CCNA 200-301 v2 (200-301) — Questions 526–600

1819 questions total · 25 pages · All types, answers revealed

Page 8 of 25
526
PBQ · hard

You are connected to R1, a Cisco ISR 4331 router running IOS-XE. Your task is to enable SNMP v2c with community string 'public' (read-only) and 'private' (read-write), and configure SNMP v3 with a user 'admin' using SHA authentication (password 'Cisco123') and AES 128 encryption (password 'Cisco456'). Additionally, configure SNMP traps to be sent to a management server at 203.0.113.10 for both v2c and v3. Finally, enable NetFlow export to a collector at 203.0.113.20, using version 9. Verify your configuration using 'show snmp' and 'show ip cache flow'.

Hints

  • Remember to apply NetFlow on an interface for traffic capture.
  • SNMPv3 user requires both auth and priv passwords.
  • Use 'snmp-server enable traps' before configuring trap hosts.
A. snmp-server community public RO; snmp-server community private RW; snmp-server user admin v3group v3 auth sha Cisco123 priv aes 128 Cisco456; snmp-server enable traps; snmp-server host 203.0.113.10 version 2c public; snmp-server host 203.0.113.10 version 3 auth admin; ip flow-export destination 203.0.113.20 2055; ip flow-export version 9
B. snmp-server community public; snmp-server community private; snmp-server user admin v3 auth md5 Cisco123 priv des56 Cisco456; snmp-server enable traps; snmp-server host 203.0.113.10 version 2c public; snmp-server host 203.0.113.10 version 3 auth admin; ip flow-export destination 203.0.113.20 2055; ip flow-export version 9
C. snmp-server community public RO; snmp-server community private RW; snmp-server user admin v3 auth sha Cisco123 priv aes 128 Cisco456; snmp-server enable traps; snmp-server host 203.0.113.10 version 2c private; snmp-server host 203.0.113.10 version 3 auth admin; ip flow-export destination 203.0.113.20 2055; ip flow-export version 9
D. snmp-server community public RO; snmp-server community private RW; snmp-server user admin v3 auth sha Cisco123 priv aes 128 Cisco456; snmp-server enable traps; snmp-server host 203.0.113.10 version 2c public; snmp-server host 203.0.113.10 version 3 auth admin; ip flow-export destination 203.0.113.20 2055; ip flow-export version 5
Answer: A
Solution
! R1
snmp-server community public RO
snmp-server community private RW
! the SNMPv3 user must belong to a group; v3group is created here at the priv security level
snmp-server group v3group v3 priv
snmp-server user admin v3group v3 auth sha Cisco123 priv aes 128 Cisco456
snmp-server enable traps
snmp-server host 203.0.113.10 version 2c public
snmp-server host 203.0.113.10 version 3 auth admin
ip flow-export destination 203.0.113.20 2055
ip flow-export version 9
! NetFlow only captures traffic on interfaces where it is enabled
interface GigabitEthernet0/1
 ip flow ingress
exit

Why this answer

The router lacks SNMP and NetFlow configuration. For SNMP v2c, you must define community strings with 'snmp-server community public RO' and 'snmp-server community private RW'. For SNMP v3, you create a user within a group; the command requires a group name, e.g., 'snmp-server user admin v3group v3 auth sha Cisco123 priv aes 128 Cisco456'.

Traps are enabled and sent to 203.0.113.10 via v2c with the public community and v3 with the admin user. NetFlow export uses version 9 to collector 203.0.113.20. Verification commands show SNMP details and flow cache export settings.

Exam trap

Watch out for common mistakes: using MD5/DES instead of SHA/AES for SNMPv3, forgetting RO/RW keywords on community strings, using the wrong community string for traps, and selecting the wrong NetFlow version. Always verify the exact requirements in the question.

Why the other options are wrong

B

The specific factual error: SNMPv3 user is configured with MD5 and DES instead of SHA and AES 128; community strings are missing RO/RW keywords.

C

The specific factual error: The v2c trap host uses 'private' instead of 'public' community string.

D

The specific factual error: NetFlow export version is set to 5 instead of 9.

527
MCQ · hard

An EtherChannel should form using LACP between two switches. One side is configured for LACP active, and the other side is configured for LACP active. What is the expected result if the other link settings also match?

A. The EtherChannel should form if the other interface settings are compatible.
B. The channel fails because both sides must be passive.
C. The channel becomes a routed interface automatically.
D. All VLAN tags are removed from the bundle by default.
Answer: A

This is correct because active/active is a valid LACP negotiation pairing.

Why this answer

The EtherChannel should form successfully if the underlying link settings are compatible. LACP active/active is a valid combination, as both switches actively negotiate the bundle. However, the channel does not automatically become a routed interface (option C is incorrect because EtherChannel can operate as Layer 2 or Layer 3 depending on configuration, not automatically due to LACP mode).

Additionally, VLAN tags are not removed by default from the bundle (option D is incorrect; VLAN tagging is preserved based on the switchport mode and allowed VLAN settings). The key troubleshooting point is to ensure that other interface parameters such as speed, duplex, and VLAN settings match across the member ports.

Exam trap

Don't confuse LACP active/active with incompatible settings; they are designed to negotiate successfully.

Why the other options are wrong

B

LACP passive/passive is the pairing that fails to form an EtherChannel because both sides wait for the other to initiate negotiation, resulting in no LACP PDUs being sent. Active/active is a valid and functional combination.

C

LACP operates at Layer 2 and does not change the interface type; the EtherChannel remains a Layer 2 port-channel unless explicitly configured with 'no switchport' or an IP address. The question does not mention any Layer 3 configuration.

D

EtherChannel formation does not alter VLAN tagging; if the interfaces are trunk ports, VLAN tags remain intact. The bundle simply aggregates bandwidth while preserving existing VLAN configurations.

528
Drag & Drop · medium

Drag and drop the following steps into the correct order to configure and recover from a BPDU Guard violation on a PortFast-enabled access port using Cisco IOS-XE CLI commands.


Why this order

The correct sequence (A) configures PortFast globally, then enables BPDU Guard per interface, and recovers manually with shutdown/no shutdown. Option B attempts recovery with a non-existent 'clear spanning-tree bpduguard' command. Option C incorrectly uses 'spanning-tree portfast bpduguard default', a global configuration command, in interface mode, which causes a syntax error.

Option D uses 'errdisable recovery cause bpduguard' in privileged EXEC mode, but this command is a global configuration command and does not manually recover the port; it enables automatic recovery after a timer.

Exam trap

Be careful not to confuse manual recovery (shutdown/no shutdown) with automatic recovery (errdisable recovery). Also, remember that BPDU Guard is configured per interface with 'spanning-tree bpduguard enable', not globally with 'default' in interface mode.

529
MCQ · medium

Which ACL statement permits only SSH from host 10.10.10.50 to server 192.168.1.10?

A. permit tcp host 10.10.10.50 host 192.168.1.10 eq 22
B. permit udp host 10.10.10.50 host 192.168.1.10 eq 22
C. permit tcp any host 192.168.1.10 eq 22
D. permit ip host 10.10.10.50 host 192.168.1.10
Answer: A

This matches the correct protocol, source, destination, and destination port.

Why this answer

SSH uses TCP destination port 22. The source is the single host 10.10.10.50 and the destination is the single host 192.168.1.10.

Exam trap

A common exam trap is selecting an ACL statement that permits UDP traffic on port 22 or permits all IP traffic from the source host. Since SSH exclusively uses TCP on port 22, permitting UDP or all IP protocols can either block SSH access or allow unintended traffic. Another trap is using 'any' as the source, which opens access to all hosts instead of restricting it to the specific host 10.10.10.50.

These mistakes lead to either overly permissive or overly restrictive ACLs, failing the security objective and the exam requirement.

Why the other options are wrong

B

Option B incorrectly permits UDP traffic on port 22, but SSH uses TCP, not UDP, so this rule would not allow SSH connections and is therefore invalid.

C

Option C permits TCP traffic from any source to the destination host on port 22, which is too broad because it does not restrict access to the specific source host 10.10.10.50 as required.

D

Option D permits all IP traffic from the source host to the destination host without restricting to TCP or port 22, allowing all protocols and ports, which is not limited to SSH and is too permissive.
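To make the four options concrete, the following is an added example (not part of the original question bank) that evaluates each ACL statement the way a router does: first matching entry wins, wildcard masks treat 1 bits as "don't care", and an unmatched packet hits the implicit deny. The test flows, the named-port table and the parser are constructed for this example; only a destination "eq" port is supported because that is all the options use.

```python
from ipaddress import ip_address

# Named TCP/UDP ports that may appear after "eq" in an ACE (subset, constructed for this example)
PORT_NAMES = {"ssh": 22, "telnet": 23, "www": 80, "domain": 53}


def _parse_addr(tok, i):
    """Parse one address spec at tok[i]: 'any', 'host A.B.C.D', or 'network wildcard'.
    Returns ((network, wildcard), next_index); 'host' is shorthand for wildcard 0.0.0.0."""
    if tok[i] == "any":
        return ("any", None), i + 1
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    return (tok[i], tok[i + 1]), i + 2


def parse_ace(text):
    """Parse an extended-ACL entry such as
    'permit tcp host 10.10.10.50 host 192.168.1.10 eq 22'."""
    tok = text.split()
    action, proto = tok[0], tok[1]
    src, i = _parse_addr(tok, 2)
    dst, i = _parse_addr(tok, i)
    dport = None
    if i < len(tok) and tok[i] == "eq":
        p = tok[i + 1]
        dport = int(p) if p.isdigit() else PORT_NAMES[p]
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}


def _addr_matches(spec, addr):
    """Wildcard-mask comparison: bits set in the wildcard are ignored."""
    net, wild = spec
    if net == "any":
        return True
    care = ~int(ip_address(wild)) & 0xFFFFFFFF
    return (int(ip_address(net)) & care) == (int(ip_address(addr)) & care)


def ace_matches(ace, pkt):
    """pkt: dict with proto ('tcp'/'udp'/'icmp'), src, dst and, for tcp/udp, dport."""
    if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
        return False
    if not _addr_matches(ace["src"], pkt["src"]) or not _addr_matches(ace["dst"], pkt["dst"]):
        return False
    if ace["dport"] is not None and pkt.get("dport") != ace["dport"]:
        return False
    return True


def acl_decision(acl, pkt):
    """First matching entry wins; every ACL ends with an implicit deny."""
    for line in acl:
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace["action"]
    return "deny"


# The four statements offered as options on the page, each as a one-line ACL.
OPTIONS = {
    "A": ["permit tcp host 10.10.10.50 host 192.168.1.10 eq 22"],
    "B": ["permit udp host 10.10.10.50 host 192.168.1.10 eq 22"],
    "C": ["permit tcp any host 192.168.1.10 eq 22"],
    "D": ["permit ip host 10.10.10.50 host 192.168.1.10"],
}

# Constructed test traffic: the SSH session that must be allowed and three flows that must not be.
TRAFFIC = {
    "ssh_from_allowed_host": {"proto": "tcp", "src": "10.10.10.50", "dst": "192.168.1.10", "dport": 22},
    "ssh_from_other_host":   {"proto": "tcp", "src": "10.10.10.51", "dst": "192.168.1.10", "dport": 22},
    "udp_22_from_allowed":   {"proto": "udp", "src": "10.10.10.50", "dst": "192.168.1.10", "dport": 22},
    "http_from_allowed":     {"proto": "tcp", "src": "10.10.10.50", "dst": "192.168.1.10", "dport": 80},
}


def evaluate_options():
    """Return {option: {flow_name: 'permit' | 'deny'}} for every option and test flow."""
    return {opt: {name: acl_decision(acl, pkt) for name, pkt in TRAFFIC.items()}
            for opt, acl in OPTIONS.items()}


if __name__ == "__main__":
    for opt, results in evaluate_options().items():
        print(opt, results)
```

Only option A permits exactly one of the four flows; B blocks the real SSH session, C lets a second host in, and D lets HTTP and UDP through as well.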

530
PBQ · hard

You are connected to R1. Configure static NAT for a public web server (198.51.100.10 to 192.168.1.10) and PAT for the 192.168.1.0/24 LAN to use interface GigabitEthernet0/1 with overload. The current configuration has misconfigured NAT that prevents both types from working. Identify and fix the issues so that internal hosts can access the internet and external hosts can reach the internal web server.

Network Topology (diagram): Internal hosts (LAN) -- G0/0 192.168.1.1/24 [R1] G0/1 203.0.113.1/30 -- ISP (Internet)

Hints

  • Check the NAT direction on each interface: which one faces the internal LAN and which faces the internet?
  • Look at the ACL in the PAT command — does it match the correct subnet?
  • The PAT command is missing a keyword that enables port multiplexing.
A. Change interface GigabitEthernet0/1 to 'ip nat outside', add 'overload' to the PAT command, and correct ACL 1 to permit 192.168.1.0 0.0.0.255.
B. Change interface GigabitEthernet0/1 to 'ip nat outside', add 'overload' to the PAT command, and change ACL 1 to permit 192.168.2.0 0.0.0.255.
C. Change interface GigabitEthernet0/1 to 'ip nat inside', add 'overload' to the PAT command, and correct ACL 1 to permit 192.168.1.0 0.0.0.255.
D. Change interface GigabitEthernet0/1 to 'ip nat outside', remove the 'overload' keyword from the PAT command, and correct ACL 1 to permit 192.168.1.0 0.0.0.255.
Answer: A
Solution
! R1
configure terminal
interface GigabitEthernet0/1
no ip nat inside
ip nat outside
exit
no ip nat inside source list 1 interface GigabitEthernet0/1
ip nat inside source list 1 interface GigabitEthernet0/1 overload
no access-list 1
access-list 1 permit 192.168.1.0 0.0.0.255
end

Why this answer

Three issues exist: (1) GigabitEthernet0/1 is the outside interface but is configured as 'ip nat inside' — it should be 'ip nat outside'. (2) The PAT command lacks the 'overload' keyword, so it does one-to-one translation instead of port address translation. (3) ACL 1 permits 192.168.2.0/24, but the inside LAN is 192.168.1.0/24 — the ACL must match the correct subnet. Correcting these allows PAT for the LAN and static NAT for the web server.

Exam trap

Watch out for three common traps: (1) Misidentifying inside vs. outside interfaces—the interface facing the public network is always outside. (2) Forgetting the 'overload' keyword for PAT—without it, you get dynamic NAT, not PAT. (3) Using the wrong ACL—the ACL must match the inside network exactly.

Why the other options are wrong

B

The ACL must match the inside network; permitting a different subnet will not translate traffic from the correct LAN.

C

The NAT inside/outside designation is based on the direction of traffic; the interface facing the public network must be outside.

D

Without 'overload', the router will not use port numbers to multiplex multiple inside hosts to a single public IP.

531
MCQ · hard

A network administrator is troubleshooting connectivity issues in a switched network. Hosts on VLAN 10 connected to SwitchC cannot reach the VLAN 10 gateway, which is connected to SwitchA. The administrator checks the STP status on SwitchC and sees that the port connecting to the root bridge is in a blocking state. The administrator also notices that the VLAN 10 gateway is reachable from SwitchA, but not from SwitchC. What is the most likely cause of this issue?

A. Configure PortFast on interface Gi0/2 to bring it up immediately.
B. Change the STP priority on SwitchC to a lower value (e.g., 24576) to ensure it is not the root bridge.
C. Enable BPDU Guard on interface Gi0/2 to prevent BPDU attacks.
D. Configure the spanning-tree mode to PVST+ instead of Rapid PVST+.
Answer: B

Setting the priority to 24576 gives SwitchC a bridge ID of 24586 (24576 + 10) for VLAN 10, which is lower than the current root's 32778, so SwitchC would win the election and become root; a numerically higher value (such as 40960) would make it lose the election instead. The exhibit shows SwitchC's priority is 40960, which is too high. Whether SwitchC should become root depends on the intended design: normally the intended root (SwitchA) is given the lowest priority, or SwitchC is left at a higher value (e.g., 32768) so that it does not become root. The question asks for the most likely cause, and of the options given only B addresses the priority misconfiguration, so B is correct.

Why this answer

The root bridge for VLAN 10 is SwitchA, and SwitchC's port to the root bridge is in a blocking state due to STP. Since the VLAN 10 gateway is reachable from SwitchA but not from SwitchC, the issue is that SwitchC is not the root bridge and its path to the root is blocked, preventing traffic from reaching the gateway. Lowering the STP priority on SwitchC to 24576 would make it the root bridge for VLAN 10, ensuring its port to the gateway is in a forwarding state and restoring connectivity.

Exam trap

Cisco often tests the misconception that a blocked port is always a problem to be fixed with PortFast or BPDU Guard, when the real issue is STP root bridge election and the need to adjust priority to ensure the correct switch becomes root for that VLAN.

Why the other options are wrong

A

PortFast is used to bypass the listening and learning states on access ports, but it does not resolve the root bridge election issue. The port is blocking due to STP topology inconsistency, not because of slow convergence.

C

BPDU Guard is used to protect against unauthorized switches by disabling a port if a BPDU is received, but it does not fix the root bridge election issue. The port is blocking due to STP, not due to BPDU violations.

D

Both PVST+ and Rapid PVST+ use the same bridge ID election process. Changing the mode would not resolve the priority misconfiguration; the root bridge election is based on bridge priority and MAC address, not the STP variant.
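The election the explanation relies on can be worked through in code. The block below is an added example, not part of the question bank: it builds the per-VLAN bridge ID (configured priority plus VLAN number as the extended system ID, then the MAC) and picks the lowest. The switch names and priorities (32768 for the current root, 40960 for SwitchC, 24576 as the proposed fix) come from the question; the MAC addresses are constructed placeholders, with SwitchC deliberately given the lowest MAC to show that MAC only breaks ties and never outweighs a worse priority.

```python
def is_valid_priority(priority: int) -> bool:
    """IOS accepts only multiples of 4096 from 0 to 61440 for 'spanning-tree vlan X priority'."""
    return 0 <= priority <= 61440 and priority % 4096 == 0


def bridge_priority_field(priority: int, vlan: int) -> int:
    """The 16-bit priority field as 'show spanning-tree' displays it:
    configured priority + VLAN ID (the extended system ID), e.g. 24576 + 10 = 24586."""
    if not is_valid_priority(priority):
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN must be 1-4094")
    return priority + vlan


def bridge_id(priority: int, vlan: int, mac: str) -> tuple:
    """Comparable bridge ID (priority field, MAC as an integer); the lowest tuple wins."""
    mac_int = int(mac.replace(":", "").replace(".", "").replace("-", ""), 16)
    return (bridge_priority_field(priority, vlan), mac_int)


def elect_root(vlan: int, switches: list) -> str:
    """Name of the switch that wins the root election for one VLAN (per-VLAN, as in PVST+/RPVST+).
    switches: list of dicts with 'name', 'priority' and 'mac'."""
    return min(switches, key=lambda s: bridge_id(s["priority"], vlan, s["mac"]))["name"]


def with_priority(switches: list, name: str, new_priority: int) -> list:
    """Copy of the topology after 'spanning-tree vlan <vlan> priority <new_priority>' on one switch."""
    return [dict(s, priority=new_priority) if s["name"] == name else dict(s) for s in switches]


# Constructed topology using the priority values quoted on the page. MACs are placeholders;
# SwitchC has the lowest MAC but the worst priority.
SWITCHES = [
    {"name": "SwitchA", "priority": 32768, "mac": "00:1b:54:0a:0a:0a"},
    {"name": "SwitchB", "priority": 32768, "mac": "00:1b:54:0b:0b:0b"},
    {"name": "SwitchC", "priority": 40960, "mac": "00:1b:54:01:01:01"},
]

if __name__ == "__main__":
    print("VLAN 10 root now:", elect_root(10, SWITCHES))
    print("after SwitchC priority 24576:", elect_root(10, with_priority(SWITCHES, "SwitchC", 24576)))
    print("after SwitchC priority 32768 (MAC tie-break):", elect_root(10, with_priority(SWITCHES, "SwitchC", 32768)))
```

The third call shows the tie-break case: once SwitchC matches SwitchA's priority, its lower MAC makes it root, which is why the intended root should always be given a priority strictly below every other switch rather than an equal one.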

532
MCQ · medium

Exhibit: A user can ping 8.8.8.8 successfully but cannot browse to www.example.com by name. Which service is the most likely failing component?

A. NTP
B. DNS
C. Syslog
D. CDP
Answer: B

Name resolution failure fits the symptoms exactly.

Why this answer

If connectivity to an IP address works but name-based access fails, the path is up and the problem is usually name resolution. DNS is the service that translates hostnames into IP addresses.

Exam trap

A common exam trap is assuming that because a user can ping an IP address like 8.8.8.8, all network services are functioning correctly. This leads to mistakenly blaming routing or connectivity issues rather than DNS. Candidates may also confuse NTP or Syslog as affecting web access, but these services do not resolve domain names.

Misunderstanding the role of CDP as a discovery protocol rather than a name resolution service can also cause confusion. The key trap is not recognizing that ping tests IP connectivity but DNS is required for translating domain names to IP addresses.

Why the other options are wrong

A

NTP (Network Time Protocol) synchronizes clocks across network devices but does not impact the ability to resolve domain names or browse websites. Time synchronization issues rarely cause name resolution failures, so NTP is not the failing component here.

C

Syslog collects and stores system logs for monitoring and troubleshooting but does not affect DNS resolution or web browsing. A syslog failure would not prevent browsing by hostname, so it is not the cause.

D

CDP (Cisco Discovery Protocol) is used for discovering directly connected Cisco devices and does not play any role in DNS or web name resolution. CDP failure would not cause inability to browse websites by name.

533
Matching · medium

Drag and drop the IPv4/IPv6 static routing concepts on the left to the correct descriptions on the right.


IPv4 default static route

IPv6 default static route

Floating static route (backup)

Standard IPv4 static route

Standard IPv6 static route

Summary static route (discard)

Why these pairings

Each command matches its description as follows: "ip route 0.0.0.0 0.0.0.0 serial0/0/0" is an IPv4 default static route because it uses all-zeros network and mask to match any destination and specifies an exit interface. "ipv6 route ::/0 serial0/0/0" is an IPv6 default static route for the same reason with IPv6. "ip route 10.0.0.0 255.0.0.0 192.168.1.1 200" sets an administrative distance of 200, making it a floating static route that serves as a backup when the primary route fails. "ip route 10.0.0.0 255.0.0.0 192.168.1.1" is a standard static route pointing to a next-hop IP with a specific destination. "ipv6 route 2001:db8::/32 2001:db8:1::1" is a standard IPv6 static route. "ip route 10.0.0.0 255.0.0.0 null0" creates a summary static route (also called a discard route) that drops traffic matching the aggregate to prevent routing loops.

Exam trap

Do not confuse 'default route' with 'summary route'—default matches any destination, summary matches a block of networks. Also, floating routes are about backup, not broad matching.
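The three ideas the exam trap separates (default route, summary/discard route, floating backup) all come down to how the router picks a route: longest prefix first, then lowest administrative distance among routes that are actually usable. The block below is an added example, not part of the question bank, that models that selection over a small table built from the commands in the explanation. The 192.168.2.1 backup next hop, the 172.16.0.0/16 discard prefix and its 172.16.1.0/24 child are assumptions added so that all three concepts can be shown together.

```python
from ipaddress import ip_address, ip_network

# Route table built from the static-route commands on the page. Entries marked 'assumed'
# are constructed for this example. 'up' models whether the route is currently usable
# (a static route whose next hop is unreachable is withdrawn from the RIB).
ROUTES = [
    {"prefix": "0.0.0.0/0",     "via": "Serial0/0/0", "ad": 1,   "up": True},  # ip route 0.0.0.0 0.0.0.0 serial0/0/0
    {"prefix": "10.0.0.0/8",    "via": "192.168.1.1", "ad": 1,   "up": True},  # ip route 10.0.0.0 255.0.0.0 192.168.1.1
    {"prefix": "10.0.0.0/8",    "via": "192.168.2.1", "ad": 200, "up": True},  # floating backup (AD 200); next hop assumed
    {"prefix": "172.16.0.0/16", "via": "Null0",       "ad": 1,   "up": True},  # summary/discard route; prefix assumed
    {"prefix": "172.16.1.0/24", "via": "192.168.1.1", "ad": 1,   "up": True},  # more-specific child route; assumed
]


def best_route(dst: str, routes=ROUTES):
    """Return the route the router would use for dst, or None if nothing matches.
    Mirrors RIB selection: only usable routes are candidates, the longest prefix wins,
    and among equal prefixes the lowest administrative distance wins."""
    addr = ip_address(dst)
    candidates = [r for r in routes if r["up"] and addr in ip_network(r["prefix"])]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-ip_network(r["prefix"]).prefixlen, r["ad"]))


def forward(dst: str, routes=ROUTES) -> str:
    """Forwarding decision as a string: 'discard' for a Null0 route, otherwise the next hop or exit interface."""
    r = best_route(dst, routes)
    if r is None:
        return "no route"
    return "discard" if r["via"] == "Null0" else r["via"]


def with_next_hop_down(routes, next_hop: str):
    """Copy of the table with every static route via next_hop withdrawn (the primary path has failed)."""
    return [dict(r, up=False) if r["via"] == next_hop else dict(r) for r in routes]


if __name__ == "__main__":
    for dst in ("10.1.1.1", "172.16.1.5", "172.16.9.9", "8.8.8.8"):
        print(dst, "->", forward(dst))
    print("10.1.1.1 with 192.168.1.1 down ->", forward("10.1.1.1", with_next_hop_down(ROUTES, "192.168.1.1")))
```

Two things worth noticing in the output: the floating route is ignored while the AD 1 route exists and takes over only once the primary is withdrawn, and the Null0 summary discards traffic for 172.16.9.9 while the /24 child still wins for 172.16.1.5, which is exactly how a discard route prevents a loop toward the default route.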

534
Drag & Drop · medium

Drag and drop the following steps into the correct order to configure a single-area OSPFv2 network on two Cisco routers (R1 and R2) and observe the neighbor state transitions from Down to Full.


Why this order

First configure OSPF process and router-id on R1, then add the network; repeat on R2; ensure interfaces are up; finally verify neighbor states to see the full transition sequence.

Exam trap

The trap is that candidates might think interfaces must be up before OSPF configuration, or that verification can be done after configuring only one router. The correct sequence ensures both routers are configured before checking neighbor states.

535
Drag & Drop · medium

Drag and drop the following commands into the correct order to configure OSPFv3 for IPv6 on a Cisco router.


Why this order

Commands must be executed in order: global config, IPv6 routing, interface config, OSPFv3 on interface, then verification.

Exam trap

The most common trap is starting with the OSPFv3 router configuration command without first enabling IPv6 routing globally. Also, candidates may try to apply the interface-level OSPFv3 command before entering interface configuration mode.

536
PBQ · medium

You are connected to R1 via console. R1's GigabitEthernet0/0 (10.0.0.1/30) connects to an ISP, and GigabitEthernet0/1 (192.168.1.1/24) connects to the internal LAN. The network administrator needs to monitor R1's system messages. Configure R1 to send syslog messages with severity level 5 (notifications) and above to the syslog server at 10.0.0.2. Also, ensure that logging is enabled and that messages include the timestamp and source interface.

Hints

  • Use 'logging host' to specify the syslog server.
  • Set the severity with 'logging trap' using the severity name or number.
  • Configure the source interface with 'logging source-interface'.
A. logging on; logging trap notifications; logging source-interface GigabitEthernet0/0; logging host 10.0.0.2; service timestamps log datetime
B. logging on; logging trap informational; logging source-interface GigabitEthernet0/1; logging host 10.0.0.2; service timestamps log datetime
C. logging on; logging trap 5; logging source-interface GigabitEthernet0/0; logging 10.0.0.2; service timestamps
D. logging on; logging trap notifications; logging source-interface GigabitEthernet0/1; logging host 10.0.0.2; service timestamps debug datetime
Answer: A
Solution
! R1
logging host 10.0.0.2
logging trap notifications
logging source-interface GigabitEthernet0/0
logging on
service timestamps log datetime msec

Why this answer

The logging commands enable syslog output. 'logging trap notifications' sets severity to 5 (notifications). 'logging source-interface' ensures syslog messages originate from a consistent IP. 'service timestamps' adds time information to log entries for easier troubleshooting.

Exam trap

Pay close attention to the exact syntax of commands: 'logging host' vs 'logging', 'service timestamps log' vs 'service timestamps debug'. Also, remember that the source interface should be the one closest to the syslog server, not necessarily the LAN interface. Severity levels: emergencies (0) to debugging (7); notifications is level 5.

Why the other options are wrong

B

The specific factual error: The trap level is set too low (informational instead of notifications), and the source interface is incorrect.

C

The specific factual error: The logging host command is missing the 'host' keyword, and the timestamps command is incomplete.

D

The specific factual error: The timestamps command applies to debug messages instead of log messages, and the source interface is wrong.
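What 'logging trap notifications' actually does is a threshold: messages whose severity number is less than or equal to 5 are forwarded, and the less severe levels 6 and 7 are dropped. The block below is an added example, not part of the question bank, that pulls the severity out of the %FACILITY-SEVERITY-MNEMONIC tag on IOS system messages and applies that threshold, so the effect of 'notifications' versus 'informational' in options A and B can be seen directly. The sample log lines are constructed for this example and were not captured from a real router.

```python
import re

# IOS severity names and numbers, as listed in the exam trap (emergencies 0 ... debugging 7)
SEVERITY = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}

# The %FACILITY-SEVERITY-MNEMONIC: tag that prefixes IOS system messages
MSG_RE = re.compile(r"%([A-Z0-9_]+)-(\d)-([A-Z0-9_]+):")


def parse_severity(line: str):
    """Return (facility, severity, mnemonic) for an IOS log line, or None if no tag is present."""
    m = MSG_RE.search(line)
    if not m:
        return None
    return m.group(1), int(m.group(2)), m.group(3)


def trap_level(setting) -> int:
    """Translate the argument of 'logging trap' (a name or a number) to a numeric threshold."""
    if isinstance(setting, int) or str(setting).isdigit():
        level = int(setting)
    else:
        level = SEVERITY[str(setting).lower()]
    if not 0 <= level <= 7:
        raise ValueError("severity must be 0-7")
    return level


def messages_sent_to_server(lines, setting):
    """Lines that would reach the syslog host: severity numerically <= the trap level.
    A lower number is more severe, so 'notifications' (5) keeps 0-5 and drops 6-7."""
    threshold = trap_level(setting)
    kept = []
    for line in lines:
        parsed = parse_severity(line)
        if parsed is not None and parsed[1] <= threshold:
            kept.append(line)
    return kept


# Constructed sample of R1 console output (not captured from a real device)
SAMPLE_LOG = [
    "*Mar  1 00:01:02.123: %SYS-5-CONFIG_I: Configured from console by console",
    "*Mar  1 00:01:05.456: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "*Mar  1 00:01:05.789: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down",
    "*Mar  1 00:01:09.000: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 10.0.0.2 port 514 started - CLI initiated",
    "*Mar  1 00:01:10.000: %SYS-7-USERLOG_DEBUG: Message from tty0: debug test",
]

if __name__ == "__main__":
    for setting in ("notifications", "informational", "errors"):
        print(setting, "->", len(messages_sent_to_server(SAMPLE_LOG, setting)), "of", len(SAMPLE_LOG), "messages forwarded")
```

With the constructed sample, 'notifications' forwards three messages (levels 3, 5, 5), while option B's 'informational' also forwards the level 6 message and 'errors' forwards only the link-down event.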

537
Drag & Drop · medium

Drag and drop the steps into the correct order to generate an IPv6 EUI-64 address from a MAC address.


Why this order

Start by obtaining the MAC address and splitting it into two 24‑bit halves (OUI and NIC portions). Insert FFFE in the middle to create a 64‑bit interface identifier. Flip the U/L bit (7th bit) of the first byte, then combine the identifier with the IPv6 prefix (e.g., FE80::/10 for link‑local) to form the complete address.

Exam trap

Students often forget to flip the U/L bit or perform the steps in the wrong order. Remember: MAC → split → insert FFFE → flip U/L bit → combine with prefix.
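The four steps above (split, insert FFFE, flip the U/L bit, combine with the prefix) as working code, added here as an example that is not part of the question bank. The MAC addresses in the test are constructed; note that the combine step needs a /64 prefix, so the link-local address is built on fe80::/64 even though the page quotes the wider FE80::/10 allocation.

```python
from ipaddress import IPv6Address, IPv6Network


def mac_to_eui64_iid(mac: str) -> bytes:
    """Build the 64-bit interface identifier from a 48-bit MAC, in the order the page gives.
    Accepts colon, hyphen or Cisco dotted notation."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(raw) != 6:
        raise ValueError("MAC address must be 48 bits")
    oui, nic = raw[:3], raw[3:]                  # step 1: split into two 24-bit halves (OUI, NIC)
    iid = bytearray(oui + b"\xff\xfe" + nic)     # step 2: insert FFFE in the middle
    iid[0] ^= 0x02                               # step 3: flip the U/L bit (7th bit of the first byte)
    return bytes(iid)


def iid_hex(mac: str) -> str:
    """Interface identifier as four hextets, the form seen in 'show ipv6 interface'."""
    iid = mac_to_eui64_iid(mac)
    return ":".join(f"{iid[i]:02x}{iid[i + 1]:02x}" for i in range(0, 8, 2))


def eui64_address(mac: str, prefix: str = "fe80::/64") -> IPv6Address:
    """Step 4: combine the identifier with a /64 prefix (link-local by default)."""
    net = IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 needs a /64 prefix")
    return IPv6Address(int(net.network_address) | int.from_bytes(mac_to_eui64_iid(mac), "big"))


if __name__ == "__main__":
    mac = "00:1A:2B:3C:4D:5E"  # constructed example MAC
    print("interface ID :", iid_hex(mac))
    print("link-local   :", eui64_address(mac))
    print("global       :", eui64_address(mac, "2001:db8:1::/64"))
```

The flip is an XOR, so a MAC whose U/L bit is already set (second hex digit 2, 6, A or E) has that bit cleared rather than set; forgetting this is the mistake the exam trap warns about.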

538
Drag & Drop · medium

Drag and drop the following steps into the correct order to configure PortFast and BPDU Guard on a Cisco switch interface, then recover from a BPDU guard violation.


Why this order

The correct configuration sequence applies PortFast and BPDU Guard directly in interface configuration mode with 'spanning-tree portfast' and 'spanning-tree bpduguard enable'. After a BPDU guard violation disables the port, manual recovery requires re-enabling the interface with 'shutdown' followed by 'no shutdown' (or configuring errdisable recovery). The other options incorrectly use global defaults, Root Guard, or false automatic recovery intervals.

Exam trap

Do not confuse BPDU Guard with Root Guard. BPDU Guard errdisables the port upon receiving any BPDU; Root Guard only prevents the port from becoming a root port. Also, remember that errdisable recovery is not automatic by default; you must configure it if you want automatic recovery.

539
Matching · easy

Match each network service to its primary purpose.


Resolves hostnames to IP addresses

Assigns IP addressing parameters to clients

Synchronizes device time

Sends event messages to a logging server

Why these pairings

DNS resolves human-readable hostnames to IP addresses, enabling users to access websites by name. DHCP automatically assigns IP addresses, subnet masks, default gateways, and other parameters to clients, simplifying network configuration. NTP synchronizes clocks across network devices to ensure consistent timestamps for logs and transactions.

Syslog sends event messages from network devices to a central logging server for monitoring and troubleshooting.

Exam trap

Learners often confuse the purpose of Syslog with SNMP, but Syslog is specifically for sending event messages to a logging server, not for gathering statistics or management.

540
MCQ · hard

A wireless client can associate to the correct corporate SSID and authenticate successfully, but receives an address from the guest network instead of the employee network. Which troubleshooting area is strongest?

A. Incorrect WLAN-to-role or VLAN mapping after successful authentication.
B. The client must be using the wrong subnet mask manually.
C. The AP must be missing PPP encapsulation.
D. The issue is that STP root election failed.
Answer: A

This is correct because the client is landing in the wrong logical segment after joining successfully.

Why this answer

The client successfully authenticates to the corporate SSID but receives an IP address from the guest network, indicating that the authentication phase is working correctly. The issue lies in the post-authentication mapping: the WLAN is likely mapped to the wrong VLAN or role (e.g., a RADIUS server attribute or local VLAN assignment is misconfigured), causing the client to be placed in the guest VLAN instead of the employee VLAN. This is a common misconfiguration in WLAN-to-VLAN or WLAN-to-role mapping after successful 802.1X authentication.

Exam trap

Cisco often tests the distinction between authentication success and post-authentication authorization (VLAN/role mapping), tricking candidates into focusing on DHCP or IP configuration issues when the real problem is the VLAN assignment after authentication.

Why the other options are wrong

B

The client receives an address from the guest network, indicating that the DHCP server or VLAN assignment is incorrect. A manually configured wrong subnet mask would not cause the client to obtain an IP from a different network; it would simply prevent proper communication within the assigned subnet. The issue is at the network assignment level, not a host configuration error.

C

PPP encapsulation is used on serial WAN links, not in wireless LAN environments. Wireless clients connect via 802.11, and APs use Ethernet or CAPWAP to connect to the network. PPP has no role in VLAN assignment or DHCP for wireless clients.

D

STP root election determines the root bridge in a switched network to prevent loops, but it does not affect VLAN assignment for wireless clients. Even if STP root election failed, it would not cause a client to receive an IP from the wrong network; it would more likely cause network instability or loops.

541
Multi-Select · hard

A switch interface connected to a Cisco IP phone with a PC behind it must carry voice and data correctly. Which two switchport commands are appropriate on that access port?

Select 2 answers
A. switchport mode trunk
B. switchport access vlan 10
C. switchport voice vlan 20
D. channel-group 1 mode active
E. spanning-tree cost 1
Answers: B, C

That assigns the PC data VLAN.

Why this answer

The access VLAN carries the workstation data traffic, and the voice VLAN carries tagged voice traffic for the IP phone. That is the standard campus switchport design for a phone with a PC behind it. The port itself remains an access port, but the two most directly relevant commands here are the access VLAN and voice VLAN assignments.

Exam trap

Don't confuse trunk mode with the need for VLAN tagging; access ports can handle both data and voice VLANs without being trunks.

Why the other options are wrong

A

Configuring an access port as a trunk would cause the switch to expect 802.1Q tagging on all frames, but the PC behind the phone typically sends untagged frames. This would break connectivity for the PC unless the phone is configured to tag PC traffic, which is not standard.

D

The channel-group command is used to create an EtherChannel, which bundles multiple physical links into a single logical link. This is not relevant for a single access port connecting to an IP phone and PC, as there is only one physical link.

E

The spanning-tree cost command manually sets the STP path cost for a port, which is used for loop prevention. It does not affect VLAN assignment or voice/data separation, so it does not address the requirement of carrying voice and data correctly.

542
PBQ · hard

You are connected to R1. Configure SNMPv3 with authentication (SHA) and encryption (AES-128) for user 'monitor' in group 'AdminGroup', and also configure SNMPv2c read-only community string 'cisco123' to send traps to the management server at 192.0.2.100. Additionally, configure NetFlow on interface GigabitEthernet0/0 to export flow data to 198.51.100.50 using version 9. Verify your configuration using the appropriate show commands.

Network Topology (diagram): R1 G0/0 10.0.0.1/30 -- link -- G0/0 10.0.0.2/30 R2; R2 G0/1 203.0.113.1/30 -- link -- G0/1 203.0.113.2/30 R3

Hints

  • SNMPv3 requires a view before creating the group.
  • Remember to enable NetFlow on the interface in both ingress and egress directions.
  • The SNMPv2c community string must be configured before the trap host can reference it.
A. snmp-server group AdminGroup v3 priv read AdminView; snmp-server user monitor AdminGroup v3 auth sha cisco123 priv aes 128 cisco123; snmp-server community cisco123 ro; snmp-server host 192.0.2.100 traps version 2c cisco123; interface GigabitEthernet0/0; ip flow-export destination 198.51.100.50 9996; ip flow-export version 9; ip flow ingress
B. snmp-server group AdminGroup v3 auth read AdminView; snmp-server user monitor AdminGroup v3 auth sha cisco123 priv aes 128 cisco123; snmp-server community cisco123 ro; snmp-server host 192.0.2.100 traps version 2c cisco123; interface GigabitEthernet0/0; ip flow-export destination 198.51.100.50 9996; ip flow-export version 9; ip flow ingress
C. snmp-server group AdminGroup v3 priv read AdminView; snmp-server user monitor AdminGroup v3 auth sha cisco123 priv des 56 cisco123; snmp-server community cisco123 ro; snmp-server host 192.0.2.100 traps version 2c cisco123; interface GigabitEthernet0/0; ip flow-export destination 198.51.100.50 9996; ip flow-export version 9; ip flow ingress
D. snmp-server group AdminGroup v3 priv read AdminView; snmp-server user monitor AdminGroup v3 auth sha cisco123 priv aes 128 cisco123; snmp-server community cisco123 ro; snmp-server host 192.0.2.100 traps version 2c cisco123; interface GigabitEthernet0/0; ip flow-export destination 198.51.100.50 9996; ip flow-export version 5; ip flow ingress
Answer: A
Solution
! R1
! the view must exist before the group references it
snmp-server view AdminView iso included
snmp-server group AdminGroup v3 priv read AdminView
snmp-server user monitor AdminGroup v3 auth sha cisco123 priv aes 128 cisco123
snmp-server community cisco123 RO
snmp-server enable traps
snmp-server host 192.0.2.100 version 2c cisco123
interface GigabitEthernet0/0
 ip flow ingress
 ip flow egress
exit
ip flow-export destination 198.51.100.50 2055
ip flow-export version 9

Why this answer

The configuration was missing SNMPv3 user, group, and trap settings. We added the SNMPv3 user 'monitor' with SHA authentication and AES-128 encryption, created a view and group 'AdminGroup' with read access, and configured the SNMPv2c community string 'cisco123' for read-only access. We also enabled SNMP traps to the manager at 192.0.2.100 and configured NetFlow on GigabitEthernet0/0 to export to 198.51.100.50 using version 9.

Verify with 'show snmp user', 'show snmp group' and 'show snmp host' for the SNMP side, and with 'show ip cache flow' plus 'show ip flow export' for NetFlow.

Exam trap

Pay close attention to the exact security requirements: 'priv' for encryption, AES-128 specifically, and NetFlow version 9. The exam often tests subtle differences between 'auth' and 'priv' levels, encryption algorithms, and NetFlow versions.

Why the other options are wrong

B

A group created with 'auth' only requires authentication (authNoPriv); it does not enforce encryption. The task calls for authPriv, so the group must be created with 'priv' for AES-128 encryption to be required.

C

The privacy algorithm specified is DES (56-bit) instead of AES-128. DES is a legacy cipher whose key is far too short against modern hardware; the requirement here, and the sensible default, is AES-128.

D

NetFlow export version is 5, not 9 as required.

543
Matching (medium)

Drag and drop the wireless LAN terms on the left to the correct descriptions on the right.


Operates only in 5 GHz band; uses 80/160 MHz channels

Introduces OFDMA and works in both 2.4 and 5 GHz bands

Uses SAE for stronger authentication than WPA2

Network name broadcast by access points

Primary concern in 2.4 GHz band; channels 1, 6, 11 are non-overlapping

Typically via HTTPS, SSH, or console for configuration

Why these pairings

802.11ac (Wi-Fi 5) operates exclusively in the 5 GHz band and uses wide channels (80/160 MHz) for high throughput. 802.11ax (Wi-Fi 6) introduces OFDMA for efficiency and supports both 2.4 GHz and 5 GHz. WPA3-Personal replaces the WPA2 pre-shared-key handshake with Simultaneous Authentication of Equals (SAE), a password-authenticated key exchange that resists offline dictionary attacks on captured handshakes and provides forward secrecy. The SSID is the human-readable network name broadcast by access points.

Channel overlap is a critical issue in the 2.4 GHz band because only three channels (1, 6, 11) are non-overlapping. WLC management interfaces commonly use HTTPS, SSH, or console for secure configuration.

Exam trap

Do not assume 802.11ax operates only in 5 GHz; it works in both bands, unlike 802.11ac which is 5 GHz only.

544
MCQ (hard)

R1 and R2 are directly connected and running OSPF. The IP addressing is correct and both routers are in area 0, but they do not form an adjacency. What is the most likely cause?

A.The OSPF MTU values do not match on the connected interfaces.
B.The routers must use identical hostnames before OSPF can form neighbors.
C.The routers must use VLAN 1 for OSPF to operate.
D.The interfaces need to be configured as trunks instead of routed ports.
Answer: A

This is correct because MTU mismatch is a known cause of OSPF adjacency problems during database exchange.

Why this answer

The most likely cause is an MTU mismatch between the two interfaces. During the database exchange, each neighbor advertises its interface MTU in DBD packets, and a router rejects a DBD from a neighbor whose MTU is larger than its own, so the adjacency sticks in the ExStart or Exchange state. Basic connectivity (e.g., ping) often still works because ICMP packets are small. Check 'show ip ospf neighbor' for a neighbor stuck in EXSTART/EXCHANGE and compare the MTU in 'show interfaces' on both routers; fix the mismatch itself rather than masking it with 'ip ospf mtu-ignore'.

Exam trap

Don't overlook MTU settings when OSPF adjacency issues arise, especially when basic connectivity is confirmed.

Why the other options are wrong

B

OSPF neighbor formation does not depend on hostnames; it relies on matching parameters such as area ID, authentication, hello/dead intervals, and network type. Hostnames are only used for local identification and do not affect OSPF adjacency.

C

OSPF can operate over any VLAN or routed interface; there is no requirement to use VLAN 1. The adjacency issue is unrelated to VLAN numbering, and OSPF works independently of VLAN assignments on routed ports.

D

OSPF is designed to run on routed interfaces (Layer 3 interfaces) and does not require trunking. Trunk ports are used for carrying multiple VLANs between switches, not for OSPF adjacency between routers.

545
MCQ (hard)

A wireless client associates to an AP and successfully authenticates to the correct SSID, but it does not obtain an IP address. The WLC is running in local mode. What should the technician do next?

A.Check the DHCP server to ensure it has available leases.
B.Verify the AP’s operating channel for interference.
C.Verify the VLAN mapping on the WLC for the client’s WLAN.
D.Verify the WPA3 PSK on the client.
Answer: C

In local mode, the WLC bridges client traffic to a specified VLAN. An incorrect or missing VLAN ID prevents the DHCP discovery from reaching the DHCP server. This step directly confirms whether the client’s traffic is placed on the correct subnet.

Why this answer

Option C is correct because when a wireless client authenticates to the SSID but fails to obtain an IP address, the most likely cause is a VLAN mapping mismatch on the WLC. In local mode, the WLC maps the WLAN to a specific VLAN (via the interface or VLAN tag), and if that VLAN does not have a DHCP relay or is not trunked to the correct switch, the client's DHCP requests will never reach the DHCP server. This is a common Layer 2 connectivity issue that prevents IP address assignment even though authentication succeeds.

Exam trap

Cisco often tests the misconception that DHCP issues are always server-side (Option A), when in reality the WLC's VLAN-to-interface mapping is a critical Layer 2 configuration that must be verified first in a wireless context.

Why the other options are wrong

A

Troubleshooting at Layer 3 (IP) before verifying Layer 2 (VLAN) connectivity skips a fundamental step in the OSI model.

B

Confuses a Layer 1 problem with a Layer 2/3 problem. The client’s association proves the RF link is functional.

D

This investigates a condition that has already been ruled out (authentication succeeded) and does not address the IP assignment failure.

546
Multi-Select (medium)

Which two statements accurately describe why APIs and human-oriented CLIs are both still useful in network operations?

Select 2 answers
A.APIs are useful for structured, repeatable software-driven interaction.
B.CLIs are still useful for direct human troubleshooting and inspection.
C.APIs make all CLIs obsolete in every situation.
D.CLIs are only useful for configuring initial device settings and cannot be used for monitoring.
E.Neither interface should ever return structured data.
Answers: A, B

This is correct because APIs are well suited to automation workflows.

Why this answer

APIs and CLIs are both useful because they serve different operational strengths. In practical terms, APIs are better for repeatable software interaction and structured automation, while CLIs remain valuable for direct human troubleshooting and ad hoc inspection. Mature environments often use both depending on the task.

This is not an either-or question. It is about fit for purpose.

Exam trap

Don't assume one technology is replacing the other; understand their complementary roles.

Why the other options are wrong

C

This statement is incorrect because CLIs remain essential for tasks that require human judgment, such as debugging complex issues, interactive configuration, and learning device behavior. APIs complement but do not replace CLIs, as many operational scenarios benefit from direct human interaction.

D

This is incorrect because CLIs are widely used for monitoring, troubleshooting, and ad-hoc inspection beyond initial configuration.

E

This statement is incorrect because structured data (e.g., JSON, XML) is commonly returned by both APIs and modern CLIs (e.g., via 'show' commands with formatting options) to facilitate machine parsing and automation. Returning structured data is a best practice for integrating network devices with management systems.

547
Matching (medium)

Drag and drop the PortFast and BPDU protection commands on the left to the correct descriptions on the right.


Immediately transitions port to forwarding state

Err-disables port upon receiving a BPDU

Prevents port from becoming root port

Prevents port from becoming designated if BPDUs stop arriving

Drops all BPDUs sent and received on the port

Reverts port to normal STP listening/learning

Why these pairings

The standard IOS commands behind these descriptions: 'spanning-tree portfast' puts an access port straight into forwarding; 'spanning-tree bpduguard enable' err-disables the port when a BPDU arrives; 'spanning-tree guard root' keeps the port from becoming a root port (it goes root-inconsistent if a superior BPDU arrives); 'spanning-tree guard loop' stops a blocking port from becoming designated when BPDUs stop arriving; 'spanning-tree bpdufilter enable' suppresses BPDUs in both directions on the port; and 'spanning-tree portfast disable' (or 'no spanning-tree portfast') returns the port to the normal listening/learning sequence. Prefer BPDU Guard over BPDU Filter on user-facing ports: filtering silently hides a rogue or looped switch, guarding shuts the port down and logs it.

Exam trap

Be careful to distinguish between interface-level and global commands. The 'default' keyword applies globally, not per interface.

548
PBQ (hard)

You are connected to R1 via the console. R1's GigabitEthernet0/0 (10.0.0.1/30) connects to an ISP router at 10.0.0.2/30. The internal network has a web server at 192.168.1.10 and a mail server at 192.168.1.20. You need to configure NAT so that internal hosts can access the internet (PAT overload) and external users can reach the web server via public IP 203.0.113.10 and the mail server via public IP 203.0.113.11. The inside interface is GigabitEthernet0/1 (192.168.1.1/24) and the outside interface is GigabitEthernet0/0.

Network Topology
PCs (internal network) -- G0/1 192.168.1.1/24 [R1] G0/0 10.0.0.1/30 -- 10.0.0.2/30 [ISP R2]

Hints

  • Define an ACL to match internal traffic.
  • Apply NAT inside/outside on the correct interfaces.
  • Use 'overload' for PAT.
A.ip access-list standard PERMIT_INTERNAL permit 192.168.1.0 0.0.0.255 interface GigabitEthernet0/1 ip nat inside interface GigabitEthernet0/0 ip nat outside ip nat inside source list PERMIT_INTERNAL interface GigabitEthernet0/0 overload ip nat inside source static tcp 192.168.1.10 80 203.0.113.10 80 extendable ip nat inside source static tcp 192.168.1.20 25 203.0.113.11 25 extendable
B.ip access-list standard PERMIT_INTERNAL permit 192.168.1.0 0.0.0.255 interface GigabitEthernet0/1 ip nat outside interface GigabitEthernet0/0 ip nat inside ip nat inside source list PERMIT_INTERNAL interface GigabitEthernet0/0 overload ip nat inside source static tcp 192.168.1.10 80 203.0.113.10 80 ip nat inside source static tcp 192.168.1.20 25 203.0.113.11 25
C.ip access-list standard PERMIT_INTERNAL permit 192.168.1.0 0.0.0.255 interface GigabitEthernet0/1 ip nat inside interface GigabitEthernet0/0 ip nat outside ip nat inside source list PERMIT_INTERNAL interface GigabitEthernet0/0 overload ip nat inside source static 192.168.1.10 203.0.113.10 ip nat inside source static 192.168.1.20 203.0.113.11
D.ip access-list standard PERMIT_INTERNAL permit 192.168.1.0 0.0.0.255 interface GigabitEthernet0/1 ip nat inside interface GigabitEthernet0/0 ip nat outside ip nat inside source list PERMIT_INTERNAL interface GigabitEthernet0/0 overload ip nat outside source static tcp 203.0.113.10 80 192.168.1.10 80 ip nat outside source static tcp 203.0.113.11 25 192.168.1.20 25
Answer: A
Solution
! R1
ip access-list standard PERMIT_INTERNAL
permit 192.168.1.0 0.0.0.255
exit
interface GigabitEthernet0/1
ip nat inside
exit
interface GigabitEthernet0/0
ip nat outside
exit
ip nat inside source list PERMIT_INTERNAL interface GigabitEthernet0/0 overload
ip nat inside source static tcp 192.168.1.10 80 203.0.113.10 80 extendable
ip nat inside source static tcp 192.168.1.20 25 203.0.113.11 25 extendable

Why this answer

The named standard ACL PERMIT_INTERNAL matches all internal hosts in 192.168.1.0/24. The 'ip nat inside source list PERMIT_INTERNAL interface GigabitEthernet0/0 overload' command enables PAT, translating those addresses to the outside interface address 10.0.0.1. The two static entries map TCP port 80 of the web server and TCP port 25 of the mail server to their public addresses; the 'extendable' keyword lets an inside address take part in more than one static translation alongside dynamic NAT (IOS may add it automatically when it stores port-level static entries).

Correct interface direction (inside/outside) is essential. Two practical checks: 203.0.113.10 and .11 are not on the G0/0 subnet, so the ISP must route them toward 10.0.0.1 for inbound connections to arrive at all, and 'show ip nat translations' should list the two static entries plus dynamic PAT entries as hosts go out.

Exam trap

Watch out for interface NAT direction: the inside interface faces your internal network and the outside interface faces the ISP. Static NAT for servers should specify protocol and port so only the required service is exposed rather than the whole host; publishing just TCP/80 and TCP/25 is also the least-privilege choice. The 'extendable' keyword is needed when an inside address participates in more than one static mapping or when static and dynamic translations are combined.

Why the other options are wrong

B

The NAT interface directions are reversed; the internal-facing interface must be 'ip nat inside' and the external-facing interface must be 'ip nat outside'.

C

Static NAT for services must include the protocol (tcp/udp) and port number to map specific services; otherwise, it maps the entire IP address, which is not desired here.

D

The 'ip nat outside source static' command translates the address of an outside host as seen from the inside (for example to deal with overlapping address space); it does not publish an internal server on a public address. For inbound access to servers, 'ip nat inside source static' is required.

549
MCQ (medium)

Why is route summarization often useful at distribution or area boundaries in larger networks?

A.It reduces the number of route advertisements by combining multiple specific prefixes
B.It forces all users into the same VLAN
C.It automatically encrypts routing protocols
D.It removes the need for IP addressing
Answer: A

This is correct because summarization aggregates routes into fewer broader advertisements.

Why this answer

Route summarization is useful there because it reduces the number of specific prefixes that must be advertised upstream or across boundaries. In plain language, instead of sending many small route entries, the network can often advertise one broader summary that represents them collectively. This helps control routing-table growth and can make the design more scalable and easier to manage.

Summarization does not eliminate the need for routing detail inside the local area, but it can simplify what needs to be shared outward. That is why it is especially valuable at aggregation points such as distribution layers or area boundaries.

Exam trap

A common exam trap is selecting options that confuse route summarization with unrelated networking concepts such as VLAN design or encryption. For example, option B incorrectly states that summarization forces all users into the same VLAN, which is false because VLANs are Layer 2 constructs unrelated to routing summarization. Option C mistakenly associates summarization with automatic encryption of routing protocols, which is incorrect since encryption is a separate security feature.

Option D wrongly claims summarization removes the need for IP addressing, which is impossible because routing depends on IP addresses. Understanding that summarization only aggregates routing prefixes without altering VLANs, encryption, or IP addressing is essential to avoid these traps.

Why the other options are wrong

B

Incorrect because route summarization is a routing concept and does not influence VLAN membership or force users into the same VLAN, which is a Layer 2 function.

C

Incorrect because route summarization does not provide encryption; encryption of routing protocols is a separate security feature unrelated to summarization.

D

Incorrect because summarization does not remove the need for IP addressing; routing depends on IP addresses to forward packets correctly.

550
PBQ (hard)

You are connected to R1. The connection between R1 and R2 is experiencing intermittent failures. Troubleshoot the interface G0/0 on R1 to identify and resolve the issue so that the link becomes stable and operational.

Network Topology
[R1] G0/0 10.0.0.1/30 -- link -- G0/0 10.0.0.2/30 [R2]

Hints

  • Look at the line protocol status for any unusual keywords.
  • Check the running-config for any interface-specific commands related to testing.
  • The loopback command creates a loop condition; it must be removed.
A.Enter interface configuration mode for G0/0 and issue the 'no loopback' command.
B.Enter interface configuration mode for G0/0 and issue the 'no shutdown' command.
C.Enter interface configuration mode for G0/0 and issue the 'speed 100' command to force 100 Mbps.
D.Enter interface configuration mode for G0/0 and issue the 'no keepalive' command.
Answer: A
Solution
! R1
interface gigabitEthernet 0/0
no loopback

Why this answer

The interface shows '(looped)' in its line-protocol status. That keyword appears when the interface receives its own keepalives, which happens either because the 'loopback' test command is configured on the interface (the case here, visible in the running-config) or because a physical loopback plug or cable loop is fitted. The interface reports up/up, but traffic cannot reach R2 while the loop is in place. Remove the test with 'no loopback' on the interface, then confirm with 'show interfaces GigabitEthernet0/0' that the status reads 'up, line protocol is up' without '(looped)' and that pings to 10.0.0.2 succeed.

Exam trap

Watch for the '(looped)' keyword in the interface status. It specifically means the interface is seeing its own keepalives (a loopback test or loopback plug), not a Layer 2 switching loop or a general cable fault. Do not confuse it with other interface problems such as a speed/duplex mismatch or an administrative shutdown.

Why the other options are wrong

B

The interface is not administratively down; 'no shutdown' would have no effect on a loop condition.

C

The problem is a loopback test, not a speed/duplex mismatch. Changing speed may cause additional problems.

D

Keepalives are used to detect link failures; disabling them would not resolve a loopback test and could mask real issues.

551
MCQ (hard)

A router learns 192.168.30.0/24 from OSPF and also has a static route to 192.168.30.0/24 with administrative distance 200. Which route is installed in the routing table while both are available?

A.The OSPF route
B.The static route
C.Both routes equally for load balancing
D.Neither route, because they conflict
Answer: A

This is correct because OSPF's administrative distance is lower than 200.

Why this answer

The OSPF route is installed because its default administrative distance of 110 is lower than the static route’s configured administrative distance of 200. In practical terms, the static route has been intentionally made a backup. It is present in the configuration, but it does not become active while the lower-distance OSPF route is healthy.

This is a classic floating-static design question. The important point is that route-source preference depends on administrative distance when the prefix length is the same.

Exam trap

A common exam trap is assuming that static routes always take precedence over dynamic routes because their default administrative distance is 1. In this question, the static route’s administrative distance is manually set to 200, which is higher than OSPF’s default 110. Many candidates mistakenly select the static route, overlooking that a higher administrative distance means lower preference.

This trap tests your understanding that administrative distance values can be adjusted to create floating static routes that serve as backups rather than primary routes.

Why the other options are wrong

B

Incorrect because the static route has a higher administrative distance (200) than OSPF (110), making it less preferred and preventing it from being installed while the OSPF route is available.

C

Incorrect because routers do not install multiple routes with different administrative distances to the same prefix simultaneously; only the route with the lowest administrative distance is installed.

D

Incorrect because routers can and do choose one preferred route when multiple routes to the same prefix exist; conflicting routes do not cause both to be rejected.

552
MCQ (hard)

A network administrator recently configured BPDU Guard on all access ports of a switch to protect against rogue switches. After the change, users in VLAN 10 report intermittent connectivity issues and frequent link flaps. The administrator checks the switch and notices that several ports are in an err-disabled state. What is the most likely cause of the problem?

A.Root Guard is preventing the port from becoming a root port.
B.BPDU Guard is enabled on access ports that are receiving BPDUs, causing the ports to go into err-disabled state.
C.Loop Guard has detected a unidirectional link and placed the port into err-disabled state.
D.BPDU Guard is globally enabled but not configured on the interface, so the port is err-disabled due to a BPDU received.
Answer: B

BPDU Guard is normally paired with PortFast on access ports, but whether it is applied globally (to PortFast ports) or per interface, any BPDU received on a guarded port err-disables it.

Why this answer

BPDU Guard protects the STP topology by placing a port into err-disabled state as soon as a BPDU arrives on it. In this scenario BPDU Guard is enabled on access ports that are receiving BPDUs (from a rogue or unexpected switch, or from a misconfiguration such as an uplink treated as an access port), so those ports are err-disabled. PortFast is not a prerequisite for interface-level BPDU Guard; the problem is simply that BPDUs are arriving on ports where none are expected.

The intermittent connectivity and link flaps occur because the ports are brought back up (by errdisable recovery or a manual shutdown/no shutdown), receive another BPDU, and are err-disabled again. Use 'show interfaces status err-disabled' to find the affected ports and 'show spanning-tree interface <port> detail' to see the BPDU source before re-enabling them.

Exam trap

A common mistake is believing BPDU Guard requires PortFast to function; in reality, BPDU Guard can be enabled per-interface without PortFast and will err-disable the port when a BPDU is received.

Why the other options are wrong

A

Root Guard prevents a port from becoming a root port by placing it in a root-inconsistent state, not err-disabled. It does not cause link flaps or err-disable ports.

C

Loop Guard prevents alternate or root ports from becoming designated in the absence of BPDUs, but it does not err-disable ports. It places ports in a loop-inconsistent state, which is not err-disabled.

D

The global 'spanning-tree portfast bpduguard default' command only applies BPDU Guard to PortFast-enabled ports. If a port receives a BPDU and is not PortFast, it will not be err-disabled by this global command. The scenario states BPDU Guard was configured on all access ports, implying interface-level configuration.

553
Matching (medium)

Match each IPv6 host-configuration concept to its most accurate description.


Host forms addressing information using router advertisements

Server-based IPv6 host configuration method

IPv6 addressing used only on the local link

Method for deriving an interface ID from a MAC address

Why these pairings

SLAAC: the host builds its own address from the prefix carried in router advertisements (RA), with no server involved. Stateful DHCPv6: a server assigns the addresses and tracks the leases (stateless DHCPv6 only supplies extra parameters such as DNS servers). Link-local (fe80::/10): valid only on the local link and never routed. EUI-64: derives the 64-bit interface ID from the 48-bit MAC by inserting FFFE in the middle and flipping the universal/local bit.

Exam trap

Be careful not to confuse stateful and stateless DHCPv6: stateful assigns addresses, stateless only provides extra information. Also remember that EUI-64 generates the interface ID, not the prefix, and that because the MAC can be read straight back out of an EUI-64 address, many hosts use randomized (privacy) interface IDs instead.
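Worked example of the EUI-64 derivation described above, added here and not part of the original question set: it builds the modified EUI-64 interface ID from a MAC, combines it with an RA-learned /64 and with fe80::/64, and shows the privacy problem by reading the MAC back out of an address. The MAC addresses and prefixes are constructed; the function names are mine.

```python
"""Modified EUI-64 interface identifiers and the SLAAC address built from them.

Added example (not part of the original page). The MAC addresses and
prefixes used below are constructed for illustration.
"""
import ipaddress
from typing import Optional


def eui64_interface_id(mac: str) -> bytes:
    """Return the 8-byte modified EUI-64 identifier derived from a 48-bit MAC."""
    digits = mac.replace(":", "").replace("-", "").replace(".", "")
    octets = bytes.fromhex(digits)
    if len(octets) != 6:
        raise ValueError(f"expected a 48-bit MAC address, got {mac!r}")
    # Split the MAC into the OUI (3 bytes) and device part (3 bytes) and
    # insert 0xFFFE between them to reach 64 bits.
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    # Flip the universal/local bit (second-lowest bit of the first octet).
    iid[0] ^= 0x02
    return bytes(iid)


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix, as learned from an RA, with the EUI-64 IID."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 needs a 64-bit prefix")
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def link_local_address(mac: str) -> ipaddress.IPv6Address:
    """Link-local addresses use the fe80::/64 prefix and the same IID rule."""
    return slaac_address("fe80::/64", mac)


def mac_from_eui64(address: str) -> Optional[str]:
    """Recover the MAC from an EUI-64 address, or None if the IID is not EUI-64.

    This is the privacy cost of EUI-64: the burned-in hardware address is
    readable by anyone who sees the IPv6 address.
    """
    iid = int(ipaddress.IPv6Address(address)).to_bytes(16, "big")[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytearray(iid[:3] + iid[5:])
    mac[0] ^= 0x02  # undo the U/L bit flip
    return ":".join(f"{b:02x}" for b in mac)


if __name__ == "__main__":
    mac = "00:1a:2b:3c:4d:5e"  # constructed example MAC
    print(eui64_interface_id(mac).hex())
    print(slaac_address("2001:db8:1:1::/64", mac))
    print(link_local_address(mac))
    print(mac_from_eui64("2001:db8:1:1:21a:2bff:fe3c:4d5e"))
```

The 0x02 flip is what turns 00:1a:2b:... into the 21a: that starts the interface ID; seeing ff:fe in the middle of an address is the tell that a host is using EUI-64 rather than a randomized identifier.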

554
MCQ (hard)

A branch office needs four subnets from the 192.168.50.0/24 network, with each subnet supporting up to 50 hosts. Which prefix length should be used for each subnet?

A./25
B./26
C./27
D./28
Answer: B

Correct. /26 gives four equal subnets and 62 usable addresses each.

Why this answer

Each subnet must support at least 50 hosts, so /26 is the smallest suitable prefix because it provides 62 usable addresses. A /24 can be split into exactly four /26 subnets.

Exam trap

A frequent exam trap is selecting a subnet mask that provides enough hosts but not enough subnets, or vice versa. For instance, choosing /25 seems tempting because it supports 126 hosts, which exceeds the 50-host requirement. However, /25 only creates two subnets from a /24, which fails the requirement for four subnets.

Another trap is picking /27, which creates enough subnets but only supports 30 hosts, insufficient for 50 hosts per subnet. Candidates must carefully balance subnet count and host capacity to avoid these pitfalls.

Why the other options are wrong

A

/25 provides 126 usable hosts per subnet, which is more than enough for 50 hosts, but it only creates two subnets from a /24 network. Since four subnets are required, /25 is insufficient for subnet count.

C

/27 creates eight subnets from a /24, which is enough subnets, but each subnet only supports 30 usable hosts. This is less than the required 50 hosts, so /27 is not suitable.

D

/28 creates sixteen subnets but only supports 14 usable hosts per subnet, which is far below the 50-host requirement. Therefore, /28 is not a valid option.
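The subnet-count versus host-count trade-off from this question, as an added example (not from the original page): it checks both constraints for every candidate prefix of the parent /24 and enumerates the resulting subnets. The helper names are mine; the inputs are the question's values.

```python
"""Choosing a prefix length that satisfies a subnet-count and a host-count
requirement at the same time, then listing the resulting subnets.

Added example (not part of the original page). Function names are mine;
the input values are the ones from the question.
"""
import ipaddress
from typing import Dict, List, Optional


def usable_hosts(prefixlen: int) -> int:
    """Usable IPv4 addresses per subnet: total minus network and broadcast.

    /31 point-to-point links (RFC 3021) are the exception and keep both.
    """
    if prefixlen == 32:
        return 1
    if prefixlen == 31:
        return 2
    return 2 ** (32 - prefixlen) - 2


def evaluate(parent: str, prefixlen: int, subnets_needed: int, hosts_needed: int) -> Dict[str, object]:
    """Report how many subnets and hosts a candidate prefix gives and whether it fits."""
    net = ipaddress.IPv4Network(parent)
    if prefixlen < net.prefixlen:
        raise ValueError("candidate prefix must not be shorter than the parent")
    subnets = 2 ** (prefixlen - net.prefixlen)
    hosts = usable_hosts(prefixlen)
    return {
        "prefix": prefixlen,
        "subnets": subnets,
        "hosts": hosts,
        "ok": subnets >= subnets_needed and hosts >= hosts_needed,
    }


def choose_prefix(parent: str, subnets_needed: int, hosts_needed: int) -> Optional[int]:
    """Prefix length with the fewest borrowed bits that meets both requirements.

    Borrowing more bits only shrinks the host count, so the first prefix that
    yields enough subnets is the only one worth checking for hosts.
    """
    net = ipaddress.IPv4Network(parent)
    for prefixlen in range(net.prefixlen, 33):
        result = evaluate(parent, prefixlen, subnets_needed, hosts_needed)
        if result["subnets"] >= subnets_needed:
            return prefixlen if result["ok"] else None
    return None


def subnet_plan(parent: str, prefixlen: int) -> List[Dict[str, str]]:
    """Enumerate the subnets with their first/last usable host and broadcast."""
    plan = []
    for sub in ipaddress.IPv4Network(parent).subnets(new_prefix=prefixlen):
        hosts = list(sub.hosts())
        plan.append({
            "network": str(sub),
            "first_host": str(hosts[0]),
            "last_host": str(hosts[-1]),
            "broadcast": str(sub.broadcast_address),
        })
    return plan


if __name__ == "__main__":
    plen = choose_prefix("192.168.50.0/24", subnets_needed=4, hosts_needed=50)
    print("chosen prefix:", plen)
    for row in subnet_plan("192.168.50.0/24", plen):
        print(row)
    for candidate in (25, 26, 27, 28):
        print(evaluate("192.168.50.0/24", candidate, 4, 50))
```

Running the evaluation for /25, /27 and /28 reproduces the three wrong options: /25 fails on subnet count, /27 and /28 on host count, and only /26 satisfies both.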

555
Multi-Select (medium)

Which TWO of the following are valid interpretations of errors seen in the output of the 'show interface' command?

Select 2 answers
A.CRC errors indicate that frames were received with an invalid checksum, often due to cabling issues.
B.Runts are frames that are larger than the maximum allowed size.
C.Giants are frames that are smaller than 64 bytes.
D.Input errors include runts, giants, CRC errors, and frame errors.
E.Flaps indicate that the interface is physically disconnected.
Answers: A, D

CRC errors occur when the cyclic redundancy check fails, indicating data corruption. This is commonly caused by faulty or noisy cabling.

Why this answer

CRC errors (option A) indicate frames with an invalid checksum, often due to cabling issues, which is correct. Option D is also correct: 'Input errors' is a cumulative counter that includes runts, giants, CRC errors, and frame errors. Option B is wrong because runts are frames smaller than 64 bytes, not larger.

Option C is wrong because giants are frames larger than the maximum allowed size (typically 1518 bytes), not smaller than 64 bytes. Option E is wrong because 'flaps' refer to an interface going up and down repeatedly, not necessarily physically disconnected; it could be due to duplex mismatch or other reasons.

Exam trap

Cisco often tests the exact byte thresholds for runts (less than 64 bytes) and giants (greater than 1518 bytes), and candidates frequently reverse these values or confuse them with other error types.

Why the other options are wrong

B

Runts are frames smaller than 64 bytes, not larger than the maximum size.

C

Giants are frames larger than the maximum allowed size (typically 1518 bytes), not smaller than 64 bytes.

E

Flaps indicate an interface repeatedly transitioning between up and down states, not necessarily a physical disconnection.

556
PBQ (hard)

You are connected to R1. The network administrator wants to permit only HTTPS traffic (TCP port 443) from the 192.0.2.0/24 network to the 203.0.113.0/24 network, while denying all other IP traffic. Currently, an ACL applied inbound on G0/1 is blocking all traffic, including HTTPS. Identify the issue and correct the ACL configuration so that only HTTPS traffic is permitted.

Network Topology
[R1] G0/1 192.0.2.1/24 -- link -- G0/1 203.0.113.1/24 [R2] (Internet)

Hints

  • The ACL is currently blocking all traffic because of the deny any any entry.
  • You need to remove the existing ACL and recreate it with a permit statement for HTTPS.
  • Remember the implicit deny at the end of every ACL; you don't need an explicit deny statement.
A.Remove the existing ACL, then create an extended ACL with a permit statement for tcp 192.0.2.0 0.0.0.255 203.0.113.0 0.0.0.255 eq 443, and apply it inbound on G0/1.
B.Add a permit statement for tcp 192.0.2.0 0.0.0.255 203.0.113.0 0.0.0.255 eq 443 before the existing deny ip any any entry in the ACL.
C.Remove the existing ACL and create a standard ACL with permit 192.0.2.0 0.0.0.255, then apply it inbound on G0/1.
D.Remove the existing ACL and create an extended ACL with a permit statement for tcp any any eq 443, then apply it inbound on G0/1.
Answer: A
Solution
! R1
configure terminal
no ip access-list extended BLOCK_IN
ip access-list extended BLOCK_IN
permit tcp 192.0.2.0 0.0.0.255 203.0.113.0 0.0.0.255 eq 443
end
write memory

Why this answer

The ACL BLOCK_IN currently has a single 'deny ip any any' entry, which blocks all traffic inbound on G0/1. The correct solution is to remove the existing ACL, then create a new extended ACL under the same name that permits TCP 443 from source network 192.0.2.0/24 to destination network 203.0.113.0/24. Because the name is unchanged, the existing 'ip access-group BLOCK_IN in' on G0/1 stays in effect; confirm with 'show ip interface GigabitEthernet0/1' and 'show ip access-lists BLOCK_IN'. The implicit deny at the end of the ACL then blocks all other traffic, achieving the desired policy. One caveat for production work: between the 'no ip access-list' and the new permit line, G0/1 references an ACL that does not exist, which IOS treats as permit-all, so on a live device build the new list first and swap it in, or insert the permit with a lower sequence number than the deny.

Exam trap

The exam trap is that candidates may think adding a permit statement before the deny will work, but if they add a new entry without specifying a sequence number, it is inserted after the existing deny ip any any, so the deny remains first and blocks all traffic.

Why the other options are wrong

B

Order matters: entries are evaluated top-down and the first match wins. Appending the permit places it after the existing 'deny ip any any', so the deny is still evaluated first and all traffic, including HTTPS, remains blocked.

C

The specific factual error is that standard ACLs lack the capability to filter by protocol or port; extended ACLs are required for such granularity.

D

The specific factual error is that the permit statement uses 'any' for source and destination, making it too permissive and not matching the specified networks.
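An added model of IOS ACL evaluation (not code from the original page) that parses the three versions of BLOCK_IN discussed above and runs constructed packets through them top-down with the implicit deny, showing why the appended permit in option B never fires. Packet addresses and the helper names are my own.

```python
"""Top-down, first-match evaluation of an IOS-style extended ACL, including the
implicit deny. Added example, not from the original page: ACL texts and packets
are constructed from the addresses in the question.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ANY = ipaddress.IPv4Network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    proto: str  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class Entry:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sport: Optional[int]
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    text: str

    def matches(self, p: Packet) -> bool:
        proto_ok = self.proto == "ip" or self.proto == p.proto
        src_ok = ipaddress.IPv4Address(p.src) in self.src and self.sport in (None, p.sport)
        dst_ok = ipaddress.IPv4Address(p.dst) in self.dst and self.dport in (None, p.dport)
        return proto_ok and src_ok and dst_ok


def _take_address(tokens: List[str]) -> Tuple[ipaddress.IPv4Network, List[str]]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' from the token list."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    # An IOS wildcard mask is the bitwise inverse of the subnet mask.
    mask = str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(tokens[1]))))
    return ipaddress.IPv4Network((tokens[0], mask), strict=False), tokens[2:]


def _take_port(tokens: List[str]) -> Tuple[Optional[int], List[str]]:
    """Consume an optional 'eq N' qualifier."""
    return (int(tokens[1]), tokens[2:]) if tokens[:1] == ["eq"] else (None, tokens)


def parse_acl(text: str) -> List[Entry]:
    """Parse a named extended ACL as it would be typed into IOS."""
    entries: List[Entry] = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line or line.startswith("!") or line.startswith("ip access-list"):
            continue
        tokens = line.split()
        if tokens[0].isdigit():  # optional sequence number
            tokens = tokens[1:]
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        src, rest = _take_address(rest)
        sport, rest = _take_port(rest)
        dst, rest = _take_address(rest)
        dport, rest = _take_port(rest)
        entries.append(Entry(action, proto, src, sport, dst, dport, line))
    return entries


def evaluate(acl: List[Entry], p: Packet) -> Tuple[str, str]:
    """Return (action, matching line); anything unmatched hits the implicit deny."""
    for entry in acl:
        if entry.matches(p):
            return entry.action, entry.text
    return "deny", "<implicit deny>"


ORIGINAL = "ip access-list extended BLOCK_IN\n deny ip any any\n"
APPENDED_PERMIT = ORIGINAL + " permit tcp 192.0.2.0 0.0.0.255 203.0.113.0 0.0.0.255 eq 443\n"
CORRECTED = "ip access-list extended BLOCK_IN\n permit tcp 192.0.2.0 0.0.0.255 203.0.113.0 0.0.0.255 eq 443\n"

# Constructed test traffic entering G0/1 from the 192.0.2.0/24 side.
TRAFFIC = {
    "https": Packet("tcp", "192.0.2.25", "203.0.113.80", 51000, 443),
    "ssh": Packet("tcp", "192.0.2.25", "203.0.113.80", 51001, 22),
    "ping": Packet("icmp", "192.0.2.25", "203.0.113.80"),
    "https_elsewhere": Packet("tcp", "192.0.2.25", "198.51.100.5", 51002, 443),
}


def decisions(acl_text: str) -> Dict[str, str]:
    """Action taken for each constructed packet under the given ACL text."""
    acl = parse_acl(acl_text)
    return {name: evaluate(acl, pkt)[0] for name, pkt in TRAFFIC.items()}
```

Under APPENDED_PERMIT every packet still reports the matching line as 'deny ip any any'; under CORRECTED only the HTTPS packet to 203.0.113.0/24 is permitted and everything else, including HTTPS to a different destination, falls through to the implicit deny. The parser also accepts a leading sequence number, which is the mechanism that would let a permit be placed ahead of an existing deny without rebuilding the list.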

557
MCQ (hard)

A router receives two routes to 10.50.0.0/16: one from OSPF and one static route with an administrative distance of 90. Which route is installed by default?

A.The static route, because its administrative distance is lower than OSPF's
B.The OSPF route, because dynamic routes always override static routes
C.Both routes, because equal destination networks always load-balance
D.Neither route, because the destinations overlap
Answer: A

This is correct because an administrative distance of 90 is lower than OSPF’s default 110.

Why this answer

By default, the static route with administrative distance 90 is installed because it is preferred over the OSPF route with default administrative distance 110. In plain language, the router is being told that the manually configured route is more trustworthy than the OSPF-learned one, so it chooses the static path first. The protocol type alone does not decide the outcome. Administrative distance is the key comparison when two different route sources offer the same destination prefix length.

This is a classic routing-selection question because many learners incorrectly assume OSPF always wins over static routes unless the static route uses the default administrative distance. Once the static route is given a value lower than OSPF’s 110, it becomes the preferred path unless a more specific route exists elsewhere.

Exam trap

A frequent exam trap is assuming that dynamic routing protocols like OSPF always override static routes regardless of administrative distance. Many candidates mistakenly believe that static routes only win if they use the default AD of 1. However, if a static route is manually assigned an AD lower than OSPF's default 110, it becomes the preferred route.

This misunderstanding leads to incorrect answers because the exam tests knowledge of how administrative distance influences route selection, not just the routing protocol type. Remember, the router always chooses the route with the lowest administrative distance, even if it is a static route with a custom AD.

Why the other options are wrong

B

Incorrect. Dynamic routes do not always override static routes; route preference depends on administrative distance, not just whether a route is dynamic or static.

C

Incorrect. Equal destination networks do not automatically cause load balancing if the routes have different administrative distances; only routes with equal AD and metrics are load-balanced.

D

Incorrect. Overlapping destinations from different sources are common and do not prevent route installation; the router uses administrative distance to choose the preferred route.

558
Multi-Select (medium)

Which TWO statements about network automation tools are true?

Select 2 answers
A.Ansible uses an agentless architecture and communicates with network devices over SSH by default.
B.Python is a general-purpose programming language often used with libraries like Netmiko and NAPALM to automate network tasks.
C.Puppet and Chef both use a push-based model where the master server initiates configuration changes on managed nodes.
D.Chef playbooks are written in YAML, while Ansible uses a Ruby-based DSL for defining desired state.
E.Ansible requires an agent to be installed on managed network devices, while Puppet does not.
Answers: A, B

Ansible does not require an agent on managed nodes; it relies on standard protocols such as SSH for Linux/network devices, making it agentless.

Why this answer

Ansible is agentless, meaning it does not require any software installed on managed network devices. It connects to devices over SSH by default (or API for some platforms) and pushes configuration modules directly, making it lightweight and easy to deploy in network environments.

Exam trap

Cisco often tests the confusion between push-based and pull-based models, as well as which tools use agents versus agentless architectures, to catch candidates who memorize buzzwords without understanding the underlying communication patterns.

Why the other options are wrong

C

Ansible is the tool known for push-based orchestration; Puppet and Chef rely on agent-initiated pull cycles.

D

Mixing up the DSL/language associations: Ansible = YAML, Chef = Ruby, Puppet = Puppet DSL (declarative).

E

This error stems from confusing the agentless nature of Ansible with the agent-based architecture of Puppet/Chef.

559
MCQhard

A router has routes to 192.168.0.0/16 and 192.168.100.0/24. Which route is used for traffic to 192.168.100.77?

A.192.168.0.0/16
B.192.168.100.0/24
C.Both routes are discarded because they overlap.
D.The default route is preferred if present.
AnswerB

This is correct because it is the more specific matching prefix.

Why this answer

The route to 192.168.100.0/24 is used because it is more specific. In plain language, even though the /16 route covers a large address range that includes the destination, the /24 route describes the destination network more precisely. Longest-prefix match therefore prefers the /24.

This is a basic but critical routing-table concept. The router does not choose the broader route when a narrower one matches the same destination.

Exam trap

A frequent exam trap is to select the broader route 192.168.0.0/16 because it seems to cover more addresses, including the destination. Candidates may mistakenly think that a route covering a larger address range (that is, a shorter prefix) is a better route, or that overlapping routes cause the router to discard both. However, Cisco routers always prefer the most specific route based on the longest-prefix match rule: the longer the mask, the better the match.

Overlapping routes are normal and do not cause discarding; instead, the router uses the route with the longest subnet mask. Misunderstanding this can lead to incorrect answers and confusion about routing behavior.

Why the other options are wrong

A

192.168.0.0/16 is a less specific route covering a larger address range. Although it includes 192.168.100.77, it is not chosen because a more specific route exists. Selecting this ignores the longest-prefix match rule.

C

Both routes are not discarded because overlapping routes are common in routing tables. The router uses the longest-prefix match to select the best route, so discarding overlapping routes is incorrect.

D

The default route is only preferred if no specific matching route exists. Since both 192.168.0.0/16 and 192.168.100.0/24 match the destination, the router chooses the more specific /24 route, not the default.

560
Matchingmedium

Match each basic IPv4 concept to its most accurate role.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Defines network versus host portions of the address

Next hop used for off-subnet traffic

Address used to reach all hosts in the local broadcast domain

Address identifying an individual device in the subnet

Why these pairings

The subnet mask is a 32-bit value that distinguishes the network portion from the host portion of an IPv4 address, enabling devices to determine their subnet membership. The default gateway is the IP address of the local router, which serves as the next hop for traffic destined to subnets outside the local network. The broadcast address, typically the highest address in a subnet, is used to send a single packet to all hosts within the same broadcast domain.

A host address is a unique IP assigned to a single device's interface within a subnet, allowing it to be identified individually.

Exam trap

Do not confuse classful addressing with CIDR or VLSM. Classful addressing is defined by fixed boundaries per class, while classless methods allow variable-length subnet masks. NAT is a separate concept for address translation.

561
Matchingmedium

Match each IPv6 address type or concept to its most accurate description.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

IPv6 address type used for wider routed communication

IPv6 address type used only on the local segment

Address used by a device to refer to itself

Method for deriving an interface identifier from a MAC address

Why these pairings

Each IPv6 address type has a distinct purpose. Global unicast addresses (2000::/3) are routable across the internet and are the type used for wider routed communication; link-local addresses (fe80::/10) are valid only on the local segment and are never forwarded by a router; the loopback address ::1 is the address a device uses to refer to itself; and EUI-64 is the method that builds a 64-bit interface identifier from a 48-bit MAC address by inserting FFFE in the middle and flipping the universal/local bit. Other types that often appear as distractors: unique local (fc00::/7) for private site-wide use, multicast (ff00::/8) for group delivery, anycast for the nearest of several devices sharing one address, and SLAAC for stateless address assignment.

Exam trap

The most common trap is confusing the scope of Link-Local and Unique Local addresses. Remember: Link-Local is only for the local link, while Unique Local is for private site-wide use but not internet-routable. Also, don't confuse multicast with unicast.

562
MCQmedium

Why is NTP especially valuable when a network uses centralized Syslog servers?

A.Because synchronized clocks make log timestamps easier to correlate across devices
B.Because NTP converts Syslog into a routing protocol
C.Because NTP automatically creates DHCP pools
D.Because NTP eliminates the need for a Syslog server
AnswerA

This is correct because NTP improves the usefulness of centralized logs by aligning time.

Why this answer

NTP is especially valuable because centralized logs are much easier to interpret when device clocks are synchronized. In plain language, if multiple routers and switches send messages to one logging server but each device believes a different time, the event sequence becomes confusing. NTP helps align those clocks so the timestamps in the logs are consistent and the team can reconstruct incidents more accurately.

This is a practical operations concept rather than a syntax question. Syslog solves the collection problem, and NTP solves the time-correlation problem. Together they make logs more useful than either one alone. That is why the best answer focuses on timestamp consistency rather than on routing, VLAN, or NAT behavior.

Exam trap

A common exam trap is selecting an answer that incorrectly attributes routing or DHCP functions to NTP, such as thinking NTP converts Syslog into a routing protocol or automatically creates DHCP pools. These options confuse NTP’s fundamental role in time synchronization with unrelated network services. Another trap is assuming NTP eliminates the need for a Syslog server, which is false because NTP only provides accurate timestamps; it does not collect or store logs.

Understanding that NTP’s value lies in timestamp consistency, not in changing or replacing other protocols, is critical to avoid these mistakes.

Why the other options are wrong

B

Incorrect because NTP does not convert Syslog into a routing protocol; NTP’s function is strictly time synchronization, unrelated to routing protocols.

C

Incorrect because NTP does not create DHCP pools; DHCP pool creation is unrelated to time synchronization and is managed by DHCP services.

D

Incorrect because NTP does not eliminate the need for a Syslog server; it complements Syslog by providing accurate timestamps but does not replace log collection.
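The timestamp-correlation problem described above, shown on sample data. This is an added example, not part of the original question bank: the four syslog lines are constructed, and the 30-second clock error on SW1 is an assumption standing in for a switch that never synchronized to NTP. The script parses the lines the way a collector would store them (hostname, device timestamp, message) and orders the events first by the raw device clocks and then after correcting the assumed skew.

```python
"""Correlate syslog events from two devices whose clocks disagree.

Added example (not from the original question bank). The log lines below are
constructed for illustration; the 30-second offset on SW1 is assumed.
"""
import re
from datetime import datetime, timedelta

# Constructed syslog lines as a collector would store them: hostname, the
# device's own timestamp, then the IOS-style message. Both devices saw the
# same link flap, but SW1's clock is assumed to run 30 seconds fast.
SAMPLE_LOG = """\
R1 Jan 10 2024 09:15:02: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to down
SW1 Jan 10 2024 09:15:33: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down
R1 Jan 10 2024 09:15:09: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to up
SW1 Jan 10 2024 09:15:40: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up
"""

LINE_RE = re.compile(
    r"^(?P<host>\S+) (?P<ts>\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}): (?P<msg>.*)$"
)


def parse_log(text):
    """Return a list of (host, device_timestamp, message) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything that is not a syslog line
        ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
        events.append((m["host"], ts, m["msg"]))
    return events


def order_events(events, skew_seconds=None):
    """Sort events by time after subtracting each host's known clock error.

    skew_seconds maps hostname -> seconds its clock runs fast. With NTP every
    value is effectively 0; without NTP the analyst has to guess these, which
    is exactly what makes unsynchronized logs hard to read.
    """
    skew = skew_seconds or {}
    corrected = [(h, ts - timedelta(seconds=skew.get(h, 0)), msg) for h, ts, msg in events]
    return sorted(corrected, key=lambda e: e[1])


def event_sequence(events, skew_seconds=None):
    """Compact 'host:state' view of the ordered events, for comparison."""
    return [
        f"{h}:{'down' if 'to down' in msg else 'up'}"
        for h, _, msg in order_events(events, skew_seconds)
    ]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("raw device clocks:", event_sequence(evs))
    print("skew corrected:   ", event_sequence(evs, {"SW1": 30}))
```

With the raw clocks the collector shows R1 going down and back up before SW1 reports anything, which looks like two unrelated events; once SW1's skew is removed the interleaved sequence (both sides down, then both sides up) is what actually happened. NTP removes the need for the correction table entirely, which is the practical reason to deploy it alongside centralized Syslog.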

563
MCQhard

A wireless client joins the correct SSID and gets an address in the correct employee subnet, but cannot reach only one internal application while everything else works. Which troubleshooting area is the strongest first target?

A.The path or policy specific to that application, since general employee connectivity already works.
B.The SSID broadcast setting, because the client must not be joined correctly.
C.The voice VLAN on the wired access port connected to the AP uplink.
D.The OSPF router ID on the client device.
AnswerA

This is correct because the symptoms isolate the problem to one application rather than general WLAN access.

Why this answer

The strongest first target is the application path or policy specific to that application because the client already has general connectivity: it joined the correct SSID, authenticated, and obtained an IP address in the employee subnet. A failure limited to one internal application indicates that basic WLAN join, DHCP, and overall routing are working; therefore, ACLs, firewall rules, DNS resolution for that service, or application-specific policies are the likely cause. Option B (SSID broadcast setting) is irrelevant because the client successfully joined the SSID and has connectivity.

Option C (voice VLAN on the wired access port) is not a first target because the symptom involves a single data application, not voice, and the client is on the employee subnet, not a voice VLAN. Option D (OSPF router ID on the client) is invalid because client devices do not typically run OSPF; OSPF runs on routers, not wireless clients.

Exam trap

Avoid restarting troubleshooting from basic connectivity steps when the problem is isolated to a specific application.

Why the other options are wrong

B

The client has already joined the correct SSID, authenticated, and received an IP address in the correct subnet, so the SSID broadcast setting is not the issue. The problem is specific to one application, not general connectivity.

C

The voice VLAN on the AP uplink is used for VoIP traffic, not for general data applications. Since the client can access other internal resources, the issue is not related to the AP uplink configuration.

D

OSPF router IDs are used by routers in OSPF routing, not by end-client devices. Clients do not run OSPF, so this is irrelevant to the problem.

564
PBQmedium

You are connected to SW1 via console. SW1 is a Layer 2 switch with two ports (G0/1 and G0/2) connected to a host. The host should be able to send and receive traffic on VLAN 10 and VLAN 20. Configure the two ports as a trunk link to the host, but ensure that the trunk only carries VLANs 10 and 20, and set the native VLAN to VLAN 99.

Network Topology
SW1 G0/1, G0/2 -- Host

Hints

  • Use the 'switchport trunk allowed vlan' command to restrict which VLANs are carried.
  • The native VLAN must match on both ends of the trunk.
A.interface range gigabitethernet0/1-2 switchport mode trunk switchport trunk allowed vlan 10,20 switchport trunk native vlan 99
B.interface range gigabitethernet0/1-2 switchport mode trunk switchport trunk allowed vlan 10-20 switchport trunk native vlan 99
C.interface range gigabitethernet0/1-2 switchport mode trunk switchport trunk allowed vlan 10,20 switchport native vlan 99
D.interface range gigabitethernet0/1-2 switchport mode trunk switchport trunk allowed vlan 10,20 switchport trunk native vlan 1
AnswerA
solution
! SW1
interface gigabitethernet0/1
switchport mode trunk
switchport trunk allowed vlan 10,20
switchport trunk native vlan 99
interface gigabitethernet0/2
switchport mode trunk
switchport trunk allowed vlan 10,20
switchport trunk native vlan 99

Why this answer

Configuring the ports as trunks allows multiple VLANs. The 'allowed vlan' command restricts the trunk to only VLANs 10 and 20, while 'native vlan 99' sets the untagged VLAN to 99, ensuring proper tagging and avoiding VLAN mismatch.

Exam trap

Watch out for the difference between 'switchport trunk allowed vlan 10,20' (list) and 'switchport trunk allowed vlan 10-20' (range). Also, remember that on a trunk port, the native VLAN command must include the 'trunk' keyword: 'switchport trunk native vlan'. Finally, always verify that the native VLAN is set to the required value, not left at the default.

Why the other options are wrong

B

The specific factual error is using a range (10-20) instead of a list (10,20), which includes unintended VLANs.

C

The specific factual error is omitting the 'trunk' keyword in the native VLAN command, which is required for trunk ports.

D

The specific factual error is setting the native VLAN to 1 instead of 99, which does not meet the requirement.
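The list-versus-range trap above is easy to check mechanically. What follows is an added example, not part of the original question bank: it expands a Cisco `switchport trunk allowed vlan` argument into the set of VLANs the trunk will carry (comma-separated IDs, hyphen ranges, and the `all`, `none`, `add`, `remove` and `except` keywords, modelled from the IOS syntax) and reports anything beyond what the design expects. The two config fragments are constructed from the correct answer and from distractor B.

```python
"""Expand a Cisco 'switchport trunk allowed vlan' expression and audit it.

Added example, not part of the original question bank. The vlan-list syntax
is modelled from IOS (IDs, hyphen ranges, all/none/add/remove/except); the
config fragments at the bottom are constructed.
"""
import re

ALL_VLANS = frozenset(range(1, 4095))  # valid VLAN IDs are 1-4094


def expand_vlan_list(expr):
    """'10,20,30-32' -> {10, 20, 30, 31, 32}. Raises ValueError on bad input."""
    vlans = set()
    for part in expr.replace(" ", "").split(","):
        if not part:
            continue
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", part)
        if not m:
            raise ValueError(f"bad vlan-list element: {part!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if not 1 <= lo <= hi <= 4094:
            raise ValueError(f"vlan range out of bounds: {part!r}")
        vlans.update(range(lo, hi + 1))
    return vlans


def apply_allowed_vlan(current, args):
    """Apply the argument of one 'switchport trunk allowed vlan ...' command.

    current: VLANs allowed before the command (a fresh trunk allows all).
    args:    text after 'allowed vlan', e.g. '10,20', 'add 30', 'except 99'.
    """
    words = args.split(None, 1)
    keyword = words[0].lower()
    rest = words[1] if len(words) > 1 else ""
    if keyword == "all":
        return set(ALL_VLANS)
    if keyword == "none":
        return set()
    if keyword == "add":
        return current | expand_vlan_list(rest)
    if keyword == "remove":
        return current - expand_vlan_list(rest)
    if keyword == "except":
        return set(ALL_VLANS) - expand_vlan_list(rest)
    return expand_vlan_list(args)  # a plain list replaces the whole set


def allowed_vlans_from_config(lines):
    """Walk one interface's config lines and return the final allowed set."""
    allowed = set(ALL_VLANS)
    for line in lines:
        m = re.match(r"\s*switchport trunk allowed vlan\s+(.+)$", line)
        if m:
            allowed = apply_allowed_vlan(allowed, m.group(1))
    return allowed


def audit_trunk(lines, expected):
    """VLANs the trunk carries beyond what the design expects (sorted)."""
    return sorted(allowed_vlans_from_config(lines) - set(expected))


# Constructed config fragments: the list form from the correct answer and the
# range form from distractor B.
GOOD = ["switchport mode trunk", "switchport trunk allowed vlan 10,20",
        "switchport trunk native vlan 99"]
BAD = ["switchport mode trunk", "switchport trunk allowed vlan 10-20",
       "switchport trunk native vlan 99"]

if __name__ == "__main__":
    print("extra VLANs on GOOD:", audit_trunk(GOOD, {10, 20}))  # []
    print("extra VLANs on BAD: ", audit_trunk(BAD, {10, 20}))   # 11..19
```

The audit also makes a second point visible: with `allowed vlan 10,20` the native VLAN 99 is not in the allowed list, so untagged frames are dropped on this trunk. That is what you want when VLAN 99 is a dummy native VLAN chosen to keep untagged traffic off the link, but it breaks any design that expects management traffic to cross the trunk untagged, so decide which one you mean before copying the answer into production.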

565
PBQhard

You are troubleshooting a PC connected to switch SW1. The PC cannot access the internet. SW1 is connected to router R1 via port G0/1. R1 provides default gateway and DHCP services. Analyze the provided show output and fix the connectivity issue so that the PC can ping 8.8.8.8.

=== Show output from R1 ===
R1# show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0     unassigned      YES manual administratively down down
GigabitEthernet0/1     10.0.0.1        YES NVRAM  up                    up

=== Show output from PC ===
C:\> ipconfig
Ethernet adapter Ethernet0:
   Connection-specific DNS Suffix . :
   IPv4 Address. . . . . . . . . . : 169.254.123.45
   Subnet Mask . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . :

=== Show output from SW1 ===
SW1# show vlan brief
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/1, Gi0/2, Gi0/3

Network Topology
PC1 -- SW1 G0/2; SW1 G0/1 -- R1 G0/0; R1 G0/1 uplink

Hints

  • Check if R1's interface connected to SW1 has an IP address.
  • The DHCP pool expects the default gateway to be on the same subnet as the clients.
  • APIPA address means the PC did not receive a DHCP offer.
A.Configure R1's interface G0/0 with IP address 192.168.1.1/24 and ensure the interface is not administratively down.
B.Change the VLAN on SW1's port G0/2 to VLAN 10 and configure R1's subinterface G0/0.10 with IP 192.168.1.1/24.
C.Enable DHCP snooping on SW1 and configure the port G0/2 as a trusted port.
D.Configure a static IP address of 192.168.1.10/24 on the PC with default gateway 192.168.1.1.
AnswerA
solution
! R1
interface gigabitethernet0/0
ip address 192.168.1.1 255.255.255.0
no shutdown

Why this answer

The PC's APIPA address (169.254.x.x) means it sent DHCP discovers and never received an offer. The question states that R1 provides DHCP, but the show output reveals that R1's interface G0/0, the one facing SW1, is administratively down and has no IP address. Without an address on G0/0 in the client subnet, the router cannot answer DHCP on that segment or act as its gateway, even though the PC and the switch port toward R1 are in the same VLAN 1.

Option A fixes the root cause by assigning the correct subnet IP and bringing the interface up. Option B is incorrect because moving the PC to a different VLAN or creating subinterfaces does nothing to enable the router's physical interface where DHCP and routing must run. Option C is wrong because DHCP snooping or trust configurations are irrelevant when the router's own interface is down/unaddressed.

Option D is a workaround that only masks the problem; the scenario requires a working DHCP service, and a static IP would not restore the intended design.

Exam trap

This question tests your ability to identify that a router interface must have an IP address in the client subnet for DHCP to work, even if the DHCP pool is correctly configured. Many candidates focus on VLANs or DHCP server settings but overlook the basic requirement of an IP address on the router interface.

Why the other options are wrong

B

Changing VLANs or using subinterfaces does not solve the problem because the router's physical interface must be up and have an IP address to serve the VLAN.

C

Enabling DHCP snooping or trust settings on the switch cannot fix a router interface that is administratively down and unassigned.

D

Assigning a static IP to the PC circumvents but does not resolve the root issue of the router's interface being down, and the scenario requires DHCP.

566
MCQhard

A routing table contains these entries for the same destination space: 10.1.0.0/16, 10.1.10.0/24, and 0.0.0.0/0. Which route is used for traffic to 10.1.10.44?

A.10.1.0.0/16
B.10.1.10.0/24
C.0.0.0.0/0
D.No route, because the entries overlap
AnswerB

This is correct because 10.1.10.44 falls within that more specific prefix.

Why this answer

The 10.1.10.0/24 route is used because it is the most specific matching prefix. In plain language, even though the /16 route and the default route could also match, the /24 route describes the destination range more precisely. Longest-prefix match therefore selects the /24 entry.

This is a foundational route-selection rule. The default route remains important as a fallback, but it is not used when more specific routes exist. Likewise, the /16 route is less specific than the /24, so it loses for this destination.

Exam trap

A frequent exam trap is selecting the less specific route (10.1.0.0/16) or the default route (0.0.0.0/0) for the destination 10.1.10.44. Candidates might mistakenly believe that overlapping routes cause conflicts or that the default route overrides specific routes. However, Cisco routers always apply the longest-prefix match rule, choosing the most specific subnet mask that fits the destination IP.

Overlapping routes do not cause routing failures; instead, they provide multiple options where the router picks the best match. Misunderstanding this can lead to incorrect answers and confusion about routing behavior.

Why the other options are wrong

A

The 10.1.0.0/16 route is less specific than the 10.1.10.0/24 route. Although it matches the destination IP, the router prefers the more specific /24 prefix, so this option is incorrect.

C

The 0.0.0.0/0 default route is only used when no other specific route matches the destination. Since both /16 and /24 routes match, the default route is not chosen here, so this option is incorrect.

D

Overlapping routes like 10.1.0.0/16 and 10.1.10.0/24 are common and do not prevent routing. The router resolves overlaps by selecting the longest prefix, so this option is incorrect.

567
Multi-Selectmedium

Which three options correctly describe how a router processes a packet destined for a remote network? (Choose three.)

Select 3 answers
A.It decrements the Time-to-Live (TTL) field in the IP header.
B.It performs a lookup in the routing table for the destination IP address.
C.It rewrites the source and destination MAC addresses for the next hop.
D.It replaces the source IP address with its own outgoing interface IP.
E.It sends an ARP request for every destination IP address in the packet.
F.It encapsulates the entire packet in a new Layer 2 frame with the original MAC addresses.
AnswersA, B, C

Why this answer

When a router forwards a packet to a remote network, it looks up the destination IP address in the routing table to find the exit interface and next hop, decrements the Time-to-Live (TTL) field (discarding the packet and sending an ICMP time-exceeded message if it reaches zero) to prevent packets looping forever, and rewrites the source and destination MAC addresses for the next hop, because MAC addresses are only meaningful on the local link and must change at every Layer 3 hop. The source and destination IP addresses are left untouched; only NAT changes them.

Exam trap

Cisco often tests the distinction between Layer 2 (MAC) and Layer 3 (IP) header changes, so the trap here is that candidates mistakenly think the source IP address is rewritten at each hop, confusing routing with NAT or PAT.

568
MCQhard

A router has two static routes to the same 192.168.1.0/24 network: one via next-hop 10.1.1.1 with metric 10, and the other via next-hop 10.1.1.2 with metric 5. Both routes use the default administrative distance of 1. Which next hop does the router use to forward packets to this destination?

A.10.1.1.1 because it appears first in the configuration
B.10.1.1.2 because it has the lower metric
C.Both next hops because all static routes always load balance
D.Neither next hop because static routes need tracking to be installed
AnswerB

Among equal-AD statics to the same prefix, the lower metric wins.

Why this answer

Both routes have the same prefix length and, as the question frames it, the same administrative distance, so the tiebreaker is the lower value: the route via 10.1.1.2 (5) beats the route via 10.1.1.1 (10). One caveat for the real CLI: IOS static routes have no configurable metric, and the trailing number on an `ip route` line is the administrative distance, so `ip route 192.168.1.0 255.255.255.0 10.1.1.2 5` and `ip route 192.168.1.0 255.255.255.0 10.1.1.1 10` actually create a preferred static and a floating static. The outcome is the same either way: only the route with the lower value is installed, and the other one takes over if it disappears.

Exam trap

A frequent exam trap is believing that the first static route configured to a destination is always preferred, which is incorrect because Cisco routers prioritize routes based on administrative distance and metric, not configuration order. Another common mistake is assuming static routes require tracking to be installed; tracking is optional and used only for failover scenarios. Additionally, some candidates incorrectly think all static routes load balance by default, but load balancing only happens when routes have equal AD and equal metrics.

Misunderstanding these details can lead to incorrect answers about route selection behavior.

Why the other options are wrong

A

Option A is incorrect because the order of static route configuration does not influence which next hop is used. Cisco routers prioritize routes based on administrative distance and metric, not the sequence of configuration.

C

Option C is incorrect because static routes only load balance when they have equal administrative distance and equal metrics. Since the metrics differ here, only the route with the lower metric is used.

D

Option D is incorrect because static routes do not require tracking to be installed in the routing table. Tracking is optional and used to monitor route availability for failover purposes.
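The route-selection order that questions 559, 566 and 568 test (longest prefix first, then lowest administrative distance, then lowest metric, with remaining ties installed together) is small enough to model directly. This is an added example, not part of the original question bank: the routing tables are constructed from the three questions, the next-hop addresses are assumed, and the 568 entries are modelled with the trailing value as an AD, which is what IOS actually does with it. The same AD comparison is what makes a floating static route work, so the example also shows the backup taking over when the preferred route is withdrawn.

```python
"""Model of how a router picks routing-table entries for a destination.

Added example, not from the question bank. Selection order: longest matching
prefix, then lowest administrative distance, then lowest metric; routes still
tied after that are all installed (equal-cost load sharing). All tables and
next hops below are constructed.
"""
import ipaddress

DEFAULT_AD = {"connected": 0, "static": 1, "eigrp": 90, "ospf": 110, "rip": 120}


class Route:
    def __init__(self, prefix, next_hop, source="static", ad=None, metric=0):
        self.net = ipaddress.ip_network(prefix, strict=False)
        self.next_hop = next_hop
        self.source = source
        self.ad = DEFAULT_AD[source] if ad is None else ad
        self.metric = metric

    def __repr__(self):
        return f"{self.net} via {self.next_hop} [{self.ad}/{self.metric}]"


def candidate_routes(table, dest):
    """Every entry whose prefix contains dest (a default route always does)."""
    d = ipaddress.ip_address(dest)
    return [r for r in table if d in r.net]


def best_routes(table, dest):
    """Next hops the router would use for dest; [] means no route at all."""
    cands = candidate_routes(table, dest)
    if not cands:
        return []
    longest = max(r.net.prefixlen for r in cands)          # step 1: most specific
    cands = [r for r in cands if r.net.prefixlen == longest]
    best_ad = min(r.ad for r in cands)                      # step 2: lowest AD
    cands = [r for r in cands if r.ad == best_ad]
    best_metric = min(r.metric for r in cands)              # step 3: lowest metric
    return [r.next_hop for r in cands if r.metric == best_metric]


# Questions 559 and 566: overlapping prefixes plus a default route.
TABLE_LPM = [
    Route("0.0.0.0/0", "203.0.113.1"),
    Route("192.168.0.0/16", "10.0.0.2"),
    Route("192.168.100.0/24", "10.0.0.6"),
    Route("10.1.0.0/16", "10.0.0.2"),
    Route("10.1.10.0/24", "10.0.0.6"),
]

# Question 568: two statics to one prefix. On IOS the trailing number of
# 'ip route' is the AD, so "10" and "5" make the first entry a floating static.
TABLE_AD = [
    Route("192.168.1.0/24", "10.1.1.1", ad=10),
    Route("192.168.1.0/24", "10.1.1.2", ad=5),
]

# Question 557's point: a static route with a raised AD (130) loses to OSPF (110).
TABLE_CUSTOM_AD = [
    Route("10.5.0.0/16", "10.0.0.2", source="static", ad=130),
    Route("10.5.0.0/16", "10.0.0.6", source="ospf", metric=20),
]


def floating_static_demo():
    """(next hops while both statics exist, next hops after the AD-5 one is gone)."""
    before = best_routes(TABLE_AD, "192.168.1.50")
    remaining = [r for r in TABLE_AD if r.next_hop != "10.1.1.2"]
    return before, best_routes(remaining, "192.168.1.50")


def ecmp_demo():
    """Identical prefix, AD and metric: both next hops are installed."""
    table = [Route("10.9.0.0/16", "10.0.0.2"), Route("10.9.0.0/16", "10.0.0.6")]
    return best_routes(table, "10.9.1.1")


if __name__ == "__main__":
    print(best_routes(TABLE_LPM, "192.168.100.77"))  # /24 beats /16 and default
    print(best_routes(TABLE_LPM, "10.1.10.44"))      # /24 beats /16 and default
    print(best_routes(TABLE_LPM, "10.1.200.1"))      # /16 beats default
    print(best_routes(TABLE_LPM, "172.16.0.1"))      # only the default matches
    print(floating_static_demo())
    print(best_routes(TABLE_CUSTOM_AD, "10.5.1.1"))  # OSPF wins over AD-130 static
    print(ecmp_demo())
```

Note the order of the three steps: prefix length is compared before administrative distance, which is why a /24 static with AD 1 and a /16 OSPF route are never in competition for an address inside the /24, and why the default route is only reached when nothing longer matches.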

569
Matchingeasy

Match each common network device or concept to its primary role.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Forwards traffic between networks

Forwards local traffic inside a LAN

Applies permit/deny policy to traffic

Provides wireless connectivity

Why these pairings

Router routes between networks; switch forwards within LAN; hub repeats signals; firewall filters traffic; AP provides Wi-Fi; modem converts digital to analog for WAN.

Exam trap

Be careful not to confuse the functions of routers and switches, as both forward traffic but at different layers. Also, remember that a home 'router' often includes a switch, AP, and modem, but the primary role of a router is routing between networks.

570
MCQhard

An engineer lowers the spanning-tree path cost on one uplink of a nonroot switch. What is the expected result if all else stays equal?

A.The switch becomes the root bridge immediately.
B.That uplink becomes more likely to be the root port.
C.All designated ports on downstream switches immediately recalculate their port roles.
D.The switch will stop transmitting BPDUs on that port until convergence is complete.
AnswerB

Correct. Lower root-path cost is preferred.

Why this answer

Lowering the path cost on a nonroot switch's uplink lowers the root path cost that switch computes through that link, which makes the link more likely to be chosen as the root port (the root port is simply the port with the lowest cost to the root bridge). Option A is wrong because root bridge election depends on bridge ID (priority plus MAC address), not on path cost. Option C overstates the effect: the switch advertises its new, lower root path cost in the BPDUs it sends downstream, which may change a downstream switch's own root-port choice, but there is no immediate wholesale recalculation of every designated port.

Option D is incorrect because BPDU transmission is governed by STP timers and port roles, not by adjusting path cost.

Exam trap

Remember, path cost adjustments influence root port selection, not root bridge election or port blocking.

Why the other options are wrong

A

Reducing path cost on a nonroot switch does not affect the root bridge election, which is determined by lowest bridge ID.

C

Changing the cost on one uplink of a nonroot switch does not force every designated port on downstream switches to recompute its role. The new cost is only carried in the BPDUs that switch sends, and only a downstream switch whose root-path comparison actually changes as a result will react.

D

Path cost adjustment does not stop BPDUs; BPDUs continue to be sent from all ports in the spanning tree.

571
PBQhard

You are connected to R1 via the console. R1 is a Cisco ISR 4321 router running IOS-XE. The network team has recently changed the routing protocol from EIGRP to OSPF, but some routes are missing from the routing table. You need to analyze the OSPF neighbor states and LSDB to identify the issue.

Network Topology
R1 G0/0 10.0.1.1/30 <-> R2 G0/0 10.0.1.2/30; G0/1 192.168.1.1/24 <-> SW1

Hints

  • Check if OSPF neighbors are in FULL state.
  • Look for mismatched OSPF network types or hello intervals.
  • Verify that both routers are in area 0.
A.Use 'show ip ospf neighbor' to check neighbor state; if not FULL, examine 'show ip ospf interface' for mismatched hello/dead intervals or network type.
B.Use 'show ip route ospf' to verify OSPF routes; if missing, re-enter the OSPF process and redistribute connected routes.
C.Use 'debug ip ospf events' to monitor OSPF packets; if no packets are seen, reconfigure OSPF router ID and clear the OSPF process.
D.Use 'show ip protocols' to verify OSPF process configuration; if incorrect, delete and recreate the OSPF process with the correct network statements.
AnswerA
solution
! R1
show ip ospf neighbor
show ip ospf interface gigabitethernet0/0
show ip route ospf

! R2
show ip ospf neighbor
show ip ospf interface

Why this answer

OSPF requires consistent hello/dead intervals and network types to form adjacency. If the neighbor is not in FULL state, routes will not be exchanged. Checking 'show ip ospf neighbor' reveals the state; mismatched parameters can be corrected by adjusting interface configuration.

Exam trap

The exam trap is that candidates may jump to reconfiguring the OSPF process or redistribution when routes are missing, but the root cause is often a simple mismatch in OSPF interface parameters. Always check neighbor states first.

Why the other options are wrong

B

The specific factual error is that 'show ip route ospf' shows only existing OSPF routes, not neighbor states. Redistribution is not needed for directly connected interfaces in the same OSPF area.

C

The specific factual error is that debugging is not the initial diagnostic step; it should be used after verifying neighbor states and interface parameters. Changing the router ID is unnecessary unless there is a duplicate router ID issue.

D

The specific factual error is that 'show ip protocols' does not display per-interface OSPF parameters. The problem is likely at the interface level, not the process level.

572
PBQhard

You are connected to R1 via console. The network has a primary link to the ISP via R2 and a backup link via R3. Configure IPv4 and IPv6 floating static default routes on R1 so that the primary path goes through R2 (AD 1) and the backup through R3 (AD 10). Additionally, configure a static route on R1 for the internal LAN 192.168.10.0/24 via R2 (AD 1). The current configuration includes a static default route ip route 0.0.0.0 0.0.0.0 10.0.0.3, which causes a recursive routing failure because 10.0.0.3 is not a valid next-hop address. Identify and fix the issue, then apply the floating static routes.

Network Topology
link1: R1 G0/0 10.0.0.1/30 <-> R2 G0/0 10.0.0.2/30; link2: R1 G0/1 <-> R3 G0/0 10.0.0.6/30

Hints

  • The IPv4 default route to 10.0.0.2 is missing from the routing table. Check if the next-hop is reachable via a directly connected interface.
  • Remove the existing problematic static default route and reconfigure it with an explicit administrative distance of 1.
  • For IPv6, use the ipv6 route command with the prefix ::/0 and specify the next-hop and administrative distance.
A.Remove the existing incorrect IPv4 static default route and reconfigure the primary IPv4 default route with the correct next-hop address (10.0.0.2) and AD 1. Add the backup IPv4 default route via 10.0.0.6 with AD 10. Then add IPv6 static default routes: ipv6 route ::/0 2001:DB8:1:1::2 1 and ipv6 route ::/0 2001:DB8:2:1::2 10. Also add the static route for 192.168.10.0/24 via 10.0.0.2 with AD 1.
B.Add a static route to 10.0.0.0/30 via the backup link to R3, then the default route to 10.0.0.2 will work. Then configure IPv6 default routes with AD 1 and 10 as described.
C.Change the administrative distance of the IPv4 default route to 10 and the backup to 1, so the backup becomes primary. Then configure IPv6 default routes with AD 10 and 1 respectively.
D.Remove the existing IPv4 static default route and configure it with the next-hop as the exit interface (e.g., GigabitEthernet0/0) instead of the IP address. Then add IPv6 default routes using the exit interface as well.
AnswerA
solution
! R1
no ip route 0.0.0.0 0.0.0.0 10.0.0.3
ip route 0.0.0.0 0.0.0.0 10.0.0.2 1
ip route 0.0.0.0 0.0.0.0 10.0.0.6 10
ip route 192.168.10.0 255.255.255.0 10.0.0.2 1
ipv6 route ::/0 2001:DB8:1:1::2 1
ipv6 route ::/0 2001:DB8:2:1::2 10

Why this answer

The IPv4 default route currently points at 10.0.0.3, which on the 10.0.0.0/30 link to R2 is the broadcast address rather than R2's interface address (10.0.0.2), so no packet can ever be handed to that next hop. Option A fixes this by removing the incorrect route and adding the primary (10.0.0.2, AD 1) and backup (10.0.0.6, AD 10) default routes; the backup is a floating static because only the route with the lower AD is installed, and the AD-10 route appears in the table only while the AD-1 route is gone. It also adds both IPv6 floating default routes and the LAN static route.

Option B is wrong because adding a route to 10.0.0.0/30 via R3 does nothing about the default route's invalid next hop. Option C reverses the administrative distances, making R3 the primary path. Option D replaces the next-hop IP with an exit interface; on an Ethernet (multi-access) link that makes the router treat every destination as directly connected and ARP for each one, relying on proxy ARP on R2, which is fragile, and option D also says nothing about the AD values that make R2 primary and R3 backup.

Exam trap

Be careful: Recursive routing failure means the next-hop is not reachable. Check if the next-hop is directly connected and the interface is up. Do not confuse administrative distance with metric; lower AD is preferred.

Also, ensure IPv6 routes use the correct next-hop addresses and AD values.

Why the other options are wrong

B

Adding a static route to the backup link does not correct the invalid next-hop 10.0.0.3 used in the default route and fails to address the root cause of the recursive lookup failure.

C

Swapping the administrative distances makes the backup path preferred instead of the primary, violating the requirement that R2 be the primary with AD 1.

D

Pointing a default route at an Ethernet exit interface instead of a next-hop IP makes the router ARP for every remote destination and depend on proxy ARP on R2, which is unreliable on multi-access links; option D also omits the administrative distances that make the R3 route a backup rather than an equal-cost peer.

573
Drag & Dropmedium

Drag and drop the following steps into the correct order to configure a router-on-a-stick topology for inter-VLAN routing between VLANs 10 and 20, using 802.1Q trunking with native VLAN 99 for management traffic.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5
6Step 6

Why this order

The sequence follows Cisco's best practices: VLANs are created first, then access ports are assigned to them. The switch trunk is configured with 802.1Q encapsulation and the native VLAN set to 99 before the router end. On the router, the physical interface must be enabled before subinterfaces can operate.

The native VLAN subinterface is created first to handle untagged frames, then the data VLAN subinterfaces are configured. This order avoids errors such as missing VLANs, incorrect encapsulation, and physical link down state.

574
MCQhard

A switch is configured with DHCP snooping and Dynamic ARP Inspection. Hosts suddenly lose connectivity after changing IP settings manually. Which explanation is strongest?

A.DAI is rejecting ARP traffic because the manual IP change does not match trusted snooping bindings.
B.STP is blocking the host because its MAC address changed.
C.OSPF authentication failed on the access port.
D.The switch requires PPP authentication before allowing ARP traffic.
AnswerA

This is correct because DAI validates ARP against trusted information, often sourced from DHCP snooping.

Why this answer

The correct answer is A because DAI uses DHCP snooping binding to validate ARP messages; a manual IP change creates a mismatch, causing DAI to block ARP. Option B is incorrect because STP prevents loops and does not block based on MAC address changes. Option C is incorrect because OSPF authentication is a routing protocol feature irrelevant on an access port.

Option D is incorrect because PPP authentication applies to serial links, not Ethernet ARP.

Exam trap

Be cautious not to confuse DHCP snooping's role with DHCP server functionality or ARP cache operations.

Why the other options are wrong

B

STP (Spanning Tree Protocol) prevents loops in redundant topologies and does not block hosts based on IP or MAC address changes. It operates at Layer 2 and is unrelated to IP address configuration.

C

OSPF is a Layer 3 routing protocol used between routers, not on access ports connecting hosts. OSPF authentication is configured on router interfaces and does not apply to host ARP traffic on a switch.

D

PPP (Point-to-Point Protocol) authentication is used on serial links or PPPoE connections, not on Ethernet switch ports. It is unrelated to ARP inspection or DHCP snooping in a switched network.

575
Drag & Drop (medium)

Drag and drop the following steps into the correct order to configure PAT (overload) on a Cisco router using a single public IP address on the outside interface.


Why this order

The correct sequence is: first enter global configuration mode, then define the access list that matches inside traffic. Next, mark the inside and outside interfaces with `ip nat inside` and `ip nat outside` respectively. Finally, enable PAT with overload using `ip nat inside source list <acl> interface <outside-if> overload`.

This order ensures the router knows which interfaces are internal and external, which traffic to translate, and how to perform the translation.

Exam trap

Learners often forget to assign the 'ip nat inside' and 'ip nat outside' interface commands, or they configure them in the wrong order relative to the source NAT statement.

576
PBQ (hard)

You are connected to R1. Configure OSPFv3 for IPv6 on R1 and R2 so that they can exchange IPv6 routes. R1's GigabitEthernet0/0 is connected to R2's GigabitEthernet0/0. R1 has a loopback0 with IPv6 address 2001:db8:1::1/32, and R2 has a loopback0 with IPv6 address 2001:db8:2::2/32. Ensure OSPFv3 is enabled on both routers, the link interfaces are in area 0, and R1 learns the loopback route from R2.

Network Topology
R1 G0/0 (2001:db8:abcd::1/64) connected by a single link to R2 G0/0 (2001:db8:abcd::2/64)

Hints

  • OSPFv3 must be enabled on each interface that should participate in the routing process.
  • Use the 'ipv6 ospf <process-id> area <area-id>' command under the interface configuration.
  • Verify with 'show ospfv3 neighbor' and 'show ipv6 route ospf'.
A. Configure 'ipv6 ospf 1 area 0' under GigabitEthernet0/0 and Loopback0 on both routers.
B. Configure 'ipv6 router ospf 1' and then 'network 2001:db8:2::2/32 area 0' under the OSPFv3 process.
C. Configure 'ipv6 unicast-routing' and 'ipv6 ospf 1 area 0' under the global configuration.
D. Configure 'router ospf 1' and then 'ipv6 unicast-routing' under the OSPFv3 process.
Answer: A
Solution
! R1
interface GigabitEthernet0/0
ipv6 ospf 1 area 0
exit
interface Loopback0
ipv6 ospf 1 area 0

Why this answer

The provided configuration enables OSPFv3 on the interfaces, which is necessary, but it does not set a router-id. OSPFv3 requires a router-id to form adjacencies. Without any IPv4 addresses configured, the router-id defaults to 0.0.0.0, preventing neighbor formation and route exchange.

Therefore, a valid solution must also include a router-id command under the OSPFv3 process (e.g., 'ipv6 router ospf 1' followed by 'router-id X.X.X.X').

Exam trap

Learners often forget that OSPFv3 requires a manually configured router-id when no IPv4 addresses are present on the router.

Why the other options are wrong

B

The specific factual error is that OSPFv3 uses interface-level commands ('ipv6 ospf area') rather than the network statement used in OSPFv2.

C

The specific factual error is that OSPFv3 interface configuration is required on each interface, not just globally.

D

The specific factual error is that 'router ospf' is for IPv4 OSPF; OSPFv3 requires 'ipv6 router ospf'.

577
MCQ (hard)

Two switches should form an EtherChannel using LACP. One side is configured active and the other passive. If the port settings otherwise match, what is the expected result?

A. The EtherChannel should form if the other interface settings are compatible.
B. The EtherChannel fails because both sides must be active.
C. The bundle forms but only in PAgP mode.
D. Only the active side attempts to bundle.
Answer: A

This is correct because active/passive is a valid LACP negotiation pairing.

Why this answer

The EtherChannel should form successfully. In plain language, active mode initiates LACP negotiation and passive mode listens and responds. Because one side is active, the negotiation can begin and the bundle can come up as long as the underlying interface settings are compatible.

This is a standard LACP pairing. The important lesson is that active/passive works, while passive/passive usually does not. The correct answer is the one that recognizes active/passive as a valid combination.

Exam trap

Remember that active/passive works for LACP, but passive/passive does not initiate negotiation.

Why the other options are wrong

C

LACP and PAgP are incompatible, so the bundle cannot form in PAgP mode when one side uses LACP.

D

The passive side will respond to LACP negotiations, so both sides participate and the bundle forms.

578
PBQ (medium)

You are connected to SW1 via the console. SW1 is a Layer 2 switch with two VLANs: VLAN 10 (Sales) and VLAN 20 (Engineering). Port G0/1 is connected to a sales PC, and port G0/2 is connected to an engineering PC. You need to ensure that each PC is in the correct VLAN. However, the sales PC is currently unable to ping the engineering PC because they are in different VLANs. You have a router R1 connected to SW1 via port G0/3. Configure inter-VLAN routing using Router-on-a-Stick on R1, and ensure SW1's port G0/3 is properly configured as a trunk.

Network Topology
PC1 (VLAN 10) on SW1 G0/1; PC2 (VLAN 20) on SW1 G0/2; SW1 G0/3 connected to R1 G0/0

Hints

  • Router-on-a-Stick uses subinterfaces on the router with 802.1Q encapsulation.
  • The switch port connected to the router must be configured as a trunk to carry multiple VLANs.
  • Each subinterface must have an IP address in the respective VLAN's subnet.
A. Configure subinterfaces on R1 with encapsulation dot1Q and assign IP addresses in VLAN 10 and VLAN 20. Configure SW1 interface G0/3 as a trunk port.
B. Configure a routed port on SW1 G0/3 and assign an IP address. Then configure static routes on R1 to reach each VLAN.
C. Configure SW1 interface G0/3 as an access port in VLAN 10. Then configure R1 with a single IP address in VLAN 10 and enable proxy ARP.
D. Configure SW1 interface G0/3 as a trunk port. Then configure R1 with a single IP address on the physical interface and enable VLAN routing using the 'vlan' command.
Answer: A
Solution
! R1
interface GigabitEthernet0/0.10
encapsulation dot1Q 10
ip address 192.168.10.1 255.255.255.0
interface GigabitEthernet0/0.20
encapsulation dot1Q 20
ip address 192.168.20.1 255.255.255.0
interface GigabitEthernet0/0
no shutdown

! SW1
interface GigabitEthernet0/3
switchport mode trunk

Why this answer

Router-on-a-Stick allows a single router interface to route between VLANs by using subinterfaces with 802.1Q encapsulation. The switch port must be a trunk to carry the tagged frames. This configuration enables communication between VLAN 10 and VLAN 20.

Exam trap

The key trap is that candidates often forget to configure the switch port as a trunk, or they try to use a routed port on a Layer 2 switch. Also, some may think that a single IP address on the router's physical interface is sufficient, but subinterfaces are mandatory for Router-on-a-Stick.

Why the other options are wrong

B

Layer 2 switches do not support routed ports; they only support switchport mode access or trunk.

C

An access port cannot carry multiple VLANs; a trunk is required for Router-on-a-Stick.

D

Router-on-a-Stick requires subinterfaces; a single IP address on the physical interface only handles one VLAN. The 'vlan' command is not used on routers for inter-VLAN routing.

579
MCQ (hard)

An engineer is troubleshooting an OSPF adjacency between two directly connected routers, R1 and R2. R1 is configured with a passive-interface default under the OSPF process, and the interface connecting to R2 is not explicitly set to no passive-interface. The engineer runs a show ip ospf neighbor command on R1 and sees no neighbors. What is the most likely reason for the missing adjacency?

A. The network statement does not match the interface IP address.
B. The passive-interface default command is preventing OSPF hellos on the interface.
C. The router-id is not configured, so OSPF cannot form an adjacency.
D. There is an OSPF authentication mismatch between R1 and R2.
Answer: B

The passive-interface default makes all interfaces passive, and without a no passive-interface command for the specific interface, OSPF hellos are not sent, preventing neighbor discovery.

Why this answer

The `passive-interface default` command under the OSPF process makes all interfaces passive by default, meaning OSPF Hellos are not sent unless explicitly overridden with `no passive-interface`. Since the interface to R2 was not configured with `no passive-interface`, R1 does not send Hellos, preventing adjacency. Option A is less likely because even if the network statement is correct, a passive interface still blocks Hellos.

Option C is incorrect because OSPF automatically selects a router-id if not configured (highest loopback or interface IP), and a missing router-id does not prevent Hellos. Option D is unsupported by the scenario; no authentication mismatch is indicated.

Exam trap

Cisco often tests the nuance that `passive-interface default` suppresses Hellos on all interfaces unless overridden, leading candidates to overlook the fact that even directly connected routers cannot form an adjacency without Hellos being sent.

Why the other options are wrong

A

The network statement 10.0.0.0 0.255.255.255 area 0 matches any IP in the 10.0.0.0/8 range, which likely includes the interface IP. Therefore, the network statement is not the issue.

C

A router-id is automatically selected from the highest loopback or physical interface IP if not manually configured. Lack of manual configuration does not prevent adjacency formation; OSPF will still function.

D

The running-config does not show any authentication configuration, and the symptom (no neighbors) is consistent with passive interfaces, not authentication mismatches. An authentication mismatch would typically show neighbors in EXSTART/EXCHANGE state, not missing entirely.

580
MCQ (hard)

A branch router uses PAT for Internet access. Users can browse out, but the administrator wants a specific internal web server to be reachable from outside on a consistent public address. Which design fits that requirement best?

A. Use static NAT for the server and PAT for general user outbound traffic.
B. Use only PAT for everything, including predictable outside server reachability.
C. Disable NAT entirely because private IPv4 addresses are Internet-routable.
D. Use DHCP relay to publish the server externally.
Answer: A

This is correct because static NAT gives the server a fixed public identity while PAT supports many internal users.

Why this answer

The best design is to use static NAT for the internal web server while continuing to use PAT for general user outbound access. In plain language, PAT is ideal for many inside users sharing one public address for ordinary outbound traffic, but a server that must be reachable predictably from the outside needs a fixed public identity. Static NAT provides that one-to-one mapping.

This is a practical mixed-design scenario. The network can use PAT for user convenience and address conservation while still reserving a stable translation for a server that external clients need to find reliably. The correct answer recognizes that different NAT methods can serve different purposes in the same environment.

Exam trap

A common exam trap is selecting PAT alone to provide external access to an internal server. While PAT efficiently supports many users sharing one public IP for outbound traffic, it does not assign a fixed public IP to any internal host. This means the server’s public identity changes dynamically, preventing reliable inbound connections.

Candidates often confuse PAT’s port translation with static IP mapping, overlooking that servers need static NAT for consistent external reachability. Misunderstanding this distinction leads to incorrect answers and design flaws in real networks.

Why the other options are wrong

B

Incorrect because PAT alone cannot provide a stable public IP for inbound connections to a server, making it unsuitable for predictable external access to internal services.

C

Incorrect because private IPv4 addresses are not routable on the Internet, so disabling NAT would prevent internal hosts from accessing external networks and external clients from reaching internal servers.

D

Incorrect because DHCP relay is used to forward DHCP requests across networks and does not influence NAT or the public accessibility of internal servers.

581
Drag & Drop (medium)

Drag and drop the following steps into the correct order to configure HSRP version 2 on an interface and ensure the router becomes the active router, then verify the HSRP state.


Why this order

HSRP version must be set before group configuration, then the virtual IP is assigned, followed by priority and preempt to control active router election.

Exam trap

The exam trap is that candidates often misorder the steps, especially placing version after group creation or preempt before priority. Remember: version first, then group, then priority, then preempt.

582
MCQ (hard)

A host sends an IPv4 packet larger than the outgoing interface MTU, and the DF bit is not set. What will a router normally do?

A. Drop the packet without notification
B. Fragment the packet before forwarding
C. Convert the packet into UDP
D. Forward it unchanged and let the switch fragment it
Answer: B

Correct. The router fragments the packet when DF is not set.

Why this answer

If fragmentation is allowed, an IPv4 router can fragment a packet to fit the outgoing interface MTU. If DF were set, the router would instead drop the packet and typically send an ICMP message back to the source.

Exam trap

Be careful not to confuse the behavior when the DF bit is set with when it is not set. Remember, fragmentation is allowed when DF is not set.

Why the other options are wrong

A

A router does not drop the packet without notification when the DF bit is not set; instead, it fragments the packet. Dropping without notification only occurs when the DF bit is set and the packet exceeds the MTU, in which case the router sends an ICMP Fragmentation Needed message.

C

Routers operate at Layer 3 (IP) and do not modify the transport layer protocol (e.g., UDP or TCP) to handle MTU issues. Converting a packet to UDP would change the protocol and is not a function of IP fragmentation or any standard routing behavior.

D

Switches operate at Layer 2 and do not perform IP fragmentation. Fragmentation is a Layer 3 function handled by routers or the source host. The router must fragment the packet before forwarding it to the switch.

583
Multi-Select (hard)

Exhibit: A company wants to export traffic statistics from routers to a collector for visibility into top talkers and application usage. Which two statements are accurate?

Select 2 answers
A. NetFlow can export flow data to a collector
B. NetFlow helps identify traffic patterns and top talkers
C. Syslog and NetFlow are the same feature with different names
D. NetFlow replaces routing protocols for path selection
E. NetFlow only works on Layer 2 switches and never on routers
Answer: A, B

That is exactly what it is for.

Why this answer

NetFlow exports flow records to a collector and is useful for traffic analysis and accounting visibility, enabling identification of top talkers and application usage (options A and B are correct). Syslog reports events and messages, but does not replace flow records for conversation-level traffic statistics, so option C is incorrect. NetFlow does not replace routing protocols for path selection; it is a traffic monitoring tool, not a routing mechanism, so option D is incorrect.

NetFlow works on routers and Layer 3 switches, not only Layer 2 switches, so option E is incorrect.

Exam trap

Be cautious not to confuse general network monitoring tools like Syslog and SNMP with specialized traffic analysis tools like NetFlow.

Why the other options are wrong

D

NetFlow does not replace routing protocols; it is a monitoring tool that provides traffic statistics, not a path-selection mechanism.

E

NetFlow operates on routers and Layer 3 switches, not just Layer 2 switches, and is commonly used on routers for traffic analysis.

584
Multi-Select (medium)

Which three of the following are true regarding the operation of Rapid Spanning Tree Protocol (RSTP) compared to classic STP (802.1D)? (Choose three.)

Select 3 answers
A. RSTP uses proposal/agreement to achieve faster convergence.
B. RSTP reduces the number of port states from five to three.
C. RSTP introduces the concept of alternate and backup ports.
D. RSTP requires the use of the UplinkFast feature to speed up convergence.
E. RSTP uses timer-based convergence identical to 802.1D.
F. RSTP eliminates the blocking state entirely.

Why this answer

RSTP (802.1w) uses a proposal/agreement handshake process to rapidly transition ports to the forwarding state without relying on timers, achieving convergence in under a second in most switched networks. This is a fundamental improvement over classic STP (802.1D), which depends on slow timer-based convergence. Additionally, RSTP reduces the classic five port states (blocking, listening, learning, forwarding, disabled) to three (discarding, learning, forwarding) and introduces new port roles—alternate and backup—to provide faster failover by maintaining a ready alternative path to the root.

Exam trap

Cisco often tests the misconception that RSTP eliminates the blocking state entirely, when in fact it renames it to discarding and still uses it for alternate and backup ports.

585
Matching (medium)

Drag and drop the port configuration commands/technologies on the left to their corresponding descriptions on the right.

Descriptions to match:

Configures the port as a non-trunking access port

Limits the number of MAC addresses on a desktop access port

Separates VoIP traffic into a dedicated VLAN

Assigns the data VLAN for desktop or AP devices

Immediately transitions an end-device port to forwarding state

Macro that sets portfast, mode access, and port-security for IoT/virtual hosts

Why these pairings

These are common Cisco IOS commands used for port configuration, each with a specific function.

Exam trap

Candidates often confuse commands that set port mode (access/trunk) with commands that assign VLANs or set encapsulation. Remember that 'switchport mode access' is the specific command to make a port an access port; other commands like 'switchport access vlan' or 'switchport trunk encapsulation' serve different purposes and do not change the port mode.

586
PBQ (medium)

You are connected to SW1 via the console. SW1 is a multilayer switch with SVIs for VLANs 10 (192.168.10.1/24) and 20 (192.168.20.1/24). Hosts in VLAN 10 can ping their default gateway (192.168.10.1), but cannot ping hosts in VLAN 20. You suspect IP routing is not enabled or the SVIs are not up.

Hints

  • Check if IP routing is enabled globally.
  • Verify that the SVIs are up/up.
  • Use ping with source to test connectivity between VLANs.
A. Enable IP routing on SW1 with the 'ip routing' global configuration command.
B. Configure a trunk port between SW1 and an external router, then enable routing on the router.
C. Ensure the SVIs are not shut down and have the 'no shutdown' command applied.
D. Add a static route on SW1 pointing to the VLAN 20 subnet via the VLAN 10 SVI.
Answer: A
Solution
! SW1
ip routing

Why this answer

A multilayer switch requires 'ip routing' to forward packets between VLANs. Without it, the switch acts as a Layer 2 device. Enabling IP routing allows the SVIs to route traffic between VLANs.

The verification commands confirm routing is active and SVIs are operational.

Exam trap

The trap is that candidates may focus on interface status or static routes, overlooking the fundamental requirement of 'ip routing' on a multilayer switch. Remember that SVIs can be up and pingable, but without IP routing enabled, the switch cannot forward packets between VLANs.

Why the other options are wrong

B

The specific factual error is that the question states SW1 is a multilayer switch with SVIs, so it can route internally without an external router. The issue is that IP routing is not enabled on the switch itself.

C

The specific factual error is that the SVIs are already up (hosts can ping the gateway), so 'no shutdown' is not the missing step. The problem is at Layer 3 routing, not Layer 2/3 interface status.

D

The specific factual error is that directly connected networks do not require static routes; the switch automatically installs them when the SVI is up. The problem is that 'ip routing' is not enabled, so the switch does not use these routes for forwarding.

587
MCQ (hard)

A host is configured with IP address 192.168.70.18/30. Which addresses belong to the same subnet block?

A. 192.168.70.16 through 192.168.70.19
B. 192.168.70.18 through 192.168.70.21
C. 192.168.70.12 through 192.168.70.15
D. 192.168.70.20 through 192.168.70.23
Answer: A

This is correct because .18 belongs to the /30 block that runs from .16 to .19.

Why this answer

A /30 subnet has a block size of 4. In practical terms, the relevant blocks in the last octet are 0–3, 4–7, 8–11, 12–15, 16–19, and so on. Because 18 falls inside the 16–19 block, the subnet includes network address .16, usable hosts .17 and .18, and broadcast .19.

This question checks whether you can identify the correct /30 block and understand all addresses that fall inside it.

Exam trap

Be careful not to confuse adjacent subnet blocks or miscalculate the block size of a /30 subnet.

Why the other options are wrong

B

A /30 subnet always has a block size of 4 addresses, starting at multiples of 4. The block starting at .18 would be 192.168.70.16–.19, not .18–.21. The range .18–.21 crosses a subnet boundary and includes addresses from two different subnets.

C

The block 192.168.70.12–.15 is a different /30 subnet (network .12, broadcast .15). The host .18 belongs to the subnet .16–.19, not .12–.15.

D

The block 192.168.70.20–.23 is the next /30 subnet (network .20, broadcast .23). The host .18 is not in this range; it is in the .16–.19 subnet.

588
PBQ (medium)

You are connected to R1 via the console. R1 is an NTP client that should synchronize its clock with NTP server 192.168.1.100. The timezone is UTC-5 (Eastern Standard Time). Configure NTP on R1 so that it becomes an NTP client. Additionally, configure the router to log NTP synchronization status messages to the console and buffer logging using the numeric severity level 6 (informational).

Network Topology
R1 G0/0 (192.168.1.1/24) connected to the LAN; the NTP server is on the LAN

Hints

  • Use ntp server command to point to the NTP server.
  • Logging level 6 corresponds to informational.
  • Buffered and console logging commands are separate.
A. ntp server 192.168.1.100; logging console informational; logging buffered informational
B. ntp peer 192.168.1.100; logging console 6; logging buffered 6
C. ntp server 192.168.1.100; logging console 6; logging buffered 6
D. ntp server 192.168.1.100; logging console informational; logging buffered 6
Answer: C
Solution
! R1
ntp server 192.168.1.100
logging buffered 6
logging console 6

Why this answer

The correct NTP client command is 'ntp server 192.168.1.100', not 'ntp peer'. The logging commands must use the numeric level 6 to match the requirement. 'logging console 6' and 'logging buffered 6' achieve this; keyword 'informational' is technically valid but does not follow the explicit numeric specification. Mixing numeric and keyword is also incorrect under the given requirement.

Exam trap

Candidates often overlook the explicit requirement to use the numeric severity level and may choose options with the keyword 'informational', which are technically valid but do not meet the specified condition.

Why the other options are wrong

A

Uses the keyword 'informational' instead of the required numeric level 6.

B

Uses 'ntp peer' instead of 'ntp server', and uses numeric levels but the primary command is wrong.

D

Mixes numeric and keyword severity levels; must use numeric 6 for both console and buffer.

589
Matching (medium)

Match each HTTP method to the most common API action.

Actions to match:

Retrieve information

Create a new resource

Replace or update a resource representation

Remove a resource

Why these pairings

These are the standard HTTP methods and their typical CRUD actions in RESTful APIs.

Exam trap

Do not confuse the purpose of HTTP methods. GET is always safe and idempotent; it should never modify server state. Remember that POST creates, PUT/PATCH updates, and DELETE removes.

590
MCQ (medium)

An automation script needs to send a bearer token when calling a controller REST API over HTTPS. Where is that token most commonly included?

A. In the HTTP Authorization header
B. In the Ethernet trailer
C. In the DNS response section
D. In the TCP checksum field
Answer: A

That is the standard way bearer tokens are presented.

Why this answer

Bearer tokens are typically sent in the HTTP Authorization header. Query parameters or request bodies may carry credentials in some custom APIs, but the normal REST pattern is an Authorization header such as 'Authorization: Bearer <token>'.

Exam trap

Remember that bearer tokens are part of the request, not the response, and should be in the Authorization header, not in query parameters or the request body.

Why the other options are wrong

B

The Ethernet trailer contains a Frame Check Sequence (FCS) for error detection at Layer 2, not application-layer data like bearer tokens. Tokens are part of the HTTP application layer and are never placed in the Ethernet trailer.

C

DNS responses contain resource records like A, AAAA, or CNAME, which map domain names to IP addresses. They have no role in carrying authentication tokens for REST API calls, as DNS is a separate protocol for name resolution.

D

The TCP checksum field is used for error detection of the TCP segment header and payload at the transport layer. It is computed by the sender and verified by the receiver; it does not carry any application data such as bearer tokens.

591
PBQ (hard)

You are connected to R1, a Cisco IOS-XE router that serves as the DNS resolver for the local network. The router can reach the DNS server at 198.51.100.53, but internal hosts cannot resolve the hostname 'fileserver.courseiva.com' (expected IP 203.0.113.10). Which configuration will resolve the issue?

Network Topology
R1 G0/0 (192.168.1.1/24) connected to the switch

Hints

  • The DNS server returns NXDOMAIN, meaning it has no record for that hostname or IP.
  • Use the 'ip host' command to create a static DNS entry on the router.
  • For reverse lookup, the PTR record must be configured; a single 'ip host' with the IP first automatically creates a PTR entry.
A. Add a static host entry: ip host fileserver.courseiva.com 203.0.113.10
B. Change the DNS server to 203.0.113.53 using the command 'ip name-server 203.0.113.53'
C. Add a static route to 198.51.100.53 via the next-hop interface
D. Configure the router to use the DNS server at 8.8.8.8 using 'ip name-server 8.8.8.8'
Answer: A
Solution
! R1
ip host fileserver.courseiva.com 203.0.113.10
ip host 203.0.113.10 fileserver.courseiva.com

Why this answer

The DNS server is reachable but does not have an A record for fileserver.courseiva.com, so NXDOMAIN is returned. The router can resolve the name locally by adding a static host entry with `ip host`. This bypasses the external DNS and directly maps the hostname to the correct IP.

Changing the DNS server to another unknown IP does not guarantee resolution, and static routes or external public DNS are irrelevant for this internal name.

Exam trap

Candidates often attempt to change the DNS server IP or troubleshoot routing, but the core issue is the absence of a DNS record. The `ip host` command provides a simple, static solution without altering external DNS infrastructure.

Why the other options are wrong

B

The current DNS server is reachable but lacks the record; simply changing the DNS server to an arbitrary IP would not guarantee resolution unless that server is known to hold the correct record, and there is no indication that 203.0.113.53 is a valid DNS server.

C

DNS resolution failure is not due to routing: the router can already reach the DNS server. Adding a static route will not fix missing DNS records.

D

The Google public DNS server likely does not have an entry for the internal hostname fileserver.courseiva.com, so this will not enable resolution.

592
MCQ (hard)

An OSPF router learns a route with metric 20 and another OSPF route to the same destination with metric 30. The prefix length is the same. Which path is preferred?

A. The route with metric 20
B. The route with metric 30
C. Both routes are rejected because the metrics differ
D. The default route is preferred
Answer: A

This is correct because lower metric is preferred within the same routing protocol.

Why this answer

The OSPF path with metric 20 is preferred because, within the same routing protocol and for the same prefix length, the metric is used to compare candidate paths. In practical terms, the router is not comparing source trust here because both routes come from OSPF. It is comparing OSPF’s own internal path-cost values, and the lower metric wins.

This question is about separating administrative distance from metric. Since both routes come from the same protocol, metric is the deciding factor.

Exam trap

A common exam trap is confusing administrative distance with metric when comparing routes from the same protocol. Candidates might incorrectly think that a higher metric route is rejected or that administrative distance plays a role in choosing between two OSPF routes. In reality, OSPF always prefers the route with the lowest metric, and both routes remain valid candidates.

Misunderstanding this can lead to incorrect answers about route selection or route rejection, especially when multiple OSPF routes to the same prefix exist with different metrics.

Why the other options are wrong

B

This option is incorrect because a higher metric indicates a less preferred path in OSPF. The route with metric 30 is less optimal than the one with metric 20 and therefore not preferred.

C

This option is incorrect because OSPF does not reject routes simply because their metrics differ. Differing metrics are normal and help the router choose the best path rather than causing route rejection.

D

This option is incorrect because the router already has specific OSPF routes to the destination. A default route is not preferred when a more specific route with a valid metric exists.

593
MCQ (hard)

A host address is 10.55.8.117/29. Which address is the network address of the subnet?

A. 10.55.8.112
B. 10.55.8.119
C. 10.55.8.120
D. 10.55.8.116
Answer: A

This is correct because .117 belongs to the 112-119 /29 block.

Why this answer

A /29 subnet has a block size of 8. In practical terms, the relevant last-octet blocks are 112-119 for this host. That means the network address is 10.55.8.112. Once you identify the correct block, the first address in the block is the network address.

This is a useful addressing-boundary question because it checks careful block calculation, not memorized guesses.

Exam trap

Be careful not to confuse the network address with the first usable host or the broadcast address.

Why the other options are wrong

B

10.55.8.119 is the broadcast address for the subnet 10.55.8.112/29, not the network address. The broadcast address is the last address in the block (112+8-1=119) and is used to send traffic to all hosts in the subnet.

C

10.55.8.120 is the network address of the next /29 subnet (120-127), not the current one. The current subnet ends at 119, so 120 belongs to a different subnet.

D

10.55.8.116 is a valid host address within the subnet 10.55.8.112/29 (usable range: 113-118). It is not the network address, which must be the first address (112).

594
Multi-Selectmedium

Which three of the following correctly describe the behavior of EtherChannel? (Choose three.)

Select 3 answers
A.It aggregates multiple physical links into a single logical link.
B.It provides load balancing across the member links based on a hash algorithm.
C.It requires that all member ports have the same speed and duplex settings.
D.It requires that member ports be on different switches to form a single channel.
E.It increases the total number of STP instances in the network.
F.It allows multiple VLANs on the same link only if configured as an access port.
AnswersA, B, C

Why this answer

EtherChannel aggregates multiple physical links into a single logical link, increasing bandwidth and providing redundancy. It uses a hash algorithm (based on source/destination MAC, IP, or TCP/UDP ports, depending on the configured load-balancing method) to pin each flow to one member link; it does not split a single flow across links. All member ports must have identical speed, duplex and switchport configuration (same access VLAN or the same trunk settings) and must be on the same switch (or the same switch stack).

The statement that EtherChannel allows multiple VLANs only if configured as an access port is false because EtherChannel links can operate as trunks to carry multiple VLANs.

Exam trap

Cisco often tests the misconception that EtherChannel can be formed across different standalone switches (without stacking) or that it increases STP instances, when in fact it reduces them by treating the bundle as a single logical port.

595
MCQmedium

A REST API query returns this JSON snippet: { "interface": { "name": "GigabitEthernet1", "admin-status": "up", "oper-status": "down" } } What does this indicate?

A.The interface is shut down by configuration.
B.The interface is enabled but the link is not operational.
C.The interface is operating normally.
D.The interface is a loopback.
AnswerB

Correct. Admin up / oper down indicates no working link or similar fault.

Why this answer

The interface is administratively enabled (no shutdown in the configuration), but it has no operational link, for example because no cable is connected, the far end is down, or there is a speed/duplex or transceiver fault.

Exam trap

Be careful not to confuse 'admin-status' with 'oper-status'. They represent different states of the interface.

Why the other options are wrong

A

The admin-status is 'up', which means the interface is not administratively shut down. A shut down interface would show admin-status as 'down'.

C

An interface operating normally would have oper-status 'up'. The oper-status 'down' indicates the interface is not passing traffic, so it is not functioning normally.

D

A loopback interface is a virtual interface that is always up/up (admin up, oper up) unless administratively shut down. The JSON shows oper-status 'down', which is not typical for a loopback.

596
Multi-Selectmedium

Which THREE statements accurately describe the characteristics of NETCONF and RESTCONF for programmatic network configuration?

Select 3 answers
A.NETCONF uses HTTP methods such as GET, POST, PUT, and DELETE to manipulate configuration data.
B.NETCONF uses XML-encoded RPCs over a secure transport such as SSH or TLS.
C.RESTCONF supports both XML and JSON encoding and uses HTTP methods.
D.Both NETCONF and RESTCONF rely on YANG data models to define the structure of configuration and operational data.
E.NETCONF uses a separate commit operation to apply changes, while RESTCONF uses a similar commit mechanism.
AnswersB, C, D

NETCONF encodes operations in XML and sends them as RPCs over a secure connection (SSH or TLS). This is a core characteristic of NETCONF.

Why this answer

NETCONF uses XML-encoded Remote Procedure Calls (RPCs) over a secure transport such as SSH or TLS, making option B correct. RESTCONF supports both XML and JSON encoding and uses standard HTTP methods (GET, POST, PUT, PATCH, DELETE), so option C is correct. Both NETCONF and RESTCONF rely on YANG data models to define the structure of configuration and operational data, confirming option D.

Option A is incorrect because NETCONF does not use HTTP methods; that is a characteristic of RESTCONF. Option E is wrong because RESTCONF does not use a separate commit operation; changes are applied immediately with each HTTP request, unlike NETCONF's candidate config and commit model.

Exam trap

Cisco often tests the misconception that NETCONF uses HTTP methods like RESTCONF, leading candidates to incorrectly select option A as a correct statement about NETCONF.

Why the other options are wrong

A

NETCONF uses XML-encoded RPCs over SSH or TLS, not HTTP methods; HTTP methods are used by RESTCONF.

E

RESTCONF does not have a separate commit operation; changes are applied immediately with each HTTP request, unlike NETCONF's explicit commit step.
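The contrast drawn in this question and the JSON state question before it (NETCONF as XML RPCs over an SSH session, RESTCONF as HTTP methods on a YANG path with JSON or XML encoding, and admin-status versus oper-status in the returned data) is shown below in one script. This is an added example, not code from the original page. The RESTCONF URL, the ietf-interfaces filter, the message-id value and the reply documents are constructed; the JSON shape follows the snippet in the previous question rather than any particular vendor model.

```python
import json
import xml.etree.ElementTree as ET

NC_NS = "urn:ietf:params:xml:ns:netconf:base:1.0"
EOM = "]]>]]>"  # end-of-message delimiter of NETCONF base:1.0 framing over SSH


def netconf_get_interfaces(message_id: int) -> str:
    """Build a NETCONF <get> RPC filtered on ietf-interfaces.

    The returned text is what would be written to the SSH 'netconf' subsystem
    after the <hello> exchange; there is no HTTP method anywhere in it.
    """
    rpc = ET.Element("rpc", {"message-id": str(message_id), "xmlns": NC_NS})
    flt = ET.SubElement(ET.SubElement(rpc, "get"), "filter")
    ET.SubElement(flt, "interfaces",
                  {"xmlns": "urn:ietf:params:xml:ns:yang:ietf-interfaces"})
    return ET.tostring(rpc, encoding="unicode") + EOM


def parse_netconf_reply(raw: str, expected_id: int) -> dict:
    """Strip the framing delimiter, correlate message-id and surface <rpc-error>."""
    reply = ET.fromstring(raw.split(EOM, 1)[0])
    if reply.get("message-id") != str(expected_id):
        raise ValueError("reply does not match the outstanding request")
    err = reply.find(f"{{{NC_NS}}}rpc-error")
    if err is not None:
        return {"ok": False, "error": err.findtext(f"{{{NC_NS}}}error-message")}
    return {"ok": True, "data": reply.find(f"{{{NC_NS}}}data")}


def restconf_get_interfaces(host: str) -> dict:
    """Describe the equivalent RESTCONF request: an HTTP GET on the YANG path
    under /restconf/data, asking for JSON (application/yang-data+xml is also valid).
    Each request is applied on its own; there is no separate commit step."""
    return {
        "method": "GET",
        "url": f"https://{host}/restconf/data/ietf-interfaces:interfaces",
        "headers": {"Accept": "application/yang-data+json"},
    }


def classify(admin: str, oper: str) -> str:
    """Map an admin-status/oper-status pair to the state the exam asks about."""
    if admin == "down":
        return "administratively shut down"
    if oper == "up":
        return "operational"
    return "enabled but link not operational"  # admin up / oper down


def interface_states(restconf_json: str) -> dict:
    """Parse a reply shaped like the question's snippet and classify every interface."""
    intfs = json.loads(restconf_json)["interface"]
    if isinstance(intfs, dict):  # a single object, exactly as in the question
        intfs = [intfs]
    return {i["name"]: classify(i["admin-status"], i["oper-status"]) for i in intfs}


# Constructed replies (not captured from a device).
SAMPLE_NETCONF_REPLY = (
    f'<rpc-reply message-id="101" xmlns="{NC_NS}"><data>'
    '<interfaces xmlns="urn:ietf:params:xml:ns:yang:ietf-interfaces">'
    "<interface><name>GigabitEthernet1</name><enabled>true</enabled></interface>"
    "</interfaces></data></rpc-reply>" + EOM
)
SAMPLE_RESTCONF_JSON = json.dumps({"interface": [
    {"name": "GigabitEthernet1", "admin-status": "up", "oper-status": "down"},
    {"name": "GigabitEthernet2", "admin-status": "down", "oper-status": "down"},
    {"name": "Loopback0", "admin-status": "up", "oper-status": "up"},
]})

if __name__ == "__main__":
    print(netconf_get_interfaces(101))
    print(parse_netconf_reply(SAMPLE_NETCONF_REPLY, 101)["ok"])
    print(restconf_get_interfaces("192.0.2.1"))
    print(interface_states(SAMPLE_RESTCONF_JSON))
```

The message-id check matters in practice: a NETCONF session is a single SSH channel on which replies are correlated to requests only by that attribute, so a script that ignores it can act on the wrong reply.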

597
MCQeasy

What data format is commonly used in REST API responses because it is lightweight and easy for applications to parse?

A.BGP
B.JSON
C.STP
D.ARP
AnswerB

Correct. JSON is commonly used in RESTful APIs.

Why this answer

JSON is widely used in REST APIs for structured data exchange.

Exam trap

XML is still used by some APIs (RESTCONF, for example, accepts both), but JSON is the format most REST APIs return and the one the exam expects; do not pick CSV or a protocol name.

Why the other options are wrong

A

BGP (Border Gateway Protocol) is a path-vector routing protocol used to exchange routing information between autonomous systems, not a data serialization format. It is unrelated to REST API data formatting.

C

STP (Spanning Tree Protocol) is a Layer 2 protocol that prevents loops in Ethernet networks, not a data format for APIs. It operates at the data link layer and has no role in REST API responses.

D

ARP (Address Resolution Protocol) is used to map IPv4 addresses to MAC addresses on a local segment, not a data serialization format. It sits between the data link and network layers and has no role in REST API responses.

598
MCQhard

A network administrator has configured 802.1X port-based authentication on a Cisco IOS-XE switch for a new access port connected to a user workstation. The workstation is failing to gain network access. The switch port is in the 'authorized' state, but the workstation cannot ping the default gateway. The administrator checks the running configuration and the authentication session details. What is the most likely cause of the issue?

A.The RADIUS server has not been configured with the correct shared secret, causing authentication to fail silently.
B.The RADIUS server returned a VLAN ID that placed the port in a VLAN lacking connectivity to the default gateway, such as a VLAN without an SVI or incorrect subnet assignment.
C.The switch port is in 'err-disabled' state due to a port-security violation, preventing any traffic.
D.The workstation's supplicant is not configured with the correct EAP method, causing the authentication to use the guest VLAN instead.
AnswerB

After successful 802.1X authentication, the switch can dynamically assign the port to a VLAN specified in the RADIUS Access-Accept message. If that VLAN exists but is not the correct user VLAN—for example, a dead-end VLAN or a VLAN where the default gateway IP is not configured or reachable—the device will appear authorized but will be unable to reach the gateway, exactly matching the symptoms.

Why this answer

The switch port is in the 'authorized' state, indicating that 802.1X authentication succeeded and the RADIUS server sent an Access-Accept. However, the workstation cannot ping the default gateway, pointing to a connectivity issue after authentication. The most likely cause is that the RADIUS server returned a VLAN assignment (the Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID attributes, which the switch honours only when 'aaa authorization network' is configured) that placed the port in a VLAN that is not the intended one, such as a management VLAN without a gateway, or a VLAN missing a routed SVI, leaving the workstation isolated despite successful authentication.

Exam trap

Cisco often tests the distinction between authentication success (port state 'authorized') and network connectivity success (correct VLAN assignment), tricking candidates into focusing on authentication failures when the real issue is a post-authentication VLAN misconfiguration.

Why the other options are wrong

A

A shared-secret mismatch means the switch cannot validate the Response Authenticator on the server's replies and discards them, so the session would fail (or the server would be marked dead) and the port would never reach the 'authorized' state. The question states the port is authorized, which rules this out.

C

The question states the port is in the 'authorized' state. An err-disabled port is shut down by the switch itself and carries no traffic at all, so it would not report an authorized 802.1X session; 'show interfaces status' would list it as err-disabled instead.

D

An authorized port means the supplicant completed EAP successfully. The guest VLAN is applied only when no supplicant answers the switch's EAP requests at all; an EAP-method mismatch produces an authentication failure (and the auth-fail VLAN, if one is configured), not an authorized session.
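The point of this question is that an Access-Accept can authorize the session and still leave the host stranded, because the VLAN it carries is a separate decision from whether that VLAN has a gateway. The script below decodes the three RFC 2868/3580 tunnel attributes from the attribute area of a RADIUS Access-Accept and then checks the assigned VLAN against a switch inventory. It is an added example, not code from the original page; the attribute bytes, the VLAN numbers and the inventory are constructed, and the inventory is a stand-in for what you would read from 'show vlan brief' and 'show ip interface brief'.

```python
# RADIUS attribute types from RFC 2868 and the values RFC 3580 uses for VLANs.
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13    # Tunnel-Type = VLAN
TUNNEL_MEDIUM_802 = 6    # Tunnel-Medium-Type = IEEE-802


def parse_attributes(payload: bytes) -> list:
    """Split a RADIUS attribute area into (type, value) pairs.

    Each attribute is type(1) length(1, counting the 2-byte header) value.
    Malformed lengths are rejected rather than skipped.
    """
    attrs, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError("bad attribute length")
        attrs.append((atype, payload[i + 2:i + alen]))
        i += alen
    return attrs


def _untag(value: bytes) -> bytes:
    # Tunnel attributes start with a tag byte; a first byte above 0x1F is not a
    # tag but the start of the data (RFC 2868, Tunnel-Private-Group-ID).
    return value[1:] if value and value[0] <= 0x1F else value


def assigned_vlan(payload: bytes):
    """Return the VLAN the Access-Accept asks the switch to apply, or None.

    All three attributes must be present and consistent (VLAN over IEEE-802);
    anything else is ignored and the port keeps its configured access VLAN.
    """
    found = {}
    for atype, value in parse_attributes(payload):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            found[atype] = int.from_bytes(_untag(value), "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            found[atype] = _untag(value).decode("ascii", errors="replace")
    if (found.get(TUNNEL_TYPE) != TUNNEL_TYPE_VLAN
            or found.get(TUNNEL_MEDIUM_TYPE) != TUNNEL_MEDIUM_802):
        return None
    gid = found.get(TUNNEL_PRIVATE_GROUP_ID, "")
    return int(gid) if gid.isdigit() else None


def connectivity_check(payload: bytes, switch_vlans: dict) -> str:
    """Authorization outcome plus post-authentication reachability.

    switch_vlans maps VLAN ID -> gateway address, or None when the VLAN exists
    on the switch but has no SVI/gateway reachable from it.
    """
    vlan = assigned_vlan(payload)
    if vlan is None:
        return "authorized on the port's configured access VLAN"
    if vlan not in switch_vlans:
        return f"VLAN {vlan} does not exist on the switch"
    if switch_vlans[vlan] is None:
        return f"authorized in VLAN {vlan}, but it has no gateway (isolated host)"
    return f"authorized in VLAN {vlan} with gateway {switch_vlans[vlan]}"


def tunnel_attr(atype: int, tag: int, data: bytes) -> bytes:
    """Encode one tagged tunnel attribute (used only to build the sample)."""
    body = bytes([tag]) + data
    return bytes([atype, len(body) + 2]) + body


# Constructed Access-Accept attribute area: VLAN 100 via tag 0 on all three.
SAMPLE_ACCEPT = (
    tunnel_attr(TUNNEL_TYPE, 0, TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
    + tunnel_attr(TUNNEL_MEDIUM_TYPE, 0, TUNNEL_MEDIUM_802.to_bytes(3, "big"))
    + tunnel_attr(TUNNEL_PRIVATE_GROUP_ID, 0, b"100")
)
# Constructed inventory: VLAN 10 has an SVI, VLAN 100 exists but has no gateway.
SWITCH_VLANS = {10: "10.0.10.1", 100: None}

if __name__ == "__main__":
    print(assigned_vlan(SAMPLE_ACCEPT))
    print(connectivity_check(SAMPLE_ACCEPT, SWITCH_VLANS))
```

Running it against the sample reproduces the question's symptom: the session is authorized, the VLAN is 100, and the host has no gateway. The same check with a VLAN that is absent from the switch shows the other common failure, where the switch rejects the assignment outright.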

599
MCQhard

An engineer is allowed to log in to a router but cannot enter configuration mode. Which AAA function most directly explains that outcome?

A.Authorization
B.Authentication
C.Accounting
D.DNS
AnswerA

This is correct because authorization determines what the authenticated user is permitted to do.

Why this answer

Authorization most directly explains the outcome. In practical terms, the user has already passed authentication because login succeeded, but the permissions assigned to that identity do not allow configuration-level actions. This is exactly the sort of role separation authorization is meant to enforce.

This is a good example of why authentication and authorization are not the same thing.

Exam trap

A common exam trap is assuming that authentication alone controls all user permissions after login. Candidates often confuse authentication with authorization, thinking that successful login means full access. However, authentication only verifies identity, while authorization determines what commands or modes the user can access.

This confusion leads to incorrect answers, especially when a user can log in but cannot enter configuration mode. Remember, authorization is the AAA function that restricts user capabilities after authentication succeeds.

Why the other options are wrong

B

Authentication is incorrect because it only verifies the user's identity to allow login; it does not control what commands or modes the user can access after login.

C

Accounting is incorrect because it only records user activity and command usage for auditing purposes and does not influence login permissions or command access.

D

DNS is incorrect because it is related to name resolution and does not control user authentication, authorization, or command permissions on network devices.

600
Multi-Selectmedium

Which TWO statements correctly describe the configuration and verification of OSPFv3 for IPv6?

Select 2 answers
A.OSPFv3 uses link-local IPv6 addresses to form neighbor adjacencies.
B.OSPFv3 uses global unicast IPv6 addresses to form neighbor adjacencies.
C.OSPFv3 is automatically enabled on all IPv6-enabled interfaces when the routing process is configured.
D.The 'show ospfv3 neighbor' command displays neighbor state, neighbor ID, and interface information.
E.The 'show ospfv3 neighbor' command displays the IPv6 address of the neighbor's interface as the neighbor ID.
AnswersA, D

OSPFv3 routers use link-local addresses (FE80::/10) for neighbor discovery and hello packets, ensuring communication remains within the local link.

Why this answer

OSPFv3 for IPv6 uses link-local IPv6 addresses (FE80::/10) as the source of hello packets and to form neighbor adjacencies, not global unicast addresses (so B is incorrect). OSPFv3 is not enabled automatically on IPv6 interfaces; each interface must be enabled explicitly with an interface-level command such as 'ipv6 ospf <process-id> area <area>' (or 'ospfv3 <process-id> ipv6 area <area>' in the newer address-family style), so C is incorrect. The 'show ospfv3 neighbor' command displays the neighbor's Router ID, a 32-bit value written in dotted-decimal form that must be set manually on a router with no IPv4 address, not the IPv6 address of the neighbor's interface (so E is incorrect).

Correct options A and D accurately describe OSPFv3 neighbor formation using link-local addresses and the information shown by the 'show ospfv3 neighbor' command, which includes neighbor state, neighbor ID, and interface.

Exam trap

Cisco often tests the misconception that OSPFv3 behaves like OSPFv2 by using global unicast addresses for neighbor formation, or that creating the OSPFv3 process automatically activates it on all IPv6 interfaces, when in fact it must be enabled explicitly on each interface.

Why the other options are wrong

B

OSPFv3 uses link-local addresses, not global unicast addresses, for neighbor formation.

C

OSPFv3 requires explicit per-interface enablement (for example 'ipv6 ospf <process-id> area <area>'); creating the routing process alone does not activate it on any interface.

E

The neighbor ID shown is the Router ID, not the IPv6 address of the neighbor's interface.
