CCNA 200-301 v2 (200-301) — Questions 451–525

1819 questions total · 25 pages · All types, answers revealed

Page 7 of 25
451
Drag & Drop · medium

Drag and drop the following steps into the correct order to configure AAA with a RADIUS server and enable 802.1X port authentication on a Cisco IOS-XE switch.


Why this order

First, enter global configuration mode and enable AAA ('aaa new-model'). Then define the RADIUS server (its address and shared key), configure AAA authentication to use that server for 802.1X ('aaa authentication dot1x default group radius'), and finally enable 802.1X on the access interface ('dot1x pae authenticator' and 'authentication port-control auto').

Exam trap

The key trap is the order of operations: AAA must be enabled first, then the RADIUS server defined, then authentication configured, and finally applied to the interface. Many candidates mistakenly configure the interface first or define the server after authentication. On a real switch, 802.1X must also be enabled globally with 'dot1x system-auth-control' before the interface-level commands take effect.

452
PBQ · hard

You are connected to SW1 via the console. SW1 is a Layer 2 switch with three redundant links to SW2: G0/1, G0/2, and G0/3. The network is experiencing loops, and STP is not configured. You need to enable STP and ensure that SW1 becomes the root bridge for VLAN 1. Configure STP on SW1 and set its priority to 4096 for VLAN 1.

Network Topology (diagram): SW1 G0/1 <-> G0/1 SW2, with G0/2 and G0/3 as the second and third parallel links.

Hints

  • STP uses bridge priority to determine root bridge; lower priority wins.
  • The default priority is 32768; setting it to 4096 ensures SW1 becomes root.
A. spanning-tree vlan 1 priority 4096
B. spanning-tree vlan 1 root primary
C. spanning-tree vlan 1 priority 32768
D. spanning-tree vlan 1 priority 8192
Answer: A

Solution:
! SW1
spanning-tree vlan 1 priority 4096

Why this answer

By setting the STP priority to 4096 for VLAN 1, SW1 has a lower priority than the default, making it the root bridge for that VLAN.

Exam trap

The exam may test your ability to recall the exact command syntax for setting STP priority. 'spanning-tree vlan <vlan> priority <value>' sets the priority directly (the value must be a multiple of 4096), while 'spanning-tree vlan <vlan> root primary' is a macro: it sets 24576, or 4096 less than the current root's priority if that root is already at 24576 or lower. Always check the exact value required.

Why the other options are wrong

B

The 'root primary' macro chooses a priority for you (24576, or 4096 below the current root's value); it does not set exactly 4096.

C

A priority of 32768 is the default, so it does not guarantee root bridge status.

D

The requirement is to set priority to exactly 4096, not 8192.
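The root election behind this question, as an added example (not code from the page): a model of per-VLAN bridge-ID comparison, including the extended system ID and the MAC tiebreak, plus a simplified emulation of the 'root primary' macro. Switch names and MAC addresses are made up.

```python
"""Added example (not from the page): STP root-bridge election for one VLAN.

Per-VLAN spanning tree compares bridge IDs; the lowest wins. A bridge ID is the
configured priority plus the VLAN number (the extended system ID) followed by
the switch MAC address as a tiebreaker. Switch names and MACs are made up.
"""
from __future__ import annotations

DEFAULT_PRIORITY = 32768


def bridge_id(priority: int, vlan: int, mac: str) -> tuple[int, str]:
    """Return a comparable bridge ID: (priority + extended system ID, MAC address).

    IOS only accepts priorities that are multiples of 4096 (0..61440) because the
    low 12 bits of the field carry the VLAN number.
    """
    if priority % 4096 != 0 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN must be 1..4094")
    return (priority + vlan, mac.lower())


def elect_root(switches: dict[str, dict], vlan: int) -> str:
    """Return the name of the switch with the lowest bridge ID for the VLAN.

    `switches` maps a switch name to {"priority": int, "mac": str}.
    """
    return min(
        switches,
        key=lambda name: bridge_id(switches[name]["priority"], vlan, switches[name]["mac"]),
    )


def root_primary(switches: dict[str, dict], name: str, vlan: int) -> int:
    """Emulate 'spanning-tree vlan <vlan> root primary' run on switch `name`.

    The macro does not set a fixed value: it uses 24576 when that beats the
    current root, otherwise 4096 less than the current root's priority. The new
    priority is applied to `name` and returned. (Simplified model of the macro.)
    """
    current_root = elect_root(switches, vlan)
    root_priority = switches[current_root]["priority"]
    chosen = 24576 if root_priority > 24576 else root_priority - 4096
    if chosen < 0:
        raise ValueError("current root is already at priority 0; the macro cannot go lower")
    switches[name]["priority"] = chosen
    return chosen


if __name__ == "__main__":
    # Constructed topology: both at the default priority, so the lowest MAC (SW2) wins.
    switches = {
        "SW1": {"priority": DEFAULT_PRIORITY, "mac": "00:11:22:33:44:02"},
        "SW2": {"priority": DEFAULT_PRIORITY, "mac": "00:11:22:33:44:01"},
    }
    print("default election:", elect_root(switches, 1))
    switches["SW1"]["priority"] = 4096          # spanning-tree vlan 1 priority 4096
    print("after priority 4096:", elect_root(switches, 1))
```

Note that with every switch at the default 32768 the election is decided purely by MAC address, which is why the lowest-MAC (often the oldest) switch ends up as root in an unconfigured network.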

453
MCQ · easy

At which OSI layer do routers make forwarding decisions based on logical addressing?

A. Layer 1
B. Layer 2
C. Layer 3
D. Layer 4
Answer: C

Correct. Layer 3 is the network layer.

Why this answer

Routers operate at the network layer when making forwarding decisions based on logical Layer 3 addresses such as IPv4 or IPv6 destination addresses.

Exam trap

Don't confuse the roles of routers and switches. Remember that routers use logical addressing (IP addresses) at Layer 3, while switches use physical addressing (MAC addresses) at Layer 2.

Why the other options are wrong

A

Layer 1 (Physical layer) deals with the transmission of raw bits over the medium, such as copper, fibre or radio. No forwarding decision is made at this layer; a router's physical ports only send and receive signals.

B

Layer 2 (Data Link layer) uses MAC addresses for switching within the same network segment. Routers, however, forward packets based on Layer 3 logical addresses, not MAC addresses, which are only used for next-hop delivery.

D

Layer 4 (Transport layer) handles end-to-end communication, segmentation, and flow control using protocols like TCP and UDP. Routers do not use Layer 4 information for forwarding decisions; they only examine Layer 3 headers.

454
Drag & Drop · medium

Drag and drop the following steps into the correct order to configure a Cisco IOS-XE router as a DHCP relay agent and verify the DHCP DORA process for a client on a different subnet.


Why this order

First configure the ip helper-address on the client-facing interface (A). Then enable 'debug ip dhcp relay' (D) so forwarded packets are captured. Next trigger the DORA process by releasing/renewing the client IP address (C).

Finally verify with passive show commands (B). Debug must be active before the DORA exchange; enabling it afterward misses the output.

Exam trap

Candidates often enable debugging after triggering the DORA process, causing the debug output to show nothing. Always enable debug before the client action.

455
Drag & Drop · medium

Drag and drop the following troubleshooting steps into the correct order to isolate CRC errors, duplex mismatches, and flapping on a Cisco IOS-XE interface.


Why this order

First, gather data with show commands to identify the errors (CRC, duplex, flapping). Then apply configuration changes to resolve the issue. Next, clear interface counters to reset statistics and create a clean baseline.

Finally, monitor interface statistics to verify that the errors are no longer occurring.

Exam trap

Do not confuse the order of clearing counters and verifying. Clear counters after applying the fix, not before, to get a clean baseline for verification. Also, always gather data before making changes.

456
MCQ · medium

Which command correctly configures an IPv6 default route using next-hop address 2001:db8:1::1?

A. ipv6 route ::/0 2001:db8:1::1
B. ip route :: 2001:db8:1::1
C. ipv6 default-route 2001:db8:1::1
D. ip default-gateway 2001:db8:1::1
Answer: A

Correct. This is the valid IOS syntax for an IPv6 default route.

Why this answer

The correct IPv6 default route uses the prefix ::/0 with the command 'ipv6 route ::/0'. Option B is wrong because 'ip route' is used for IPv4 routes, not IPv6. Option C uses 'ipv6 default-route', which is not a valid Cisco IOS command.

Option D sets the management default gateway for IPv4 only and does not insert a route into the IPv6 routing table.

Exam trap

Be cautious about the syntax order and the correct representation of the IPv6 default route prefix.

Why the other options are wrong

B

Uses 'ip route', which is for IPv4; IPv6 routes require 'ipv6 route'.

C

'ipv6 default-route' is not a valid Cisco IOS command.

D

'ip default-gateway' configures the management default gateway for IPv4, not an IPv6 routing entry.

457
PBQ · hard

You are connected to SW1. Configure an LACP EtherChannel between SW1 and SW2 using interfaces GigabitEthernet0/1 and GigabitEthernet0/2. Set the channel-group mode to active on both switches. Verify that the port-channel interface is configured with VLAN 100 as an access port. Then, troubleshoot and fix the issue that prevents the EtherChannel from forming due to a mismatched speed on one of the member links. After correction, verify the EtherChannel is up with 'show etherchannel summary'.

Hints

  • Check the speed and duplex settings on all member interfaces.
  • LACP requires identical speed and duplex on all ports in the channel.
  • Use the 'speed' and 'duplex' commands under the interface to match the working member.
A. Set speed 1000 and duplex full on interface GigabitEthernet0/2 of SW1, ensuring the corresponding interface on SW2 has matching settings, then verify with 'show etherchannel summary'.
B. Change the channel-group mode to desirable on both switches and verify with 'show etherchannel summary'.
C. Remove the access VLAN configuration from the port-channel interface and configure it as a trunk port instead.
D. Configure the channel-group mode to passive on SW1 and active on SW2, then verify with 'show etherchannel summary'.
Answer: A

Solution:
! SW1
interface GigabitEthernet0/2
speed 1000
duplex full

Why this answer

The EtherChannel fails because interface GigabitEthernet0/2 on SW1 has a mismatched speed (likely 100 Mbps) compared to the other member link (1000 Mbps). LACP requires all member ports to have identical speed and duplex. The solution is to set the speed on Gi0/2 to 1000 and duplex to full.

After correction, the port will bundle, and the port-channel will come up. Verification with 'show etherchannel summary' should show both ports as 'P' (bundled) and the port-channel as 'SU' (in use, Layer2).

Exam trap

Do not confuse LACP modes (active/passive) with PAgP modes (desirable/auto). Also, remember that physical parameters like speed and duplex must match across all member ports; logical configurations like VLAN or trunking are separate but must also be consistent. Always verify the root cause before changing unrelated settings.

Why the other options are wrong

B

'desirable' is a PAgP mode, not an LACP mode. LACP uses 'active' and 'passive'; an LACP side facing a PAgP side never bundles.

C

The problem is physical (a speed mismatch), not logical (VLAN or trunking). Changing the port type does not address the root cause.

D

The speed mismatch is the root cause, not the LACP mode. Active/passive is a valid LACP combination, but the mismatched member still will not bundle while the speeds differ.

458
Matching · medium

Match each security term to the question it most directly answers.


Who are you?

What are you allowed to do?

What happened during the session?

Can the system or service be accessed when needed?

Why these pairings

Each security term is paired with the question it most directly answers. Authentication, Authorization, and Accounting form the AAA framework: Authentication verifies identity (Who are you?), Authorization determines permissions (What are you allowed to do?), and Accounting tracks user activity (What happened during the session?). Availability is part of the CIA triad (Confidentiality, Integrity, Availability) and addresses whether a system or service is accessible when needed (Can the system or service be accessed when needed?).

Exam trap

Learners may confuse Authorization with Authentication. Remember: Authentication confirms identity, while Authorization defines permissions after identity is verified.

459
MCQ · medium

A two-switch EtherChannel bundle is configured with LACP. One side uses active mode on both member links, while the other side uses passive mode on both member links. What is the result?

A. The bundle forms successfully
B. The links remain individual because both sides must use active
C. The bundle forms only if PAgP is also enabled
D. The channel comes up but forwards only one VLAN
Answer: A

Correct choice.

Why this answer

LACP forms a channel when at least one side actively sends negotiation frames. Active-to-passive works. Passive-to-passive would fail, but that is not the case here.

Exam trap

Ensure you know that LACP only needs one side in active mode to form a channel; both sides in passive mode would fail.

Why the other options are wrong

B

LACP does not require both sides to be in active mode; active/passive is a valid combination. The passive side will respond to LACP packets from the active side, forming the bundle.

C

PAgP is a Cisco proprietary protocol and is not required for LACP. LACP and PAgP are independent; enabling PAgP does not affect LACP negotiation.

D

EtherChannel, once formed, forwards all VLANs allowed on the trunk or access ports. There is no mechanism in LACP that restricts the bundle to a single VLAN.
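The negotiation rules from this question and the member-link check from question 457, as one added example (not code from the page): a model of which channel-group mode combinations negotiate, and which member ports bundle or end up suspended when speed or duplex differs from the bundle's reference port. Port names and settings are made up, and the same port names on both ends is a modelling simplification.

```python
"""Added example (not from the page): EtherChannel negotiation and member bundling.

Models the channel-group mode rules (LACP active/passive, PAgP desirable/auto,
static 'on') and the per-member speed/duplex check. Port names are made up.
"""
from __future__ import annotations

LACP_MODES = {"active", "passive"}
PAGP_MODES = {"desirable", "auto"}


def channel_negotiates(mode_a: str, mode_b: str) -> bool:
    """Return True if the two channel-group modes can form an EtherChannel.

    LACP needs at least one 'active' side; PAgP needs at least one 'desirable';
    'on' (no protocol) only pairs with 'on'; LACP and PAgP never pair.
    """
    if "on" in (mode_a, mode_b):
        return mode_a == mode_b == "on"
    if mode_a in LACP_MODES and mode_b in LACP_MODES:
        return "active" in (mode_a, mode_b)
    if mode_a in PAGP_MODES and mode_b in PAGP_MODES:
        return "desirable" in (mode_a, mode_b)
    return False


def bundle(side_a: dict, side_b: dict) -> dict:
    """Work out which member links bundle, roughly as 'show etherchannel summary' reports.

    Each side is {"mode": str, "ports": {name: {"speed": int, "duplex": str}}};
    the same port names are assumed on both ends (a modelling simplification).
    Returns {"status": "SU" | "SD", "bundled": [...], "suspended": [...]}.
    """
    ports = list(side_a["ports"])
    if not channel_negotiates(side_a["mode"], side_b["mode"]):
        return {"status": "SD", "bundled": [], "suspended": ports}
    # IOS uses the attributes of the first port added as the reference for the bundle.
    reference = side_a["ports"][ports[0]]
    bundled, suspended = [], []
    for name in ports:
        local, remote = side_a["ports"][name], side_b["ports"].get(name)
        matches = local == reference and remote == reference
        (bundled if matches else suspended).append(name)
    return {"status": "SU" if bundled else "SD", "bundled": bundled, "suspended": suspended}


if __name__ == "__main__":
    gig = {"speed": 1000, "duplex": "full"}
    sw1 = {"mode": "active", "ports": {"Gi0/1": dict(gig), "Gi0/2": {"speed": 100, "duplex": "full"}}}
    sw2 = {"mode": "passive", "ports": {"Gi0/1": dict(gig), "Gi0/2": dict(gig)}}
    print("before fix:", bundle(sw1, sw2))   # Gi0/2 suspended because of the speed mismatch
    sw1["ports"]["Gi0/2"] = dict(gig)        # speed 1000 / duplex full on SW1 Gi0/2
    print("after fix:", bundle(sw1, sw2))    # both members bundled, status SU
```

The status codes follow the 'show etherchannel summary' legend: SU means the Layer 2 port-channel is in use, SD that it is down.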

460
Matching · medium

Match each security concept to its most accurate purpose.


Verifies identity before access is granted

Determines permitted actions after identity is verified

Records activity or session information

Protects information from unauthorized disclosure

Why these pairings

These pairings correctly define core security concepts (CIA triad plus authentication and authorization).

Exam trap

Be careful not to confuse the terms within the CIA triad or between CIA and AAA. Remember: Confidentiality = privacy, Integrity = no unauthorized changes, Availability = uptime/access. AAA: Authentication = who you are, Authorization = what you can do, Accounting = what you did.

461
PBQ · hard

You are connected to R1. Configure PAT (NAT overload) so that hosts on the 192.168.1.0/24 LAN can access the Internet via the outside interface GigabitEthernet 0/1 with IP 203.0.113.2/29. The current configuration has an incorrect inside/outside interface assignment and a missing overload keyword. Fix all issues.

Network Topology (diagram): Hosts (LAN) <-> G0/0 192.168.1.1/24 [R1] G0/1 203.0.113.2/29 <-> ISP <-> Internet

Hints

  • Check which interfaces are marked 'inside' and 'outside'.
  • The PAT command must include the 'overload' keyword.
  • The ACL must match the correct source subnet (192.168.1.0/24).
A. Configure 'ip nat inside' on GigabitEthernet0/0, 'ip nat outside' on GigabitEthernet0/1, correct ACL 10 to permit 192.168.1.0 0.0.0.255, and add 'overload' to the PAT command.
B. Configure 'ip nat outside' on GigabitEthernet0/0, 'ip nat inside' on GigabitEthernet0/1, keep ACL 10 as is, and add 'overload' to the PAT command.
C. Configure 'ip nat inside' on GigabitEthernet0/1, 'ip nat outside' on GigabitEthernet0/0, correct ACL 10 to permit 192.168.1.0 0.0.0.255, and add 'overload' to the PAT command.
D. Configure 'ip nat inside' on GigabitEthernet0/0, 'ip nat outside' on GigabitEthernet0/1, correct ACL 10 to permit 192.168.1.0 0.0.0.255, but do not add 'overload' to the PAT command.
Answer: A

Solution:
! R1
interface GigabitEthernet0/0
ip nat inside
interface GigabitEthernet0/1
ip nat outside
ip nat inside source list 10 interface GigabitEthernet0/1 overload
access-list 10 permit 192.168.1.0 0.0.0.255

Why this answer

Three issues exist: (1) The inside and outside interfaces are swapped — GigabitEthernet0/0 (LAN) should be 'ip nat inside' and GigabitEthernet0/1 (WAN) should be 'ip nat outside'. (2) The PAT command lacks the 'overload' keyword. (3) ACL 10 permits 10.0.0.0/8 but the inside subnet is 192.168.1.0/24; ACL must be corrected. Fix with 'interface GigabitEthernet0/0', 'ip nat inside', 'interface GigabitEthernet0/1', 'ip nat outside', 'ip nat inside source list 10 interface GigabitEthernet0/1 overload', and 'access-list 10 permit 192.168.1.0 0.0.0.255'.

Exam trap

A common trap is confusing which interface should be inside and which should be outside. Remember: inside is the private LAN side, outside is the public WAN side. Also, do not forget the 'overload' keyword for PAT, and ensure the ACL matches the correct source subnet.

Why the other options are wrong

B

The inside/outside interface assignment is reversed, and keeping ACL 10 as is leaves it permitting 10.0.0.0/8 instead of 192.168.1.0/24.

C

The inside/outside interface assignment is reversed; the WAN interface should be outside, not inside.

D

The 'overload' keyword is missing; it is what turns the translation into PAT, the many-to-one mapping that lets every LAN host share the single interface address.

462
MCQ · medium

A switch receives a unicast frame for a destination MAC address that is not yet in its MAC address table. What does the switch do?

A. Drops the frame immediately
B. Floods the frame out all ports in the same VLAN except the incoming port
C. Sends the frame to the default gateway first
D. Converts the frame to a broadcast packet
Answer: B

Correct. Unknown unicast is flooded within the VLAN.

Why this answer

An unknown unicast frame is flooded within the VLAN because the switch does not yet know which port leads to the destination MAC. The frame is not sent back out the receiving port.

Exam trap

Do not confuse switch flooding behavior for unknown unicast frames with dropping or routing behaviors.

Why the other options are wrong

A

Switches are designed to forward unknown unicast frames by flooding, not dropping them. Dropping would occur only if the frame is malformed or security features like port security are violated.

C

A Layer 2 switch operates at the data link layer and does not involve the default gateway for forwarding decisions. The default gateway is used for routing between VLANs or subnets, not for unknown unicast flooding within a VLAN.

D

Switches flood the original unicast frame unchanged; they do not modify the frame type to broadcast. Broadcasting would change the destination MAC to FF:FF:FF:FF:FF:FF, which is not the case for unknown unicast flooding.
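The learn-and-forward logic this question tests, as an added example (not code from the page): a small switch model that learns source MACs per VLAN, floods unknown unicast within the VLAN only (never out the ingress port, never rewritten to broadcast), and forwards known unicast out a single port. Port names, VLAN numbers and MAC addresses are made up.

```python
"""Added example (not from the page): a Layer 2 switch's learn-and-forward logic,
showing why an unknown unicast frame is flooded within its VLAN and nothing more.
Port names, VLANs and MAC addresses are made up.
"""
from __future__ import annotations

BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_multicast(mac: str) -> bool:
    """Group bit: the least-significant bit of the first octet is set."""
    return int(mac.split(":")[0], 16) & 1 == 1


class Switch:
    def __init__(self, access_ports: dict[str, int]) -> None:
        self.ports = access_ports                          # port name -> access VLAN
        self.mac_table: dict[tuple[int, str], str] = {}    # (vlan, mac) -> port learned on

    def _flood_ports(self, vlan: int, in_port: str) -> list[str]:
        """Every port in the VLAN except the one the frame arrived on."""
        return [p for p, v in self.ports.items() if v == vlan and p != in_port]

    def receive(self, in_port: str, src_mac: str, dst_mac: str) -> list[str]:
        """Learn the source, then return the list of egress ports for the frame.

        The frame itself is never altered: an unknown unicast is sent as-is out
        every other port in the VLAN, not rewritten into a broadcast.
        """
        vlan = self.ports[in_port]
        src_mac, dst_mac = src_mac.lower(), dst_mac.lower()
        self.mac_table[(vlan, src_mac)] = in_port          # learning: source MAC -> ingress port
        if dst_mac == BROADCAST or is_multicast(dst_mac):
            return self._flood_ports(vlan, in_port)
        out_port = self.mac_table.get((vlan, dst_mac))
        if out_port is None:                               # unknown unicast: flood within the VLAN
            return self._flood_ports(vlan, in_port)
        if out_port == in_port:                            # destination sits behind the ingress port: filter
            return []
        return [out_port]                                  # known unicast: one port only


if __name__ == "__main__":
    sw = Switch({"Gi0/1": 10, "Gi0/2": 10, "Gi0/3": 10, "Gi0/4": 20})
    print(sw.receive("Gi0/1", "00:00:00:00:00:0a", "00:00:00:00:00:0b"))   # flooded to Gi0/2, Gi0/3
    print(sw.receive("Gi0/2", "00:00:00:00:00:0b", "00:00:00:00:00:0a"))   # reply: Gi0/1 only
    print(sw.receive("Gi0/1", "00:00:00:00:00:0a", "00:00:00:00:00:0b"))   # now known: Gi0/2 only
```

The model also shows the boundary that matters for security: a host in VLAN 20 never sees VLAN 10's unknown-unicast flooding, because the table and the flood set are both scoped per VLAN.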

463
MCQ · hard

A subnet uses the prefix /22. How many usable host addresses are available?

A. 254
B. 510
C. 1022
D. 2046
Answer: C

This is correct because a /22 has 1024 total addresses and 1022 usable hosts.

Why this answer

A /22 leaves 10 host bits available. In plain language, that means each subnet contains 2^10, or 1024, total addresses. Two of those are reserved for the network and broadcast addresses in normal IPv4 subnetting, leaving 1022 usable host addresses.

This is a common subnet-capacity calculation. The safest method is to calculate the total address count from the number of host bits and then subtract the two reserved addresses. That leads directly to the correct usable-host value.

Exam trap

Remember to subtract the network and broadcast addresses from the total number of addresses to find the usable host count.

Why the other options are wrong

A

A /24 prefix provides 256 total addresses (2^(32-24)=256), with 254 usable host addresses after subtracting the network and broadcast addresses. This does not match the /22 prefix in the question.

B

A /23 prefix provides 512 total addresses (2^(32-23)=512), with 510 usable host addresses. This is half the total addresses of a /22, so it is incorrect for the given prefix.

D

A /21 prefix provides 2048 total addresses (2^(32-21)=2048), with 2046 usable host addresses. This is double the total addresses of a /22, so it is incorrect for the given prefix.
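The host-bit arithmetic above, as an added example (not code from the page) that goes a little beyond the question: it computes usable hosts for any prefix, handles the /31 and /32 cases where the "subtract two" rule does not apply, picks the smallest prefix that fits a host count, and works out the network, host range and broadcast addresses. Sample prefixes are made up.

```python
"""Added example (not from the page): subnet capacity arithmetic for any prefix,
including the /31 and /32 edge cases that the "subtract two" rule does not cover.
"""
from __future__ import annotations
import ipaddress


def host_bits(prefix: str) -> int:
    """Number of host bits left by the mask, e.g. 10 for a /22."""
    net = ipaddress.ip_network(prefix, strict=False)
    return net.max_prefixlen - net.prefixlen


def usable_hosts(prefix: str) -> int:
    """Usable host addresses in the subnet.

    IPv4: 2^host_bits minus the network and broadcast addresses, except that a /31
    (RFC 3021 point-to-point link) has two usable addresses and a /32 is one host.
    IPv6 has no broadcast address, so every address in the block is usable.
    """
    net = ipaddress.ip_network(prefix, strict=False)
    if net.version == 6 or net.prefixlen >= 31:
        return net.num_addresses
    return net.num_addresses - 2


def smallest_prefix_for(hosts: int) -> int:
    """Smallest IPv4 prefix length whose subnet holds `hosts` usable addresses."""
    if hosts < 1:
        raise ValueError("need at least one host")
    if hosts == 1:
        return 32
    if hosts == 2:
        return 31
    bits = 2
    while (1 << bits) - 2 < hosts:
        bits += 1
    return 32 - bits


def subnet_bounds(prefix: str) -> dict[str, str]:
    """Network, first/last usable host and broadcast address for an IPv4 prefix."""
    net = ipaddress.ip_network(prefix, strict=False)
    if net.version != 4:
        raise ValueError("IPv4 only")
    if net.prefixlen >= 31:
        first, last = net.network_address, net.broadcast_address
    else:
        first, last = net.network_address + 1, net.broadcast_address - 1
    return {"network": str(net.network_address), "first_host": str(first),
            "last_host": str(last), "broadcast": str(net.broadcast_address)}


if __name__ == "__main__":
    for p in ("192.168.0.0/22", "192.168.0.0/24", "10.0.0.0/31", "10.0.0.1/32"):
        print(p, "host bits", host_bits(p), "usable", usable_hosts(p))
    print(subnet_bounds("10.1.5.77/22"))   # 10.1.4.0 .. 10.1.7.255
```

Passing a host address with strict=False (as with 10.1.5.77/22 above) is the everyday case: given an interface address and mask, the function returns the subnet it belongs to.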

464
Matching · easy

Match each IP service or protocol to its most accurate purpose.


Automatically provides IP configuration to clients

Resolves hostnames into IP information

Maps a local IPv4 address to a MAC address

Synchronizes device clocks

Why these pairings

DHCP automatically assigns IP addresses and other network parameters to clients. DNS translates domain names into IP addresses. ARP resolves a local IPv4 address to a MAC address on the same subnet.

NTP synchronizes device clocks over a network. These four protocols are correctly matched to their primary purposes.

Exam trap

Be careful not to confuse protocols that work together. For example, HTTP and SMTP rely on DNS to resolve names, but each protocol has a distinct primary function. Focus on the core purpose of each protocol.

465
MCQ · hard

A network administrator is troubleshooting slow file transfers between two servers in different access-layer switches. The administrator runs the 'show interface' command on the uplink connecting the two switches and notices a high number of CRC errors on both ends, but a high number of late collisions on only one interface; the other interface reports no late collisions. What is the most likely cause, and how should it be corrected?

A. Duplex mismatch: the interface with late collisions is half-duplex while the other end is full-duplex. Configure both ends to auto-negotiate speed and duplex.
B. Speed mismatch: one interface is set to 100 Mbps, the other to 1 Gbps. This causes frequent link flaps, resulting in CRC errors. Use the 'speed' command to match the rates.
C. Faulty Ethernet cable causing signal degradation, which leads to CRC errors. The late collisions are a result of the switch misdetecting collisions due to the degraded signal. Replace the cable.
D. A broadcast storm caused by a loop is flooding the uplink with frames, leading to CRC errors and late collisions as the switch discards excess traffic. Enable Spanning Tree Protocol to block the redundant path.
Answer: A

Late collisions only occur on half-duplex Ethernet when multiple stations attempt to transmit simultaneously. When one end is full-duplex, the half-duplex end perceives any overlapping transmission as a collision, producing late collisions and CRC errors. Auto-negotiation correctly sets both ends to full-duplex when supported, fixing the problem.

Why this answer

A is correct because a duplex mismatch leaves one interface in half-duplex (running CSMA/CD and detecting collisions) while the other runs full-duplex (transmitting whenever it has data, with no collision detection). The half-duplex side defers while it senses a carrier, but the full-duplex side transmits at any time, so the half-duplex side detects collisions after the first 64 bytes of its own frame (late collisions). Both ends log CRC errors because frames clipped by those collisions arrive with bad checksums.

Configuring both ends to auto-negotiate ensures matching duplex and speed, resolving the issue.

Exam trap

Cisco often tests the distinction between CRC errors (which can have multiple causes like cable faults or duplex mismatch) and late collisions (which are a definitive indicator of a duplex mismatch), leading candidates to incorrectly attribute CRC errors alone to a cable issue.

Why the other options are wrong

B

Confuses speed mismatch (which prevents link establishment) with duplex mismatch (which allows the link to come up but causes errors and late collisions).

C

Assumes all interface errors are cable-related and overlooks the characteristic late-collision signature of duplex mismatch.

D

Misinterprets high utilization as a source of physical-layer errors and ignores the diagnostic value of asymmetric late collisions.
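The diagnostic reasoning of this question and the gather-then-verify sequence of question 455, as an added example (not code from the page): a parser for the relevant lines of 'show interfaces' output from both ends of a link, and a rule that separates the duplex-mismatch signature (asymmetric late collisions) from a physical-layer fault (CRC on both ends, no late collisions) and from a flapping link (interface resets). The two captures are constructed to match the symptoms in the question; the flap threshold is an assumption.

```python
"""Added example (not from the page): pulling the duplex-mismatch signature out of
'show interfaces' output from both ends of a link. The captures below are
constructed to match the symptoms described in the question.
"""
from __future__ import annotations
import re

SW1_GI0_24 = """\
GigabitEthernet0/24 is up, line protocol is up (connected)
  Half-duplex, 100Mb/s, media type is 10/100/1000BaseTX
     1543 input errors, 1543 CRC, 0 frame, 0 overrun, 0 ignored
     0 output errors, 412 collisions, 2 interface resets
     0 babbles, 830 late collision, 17 deferred
"""

SW2_GI0_24 = """\
GigabitEthernet0/24 is up, line protocol is up (connected)
  Full-duplex, 100Mb/s, media type is 10/100/1000BaseTX
     1210 input errors, 1210 CRC, 0 frame, 0 overrun, 0 ignored
     0 output errors, 0 collisions, 2 interface resets
     0 babbles, 0 late collision, 0 deferred
"""


def parse_show_interface(text: str) -> dict:
    """Extract duplex, speed and the error counters that matter for this diagnosis."""
    duplex = re.search(r"(Full|Half)-duplex, (\d+)Mb/s", text)
    errors = re.search(r"(\d+) input errors, (\d+) CRC", text)
    late = re.search(r"(\d+) late collision", text)
    resets = re.search(r"(\d+) interface resets", text)
    if not (duplex and errors and late and resets):
        raise ValueError("unrecognised show interfaces output")
    return {
        "duplex": duplex.group(1).lower(), "speed": int(duplex.group(2)),
        "input_errors": int(errors.group(1)), "crc": int(errors.group(2)),
        "late_collisions": int(late.group(1)), "resets": int(resets.group(1)),
    }


def diagnose(local_text: str, remote_text: str, flap_threshold: int = 10) -> tuple[str, str]:
    """Classify the link from both ends' counters. flap_threshold is an assumed cut-off."""
    a, b = parse_show_interface(local_text), parse_show_interface(remote_text)
    asymmetric_late = (a["late_collisions"] > 0) != (b["late_collisions"] > 0)
    if a["duplex"] != b["duplex"] or asymmetric_late:
        half = "local" if a["late_collisions"] else "remote"
        return ("duplex-mismatch",
                f"late collisions only on the {half} end; set both ends to auto or to matching full-duplex")
    if max(a["resets"], b["resets"]) >= flap_threshold:
        return ("flapping", "interface resets climbing; check cable, SFP and negotiation before anything else")
    if a["crc"] or b["crc"]:
        return ("physical-layer", "CRC errors with no late collisions; suspect cable, connector or optics")
    return ("clean", "no errors recorded; clear counters and monitor to confirm")


if __name__ == "__main__":
    print(diagnose(SW1_GI0_24, SW2_GI0_24))
```

Run the fix, then 'clear counters' and re-run the parser after a few minutes of traffic: if the late-collision and CRC counters stay at zero, the verdict changes to "clean", which is the verification step the page describes.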

466
Multi-Select · medium

Which two statements accurately describe why least privilege and source restriction work well together for administrative access?

Select 2 answers
A. Least privilege reduces the scope of actions an authenticated user can perform.
B. Source restriction reduces the network locations from which administrative access is permitted.
C. Either one by itself removes the need for logging.
D. Both exist only for wireless guest access policies.
E. They require all administrative traffic to use PPP encapsulation.
Answers: A, B

This is correct because least privilege limits authorization scope.

Why this answer

Least privilege and source restriction work well together because they reduce risk in different ways. Least privilege limits what a user can do after access is granted, while source restriction limits where an administrative session is allowed to originate. Together they reduce both exposure and potential impact, which is why management-plane hardening layers them.

Exam trap

A common exam trap is believing that either least privilege or source restriction alone fully secures administrative access. Candidates may incorrectly think that limiting user permissions removes the need to restrict source IPs, or vice versa. This mistake overlooks that least privilege controls what actions a user can perform after access, but does not prevent unauthorized access attempts from untrusted locations.

Similarly, source restriction limits where access can originate but does not limit what an authenticated user can do. The exam tests understanding that both controls are necessary and complementary for robust administrative security.

Why the other options are wrong

C

This option is incorrect because neither least privilege nor source restriction eliminates the need for logging; visibility and accountability remain critical for security auditing.

D

This option is incorrect because least privilege and source restriction are broad security principles applicable to all administrative access, not limited to wireless guest access policies.

E

This option is incorrect because PPP encapsulation is unrelated to administrative access controls like least privilege and source restriction; it does not affect management access security.

467
MCQ · hard

A network engineer notices that hosts on VLAN 100 (192.168.10.0/24) cannot ping the loopback interface (10.0.0.1/32) of a directly connected router R2. The engineer checks R1's routing table and sees an entry for 10.0.0.0/24 via a different next-hop, but no entry for 10.0.0.1/32. What is the most likely reason for the connectivity failure?

A. The loopback interface on R2 is administratively down.
B. R2 is advertising the loopback as a /24 network, not a /32 host route.
C. R1 has a route for 10.0.0.0/24 via a different next-hop, causing a routing loop.
D. The EIGRP metric for the /24 route is too high, so R1 prefers the connected route.
Answer: B

R2's loopback is configured with a /24 mask, so R2 advertises 10.0.0.0/24 rather than the host route 10.0.0.1/32. R1 already holds a 10.0.0.0/24 route that points at a different next hop, and longest-prefix matching does match 10.0.0.1 against that /24, so R1 forwards the ping toward the wrong neighbour instead of R2, where it dies. A /32 from R2 would be more specific than the /24 and would win the lookup.

Why this answer

The issue is that R2 advertises its loopback into the routing protocol as 10.0.0.0/24 instead of as 10.0.0.1/32. R1 selects routes by longest prefix match: the most specific prefix that covers the destination wins. Without a /32 from R2, the /24 via the other next hop is the only covering route, so packets for 10.0.0.1 are sent there and never reach R2's loopback. Once R2 advertises 10.0.0.1/32, that route is more specific than the /24 and R1 uses it.

Exam trap

Cisco often tests the concept that a routing protocol may advertise a loopback interface with a different prefix length than configured, and candidates mistakenly think the issue is a routing loop or metric problem rather than a prefix-length mismatch.

Why the other options are wrong

A

An administratively down loopback would mean R2 advertises no route for it at all, but nothing in the scenario points to a down interface. The symptom that matches is a /24 from a different next hop covering the address, which is a prefix-length problem rather than an interface-state problem.

C

A routing loop requires two or more routers forwarding the same packet back and forth. Here R1 has a single /24 route toward one next hop; that misdirects the traffic but does not create a loop.

D

The scenario gives no metric, and a metric only decides between routes for the same prefix. Longest prefix match is applied before metric or administrative distance, so a /32 from R2 would be chosen over the /24 whatever their metrics. The core issue is the missing /32, not the metric.
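The lookup rule this question turns on, as an added example (not code from the page): a small routing table with longest-prefix-match selection, reproducing the scenario above: a /24 toward another next hop covers 10.0.0.1 and misdirects traffic, and a /32 from R2 then wins. Next-hop addresses and administrative distances are made up.

```python
"""Added example (not from the page): longest-prefix-match lookup, reproducing the
situation in the question. Next-hop addresses are made up.
"""
from __future__ import annotations
import ipaddress


class RoutingTable:
    def __init__(self) -> None:
        self.routes: list[tuple] = []   # (network, next hop, administrative distance)

    def add(self, prefix: str, next_hop: str, ad: int = 1) -> None:
        self.routes.append((ipaddress.ip_network(prefix), next_hop, ad))

    def lookup(self, destination: str) -> tuple[str, str] | None:
        """Return (matching prefix, next hop) for `destination`, or None if no route covers it.

        Selection order mirrors a router: the most specific prefix wins outright;
        administrative distance only breaks ties between routes for the same prefix.
        """
        dst = ipaddress.ip_address(destination)
        candidates = [r for r in self.routes if dst in r[0]]
        if not candidates:
            return None
        net, next_hop, _ = max(candidates, key=lambda r: (r[0].prefixlen, -r[2]))
        return (str(net), next_hop)


if __name__ == "__main__":
    rt = RoutingTable()
    rt.add("0.0.0.0/0", "203.0.113.1")            # default toward the ISP
    rt.add("10.0.0.0/24", "192.0.2.3", ad=90)     # the /24 via a different next hop (not R2)
    print("before:", rt.lookup("10.0.0.1"))       # matched by the /24: sent to 192.0.2.3, not R2
    rt.add("10.0.0.1/32", "192.0.2.2", ad=90)     # R2 now advertises its loopback as a host route
    print("after:", rt.lookup("10.0.0.1"))        # the /32 is more specific and wins
```

The point the page's original explanation got backwards is visible in the first lookup: the /24 does match 10.0.0.1, so R1 does not drop the packet; it forwards it to the wrong router.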

468
Drag & Drop · medium

Drag and drop the following steps into the correct order to describe the data encapsulation process as it flows down the OSI model from the source host.


Why this order

Encapsulation proceeds from the top OSI layers to the bottom. First, the application generates data (Step 1). The Transport layer then adds a TCP or UDP header to create a segment (Step 2), supplying the port numbers that identify the application (and, with TCP, the sequencing used for reliable delivery).

The Network layer adds an IP header to form a packet (Step 3), which provides logical addressing and routing information. The Data Link layer adds a frame header and trailer to create a frame (Step 4), enabling physical addressing (MAC) and error detection. Finally, the Physical layer converts the frame to bits for transmission (Step 5), as it is the layer that ultimately puts signals on the wire.
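The five steps above carried out on real bytes, as an added example (not code from the page): a UDP datagram is wrapped in an IPv4 header with a correct header checksum, then in an Ethernet II header with a CRC-32 FCS trailer, and finally turned into the bit string that goes on the wire. Addresses, ports and payload are made up; the UDP checksum is left at zero, which IPv4 permits.

```python
"""Added example (not from the page): building a frame layer by layer to show what
each encapsulation step adds. UDP over IPv4 over Ethernet; addresses, ports and
payload are made up. The FCS is CRC-32 as Ethernet uses; the UDP checksum is
left at zero, which IPv4 permits.
"""
from __future__ import annotations
import ipaddress
import struct
import zlib

IPV4_HEADER = "!BBHHHBBH4s4s"   # 20 bytes, no options


def checksum16(data: bytes) -> int:
    """Internet checksum (RFC 1071): one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def transport_segment(src_port: int, dst_port: int, data: bytes) -> bytes:
    """Layer 4: UDP header (ports, length, checksum) in front of the data."""
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(data), 0) + data


def network_packet(src_ip: str, dst_ip: str, segment: bytes, protocol: int = 17, ttl: int = 64) -> bytes:
    """Layer 3: IPv4 header (version/IHL 0x45, DF set, checksum over the header only)."""
    fields = [0x45, 0, 20 + len(segment), 0, 0x4000, ttl, protocol, 0,
              ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed]
    fields[7] = checksum16(struct.pack(IPV4_HEADER, *fields))   # checksum computed with field zeroed
    return struct.pack(IPV4_HEADER, *fields) + segment


def _mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def datalink_frame(src_mac: str, dst_mac: str, packet: bytes) -> bytes:
    """Layer 2: Ethernet II header (dst, src, EtherType 0x0800) plus the 4-byte FCS trailer."""
    body = struct.pack("!6s6sH", _mac(dst_mac), _mac(src_mac), 0x0800) + packet
    return body + struct.pack("<I", zlib.crc32(body))   # FCS is sent least-significant byte first


def physical_bits(frame: bytes) -> str:
    """Layer 1: the frame as the string of bits signalled onto the medium."""
    return "".join(f"{byte:08b}" for byte in frame)


def encapsulate(data: bytes) -> dict:
    """Run the five steps and return every PDU so each layer's contribution is visible."""
    segment = transport_segment(40000, 53, data)
    packet = network_packet("192.168.1.10", "10.0.0.1", segment)
    frame = datalink_frame("00:11:22:33:44:55", "00:aa:bb:cc:dd:ee", packet)
    return {"data": data, "segment": segment, "packet": packet, "frame": frame, "bits": physical_bits(frame)}


if __name__ == "__main__":
    for name, pdu in encapsulate(b"hello").items():
        print(f"{name:8} {len(pdu):4} {'bits' if name == 'bits' else 'bytes'}")
```

Verifying a received IPv4 header is the same calculation: checksum16 over the 20 header bytes, checksum field included, returns 0 when the header is intact.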

469
Drag & Drop · medium

Drag and drop the configuration steps into the correct order to configure Port Address Translation (PAT) on a Cisco router.


Why this order

The correct sequence is: first define the addresses to translate with an access list; next mark the inside interface with 'ip nat inside'; then mark the outside interface with 'ip nat outside'; finally, enable PAT globally with the 'ip nat inside source list ... overload' command. The overload command is not applied to an interface—it references the outside interface to translate source addresses to that interface’s IP.

Exam trap

The exam trap is that candidates often confuse the order of steps, thinking that applying the overload command or marking interfaces comes before defining the ACL. Remember: ACL first, then inside interface, then outside interface, then overload command.
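What the four PAT steps produce at run time, and what each of the faults in question 461 does to the translation, as one added example (not code from the page): a model of a NAT router that only translates packets crossing from its 'inside' to its 'outside' interface, only for sources the ACL permits, one-to-one without 'overload' and many-to-one with it. Addresses follow the question 461 topology; the port-allocation policy is a simplification.

```python
"""Added example (not from the page): how 'ip nat inside source list ... interface ... overload'
behaves, and what goes wrong when the inside/outside marking is reversed, the ACL does not
match, or 'overload' is missing. Addresses follow the question's topology; port allocation
is simplified.
"""
from __future__ import annotations
import ipaddress


class PatRouter:
    def __init__(self, inside_if: str, outside_if: str, outside_ip: str,
                 acl: list[str], overload: bool) -> None:
        self.inside_if, self.outside_if = inside_if, outside_if
        self.outside_ip = outside_ip                        # the single inside-global address
        self.acl = [ipaddress.ip_network(n) for n in acl]   # 'access-list 10 permit ...' entries
        self.overload = overload
        self.table: dict[tuple[str, int], tuple[str, int]] = {}   # (inside local, port) -> (global, port)
        self.ports_in_use: set[int] = set()

    def _acl_permits(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.acl)

    def translate(self, in_if: str, out_if: str, src_ip: str, src_port: int) -> tuple[str, int] | None:
        """Return the translated (ip, port) for a packet entering in_if and leaving out_if, or None."""
        # NAT acts only on packets crossing from the 'inside' to the 'outside' interface.
        if (in_if, out_if) != (self.inside_if, self.outside_if):
            return None
        if not self._acl_permits(src_ip):
            return None                                     # source not "interesting": no translation
        key = (src_ip, src_port)
        if key in self.table:
            return self.table[key]                          # existing session reuses its entry
        if not self.overload:
            # Dynamic one-to-one NAT: the single address can belong to one inside host at a time.
            owners = {ip for ip, _ in self.table}
            if owners and src_ip not in owners:
                return None                                 # pool exhausted, packet dropped
            self.table[key] = (self.outside_ip, src_port)
            return self.table[key]
        # PAT: keep the source port if free, otherwise take the next unused one (simplified policy).
        port = src_port
        while port in self.ports_in_use:
            port = port + 1 if port < 65535 else 1024
        self.ports_in_use.add(port)
        self.table[key] = (self.outside_ip, port)
        return self.table[key]


if __name__ == "__main__":
    r1 = PatRouter("GigabitEthernet0/0", "GigabitEthernet0/1", "203.0.113.2", ["192.168.1.0/24"], overload=True)
    for host in ("192.168.1.10", "192.168.1.11"):
        print(host, "->", r1.translate("GigabitEthernet0/0", "GigabitEthernet0/1", host, 50000))
```

The three failing configurations from the question each show up as a None return: swapped inside/outside marking means no packet ever crosses in the direction NAT watches, an ACL for 10.0.0.0/8 never matches the LAN, and without 'overload' the second LAN host finds the only global address already taken.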

470
Multi-Select · medium

Which four of the following are correct statements about VLAN configuration and verification on a Cisco switch? (Choose four.)

Select 4 answers
A. The 'switchport mode access' command places the interface into a non-trunking mode.
B. By default, all ports on a Cisco switch are in VLAN 1.
C. The 'show vlan brief' command displays VLANs that are active on the switch.
D. VLANs 1002–1005 are reserved for user-created VLANs.
E. A VLAN must be manually created before its name can be assigned.
F. The 'switchport trunk native vlan' command restricts the native VLAN to only tagged frames.
Answers: A, B, C, E

Why this answer

The 'switchport mode access' command configures the interface as an access port, operating in non-trunking mode and carrying traffic for a single VLAN. By default, all ports on a Cisco switch are assigned to VLAN 1, which is the default and management VLAN. The 'show vlan brief' command displays all active VLANs along with their names and assigned ports.

A VLAN is named in VLAN configuration mode: 'vlan <id>' creates the VLAN if it does not already exist, and 'name <name>' is entered under it, so the VLAN exists before its name is assigned. The false statements are that VLANs 1002–1005 are reserved for user-created VLANs (they are reserved for legacy FDDI and Token Ring) and that the 'switchport trunk native vlan' command restricts the native VLAN to only tagged frames (native VLAN traffic is sent untagged).

Exam trap

Candidates often confuse the native VLAN as carrying tagged frames, and mistakenly believe VLANs 1002–1005 are user-configurable, when in fact they are reserved for legacy technologies.

Why the other options are wrong

D

VLANs 1002–1005 are reserved for legacy FDDI and Token Ring, not user-created VLANs.

F

The native VLAN on a trunk sends frames untagged; this command sets the native VLAN, not a tagging restriction.

471
Multi-Select · medium

Which two statements accurately describe IPv6 link-local addresses?

Select 2 answers
A. They are used for communication on the local segment only.
B. They are globally routable across the Internet.
C. They are commonly involved in local IPv6 neighbor interactions.
D. They exist only when DHCPv6 fails.
E. They replace the need for any default gateway logic.
Answers: A, C

This is correct because link-local addresses are intended for local-link communication.

Why this answer

IPv6 link-local addresses are designed for communication on the local segment only. In plain language, they allow devices to talk to nearby neighbors without needing globally routable addresses. They play an important role in IPv6 functions such as Neighbor Discovery and are commonly used when hosts communicate with the default gateway on the same link. These addresses are normal and expected in IPv6 environments.

They are not globally Internet-routable, and they are not just emergency fallbacks for DHCPv6 failure. The two correct answers are the ones that preserve their local-link purpose and their importance in standard IPv6 behavior rather than treating them as optional or globally reachable.

Exam trap

Remember that link-local addresses are not routable and are not a fallback for DHCPv6. They are essential for local communications.

Why the other options are wrong

B

Link-local addresses have a scope of link-local (fe80::/10) and are not forwarded by routers, making them non-routable across the Internet. They are intended only for communication on a single network segment.

D

Link-local addresses are automatically generated on all IPv6 interfaces regardless of DHCPv6. They are a mandatory part of IPv6 operation, not a fallback mechanism.

E

For off-link communication, IPv6 hosts still require a default gateway (usually a router's link-local address) to forward packets beyond the local segment. Link-local addresses do not eliminate the need for routing logic.

472
MCQ · medium

Why might voice traffic be placed in a priority queue on a WAN link?

A.To increase the TTL value of voice packets
B.To reduce delay and jitter for time-sensitive traffic
C.To change RTP into TCP for reliability
D.To avoid assigning IP addresses to phones
Answer: B

Correct. Priority queuing is used to protect time-sensitive traffic such as voice.

Why this answer

Voice traffic is delay-sensitive. Prioritization helps reduce queuing delay and jitter so real-time audio remains intelligible.

Exam trap

A common exam trap is selecting answers that confuse QoS prioritization with unrelated network functions such as increasing the TTL value of voice packets or converting RTP traffic into TCP. These options are incorrect because QoS focuses on managing packet scheduling and queuing rather than altering packet headers or transport protocols. Another trap is thinking that IP address assignment relates to QoS, which it does not.

Recognizing that priority queuing specifically targets delay-sensitive traffic like voice helps avoid these misleading options.

Why the other options are wrong

A

Increasing the TTL value of voice packets is unrelated to QoS or priority queuing. TTL controls packet lifetime and does not affect delay or jitter, so this option is incorrect.

C

QoS does not convert RTP (used for voice) into TCP. RTP is typically carried over UDP for real-time performance, so this option is incorrect.

D

Assigning IP addresses to phones is handled by DHCP or static configuration, not by QoS or priority queuing. This option is unrelated to voice traffic prioritization.

473
MCQ · medium

Why does a passive interface in OSPF still matter even though it does not send hello packets?

A.The connected network can still be advertised into OSPF through other active adjacencies
B.The passive interface automatically becomes the OSPF router ID
C.The passive interface disables all OSPF operation on the router
D.The passive interface converts OSPF into EIGRP on that link
Answer: A

This is correct because passive-interface suppresses hello exchange on that interface while still allowing the network to be advertised.

Why this answer

A passive interface still matters because the connected network can still be advertised into OSPF even though the interface itself does not form neighbor relationships. In plain language, the router is saying, “This network is mine, and I want others to know about it, but I do not want to speak OSPF directly on this interface.” That is useful on user-facing or stub-like interfaces where no OSPF neighbor should exist.

This distinction is important because some engineers assume passive means “ignored entirely.” It does not. The connected network can still appear in routing updates sent through real neighbors on other interfaces. What changes is neighbor formation on the passive interface itself.

Exam trap

Don't assume 'passive' means the interface is ignored; it still advertises its network.

Why the other options are wrong

B

The OSPF router ID is determined by the highest IP address on a loopback interface or the highest active physical interface IP at the time of OSPF process startup, not by passive-interface configuration. A passive interface does not influence router ID selection.

C

The passive-interface command only suppresses OSPF hello packets on that specific interface; OSPF continues to operate normally on other interfaces, forming adjacencies and exchanging routing information. It does not disable OSPF globally.

D

The passive-interface command is specific to OSPF and does not change the routing protocol. OSPF remains OSPF; it simply stops sending hellos on that interface. EIGRP has its own passive-interface command with similar behavior but does not convert protocols.

474
Multi-Select · medium

Which TWO actions does DHCP snooping perform by default on a Cisco switch?

Select 2 answers
A.It blocks DHCP server messages received on untrusted ports.
B.It generates a Cisco Discovery Protocol packet for each DHCP request.
C.It builds a DHCP binding table.
D.It relays DHCP requests across VLANs.
E.It converts DHCP broadcasts into unicasts.
Answers: A, C

DHCP snooping classifies ports as trusted or untrusted. Untrusted ports are not permitted to send DHCP server-side messages (e.g., DHCPOFFER, DHCPACK), thereby preventing rogue DHCP servers.

Why this answer

DHCP snooping is a Layer 2 security feature that filters DHCP messages and builds a binding table. By default, it blocks DHCP server messages on untrusted ports and dynamically creates a binding table mapping IP addresses to MAC addresses. It does not relay requests across VLANs or convert broadcasts to unicasts (those are relay agent functions).

Why the other options are wrong

B

This statement incorrectly associates two separate features; DHCP snooping operates at Layer 2 for DHCP security, not for CDP.

D

This function belongs to the relay agent, not to DHCP snooping, which operates within a single VLAN to enforce security policies.

E

This is a relay agent feature. DHCP snooping does not alter the broadcast nature of DHCP packets; it only filters them.

475
MCQ · medium

When spanning tree elects a root bridge, which value is considered first?

A.Lowest MAC address only
B.Lowest bridge priority only
C.Lowest bridge ID, which begins with priority
D.Highest interface bandwidth
Answer: C

Correct. STP compares the bridge ID, and priority is the leading field in that comparison.

Why this answer

The root bridge is the switch with the lowest bridge ID. The bridge ID is made up of priority and MAC address, so priority is considered first, then MAC address if priorities tie.

Exam trap

Remember that the bridge priority is evaluated before the MAC address in the root bridge election process.

Why the other options are wrong

A

The MAC address is only used as a tiebreaker when bridge priorities are equal. It is not the first value considered in root bridge election.

B

The bridge priority is only the first part of the bridge ID; the full bridge ID (priority + MAC address) is compared. If priorities are equal, the MAC address is used as a tiebreaker.

D

Interface bandwidth is used to calculate path cost, which influences port roles (root port, designated port) but does not affect root bridge election. Root bridge election is based solely on bridge ID.

476
PBQ · medium

You are connected to SW1 via the console. SW1 is a Layer 2 switch. Ports G0/1 and G0/2 are connected to two PCs that should be in VLAN 10 (Sales). Port G0/3 is a trunk link to another switch. The PCs are currently unable to communicate because the ports are in VLAN 1. Configure the switch to place the ports in the correct VLAN and ensure the trunk is properly configured with 802.1Q encapsulation and native VLAN 99.

Network Topology
[Topology diagram] PC1 - SW1 G0/1; second PC - SW1 G0/2; SW1 - trunk - OtherSwitch

Hints

  • Check the current VLAN assignment on access ports.
  • The trunk encapsulation must be set to dot1q for 802.1Q support.
  • Native VLAN should match on both ends of the trunk.
A.Create VLAN 10, assign G0/1 and G0/2 as access ports in VLAN 10, configure G0/3 as trunk with encapsulation dot1q and native VLAN 99.
B.Create VLAN 10, assign G0/1 and G0/2 as access ports in VLAN 10, configure G0/3 as trunk with encapsulation isl and native VLAN 99.
C.Create VLAN 10, assign G0/1 and G0/2 as trunk ports in VLAN 10, configure G0/3 as trunk with encapsulation dot1q and native VLAN 99.
D.Create VLAN 10, assign G0/1 and G0/2 as access ports in VLAN 10, configure G0/3 as trunk with encapsulation dot1q and native VLAN 1.
Answer: A
solution
! SW1
vlan 10
name Sales
interface GigabitEthernet0/1
switchport mode access
switchport access vlan 10
interface GigabitEthernet0/2
switchport mode access
switchport access vlan 10
interface GigabitEthernet0/3
switchport trunk encapsulation dot1q
switchport trunk native vlan 99
switchport mode trunk

Why this answer

VLAN 10 must be created, and the access ports must be explicitly set to access mode with 'switchport mode access' before being assigned to VLAN 10. Assigning the access ports to VLAN 10 places the PCs in the correct broadcast domain. The trunk needs explicit 802.1Q encapsulation and its native VLAN changed to 99 for security and consistency.

Exam trap

Be careful to distinguish between access and trunk ports: access ports belong to a single VLAN for end devices, while trunk ports carry multiple VLANs between switches. Also, remember that 802.1Q is the standard trunking protocol, and native VLAN should be changed from default 1 for security.

Why the other options are wrong

B

The specific factual error is that ISL is a legacy Cisco proprietary trunking protocol, and modern switches default to 802.1Q. The question specifies 802.1Q encapsulation.

C

The specific factual error is that ports connected to end devices (PCs) should be access ports, not trunk ports. Trunk ports are used for inter-switch links.

D

The specific factual error is that the native VLAN must be explicitly set to 99. Native VLAN 1 is the default and is often targeted in VLAN hopping attacks.

477
PBQ · hard

You are troubleshooting PAT and static NAT on R1. The inside network 192.168.10.0/24 must be translated to the public IP 203.0.113.1 (interface G0/1) using port address translation. Additionally, the server at 192.168.10.100 must be reachable from the outside via static NAT to 203.0.113.5. The current configuration is not working. Identify and correct the errors in the running config on R1.

Hints

  • Check which subnet the ACL is matching — it might not be your inside network.
  • Look at the PAT command: is there an 'overload' keyword? Without it, only one translation is allowed.
  • Verify the static NAT mapping: the inside server IP should match the actual server.
A.The ACL in the NAT configuration incorrectly permits network 192.168.20.0/24 instead of 192.168.10.0/24, and the PAT command is missing the 'overload' keyword.
B.The static NAT entry uses the wrong inside address; it should be 192.168.10.100 but is configured with 192.168.10.1.
C.The PAT command is missing the 'overload' keyword, and the static NAT entry maps to the wrong public IP; it should use 203.0.113.1 instead of 203.0.113.5.
D.The static NAT entry maps the server to the wrong public IP, 203.0.113.1 instead of 203.0.113.5, and the ACL incorrectly permits network 192.168.20.0/24.
Answer: A
solution
! R1
configure terminal
no access-list 100
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
ip nat inside source list 100 interface GigabitEthernet0/1 overload
end
write memory

Why this answer

The running configuration has two errors. First, access-list 100 incorrectly permits the 192.168.20.0/24 network instead of the inside network 192.168.10.0/24, so PAT will not translate any internal hosts. Second, the PAT command is missing the 'overload' keyword, which means only a single translation is possible, breaking connectivity for multiple devices.

The static NAT entry for the server is correctly mapping 192.168.10.100 to 203.0.113.5 and does not need correction.

Exam trap

Watch out for ACLs that match the wrong subnet in NAT configurations. Also, remember that PAT requires the 'overload' keyword; without it, only one translation is allowed. Static NAT often uses a different public IP than the PAT pool to avoid conflicts.

Why the other options are wrong

B

The static NAT entry is correct; the inside address 192.168.10.100 is properly mapped to 203.0.113.5.

C

Static NAT requires a separate public IP to avoid overlapping with PAT translations. The public IP 203.0.113.5 is appropriate.

D

The static NAT entry is correctly configured with 192.168.10.100 and 203.0.113.5; the error is solely in the ACL and missing overload keyword.

478
Multi-Select · medium

Which two statements accurately describe DNS in everyday network use?

Select 2 answers
A.DNS helps resolve hostnames into IP-related information.
B.DNS makes services easier to use by allowing names instead of raw IP addresses.
C.DNS automatically assigns IP addresses to hosts.
D.DNS replaces the need for subnet masks.
E.DNS elects the STP root bridge.
Answers: A, B

This is correct because name resolution is DNS’s core function.

Why this answer

DNS translates human-friendly hostnames into IP-related information, making network services more accessible by name rather than numeric addresses. Option A is correct because DNS resolves names to IP addresses. Option B is correct because using names improves usability and allows underlying IP changes without user disruption.

Option C is incorrect because IP address assignment is a DHCP function, not DNS. Option D is incorrect because subnet masks are part of IP addressing and routing, unrelated to DNS name resolution. Option E is incorrect because STP (Spanning Tree Protocol) elects a root bridge for loop-free topology, which is unrelated to DNS.

Exam trap

A frequent exam trap is mistaking DNS for DHCP or other network functions. Some candidates incorrectly believe DNS assigns IP addresses to hosts, but that role belongs to DHCP. Others confuse DNS with protocols like STP, which manages network topology but is unrelated to name resolution.

This confusion arises because both DNS and DHCP are IP services, but they serve distinct purposes. Misunderstanding these roles can lead to incorrect answers and misconfiguration in real networks. Remember, DNS only resolves hostnames into IP-related information and does not handle IP address assignment or network path selection.

Why the other options are wrong

C

Option C is incorrect because DNS does not assign IP addresses; that task belongs to DHCP, which dynamically provides IP configuration to hosts on a network.

D

Option D is incorrect because DNS does not replace subnet masks; subnet masks are used to define network and host portions of an IP address and control routing and addressing scope.

E

Option E is incorrect because DNS has no role in Spanning Tree Protocol (STP) operations, such as electing the root bridge; these functions are unrelated to DNS.

479
PBQ · hard

You are troubleshooting connectivity from R1 to the 172.16.20.0/24 network. The network engineer configured a floating static route on R1 as a backup for the OSPF-learned route, but after the primary OSPF route fails, the backup does not take over. Examine the current routing table and partial configuration on R1, then fix the issue so that when the OSPF neighbor goes down, R1 can still reach 172.16.20.0/24 via R3.

Network Topology
[Topology diagram] R1 G0/0 10.0.0.1/30 - R2 G0/0 10.0.0.2/30 (OSPF); R1 G0/1 203.0.113.1/30 - R3 G0/0 203.0.113.2/30 (static backup)

Hints

  • Check if the next-hop address is reachable via a directly connected interface.
  • A static route with a next-hop that is not directly connected requires a valid route to that next-hop.
  • Configure the static route with an exit interface to make it directly connected.
A.Change the static route to use an exit interface: ip route 172.16.20.0 255.255.255.0 GigabitEthernet0/1 203.0.113.2
B.Change the administrative distance of the static route to 110
C.Remove the OSPF process from R1
D.Add a static route to 203.0.113.0/24 via R1's directly connected interface
Answer: A
solution
! R1
no ip route 172.16.20.0 255.255.255.0 203.0.113.2 130
ip route 172.16.20.0 255.255.255.0 GigabitEthernet0/1 203.0.113.2 130

Why this answer

The floating static route was configured with an administrative distance of 130, higher than OSPF's default AD of 110, so it is deliberately kept out of the routing table while the OSPF route is present. That part of the configuration is correct.

When OSPF fails, the static route should take over, but it does not, because it points to a next-hop (203.0.113.2) that is not treated as directly connected; with no route to 203.0.113.2, the static route is never installed. The fix is either to reference a directly connected exit interface (GigabitEthernet0/1) in the static route or to add a route that reaches 203.0.113.2.

The simplest solution is to configure the static route with an exit interface: 'ip route 172.16.20.0 255.255.255.0 GigabitEthernet0/1 203.0.113.2'. This ensures the route is valid when the OSPF route disappears.

Exam trap

Trap: Candidates often focus on administrative distance values but forget that a static route must have a valid next-hop to be installed. Always verify that the next-hop is reachable (directly connected) or specify an exit interface for floating static routes.

Why the other options are wrong

B

The specific factual error is that a floating static route must have a higher AD than the dynamic protocol to act as a backup; setting it equal or lower would disrupt the primary route.

C

The specific factual error is that removing OSPF is an extreme measure that breaks connectivity, whereas a floating static route is meant to be a seamless backup.

D

The specific factual error is that adding an extra static route is not the standard solution; Cisco recommends using the exit interface for directly connected next-hops to ensure route validity.

480
MCQ · hard

A technician is troubleshooting a network issue where hosts in VLAN 20 on SW1 cannot communicate with hosts in VLAN 20 on SW2. Both switches are connected by an Ethernet trunk link that is up/up and configured as a trunk. The VLAN databases on both switches include VLAN 20, and the spanning tree for VLAN 20 is in a forwarding state on all ports. Hosts within VLAN 20 on each switch can communicate with each other locally. What is the most likely cause?

A.The native VLAN is mismatched on the two ends of the trunk.
B.VLAN 20 has not been created in the VLAN database on SW2.
C.The trunk encapsulation is mismatched between SW1 and SW2.
D.VLAN 20 is not in the switchport trunk allowed VLAN list on the trunk port between SW1 and SW2.
Answer: D

When a trunk port’s allowed VLAN list explicitly excludes a VLAN, the switch drops all frames tagged for that VLAN, even though the VLAN exists locally and the trunk is active. This results in the described symptom of local intra-VLAN communication working but no cross-switch communication for VLAN 20.

Why this answer

The most likely cause is that VLAN 20 is not included in the allowed VLAN list on the trunk port between SW1 and SW2. Even though the trunk is up/up and VLAN 20 exists in the VLAN database, the switchport trunk allowed vlan command restricts which VLANs can traverse the trunk. If VLAN 20 is omitted from this list, frames from VLAN 20 will be dropped at the trunk, preventing inter-switch communication for that VLAN.

Exam trap

Cisco often tests the distinction between VLAN existence in the database and VLAN permission on a trunk; candidates mistakenly think that if a VLAN is created and spanning tree is forwarding, it must work, but the trunk allowed list is an independent filter that can block traffic.

Why the other options are wrong

A

Candidates may think that a native VLAN mismatch breaks all trunk functions, but a mismatch affects only untagged (native VLAN) frames; tagged VLAN 20 frames would still cross the trunk, so it does not explain this symptom.

B

Candidates may assume that a missing VLAN on one switch explains inter-switch failures, ignoring that local communication would also fail.

C

Candidates might overlook that the trunk link is operational, which implies matching encapsulation.

481
MCQ · easy

Which field in an IPv4 packet is primarily used to prevent packets from looping forever in the network?

A.Version
B.Header checksum
C.Time to Live
D.Protocol
Answer: C

TTL is the loop-prevention field.

Why this answer

Each router decrements the TTL field by one. When TTL reaches zero, the packet is discarded. That mechanism prevents indefinite looping.

Exam trap

Remember that TTL is about lifespan and loop prevention, not error checking or addressing.

Why the other options are wrong

A

The Version field (4 bits) indicates the IP version (e.g., IPv4 or IPv6) and has no role in loop prevention. It is used by routers to interpret the packet header correctly.

B

The Header Checksum field detects errors in the IPv4 header only; it does not limit packet forwarding or prevent loops. If corrupted, the packet is discarded, but this does not stop looping.

D

The Protocol field identifies the next-level protocol (e.g., TCP, UDP, ICMP) carried in the payload. It has no impact on packet forwarding or loop prevention.

482
PBQ · hard

You are connected to R1 via console. R1 and R2 are connected via a serial link. OSPFv2 has been configured, but the adjacency is stuck in EXSTART state. You suspect a mismatched MTU. On R1, the interface MTU is currently set to 1400, while R2 uses the default MTU of 1500. You need to verify and fix the issue.

Network Topology
[Topology diagram] R1 S0/0/0 10.0.0.1/30 - serial link - R2 S0/0/0 10.0.0.2/30

Hints

  • The issue is with MTU mismatch.
  • Check the MTU on R1's serial interface.
  • After fixing, reset the OSPF process to force adjacency.
A.On R1, configure the interface MTU to 1500 and then clear the OSPF process using 'clear ip ospf process'.
B.On R1, configure the interface MTU to 1500 and then reload the router to apply the change.
C.On R1, configure the interface MTU to 1500 and then change the OSPF network type to point-to-point.
D.On R1, configure the interface MTU to 1500 and then adjust the OSPF hello and dead timers to match R2.
Answer: A
solution
! R1
configure terminal
interface Serial0/0/0
! restoring the interface MTU also resets the IP MTU used in OSPF DBD packets
mtu 1500
end
! clear is an exec command, so it runs after leaving config mode
clear ip ospf process

Why this answer

OSPF requires matching MTU values on a link. The incorrect MTU on R1 (1400) caused the adjacency to stall in EXSTART. Setting MTU to 1500 and clearing the OSPF process allows proper adjacency formation.

Exam trap

Do not confuse the states of OSPF adjacency. EXSTART state is specifically related to DBD exchange and MTU mismatch, while INIT or 2-WAY states are more common with hello/dead timer mismatches. Always verify MTU when adjacency is stuck in EXSTART.

Why the other options are wrong

B

The specific factual error is that a reload is not required to apply MTU changes; the interface MTU is applied immediately, and the OSPF process can be cleared to re-establish adjacencies.

C

The specific factual error is that OSPF network type does not affect MTU requirements; MTU must match regardless of network type.

D

The specific factual error is that timer mismatches affect the INIT and 2-WAY states, while EXSTART is associated with MTU or database descriptor (DBD) packet issues.

483
Multi-Select · medium

Which two statements accurately describe the relationship between a network address and a broadcast address in IPv4 subnetting?

Select 2 answers
A.The network address is the first address in the subnet block.
B.The broadcast address is the last address in the subnet block.
C.Both addresses are normal host addresses that can be assigned to users.
D.The broadcast address always becomes the default gateway.
E.These concepts exist only in IPv6 and not IPv4.
Answers: A, B

This is correct because the network address marks the beginning of the subnet.

Why this answer

The network address identifies the beginning of the subnet block, and the broadcast address identifies the final address in that block. In practical terms, both are reserved and are not assigned to ordinary hosts. The usable host range falls between them.

This is a very basic subnetting truth, but it is foundational for every other addressing calculation.

Exam trap

Be cautious not to confuse the roles of network and broadcast addresses with usable host addresses.

Why the other options are wrong

C

Both the network address and broadcast address are reserved addresses within a subnet and cannot be assigned to hosts. The network address identifies the subnet itself, and the broadcast address is used for one-to-all communication. Assigning them to hosts would cause conflicts.

D

The default gateway is typically the IP address of a router interface on the subnet, which is a normal host address within the usable range. The broadcast address is the last address in the subnet and is reserved for broadcasting; it cannot be used as a gateway.

E

Network and broadcast addresses are fundamental to IPv4 subnetting and are defined in IPv4 standards. IPv6 does not use broadcast addresses; instead, it uses multicast and anycast. Therefore, stating these concepts exist only in IPv6 is factually incorrect.

484
Multi-Select · medium

Which three of the following are considered best practices for securing device access in a Cisco network? (Choose three.)

Select 3 answers
A.Use SSH instead of Telnet for remote management.
B.Configure role-based access control (RBAC) using privilege levels or AAA.
C.Implement a login banner to display a warning against unauthorized access.
D.Disable password encryption using the 'service password-encryption' command.
E.Allow SNMPv1 read-write community strings for ease of management.
F.Use the same simple password for all devices to simplify administration.

Why this answer

SSH encrypts all traffic, including authentication credentials, protecting against eavesdropping and man-in-the-middle attacks, whereas Telnet sends everything in plaintext. Role-based access control (RBAC) via privilege levels or AAA limits users to only the commands necessary for their job, reducing the risk of accidental or malicious misconfiguration. A login banner provides legal notice that unauthorized access is prohibited, which is essential for prosecution and deters casual intruders.

Exam trap

Cisco often tests the misconception that 'service password-encryption' is a strong security measure, when in fact it only provides weak obfuscation (Type 7) that can be easily reversed, and the real best practice is to use secret passwords with Type 8/9 hashing.

485
MCQ · hard

Refer to the exhibit. A network engineer is troubleshooting a DHCP issue where DHCP clients on the LAN subnet are sending DHCPDISCOVER messages but the DHCP server does not receive them. The output of the show ip dhcp binding command on R1 is shown. What is the most likely cause of the problem?

A.DHCP service is disabled on R1.
B.The ip helper-address command is configured on the WAN interface instead of the LAN interface facing the DHCP clients.
C.The DHCP pool is configured with a network address that does not match the client subnet.
D.The default-router option is missing from the DHCP pool configuration.
Answer: B

The show ip dhcp binding output shows zero bindings because the router is not relaying DHCP broadcasts. For a DHCP relay agent to work, the ip helper-address must be placed on the interface that receives client broadcasts (the LAN interface). Configured on the WAN interface, it only relays broadcasts that arrive there, so the client DISCOVERs arriving on the LAN interface are never forwarded to the DHCP server.

Why this answer

The show ip dhcp binding output explicitly displays 'Total number of bindings = 0', confirming that no DHCP leases have been issued. Because the router is acting as a DHCP relay agent, this indicates it is not receiving any DHCPDISCOVER broadcasts from the clients. The most plausible reason is that the ip helper-address command is mistakenly placed on the WAN interface, which faces away from the client subnet, rather than on the LAN interface where the clients reside.

Without the helper address on the correct interface, broadcast DHCP messages are not forwarded to the DHCP server, resulting in zero bindings.

Exam trap

Many candidates select option C (incorrect network statement in the DHCP pool) because they assume a pool configuration error prevents any IP address assignment. However, even with a mismatched network statement, if the DHCP server received the DISCOVER messages it would still attempt to offer an address (and the binding table would show some activity or error). The true issue here is that the server never sees the requests because the relay agent is misconfigured.

Why the other options are wrong

A

Candidates may think that an empty binding table means the service is off, but the command itself would fail or show a service status if DHCP were truly disabled.

C

Candidates often associate 'no addresses assigned' with a pool misconfiguration, but a pool mismatch would not prevent the server from seeing DISCOVER messages and possibly creating failed or erroneous bindings.

D

Candidates may confuse a missing option with a complete failure of DHCP operation, but IP address leasing is independent of options like default-router.

486
Multi-Select · medium

Which two statements about RESTful APIs are correct? (Choose two.)

Select 2 answers
A.They commonly use HTTP methods such as GET and POST.
B.They require Layer 2 adjacency between client and server.
C.They often exchange structured data such as JSON.
D.They replace the need for routing protocols on the network.
Answers: A, C

Correct. Those verbs are central to REST interactions.

Why this answer

REST commonly uses HTTP verbs and typically exchanges structured data such as JSON.

Exam trap

A frequent exam trap is the misconception that RESTful APIs require Layer 2 adjacency between client and server devices. Some candidates mistakenly believe that because RESTful APIs use HTTP, they must operate only within the same broadcast domain or VLAN. However, RESTful APIs function over routed IP networks just like any other web traffic, so Layer 2 adjacency is not necessary.

Another trap is thinking that RESTful APIs replace routing protocols, which is incorrect since APIs only provide programmable access to device functions and do not handle routing or forwarding.

Why the other options are wrong

B

Option B is incorrect because RESTful APIs do not require Layer 2 adjacency; they operate over routed IP networks, allowing clients and servers to communicate across different subnets.

D

Option D is incorrect because RESTful APIs do not replace routing protocols; they provide programmable access to device functions but do not handle routing or forwarding decisions.

487
Matching · medium

Match each management or monitoring technology to its primary purpose.

Concepts: Syslog, NTP, NetFlow, SNMP traps

Descriptions
  • Exports event and log messages
  • Synchronizes device time
  • Summarizes traffic flows
  • Sends unsolicited alerts to a manager

Why these pairings

Syslog is designed to export event and log messages from network devices. NTP synchronizes device clocks across the network. NetFlow collects and summarizes traffic flows for analysis.

SNMP traps are unsolicited alerts sent from an agent to a management station to notify of events.

Exam trap

Be careful not to confuse the purposes of SNMP, Syslog, NetFlow, and CDP/LLDP. SNMP is for management and monitoring; Syslog is for logging; NetFlow is for traffic analysis; CDP/LLDP are for neighbor discovery. Each has a distinct role.

488
Matching · medium

Drag and drop the switch port configuration commands on the left to the correct descriptions on the right.

Concepts: switchport mode access, switchport access vlan 10, switchport voice vlan 20, switchport mode trunk, switchport trunk allowed vlan 100,200

Descriptions
  • Statically configures the port as an access port
  • Sets the data VLAN for an access port
  • Assigns the VLAN for IP phone voice traffic
  • Permanently sets the interface as a trunk port
  • Restricts which VLANs traverse the trunk

Why these pairings

The command 'switchport mode access' statically sets the port as an access port. 'switchport access vlan 10' assigns VLAN 10 as the data VLAN for connected devices. 'switchport voice vlan 20' defines the VLAN used by a Cisco IP phone for voice traffic. 'switchport mode trunk' forces the port into permanent trunking mode. 'switchport trunk allowed vlan 100,200' restricts the trunk to carry only VLANs 100 and 200.

489
PBQhard

You are connected to R1. The network has a web server at 203.0.113.10 and a DNS server at 203.0.113.20. Hosts in the 192.168.1.0/24 subnet should be able to access HTTP to the web server and DNS queries to the DNS server, but all other traffic from that subnet to the servers must be blocked. Configure an extended ACL on R1 to achieve this, and apply it inbound on the correct interface. The current configuration is shown below.

Hints

  • The ACL must filter traffic as it enters R1 from the 192.168.1.0/24 hosts.
  • Use an extended named or numbered ACL; the order of permit statements matters.
  • The implicit deny at the end of the ACL already blocks everything else; an explicit deny ip any any is optional, but it gives you a hit counter to watch while troubleshooting.
A.access-list 100 permit tcp 192.168.1.0 0.0.0.255 host 203.0.113.10 eq 80 access-list 100 permit udp 192.168.1.0 0.0.0.255 host 203.0.113.20 eq 53 access-list 100 deny ip 192.168.1.0 0.0.0.255 203.0.113.0 0.0.0.255 interface GigabitEthernet0/0 ip access-group 100 in
B.access-list 100 permit tcp 192.168.1.0 0.0.0.255 host 203.0.113.10 eq 80 access-list 100 permit udp 192.168.1.0 0.0.0.255 host 203.0.113.20 eq 53 access-list 100 deny ip any any interface GigabitEthernet0/1 ip access-group 100 in
C.access-list 100 permit tcp 192.168.1.0 0.0.0.255 host 203.0.113.10 eq 80 access-list 100 permit udp 192.168.1.0 0.0.0.255 host 203.0.113.20 eq 53 access-list 100 deny ip 192.168.1.0 0.0.0.255 203.0.113.0 0.0.0.255 interface GigabitEthernet0/0 ip access-group 100 out
D.access-list 100 permit tcp 192.168.1.0 0.0.0.255 host 203.0.113.10 eq 80 access-list 100 permit udp 192.168.1.0 0.0.0.255 host 203.0.113.20 eq 53 access-list 100 deny ip 192.168.1.0 0.0.0.255 203.0.113.0 0.0.0.255 interface GigabitEthernet0/1 ip access-group 100 in
AnswerA
solution
! R1
access-list 100 permit tcp 192.168.1.0 0.0.0.255 host 203.0.113.10 eq 80
access-list 100 permit udp 192.168.1.0 0.0.0.255 host 203.0.113.20 eq 53
access-list 100 deny ip 192.168.1.0 0.0.0.255 203.0.113.0 0.0.0.255
interface GigabitEthernet0/0
ip access-group 100 in

Why this answer

The ACL must permit HTTP (tcp, destination port 80) to the web server and DNS (udp, destination port 53) to the DNS server from 192.168.1.0/24, then deny all other IP traffic from that subnet to the 203.0.113.0/24 server block. It is applied inbound on GigabitEthernet0/0, the interface facing the 192.168.1.0/24 hosts, so filtering happens as traffic enters R1 and before any routing decision. The third line is redundant with the implicit deny, but it documents the intent and gives a hit counter. Two practical caveats: the implicit deny also drops every other packet from the subnet arriving on that interface (for example Internet-bound traffic), so if only server-bound traffic is meant to be restricted a final permit ip any any is required; and the ACL leaves out TCP 53, which DNS uses for large responses and zone transfers. Both are fine for the question as written but matter in production.

Exam trap

The key trap is that candidates often apply ACLs on the wrong interface or in the wrong direction. Remember: inbound ACLs filter traffic entering the interface, outbound ACLs filter traffic leaving the interface. Place the ACL as close to the source as possible.

Also, the implicit deny at the end of every ACL means you do not need an explicit deny ip any any, and adding one cannot override an earlier permit, because evaluation stops at the first matching entry. Add it only when you want a hit counter or the log keyword on denied traffic.
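An added example (not part of the exam page) that models how IOS walks this ACL: top-down, first match wins, implicit deny at the end. The packets and the two ACL variants below are constructed for the demonstration; they show that an appended deny does not override earlier permits and that, without a final permit, the implicit deny also drops the subnet's traffic to every other destination.

```python
# Added example: first-match evaluation of a Cisco-style extended ACL.
# Entries mirror access-list 100 from the question; packets are constructed.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Entry:
    action: str           # "permit" or "deny"
    proto: str            # "ip", "tcp" or "udp"
    src: str              # "any", "host A.B.C.D" or "A.B.C.D W.W.W.W" (wildcard mask)
    dst: str
    dport: Optional[int] = None   # the "eq <port>" on the destination, if any


def wildcard_match(addr: str, spec: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the mask means 'do not care'."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return addr == spec.split()[1]
    net, wildcard = spec.split()
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (n & care)


def entry_matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if not wildcard_match(p.src, e.src) or not wildcard_match(p.dst, e.dst):
        return False
    return e.dport is None or p.dport == e.dport


def evaluate(acl, p: Packet):
    """Walk the ACL top-down and stop at the first match.

    Returns (action, 1-based line of the matching entry); a line of None
    means nothing matched and the implicit deny at the end applied.
    """
    for line, e in enumerate(acl, start=1):
        if entry_matches(e, p):
            return e.action, line
    return "deny", None


ACL_100 = [
    Entry("permit", "tcp", "192.168.1.0 0.0.0.255", "host 203.0.113.10", 80),
    Entry("permit", "udp", "192.168.1.0 0.0.0.255", "host 203.0.113.20", 53),
    Entry("deny", "ip", "192.168.1.0 0.0.0.255", "203.0.113.0 0.0.0.255"),
]

# Same ACL with an explicit deny appended: earlier permits still win.
ACL_100_EXPLICIT_DENY = ACL_100 + [Entry("deny", "ip", "any", "any")]

# Variant that restricts only server-bound traffic and lets everything
# else from the subnet through (needed if the LAN also reaches the
# Internet via this interface).
ACL_100_PERMIT_REST = ACL_100 + [Entry("permit", "ip", "any", "any")]

# Constructed test packets
HTTP_TO_WEB = Packet("tcp", "192.168.1.25", "203.0.113.10", 80)
DNS_UDP = Packet("udp", "192.168.1.25", "203.0.113.20", 53)
DNS_TCP = Packet("tcp", "192.168.1.25", "203.0.113.20", 53)
SSH_TO_WEB = Packet("tcp", "192.168.1.25", "203.0.113.10", 22)
HTTP_TO_INTERNET = Packet("tcp", "192.168.1.25", "198.51.100.7", 80)

if __name__ == "__main__":
    cases = [("HTTP to web server", HTTP_TO_WEB), ("DNS/UDP to DNS server", DNS_UDP),
             ("DNS/TCP to DNS server", DNS_TCP), ("SSH to web server", SSH_TO_WEB),
             ("HTTP to the Internet", HTTP_TO_INTERNET)]
    for name, pkt in cases:
        print(f"{name:24} {evaluate(ACL_100, pkt)}  with permit ip any any: "
              f"{evaluate(ACL_100_PERMIT_REST, pkt)}")
```

Running it shows the DNS-over-TCP and Internet-bound cases being dropped by lines that the question never mentions, which is exactly what a hit counter on the router would reveal.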

Why the other options are wrong

B

The trailing deny ip any any is not the problem: ACLs are evaluated top-down and stop at the first match, so packets that hit a permit never reach it. The error is the interface. Applied inbound on GigabitEthernet0/1, the server-facing side, the ACL would filter traffic arriving from the servers rather than traffic arriving from the 192.168.1.0/24 subnet.

C

The ACL should be applied inbound on the interface receiving traffic from the 192.168.1.0/24 subnet (GigabitEthernet0/0) to filter before routing. Applying it outbound on the same interface would only filter traffic leaving that interface, which is not the traffic path from the subnet to the servers.

D

The ACL must be applied on the interface closest to the source of the traffic to be filtered. Since the traffic originates from the 192.168.1.0/24 subnet, the ACL should be applied inbound on GigabitEthernet0/0, not on the server-facing interface.

490
Multi-Selectmedium

Which TWO commands can a network technician use on a modern Linux host to verify the IP address configuration and test reachability to a remote server?

Select 2 answers
A.ip addr
B.ifconfig
C.tracert
D.ping
E.nslookup
AnswersA, D

The `ip addr` command is the modern Linux utility to display all network interfaces and their assigned IP addresses, MAC addresses, and status.

Why this answer

The `ip addr` command (option A) is the modern Linux utility for displaying IP address configuration, replacing the deprecated `ifconfig`. The `ping` command (option D) uses ICMP Echo Request/Reply messages to test Layer 3 reachability to a remote server. `ifconfig` (option B) is deprecated and not expected for current certification exams; `tracert` (option C) is a Windows command; `nslookup` (option E) performs DNS lookups but does not verify IP configuration or connectivity.

Exam trap

Cisco often tests the distinction between Windows and Linux commands, so the trap here is that candidates may mistakenly select `tracert` (a Windows command) instead of recognizing that the Linux equivalent is `traceroute`, or they may choose `ifconfig` without knowing it is deprecated in favor of `ip addr`.

Why the other options are wrong

B

Although `ifconfig` can still display IP settings, it is a deprecated legacy command and the question expects the modern `ip addr` from the iproute2 suite.

C

`tracert` is the Windows traceroute utility; the Linux command is `traceroute`.

E

`nslookup` is a DNS troubleshooting tool and cannot verify interface IP configuration or test basic reachability like `ping`.

491
PBQmedium

You are connected to R1 via the console. R1 and R2 are running OSPFv2 in area 0. R1's router ID is 1.1.1.1, and R2's router ID is 2.2.2.2. Both routers are connected via GigabitEthernet0/0 on the 192.168.12.0/30 subnet. You need to ensure that R1 does not send OSPF hello messages out of its Loopback0 interface, while still advertising the loopback network into OSPF.

Network Topology
Network Topology (diagram): R1 Lo0 10.0.0.1/32; R1 G0/0 to R2 on 192.168.12.0/30 (192.168.12.2/30 labelled in the diagram)

Hints

  • The command is configured under the OSPF process.
  • Use the keyword 'passive-interface' followed by the interface name.
  • This prevents OSPF from sending hello messages on that interface.
A.Configure the passive-interface Loopback0 command under the OSPF process.
B.Remove the network 192.168.12.0 0.0.0.3 area 0 command from the OSPF configuration.
C.Configure the ip ospf passive-interface command on GigabitEthernet0/0.
D.Configure the network 192.168.12.0 0.0.0.3 area 0 command under the OSPF process.
AnswerA
solution
! R1
router ospf 1
passive-interface Loopback0

Why this answer

Marking Loopback0 passive under the OSPF process stops R1 from sending hellos out of that interface (a loopback has no neighbors, so hellos there are wasted work and one more place to leak routing information). The interface is still covered by the network statement, so its /32 remains in R1's router LSA as a stub network and is still advertised. In practice many engineers use passive-interface default and then no passive-interface GigabitEthernet0/0, so that only the intended transit links form adjacencies.

Exam trap

Trap: Candidates may confuse passive-interface with removing network statements or applying it to the wrong interface. Remember that passive-interface suppresses hellos but still advertises the network, and it should be applied to the interface that should not form adjacencies, not the transit link.

Why the other options are wrong

B

The specific factual error is that the network statement for the transit link is necessary for OSPF adjacency; removing it would break the OSPF neighbor relationship.

C

The specific factual error is that applying passive-interface to the transit link would prevent the OSPF neighbor relationship from forming, which is not the goal.

D

The specific factual error is that adding a network statement does not suppress hello messages; it only includes the interface in the OSPF process.

492
MCQmedium

Which command enables IPv6 routing on a Cisco router?

A.ipv6 unicast-routing
B.ipv6 enable
C.ip routing ipv6
D.ipv6 route enable
AnswerA

Correct. This is the required global command.

Why this answer

The global configuration command 'ipv6 unicast-routing' enables IPv6 forwarding on a Cisco router. 'ipv6 enable' is an interface-level command used to enable IPv6 on a specific interface, not globally. 'ip routing ipv6' and 'ipv6 route enable' are syntactically invalid commands that do not exist in Cisco IOS.

Exam trap

Be careful not to confuse interface-specific commands with global routing commands. Remember that enabling IPv6 globally requires a specific command.

Why the other options are wrong

B

'ipv6 enable' is an interface command, not a global command to enable IPv6 routing.

C

'ip routing ipv6' is not a valid Cisco IOS command.

D

'ipv6 route enable' is not a valid Cisco IOS command.

493
MCQmedium

A network engineer is tasked with monitoring a large enterprise network that requires high-frequency, real-time data collection from thousands of routers and switches. The engineer needs a solution that minimizes CPU overhead on the network devices and supports push-based data delivery. Which technology should the engineer choose for this requirement?

A.SNMPv2c with frequent polling intervals
B.Streaming telemetry
C.NetFlow
D.IPFIX
AnswerB

Streaming telemetry uses a push model, reducing CPU overhead by having devices send data on a schedule or event basis. It scales well for large networks and supports real-time visibility.

Why this answer

Streaming telemetry uses a push model where devices continuously send structured data (e.g., via gRPC or UDP) to collectors, reducing the need for polling and lowering CPU impact. SNMPv2c uses pull-based polling (get requests) which increases CPU load with high-frequency queries. NetFlow and IPFIX are flow-based and better suited for traffic analysis, not real-time device metrics like CPU or memory.

Why the other options are wrong

A

SNMPv2c uses a pull model where the manager polls devices for data. Frequent polling intervals increase CPU usage on network devices and can cause scalability issues with thousands of devices, making it unsuitable for high-frequency, real-time data collection with minimal overhead.

C

NetFlow is designed for traffic flow analysis, capturing details like source/destination IPs and ports, not for collecting device health metrics such as CPU or memory. Its export mechanism can be CPU-intensive and does not provide the push-based efficiency needed for real-time monitoring of device status.

D

IPFIX is an extension of NetFlow for flexible flow export and shares the same focus on traffic flows, not device health metrics. Like NetFlow, it does not offer the push-based, low-overhead data delivery required for real-time monitoring of thousands of devices.

494
MCQeasy

A host sends traffic to a web server on another subnet. Which address is used as the destination MAC address in the first Ethernet frame sent by the host?

A.The MAC address of the remote web server
B.The MAC address of the local default gateway
C.The MAC address of the DNS server
D.The broadcast MAC address
AnswerB

Correct. The default gateway is the Layer 2 next hop for remote destinations.

Why this answer

When a host wants to communicate with a device on a different subnet, it cannot reach that device directly. The host must send the frame to its default gateway, which is the router that connects to other subnets. Therefore, the destination MAC address in the first Ethernet frame is the MAC address of the local default gateway, not the remote web server (A).

The DNS server (C) is used for name resolution, not for forwarding traffic. The broadcast MAC address (D) would send the frame to all devices on the local subnet, which is not appropriate for unicast communication to a remote destination.

Exam trap

Remember that the destination MAC address for remote communication is the default gateway's, not the remote host's.

Why the other options are wrong

A

The MAC address of the remote web server is not used because the remote host is on a different subnet and cannot be reached directly at Layer 2.

C

The DNS server is used for domain name resolution, not for forwarding data frames to remote subnets.

D

The broadcast MAC address would send the frame to all devices on the local subnet, which is incorrect for unicast traffic to a remote destination.

495
Multi-Selectmedium

Which two statements accurately describe why logs and accounting records both matter in secure operations?

Select 2 answers
A.They improve visibility into events and activity after access occurs.
B.They help with accountability and incident review.
C.They replace the need for authentication entirely.
D.They are useful only on wireless guest networks.
E.They automatically create access policies for administrators.
AnswersA, B

This is correct because both support post-event understanding and investigation.

Why this answer

Logs and accounting records both matter because security is not only about preventing access, but also about understanding what happened. In practical terms, logs can provide event visibility and system context, while accounting records can add traceability for user activity and access sessions. Together they improve incident review and operational accountability.

This is a visibility-and-traceability question, not a pure prevention question.

Exam trap

Don't confuse logs and accounting records with access control measures; they are about visibility and traceability, not prevention.

Why the other options are wrong

C

Logs and accounting records do not replace authentication; they complement it by recording who accessed what and when. Authentication is still required to verify identity before access is granted, and logs only capture activity after authentication occurs.

D

Logging and accounting are essential across all network segments, including wired, wireless, VPN, and data center environments. Limiting them to wireless guest networks would leave other critical areas unmonitored, creating security gaps.

E

Logs and accounting records are passive records of events; they do not automatically create or modify access policies. Policy creation requires administrative action based on analysis of logs, not the logs themselves.

496
MCQhard

A user connects a small unmanaged switch to an access port, and the port immediately transitions to err-disabled. Which feature most likely caused this behavior?

A.UDLD aggressive
B.BPDU Guard
C.Root guard
D.Loop guard
AnswerB

This is correct because BPDU Guard disables a PortFast-enabled interface if a BPDU is received.

Why this answer

BPDU Guard is the correct answer because it is designed to protect access ports configured with PortFast. An unmanaged switch does not run STP itself, but it floods any BPDU it receives from whatever is plugged into it, and if it creates a loop the access switch's own BPDUs come back through it; as soon as a BPDU arrives on a BPDU Guard port the switch places the port in err-disabled state, stopping the loop or topology change before it spreads. UDLD aggressive detects unidirectional links but does not react to BPDU reception.

Root guard blocks a port on which a superior BPDU arrives (a switch behind it trying to become root) by placing it in root-inconsistent state, not err-disabled. Loop guard prevents alternate/root ports from becoming designated when BPDUs stop arriving, putting the port into loop-inconsistent state, again not err-disabled.

Exam trap

Remember that BPDU Guard specifically targets BPDUs on PortFast ports, not general security or loop prevention.

Why the other options are wrong

A

UDLD (including aggressive mode) is a Layer 2 keepalive protocol, most often used on fiber links, that err-disables a port when it detects a unidirectional link; it does not react to BPDUs.

C

Root guard prevents a port from becoming the root bridge by moving it to root-inconsistent state, not err-disabled.

D

Loop guard prevents alternate/root ports from becoming designated when BPDUs stop, putting the port in loop-inconsistent state, not err-disabled.

497
Multi-Selectmedium

Which TWO statements are true regarding switch port configuration for access, voice, and trunk ports?

Select 2 answers
A.A switch port configured as a trunk port can simultaneously carry untagged traffic for the native VLAN and tagged traffic for multiple other VLANs.
B.When a port is configured with both an access VLAN and a voice VLAN, the switchport must be set to trunk mode.
C.The switchport mode dynamic auto command sets the port to actively attempt to form a trunk if the neighbor initiates negotiation.
D.An access port with a voice VLAN configured sends CDP or LLDP information to the IP phone to identify the voice VLAN.
E.Issuing the switchport trunk allowed vlan command automatically includes the native VLAN in the allowed list, so it never needs to be explicitly added.
AnswersA, D

Trunk ports support one native VLAN (untagged) and allow tagged traffic for additional VLANs listed in the allowed VLAN list.

Why this answer

Option A is correct because a trunk port, by definition, carries untagged frames for the native VLAN (typically VLAN 1 unless changed) and simultaneously carries tagged frames for all other VLANs allowed on the trunk. This behavior is fundamental to IEEE 802.1Q trunking, where the native VLAN is the only VLAN whose frames are sent untagged to maintain backward compatibility with devices that do not understand VLAN tagging.

Exam trap

Cisco often tests the distinction between 'dynamic auto' and 'dynamic desirable' DTP modes, where candidates mistakenly think 'auto' actively initiates trunk negotiation, when in fact it only responds to incoming DTP messages.

Why the other options are wrong

B

Multi-VLAN access ports (access + voice) stay in access mode; trunk mode is not required and would incorrectly pass all VLANs.

C

Dynamic desirable actively initiates, but dynamic auto is passive.

E

When you prune the allowed VLANs, any omitted VLANs (including the native VLAN) are blocked unless added back.
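An added example (not part of the exam page) that models what a trunk port transmits and accepts per VLAN: untagged frames for the native VLAN, a four-byte 802.1Q tag for every other allowed VLAN, and nothing at all for a VLAN that has been pruned from the allowed list, native or not. The tag_native flag models the global vlan dot1q tag native command, the usual mitigation for native-VLAN hopping; the MAC addresses and payload are constructed.

```python
# Added example: egress/ingress behaviour of one 802.1Q trunk port
# (a model for illustration, not IOS code).
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


class TrunkPort:
    def __init__(self, native_vlan=1, allowed=None, tag_native=False):
        self.native_vlan = native_vlan
        # None models the trunk default of all VLANs; a set models
        # 'switchport trunk allowed vlan ...'
        self.allowed = allowed
        # True models the global 'vlan dot1q tag native'
        self.tag_native = tag_native

    def is_allowed(self, vlan):
        return self.allowed is None or vlan in self.allowed

    def egress(self, vlan, dst_mac, src_mac, payload, ethertype=ETHERTYPE_IPV4):
        """Bytes sent out the trunk for a frame in 'vlan', or None if pruned."""
        if not self.is_allowed(vlan):
            return None  # not in the allowed list; the native VLAN is no exception
        header = dst_mac + src_mac
        if vlan == self.native_vlan and not self.tag_native:
            return header + struct.pack("!H", ethertype) + payload  # untagged
        tci = (0 << 13) | (0 << 12) | (vlan & 0x0FFF)  # PCP=0, DEI=0, 12-bit VID
        return header + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload

    def ingress_vlan(self, frame):
        """VLAN assigned to a frame received on the trunk, or None if dropped."""
        (ethertype,) = struct.unpack("!H", frame[12:14])
        if ethertype == TPID_8021Q:
            (tci,) = struct.unpack("!H", frame[14:16])
            vlan = tci & 0x0FFF
        elif self.tag_native:
            return None  # untagged frames are dropped once native tagging is on
        else:
            vlan = self.native_vlan  # untagged frames land in the native VLAN
        return vlan if self.is_allowed(vlan) else None


# Constructed sample frame pieces (not captured traffic)
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("0c1234567890")
PAYLOAD = b"\x45" + b"\x00" * 19

if __name__ == "__main__":
    trunk = TrunkPort(native_vlan=1, allowed={1, 100, 200})
    for vlan in (1, 100, 300):
        frame = trunk.egress(vlan, DST, SRC, PAYLOAD)
        print(vlan, "pruned" if frame is None else frame[12:18].hex())
```

The ingress side is the security-relevant half: whatever arrives untagged is placed in the native VLAN, so a native VLAN that is also used for user traffic, or that differs between the two ends of the trunk, lets a host inject frames into a VLAN it should not reach.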

498
Matchingeasy

Match each STP-related feature or term to its most accurate description.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Speeds an edge port into forwarding state

Disables an edge port if a BPDU is received

Prevents a port from becoming a root path under superior BPDU conditions

Protects certain non-designated ports when expected BPDUs stop arriving

Why these pairings

PortFast moves an access port immediately to forwarding state, skipping listening/learning to speed host connectivity. BPDU Guard protects edge ports by disabling a PortFast port if any BPDU is received, preventing accidental loops. Root Guard keeps a port from becoming a root port: if a superior BPDU arrives on it, the port is placed in root-inconsistent (blocking) state until those BPDUs stop, preserving the intended root bridge placement.

Loop Guard keeps non-designated ports in blocking when expected BPDUs are lost, avoiding loops from unidirectional links. The given matches correctly pair each feature to its precise STP behavior, and other descriptions would apply to different features like Root Bridge or Alternate Port, not to these terms.

Exam trap

Be careful to match each term to its specific description. The distractors are accurate descriptions of other STP features, so you must know the exact definition of the term in the stem. Do not assume that any correct STP description is the answer; it must match the given term.

499
Multi-Selectmedium

Which TWO interface issues can be identified by analyzing the output of the 'show interfaces' command?

Select 2 answers
A.Duplex mismatch
B.Routing protocol misconfiguration
C.Speed mismatch
D.VLAN mismatch
E.STP topology change
AnswersA, C

The 'show interfaces' output shows late collisions, CRC errors, or input errors that are often caused by a duplex mismatch between two connected devices.

Why this answer

The 'show interfaces' command reports the operational duplex and speed of the interface together with its error counters. A duplex mismatch shows up as late collisions on the half-duplex side and as CRC/input errors (often with runts) on the full-duplex side, because that side keeps transmitting while the other detects collisions. A speed mismatch usually prevents the link from coming up at all, so the interface shows down/down (or up/down); the configured and negotiated speed in the same output tells you why.

Exam trap

Cisco often tests that 'show interfaces' reveals physical-layer issues like duplex and speed mismatches, but candidates mistakenly think it also shows Layer 2 or Layer 3 problems such as VLAN or routing misconfigurations.
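An added example (not part of the exam page) that pulls duplex, speed and the relevant error counters out of 'show interfaces' output and flags the patterns that point at a duplex or speed problem. The SAMPLE text is constructed to resemble IOS output, not captured from a device, and the finding codes are this example's own.

```python
# Added example: parse 'show interfaces' and flag duplex/speed symptoms.
import re

# Constructed excerpt (not captured from a device)
SAMPLE = """\
GigabitEthernet0/1 is up, line protocol is up (connected)
  Hardware is iGbE, address is 0c12.3456.7890 (bia 0c12.3456.7890)
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
  Full-duplex, 100Mb/s, media type is RJ45
     40210 packets input, 5120333 bytes, 0 no buffer
     0 runts, 0 giants, 0 throttles
     312 input errors, 298 CRC, 14 frame, 0 overrun, 0 ignored
     39800 packets output, 4900210 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     0 babbles, 0 late collision, 0 deferred
GigabitEthernet0/2 is up, line protocol is up (connected)
  Hardware is iGbE, address is 0c12.3456.7891 (bia 0c12.3456.7891)
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
  Half-duplex, 100Mb/s, media type is RJ45
     12000 packets input, 1500000 bytes, 0 no buffer
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     11500 packets output, 1450000 bytes, 0 underruns
     0 output errors, 640 collisions, 3 interface resets
     0 babbles, 77 late collision, 120 deferred
GigabitEthernet0/3 is down, line protocol is down (notconnect)
  Hardware is iGbE, address is 0c12.3456.7892 (bia 0c12.3456.7892)
  MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
  Auto-duplex, Auto-speed, media type is RJ45
     0 packets input, 0 bytes, 0 no buffer
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 output errors, 0 collisions, 0 interface resets
     0 babbles, 0 late collision, 0 deferred
"""

HEADER = re.compile(r"^(\S+) is (administratively down|up|down), line protocol is (up|down)")
DUPLEX = re.compile(r"^\s+(Full|Half|Auto)-duplex, (\S+?),")
INPUT_ERR = re.compile(r"(\d+) input errors, (\d+) CRC")
LATE_COLL = re.compile(r"(\d+) late collision")


def parse_show_interfaces(text):
    """Return one dict per interface with status, duplex, speed and counters."""
    interfaces, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = {"name": m.group(1), "status": m.group(2), "protocol": m.group(3),
                       "duplex": None, "speed": None, "input_errors": 0, "crc": 0,
                       "late_collisions": 0}
            interfaces.append(current)
            continue
        if current is None:
            continue
        if (m := DUPLEX.match(line)):
            current["duplex"], current["speed"] = m.group(1).lower(), m.group(2)
        elif (m := INPUT_ERR.search(line)):
            current["input_errors"], current["crc"] = int(m.group(1)), int(m.group(2))
        elif (m := LATE_COLL.search(line)):
            current["late_collisions"] = int(m.group(1))
    return interfaces


def diagnose(i):
    """Finding codes for one parsed interface (single-snapshot heuristics)."""
    if i["status"] == "administratively down":
        return ["ADMIN_DOWN"]
    if i["status"] == "down" and i["protocol"] == "down":
        # no link at all: cabling, far end powered off, or a hard-coded
        # speed the peer cannot negotiate; compare 'speed' on both sides
        return ["NO_LINK_CHECK_SPEED_CABLE"]
    findings = []
    if i["duplex"] == "half" and i["late_collisions"] > 0:
        findings.append("DUPLEX_MISMATCH_HALF_SIDE")      # peer is likely full-duplex
    if i["duplex"] == "full" and i["crc"] > 0:
        findings.append("DUPLEX_MISMATCH_FULL_SIDE_OR_CABLE")  # peer likely half, or bad cable
    if i["duplex"] == "full" and i["late_collisions"] > 0:
        findings.append("LATE_COLLISIONS_ON_FULL_DUPLEX")  # should not happen; suspect hardware
    return findings


if __name__ == "__main__":
    for iface in parse_show_interfaces(SAMPLE):
        print(iface["name"], iface["duplex"], iface["speed"], diagnose(iface))
```

Counters only tell you they are rising if you compare two snapshots, so in practice run this against output taken a few minutes apart (or after clear counters) before blaming a link.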

Why the other options are wrong

B

Routing protocol misconfiguration is a Layer 3 issue that does not manifest in the 'show interfaces' output, which focuses on Layer 1 and Layer 2 interface statistics. To diagnose routing issues, you would use commands like 'show ip route' or 'show ip protocols'.

D

A VLAN mismatch is a Layer 2 issue that does not appear in the 'show interfaces' output; it is diagnosed using 'show vlan' or 'show interfaces trunk'. The 'show interfaces' command shows physical and data link layer statistics, not VLAN membership.

E

STP topology changes are not directly visible in 'show interfaces'; they are monitored using 'show spanning-tree' or 'debug spanning-tree events'. The 'show interfaces' command does not provide information about spanning-tree state changes.

500
MCQhard

A network technician is troubleshooting an inter-VLAN routing issue on a multilayer switch. Hosts on VLAN 10 can reach the SVI for VLAN 10 (10.0.10.1) but cannot reach hosts on VLAN 20. The technician has verified that 'ip routing' is enabled and that the 'show ip route' command displays directly connected routes for both VLANs. No static routes are configured. What should the technician do next?

A.Check the ARP table for entries on VLAN 20.
B.Issue the 'show ip routing' command again to confirm routing is enabled.
C.Configure a default route pointing to the next-hop gateway.
D.Verify the VLAN membership of the destination host on VLAN 20.
AnswerA

The Layer 3 routing table is correct; the problem is likely that the switch lacks a Layer 2 MAC address for the destination host on VLAN 20. Examining the ARP cache will confirm whether the switch can map the destination IP to a MAC address, and if not, will show that ARP resolution is failing, which explains the connectivity break.

Why this answer

Because the switch has directly connected routes for both VLANs and routing is enabled, the Layer 3 forwarding logic is intact. The failure from VLAN 10 hosts to VLAN 20 hosts suggests that the switch cannot resolve the destination host's MAC address on VLAN 20, preventing Layer 2 frame encapsulation. Checking the ARP table with 'show ip arp' or similar will reveal whether the destination IPv4 address has a valid MAC entry on the correct VLAN interface.

This targets Layer 2—the most likely remaining failure point after Layer 3 has been verified.

Exam trap

Verifying the VLAN membership of the destination host (Option D) — candidates may assume the destination host is simply on the wrong VLAN, but the scenario explicitly states that the unreachable hosts are on VLAN 20, and Layer 3 connectivity is confirmed up to the SVI. The more efficient and targeted next step is to check the ARP resolution on that VLAN, which directly addresses the encapsulation failure.

Why the other options are wrong

B

This option revisits a step already completed and verified, making it redundant. Candidates might think double-checking routing is safe, but the scenario explicitly states routing is working as expected.

C

Some candidates might believe inter-VLAN communication requires a default route, but directly connected routes already provide full reachability without static routing. This action is overly drastic and misdirected.

D

Candidates often jump to VLAN misconfigurations when inter-VLAN communication fails, even when routing is confirmed. The scenario already establishes the VLAN 20 host's location; the next logical layer to inspect is ARP resolution.

501
MCQhard

Refer to the exhibit. A network administrator is troubleshooting connectivity to devices in VLAN 10 on a Layer 3 switch. The administrator issues the show ip interface brief command on SW1 and sees the output displayed. What is the most likely reason that the VLAN 10 SVI is not functioning?

A.No active ports are assigned to VLAN 10.
B.The VLAN 10 SVI has been administratively shut down.
C.The IP address configured on the VLAN 10 SVI is incorrect for the subnet.
D.The switch ports assigned to VLAN 10 are all configured as trunk ports.
AnswerA

The SVI Status and Protocol are both 'down'. This occurs when the VLAN has no active member ports, which prevents the SVI from transitioning to up/up.

Why this answer

The exhibit shows the VLAN 10 SVI with Status 'down' and Protocol 'down'. In a Cisco Layer 3 switch, an SVI will only be up/up if the VLAN exists in the VLAN database and at least one active port (access or trunk) belongs to that VLAN and is in the Spanning Tree forwarding state. Since other SVIs (Vlan1, Vlan20) and physical interfaces are up/up, the most likely cause is that no ports are actively assigned to VLAN 10, leaving the VLAN inactive.

Exam trap

Many candidates mistakenly associate a 'down/down' status with an administratively shut down interface, but that condition would display 'administratively down' in the Status field, not simply 'down'.

Why the other options are wrong

B

Candidates often confuse 'down' with 'administratively down', assuming any disabled interface will show 'down'. They need to distinguish the two statuses.

C

Some candidates think a misconfigured IP address can cause an interface to be down, but status does not reflect IP configuration.

D

A common misunderstanding is that trunk ports do not make a VLAN active; in reality, a trunk carrying VLAN 10 can activate the SVI as long as the trunk is up/up and the VLAN is not pruned.

502
Drag & Dropmedium

Drag and drop the following steps into the correct order to configure an IOS-XE device as an NTP client and set up syslog reporting of NTP events to a remote log server.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4

Why this order

First, enter global configuration mode. Then configure the NTP server to define the time source. Next, configure the logging host to specify the remote syslog server.

After that, enable logging of NTP events so that NTP-related syslog messages are generated and sent to the configured host. Finally, verify the configuration. Option B is wrong because configuring the logging host before the NTP server would attempt to send logs before time synchronization is set up, and the NTP server must be configured first to generate NTP events.

Option C is incorrect because enabling NTP event logging before configuring both the NTP server and the logging host means there is no NTP server to generate events and no logging destination to send them to. Option D is wrong because enabling logging of NTP events before configuring the logging host would cause generated messages to be dropped if the logging host is not yet set; the logging host must be configured before enabling NTP event logging.

Exam trap

The trap is that candidates may confuse the order of enabling NTP event logging and configuring the logging host. Remember: configure the logging host before enabling NTP event logging, and always configure the NTP server first.

503
MCQmedium

A wireless client can see two SSIDs from the same company: Corp and Guest. Which statement best explains what an SSID represents in this situation?

A.It is the wireless network name presented to clients for a specific WLAN.
B.It is the encryption algorithm securing the WLAN.
C.It is the radio antenna inside the AP.
D.It is the management IP address of the controller.
AnswerA

This is correct because an SSID identifies the WLAN to users and devices.

Why this answer

An SSID is the name that identifies a specific wireless LAN to clients. In practical terms, Corp and Guest are two different WLAN identifiers presented to users, even if they are broadcast by the same physical access point infrastructure. The SSID tells the client which wireless network it is trying to join.

This matters because people often confuse SSIDs with the access point itself or with the security protocol. The SSID is the network identifier, not the hardware or the encryption standard.

Exam trap

Do not confuse SSIDs with physical devices or security protocols; they are identifiers for networks.

Why the other options are wrong

B

The SSID is simply the network name broadcast by the access point; encryption algorithms like WPA2 or WPA3 are configured separately on the WLAN and are not part of the SSID itself.

C

An SSID is a logical identifier, not a physical component. The radio antenna is hardware that transmits and receives wireless signals, but it does not define the network name.

D

The management IP address of a wireless controller is used for administrative access to the controller, not for client connectivity. Clients use the SSID to identify and connect to a WLAN, not the controller's IP.

504
MCQmedium

A routing table entry begins with the code C. What does that code indicate?

A.A route learned through EIGRP
B.A connected network
C.A candidate default route
D.A static route to a classful network
AnswerB

Correct. C means connected.

Why this answer

In Cisco routing table output, C indicates a directly connected network. These routes are installed when an interface is up and has an address in that subnet.

Exam trap

A frequent exam trap is mistaking the 'C' code for a static route or a route learned via a routing protocol like EIGRP. Some candidates incorrectly assume 'C' means candidate default or static, but Cisco IOS uses 'S' for static routes and 'D' for EIGRP-learned routes. Misreading these codes can lead to incorrect conclusions about how a route was learned or its trustworthiness.

Remember, 'C' always means the route is directly connected to the router, which is fundamental for understanding routing behavior and troubleshooting.

Why the other options are wrong

A

Option A is incorrect because EIGRP-learned routes carry the code 'D' (for DUAL, the algorithm EIGRP runs) in Cisco IOS routing tables, not 'C'.

C

Option C is incorrect because a candidate default route is marked with an asterisk after its code (for example 'S*' for a static default), not with 'C'.

D

Option D is incorrect because static routes use the code 'S' in Cisco routing tables. The code 'C' never represents static routes, so this option is invalid.

505
PBQhard

You are connected via the console to R1, a new Cisco ISR 4321 router. The network team requires that all routers be reachable via SSH for management. R1's management interface is GigabitEthernet0/0 with IP 192.168.1.1/24. You need to configure SSH on R1, including a hostname, domain name, RSA key pair of 1024 bits, local user 'admin' with secret 'cisco123', and enable SSH version 2. Additionally, configure the vty lines to accept only SSH connections and use local authentication.

Network Topology
Network Topology (diagram): R1 G0/0 192.168.1.1/24, linked to the Management Network

Hints

  • You need to set hostname and domain name before generating RSA keys.
  • Use 'crypto key generate rsa modulus 1024' to create the key pair.
  • Configure vty lines to only allow SSH and use local authentication.
A.
R1(config)# hostname R1
R1(config)# ip domain-name example.com
R1(config)# crypto key generate rsa modulus 1024
R1(config)# username admin secret cisco123
R1(config)# ip ssh version 2
R1(config)# line vty 0 4
R1(config-line)# transport input ssh
R1(config-line)# login local
B.
R1(config)# hostname R1
R1(config)# ip domain-name example.com
R1(config)# crypto key generate rsa general-keys modulus 1024
R1(config)# username admin password cisco123
R1(config)# ip ssh version 2
R1(config)# line vty 0 4
R1(config-line)# transport input ssh telnet
R1(config-line)# login local
C.
R1(config)# hostname R1
R1(config)# ip domain-name example.com
R1(config)# crypto key generate rsa modulus 1024
R1(config)# username admin secret cisco123
R1(config)# ip ssh version 2
R1(config)# line vty 0 4
R1(config-line)# transport input all
R1(config-line)# login local
D.
R1(config)# hostname R1
R1(config)# ip domain-name example.com
R1(config)# crypto key generate rsa modulus 1024
R1(config)# username admin secret cisco123
R1(config)# ip ssh version 2
R1(config)# line vty 0 4
R1(config-line)# transport input ssh
R1(config-line)# password cisco123
R1(config-line)# login
AnswerA
solution
! R1
hostname R1
ip domain-name example.com
crypto key generate rsa modulus 1024
username admin secret cisco123
ip ssh version 2
line vty 0 4
transport input ssh
login local

Why this answer

SSH configuration requires a hostname, domain name, RSA key pair, local username, and vty line settings. The command sequence ensures SSH version 2 is used and only SSH connections are accepted on the vty lines.

Exam trap

Watch for subtle differences: 'username secret' vs 'username password', 'transport input ssh' vs 'transport input all' or 'transport input ssh telnet', and 'login local' vs 'login'. Also ensure the hostname and domain name are set before generating RSA keys.

Why the other options are wrong

B

Using 'password' instead of 'secret' stores the password in plaintext; allowing Telnet alongside SSH does not restrict to SSH only.

C

'transport input all' permits Telnet and other protocols, which is not restrictive enough.

D

Using 'password' and 'login' on vty lines enables password-only authentication, not local user authentication.

506
MCQmedium

Which feature helps prevent a rogue DHCP server from handing out addresses on a campus switch network?

A.PortFast
B.DHCP snooping
C.HSRP
D.LLDP
AnswerB

Correct. DHCP snooping is designed for this threat.

Why this answer

DHCP snooping classifies interfaces as trusted or untrusted and can block unauthorized DHCP server replies arriving on untrusted ports.

Exam trap

Avoid confusing PortFast (which skips STP convergence) with DHCP-specific features like DHCP Snooping.

Why the other options are wrong

A

PortFast is a Spanning Tree Protocol feature that immediately transitions an access port to the forwarding state, bypassing the listening and learning states. It does not inspect or validate DHCP messages, so it cannot prevent a rogue DHCP server from handing out addresses.

C

HSRP (Hot Standby Router Protocol) provides first-hop redundancy by allowing multiple routers to share a virtual IP address, ensuring gateway availability. It does not inspect DHCP traffic or provide any mechanism to block unauthorized DHCP servers.

D

LLDP (Link Layer Discovery Protocol) is a vendor-neutral protocol used for discovering neighboring devices and their capabilities by exchanging information such as device type, management addresses, and VLAN IDs. It has no role in DHCP security or filtering DHCP messages.

507
MCQhard

Refer to the exhibit. A network administrator is troubleshooting connectivity issues. Hosts on the 192.168.10.0/24 network cannot reach servers on the 192.168.20.0/24 network, but they can successfully reach other networks, including the Internet. The administrator runs the show ip access-lists command on the router (output shown). What is the most likely cause?

A.The ACL is applied in the wrong direction on the interface.
B.The ACL is missing a permit statement for the 192.168.20.0/24 destination.
C.The order of the ACL entries causes the deny statement to match first.
D.The implicit deny at the end is blocking the traffic to 192.168.20.0/24.
AnswerC

Extended IP access list 110 processes entries sequentially. Entry 10 denies traffic from 192.168.10.0/24 to 192.168.20.0/24, and entry 20 permits the same source to any destination. Because the deny is listed first, it is matched before the permit, causing the traffic to be dropped.

Why this answer

The exhibit shows Extended IP access list 110 with a deny statement for traffic from 192.168.10.0/24 to 192.168.20.0/24 (entry 10) placed before a permit ip any statement (entry 20). Because ACLs are processed in sequential order, the first matching entry is used. Traffic from 192.168.10.0/24 to 192.168.20.0/24 matches the deny statement and is dropped, even though a subsequent permit entry would allow it.

The counters (145 matches for deny, 95 matches for permit) confirm that the deny is being hit first.

Exam trap

Candidates often choose option B, thinking the ACL lacks a permit statement for the 192.168.20.0/24 destination, but the permit ip any statement (entry 20) would allow that traffic if the deny were not placed before it. They overlook the critical fact that order of ACL entries determines processing.

Why the other options are wrong

A

Candidates may assume any ACL misbehavior is due to wrong interface direction, ignoring that the specific symptom (only 192.168.20.0 is unreachable) points to the deny rule itself.

B

Candidates often focus on what an ACL 'lacks' rather than the sequence, missing that the existing permit any covers the destination but is shadowed by the earlier deny.

D

Candidates might recall that all ACLs have an implicit deny, but they fail to realize that a packet matching an earlier deny is already discarded, and the implicit deny only applies to unmatched traffic.
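An added example in Python, not part of the question bank: a small model of first-match ACL processing that replays a few constructed flows through access list 110 in the order the exhibit describes, and then through the same two entries with their sequence numbers swapped, so the shadowing works in both directions. Addresses other than the two subnets from the question are constructed.

```python
"""Added example (not from the question bank): a small model of first-match
ACL processing, used to show why the order of the two entries in access list
110 decides whether 192.168.10.0/24 can reach 192.168.20.0/24. Addresses
other than the two subnets from the question are constructed."""
import ipaddress
from dataclasses import dataclass


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a | w) == (n | w)


@dataclass
class AclEntry:
    seq: int
    action: str                  # "permit" or "deny"
    src: str                     # network address or "any"
    src_wild: str = "0.0.0.0"
    dst: str = "any"
    dst_wild: str = "0.0.0.0"
    matches: int = 0

    @staticmethod
    def _side(addr: str, net: str, wild: str) -> bool:
        return net == "any" or wildcard_match(addr, net, wild)

    def hit(self, src_addr: str, dst_addr: str) -> bool:
        return (self._side(src_addr, self.src, self.src_wild)
                and self._side(dst_addr, self.dst, self.dst_wild))


class ExtendedAcl:
    """Entries are tried in sequence-number order and the first hit wins;
    a packet that hits nothing falls to the implicit deny at the end."""

    def __init__(self, number: int, entries):
        self.number = number
        self.entries = sorted(entries, key=lambda e: e.seq)
        self.implicit_denies = 0

    def evaluate(self, src_addr: str, dst_addr: str):
        for entry in self.entries:
            if entry.hit(src_addr, dst_addr):
                entry.matches += 1
                return entry.action, entry.seq
        self.implicit_denies += 1
        return "deny", None

    def unreached_entries(self):
        """Sequence numbers no packet has hit. After replaying representative
        traffic this is a cheap way to notice a rule shadowed by an earlier one."""
        return [e.seq for e in self.entries if e.matches == 0]

    def render(self) -> str:
        """Output in the style of 'show ip access-lists'."""
        lines = [f"Extended IP access list {self.number}"]
        for e in self.entries:
            s = "any" if e.src == "any" else f"{e.src} {e.src_wild}"
            d = "any" if e.dst == "any" else f"{e.dst} {e.dst_wild}"
            hits = f" ({e.matches} matches)" if e.matches else ""
            lines.append(f"    {e.seq} {e.action} ip {s} {d}{hits}")
        return "\n".join(lines)


def acl_as_in_exhibit() -> ExtendedAcl:
    """The order described in the question: the deny precedes the permit."""
    return ExtendedAcl(110, [
        AclEntry(10, "deny", "192.168.10.0", "0.0.0.255", "192.168.20.0", "0.0.0.255"),
        AclEntry(20, "permit", "192.168.10.0", "0.0.0.255"),
    ])


def acl_permit_first() -> ExtendedAcl:
    """The same two entries with their sequence numbers swapped: now the deny
    can never be reached, the opposite misconfiguration."""
    return ExtendedAcl(110, [
        AclEntry(10, "permit", "192.168.10.0", "0.0.0.255"),
        AclEntry(20, "deny", "192.168.10.0", "0.0.0.255", "192.168.20.0", "0.0.0.255"),
    ])


# Constructed flows: host -> server, host -> Internet, outside host -> server.
SAMPLE_FLOWS = [
    ("192.168.10.25", "192.168.20.10"),
    ("192.168.10.25", "203.0.113.7"),
    ("10.9.9.9", "192.168.20.10"),
]


def replay(acl: ExtendedAcl, flows=SAMPLE_FLOWS):
    """Evaluate each flow in turn and return the (action, seq) decisions."""
    return [acl.evaluate(s, d) for s, d in flows]
```

Running replay() against both ACLs and then checking unreached_entries() shows the deny hit first in the exhibit order and never hit at all once the permit precedes it.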

508
MCQhard

A network administrator implements a set of spanning-tree enhancements to secure the switching infrastructure. Later, a help desk ticket reports that a user in a remote office cannot connect to any network resources. While investigating, the administrator notices that the switch port connecting the remote office switch to the distribution switch is in a 'root-inconsistent' state and is blocking traffic. Which protection feature, if misapplied, most likely caused this issue?

A.Loop Guard
B.Root Guard
C.BPDU Guard
D.BPDU Filter
AnswerB

Root Guard ensures that a port cannot become a root port. When a superior BPDU is received on a Root Guard-enabled port, the port transitions to a root-inconsistent state and blocks traffic, exactly as described in the scenario.

Why this answer

Root Guard is the correct answer because it forces an interface to be a designated port. If a switch receives a superior BPDU (indicating a root bridge with a lower bridge ID) on a Root Guard-enabled port, the port is placed into a 'root-inconsistent' state and blocks traffic to prevent the attached switch from becoming the root bridge. This matches the symptom described: a port in 'root-inconsistent' state blocking traffic after spanning-tree enhancements were applied.

Exam trap

Cisco often tests the distinction between 'root-inconsistent' (Root Guard) and 'loop-inconsistent' (Loop Guard) states, and the trap here is that candidates confuse the two or assume BPDU Guard is responsible for any BPDU-related blocking.

Why the other options are wrong

A

A loop-inconsistent state is different from the root-inconsistent state observed. Loop Guard acts when BPDUs stop arriving, not when they appear with a superior root claim.

C

While BPDU Guard also reacts to incoming BPDUs, it puts the port in err-disabled (shutdown) state, not a blocking state named 'root-inconsistent'. The symptom described is not error-disabled.

D

BPDU Filter would not cause the port to show a root-inconsistent state. The symptom is a protective blocking state, which BPDU Filter does not provide.

509
MCQhard

Two routers are directly connected over IPv6 and should form an OSPFv3 adjacency, but they do not. Link-local addressing is present on both interfaces. Which issue is most likely to prevent the adjacency?

A.The interfaces are assigned to different OSPFv3 areas.
B.The routers need matching hostnames before OSPFv3 can start.
C.IPv6 requires a /64 only for routing protocols to function.
D.OSPFv3 cannot run on directly connected interfaces.
AnswerA

This is correct because OSPF neighbors on the same segment must agree on the area for adjacency formation.

Why this answer

An area mismatch is a strong and direct explanation. In plain language, even though the routers can have valid IPv6 addressing and proper link-local communication on the interface, OSPFv3 still requires the two ends of the shared segment to agree on the area context for the adjacency. If one side places the interface in one area and the other side places it in another, the routers will not treat each other as valid neighbors.

This is very similar in principle to OSPF for IPv4. Link-local addressing matters in OSPFv3, but the protocol still enforces key neighbor-formation checks. The correct answer is the one that focuses on a required protocol match rather than on a vague issue like hostname or cable color.

Exam trap

Focus on OSPFv3 configuration requirements like area matching, not on distractors such as hostnames or prefix length.

Why the other options are wrong

B

OSPFv3 adjacency formation does not depend on hostnames; hostnames are only used for identification in show commands and have no impact on routing protocol operation.

C

OSPFv3 can use any valid IPv6 prefix length, including /64, /126, or /127, for the link between routers. The /64 requirement is for SLAAC, not for routing protocols.

D

OSPFv3 is specifically designed to run on directly connected interfaces, just like OSPFv2. It forms adjacencies over directly connected links to exchange routing information.

510
MCQhard

Two switches are configured for LACP EtherChannel. One side is set to passive and the other side is also set to passive. What is the most likely outcome?

A.The EtherChannel will not form because neither side initiates LACP negotiation.
B.The EtherChannel always forms because passive mode is preferred.
C.The links automatically become a routed interface.
D.The switches delete the bundle configuration automatically.
AnswerA

This is correct because LACP passive mode listens for negotiation but does not initiate it. With both sides passive, no LACP packets are sent, so the EtherChannel never forms.

Why this answer

The EtherChannel will not form because LACP passive mode only listens for negotiation; it does not initiate it. When both sides are set to passive, neither side sends LACP packets, so the bundle cannot be established. This is a deterministic outcome, not merely unlikely.

Exam trap

Ensure at least one side is set to active in LACP configurations to avoid non-formation of the channel.

Why the other options are wrong

B

Passive mode does not initiate LACP negotiation; it only responds to incoming LACPDUs. Therefore, with both sides passive, no LACPDUs are exchanged, and the EtherChannel will not form. The statement that passive mode is preferred is incorrect; active mode is typically used on at least one side to initiate the channel.

C

LACP operates at Layer 2 and does not change the interface type. The ports remain switchports (Layer 2) unless explicitly configured with 'no switchport'. LACP mode has no effect on Layer 3 routing functionality.

D

LACP configuration is not automatically deleted when negotiation fails. The configuration remains in the running-config, and the ports will simply not form an EtherChannel. The administrator must manually remove the configuration if desired.

511
MCQhard

Why is a northbound API generally more useful to orchestration software than a human-readable CLI screen?

A.Because the API provides a structured interface intended for software interaction.
B.Because CLI output cannot be read by humans.
C.Because APIs remove the need for authentication.
D.Because orchestration software cannot use HTTPS.
AnswerA

This is correct because orchestration tools work best with predictable, machine-oriented interfaces.

Why this answer

A northbound API is more useful because it is designed for structured software interaction. In practical terms, orchestration systems need predictable data and predictable request methods. Human-readable CLI output is optimized for people, not for stable machine parsing. APIs provide the cleaner contract between the controller and the automation platform.

This is a core programmability idea. Human-readable output is useful for operators, but structured APIs are better for software systems.

Exam trap

A common exam trap is to confuse the usability of CLI output with its suitability for automation. While CLI screens are indeed human-readable and essential for manual network management, they are not designed for software consumption due to inconsistent formatting and lack of structured data. Another trap is to mistakenly believe that APIs remove security requirements like authentication; in fact, APIs enforce strict authentication and authorization to protect network resources.

Misunderstanding these points can lead to incorrect answers that underestimate the importance of structured, secure interfaces in network automation.

Why the other options are wrong

B

This option is incorrect because CLI output is specifically designed to be human-readable; the problem is not readability but the lack of structured data suitable for software parsing.

C

This option is incorrect because APIs still require authentication and authorization to secure network access; they do not remove the need for security controls.

D

This option is incorrect because orchestration software commonly uses HTTPS-based APIs for secure communication; the inability to use HTTPS is not a valid reason for preferring APIs over CLI.

512
Drag & Dropmedium

Drag and drop the following steps into the correct order to configure Root Guard on designated ports, Loop Guard on non-designated ports, and BPDU Guard on PortFast ports, and then recover a port that enters err-disabled state.

Why this order

The correct sequence applies STP protections to their proper port roles: Root Guard on designated ports to prevent unexpected superior BPDUs, Loop Guard on non-designated ports to prevent unidirectional link failure from causing loops, and BPDU Guard on PortFast ports to block rogue switches. Distractors B and D are wrong because they mismatch the guard types to port roles (e.g., B puts Loop Guard on designated, Root Guard on non-designated; D does the opposite). Distractor C incorrectly reverses the recovery steps by re-enabling the port before enabling errdisable recovery globally, and it also reorders protection configuration without logical benefit.

Exam trap

The exam trap is confusing which protection goes on which port role. Remember: Root Guard protects designated ports from becoming root; Loop Guard protects non-designated ports from becoming forwarding; BPDU Guard protects PortFast ports. Also, recovery order: global first, then interface re-enable.

513
Matchingeasy

Match the data format to its most accurate characteristic.

Matches

Lightweight format commonly used by REST APIs

Markup-style format that uses opening and closing tags

Human-friendly format that relies heavily on indentation

Simple tabular format with comma-separated values

Why these pairings

JSON is lightweight and key-value based, XML uses tags and attributes, YAML relies on indentation, CSV is for tabular data, Protobuf is a binary schema-driven format, and HTML is for web page structure.

Exam trap

Avoid confusing the characteristics of different data formats. Remember that JSON uses key-value pairs, XML uses tags, YAML uses indentation, CSV is tabular, Protobuf is binary, and HTML is for web structure.

514
Matchingmedium

Match each wireless term to its most accurate meaning.

Matches

Centralized platform used to manage access points

Name that identifies the wireless network to clients

Wireless security standard

Protocol associated with AP-to-controller communication

Why these pairings

SSID is the human-readable network name. BSSID is the unique MAC address of an AP radio. ESSID is the same SSID used across multiple APs in an extended network.

Beacons are management frames that advertise the network. Probe requests are sent by clients to find APs. Association is the process of connecting a client to an AP.

Exam trap

Do not confuse SSID with BSSID, Beacon frames, or Association. SSID is simply the network name; the other terms refer to different concepts.

515
Drag & Dropmedium

Drag and drop the following steps into the correct order to configure AAA with a RADIUS server and 802.1X port authentication on a Cisco IOS-XE switch.

Why this order

Start by entering global configuration mode and enabling AAA with 'aaa new-model' to allow AAA commands. Then, configure the RADIUS server parameters using 'radius-server host' and 'radius-server key' so the switch knows where to send authentication requests. Next, create an authentication method list with 'aaa authentication dot1x default group radius' to define the authentication method.

After the method list, the global command 'dot1x system-auth-control' must be issued to enable 802.1X globally; without it, the interface-level commands will not function. Finally, apply 802.1X port authentication on the interface using 'authentication port-control auto'. This order ensures each prerequisite is met before the next step.

Exam trap

A common mistake is omitting the global 'dot1x system-auth-control' command, which is required to enable 802.1X system-wide before configuring interface-level authentication.

516
MCQmedium

A switch interface connected to another switch must carry VLANs 10, 20, and 30 only. Which command best enforces that requirement on the trunk?

A.switchport trunk allowed vlan 10,20,30
B.switchport access vlan 10,20,30
C.switchport mode dynamic auto
D.switchport trunk native vlan 10,20,30
AnswerA

This is correct because it explicitly restricts the trunk to VLANs 10, 20, and 30.

Why this answer

The correct command is the one that explicitly sets the allowed VLAN list on the trunk. In plain language, the administrator wants the inter-switch link to carry only the named VLANs instead of every VLAN by default. Cisco trunks can transport multiple VLANs, but that does not mean every VLAN should always be permitted. Restricting the allowed list supports cleaner design and helps reduce unnecessary VLAN transport.

This is a common CCNA switching task because it distinguishes between creating a trunk and controlling what the trunk actually carries. Simply enabling trunking is not enough when the requirement names exact VLANs. The answer must directly restrict the allowed list rather than change the native VLAN or apply an unrelated access-port command.

Exam trap

A common exam trap is selecting commands that do not correctly restrict VLANs on a trunk. For example, using 'switchport access vlan 10,20,30' is invalid because access ports support only one VLAN. Another trap is confusing the native VLAN setting with allowed VLANs; 'switchport trunk native vlan' only defines the untagged VLAN and does not filter VLANs.

Also, relying on dynamic trunk negotiation commands like 'switchport mode dynamic auto' does not restrict VLANs and can lead to trunks carrying all VLANs by default. These mistakes cause VLAN traffic to flow where it shouldn’t, violating design requirements.

Why the other options are wrong

B

Incorrect because 'switchport access vlan' applies only to access ports and cannot specify multiple VLANs; it does not configure trunk VLANs.

C

Incorrect because 'switchport mode dynamic auto' controls trunk negotiation but does not limit which VLANs are allowed on the trunk.

D

Incorrect because 'switchport trunk native vlan' sets only one native VLAN for untagged traffic and does not restrict the allowed VLAN list.

517
Multi-Selectmedium

Which TWO statements accurately describe Network Address Translation (NAT) types?

Select 2 answers
A.Static NAT creates a fixed one-to-one mapping between a local and global address and is typically used to allow external connectivity to internal servers.
B.Dynamic NAT assigns a public IP from a pool for the duration of a translation, but it does not modify Layer 4 port numbers.
C.PAT only translates TCP packets because it uses port numbers, leaving UDP translation unsupported.
D.Static NAT entries are automatically removed after periods of inactivity to free up public addresses.
E.With PAT, if the public IP address pool is exhausted, new translations fail because PAT requires unique public IPs for each private host.
AnswersA, B

Static NAT permanently maps a private IP to a public IP, enabling inbound access to internal resources like web servers.

Why this answer

Static NAT creates a permanent, one-to-one mapping between an inside local (private) IP address and an inside global (public) IP address. This fixed mapping is typically used to make internal servers, such as a web or email server, reachable from the internet using a consistent public address.

Exam trap

Cisco often tests the misconception that PAT only works with TCP, but in reality PAT supports both TCP and UDP, and the trap here is that candidates confuse PAT's use of port numbers with a protocol limitation.

Why the other options are wrong

C

PAT works with any transport protocol that has port fields—TCP, UDP, and even ICMP through the identifier field.

D

Only dynamic translations (from dynamic NAT or PAT) have idle timeouts; static mappings are permanent.

E

This statement describes dynamic NAT pool exhaustion, not PAT, which uses port multiplexing.
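An added example in Python, not part of the question bank: a toy translation table for the three NAT types that makes the distinctions behind options B, D and E concrete. It shows dynamic NAT handing out whole pooled addresses with ports untouched and failing on the third host when the pool holds two, PAT multiplexing three hosts (TCP and UDP) onto one public address by port, and static entries surviving the idle timeout that clears dynamic ones. All addresses are constructed from the documentation ranges.

```python
"""Added example (not from the question bank): a toy translation table that
contrasts static NAT, dynamic NAT and PAT on the points the options test:
fixed versus pooled mappings, whether Layer 4 ports are rewritten, idle
timeouts, and what happens when the public pool is used up. Addresses are
constructed from the 192.0.2.0/24 and 203.0.113.0/24 documentation ranges."""
from dataclasses import dataclass
from typing import Optional


class PoolExhausted(Exception):
    """Dynamic NAT has no free inside-global address for a new inside host."""


@dataclass
class Translation:
    inside_local: str
    inside_global: str
    local_port: Optional[int]      # None: ports are not part of the mapping
    global_port: Optional[int]
    last_used: float


class StaticNat:
    """Fixed one-to-one mappings (e.g. a web server reachable from outside)."""
    def __init__(self, mappings: dict):
        self.table = {loc: Translation(loc, glob, None, None, 0.0)
                      for loc, glob in mappings.items()}

    def translate(self, src_ip: str, now: float) -> str:
        entry = self.table[src_ip]
        entry.last_used = now
        return entry.inside_global

    def expire(self, now: float, idle: float) -> int:
        return 0  # static entries are permanent regardless of inactivity


class DynamicNat:
    """One pooled inside-global address per active host; ports are left alone."""
    def __init__(self, pool):
        self.free = list(pool)
        self.table = {}

    def translate(self, src_ip: str, now: float) -> str:
        if src_ip not in self.table:
            if not self.free:
                raise PoolExhausted(src_ip)
            self.table[src_ip] = Translation(src_ip, self.free.pop(0), None, None, now)
        entry = self.table[src_ip]
        entry.last_used = now
        return entry.inside_global

    def expire(self, now: float, idle: float) -> int:
        """Idle entries age out and hand their public address back to the pool."""
        stale = [k for k, t in self.table.items() if now - t.last_used >= idle]
        for k in stale:
            self.free.append(self.table.pop(k).inside_global)
        return len(stale)


class Pat:
    """Many inside hosts share one inside-global address; a unique translated
    source port per flow keeps them apart, for UDP just as for TCP. IOS keeps the
    original port when it is free; this toy always hands out the next port."""
    def __init__(self, public_ip: str, first_port: int = 1024):
        self.public_ip = public_ip
        self.next_port = first_port
        self.table = {}

    def translate(self, src_ip: str, src_port: int, proto: str, now: float):
        key = (proto, src_ip, src_port)
        if key not in self.table:
            self.table[key] = Translation(src_ip, self.public_ip, src_port, self.next_port, now)
            self.next_port += 1
        entry = self.table[key]
        entry.last_used = now
        return entry.inside_global, entry.global_port


def compare(hosts=("192.0.2.10", "192.0.2.11", "192.0.2.12"),
            pool=("203.0.113.10", "203.0.113.11")) -> dict:
    """Push three inside hosts through each NAT type and collect the outcomes."""
    out = {}
    dyn = DynamicNat(pool)
    dyn_result = []
    for h in hosts:
        try:
            dyn_result.append(dyn.translate(h, now=0.0))
        except PoolExhausted:
            dyn_result.append(None)  # third host: a pool of two is exhausted
    out["dynamic"] = dyn_result
    out["dynamic_freed"] = dyn.expire(now=600.0, idle=300.0)
    pat = Pat("203.0.113.1")
    out["pat"] = [pat.translate(h, 40000, proto, 0.0)
                  for h, proto in zip(hosts, ("tcp", "udp", "tcp"))]
    static = StaticNat({"192.0.2.80": "203.0.113.80"})
    out["static"] = static.translate("192.0.2.80", now=0.0)
    out["static_freed"] = static.expire(now=600.0, idle=300.0)
    return out
```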

518
MCQmedium

What problem is HSRP designed to solve?

A.Layer 2 switching loops
B.Loss of the default gateway if one router fails
C.Duplicate MAC addresses on trunks
D.Wireless interference
AnswerB

Correct. HSRP provides first-hop redundancy.

Why this answer

HSRP provides a virtual default gateway so hosts continue forwarding traffic even if one physical gateway router fails.

Exam trap

Avoid confusing HSRP with load balancing or security protocols. Remember, HSRP is about redundancy, not traffic distribution or encryption.

Why the other options are wrong

A

Layer 2 switching loops are prevented by Spanning Tree Protocol (STP), not by HSRP. HSRP operates at Layer 3 to provide default gateway redundancy, not loop prevention.

C

Duplicate MAC addresses on trunks are typically caused by misconfigurations or bridging loops, not by HSRP. HSRP uses a virtual MAC address that is unique and does not cause duplication issues.

D

Wireless interference is a physical layer issue related to radio frequency signals, not something HSRP addresses. HSRP is a Layer 3 redundancy protocol for routers.

519
MCQhard

Based on the exhibit, which route will be used to reach 172.20.10.33?

A.The static route to 172.20.10.32/27
B.The OSPF route to 172.20.10.0/24
C.The default route
D.No route, because the destination does not match any prefix.
AnswerA

This is correct because 172.20.10.33 falls in the more specific /27 prefix.

Why this answer

The route used will be the one with the longest matching prefix. In practical terms, 172.20.10.33 matches both the /24 and the /27 shown, but the /27 is more specific. That means the router selects the /27 route before considering the broader /24 or any default route.

This is exactly the kind of route-table interpretation the CCNA exam likes because it rewards precise thinking about prefix boundaries.

Exam trap

A common exam trap is to select the OSPF route or the default route instead of the static route with the longer prefix. Candidates often mistakenly believe that dynamic routing protocols like OSPF always take precedence or that default routes are used when any route exists. However, Cisco routers first evaluate the longest prefix match before considering administrative distance.

Ignoring this can lead to incorrect answers because the more specific /27 static route will always be preferred over the broader /24 OSPF route or the default route for the destination 172.20.10.33.

Why the other options are wrong

B

This option is incorrect because the OSPF route to 172.20.10.0/24 is less specific than the static /27 route. The router prefers the longer prefix match, so it will not use the /24 route when a /27 route exists.

C

The default route is not used here because there are more specific routes available that match the destination IP. Default routes only apply when no other matching routes exist.

D

This option is incorrect because the destination IP clearly matches both the /24 and /27 prefixes shown in the routing table. Therefore, the router does have routes to reach 172.20.10.33.
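An added example in Python, not part of the question bank: a route lookup that models the selection order the explanation describes, longest matching prefix first and administrative distance only to break a tie between equal-length prefixes. The table is constructed to match the exhibit as the question describes it; next-hop addresses and the extra OSPF /27 used for the tie case are assumptions.

```python
"""Added example (not part of the question bank): route selection modelled the
way IOS does it for the table in question 519: longest matching prefix first,
administrative distance only to break a tie between equal-length prefixes."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    code: str       # IOS code: S static, O OSPF, S* candidate default
    prefix: str
    next_hop: str   # constructed values, not from the exhibit
    ad: int         # administrative distance (static 1, OSPF 110)

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.IPv4Network(self.prefix)


# Constructed table matching the exhibit as the question describes it.
EXHIBIT_TABLE = [
    Route("S*", "0.0.0.0/0", "10.0.0.1", 1),
    Route("O", "172.20.10.0/24", "10.0.0.3", 110),
    Route("S", "172.20.10.32/27", "10.0.0.2", 1),
]


def matching_routes(table, destination: str):
    """Every entry whose prefix contains the destination, most specific first.
    Within one prefix length the lower administrative distance sorts first."""
    dest = ipaddress.IPv4Address(destination)
    hits = [r for r in table if dest in r.network]
    return sorted(hits, key=lambda r: (-r.network.prefixlen, r.ad))


def best_route(table, destination: str):
    """The route the router actually uses, or None when nothing matches
    (no default route present and no specific prefix covers the address)."""
    hits = matching_routes(table, destination)
    return hits[0] if hits else None


def explain(table, destination: str) -> str:
    """Lookup trace in the spirit of 'show ip route <address>'."""
    hits = matching_routes(table, destination)
    if not hits:
        return f"% Network not in table: {destination}"
    lines = [f"{destination} is reached via {hits[0].prefix}; candidates in order:"]
    for r in hits:
        lines.append(f"  {r.code:<2} {r.prefix:<18} via {r.next_hop} [AD {r.ad}]")
    return "\n".join(lines)


if __name__ == "__main__":
    print(explain(EXHIBIT_TABLE, "172.20.10.33"))
```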

520
Matchingmedium

Match each HTTP method to the most accurate action it commonly represents in REST-style APIs.

Matches

Retrieve existing information

Submit or create data

Update or replace an existing resource

Remove a resource

Why these pairings

HTTP methods correspond to CRUD operations in REST: GET for read, POST for create, PUT for full update, PATCH for partial update, DELETE for delete, and HEAD for headers only.

Exam trap

The trap is assuming GET can perform any operation beyond retrieval. Remember that GET must be safe and idempotent; it should never modify or delete resources. Always associate GET with read-only operations.

521
MCQmedium

Why is disabling unused services on network devices considered a sound security practice?

A.Because it reduces unnecessary attack surface and exposure on the device.
B.Because it automatically improves routing convergence.
C.Because it guarantees the device cannot be misconfigured.
D.Because it converts the device into a controller.
AnswerA

This is correct because disabling unneeded services removes avoidable risk.

Why this answer

It is considered sound because every enabled service is a potential attack surface or management exposure point. In practical terms, if a service is not needed, leaving it enabled creates unnecessary risk without business value. Reducing what is listening or available on a device helps limit opportunities for misuse or exploitation.

Option B is incorrect because disabling unused services does not affect routing protocol convergence; that is a routing protocol function. Option C is wrong because no single security practice can guarantee the device cannot be misconfigured; misconfiguration remains possible through other means. Option D is nonsensical because disabling services does not turn the device into a controller.

Exam trap

Don't confuse the primary goal of security practices with secondary benefits like performance or compliance.

Why the other options are wrong

B

Disabling unused services does not affect routing convergence, which depends on routing protocols and network topology. Service hardening and routing optimization are separate concerns.

C

Disabling services reduces risk but does not guarantee prevention of misconfiguration; human error can still occur in other settings. Security hardening is a layered approach, not a silver bullet.

D

Disabling services does not change a device's role; a router remains a router, and a switch remains a switch. Converting a device to a controller requires specific software and configuration changes.

522
PBQhard

You are connected to the console of R1, a Cisco router that is part of a larger network. The network operations team uses Ansible to manage configurations. You need to write an Ansible playbook that configures an interface description on R1. The playbook should use the ios_config module.

Hints

  • The ios_config module uses 'parents' to specify the configuration context.
  • The playbook should target the correct host group.
  • Remember to include the YAML front matter.
A.
---
- name: Configure interface description
  hosts: R1
  gather_facts: no
  tasks:
    - name: Add description to Gi0/0
      ios_config:
        lines:
          - description Link to Core
        parents: interface GigabitEthernet0/0
B.
---
- name: Configure interface description
  hosts: R1
  gather_facts: no
  tasks:
    - name: Add description to Gi0/0
      ios_config:
        lines:
          - interface GigabitEthernet0/0
          - description Link to Core
C.
---
- name: Configure interface description
  hosts: R1
  gather_facts: no
  tasks:
    - name: Add description to Gi0/0
      ios_command:
        commands:
          - configure terminal
          - interface GigabitEthernet0/0
          - description Link to Core
D.
---
- name: Configure interface description
  hosts: R1
  gather_facts: no
  tasks:
    - name: Add description to Gi0/0
      ios_config:
        lines:
          - description Link to Core
        parents: GigabitEthernet0/0
AnswerA
solution
! R1
---
- hosts: routers
  gather_facts: no
  tasks:
    - name: Configure interface description
      ios_config:
        lines:
          - description WAN Link
        parents: interface GigabitEthernet0/0

Why this answer

The playbook uses the ios_config module to add the description line under the interface configuration. The 'parents' parameter sets the context to 'interface GigabitEthernet0/0'. The playbook must be saved as a .yml file and run with ansible-playbook.

Exam trap

A common trap is confusing ios_config with ios_command, or incorrectly formatting the 'parents' parameter. Remember that ios_config is for configuration changes and requires the 'parents' parameter to specify the exact command that enters the configuration context, such as 'interface GigabitEthernet0/0'.

Why the other options are wrong

B

The 'lines' parameter should contain only the configuration commands to be applied under the parent context, not the parent command itself.

C

The ios_command module does not handle configuration mode properly and is not intended for configuration tasks; it sends commands and returns output without state management.

D

The 'parents' parameter expects the exact command that enters the configuration context, such as 'interface GigabitEthernet0/0', not just the interface name.

523
Multi-Selectmedium

Which two statements accurately describe why SSH is preferred over Telnet for device administration?

Select 2 answers
A.SSH is generally considered the more secure choice for remote CLI administration.
B.Telnet is generally considered less secure for remote device administration.
C.SSH eliminates the need for authentication and authorization policy.
D.Telnet is required before SSH can operate.
E.SSH is used only on wireless controllers and nowhere else.
AnswersA, B

This is correct because SSH is the preferred secure remote-management option.

Why this answer

SSH is preferred because it encrypts all traffic, including authentication credentials, making it secure for remote CLI administration, whereas Telnet transmits data in plaintext and is considered less secure. Option C is incorrect because SSH does not eliminate authentication; it requires authentication and often enforces stronger policies. Option D is false because SSH and Telnet are independent protocols; Telnet is not required for SSH to operate.

Option E is wrong because SSH is used on routers, switches, firewalls, and many other devices, not only wireless controllers.

Exam trap

Don't confuse protocol security features with ease of configuration or performance. Focus on security benefits.

Why the other options are wrong

C

SSH does not eliminate the need for authentication and authorization policies; it only provides a secure transport layer. Network devices still require AAA (Authentication, Authorization, and Accounting) or local username/password configurations to control access.

D

Telnet is not a prerequisite for SSH; they are independent protocols. SSH can be configured and used on a device without Telnet ever being enabled. In fact, many devices have SSH enabled by default while Telnet is disabled for security reasons.

E

SSH is not limited to wireless controllers; it is widely used on routers, switches, firewalls, servers, and many other network devices. It is a universal protocol for secure remote administration across all types of infrastructure.

524
Matching · medium

Drag each automation or API concept from the left to its corresponding description on the right. Not all descriptions are used.

Concepts:
- Northbound API
- Southbound API
- JSON
- HTTPS


Descriptions:
- Application-facing interface to the controller
- Controller-facing interface toward managed infrastructure
- Structured data format
- Secure transport for API communication

Why these pairings

- Northbound API: the application-facing interface of an SDN controller, allowing apps to request services.
- Southbound API: the interface that enables the controller to configure managed devices, such as OpenFlow.
- JSON: a structured data format using key/value pairs and arrays, lightweight and machine-friendly.
- HTTPS: secure, encrypted transport for API communications, protecting data in transit.

Distractors: 'Human-readable serialization format' describes YAML, not JSON or APIs. 'Protocol for network device configuration' might refer to NETCONF or CLI, not HTTPS or the APIs listed.

Exam trap

Be careful not to confuse JSON and YAML: JSON uses brackets and is machine-friendly, while YAML uses indentation and is human-friendly. Also, remember that Ansible uses YAML, not XML.

525
MCQ · hard

Two OSPF routers connected on an Ethernet link remain in the INIT state. Which issue is the most likely cause?

A. The routers have identical router IDs
B. The routers cannot exchange Hellos bidirectionally on the segment
C. The routers have already reached FULL and are waiting to install routes
D. The routers are using the same OSPF process ID
Answer: B

Correct. INIT often indicates one-way Hello communication.

Why this answer

INIT means a router is seeing Hellos from its neighbor but does not see its own router ID in the neighbor field of received Hellos. A common cause is one-way communication or a mismatched multicast/adjacency problem, often at Layer 2.

Exam trap

A common exam trap is to assume that duplicate router IDs cause routers to remain stuck in the INIT state. While duplicate router IDs do cause adjacency issues, they typically result in different neighbor states or error messages, not the INIT state specifically. Another trap is to think that using the same OSPF process ID on both routers causes adjacency failure; however, the process ID is locally significant and does not affect neighbor formation.

Misinterpreting the INIT state as a sign of routers already being fully adjacent or waiting to install routes is also incorrect, as FULL is a later state. The key is to recognize that INIT indicates one-way Hello communication, often due to Layer 2 or multicast issues.

Why the other options are wrong

A

Duplicate router IDs cause adjacency problems but usually result in neighbor states other than INIT or generate specific error messages. INIT state more commonly indicates one-way Hello communication rather than duplicate router ID issues.

C

Incorrect. FULL is the final OSPF neighbor state indicating full adjacency and route exchange completion. INIT is an early state and does not mean routers are waiting to install routes.

D

Incorrect. The OSPF process ID is locally significant and does not affect neighbor adjacency formation. Using the same or different process IDs on routers does not cause them to remain stuck in the INIT state.
