CCNA 200-301 v2 (200-301) — Questions 601675

1819 questions total · 25pages · All types, answers revealed

Page 8

Page 9 of 25

Page 10
601
MCQhard

In a network running STP, SW2 became the root bridge for VLAN 10. Both SW1 and SW2 have the same bridge priority. Why did SW2 become the root?

A.Because SW2 has the lower bridge ID due to the lower MAC address.
B.Because SW2 has the higher VLAN number configured.
C.Because SW2 has more trunk ports than SW1.
D.Because SW2 has the highest bridge priority.
AnswerA

This is correct because the priorities are equal, so the lower MAC address wins the root election.

Why this answer

SW2 became the root bridge because its bridge ID is lower. In practical terms, spanning tree elects the root bridge by comparing bridge IDs, which are based on priority plus MAC address. The device with the lowest bridge ID wins. In the exhibit, both switches use the same priority, so the tie is broken by the lower MAC address.

This is a classic STP interpretation question. Many learners focus only on priority, but if priorities match, the MAC address becomes decisive.

Exam trap

Remember, in STP, lower values are preferred. If priorities match, the MAC address decides the root bridge.

Why the other options are wrong

B

The VLAN number is not a factor in the STP root bridge election. The election is based solely on bridge ID, which consists of bridge priority and MAC address.

C

The number of trunk ports does not affect the root bridge election. STP uses bridge ID (priority and MAC address) to determine the root bridge, not port count or type.

D

The root bridge is elected based on the lowest bridge ID, not the highest. A higher bridge priority (numerically larger) makes a switch less likely to become root.

602
MCQhard

A router pair is directly connected, but they do not become OSPF neighbors. IP addressing and area assignment are correct. What is the most likely cause?

A.OSPF network type mismatch on the connected interfaces
B.Duplicate default routes on both routers
C.Missing VLAN trunking on the link
D.The OSPF process IDs are required to match
AnswerA

This is correct because one side is using point-to-point and the other is using broadcast, which can prevent a stable adjacency.

Why this answer

OSPF network type mismatch is a frequent reason for adjacency failure when basic IP and area settings are correct. If one side is configured as broadcast and the other as point-to-point, the hello timers, neighbor discovery behavior, and designated router election rules diverge, preventing neighbor formation. Unlike process IDs (which are locally significant), a mismatch in network type directly affects how OSPF hellos are processed.

This is a well-known L2/L3 misconfiguration that must be checked alongside router‑ID and authentication parameters.

Exam trap

A common exam trap is assuming that OSPF process IDs must match on both routers to form neighbors. Many candidates mistakenly believe process IDs are globally significant, but they are only locally important identifiers. Another tempting mistake is blaming IP addressing or area mismatches without checking the OSPF network type.

Since network type controls how OSPF hellos are sent and received, a mismatch between broadcast and point-to-point types can silently block adjacency formation even when IP and area configurations appear correct. This subtlety often leads to confusion during troubleshooting and exam scenarios.

Why the other options are wrong

B

Incorrect because duplicate default routes affect routing decisions but do not impact the OSPF neighbor formation process, which depends on hello packets and network type compatibility.

C

Incorrect since VLAN trunking applies to Layer 2 switch ports, not routed interfaces running OSPF. The problem described involves OSPF adjacency, not VLAN or trunk configuration.

D

Incorrect because OSPF process IDs are locally significant identifiers and do not need to match between routers for neighbor relationships to form. This does not cause adjacency failure.

603
Matchingmedium

Match each wireless concept to its most accurate description.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

The WLAN name shown to clients

Device that provides wireless connectivity

Design in which centralized devices manage APs

Wireless security standard

Why these pairings

SSID is the WLAN name broadcasted to clients, making it synonymous with 'The WLAN name shown to clients.' An access point is the device that bridges wireless clients to the wired network, directly matching 'Device that provides wireless connectivity.' A controller-based WLAN uses a central controller to manage multiple APs, which aligns with 'Design in which centralized devices manage APs.' WPA2 is a security protocol for wireless networks, fitting 'Wireless security standard.' The other concepts (BSSID, beacon frames, etc.) are related but not part of this matching exercise.

Exam trap

Watch out for common confusions: SSID vs BSSID (name vs MAC), the roles of beacon frames (advertisement) vs probe requests (discovery), and the correct order of authentication (before association). Cisco exams often test these distinctions.

604
Drag & Dropmedium

Drag and drop the following steps into the correct order to configure a Cisco IOS-XE router as a DHCP server for a VLAN 10 subnet and enable DHCP relay for a remote client on VLAN 20.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4

Why this order

The correct sequence is to globally exclude IP addresses first, preventing the DHCP server from assigning reserved addresses. Then define the DHCP pool for VLAN 10 with network parameters, enable DHCP relay on the VLAN 20 interface so it forwards requests to the server, and finally verify the service is functioning. Options that place relay before pool or exclusions after pool misorder these essential configuration steps and deviate from recommended practice.

Exam trap

Many learners mistakenly think DHCP relay must be enabled before pool creation or that exclusions are a sub‑mode command inside the pool; in fact, exclusions are configured globally and should be defined before the pool to avoid accidental assignment of excluded IPs.

605
MCQeasy

Which HTTP method is commonly used to retrieve information from a REST API without modifying the resource?

A.POST
B.GET
C.PUT
D.DELETE
AnswerB

Correct. GET retrieves data.

Why this answer

GET is the standard HTTP method for retrieving a resource representation without changing the resource.

Exam trap

Do not confuse retrieval with modification. GET retrieves data without altering the resource, unlike POST, PUT, or DELETE.

Why the other options are wrong

A

POST is used to create a new resource or submit data to be processed, which often results in a change in server state. It is not idempotent and is not designed for retrieval without modification.

C

PUT is used to update or replace an existing resource, which modifies the resource. It is not a safe or idempotent method for retrieval without side effects.

D

DELETE is used to remove a resource, not retrieve it. Using DELETE would modify the resource by deleting it, which contradicts the requirement of not modifying the resource.

606
Drag & Dropmedium

Drag and drop the following IOS-XE CLI commands into the correct order to configure AAA with a RADIUS server and then enable 802.1X port authentication on an interface.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4

Why this order

AAA configuration must precede 802.1X. The order is global AAA setup, then global 802.1X enablement, followed by per-interface authentication configuration.

Exam trap

Do not confuse the order of global AAA enablement and RADIUS server definition. AAA must be enabled first. Also, remember that global 802.1X enablement comes before interface-specific commands.

607
PBQhard

You are connected to SW1 via the console. SW1 is a Layer 2 switch connected to a PC on port G0/1. The network administrator wants to secure the port by allowing only two MAC addresses and enabling sticky MAC learning. Additionally, if a violation occurs, the port should be put into error-disabled state. Configure port security on G0/1 with maximum MAC addresses of 2, sticky learning, and shutdown violation mode.

Network Topology
G0/1SW1PC

Hints

  • Port security must first be enabled with switchport port-security.
  • Sticky MAC dynamically learns and saves MAC addresses to running-config.
A.SW1(config-if)# switchport port-security SW1(config-if)# switchport port-security maximum 2 SW1(config-if)# switchport port-security mac-address sticky SW1(config-if)# switchport port-security violation shutdown
B.SW1(config-if)# switchport port-security SW1(config-if)# switchport port-security maximum 2 SW1(config-if)# switchport port-security mac-address sticky SW1(config-if)# switchport port-security violation restrict
C.SW1(config-if)# switchport port-security SW1(config-if)# switchport port-security maximum 2 SW1(config-if)# switchport port-security mac-address sticky SW1(config-if)# switchport port-security violation protect
D.SW1(config-if)# switchport port-security SW1(config-if)# switchport port-security maximum 2 SW1(config-if)# switchport port-security mac-address 0000.1111.2222 SW1(config-if)# switchport port-security violation shutdown
AnswerA
solution
! SW1
interface GigabitEthernet0/1
switchport port-security
switchport port-security maximum 2
switchport port-security mac-address sticky
switchport port-security violation shutdown

Why this answer

Port security restricts access based on MAC addresses. The first command, `switchport port-security`, enables port security on the interface. With sticky, learned MACs are saved to the running config; `shutdown` violation mode places the port in error-disable state, requiring manual recovery.

Option A includes all required commands in the correct order. Option B uses `restrict`, which drops traffic but does not errdisable. Option C uses `protect`, which drops silently without logging.

Option D manually configures a specific MAC instead of enabling sticky learning, so it does not meet the requirement for sticky.

Exam trap

Do not confuse the three violation modes: shutdown (error-disable), restrict (drop + log), and protect (drop silently). Also, remember that sticky MAC learning is enabled with the 'mac-address sticky' command, not by manually configuring a MAC address.

Why the other options are wrong

B

The violation mode 'restrict' does not place the port in error-disabled state; it only drops traffic from unauthorized MACs and increments a counter.

C

The 'protect' mode drops violating frames but does not disable the port or generate syslog messages; it is the least restrictive violation mode.

D

The command 'switchport port-security mac-address' manually assigns a MAC address, whereas 'switchport port-security mac-address sticky' enables dynamic learning and storage of MAC addresses.

608
PBQhard

You are connected to R1 via console. R1 must reach the remote loopback 2001:db8:1::1/128 on R3 via R2 (2001:db8:0:2::2/64). Currently, IPv6 ping fails. Additionally, configure a floating static default route via R2 (198.51.100.2/30) with an appropriate AD so that it only becomes active if a dynamic default route (with default AD 1) is absent. Identify and fix the recursive routing failure, correct the next-hop, set the correct AD, and ensure the default route is present.

Network Topology
G0/12001:db8:0:2::1/64G0/12001:db8:0:2::2/64G0/12001:db8:0:2::2/64R2R1R3

Hints

  • Check if the next-hop address is directly connected; use show ipv6 route to see if a recursive route exists.
  • The default AD for a static route is 1; for a floating static route to back up a dynamic protocol, use a higher AD (e.g., 254).
  • Use the exit interface in the static route to avoid recursive lookup failure.
A.Change the IPv6 static route to '2001:db8:1::1/128 GigabitEthernet0/1 2001:db8:0:2::2' and set the floating default route's AD to 254.
B.Change the IPv6 static route to '2001:db8:1::1/128 2001:db8:0:2::1' and set the floating default route's AD to 1.
C.Change the IPv6 static route to '2001:db8:1::1/128 GigabitEthernet0/1 2001:db8:0:2::2' and set the floating default route's AD to 1.
D.Change the IPv6 static route to '2001:db8:1::1/128 2001:db8:0:2::2' and set the floating default route's AD to 254.
AnswerA, D
solution
! R1
no ipv6 route 2001:db8:1::1/128 2001:db8:0:2::1
ipv6 route 2001:db8:1::1/128 GigabitEthernet0/1 2001:db8:0:2::2
no ip route 0.0.0.0 0.0.0.0 198.51.100.2 1
ip route 0.0.0.0 0.0.0.0 198.51.100.2 254

Why this answer

The original IPv6 static route uses the next-hop 2001:db8:0:2::1, which is R1's own G0/1 address, causing a routing loop. Correct the route by specifying a directly connected remote next-hop (2001:db8:0:2::2) either with or without the exit interface. Set the floating static default route with an AD higher than the dynamic route's default AD (e.g., 254) so it becomes a backup.

Option A (exit interface + next-hop) and Option D (next-hop only) both achieve this; Options B and C fail due to wrong next-hop or AD.

Exam trap

Be careful: using the router's own IP as a next-hop creates a forwarding loop, not a reachability failure. For a floating static route, the AD must be higher than the active route's AD to act as a backup.

Why the other options are wrong

B

The next-hop is R1's own address (loop) and AD 1 makes the route equally preferred to dynamic routes, defeating the floating purpose.

C

AD 1 makes the route equally preferred, not a floating backup.

609
Multi-Selecteasy

A support engineer is explaining why a host uses ARP before sending a frame on an Ethernet LAN. Which two statements are correct?

Select 2 answers
A.ARP resolves an IPv4 address to a MAC address
B.A host may ARP for its default gateway when sending to a remote network
C.ARP is used to discover the remote router's OSPF router ID
D.ARP replaces DNS for hostname resolution
AnswersA, B

The host needs the destination MAC for local Layer 2 forwarding.

Why this answer

On Ethernet, the sender needs a destination MAC address. For remote destinations, that usually means ARPing for the default gateway's MAC.

Exam trap

A frequent exam trap is selecting options that confuse ARP with DNS or routing protocol functions. For example, some may incorrectly believe ARP resolves hostnames like DNS or discovers OSPF router IDs. These misunderstandings arise because ARP and DNS both involve address resolution, but ARP only maps IPv4 addresses to MAC addresses on the local LAN, while DNS maps hostnames to IP addresses.

Similarly, ARP does not interact with routing protocols like OSPF. Misinterpreting ARP’s role leads to incorrect answers and can cost points on the CCNA exam.

Why the other options are wrong

C

Incorrect because ARP does not discover routing protocol identifiers like OSPF router IDs; these are unrelated to Layer 2 address resolution.

D

Incorrect because ARP does not replace DNS; DNS resolves hostnames to IP addresses, whereas ARP resolves IP addresses to MAC addresses.

610
Multi-Selectmedium

Which three of the following are characteristics of Layer 2 Ethernet switches that improve network performance? (Choose three.)

Select 3 answers
.They create separate collision domains per port.
.They forward frames based on the destination MAC address.
.They reduce the number of broadcast domains.
.They can perform cut-through switching to reduce latency.
.They use IP addresses to make forwarding decisions.
.They automatically block all unknown unicast frames.

Why this answer

Layer 2 Ethernet switches improve network performance by creating separate collision domains per port, eliminating collisions between devices on different ports. They forward frames based on the destination MAC address, enabling efficient hardware-based switching. Cut-through switching reduces latency by starting to forward as soon as the destination MAC address is read.

The other options are incorrect: switches do not reduce broadcast domains (broadcasts are forwarded to all ports in the same VLAN unless a router or VLAN segmentation is used); switches operate at Layer 2 using MAC addresses, not IP addresses; and unknown unicast frames are flooded out all ports except the incoming port, not automatically blocked, to ensure connectivity if the destination is unknown.

Exam trap

Cisco often tests the distinction between collision domains and broadcast domains, where candidates mistakenly think switches reduce broadcast domains, but switches only segment collision domains while broadcast domains are controlled by VLANs or routers.

611
PBQhard

You are connected to R1 (198.51.100.1/24). Using RESTCONF, you need to retrieve the current operational status of GigabitEthernet0/0/0 via the ietf-interfaces YANG model, then update its description to 'WAN-Link-to-R2' using a PATCH request with the Cisco-IOS-XE-native YANG model. The candidate must identify the correct base URI, YANG module path, HTTP headers (Accept: application/yang-data+json), interpret the JSON response, and recognize the error that occurs when an incorrect Content-Type header or wrong YANG path is used.

Network Topology
G0/0/0198.51.100.1/24G0/0/0198.51.100.2/24EthernetR1R2

Hints

  • The ietf-interfaces model provides operational data; configuration changes require Cisco-IOS-XE-native.
  • The Content-Type header must be application/yang-data+json for PATCH requests.
  • URL-encode special characters like '/' in interface names as '%2F'.
A.GET request to /restconf/data/ietf-interfaces:interfaces/interface=GigabitEthernet0/0/0 with Accept: application/yang-data+json; PATCH request to /restconf/data/Cisco-IOS-XE-native:native/interface/GigabitEthernet=0/0/0 with Content-Type: application/yang-data+json and body {"Cisco-IOS-XE-native:description": "WAN-Link-to-R2"}
B.GET request to /restconf/data/ietf-interfaces:interfaces/interface=GigabitEthernet0/0/0 with Accept: application/json; PATCH request to /restconf/data/ietf-interfaces:interfaces/interface=GigabitEthernet0/0/0 with Content-Type: application/yang-data+json and body {"description": "WAN-Link-to-R2"}
C.GET request to /restconf/data/Cisco-IOS-XE-native:native/interface/GigabitEthernet=0/0/0 with Accept: application/yang-data+json; PATCH request to /restconf/data/ietf-interfaces:interfaces/interface=GigabitEthernet0/0/0 with Content-Type: application/json and body {"description": "WAN-Link-to-R2"}
D.GET request to /restconf/data/ietf-interfaces:interfaces/interface=GigabitEthernet0/0/0 with Accept: application/yang-data+json; PATCH request to /restconf/data/Cisco-IOS-XE-native:native/interface/GigabitEthernet=0/0/0 with Content-Type: application/json and body {"Cisco-IOS-XE-native:description": "WAN-Link-to-R2"}
AnswerA
solution
! R1
Use GET: curl -k -u admin:cisco -H "Accept: application/yang-data+json" https://198.51.100.1/restconf/data/ietf-interfaces:interfaces/interface=GigabitEthernet0%2F0%2F0
Use PATCH: curl -k -u admin:cisco -X PATCH -H "Content-Type: application/yang-data+json" -d '{"Cisco-IOS-XE-native:description":"WAN-Link-to-R2"}' https://198.51.100.1/restconf/data/Cisco-IOS-XE-native:native/interface/GigabitEthernet=GigabitEthernet0%2F0%2F0/description

Why this answer

The GET request correctly uses the ietf-interfaces YANG path and Accept header to retrieve the interface operational data. The PATCH request fails because it attempts to modify 'description' under the ietf-interfaces model, which is read-only for operational data; the writable 'description' is under Cisco-IOS-XE-native:native/interface/GigabitEthernet. The correct PATCH URI targets the Cisco-IOS-XE-native YANG module path, and the Content-Type must be application/yang-data+json.

The 400 error indicates a mismatch between the YANG path in the URI and the data payload.

Exam trap

A common trap is confusing operational (read-only) and configuration (writable) YANG models. Remember that ietf-interfaces provides operational data, while Cisco-IOS-XE-native provides configuration data. Also, ensure the correct Content-Type header is used for write operations.

Why the other options are wrong

B

The specific factual error is that the ietf-interfaces model's operational data cannot be modified via PATCH; the writable description is under Cisco-IOS-XE-native. Also, the Accept header should be application/yang-data+json.

C

The specific factual error is that the GET request should use ietf-interfaces for operational data, and the PATCH request should use the native model with correct Content-Type.

D

The specific factual error is that the Content-Type header must be application/yang-data+json, not application/json, to indicate the payload is YANG-encoded JSON.

612
MCQhard

A network engineer has enabled DHCP snooping on a Catalyst switch to prevent rogue DHCP servers. All access ports in VLAN 10 are untrusted. A router attached to a trunk port on the switch acts as the default gateway for VLAN 10 and is configured with the ip helper-address 10.1.2.5, which points to a remote DHCP server. After enabling DHCP snooping, hosts in VLAN 10 cannot obtain IP addresses; packet captures show DHCPDISCOVER messages are sent, but no DHCPOFFER is received. What is the most likely cause?

A.The router's ip helper-address command is pointing to an incorrect DHCP server IP address.
B.The switch port connecting to the router is not configured as a trusted port for DHCP snooping.
C.The DHCP server is on a different subnet, so the switch needs a switched virtual interface (SVI) in VLAN 10 with an IP address for Layer 3 connectivity.
D.DHCP snooping is dropping DHCPDISCOVER messages because the client access ports are untrusted.
AnswerB

DHCP snooping trusts only designated ports to forward DHCP server messages. Since the router relays the DHCPOFFER onto the trunk port, an untrusted port will cause the switch to discard the offer, resulting in DHCP failure.

Why this answer

DHCP snooping treats all ports as untrusted by default. When a router acting as a DHCP relay is connected to an untrusted trunk port, the switch drops DHCPOFFER messages received from the router because they originate from an untrusted interface. Configuring the trunk port as trusted allows DHCP server responses (OFFER, ACK) to pass through to clients.

Exam trap

Cisco often tests the distinction that DHCP snooping blocks DHCP server messages (OFFER/ACK/NAK) on untrusted ports, not client messages (DISCOVER/REQUEST), leading candidates to incorrectly assume client messages are dropped.

Why the other options are wrong

A

This distractor exploits the common tendency to blame the helper address configuration first, overlooking the security feature that silently drops the returning DHCPOFFER.

C

This plays on the misconception that a switch requires an IP address on the client VLAN to facilitate DHCP, when in fact the router acting as the relay agent provides Layer 3 connectivity.

D

This misinterprets DHCP snooping behavior: it assumes all DHCP traffic is filtered on untrusted ports, overlooking the critical distinction that only server-side messages are blocked, not client requests.

613
PBQhard

You are connected to R1. Configure HSRP on interface GigabitEthernet0/0 so that R1 becomes the active router for group 10 with a virtual IP of 192.0.2.254/24. Ensure that R1 preempts if it regains a higher priority, and track interface GigabitEthernet0/1 to decrement priority by 20 if it goes down. Additionally, troubleshoot the current configuration: both routers are showing as active for group 11 with virtual IP 203.0.113.1, which is incorrect — the virtual IP should be 203.0.113.254 for group 11.

Network Topology
G0/010.0.0.1/30G0/010.0.0.2/30linkR1R2

Hints

  • Use 'standby <group> preempt' to enable preemption.
  • Track interface uses 'standby <group> track <interface> <decrement>'.
  • Correct the virtual IP for group 11 to 203.0.113.254.
A.interface GigabitEthernet0/0 standby 10 ip 192.0.2.254 standby 10 preempt standby 10 track GigabitEthernet0/1 20 interface GigabitEthernet0/0 standby 11 ip 203.0.113.254 standby 11 preempt
B.interface GigabitEthernet0/0 standby 10 ip 192.0.2.254 standby 10 preempt standby 10 track GigabitEthernet0/1 20 interface GigabitEthernet0/0 standby 11 ip 203.0.113.254
C.interface GigabitEthernet0/0 standby 10 ip 192.0.2.254 standby 10 track GigabitEthernet0/1 20 interface GigabitEthernet0/0 standby 11 ip 203.0.113.254 standby 11 preempt
D.interface GigabitEthernet0/0 standby 10 ip 192.0.2.254 standby 10 preempt standby 10 track GigabitEthernet0/1 20 interface GigabitEthernet0/0 standby 11 ip 203.0.113.1 standby 11 preempt
AnswerA
solution
! R1
interface GigabitEthernet0/0
standby 11 ip 203.0.113.254
standby 10 preempt
standby 10 track GigabitEthernet0/1 20
standby 11 preempt

Why this answer

Both routers showing active for group 11 indicates a mismatch in the virtual IP address or missing preempt. To fix group 11, correct the virtual IP to 203.0.113.254 with 'standby 11 ip 203.0.113.254'. Add preempt with 'standby 11 preempt' to break the tie.

For group 10, to ensure R1 becomes active, you must configure preempt ('standby 10 preempt') and interface tracking ('standby 10 track GigabitEthernet0/1 20'). However, with default priority, R1 might not become active if R2's interface IP is higher; therefore, a priority command like 'standby 10 priority 110' may be necessary. The options shown do not include that priority command, so in practice the configuration is incomplete.

Exam trap

Many candidates forget that HSRP preempt requires a higher priority to actually trigger preemption; without explicitly configuring a higher priority, the router may remain in Standby state even with preempt enabled.

Why the other options are wrong

B

This option lacks 'standby 11 preempt', so R1 will not preempt for group 11, failing to resolve the active-active tie.

C

This option omits 'standby 10 preempt', so R1 will not preempt for group 10 as required.

D

This option uses the incorrect virtual IP 203.0.113.1 for group 11, which does not match the required 203.0.113.254.

614
MCQmedium

A user reports that their desk port stopped working immediately after they connected a small switch. The interface shows err-disabled, and the log mentions BPDU Guard. What most likely happened?

A.The port received a BPDU and BPDU Guard shut it down.
B.DHCP snooping blocked the user's ARP requests.
C.Port security moved the port to protect mode.
D.The trunk native VLAN matched incorrectly.
AnswerA

This matches the symptom and the log message.

Why this answer

BPDU Guard is commonly enabled on PortFast access ports to protect the topology. If the port receives a BPDU, the switch assumes another switch may have been connected and places the port into err-disabled state. That is exactly the protective behavior you want at the edge.

Exam trap

A frequent exam trap is mistaking BPDU Guard triggers for issues caused by DHCP snooping or port security. Candidates may incorrectly assume that DHCP snooping blocking ARP or port security violations cause the err-disabled state when the log explicitly mentions BPDU Guard. Another pitfall is confusing native VLAN mismatches on trunks as the cause, but these do not generate BPDU Guard errors.

The key is to recognize that BPDU Guard specifically responds to receiving BPDUs on PortFast-enabled ports, which signals an unexpected switch connection and leads to err-disable. Misreading the log or symptoms can lead to selecting incorrect answers that do not align with BPDU Guard’s function.

Why the other options are wrong

B

Incorrect. DHCP snooping blocks unauthorized DHCP messages but does not cause BPDU Guard to err-disable a port. The log specifically mentions BPDU Guard, so DHCP snooping is unrelated here.

C

Incorrect. Port security violations cause err-disable states but are triggered by MAC address violations, not by receiving BPDUs. The log message points to BPDU Guard, not port security.

D

Incorrect. A trunk native VLAN mismatch causes VLAN tagging issues but does not trigger BPDU Guard or err-disable a port due to BPDU reception. This option does not explain the BPDU Guard log message.

615
Multi-Selectmedium

Which three options best describe how machine learning models are trained for network anomaly detection? (Choose three.)

Select 3 answers
.Using historical baseline traffic data to learn normal behavior patterns
.Labeling datasets with known attack signatures for supervised learning
.Applying unsupervised clustering to identify deviations without predefined labels
.Requiring manual threshold configuration for every monitored metric
.Training exclusively on synthetic data generated by simulation tools
.Relying solely on SNMP polling intervals to detect anomalies

Why this answer

Machine learning models for network anomaly detection are effectively trained using historical baseline traffic data to learn normal behavior patterns, which allows the model to identify deviations that may indicate anomalies. Labeled datasets with known attack signatures enable supervised learning, where the model learns to classify traffic as normal or malicious based on examples. Unsupervised clustering techniques, such as k-means or DBSCAN, can identify deviations without predefined labels by grouping similar data points and flagging outliers as potential anomalies.

The three incorrect options—manual threshold configuration, training exclusively on synthetic data, and reliance on SNMP polling—are not characteristic of ML training methods. Manual threshold configuration is a rule‑based approach that does not involve learning from data. Training exclusively on synthetic data is not representative of real‑world traffic patterns and would not generalize well.

Relying solely on SNMP polling intervals is a traditional monitoring method, not a machine learning technique.

Exam trap

Cisco often tests the distinction between traditional rule-based monitoring (e.g., SNMP thresholds) and machine learning approaches, expecting candidates to recognize that ML models learn patterns automatically rather than relying on static thresholds or synthetic-only data.

616
MCQmedium

Which protocol is most directly responsible for keeping device clocks synchronized across a network?

A.NTP
B.TFTP
C.DHCP
D.CDP
AnswerA

This is correct because NTP is used to synchronize clocks across devices.

Why this answer

The correct protocol is NTP. In plain language, NTP helps devices agree on the current time so that logs, authentication events, monitoring data, and troubleshooting records line up accurately. Without consistent time, a network team may see events from multiple devices but be unable to reconstruct the actual sequence correctly.

This matters more than many people realize because accurate time underpins many operational workflows. Syslog messages, security events, and monitoring alerts become much easier to trust when devices are synchronized. DHCP, TFTP, and CDP are useful for other purposes, but they do not exist to align device clocks. NTP is the protocol specifically associated with time synchronization.

Exam trap

A frequent exam trap is selecting DHCP, TFTP, or CDP as the protocol responsible for clock synchronization. DHCP is often confused because it deals with network configuration, but it does not synchronize time. TFTP might seem relevant due to its role in transferring files like configurations, but it has no time-related function.

CDP is a Cisco proprietary protocol for device discovery and neighbor information exchange, not for time services. Candidates must recognize that only NTP is designed specifically to keep device clocks synchronized across a network, which is critical for accurate logging and event correlation.

Why the other options are wrong

B

TFTP is incorrect because it is a simple file transfer protocol used for tasks like configuration file transfers, not for synchronizing device clocks.

C

DHCP is incorrect because it provides IP addressing and network configuration to clients but does not handle time synchronization between devices.

D

CDP is incorrect because it is a Cisco proprietary protocol for device discovery and neighbor information exchange, not for clock synchronization.

617
Drag & Dropmedium

Drag and drop the following phases into the correct order to configure gRPC streaming telemetry subscription setup and then the NetFlow data path sequence.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4

Why this order

First configure telemetry, then set up NetFlow export, define the flow monitor, and finally apply it to an interface.

Exam trap

Be careful not to apply a flow monitor to an interface before it is defined, and remember that telemetry configuration must precede NetFlow export setup.

618
PBQhard

You are connected to R1 via console. PC1 is connected to R1's GigabitEthernet0/1 interface and is configured with a static IP address. PC1 cannot reach the internet (203.0.113.1). Identify and resolve the connectivity issue. Configure R1 to restore full connectivity for PC1.

Network Topology
203.0.113.1/30PC1Internet

Hints

  • The problem is not with IP addressing or routing; R1 can reach the internet.
  • PC1 uses a private IP address (RFC 1918), which must be translated before leaving R1.
  • Check if NAT is configured on R1.
A.Configure NAT overload on R1: define ACL 1 to permit 192.168.1.0 0.0.0.255, set GigabitEthernet0/0 as outside and GigabitEthernet0/1 as inside, and apply ip nat inside source list 1 interface GigabitEthernet0/0 overload.
B.Configure a static route on R1: ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 203.0.113.1.
C.Change PC1's default gateway to 203.0.113.1.
D.Enable IP routing on R1 and configure OSPF.
AnswerA
solution
! R1
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface GigabitEthernet0/0 overload
interface GigabitEthernet0/1
ip nat inside
interface GigabitEthernet0/0
ip nat outside

Why this answer

PC1 has a default gateway of 192.168.1.1, which is correct, but R1 is not performing NAT. R1 can reach the internet (203.0.113.1) but PC1 cannot because R1 drops packets from PC1 destined to the internet without source NAT. The fix is to configure NAT overload (PAT) on R1: define an ACL to match PC1's subnet, configure the inside and outside interfaces, and enable NAT on the outside interface.

This will translate PC1's private IP to R1's public IP.

Exam trap

The trap is that candidates may focus on routing (default route, routing protocols) or IP addressing (default gateway) when the real issue is NAT. Always verify if private IPs are being translated when hosts cannot reach the internet, even if the router itself has connectivity.

Why the other options are wrong

B

The specific factual error is that a default route is already in place and working; adding another does not solve the NAT problem.

C

The specific factual error is that a host's default gateway must be on the same subnet; 203.0.113.1 is not reachable directly from PC1.

D

The specific factual error is that OSPF does not solve the private-to-public address translation problem; it only exchanges routes between routers.

619
MCQhard

An EtherChannel uses LACP. One side is configured correctly, but the peer side has a different switchport mode on one of the member links. What is the most likely result?

A.The bundle may fail to form correctly because the member-link settings are inconsistent.
B.The switch automatically rewrites the peer configuration to match.
C.LACP converts the mismatched link into a routed interface automatically.
D.The mismatched link is placed in a spanning-tree blocking state.
AnswerA

This is correct because EtherChannel depends on compatible member settings.

Why this answer

The most likely result is that the bundle will not form cleanly because EtherChannel requires member links to agree on important operational settings. In practical terms, LACP negotiation alone is not enough. The links also need compatible characteristics such as switchport mode, VLAN handling, speed, and duplex where relevant.

This is a common troubleshooting pattern. It tests whether you know that bundle membership depends on configuration consistency, not just on enabling LACP.

Exam trap

Do not assume LACP can resolve all configuration mismatches. Ensure all settings are consistent across member links.

Why the other options are wrong

B

Switches do not automatically rewrite peer configurations; configuration changes must be made manually or via network automation tools. LACP only negotiates parameters like speed and duplex, not switchport mode or VLAN settings.

C

LACP operates at Layer 2 and does not change the interface type; a mismatched link remains a Layer 2 interface. Converting to a routed interface requires manual configuration with 'no switchport' command.

D

This is incorrect because a switchport mode mismatch in an EtherChannel typically causes the link to be suspended or placed into an errdisable state, not into a spanning-tree blocking state. Spanning tree deals with loops, not port-channel parameter mismatches.

620
PBQhard

You are troubleshooting a PC (PC-A) connected to switch SW1, which is connected to router R1. PC-A has an APIPA address (169.254.23.45) and cannot reach the internet (203.0.113.1). You confirm that R1 has a correctly configured DHCP pool for the 192.168.10.0/24 subnet, but the DHCP service is not enabled. The network uses VLAN 10 with subnet 192.168.10.0/24. Verify and correct the configuration on PC-A, SW1, and R1 to restore full connectivity.

Network Topology
G0/0/0192.168.10.1/24G0/0/0192.168.10.1/24203.0.113.1PC-ASW1R1Internet

Hints

  • Check if the DHCP server process is running on R1.
  • APIPA addresses (169.254.x.x) indicate DHCP failure.
  • The DHCP pool is configured but not yet active.
A.Enable the DHCP service on R1 with the 'service dhcp' command.
B.Configure a default gateway on PC-A with the IP address 192.168.10.1.
C.Change the VLAN on SW1's interface connected to PC-A from VLAN 10 to VLAN 1.
D.Add the 'ip helper-address' command on R1's interface connected to SW1.
AnswerA
solution
! R1
service dhcp

! SW1


! PC-A

Why this answer

The APIPA address (169.254.x.x) indicates that PC-A failed to obtain a DHCP lease. The correct solution is to enable the DHCP service on R1 with 'service dhcp', which is not running despite the configured pool. Option B is incorrect because setting a default gateway on PC-A with a static IP would still require a valid address in the subnet; the APIPA address cannot communicate with 192.168.10.1.

Option C is wrong because the PC-A interface on SW1 is correctly assigned to VLAN 10. Option D is unnecessary since R1 is directly connected to the same subnet, so 'ip helper-address' is only used to forward DHCP broadcasts across router boundaries.

Exam trap

Do not assume that configuring a DHCP pool is sufficient; the DHCP service must be explicitly enabled with 'service dhcp'. Also, remember that APIPA addresses indicate DHCP failure, not just a missing gateway.

Why the other options are wrong

B

The PC's APIPA address cannot reach the 192.168.10.1 gateway because it is not in the same subnet, so configuring a default gateway alone does not restore connectivity.

C

Changing the VLAN to VLAN 1 would isolate PC-A from the correct subnet (VLAN 10), breaking connectivity instead of fixing it.

D

The 'ip helper-address' command is used on interfaces that need to forward DHCP broadcasts to a remote DHCP server; here R1 itself is the DHCP server and is directly attached, so the command is not needed.

621
PBQhard

You are connected to R1. Configure OSPFv3 for IPv6 so that R1 and R2 can exchange IPv6 routes over their directly connected link. Enable IPv6 routing, assign OSPFv3 process and area on the interface, and verify that the neighbor adjacency forms and routes appear in the IPv6 routing table.

Network Topology
G0/02001:DB8:1::1/64G0/0 2001:DB8:1::2/64R1R2

Hints

  • OSPFv3 requires IPv6 unicast routing to be enabled globally.
  • OSPFv3 is enabled on the interface, not under a router ospf process like OSPFv2.
  • Use 'ipv6 ospf <process-id> area <area-id>' on the interface.
A.Enable IPv6 routing with 'ipv6 unicast-routing', configure OSPFv3 on the interface with 'ipv6 ospf 1 area 0', and verify with 'show ospfv3 neighbor' and 'show ipv6 route ospf'.
B.Enable IPv6 routing with 'ipv6 unicast-routing', configure OSPFv3 globally with 'router ospfv3 1' and 'router-id 1.1.1.1', then assign the interface to area 0 with 'ipv6 ospf 1 area 0'.
C.Enable IPv6 routing with 'ipv6 unicast-routing', configure OSPFv3 on the interface with 'ipv6 ospf 1 area 0', and verify with 'show ip ospf neighbor' and 'show ip route ospf'.
D.Enable IPv6 routing with 'ipv6 unicast-routing', configure OSPFv3 on the interface with 'ipv6 ospf 1 area 0', and verify with 'show ospfv3 neighbor' and 'show ipv6 route'.
AnswerA
solution
! R1
configure terminal
ipv6 unicast-routing
interface GigabitEthernet0/0
ipv6 ospf 1 area 0
end

Why this answer

Option A is correct because it includes enabling IPv6 routing with 'ipv6 unicast-routing', applying OSPFv3 to the interface using 'ipv6 ospf 1 area 0', and verifying with the correct OSPFv3-specific commands 'show ospfv3 neighbor' and 'show ipv6 route ospf'. Option B is incorrect because it adds a global 'router ospfv3 1' command, which is unnecessary; OSPFv3 can be configured directly on the interface without a global process. Option C is incorrect because it uses IPv4 OSPF verification commands 'show ip ospf neighbor' and 'show ip route ospf', which are not valid for OSPFv3.

Option D is incorrect because although it uses the correct 'show ospfv3 neighbor', the 'show ipv6 route' command does not filter to OSPF-learned routes, so it displays all IPv6 routes rather than just OSPF routes.

Exam trap

Do not confuse OSPFv3 with OSPFv2. OSPFv3 uses 'ipv6 ospf' on the interface and 'show ospfv3 neighbor' for verification. Also, remember to enable IPv6 routing with 'ipv6 unicast-routing'.

Why the other options are wrong

B

Adding a global 'router ospfv3 1' command is unnecessary; OSPFv3 can be enabled directly on the interface without a separate global configuration.

C

Using 'show ip ospf neighbor' and 'show ip route ospf' are IPv4 OSPFv2 commands, not valid for OSPFv3 which requires 'show ospfv3 neighbor' and 'show ipv6 route ospf'.

D

The 'show ipv6 route' command displays all IPv6 routes, not just OSPF-learned ones; the filter 'ospf' is required to see OSPF routes specifically.

622
MCQhard

A client connects to an employee WLAN using 802.1X authentication. The authentication process completes successfully, but the client fails to obtain an IP address via DHCP. What is the most likely cause?

A.The client is being placed into the wrong policy or VLAN after successful authentication.
B.The WLAN is configured with the wrong SSID, which prevents DHCP packets from being forwarded.
C.The client has a static IP address manually configured, causing a DHCP conflict.
D.The access point is configured with an incorrect default gateway, preventing DHCP relay.
AnswerA

Post‑authentication VLAN assignment via RADIUS attributes can override the default interface VLAN. If the assigned VLAN has no DHCP server, the client cannot obtain an address.

Why this answer

Even after successful 802.1X authentication, the client may be assigned to the wrong VLAN or policy through RADIUS attributes (such as Tunnel-Type or Cisco AV-pair). If that VLAN lacks a DHCP server or correct subnet, the client will not receive an IP address. The other options describe issues that either prevent association entirely (wrong SSID) or are not typical causes in controller-based WLANs (static IP, AP gateway misconfiguration).

Exam trap

Cisco often tests the distinction between authentication success and post-authentication network access, leading candidates to focus on pre-authentication issues (like wrong PSK or RADIUS timeout) when the real problem is VLAN assignment or DHCP relay misconfiguration.

Why the other options are wrong

B

An incorrect SSID would prevent the client from associating to the WLAN at all, not allow authentication followed by DHCP failure.

C

A statically configured IP is less likely the strongest cause because the client would either not use DHCP or would obtain an APIPA address, and the issue is specifically about failing to obtain a correct address via DHCP.

D

The access point’s default gateway does not impact DHCP forwarding for client traffic; in controller-based deployments, DHCP packets are handled by the controller or bridged directly to the wired network.

623
PBQhard

You are connected to R1 via the console. R1 and R2 are connected via a fiber link using SFPs. The link is not coming up. Configure the correct SFP type on R1's interface GigabitEthernet0/0 to support the required 2 km distance, and fix any auto-negotiation or speed/duplex misconfiguration so that the link becomes operational.

Network Topology
G0/010.0.0.1/30G0/010.0.0.2/302 km fiberR1R2

Hints

  • Check the transceiver details to see the current SFP's distance capability.
  • The link requires 2 km; the current SFP only supports 550 m.
  • Auto-negotiation is not used on fiber links; disable it with 'no negotiation auto'.
A.Replace SFP with 1000BASE-LX, configure 'no negotiation auto' on GigabitEthernet0/0, and remove 'speed 1000' and 'duplex full'.
B.Replace SFP with 1000BASE-SX, configure 'negotiation auto' on GigabitEthernet0/0, and keep 'speed 1000' and 'duplex full'.
C.Replace SFP with 1000BASE-LX, configure 'negotiation auto' on GigabitEthernet0/0, and keep 'speed 1000' and 'duplex full'.
D.Replace SFP with 1000BASE-LX, configure 'no negotiation auto' on GigabitEthernet0/0, and configure 'speed 100' and 'duplex full'.
AnswerA
solution
! R1
interface gigabitEthernet 0/0
no speed 1000
no duplex full
no negotiation auto
end

Why this answer

The current SFP is 1000BASE-SX (850 nm), rated for only 550 m, which is insufficient for a 2 km link. It must be replaced with a 1000BASE-LX SFP that supports up to 10 km. The interface currently has 'speed 1000', 'duplex full', and 'negotiation auto'.

On fiber SFPs, auto-negotiation is not supported and the speed and duplex are fixed at 1000 Mbps full duplex; therefore, 'no negotiation auto' is required, and any manually configured speed/duplex that violates the SFP's capabilities will prevent the link from coming up. Option A correctly uses 1000BASE-LX, disables auto-negotiation, and removes the redundant speed/duplex commands (the defaults are sufficient). Option D incorrectly sets 'speed 100', which is incompatible with the 1000BASE-LX SFP, causing the link to fail.

Option B uses the wrong SFP type (1000BASE-SX). Option C uses the correct SFP but leaves 'negotiation auto', which is unsupported on fiber SFPs and will keep the link down.

Exam trap

Do not assume auto-negotiation is always required; fiber SFPs use fixed parameters. Also, remember that 1000BASE-SX is for short distances (up to 550 m), while 1000BASE-LX supports longer distances (up to 10 km).

Why the other options are wrong

B

Uses 1000BASE-SX, which cannot support the required 2 km distance.

C

Retains 'negotiation auto', which is not supported on fiber SFPs and prevents the link from establishing.

D

Configures 'speed 100', a value incompatible with a 1000BASE-LX SFP, causing a link failure.

624
MCQhard

A company wants to connect two sites across an IP network by creating a logical tunnel between the edge routers. Which technology is most directly associated with that requirement?

A.GRE
B.PortFast
C.DHCP relay
D.Root guard
AnswerA

This is correct because GRE is commonly used to create logical tunnels across IP networks.

Why this answer

GRE is the most directly associated technology because it creates a logical tunnel between routers across an existing IP network. In practical terms, it allows the routers to treat the path as a virtual point-to-point connection for encapsulated traffic.

The question is specifically about tunneling between sites, not about plain routing, management, or switching behavior.

Exam trap

A common exam trap is mistaking GRE for unrelated Cisco features like PortFast or DHCP relay. PortFast is a Spanning Tree Protocol optimization for edge ports and does not create tunnels. DHCP relay forwards DHCP requests and is unrelated to site-to-site connectivity.

Another trap is confusing GRE with security features like IPsec; GRE itself does not encrypt traffic but only encapsulates it. Candidates might also overlook that GRE tunnels require proper MTU handling to avoid fragmentation issues, which can cause connectivity problems if ignored.

Why the other options are wrong

B

PortFast is incorrect because it is an STP feature that immediately transitions a switch port to forwarding state and does not provide any tunneling or routing capabilities.

C

DHCP relay is incorrect because it only forwards DHCP broadcast requests between clients and servers and does not create tunnels or connect sites logically over an IP network.

D

Root guard is incorrect because it is an STP topology protection feature that prevents a port from becoming a root port, and it does not create tunnels or affect routing.

625
Drag & Drophard

Drag and drop the following steps into the correct order to configure Root Guard on designated ports, Loop Guard on non-designated ports, and BPDU Guard on PortFast ports, including recovery steps when a port enters err-disabled.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4

Why this order

Root Guard must be applied first on designated ports to prevent unwanted root bridge changes, then Loop Guard on non-designated ports to prevent loops, followed by BPDU Guard on PortFast ports. Recovery steps are last because they apply after a violation occurs.

Exam trap

The trap is that candidates may confuse the order of applying STP protections. Remember: Root Guard first (designated ports), then Loop Guard (non-designated), then BPDU Guard (PortFast), and recovery last. Do not place recovery first or mix up the sequence.

626
Multi-Selectmedium

A security policy requires administrators to permit SSH to network devices but block insecure remote CLI access. Which two actions support that goal?

Select 2 answers
A.Enable SSH on the VTY lines and use local or AAA authentication
B.Disable Telnet access on the VTY lines
C.Enable CDP globally
D.Configure the console line for transport input ssh
AnswersA, B

SSH provides encrypted remote management.

Why this answer

To meet the requirement, the device should allow encrypted SSH access and explicitly avoid Telnet for remote management.

Exam trap

A frequent exam trap is selecting options related to the console line or CDP when the question focuses on securing remote CLI access. The console line is for local physical access and does not support SSH, so configuring SSH there does not meet the requirement. Similarly, enabling CDP is unrelated to securing management access and does not block insecure protocols like Telnet.

Another common mistake is assuming that enabling SSH alone is sufficient without disabling Telnet, which leaves an insecure access method open. Candidates must carefully distinguish between local and remote access methods and ensure insecure protocols are explicitly blocked on VTY lines.

Why the other options are wrong

C

Enabling CDP globally is incorrect because CDP is a device discovery protocol and does not secure or restrict remote CLI access, so it does not support the goal of blocking insecure access.

D

Configuring the console line for transport input ssh is incorrect because the console line is for local physical access and does not support SSH, so this does not enforce secure remote access.

627
PBQmedium

You are connected to R1 via console. R1 has two interfaces: GigabitEthernet0/0 (10.0.0.1/30, connected to ISP) and GigabitEthernet0/1 (192.168.1.1/24, connected to internal LAN). The LAN hosts (192.168.1.0/24) need to access the internet. Configure dynamic NAT with PAT (overload) on R1 using a NAT pool so that internal hosts share the public IP 10.0.0.1 when accessing the internet. Assume the ISP router is already configured and reachable.

Network Topology
G0/1192.168.1.1/24G0/010.0.0.1/30PCsLANR1ISPInternet

Hints

  • Define an ACL to match internal traffic.
  • Create a NAT pool with the public IP address.
  • Apply overload to allow multiple hosts to share the public IP.
A.access-list 1 permit 192.168.1.0 0.0.0.255 ip nat pool PUBLIC 10.0.0.1 10.0.0.1 netmask 255.255.255.252 ip nat inside source list 1 pool PUBLIC overload interface GigabitEthernet0/0 ip nat outside interface GigabitEthernet0/1 ip nat inside
B.access-list 1 permit 192.168.1.0 0.0.0.255 ip nat pool PUBLIC 10.0.0.1 10.0.0.2 netmask 255.255.255.252 ip nat inside source list 1 pool PUBLIC interface GigabitEthernet0/0 ip nat outside interface GigabitEthernet0/1 ip nat inside
C.access-list 1 permit any ip nat pool PUBLIC 10.0.0.1 10.0.0.1 netmask 255.255.255.252 ip nat inside source list 1 pool PUBLIC overload interface GigabitEthernet0/0 ip nat inside interface GigabitEthernet0/1 ip nat outside
D.access-list 1 permit 192.168.1.0 0.0.0.255 ip nat inside source list 1 interface GigabitEthernet0/0 overload interface GigabitEthernet0/0 ip nat outside interface GigabitEthernet0/1 ip nat inside
AnswerA
solution
! R1
ip access-list standard NAT_ACL permit 192.168.1.0 0.0.0.255
ip nat pool PUBLIC_POOL 10.0.0.1 10.0.0.1 netmask 255.255.255.252
ip nat inside source list NAT_ACL pool PUBLIC_POOL overload
interface GigabitEthernet0/1
ip nat inside
interface GigabitEthernet0/0
ip nat outside

Why this answer

Option A is correct because it creates an ACL matching only the internal subnet (192.168.1.0/24), defines a NAT pool containing only the single public IP 10.0.0.1, enables PAT with the 'overload' keyword, and correctly assigns inside/outside interfaces. Option B is wrong because the pool includes 10.0.0.2, which is the ISP's IP and would cause conflicts, plus it lacks the 'overload' keyword so PAT is not activated. Option C is wrong because the ACL uses 'any', potentially matching unintended traffic, and the interface roles are reversed (G0/0 as inside, G0/1 as outside), breaking the NAT translation direction.

Option D is incorrect because while it implements PAT correctly, it uses interface overload rather than a NAT pool, which does not meet the explicit requirement to use a pool.

Exam trap

Pay close attention to the exact requirements: the question specifies a pool with IP 10.0.0.1, not interface overload. Also ensure ACL matches only the internal subnet, and interfaces are correctly designated as inside/outside.

Why the other options are wrong

B

The pool range includes 10.0.0.2 (the ISP's IP) and lacks the overload keyword, so PAT is disabled.

C

The ACL permits all traffic (any) and the inside/outside interfaces are reversed.

D

This uses interface overload instead of a NAT pool, contradicting the pool requirement.

628
PBQhard

You are connected to R1, a multilayer switch acting as the STP root for VLAN 10. Configure Root Guard on the designated port facing a downstream switch to prevent a rogue switch from becoming root. Also, enable Loop Guard on the uplink port to prevent STP loops, and configure BPDU Guard on a PortFast-enabled access port. Ensure that if a superior BPDU is received on the Root Guard port, it is blocked, and if a BPDU is received on the BPDU Guard port, it goes err-disabled.

Network Topology
G0/010.0.0.1/30G0/010.0.0.2/30trunkG0/1192.168.10.1/24R2R1access vlan 10SW2PC

Hints

  • Root Guard is applied on designated ports to block superior BPDUs.
  • Loop Guard is applied on root or alternate ports to prevent loops if BPDUs stop.
  • BPDU Guard with PortFast err-disables the port upon receiving any BPDU.
A.The configuration is correct; no changes are needed.
B.Root Guard should be applied on G0/0 instead of G0/1, and Loop Guard on G0/1 instead of G0/0.
C.BPDU Guard should be configured on G0/1 instead of G0/2, and Loop Guard should be removed from G0/0.
D.Root Guard should be applied on G0/2 instead of G0/1, and BPDU Guard should be removed from G0/2.
AnswerA
solution
! R1

Why this answer

R1 is the STP root for VLAN 10. The downstream port (G0/1) is a designated port, so Root Guard is correctly applied to prevent a superior BPDU from being accepted. The uplink port (G0/0) is a root port, so Loop Guard should be applied there to prevent an STP loop if BPDUs stop arriving.

The access port (G0/2) has PortFast and BPDU Guard enabled, which will err-disable the port if a BPDU is received. The current configuration is correct; no changes are needed. If a superior BPDU arrives on G0/1, Root Guard will block the port.

If a BPDU arrives on G0/2, BPDU Guard will err-disable it.

Exam trap

The trap is that candidates may think changes are needed because they misapply STP protections to the wrong port types. Remember: Root Guard on designated ports, Loop Guard on root/alternate ports, BPDU Guard on PortFast access ports.

Why the other options are wrong

B

Root Guard is only effective on designated ports; applying it to a root port would not prevent a rogue switch from becoming root. Loop Guard on a designated port is unnecessary and could cause false positives.

C

BPDU Guard on a trunk port would err-disable it upon receiving a BPDU, which is normal for trunk ports. Loop Guard on the root port is essential for loop prevention; removing it would leave the network vulnerable.

D

Root Guard on an access port would block the port if a superior BPDU is received, but access ports should not receive BPDUs if PortFast is enabled. BPDU Guard already handles that by err-disabling the port.

629
Multi-Selectmedium

Which three of the following correctly describe how a Layer 2 switch handles frames? (Choose three.)

Select 3 answers
.If the destination MAC address is a known unicast, the switch forwards the frame only out of the port associated with that MAC address.
.If the destination MAC address is broadcast (FFFF.FFFF.FFFF), the switch floods the frame out all ports except the incoming port.
.If the destination MAC address is unknown (not in the MAC address table), the switch drops the frame to prevent loops.
.The switch dynamically learns MAC addresses by examining the source MAC address of incoming frames on each port.
.The switch updates the MAC address table every 30 seconds by default using CDP advertisements.
.If the source MAC address in a frame matches the destination MAC address, the switch forwards the frame to all ports.

Why this answer

A Layer 2 switch forwards known unicasts only to the associated port (A), floods broadcasts out all ports except the incoming port (B), and dynamically learns MAC addresses from source MACs of frames (D). Unknown unicasts are flooded, not dropped (C is wrong). MAC address table learning relies on source MAC inspection, not CDP (E is wrong).

If source and destination MAC are identical, the frame is not forwarded; it is typically dropped (F is wrong).

Exam trap

Cisco often tests the misconception that an unknown unicast is dropped, but the correct behavior is flooding; the trap is that candidates confuse 'unknown unicast' with 'unicast not in the table' and incorrectly assume it is treated like a loop-prevention drop.

630
PBQhard

You are connected to a multilayer switch MLS1 via the console. Configure MLS1 so that IP phones connected to interface GigabitEthernet0/1 receive power via PoE, use VLAN 10 for data traffic, and use VLAN 20 for voice traffic, while the access port for an AP on GigabitEthernet0/2 should be placed in VLAN 30 and have PoE disabled. Verify your configuration using appropriate show commands.

Hints

  • Voice VLAN is configured with a separate command from the access VLAN.
  • PoE can be disabled per interface using 'power inline never'.
  • Use 'show interfaces switchport' to see both voice and access VLAN assignments.
A.interface GigabitEthernet0/1 switchport mode access switchport access vlan 10 switchport voice vlan 20 power inline auto ! interface GigabitEthernet0/2 switchport mode access switchport access vlan 30 power inline never
B.interface GigabitEthernet0/1 switchport mode trunk switchport trunk allowed vlan 10,20 power inline auto ! interface GigabitEthernet0/2 switchport mode access switchport access vlan 30 power inline never
C.interface GigabitEthernet0/1 switchport mode access switchport access vlan 20 switchport voice vlan 10 power inline auto ! interface GigabitEthernet0/2 switchport mode access switchport access vlan 30 power inline never
D.interface GigabitEthernet0/1 switchport mode access switchport access vlan 10 switchport voice vlan 20 power inline never ! interface GigabitEthernet0/2 switchport mode access switchport access vlan 30 power inline auto
AnswerA
solution
! MLS1
interface GigabitEthernet0/1
switchport voice vlan 20
power inline auto
interface GigabitEthernet0/2
switchport access vlan 30
power inline never

Why this answer

For the IP phone port (G0/1), you need to enable PoE (power inline auto) and configure the voice VLAN (switchport voice vlan 20) so that the phone uses VLAN 20 for voice and the access VLAN 10 for data. For the AP port (G0/2), you must change the access VLAN to 30 and disable PoE (power inline never) to prevent powering the AP through the switch. Verify with 'show interfaces switchport' to confirm voice VLAN and access VLAN settings, and 'show power inline' to check PoE status.

Exam trap

A common trap is confusing the voice VLAN command with trunking or swapping the access and voice VLANs. Also, remember that IP phones require PoE, while the AP in this scenario does not. Always verify with show commands.

Why the other options are wrong

B

The specific factual error is that IP phones typically use an access port with a voice VLAN, not a trunk port. Trunking is unnecessary and can cause compatibility issues.

C

The specific factual error is confusing the access VLAN and voice VLAN assignments. The voice VLAN is configured with 'switchport voice vlan', and the access VLAN with 'switchport access vlan'.

D

The specific factual error is reversing the PoE settings: 'power inline never' on the phone port and 'power inline auto' on the AP port.

631
Multi-Selectmedium

Which TWO statements correctly describe the behavior of PAT (Port Address Translation) as configured on a Cisco router?

Select 2 answers
A.PAT translates multiple internal addresses to a single public IP address by using unique source port numbers.
B.PAT requires a 1:1 mapping of internal to external IP addresses.
C.PAT can only be configured with a pool of public IP addresses.
D.PAT uses both IP addresses and port numbers to track translations.
E.PAT translations are always static and never time out.
AnswersA, D

PAT distinguishes between multiple internal hosts sharing the same public IP by assigning a different source port for each session. The router maintains a translation table that tracks the original internal IP and port along with the assigned public IP and port.

Why this answer

PAT (Port Address Translation) translates multiple internal private IP addresses to a single public IP address by assigning unique source port numbers to each session, allowing many internal hosts to share one public IP. This is correctly described in option A. Option D is also correct because PAT uniquely identifies each translation by both the IP address and the port number, enabling the router to demultiplex return traffic.

Option B is wrong because PAT uses many-to-one mapping, not 1:1; a 1:1 mapping is characteristic of static NAT. Option C is incorrect because PAT can operate with a single public IP address (often the outside interface address) rather than requiring a pool. Option E is false because PAT translations are dynamically created and time out after a period of inactivity; they are not static.

Exam trap

Cisco often tests the misconception that PAT requires a pool of public IPs or a 1:1 mapping, when in fact PAT is designed for many-to-one translation using port numbers, and can operate with a single public IP address.

Why the other options are wrong

B

PAT does not require a 1:1 mapping; it allows many internal addresses to share a single public IP. A 1:1 mapping is characteristic of static NAT, not PAT.

C

PAT can be configured with either a single public IP address (using the interface address) or a pool of public IP addresses. It does not require a pool; a single address is sufficient for PAT overload.

E

PAT translations are dynamic and have a timeout (default 86400 seconds for general translations, but shorter for TCP/UDP). They are removed after the session ends or the timeout expires.

632
PBQhard

You are connected to R1, a branch router. Configure an extended ACL named BRANCH_IN that permits only HTTP (TCP port 80) traffic from the internal network 192.168.1.0/24 to the web server at 203.0.113.10, and permits ICMP echo-reply from any source to any destination. Apply the ACL inbound on the interface facing the internal network. Then verify that only the specified traffic is allowed.

Network Topology
G0/0192.168.1.1/24G0/1203.0.113.2/30HostsInternal LANR1ISPWeb Server

Hints

  • The ACL is defined but not yet applied to an interface.
  • Consider which direction traffic from the internal network flows relative to the interface.
  • Use 'ip access-group' under the correct interface configuration mode.
A.ip access-list extended BRANCH_IN permit tcp 192.168.1.0 0.0.0.255 host 203.0.113.10 eq 80 permit icmp any any echo-reply ! interface GigabitEthernet0/0 ip access-group BRANCH_IN in
B.ip access-list extended BRANCH_IN permit tcp 192.168.1.0 0.0.0.255 host 203.0.113.10 eq 80 permit icmp any any echo-reply ! interface GigabitEthernet0/0 ip access-group BRANCH_IN out
C.ip access-list extended BRANCH_IN permit tcp 192.168.1.0 0.0.0.255 host 203.0.113.10 eq 80 permit icmp any any ! interface GigabitEthernet0/0 ip access-group BRANCH_IN in
D.ip access-list extended BRANCH_IN permit tcp 192.168.1.0 0.0.0.255 host 203.0.113.10 eq 80 permit icmp any any echo-reply ! interface GigabitEthernet0/0 ip access-group BRANCH_IN in ! interface GigabitEthernet0/1 ip access-group BRANCH_IN in
AnswerA
solution
! R1
interface GigabitEthernet0/0
ip access-group BRANCH_IN in

Why this answer

Option A is correct because it creates an extended ACL that permits TCP port 80 from the internal 192.168.1.0/24 to the web server 203.0.113.10 and permits only ICMP echo-reply, then applies it inbound on the internal interface G0/0, matching the requirement. Option B is wrong because the ACL is applied outbound on G0/0, but traffic from internal hosts to the web server exits via the WAN interface (G0/1), not G0/0. Option C is wrong because it permits all ICMP (any any) instead of only echo-reply, allowing unnecessary ICMP traffic.

Option D is wrong because it applies the ACL inbound on both G0/0 and G0/1; applying it on G0/1 would incorrectly filter inbound traffic from the ISP, potentially blocking the web server's responses.

Exam trap

Pay close attention to the direction of traffic flow. The ACL must be applied inbound on the interface that receives traffic from the internal network. Also, be precise with ICMP types: 'echo-reply' is the response to a ping, not the initial echo request.

Why the other options are wrong

B

The ACL is applied in the wrong direction. Applying it outbound would filter traffic leaving the interface, not entering it.

C

The ACL permits all ICMP traffic instead of only echo-reply. This violates the requirement to permit only ICMP echo-reply.

D

Applying the ACL to an additional interface (G0/1) is unnecessary and may cause unintended filtering. The requirement specifies only one interface.

633
Multi-Selectmedium

Which two statements about YANG are correct?

Select 2 answers
A.It defines structured models for configuration and state data
B.It is commonly associated with NETCONF and RESTCONF
C.It is a replacement for OSPF adjacency formation
D.It is the same thing as JSON syntax
E.It automatically discovers neighbors on a LAN
AnswersA, B

That is the core purpose of YANG.

Why this answer

YANG is a data modeling language used to describe configuration and operational state. It is commonly used with NETCONF and RESTCONF, but it is not itself the transport protocol.

Exam trap

A common exam trap is mistaking YANG for a routing protocol or a data format. Some candidates incorrectly believe YANG replaces protocols like OSPF for adjacency formation or that it is the same as JSON syntax. This confusion arises because YANG models can be encoded in JSON or XML, but YANG itself is a modeling language, not a transport or routing protocol.

Misunderstanding this can lead to selecting incorrect answers that describe YANG as performing routing or neighbor discovery functions, which it does not. Recognizing YANG’s role as a data modeling language avoids this pitfall.

Why the other options are wrong

C

Option C is incorrect because YANG is not a routing protocol and does not handle OSPF adjacency formation or any routing functions.

D

Option D is incorrect as YANG is a modeling language, not a data format like JSON. Although YANG models can be encoded in JSON, they are not the same thing.

E

Option E is incorrect because YANG does not perform network discovery functions such as automatically discovering neighbors on a LAN; that is outside its scope.

634
MCQhard

A host address is 192.168.90.33/28. Which address is the last usable host in the subnet?

A.192.168.90.46
B.192.168.90.47
C.192.168.90.33
D.192.168.90.48
AnswerA

This is correct because .46 is the last usable address before the .47 broadcast in the 32-47 block.

Why this answer

The /28 subnet mask (255.255.255.240) gives a block size of 16 addresses. The network address for 192.168.90.33 is 192.168.90.32, so the broadcast address is 192.168.90.47. The last usable host is the broadcast address minus one, which is 192.168.90.46.

Exam trap

Cisco often tests the distinction between the broadcast address and the last usable host, tricking candidates who forget to subtract one from the broadcast address.

Why the other options are wrong

B

192.168.90.47 is the broadcast address for the subnet 192.168.90.32/28. Broadcast addresses cannot be assigned to hosts; they are used to send traffic to all hosts in the subnet.

C

192.168.90.33 is the first usable host in the subnet (network address .32 + 1). The question asks for the last usable host, not the first.

D

192.168.90.48 is the network address of the next subnet (192.168.90.48/28). It is not part of the current subnet and cannot be used as a host address in the subnet containing .33.

635
MCQhard

A network engineer adds a loopback interface Lo0 with IP address 172.16.0.1/32 to router R1. After restarting the OSPF process, the OSPF router-ID changes from 10.1.1.1 to 172.16.0.1, and the neighbor relationship with R2 resets. What should the technician do next to prevent this disruption the next time a loopback is added?

A.Configure passive-interface Lo0 under the OSPF process
B.Configure a static router-id using the router-id command under the OSPF process
C.Set a higher OSPF priority on the router’s interfaces
D.Configure the OSPF area as a stub area
AnswerB

Explicitly setting the OSPF router-ID prevents the process from dynamically re-electing a new router-ID based on interface IPs. This guarantees a stable router-ID regardless of added loopbacks, avoiding adjacency resets.

Why this answer

Configuring a static router-id under the OSPF process ensures the router-ID never changes due to interface IP changes or loopback additions. This directly addresses the root cause of the adjacency reset—dynamic router-ID re-election.

Exam trap

Candidates often mistake the passive-interface command as a way to prevent the loopback IP from being considered for router-ID selection, but OSPF router-ID election is independent of interface passive state; it always picks the highest loopback IP at process start.

Why the other options are wrong

A

Passive-interface does not influence router-ID selection, which is based solely on highest active loopback IP address at process initialization.

C

Confusing DR election parameters with router-ID election leads candidates to a parameter that is irrelevant to router-ID stability.

D

Changing area type does not address router-ID fluctuation; it targets LSDB optimization, which is unrelated to the dynamic router-ID re-election after loopback addition.

636
MCQhard

An OSPF-enabled router R1 fails to advertise the 192.168.50.0/24 network to neighbor R2, even though the neighbor relationship is up. Which misconfiguration on R1 would cause this?

A.The OSPF process must be process ID 50 to advertise 192.168.50.0/24
B.The wildcard network statement does not match 192.168.50.0/24
C.OSPF cannot advertise a directly connected LAN
D.R2 needs a default route before learning intra-area routes
AnswerB

Correct choice.

Why this answer

If the network statement on R1 does not match the interface connected to 192.168.50.0/24, OSPF will not enable on that interface and the subnet will not be advertised. The route stays absent from neighbors despite OSPF running elsewhere.

Exam trap

A frequent exam trap is believing that the OSPF process ID must match across routers to advertise specific networks or that OSPF cannot advertise directly connected LANs. Candidates may also incorrectly assume that a default route is required on a router before it can learn intra-area routes. These misconceptions lead to overlooking the actual cause: a mismatched wildcard mask in the network statement that prevents OSPF from activating on the interface.

This trap causes candidates to focus on irrelevant configuration elements instead of verifying the network statement accuracy.

Why the other options are wrong

A

The OSPF process ID is locally significant and does not affect which networks are advertised. Changing the process ID to 50 is unnecessary and does not solve the problem of missing routes.

C

OSPF can advertise directly connected LANs if their interfaces are included in the OSPF network statements. This option is incorrect because directly connected LANs are advertised when properly configured.

D

A default route is not required for a router to learn intra-area OSPF routes. OSPF routers exchange routing information through link-state advertisements without needing a default route first.

637
Matchingmedium

Drag and drop the AAA and 802.1X terms on the left to the correct descriptions on the right.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Uses UDP; encrypts only the password in the packet

Uses TCP; encrypts the entire packet

Port-based authentication using EAPoL frames

RADIUS server that validates credentials in 802.1X

Global command to enable AAA on IOS-XE

Why these pairings

AAA components: authentication verifies identity, authorization grants rights, accounting logs activities. 802.1X roles: supplicant is the client, authenticator is the switch/AP, and authentication server (RADIUS) validates and authorizes.

Exam trap

Candidates often confuse the roles in 802.1X or mix up AAA components. Remember that authentication is about identity verification, authorization is about permissions, and accounting is about logging. In 802.1X, the supplicant is the client, the authenticator is the network device, and the authentication server validates credentials.

638
MCQhard

A user reports they cannot access any network resources. A network administrator runs ipconfig on the user's Windows PC and sees an IPv4 address of 169.254.45.3/16. The administrator then pings the default gateway 10.0.0.1, which fails, and uses traceroute to 10.0.0.1, which shows only '1 * * * Request timed out.' What is the most likely cause of the problem?

A.The PC's DNS server address is incorrect.
B.The switch port is in an administratively down state.
C.The Ethernet cable is unplugged from the PC.
D.The DHCP server is unreachable.
AnswerD

The 169.254.x.x APIPA address indicates that the PC is configured for DHCP but did not receive a DHCP offer. Because the address is not in the same subnet as the default gateway, all connectivity beyond the local link fails.

Why this answer

The 169.254.45.3/16 address is an Automatic Private IP Addressing (APIPA) address, assigned by Windows when a DHCP discovery fails. The failed ping and traceroute to the default gateway confirm that the PC has no IP connectivity to the network. Since the PC is on the same subnet as the DHCP server (10.0.0.0/24), the most likely cause is that the DHCP server is unreachable, preventing the PC from obtaining a valid IP address.

Exam trap

Cisco often tests the distinction between a link-local APIPA address and a 'Media disconnected' state; the trap here is that candidates may assume a physical issue (unplugged cable or disabled port) when the presence of an APIPA address actually proves the physical and data link layers are operational.

Why the other options are wrong

A

DNS misconfiguration would not prevent direct IP connectivity to the gateway.

B

With the port down, the PC would not assign any IP address; APIPA assignment requires an active link.

C

Physical disconnection prevents link establishment, so no IP address is assigned.

639
MCQhard

A host with address 10.0.0.130/25 needs to identify its subnet. Which subnet is correct?

A.10.0.0.0/25
B.10.0.0.64/25
C.10.0.0.128/25
D.10.0.0.192/25
AnswerC

This is correct because 130 falls in the 128 through 255 range.

Why this answer

A /25 uses blocks of 128 addresses. In plain language, that means the fourth-octet ranges are 0–127 and 128–255. Since the host address ends in 130, it belongs to the upper block, which means the subnet is 10.0.0.128/25.

This kind of question is a staple of subnetting because it tests whether you can identify the correct subnet boundary from the prefix and host address. Once you recognize the /25 split, the answer becomes straightforward.

Exam trap

Be careful not to confuse the subnet mask with the number of addresses it covers. Always calculate the address range based on the subnet mask.

Why the other options are wrong

A

The subnet 10.0.0.0/25 covers addresses 10.0.0.0 through 10.0.0.127. Since 10.0.0.130 is outside this range, it cannot belong to this subnet. The host's address must be within the subnet's range.

B

The /25 prefix length has a subnet size of 128, so valid network addresses are multiples of 128 (0, 128, 256, etc.). 10.0.0.64 is not a multiple of 128, so it is not a valid /25 network address.

D

The /25 prefix length creates subnets with a block size of 128, starting at 0, 128, 256, etc. 10.0.0.192/25 would be a valid subnet if the network started at 192, but 192 is not a valid /25 boundary because 192 is not a multiple of 128.

640
PBQmedium

You are connected to the console of R1. The network administrator reports that R1 cannot discover neighboring devices via CDP. R1 is connected to SW1 via GigabitEthernet0/0. You suspect CDP is disabled globally or on the interface. Your task is to enable CDP and verify neighbor discovery.

Network Topology
G0/0G0/1R1SW1

Hints

  • CDP can be disabled globally or per interface.
  • Use the 'show cdp' command to check global status.
  • After enabling, wait a few seconds for neighbor discovery.
A.Enter global configuration mode, issue 'cdp run', then enter interface configuration mode for GigabitEthernet0/0 and issue 'cdp enable'.
B.Enter global configuration mode, issue 'cdp enable', then enter interface configuration mode for GigabitEthernet0/0 and issue 'cdp run'.
C.Enter global configuration mode, issue 'cdp run', then enter interface configuration mode for GigabitEthernet0/0 and issue 'no cdp disable'.
D.Enter global configuration mode, issue 'cdp enable', then enter interface configuration mode for GigabitEthernet0/0 and issue 'no cdp disable'.
AnswerA
solution
! R1
cdp run
interface GigabitEthernet0/0
cdp enable

Why this answer

CDP was disabled globally and on the interface. Enabling CDP globally and then on the interface allows R1 to discover directly connected Cisco devices.

Exam trap

Remember that CDP requires two separate commands: 'cdp run' globally and 'cdp enable' on each interface. Do not confuse the global and interface commands, and do not invent commands like 'no cdp disable'.

Why the other options are wrong

B

The specific factual error is that 'cdp enable' is used on interfaces, not globally. The global command to enable CDP is 'cdp run'.

C

The specific factual error is that 'no cdp disable' is not a valid Cisco IOS command. The proper command is 'cdp enable'.

D

The specific factual errors are: the global command should be 'cdp run', and the interface command should be 'cdp enable'.

641
MCQhard

A network technician is troubleshooting a DHCP relay issue. The router at the branch office is supposed to forward DHCP requests from local clients to a central DHCP server. Clients connected to Gi0/1 are not receiving IP addresses. The technician verifies that the DHCP server is reachable from the router, that no ACLs are blocking DHCP traffic, and that the DHCP scope on the server has available leases. Upon checking the running configuration, the technician notices that the ip helper-address command is applied to interface Gi0/0 (the WAN link toward the server) instead of Gi0/1. What should the technician do next?

A.Check the DHCP server logs for any error or warning messages related to the clients' requests.
B.Move the ip helper-address command from interface Gi0/0 to interface Gi0/1.
C.Issue the show ip interface brief command to ensure that interface Gi0/1 is in an up/up state.
D.Remove the ip helper-address from Gi0/0 and then reapply it to the same interface to ensure the command is active.
AnswerB

DHCP relay requires the helper address to be configured on the interface that faces the DHCP clients (the broadcast domain where clients send their DHCPDISCOVER messages). By moving the command to Gi0/1, the router will correctly intercept and forward client requests to the DHCP server.

Why this answer

The ip helper-address command must be configured on the interface that receives DHCP broadcasts from clients—in this case, Gi0/1, the LAN-facing interface. Placing it on the WAN interface (Gi0/0) means the router never sees the client broadcasts and therefore never relays them. Moving the command to Gi0/1 enables the router to intercept DHCP discoveries and forward them as unicast packets to the DHCP server.

This action directly addresses a common DHCP relay misconfiguration at the network services layer.

Exam trap

The most common incorrect next step is checking DHCP server logs (Option A). Candidates often assume the problem lies on the server side when clients fail to obtain addresses, overlooking the relay placement configuration on the router. Another trap is to reapply the helper address on the same WAN interface, hoping it will take effect.

Why the other options are wrong

A

This skips the obvious configuration mismatch and targets the wrong component. It assumes the issue is on the server side rather than the router's DHCP relay placement.

C

This action investigates Layer 1/2 status when the problem is already identified as a Layer 3 (DHCP relay) configuration error. It skips applying the fix and delays resolution.

D

Candidates might think the command simply didn't take effect and that reapplying it solves the problem, misunderstanding the directional requirement of DHCP relay placement.

642
MCQhard

A network engineer has implemented DHCP snooping on a Cisco switch to prevent unauthorized DHCP servers. The switch's VLAN 100 SVI is configured with ip helper-address to relay DHCP requests to a legitimate server in VLAN 200. Clients in VLAN 100 cannot obtain IP leases, even though the DHCP server is reachable from the switch and has available addresses.

A.The ip helper-address command has been incorrectly applied to VLAN 100 instead of VLAN 200.
B.The switch port that connects to the DHCP server's VLAN is not configured as a trusted DHCP snooping port.
C.DHCP snooping must be disabled globally because it conflicts with the configured DHCP relay agent.
D.The DHCP server lacks a valid default gateway, preventing replies from reaching the relay agent's SVI subnet.
AnswerB

DHCP snooping classifies ports as trusted or untrusted. Server-originated DHCP messages (Offer/ACK) are only allowed on trusted ports. The server's response comes from VLAN 200, so the interface facing that server must be trusted.

Why this answer

DHCP snooping treats all switch ports as untrusted by default, which blocks DHCP server messages (OFFER, ACK) from entering the switch. Even though the switch itself can reach the DHCP server, the relayed reply from the server arrives on a port that is not trusted, so DHCP snooping drops the packet before it can be forwarded to the client. Configuring the port connecting to the DHCP server as a trusted port allows the server's responses to pass through the switch, resolving the issue.

Exam trap

Cisco often tests the interaction between DHCP snooping and DHCP relay, where candidates mistakenly think the relay bypasses snooping or that the issue is with the helper-address configuration, rather than the untrusted port blocking the server's unicast reply.

Why the other options are wrong

A

Many engineers mistakenly think the helper should reside on the server VLAN; however, it must reside on the client-facing L3 interface.

C

A common misconception is that DHCP relay bypasses snooping, but snooping still inspects the server's unicast response and drops it unless the ingress port is trusted.

D

Candidates often suspect routing issues, but verified reachability eliminates this. The problem lies in the snooping policy, not IP connectivity.

643
Multi-Selectmedium

Which two statements about ARP on an IPv4 Ethernet network are correct? (Choose two.)

Select 2 answers
A.An ARP request is sent as a Layer 2 broadcast.
B.An ARP reply is normally sent as a unicast frame.
C.ARP is used to map IPv6 addresses to MAC addresses.
D.ARP is forwarded by routers across subnets by default.
AnswersA, B

Correct. The requester does not yet know the destination MAC.

Why this answer

ARP resolves an IPv4 address to a MAC address on the local segment. ARP requests are broadcast; ARP replies are typically unicast.

Exam trap

Be careful not to confuse ARP requests with replies, and remember that ARP operates only within a local segment.

Why the other options are wrong

C

ARP is specifically designed for IPv4 networks to map IPv4 addresses to MAC addresses. IPv6 uses Neighbor Discovery Protocol (NDP) with ICMPv6 messages to perform address resolution, not ARP.

D

ARP operates only within a single broadcast domain (subnet) and is not forwarded by routers. Routers separate broadcast domains and do not forward ARP requests or replies across subnets by default.

644
PBQhard

You are connected to R1, a Cisco router running IOS-XE. Configure SNMP v2c with a read-only community string 'publicRW' (note: the string is intentionally misnamed for the task), and SNMP v3 with user 'admin' using MD5 authentication (password 'cisco123') and DES encryption (password 'cisco456'). Ensure SNMP traps for linkUp/linkDown are sent to the management server at 192.0.2.100. Additionally, configure NetFlow export to send version 9 flow records to 192.0.2.200 on UDP port 2055, and ensure that only inbound traffic on GigabitEthernet0/0 is monitored. Finally, verify your configuration using 'show snmp' and 'show ip cache flow'.

Network Topology
G0/010.0.0.1/30G0/010.0.0.2/30linkR1R2

Hints

  • Remember to create the SNMP v3 user with both auth and priv parameters.
  • NetFlow requires both a destination and version; also apply flow monitoring on an interface.
  • Use 'snmp-server enable traps' to activate trap generation before specifying the host.
A.snmp-server community publicRW ro snmp-server user admin admin v3 auth md5 cisco123 priv des cisco456 snmp-server enable traps snmp linkdown linkup snmp-server host 192.0.2.100 traps version 2c publicRW ip flow-export destination 192.0.2.200 2055 ip flow-export version 9 interface GigabitEthernet0/0 ip flow ingress
B.snmp-server community publicRW ro snmp-server user admin admin v3 auth md5 cisco123 priv des cisco456 snmp-server enable traps snmp linkdown linkup snmp-server host 192.0.2.100 traps version 2c publicRW ip flow-export destination 192.0.2.200 2055 ip flow-export version 9
C.snmp-server community publicRW ro snmp-server user admin admin v3 auth md5 cisco123 priv des cisco456 snmp-server enable traps snmp linkdown linkup snmp-server host 192.0.2.100 traps version 2c publicRW ip flow-export destination 192.0.2.200 2055 ip flow-export version 9 interface GigabitEthernet0/0 ip flow egress
D.snmp-server community publicRW ro snmp-server user admin admin v3 auth md5 cisco123 priv des cisco456 snmp-server enable traps snmp linkdown linkup snmp-server host 192.0.2.100 traps version 2c publicRW ip flow-export destination 192.0.2.200 2055 ip flow-export version 9 interface GigabitEthernet0/0 ip flow monitor FLOW-MONITOR input
AnswerA
solution
! R1
snmp-server user admin admin v3 auth md5 cisco123 priv des cisco456
snmp-server enable traps snmp linkdown linkup
snmp-server host 192.0.2.100 traps version 2c publicRW
ip flow-export destination 192.0.2.200 2055
ip flow-export version 9
interface GigabitEthernet0/0
ip flow ingress
end

Why this answer

The initial configuration has an SNMP v2c community string 'publicRW' set as RO, but the task requires it to be the read-only string. The SNMP v3 user 'admin' with MD5/DES is missing entirely, as are trap destinations and NetFlow export. To fix, first add the SNMP v3 user with 'snmp-server user admin admin v3 auth md5 cisco123 priv des cisco456', then enable traps with 'snmp-server enable traps snmp linkdown linkup' and 'snmp-server host 192.0.2.100 traps version 2c publicRW'.

For NetFlow, configure 'ip flow-export destination 192.0.2.200 2055', 'ip flow-export version 9', and apply flow monitoring on an interface (e.g., 'interface GigabitEthernet0/0' with 'ip flow ingress'). The 'show snmp' command will display the community strings and trap receivers, while 'show ip cache flow' will show flow records.

Exam trap

Students often forget to apply NetFlow on an interface with 'ip flow ingress' or confuse it with Flexible NetFlow commands. Also, they may omit the trap enable command or use the wrong SNMP version for trap delivery. Always ensure that NetFlow collection is enabled on an interface and that SNMP traps are both enabled globally and sent to the correct host.

Why the other options are wrong

B

The configuration omits the 'ip flow ingress' (or any) interface command, so NetFlow will not collect any traffic.

C

The 'ip flow egress' command monitors outbound traffic, not the specified inbound traffic on GigabitEthernet0/0.

D

The 'ip flow monitor FLOW-MONITOR input' command references a flexible NetFlow monitor that does not exist; traditional 'ip flow ingress' is required.

645
MCQmedium

Which command places a switch interface into trunking mode directly instead of relying on negotiation?

A.switchport mode trunk
B.switchport access vlan 10
C.switchport mode dynamic auto
D.spanning-tree portfast
AnswerA

This is correct because it directly forces the interface into trunk mode.

Why this answer

The direct command is `switchport mode trunk`. In plain language, this tells the switch to behave as a trunk port rather than waiting to negotiate that role through DTP. That makes the administrative intent clear and avoids ambiguity. In many production environments, explicit configuration is preferred because it is easier to understand and troubleshoot than relying on negotiation behavior.

This is a core CCNA switching idea because trunks and access ports serve very different purposes. The wrong answers either describe negotiation states or commands that relate to other aspects of VLAN behavior. The best answer is the one that directly forces the interface into trunk mode instead of merely suggesting or passively waiting for trunking.

Exam trap

Be careful not to confuse commands that involve negotiation or specify encapsulation with those that directly set the mode.

Why the other options are wrong

B

The command 'switchport access vlan 10' assigns the interface to a specific access VLAN, placing it in access mode, not trunk mode. Trunk mode is required to carry multiple VLANs, and this command does not enable trunking.

C

The command 'switchport mode dynamic auto' places the interface in a mode that waits for the neighboring switch to initiate trunking via DTP. It does not directly force trunking; the interface will only become a trunk if the neighbor is set to 'dynamic desirable' or 'trunk'.

D

The command 'spanning-tree portfast' is used to speed up the transition of an access port to the forwarding state, bypassing the listening and learning phases. It has no effect on trunking mode and is unrelated to VLAN trunk configuration.

646
Drag & Dropmedium

Drag and drop the following steps into the correct order to retrieve the operational status of interface GigabitEthernet0/0 using NETCONF and the ietf-interfaces YANG model.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5
6Step 6

Why this order

First, establish an SSH connection to the device's NETCONF subsystem (TCP port 830). The NETCONF protocol then performs a capability exchange via <hello> messages to ensure both sides support the required YANG models. Next, a <get> RPC with an XPath filter is sent to request the specific interface status.

The server replies with <rpc-reply> containing the XML data. The client parses the XML to extract the desired value. Finally, the NETCONF session is closed by a <close-session> RPC, and the SSH connection is terminated.

This order ensures a proper NETCONF transaction lifecycle.

647
MCQhard

A host cannot communicate with its default gateway. The technician uses the show arp command on the host and sees that the ARP entry for the gateway IP is incomplete. The technician has already verified that the Ethernet cable is securely connected and the switch port is active. What should the technician do next?

A.Check the switch port’s VLAN configuration and ensure the host and router interface are in the same VLAN.
B.Replace the Ethernet cable between the host and the switch.
C.Clear the ARP cache on the host and attempt to ping the gateway again.
D.Check the router’s routing table for a route to the host’s subnet.
AnswerA

If the host and gateway are in different VLANs, the ARP request broadcast never reaches the gateway, so the entry stays incomplete. This step directly addresses the most probable Layer 2 fault after excluding physical issues.

Why this answer

An incomplete ARP entry for the default gateway indicates that the host sent an ARP request but never received a reply. Since the physical layer (cable and switch port) is verified as operational, the most likely cause is a Layer 2 mismatch: the host and the router interface are in different VLANs, preventing the ARP reply from reaching the host. Checking the switch port's VLAN configuration ensures both devices are in the same broadcast domain, which is required for ARP to function.

Exam trap

Cisco often tests the distinction between Layer 2 connectivity (ARP, VLANs) and Layer 3 connectivity (routing), leading candidates to incorrectly focus on routing tables or ARP cache clearing when the real issue is a VLAN mismatch.

Why the other options are wrong

B

Candidates may equate a physical link symptom with a faulty cable, but the port’s active status indicates a good L1 connection. This action skips necessary logical checks.

C

This is a common ‘quick fix’ mindset, but in a structured troubleshooting process, clearing the cache hides information without solving the root cause.

D

Candidates might confuse local ARP failure with reachability issues to a remote subnet, but the gateway is the router itself. Routing is irrelevant until the destination is off-segment.

648
MCQeasy

Which HTTP method is normally used by a REST API client to retrieve data from a resource without changing it?

A.POST
B.PUT
C.GET
D.DELETE
AnswerC

GET retrieves resource information.

Why this answer

GET requests read a resource. They are used to retrieve state or information without modifying the target object.

Exam trap

Confusing HTTP methods can lead to selecting POST or PUT when the question specifically asks for retrieving data without modification. POST is often associated with creating resources, and PUT with updating them. Selecting DELETE is clearly incorrect as it removes resources.

The trap is to overlook that GET is the only method designed to safely retrieve data without side effects, which is critical in REST API operations relevant to network programmability.

Why the other options are wrong

A

POST is incorrect because it is used to create or submit data, not to retrieve data without changes.

B

PUT is incorrect as it replaces or updates a resource, which modifies the data rather than just retrieving it.

D

DELETE is incorrect since it removes a resource, not retrieves data.

649
MCQhard

Exhibit: A router has the following routes in its routing table: - OSPF: 10.1.1.0/24 - Static: 10.1.1.128/25 - Default: 0.0.0.0/0 A packet is destined for 10.1.1.130. Which route does the router use?

A.The OSPF 10.1.1.0/24 route
B.The static 10.1.1.128/25 route
C.The default route
D.The router load-balances across all three
AnswerB

Longest-prefix match sends 10.1.1.130 to the /25.

Why this answer

Routers use longest-prefix match before they think about metrics. The /25 route for 10.1.1.128/25 is more specific than the /24 or the default route, so traffic for 10.1.1.130 follows that path.

Exam trap

A common exam trap is to select a route based solely on routing protocol preference or administrative distance without considering prefix length. Many candidates incorrectly choose the OSPF 10.1.1.0/24 route because OSPF is a dynamic protocol and might assume it is preferred over a static route. However, Cisco routers always apply longest-prefix match first, so the static 10.1.1.128/25 route is chosen because it is more specific.

Another trap is to think the router load-balances across all routes, but load balancing only occurs among routes with equal prefix length and metric, not across different subnet sizes.

Why the other options are wrong

A

The OSPF 10.1.1.0/24 route matches the destination IP but has a shorter prefix length than the static /25 route. Since longest-prefix match takes priority, this route is not used.

C

The default route is a last-resort route used only when no other specific routes match the destination IP. Since more specific routes exist, it is not selected here.

D

The router does not load-balance across routes with different prefix lengths because longest-prefix match selects a single best route, so this option is incorrect.

650
MCQmedium

A switch stack is running PVST+. Users on VLAN 40 lose connectivity for roughly 30 seconds every time the uplink on SW2 flaps. Based on the exhibit, which change would most directly improve convergence for this VLAN?

A.Configure spanning-tree mode rapid-pvst.
B.Increase the bridge priority on SW2 for VLAN 40.
C.Disable PortFast on all access ports.
D.Convert the uplink to a routed port.
AnswerA

Rapid PVST+ is the direct fix for slow STP convergence in this case.

Why this answer

The output shows VLAN 40 is still using the legacy IEEE STP process, which converges much more slowly than Rapid PVST+. Moving the switch to rapid-pvst mode gives VLAN 40 the faster proposal/agreement behavior that typically cuts convergence time from tens of seconds to a few seconds.

Exam trap

A frequent exam trap is selecting options that change the root bridge election or port roles, such as increasing bridge priority, assuming this will speed up convergence. While root bridge placement affects path selection, it does not reduce the inherent delay caused by legacy STP timers. Another trap is disabling PortFast on access ports, which only affects edge port transitions and does not influence uplink link flap recovery times.

Additionally, converting uplinks to routed ports changes the network design and removes STP from those ports, which is not the intended solution for VLAN-specific STP convergence delays. The key mistake is confusing topology optimization with protocol speed improvements.

Why the other options are wrong

B

Increasing bridge priority changes root bridge election but does not speed up the STP convergence process, so it does not resolve the 30-second connectivity loss.

C

Disabling PortFast affects only edge ports and does not influence the convergence time of uplink ports or VLANs experiencing link flaps.

D

Converting the uplink to a routed port removes it from STP but alters network design and does not specifically improve VLAN 40’s STP convergence speed.

651
MCQeasy

Which Cisco IOS command configures a default static route pointing to next hop 203.0.113.1?

A.ip route 0.0.0.0 0.0.0.0 203.0.113.1
B.ip default-gateway 203.0.113.1
C.default-information originate 203.0.113.1
D.route add 0.0.0.0 203.0.113.1
AnswerA

Correct. This is the standard Cisco IOS syntax.

Why this answer

A default static route uses the all-zero network and mask, followed by the next-hop IP address or exit interface.

Exam trap

Remember that a default static route uses the all-zero network and mask, not a /32 mask or an exit interface unless specified.

Why the other options are wrong

B

The ip default-gateway command is used on Cisco switches in Layer 2 mode or on routers when IP routing is disabled. On a router with IP routing enabled, this command does not create a static route; it only sets the default gateway for the management interface, not for forwarding traffic.

C

The default-information originate command is used in routing protocols like OSPF or EIGRP to inject a default route into the routing domain. It does not create a static route itself; it only advertises an existing default route (which must already be present in the routing table) to other routers.

D

The route add command is used in Windows or Linux operating systems, not in Cisco IOS. Cisco IOS uses the ip route command to configure static routes. Using route add on a Cisco router would result in an unrecognized command error.

652
MCQhard

A network engineer receives a call that users in VLAN 10 on Switch B cannot ping the default gateway, which is a router on a stick connected to Switch A. The engineer checks the Spanning Tree Protocol state on the interface connecting Switch A to Switch B (GigabitEthernet0/1) and finds it is in a root-inconsistent state. Which command output best explains the cause of the issue?

A.The interface is in err-disable state due to BPDU guard.
B.Root guard is enabled and the port received a superior BPDU, causing it to become root-inconsistent.
C.Loop guard is enabled and the port is in a blocking state due to missing BPDUs.
D.The port is in a forwarding state but the VLAN is misconfigured.
AnswerB

Root guard on the interface caused the port to be placed in root-inconsistent state when a superior BPDU was received, blocking the port.

Why this answer

Root guard, when enabled on a port, places that port into a root-inconsistent blocking state if it receives a superior BPDU, preventing the switch from becoming the root bridge. This root-inconsistent state stops forwarding traffic, which explains why users in VLAN 10 cannot reach the default gateway. The port remains physically up but is blocked by spanning tree, so normal interface status would not show a down state, making the root-inconsistent state the key indicator.

Exam trap

Candidates often confuse root guard with BPDU guard: BPDU guard err-disables a port upon receiving any BPDU on a PortFast port, while root guard responds to superior BPDUs by placing the port in root-inconsistent state, not err-disable.

Why the other options are wrong

A

BPDU guard causes an err-disable state, which would show the interface as down or err-disabled, not as root-inconsistent.

C

Loop guard places a port into loop-inconsistent blocking state when BPDUs stop being received, not when a superior BPDU is received.

D

A forwarding state would allow traffic; the problem here is that the port is in a blocked state due to root guard, not a misconfigured VLAN.

653
PBQmedium

You are connected to SW1 via console. SW1 is a Layer 2 switch. Port G0/1 connects to a PC that should be allowed only one MAC address. Currently, the port is configured with default settings. You need to enable port security on G0/1, set the maximum MAC addresses to 1, configure the port to shut down if a violation occurs, and ensure that the first learned MAC address is sticky (i.e., saved to the running config).

Network Topology
G0/1PCSW1

Hints

  • Port security must be enabled on an access port or trunk port.
  • The 'sticky' keyword makes the MAC address sticky and adds it to the running config.
A.interface G0/1 switchport port-security switchport port-security maximum 1 switchport port-security violation shutdown switchport port-security mac-address sticky
B.interface G0/1 switchport port-security switchport port-security maximum 1 switchport port-security violation protect switchport port-security mac-address sticky
C.interface G0/1 switchport port-security switchport port-security maximum 2 switchport port-security violation shutdown switchport port-security mac-address sticky
D.interface G0/1 switchport port-security switchport port-security maximum 1 switchport port-security violation shutdown switchport port-security mac-address 0000.1111.2222
AnswerA
solution
! SW1
interface gigabitethernet0/1
switchport port-security
switchport port-security maximum 1
switchport port-security violation shutdown
switchport port-security mac-address sticky

Why this answer

Enabling port security and setting maximum MAC addresses to 1 limits the port to one device. The violation shutdown mode disables the port if another MAC attempts to use it. Sticky MAC learning dynamically learns the first MAC and saves it to the running configuration.

Exam trap

Be careful to distinguish between the different violation modes: shutdown (disables port), protect (drops packets without notification), and restrict (drops packets and sends SNMP trap). Also, note that sticky MAC learning is different from statically configuring a MAC address; sticky learning automatically saves the learned MAC to the running config.

Why the other options are wrong

B

The violation mode 'protect' does not shut down the port; it only drops offending traffic. The question explicitly requires the port to shut down.

C

The maximum MAC addresses must be set to 1 to restrict the port to a single device. Setting it to 2 allows an additional device.

D

The command 'switchport port-security mac-address 0000.1111.2222' statically assigns a MAC address, which does not allow dynamic learning. Sticky learning is enabled with the 'sticky' keyword.

654
Matchingmedium

Match each IPv4 route type to its most accurate source or description.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Present because the network is directly attached

Manually configured by an administrator

Learned through a routing protocol

Used when no more specific route matches

Why these pairings

Each route type is matched to its defining characteristic. A connected route is automatically generated when an interface is configured with an IP address and is in an up/up state, making it present solely because the network is directly attached. A static route is explicitly entered by an administrator, hence manually configured.

A dynamic route is learned through a routing protocol such as OSPF or EIGRP, without manual input. A default route (0.0.0.0/0) is primarily defined by its use as the last-resort gateway when no more specific route matches the destination, even though it could be statically or dynamically learned; the key distinguishing factor here is its behavior, not its configuration method.

Exam trap

Be careful to match the route type to its specific source or description. Do not assume that any accurate description is the correct match; read the stem carefully. Directly connected routes are unique because they are automatically generated from interface configurations.

655
MCQmedium

Which IPv6 address type is automatically created on an interface and used for communication on the local link only?

A.Global unicast
B.Link-local
C.Unique local
D.Multicast
AnswerB

Correct. Link-local addresses exist per link and are not routed.

Why this answer

Every IPv6-enabled interface generates a link-local address, typically in the FE80::/10 range. It is used for neighbor discovery, local communication, and next-hop resolution on the same link.

Exam trap

A common exam trap is confusing link-local addresses with unique local or global unicast addresses. Link-local addresses are automatically generated and only valid on the local link, whereas unique local addresses resemble private IPv4 addresses but are routable within an organization. Multicast addresses are not assigned to interfaces for unicast communication, so selecting multicast is incorrect.

Understanding the scope and automatic generation of link-local addresses is critical.

Why the other options are wrong

A

Global unicast addresses are routable beyond the local link and are not automatically created for local link communication only.

C

Unique local addresses are similar to private IPv4 addresses and are routable within an organization, not limited to the local link.

D

Multicast addresses are used for group communication and are not assigned as interface addresses for unicast communication.

656
MCQhard

A network administrator is troubleshooting an IPv6 connectivity issue on a newly deployed router. The router's G0/0/0 interface is configured with an IPv6 address using EUI-64, but hosts on that subnet cannot reach the router's link-local address. The administrator runs 'show ipv6 interface g0/0/0' and sees that the interface is up/up but the IPv6 address is not in the expected format. What is the most likely cause of the problem?

A.The interface is administratively down.
B.The IPv6 address was not configured correctly; the 'ipv6 address' command was likely omitted or misconfigured.
C.The MAC address of the interface is invalid, preventing EUI-64 from generating a proper address.
D.The router is not sending Router Advertisements, so hosts cannot autoconfigure.
AnswerB

If the 'ipv6 address' command was omitted, IPv6 is not enabled, and no link-local address exists. If it was misconfigured (e.g., missing the `eui-64` keyword), the router would still have a link-local address, so the symptom of hosts unable to reach the link-local address would not occur. Therefore, omission is the most likely cause given the symptom.

Why this answer

The router's G0/0/0 interface is up/up, but the IPv6 address is not in the expected EUI-64 format. This indicates that the 'ipv6 address' command was likely omitted entirely, because if it were simply misconfigured (e.g., without the `eui-64` keyword), the router would still automatically generate a link-local address, and hosts would be able to reach it. Since hosts cannot reach the link-local address, IPv6 is not enabled on the interface at all.

The correct configuration requires the `ipv6 address` command with the appropriate prefix and the `eui-64` keyword.

Exam trap

Cisco often tests the distinction between interface status (up/up) and configuration correctness, leading candidates to assume that a working interface means the IPv6 address is properly configured, when in fact the address may be missing or misconfigured.

Why the other options are wrong

A

The 'show ipv6 interface' output shows 'up, line protocol is up', indicating the interface is not administratively down. An administratively down interface would show 'administratively down' in the output.

C

The link-local address (FE80::21A:2BFF:FE3C:4D5E) is correctly formed using EUI-64, which requires a valid MAC address. The presence of 'FF:FE' in the middle indicates EUI-64 is functioning properly, so the MAC address is valid.

D

The output shows 'ND router advertisements are sent every 200 seconds', confirming that Router Advertisements are enabled. The problem is about the router's own IPv6 address, not host autoconfiguration.

657
MCQhard

A route to 10.10.20.0/24 disappears when an OSPF adjacency fails. Which design would most directly provide an automatic backup without changing the primary OSPF path during normal operation?

A.A floating static route with a higher administrative distance than OSPF
B.A standard static route with the default administrative distance of 1
C.Removing OSPF entirely and using only a default route
D.Disabling the routing table on the router until failure occurs
AnswerA

This is correct because it provides a backup route without replacing OSPF under normal conditions.

Why this answer

The most direct design is a floating static route with a higher administrative distance than OSPF. In plain language, that means the router keeps a manually configured backup route in reserve but does not use it while the OSPF route remains healthy. If the OSPF path disappears, the backup static route becomes active automatically. This is a very common and practical way to add simple failover.

The key requirement in the question is that the primary OSPF path should remain unchanged under normal conditions. A normal static route with default distance would override OSPF and break that goal. A floating static route avoids that by staying less preferred until a failure occurs. That is why it is the correct design choice here.

Exam trap

Avoid assuming that static routes are always less preferred than dynamic routes without considering administrative distance.

Why the other options are wrong

B

A standard static route with the default administrative distance of 1 would override the OSPF route (AD 110) because a lower AD is preferred. This would replace the primary OSPF path with the static route, not provide a backup that only activates upon failure.

C

Removing OSPF entirely eliminates the primary dynamic routing protocol, which is not a backup solution. The question requires preserving OSPF as the normal path and only providing an automatic backup when OSPF fails.

D

Disabling the routing table is not a valid operational practice; routers require the routing table to forward packets. This option does not provide any automatic backup mechanism and would break connectivity entirely.

658
Matchingmedium

Match each API workflow concept to the description that best fits it.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Target resource path

Requested action such as retrieve or delete

Access-related value carried by the client

Structured payload format

Why these pairings

In REST API workflows, the endpoint is the URL path that identifies a specific resource (e.g., /users). The HTTP method defines the action to perform on that resource, such as GET (retrieve), POST (create), PUT (update), or DELETE (remove). A token is a credential that the client sends in the request header to authenticate and authorize access, and JSON is the lightweight data‑interchange format used to structure the payload in the request body or response.

Exam trap

Don’t mix up the method (which tells the server what to do) with the endpoint (which identifies where to act)—a common mistake is to confuse actions with resource paths, or to think a token is a data format instead of a security credential.

659
PBQhard

You are connected to R1. The inside network 192.168.1.0/24 must be translated to the outside interface IP (198.51.100.1) using PAT (NAT overload). Additionally, a static NAT entry must map host 192.168.1.10 to 203.0.113.10. The current configuration is incomplete and contains errors. Correct the configuration so that both translations work properly.

Network Topology
G0/0 inside192.168.1.1/24G0/1 outside198.51.100.1/24R1

Hints

  • Check the direction of NAT on each interface (inside vs outside).
  • The PAT command requires the keyword 'overload' to enable port address translation.
  • The access list must match the inside local network, not a different subnet.
A.interface GigabitEthernet0/1 ip nat outside ! access-list 1 permit 192.168.1.0 0.0.0.255 ! ip nat inside source list 1 interface GigabitEthernet0/1 overload ip nat inside source static 192.168.1.10 203.0.113.10
B.interface GigabitEthernet0/1 ip nat inside ! access-list 1 permit 192.168.1.0 0.0.0.255 ! ip nat inside source list 1 interface GigabitEthernet0/1 overload ip nat inside source static 192.168.1.10 203.0.113.10
C.interface GigabitEthernet0/1 ip nat outside ! access-list 1 permit 10.0.0.0 0.255.255.255 ! ip nat inside source list 1 interface GigabitEthernet0/1 ip nat inside source static 192.168.1.10 203.0.113.10
D.interface GigabitEthernet0/1 ip nat outside ! access-list 1 permit 192.168.1.0 0.0.0.255 ! ip nat inside source list 1 interface GigabitEthernet0/1 overload ip nat inside source static tcp 192.168.1.10 80 203.0.113.10 80
AnswerA
solution
! R1
interface GigabitEthernet0/1
ip nat outside
exit
ip nat inside source list 1 interface GigabitEthernet0/1 overload
access-list 1 permit 192.168.1.0 0.0.0.255

Why this answer

The configuration has three issues: 1) GigabitEthernet0/1 is incorrectly set as 'ip nat inside' instead of 'ip nat outside'. 2) The PAT command is missing the 'overload' keyword. 3) Access-list 1 permits 10.0.0.0/8, not the inside subnet 192.168.1.0/24. The commands fix these: change the interface to 'ip nat outside', add 'overload' to the PAT command, and update the ACL to permit the correct inside network.

Exam trap

Watch out for three common mistakes: 1) Forgetting to set the outside interface as 'ip nat outside'. 2) Using an ACL that does not match the inside network. 3) Omitting the 'overload' keyword for PAT. Also, do not add protocol/port to static NAT unless specifically required.

Why the other options are wrong

B

The specific factual error is that the interface facing the outside (public) network is incorrectly configured as 'ip nat inside'.

C

The specific factual errors are: 1) The ACL does not match the correct inside network. 2) The 'overload' keyword is omitted, preventing PAT from working.

D

The specific factual error is that the static NAT command includes protocol and port, limiting the translation to TCP port 80 only.

660
MCQmedium

Why is NTP especially valuable when a company uses a centralized Syslog server?

A.It synchronizes device clocks so centralized log timestamps can be correlated accurately.
B.It assigns the Syslog server its IP address.
C.It replaces the need for Syslog entirely.
D.It encrypts all Syslog messages automatically.
AnswerA

This is correct because time alignment improves the usefulness of centralized logs.

Why this answer

NTP is especially valuable because it aligns device clocks, which makes centralized log timestamps much easier to interpret. In practical terms, if devices disagree on time, the combined log stream becomes harder to trust and correlate. NTP improves the timeline accuracy of operational and security analysis.

This is why NTP and Syslog are often discussed together. One centralizes events, and the other makes those events easier to line up correctly.

Exam trap

A common exam trap is to confuse NTP’s role with other network functions such as IP addressing or encryption. Some candidates incorrectly think NTP assigns IP addresses to devices or encrypts Syslog messages. This misunderstanding leads to selecting options that describe unrelated functions.

NTP’s sole purpose is to synchronize clocks across devices, enabling accurate timestamping of logs. Misinterpreting this can cause candidates to overlook the critical importance of time alignment in centralized logging environments, which is the core reason NTP is valuable when using a centralized Syslog server.

Why the other options are wrong

B

Incorrect because NTP does not assign IP addresses; IP addressing is handled by DHCP or manual configuration, not time synchronization protocols.

C

Incorrect because NTP does not replace Syslog; NTP provides time synchronization, while Syslog collects and centralizes log messages from devices.

D

Incorrect because NTP does not encrypt Syslog messages; encryption requires separate protocols such as TLS or IPsec, not time synchronization services.

661
PBQhard

You are connected to R1 via console. R1 is a router that connects two internal subnets (192.168.1.0/24 and 192.168.2.0/24) to the internet via a serial link to ISP. Currently, no ACL is applied. Your task is to configure an extended named ACL on R1 that permits only HTTP (TCP/80) and HTTPS (TCP/443) traffic from the 192.168.1.0/24 subnet to the internet, and denies all other traffic from that subnet. Traffic from 192.168.2.0/24 must be permitted without restriction. Apply the ACL inbound on the interface facing the internal subnets. Additionally, verify that the implicit deny is not blocking necessary traffic by ensuring that the ACL correctly handles the traffic.

Network Topology
G0/0192.168.1.1/24serialR1ISP

Hints

  • Traffic from 192.168.1.0/24 enters R1 through G0/0, so apply the ACL inbound on G0/0.
  • The ACL must include a permit statement for 192.168.2.0/24 to avoid being blocked by implicit deny.
  • Use the 'eq' keyword to match specific port numbers for HTTP (80) and HTTPS (443).
A.ip access-list extended FILTER permit tcp 192.168.1.0 0.0.0.255 any eq 80 permit tcp 192.168.1.0 0.0.0.255 any eq 443 permit ip 192.168.2.0 0.0.0.255 any interface g0/0 ip access-group FILTER in
B.ip access-list extended FILTER permit tcp 192.168.1.0 0.0.0.255 any eq 80 permit tcp 192.168.1.0 0.0.0.255 any eq 443 permit ip 192.168.2.0 0.0.0.255 any interface g0/0 ip access-group FILTER out
C.ip access-list extended FILTER permit tcp 192.168.1.0 0.0.0.255 any eq 80 permit tcp 192.168.1.0 0.0.0.255 any eq 443 permit ip 192.168.2.0 0.0.0.255 any interface g0/1 ip access-group FILTER in
D.ip access-list extended FILTER permit tcp 192.168.1.0 0.0.0.255 any eq 80 permit tcp 192.168.1.0 0.0.0.255 any eq 443 permit ip 192.168.2.0 0.0.0.255 any interface g0/0 ip access-group FILTER in interface g0/1 ip access-group FILTER in
AnswerA
solution
! R1
ip access-list extended FILTER
permit tcp 192.168.1.0 0.0.0.255 any eq 80
permit tcp 192.168.1.0 0.0.0.255 any eq 443
permit ip 192.168.2.0 0.0.0.255 any
interface gigabitEthernet0/0
ip access-group FILTER in

Why this answer

The task required an extended ACL to permit HTTP/HTTPS from 192.168.1.0/24 and all traffic from 192.168.2.0/24. The candidate must create a named ACL (e.g., FILTER), add two permit statements for TCP/80 and TCP/443 from 192.168.1.0 0.0.0.255 to any, then a permit ip from 192.168.2.0 0.0.0.255 to any. The ACL is applied inbound on G0/0 (the interface facing 192.168.1.0/24) because traffic from that subnet enters R1 through G0/0.

Applying it outbound on G0/0 would be incorrect, as it would only filter traffic leaving that subnet, not entering. Also, the ACL must be applied on the correct interface to avoid blocking traffic from 192.168.2.0/24, which enters via G0/1.

Exam trap

The most common trap is confusing inbound vs outbound ACL application. Remember: inbound ACL filters traffic entering the interface; outbound ACL filters traffic leaving the interface. For traffic originating from a subnet, apply the ACL inbound on the interface connected to that subnet.

Why the other options are wrong

B

The ACL is applied in the wrong direction. For traffic originating from 192.168.1.0/24, the ACL must be applied inbound on the interface where that traffic enters the router (G0/0).

C

The ACL is applied on the wrong interface. The interface facing the restricted subnet (192.168.1.0/24) is G0/0, not G0/1.

D

The ACL should only be applied on the interface where the restricted subnet traffic enters (G0/0). Applying it on G0/1 is redundant and could inadvertently filter traffic from 192.168.2.0/24 if the ACL is modified later.

662
MCQhard

A network administrator is troubleshooting connectivity loss in a switched network. All switches run Rapid PVST+. A host connected to an access port on SwitchC can no longer reach the default gateway. The access port is configured with PortFast and BPDU Guard. The administrator checks the interface status and finds it in an err-disabled state. What is the most likely cause of this issue?

A.The root bridge election failed, causing a loop.
B.BPDU Guard detected a BPDU on a PortFast-enabled port and disabled it.
C.Rapid PVST+ is not compatible with PortFast.
D.The port is configured as a trunk but should be an access port.
AnswerB

BPDU Guard is enabled on Gi0/1, and a BPDU was received, causing the port to go err-disabled.

Why this answer

B is correct because BPDU Guard is designed to protect the spanning-tree topology by disabling a PortFast-enabled port if it receives a BPDU, placing the port in err-disabled state. Option A is incorrect: a root bridge election failure would not cause a port to err-disable; loops do not directly trigger this state without BPDU Guard. Option C is incorrect because PortFast and BPDU Guard work with all spanning-tree variants including Rapid PVST+.

Option D is incorrect: a trunk misconfiguration alone would not cause err-disable unless BPDU Guard detects a BPDU on a PortFast port.

Exam trap

Cisco often tests the misconception that PortFast and BPDU Guard are incompatible with Rapid PVST+, but in reality, PortFast is a port-level feature that works identically across all spanning-tree variants, and BPDU Guard is the mechanism that causes the err-disabled state when a BPDU is received.

Why the other options are wrong

A

A root bridge election failure would not place the port in err-disabled state; it would cause loops but not trigger BPDU Guard directly.

C

PortFast and BPDU Guard are fully compatible with Rapid PVST+; this option implies incompatibility, which is incorrect.

D

A trunk misconfiguration alone would not cause the port to go err-disable unless a BPDU is received on a PortFast-enabled port, and BPDU Guard is the specific mechanism for that.

663
MCQmedium

Exhibit: R1 has a static default route to 192.0.2.2 and also learns a default route from OSPF. Which default route is installed in the routing table?

A.The OSPF default route because dynamic routes are preferred
B.The static default route because its administrative distance is lower
C.Both default routes because they have the same prefix length
D.Neither route until a floating static route is configured
AnswerB

Static AD 1 beats OSPF AD 110.

Why this answer

When two routes to the same prefix are learned from different sources, the router compares administrative distance first. A static route has AD 1 by default, while OSPF has AD 110, so the static default route wins unless its AD was changed manually.

Exam trap

A common exam trap is believing that OSPF default routes always override static default routes because dynamic routing protocols are 'more intelligent' or 'preferred.' This misconception leads to selecting the OSPF route as installed, ignoring the fundamental Cisco routing rule that administrative distance determines route preference. Since static routes have a default AD of 1 and OSPF routes have an AD of 110, the static route is preferred unless its AD is manually changed. Misunderstanding this can cause incorrect answers and confusion about route installation behavior.

Why the other options are wrong

A

This option is incorrect because dynamic routes like OSPF are not automatically preferred over static routes. Administrative distance determines preference, and static routes have a lower AD than OSPF by default.

C

This option is incorrect because having the same prefix length does not mean both routes are installed. The router uses administrative distance to choose a single best route.

D

This option is incorrect because a normal static default route is valid and installed immediately. A floating static route is only needed if you want a backup route with a higher AD.

664
PBQhard

You are connected to R1. Configure HSRP so that R1 becomes the active router for VLAN 10, with a virtual IP of 192.168.10.1. Ensure that R1 preempts if it comes back online after a failure. Also, configure R1 to decrement its HSRP priority by 20 if its GigabitEthernet0/1 interface goes down. The current configuration shows both routers as active — identify and fix the issues.

Network Topology
Gi0/0.10192.168.10.3/24Gi0/0.10192.168.10.2/24switchR1R2

Hints

  • Both routers show Active because they have equal priority and no preempt.
  • The virtual IP configured is 192.168.10.254 but the task requires 192.168.10.1.
  • To ensure R1 is active, set its priority higher than R2's default (100) and enable preempt.
A.Change the virtual IP to 192.168.10.1, set priority to 110, enable preempt, and track interface GigabitEthernet0/1 with decrement 20.
B.Change the virtual IP to 192.168.10.1, set priority to 100, enable preempt, and track interface GigabitEthernet0/1 with decrement 20.
C.Change the virtual IP to 192.168.10.254, set priority to 110, enable preempt, and track interface GigabitEthernet0/1 with decrement 20.
D.Change the virtual IP to 192.168.10.1, set priority to 110, enable preempt, but do not track any interface.
AnswerA
solution
! R1
interface GigabitEthernet0/0.10
standby 10 ip 192.168.10.1
standby 10 priority 110
standby 10 preempt
standby 10 track GigabitEthernet0/1 20

Why this answer

The scenario indicates both routers appear as Active, which is abnormal. This could result from a misconfigured virtual IP or group number mismatch. The required fix is to set the virtual IP to 192.168.10.1, assign R1 a higher priority (110 vs R2's default 100), enable preempt so R1 reclaims active role after failure, and track GigabitEthernet0/1 with a decrement of 20 to lower priority if that interface goes down.

Exam trap

Watch for three common mistakes: (1) forgetting to set a higher priority to win the election, (2) using the wrong virtual IP address, and (3) omitting the track command when required. Also note that preempt alone does not guarantee active status if priorities are equal.

Why the other options are wrong

B

HSRP election uses priority as the primary tie-breaker; equal priority leads to comparison of primary IP addresses, which may not favor R1.

C

The virtual IP address must be consistent across all HSRP routers and match the configured gateway; a mismatch prevents proper operation.

D

Without tracking, R1's priority remains unchanged even if the uplink fails, so R1 would remain active despite losing connectivity, causing traffic black-holing.

665
Multi-Selectmedium

Which three statements accurately describe the operation of the Spanning Tree Protocol (STP) root bridge election? (Choose three.)

Select 3 answers
.The switch with the lowest bridge ID (priority + MAC address) becomes the root bridge.
.If two switches have the same priority, the one with the lowest MAC address is chosen.
.All ports on the root bridge are placed in the designated role.
.The root bridge is always the switch with the highest MAC address.
.The root bridge priority can be modified using the 'spanning-tree vlan vlan-id root secondary' command to force it to become root.
.The root bridge election occurs every 30 seconds by default.

Why this answer

The Spanning Tree Protocol (STP) root bridge election is based on the bridge ID, which combines a configurable priority (default 32768) and the switch's MAC address. The switch with the lowest bridge ID wins the election, making option 1 correct. If priorities are equal, the MAC address serves as the tiebreaker, so the switch with the lowest MAC address is chosen, confirming option 2.

Once elected, all ports on the root bridge become designated ports (forwarding), as they are the most efficient paths to the root, making option 3 correct.

Exam trap

Cisco often tests the misconception that the root bridge is elected periodically (e.g., every 30 seconds) or that the 'root secondary' command forces a switch to become root, when in fact the election is event-driven and the command only sets a specific priority for backup purposes.

666
Matchingmedium

Match each route type to its description.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Present because the network is directly attached to a router interface

Manually configured by an administrator

Learned through a routing protocol

Used when no more specific route matches

Why these pairings

Connected routes are automatically generated when a router interface is configured and active because the network is directly attached. Static routes are manually configured by an administrator to define specific paths. Dynamic routes are learned through routing protocols like OSPF or EIGRP.

Default routes serve as a catch-all entry, used when no more specific route matches the destination.

Exam trap

Be careful not to confuse the method of route creation: static routes are manually configured, dynamic routes are learned via protocols, and connected routes are automatically generated. The default route is a special static route but is often considered its own type.

667
Drag & Dropmedium

Drag and drop the following steps into the correct order (recommended best-practice workflow) to configure VLANs, assign access ports, enable 802.1Q trunking, set the native VLAN, and verify the configuration on a Cisco switch running IOS-XE.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4

Why this order

First, create VLANs globally so they exist in the VLAN database. Next, assign access ports to the desired VLANs, ensuring end‑device connectivity is established locally. Then configure trunking on the appropriate interfaces, including setting the native VLAN; doing trunking after access port assignment prevents accidental VLAN propagation across the trunk before all access ports are correctly placed.

Verification is always the final step to confirm the entire configuration. Option D (VLAN creation → trunking → access ports → verify) is technically functional but violates the best‑practice order because trunking should be configured only after access ports are assigned to avoid potential topology issues.

Exam trap

Do not confuse the order of operations: VLANs must exist before ports can be assigned. Also, trunking is configured on specific interfaces, not globally, and should be done after access ports are set. Verification is always the final step.

668
Drag & Dropmedium

Drag and drop the following steps into the correct order to create VLANs, assign access ports, configure 802.1Q trunks, set the native VLAN, and verify with 'show vlan brief' and 'show interfaces trunk'.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4

Why this order

VLANs must be created before assigning ports; trunking is configured after access ports; verification is the final step.

Exam trap

Do not confuse the order of VLAN creation and port assignment. VLANs must be created before ports can be assigned to them. Also, native VLAN configuration is part of trunk configuration and should be done after trunk mode is set.

669
MCQmedium

A switch displays the following output: Interface Status VLAN Gi1/0/5 connected 20 Gi1/0/6 notconnect 1 Gi1/0/24 trunk trunk Which interface is operating as an access port in VLAN 20?

A.Gi1/0/5
B.Gi1/0/6
C.Gi1/0/24
D.None of the interfaces
AnswerA

Correct. It is connected and assigned to VLAN 20.

Why this answer

The output explicitly shows Gi1/0/5 in VLAN 20 and not operating as a trunk.

Exam trap

Be careful not to confuse trunk ports with access ports or assume interfaces not shown in the output are relevant.

Why the other options are wrong

B

Gi1/0/6 is an access port in VLAN 1 (the default VLAN), not VLAN 20. The question specifically asks for an interface operating as an access port in VLAN 20, so this option is incorrect.

C

Gi1/0/24 is configured as a trunk port, which carries traffic for multiple VLANs and is not an access port. Access ports belong to a single VLAN, so this option is incorrect.

D

Gi1/0/5 is clearly an access port in VLAN 20, so there is an interface that matches the description. Therefore, 'None of the interfaces' is incorrect.

670
MCQmedium

A network engineer successfully logs in to a router, but cannot enter configuration mode because the command is rejected by policy. Which AAA function is controlling this behavior?

A.Authentication
B.Authorization
C.Accounting
D.Encryption
AnswerB

Correct. Authorization controls what actions the user may perform.

Why this answer

Authentication confirms identity. Authorization determines which commands, privilege levels, or resources that authenticated user is permitted to access.

Exam trap

A common exam trap is confusing authentication with authorization. Candidates often think that if a user cannot enter configuration mode, it means the login failed, which is incorrect. Authentication only confirms the user's identity during login.

Once authenticated, authorization controls what commands or modes the user can access. Misunderstanding this distinction leads to incorrect answers. The question states the user successfully logged in, so the failure to enter configuration mode is due to authorization restrictions, not authentication failure.

Why the other options are wrong

A

Authentication is the process of verifying a user's identity during login. Since the engineer successfully logged in, authentication has already succeeded and is not preventing command execution.

C

Accounting records user activities and commands for auditing purposes but does not grant or deny access to commands or configuration modes, so it cannot be the cause of the command rejection.

D

Encryption protects data confidentiality during transmission but does not control user access or command permissions, so it is unrelated to the inability to enter configuration mode.

671
Matchingmedium

Match each IPv4 addressing term to its most accurate meaning.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Address that identifies the subnet itself

Address assigned to an individual device in the subnet

Address used to reach all hosts in the subnet

Value that defines network versus host portions

Why these pairings

The network address is the first address in a subnet and identifies the subnet itself. The host address is any usable address assigned to a device within the subnet. The broadcast address is the last address in the subnet, used to send data to all hosts.

The subnet mask is a 32-bit value that separates the network and host portions of an IP address.

Exam trap

Do not confuse the host address with the network address or broadcast address. The host address is the usable IP for a device, while the network and broadcast addresses are reserved.

672
MCQhard

A network engineer notices that users on VLAN 100 are experiencing intermittent connectivity to the server farm. The switch connecting these users shows no errors on the uplink interface, but the server farm switch reports a high number of input errors on its connected interface. The engineer runs 'show controllers' on the server farm switch. What is the most likely cause of the issue?

A.The interface is configured with the wrong duplex setting.
B.The SFP module is faulty or incompatible with the cable type.
C.The cable is too long, causing attenuation.
D.Auto-negotiation is disabled, causing a speed mismatch.
AnswerB

The 'show controllers' output shows the media type as 1000BaseSX SFP with auto-negotiation off, but the interface is reporting no errors. However, the other switch sees input errors. This points to a hardware issue with the SFP, such as a faulty module or a mismatch between the SFP and the fiber cable (e.g., using a single-mode SFP with multi-mode fiber).

Why this answer

The 'show controllers' command on the server farm switch reveals physical-layer issues such as framing errors, CRC errors, or alignment errors, which are often caused by faulty or incompatible SFP modules. Since the uplink interface on the user switch shows no errors, the problem is isolated to the server farm switch's interface, and a faulty SFP can introduce signal degradation or electrical issues without necessarily causing complete link failure. Option B is correct because SFP incompatibility or defects commonly produce input errors at the physical layer, even when the link appears up.

Exam trap

Cisco often tests the distinction between 'show interfaces' (which shows input errors but not the specific physical-layer cause) and 'show controllers' (which reveals the exact physical-layer errors), leading candidates to mistakenly choose duplex mismatch or cable length issues without recognizing that the command output points to SFP or transceiver problems.

Why the other options are wrong

A

The 'show controllers' output confirms Full-duplex on both ends, so a duplex mismatch is not the cause. Duplex mismatch would typically cause collisions or CRC errors, which are not indicated here.

C

While excessive cable length can cause attenuation and errors, the 'show controllers' output does not show specific error counters like symbol errors or FCS errors that would indicate attenuation. The link is up and no errors are reported on this switch, making cable length an unlikely cause.

D

Speed is set to 1000 Mbps on both ends, and auto-negotiation is off, which is normal for fiber connections. A speed mismatch would prevent the link from coming up or cause constant errors, but the link is up and no errors are reported on this switch.

673
Drag & Dropmedium

Drag and drop the following steps into the correct order to troubleshoot a fiber optic link that is down on a Cisco switch using SFP transceiver diagnostics and interface commands.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

The logical troubleshooting sequence moves from simple physical checks to detailed diagnostics. Step 1 verifies the most basic physical layer (cable and connectors). Step 2 confirms the SFP compatibility and seating.

Step 3 checks the interface administrative and protocol status. Step 4 inspects optical levels, which can only be meaningful if the interface is up and the SFP is recognized. Step 5 examines error counters for deeper layer‑1 issues.

This order follows Cisco’s recommended troubleshooting methodology: physical → transceiver → interface status → optical diagnostics → error counters.

674
MCQeasy

Which OSPF component is used to identify routers uniquely inside an OSPF domain?

A.Area ID
B.Router ID
C.Hello timer
D.Wildcard mask
AnswerB

The router ID uniquely identifies an OSPF speaker.

Why this answer

The router ID is the unique identifier OSPF uses for each router. It is not the same thing as the process ID, which is locally significant only.

Exam trap

A frequent exam trap is mistaking the OSPF area ID for the router ID. While area IDs define logical groupings of routers within an OSPF domain, they do not uniquely identify individual routers. Another pitfall is confusing the router ID with the OSPF process ID, which is locally significant and does not uniquely identify routers.

Additionally, some candidates incorrectly select hello timers or wildcard masks, which serve different purposes such as neighbor keepalive intervals and network statement definitions, respectively. Understanding these distinctions is critical to avoid selecting incorrect options that sound related but serve different functions.

Why the other options are wrong

A

Area ID identifies OSPF areas, which are logical subdivisions within the OSPF domain, but it does not uniquely identify individual routers. Selecting area ID confuses the concept of router identification with area grouping.

C

Hello timer controls how often OSPF routers send hello packets to maintain neighbor adjacency. It does not serve as a unique identifier for routers.

D

Wildcard mask is used in OSPF network statements to specify which IP addresses belong to an OSPF area. It does not identify routers uniquely.

675
Matchingmedium

Match each access-layer feature to its most accurate function.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Speeds an edge port into forwarding state

Disables an edge port if a BPDU is received

Separates phone voice traffic from normal user data

Limits and controls MAC address use on a switch port

Why these pairings

PortFast speeds up STP convergence by immediately transitioning an edge port (connected to an end host) from blocking to forwarding state, bypassing listening and learning. BPDU Guard disables an edge port (errdisable) if a BPDU is received, protecting against accidental loops from misconfigured devices. Voice VLAN separates voice traffic from data by assigning a dedicated VLAN to IP phones, enabling QoS and traffic prioritization.

Port Security limits the number of allowed MAC addresses on a switch port and can disable the port or alert if unauthorized MACs are detected, controlling access.

Exam trap

Candidates often confuse PortFast with BPDU Guard, thinking both speed convergence, or mix up voice VLAN with port security. Remember: PortFast is for fast STP transitions, BPDU Guard is for loop protection, voice VLAN isolates phone traffic, and port security controls MAC addresses.

Page 8

Page 9 of 25

Page 10