CCNA Network Infrastructure and Connectivity Questions

75 of 390 questions · Page 3/6 · Network Infrastructure and Connectivity · Answers revealed

151
MCQhard

A network engineer notices that users on VLAN 100 are experiencing intermittent connectivity to the server farm. The switch connecting these users shows no errors on the uplink interface, but the server farm switch reports a high number of input errors on its connected interface. The engineer runs 'show controllers' on the server farm switch. What is the most likely cause of the issue?

A.The interface is configured with the wrong duplex setting.
B.The SFP module is faulty or incompatible with the cable type.
C.The cable is too long, causing attenuation.
D.Auto-negotiation is disabled, causing a speed mismatch.
AnswerB

The 'show controllers' output shows the media type as 1000BaseSX SFP with auto-negotiation off, but the interface is reporting no errors. However, the other switch sees input errors. This points to a hardware issue with the SFP, such as a faulty module or a mismatch between the SFP and the fiber cable (e.g., using a single-mode SFP with multi-mode fiber).

Why this answer

The 'show controllers' command on the server farm switch reveals physical-layer issues such as framing errors, CRC errors, or alignment errors, which are often caused by faulty or incompatible SFP modules. Since the uplink interface on the user switch shows no errors, the problem is isolated to the server farm switch's interface, and a faulty SFP can introduce signal degradation or electrical issues without necessarily causing complete link failure. Option B is correct because SFP incompatibility or defects commonly produce input errors at the physical layer, even when the link appears up.

Exam trap

Cisco often tests the distinction between 'show interfaces' (which shows input errors but not the specific physical-layer cause) and 'show controllers' (which reveals the exact physical-layer errors), leading candidates to mistakenly choose duplex mismatch or cable length issues without recognizing that the command output points to SFP or transceiver problems.

Why the other options are wrong

A

The 'show controllers' output confirms Full-duplex on both ends, so a duplex mismatch is not the cause. Duplex mismatch would typically cause collisions or CRC errors, which are not indicated here.

C

While excessive cable length can cause attenuation and errors, the 'show controllers' output does not show specific error counters like symbol errors or FCS errors that would indicate attenuation. The link is up and no errors are reported on this switch, making cable length an unlikely cause.

D

Speed is set to 1000 Mbps on both ends, and auto-negotiation is off, which is normal for fiber connections. A speed mismatch would prevent the link from coming up or cause constant errors, but the link is up and no errors are reported on this switch.

152
Drag & Dropmedium

Drag and drop the following steps into the correct order to troubleshoot a fiber optic link that is down on a Cisco switch using SFP transceiver diagnostics and interface commands.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

The logical troubleshooting sequence moves from simple physical checks to detailed diagnostics. Step 1 verifies the most basic physical layer (cable and connectors). Step 2 confirms the SFP compatibility and seating.

Step 3 checks the interface administrative and protocol status. Step 4 inspects optical levels, which can only be meaningful if the interface is up and the SFP is recognized. Step 5 examines error counters for deeper layer‑1 issues.

This order follows Cisco’s recommended troubleshooting methodology: physical → transceiver → interface status → optical diagnostics → error counters.

153
Drag & Dropmedium

Drag and drop the following troubleshooting steps into the correct order to diagnose a client connectivity issue using the OSI bottom-up method. The client is unable to access a web server by its FQDN.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4

Why this order

The OSI bottom-up approach starts at Layer 1 (physical), then Layer 2 (data link), Layer 3 (network), and finally Layer 7 (application) for DNS/FQDN resolution. The given sequence follows this principle by checking physical connectivity and link status before IP configuration, then testing DNS and HTTP access.

Exam trap

The trap is that candidates may start troubleshooting at the application layer because the symptom involves DNS/FQDN, but the bottom-up method requires starting at Layer 1. Always follow the specified troubleshooting model exactly.

154
Drag & Dropmedium

Drag and drop the following troubleshooting steps into the correct order to diagnose a client connectivity issue using the OSI bottom-up method.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4

Why this order

The OSI bottom-up method starts at physical layer and moves up. This ensures that lower-layer issues are resolved before higher-layer troubleshooting, preventing wasted effort on symptoms caused by underlying problems.

Exam trap

The exam trap is that candidates may confuse bottom-up with top-down troubleshooting or think that checking the network layer first is more efficient. Remember: bottom-up always starts at the physical layer and proceeds sequentially upward.

155
Multi-Selectmedium

Which three of the following are required to implement inter-VLAN routing on a Cisco switch using a router-on-a-stick configuration? (Choose three.)

Select 3 answers
.A trunk link between the switch and the router, carrying multiple VLANs.
.Subinterfaces on the router, each configured with an IP address in the respective VLAN subnet.
.The switchport mode trunk command on the switch port connecting to the router.
.A separate physical router interface for each VLAN.
.IP routing enabled on the switch.
.A Layer 3 switch with routed ports.

Why this answer

In a router-on-a-stick configuration, inter-VLAN routing is achieved by connecting a single router to a switch via a trunk link. The trunk carries multiple VLANs (using 802.1Q tagging), and the router uses subinterfaces—each configured with an IP address in the respective VLAN subnet—to route traffic between VLANs. The switch port connecting to the router must be configured as a trunk (e.g., with the `switchport mode trunk` command) to allow all VLAN traffic to reach the router.

Exam trap

Cisco often tests the distinction between router-on-a-stick (which requires a trunk and subinterfaces on an external router) and inter-VLAN routing using a Layer 3 switch (which requires IP routing enabled on the switch and SVIs), leading candidates to incorrectly select options that apply to the Layer 3 switch method.

156
Drag & Dropmedium

Drag and drop the following steps into the correct order to replace a faulty fiber optic SFP module and verify the interface on a Cisco IOS-XE switch. Assume the fiber cable is already disconnected from the SFP module.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4

Why this order

The correct order assumes the fiber cable is already disconnected as a safety prerequisite. After removal of the old SFP, insert the new SFP, then reconnect the fiber cable. Finally, verify the interface status with 'show interfaces' and check for errors with 'show interfaces counters errors' to ensure proper operation.

Exam trap

The trap is that candidates may think the cable can be connected at any point, but the correct order requires the module to be inserted before the cable, and the cable must be connected before verification. Also, some may skip the error-checking step, but it is essential for complete verification.

157
Multi-Selectmedium

Which three options are valid steps for configuring a router-on-a-stick inter-VLAN routing setup? (Choose three.)

Select 3 answers
.Create subinterfaces on the router for each VLAN.
.Assign an IP address to each subinterface that matches the VLAN’s default gateway.
.Enable IP routing on the router with the 'ip routing' command.
.Configure the switch ports that connect to the router as access ports in a single VLAN.
.Set the native VLAN on the trunk to match the management VLAN on the switch.
.Use the 'switchport mode access' command on the router-facing switch port.

Why this answer

In a router-on-a-stick configuration, the router uses subinterfaces to connect to multiple VLANs over a single physical interface. Each subinterface must be assigned an IP address that serves as the default gateway for its respective VLAN, and the router must have IP routing enabled (via the 'ip routing' command) to forward traffic between these subinterfaces. The three incorrect options fail because: configuring switch ports as access ports in a single VLAN would restrict connectivity to only that VLAN, breaking inter-VLAN routing; setting the native VLAN on the trunk to match the management VLAN is not required and is unrelated to router-on-a-stick functionality; and using 'switchport mode access' on the router-facing switch port would turn the link into a non-trunk access link, preventing multiple VLANs from reaching the router.

Exam trap

Cisco often tests the requirement to explicitly enable IP routing with the 'ip routing' command, as it is disabled by default on some router platforms, leading candidates to assume routing is automatically active.

158
PBQhard

You are connected to the console of switch SW1. A user on VLAN 10 reports they cannot reach the internet (203.0.113.1). The switch is configured as a Layer 3 switch with SVIs. Identify and correct the misconfiguration that prevents the user's default gateway from functioning. The user's PC has IP address 192.168.10.50/24 and uses 192.168.10.1 as its default gateway.

Network Topology
192.168.10.50/24198.51.100.1198.51.100.1203.0.113.1PCSW1R1Internet

Hints

  • Check the SVI configuration for any 'no' commands that might affect ARP behavior.
  • The switch has a default route, but the client may not be able to resolve the gateway MAC address.
  • Proxy ARP is disabled on the SVI; re-enable it.
A.The SVI for VLAN 10 has 'no ip proxy-arp' configured, and there is no default route on the switch.
B.The SVI for VLAN 10 has the wrong IP address configured; it should be 192.168.10.254 instead of 192.168.10.1.
C.The switch has a default route pointing to 203.0.113.1, but the SVI for VLAN 10 is missing the 'ip helper-address' command.
D.The VLAN 10 interface is administratively down, and the switch needs to be reloaded to apply the configuration.
AnswerA
solution
! SW1
interface Vlan10
ip proxy-arp

Why this answer

The switch's SVI for VLAN 10 has the correct IP address (192.168.10.1) and will always respond to ARP requests for that address regardless of the proxy‑arp setting. The real problem is the absence of a default route, so the switch cannot forward traffic destined for the Internet (203.0.113.1). Option A correctly points to the missing default route as the root cause; the 'no ip proxy-arp' line is present but irrelevant to the SVI's own ARP behavior.

The solution is to configure a default route toward the next‑hop router (198.51.100.1).

Exam trap

Candidates often assume that an SVI needs proxy ARP enabled to answer ARP for its own IP address, overlooking that a Layer 3 switch always responds to ARP requests for its interface addresses. The more critical oversight is forgetting that a Layer 3 switch, like a router, requires a default route to reach external networks.

Why the other options are wrong

B

The specific factual error is that the SVI IP must match the default gateway configured on the client; changing it to a different address would not fix the issue.

C

The specific factual error is confusing DHCP relay with routing; 'ip helper-address' does not affect the default gateway's ability to forward traffic.

D

The specific factual error is that an administratively down interface would cause complete loss of connectivity, not just internet access, and reloading is not a standard troubleshooting step for configuration issues.

159
PBQhard

You are connected to R1 via the console. R1 and R2 are directly connected via their GigabitEthernet0/0 interfaces. The link between them is down. Your task is to diagnose and fix the issue: R1's interface is configured for 100 Mbps full-duplex, but R2 is using auto-negotiation. Additionally, the link requires a Gigabit Ethernet connection over a distance of 5 km. Configure R1's interface to match R2's settings (auto-negotiation) and then select and install the correct SFP module to support the 5 km distance requirement.

Network Topology
G0/010.0.0.1/30G0/010.0.0.2/30SFP linkR1R2

Hints

  • Check the current speed and duplex settings on R1's interface.
  • Auto-negotiation requires both sides to be set to 'auto' to succeed.
  • For distances up to 5 km, use a 1000BASE-LX SFP (single-mode fiber).
A.Configure R1 with 'no speed', 'no duplex', and 'negotiation auto' on GigabitEthernet0/0, then replace the SFP module with a 1000BASE-LX SFP.
B.Configure R1 with 'speed 1000' and 'duplex full' on GigabitEthernet0/0, then replace the SFP module with a 1000BASE-SX SFP.
C.Configure R1 with 'no speed', 'no duplex', and 'negotiation auto' on GigabitEthernet0/0, then replace the SFP module with a 1000BASE-SX SFP.
D.Configure R1 with 'speed 100' and 'duplex full' on GigabitEthernet0/0, then replace the SFP module with a 1000BASE-LX SFP.
AnswerA
solution
! R1
configure terminal
interface gigabitethernet 0/0
no speed 100
no duplex full
negotiation auto
end

Why this answer

The link is down because R1 is forcing speed 100 and full-duplex while R2 is using auto-negotiation. When one side is hard-coded and the other is set to auto, auto-negotiation fails and the link does not come up. The fix is to enable auto-negotiation on R1 by removing the manual speed and duplex settings with the 'no speed' and 'no duplex' commands, and then using 'negotiation auto'.

For the 5 km distance, a standard 1000BASE-SX SFP (550 m) is insufficient; a 1000BASE-LX SFP (up to 10 km) is required. The candidate must also replace the SFP module with a compatible LX SFP.

Exam trap

Students often forget that auto-negotiation must be enabled on both sides for Gigabit Ethernet; hard-coding one side breaks the link. Also, they may confuse SFP types: SX for short range, LX for long range. Always verify distance requirements when selecting fiber optics.

Why the other options are wrong

B

The specific factual error is that hard-coding speed and duplex on one side while the other uses auto-negotiation prevents the link from coming up, and 1000BASE-SX cannot reach 5 km.

C

The specific factual error is that 1000BASE-SX is designed for short-range multimode fiber, not long distances.

D

The specific factual error is that GigabitEthernet interfaces can operate at 100 Mbps, but the SFP module requires 1000 Mbps; additionally, the speed/duplex mismatch prevents the link from coming up.

160
PBQhard

You are connected to WLC-1 via the management interface (192.168.1.100/24). The wireless network 'CustomerNet' uses WPA3-Personal, but clients are failing to associate. The SSID is hidden and the correct VLAN is 30. Configure the WLAN and SSID parameters to allow successful client associations and verify the configuration.

Network Topology
Cisco APWLC-1Clients

Hints

  • Remember to create the interface before assigning it to the WLAN.
  • WPA3-Personal uses a pre-shared key (PSK) but the command is 'security wpa3'.
  • The SSID broadcast must be enabled ('broadcast-ssid enable') for clients to discover it.
A.Create a new interface 'vlan30' with VLAN 30, then create a new WLAN with SSID 'CustomerNet', set security to WPA3-Personal, enable SSID broadcast, and assign the 'vlan30' interface.
B.Modify the existing GuestNet WLAN: change security to WPA3-Personal, enable SSID broadcast, and change the interface to 'guest' (VLAN 20).
C.Create a new WLAN with SSID 'CustomerNet', set security to WPA2-PSK, enable SSID broadcast, and assign the 'guest' interface (VLAN 20).
D.Modify the GuestNet WLAN: change security to WPA3-Personal, keep SSID broadcast disabled, and change the interface to a new interface mapped to VLAN 30.
AnswerA
solution
! WLC-1
config terminal
interface customer
vlan 30
ip address 192.168.30.1 255.255.255.0
exit
wlan 3
ssid CustomerNet
broadcast-ssid enable
security wpa3
security wpa akm psk set-key ascii 0 CiscoSecure123
interface customer
no shutdown
end

Why this answer

The GuestNet WLAN (ID 2) currently uses WPA2 with PSK, but clients expect WPA3-Personal. Additionally, the SSID is hidden (broadcast disabled) and the interface is set to guest (VLAN 20) instead of the required VLAN 30. To fix, create a new WLAN (or modify WLAN 2) to use WPA3-Personal, enable SSID broadcast, and assign it to a new interface mapped to VLAN 30.

Configure the interface first, then apply to the WLAN.

Exam trap

A common trap is to assume that modifying the existing WLAN is sufficient, but you must also ensure the correct VLAN interface exists and is assigned. Additionally, candidates often forget that a hidden SSID must be broadcast for clients to discover it, especially when clients are failing to associate.

Why the other options are wrong

B

The specific factual error is that the interface remains set to 'guest' (VLAN 20) instead of being changed to VLAN 30 as required.

C

The specific factual errors are using WPA2-PSK (clients expect WPA3-Personal) and assigning the wrong VLAN (20 instead of 30).

D

The specific factual error is that the SSID broadcast remains disabled, which means clients cannot see the SSID and will not attempt to associate.

161
MCQhard

A network engineer notices that after issuing the no shutdown command on interface GigabitEthernet0/0 of a router, the interface remains down. The output of show interfaces GigabitEthernet0/0 displays 'GigabitEthernet0/0 is up, line protocol is down'. The physically connected switch port is also administratively down. What is the most likely cause?

A.The connected switch port is administratively down.
B.Mismatched encapsulation types on the router and switch.
C.Speed and duplex mismatch between the router and switch.
D.Incorrect native VLAN configuration on the trunk link.
AnswerA

The switch port in administratively down state causes the router's line protocol to stay down because no Layer 2 connectivity can be established.

Why this answer

The show interfaces output indicates that the router interface is physically up (Layer 1 is functional) but the line protocol is down (Layer 2 is not active). The most common cause for this specific combination is that the connected switch port is administratively down (shutdown), which prevents the switch from sending any keepalive frames or establishing a link. Since the switch port is not forwarding traffic, the router's line protocol cannot come up, even though the router interface itself is no longer in shutdown mode.

Exam trap

Cisco often tests the distinction between 'administratively down' on the local device versus the remote device; candidates may mistakenly think that issuing 'no shutdown' on the router is sufficient, overlooking that the remote switch port must also be enabled for the line protocol to come up.

Why the other options are wrong

B

Candidates often attribute line protocol down to encapsulation issues, missing the clear indication that the switch port is shut down.

C

Duplex mismatch is a common cause of interface issues, so candidates may assume it without considering the explicitly stated admin-down condition.

D

Candidates may recall VLAN mismatch as a cause for line protocol down on trunk links, forgetting that the scenario gives a clear admin-down state.

162
PBQhard

You are managing a Cisco WLC (WLC-1) with IP 10.10.10.10. A wireless client reports it can see the SSID 'CorpNet' but fails to associate. The SSID is configured for WPA3, but the client only supports WPA2. Additionally, the WLAN is mapped to VLAN 100, but the AP is on VLAN 10, causing a mismatch. Your task: reconfigure the WLAN to use WPA2-PSK with AES encryption, correct the VLAN assignment to 10, and ensure the SSID is hidden. Also, verify that management access via the WLC web UI is restricted to the 192.168.1.0/24 subnet.

Network Topology
APWLC-1Client

Hints

  • The client cannot join because WPA3 is required but the client only supports WPA2.
  • The WLAN is on VLAN 100, but the AP is on VLAN 10 — this mismatch prevents client traffic from being properly bridged.
  • Management access is open to all; restrict it to the subnet that contains your admin workstation.
A.Change security to WPA2-PSK with AES, disable PMF, map WLAN to management interface (VLAN 10), disable SSID broadcast, restrict HTTP/HTTPS access to 192.168.1.0/24.
B.Change security to WPA2-PSK with TKIP, enable PMF, map WLAN to VLAN 100, enable SSID broadcast, restrict HTTP access to 192.168.1.0/24.
C.Change security to WPA3-PSK with AES, disable PMF, map WLAN to VLAN 10, disable SSID broadcast, restrict HTTP/HTTPS access to 10.10.10.0/24.
D.Change security to WPA2-PSK with AES, enable PMF, map WLAN to VLAN 10, enable SSID broadcast, restrict HTTP/HTTPS access to 192.168.1.0/24.
AnswerA
solution
! WLC-1
config wlan 1
no security wpa3
security wpa2
security wpa2 akm psk
security wpa2 encryption aes
no security wpa3 pmf
interface VLAN10
no broadcast-ssid
end
config management
management http subnet 192.168.1.0 255.255.255.0
management https subnet 192.168.1.0 255.255.255.0
end

Why this answer

The client cannot associate because the WLAN requires WPA3 (PMF required) but the client only supports WPA2. Also, the WLAN is mapped to VLAN 100, but the AP is on VLAN 10, causing a VLAN mismatch that prevents client traffic from reaching the correct subnet. The SSID is broadcast (visible), and management access is open to all subnets.

To fix: change the WLAN security to WPA2-PSK with AES, disable PMF, map the WLAN to the management interface (VLAN 10), disable SSID broadcast, and restrict HTTP/HTTPS access to subnet 192.168.1.0/24.

Exam trap

The exam trap is that candidates may overlook the VLAN mismatch or the requirement to disable PMF when switching from WPA3 to WPA2. Also, they might forget to restrict both HTTP and HTTPS, or confuse the management subnet with the WLC IP address. Always verify client capabilities and VLAN assignments.

Why the other options are wrong

B

The specific factual error: TKIP is deprecated and not used with WPA2-PSK; PMF must be disabled for WPA2-only clients; VLAN 100 is incorrect; SSID broadcast should be disabled; HTTPS access must also be restricted.

C

The specific factual error: WPA3-PSK requires PMF and is incompatible with WPA2-only clients; the allowed subnet for management is 192.168.1.0/24, not 10.10.10.0/24.

D

The specific factual error: PMF is not supported by all WPA2 clients and can cause association issues; SSID broadcast should be disabled to hide the SSID.

163
PBQhard

You are connected to R1. The link between R1's GigabitEthernet0/0 and R2's GigabitEthernet0/0 should operate at 1 Gbps full duplex, but the interface is showing errors and only negotiating at 100 Mbps half duplex. Diagnose and fix the fault, then verify the link is stable at the correct speed and duplex.

Network Topology
Gi0/010.1.1.1/30Gi0/010.1.1.2/30Cat6 cableR1R2

Hints

  • The interface is manually forced to 100 Mbps half duplex; check the duplex and speed configuration.
  • Auto-negotiation requires both 'duplex' and 'speed' to be in default (no explicit command).
  • CRC errors indicate a duplex mismatch; R2 is likely set to auto-negotiate.
A.Remove the manual speed and duplex settings on R1's GigabitEthernet0/0 with 'no speed' and 'no duplex' to allow auto-negotiation.
B.Change the duplex setting to 'full' and speed to '1000' on R1's GigabitEthernet0/0.
C.Replace the cable between R1 and R2 with a crossover cable.
D.Configure R2's GigabitEthernet0/0 with 'speed 100' and 'duplex half' to match R1's settings.
AnswerA
solution
! R1
enable
configure terminal
interface gigabitEthernet 0/0
no duplex
no speed
end
copy running-config startup-config

Why this answer

The interface was manually configured with 'duplex half' and 'speed 100', which forced the link to 100 Mbps half duplex, causing CRC errors due to duplex mismatch. The correct fix is to remove these manual settings and allow auto-negotiation, or explicitly set both sides to 'speed 1000' and 'duplex full'. Since the remote side (R2) is set to auto (default), the simplest correction is to use 'no duplex' and 'no speed' on R1 to re-enable auto-negotiation.

After the commands are applied, the interface should show 'Full-duplex, 1000Mb/s' and CRC errors should stop incrementing.

Exam trap

The exam trap is that candidates may think manually setting the correct speed and duplex is always the best approach, but they must consider the remote device's configuration. Auto-negotiation is the default and preferred method for Gigabit Ethernet; manual settings should be used consistently on both ends.

Why the other options are wrong

B

The specific factual error is that manually setting speed and duplex on one side while the other side is set to auto can lead to a mismatch; auto-negotiation is required for proper link establishment.

C

The specific factual error is that Auto-MDIX eliminates the need for crossover cables on modern interfaces; cable type is not the cause of the problem.

D

The specific factual error is that matching the incorrect settings does not achieve the desired speed and duplex; it only prevents errors at a lower performance level.

164
Matchingmedium

Drag and drop the PDU names on the left to the correct OSI model layers on the right.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Application Layer (Layer 7)

Transport Layer (Layer 4)

Network Layer (Layer 3)

Data Link Layer (Layer 2)

Physical Layer (Layer 1)

Why these pairings

In the OSI model, each layer processes a specific Protocol Data Unit (PDU): Data is the term for application information at Layer 7, a segment is the Transport layer (Layer 4) PDU, a packet belongs to the Network layer (Layer 3), a frame is the Data Link layer (Layer 2) PDU, and bits are transmitted at the Physical layer (Layer 1). This pairing follows the standard OSI terminology without involving other layers.

Exam trap

Be careful not to swap the PDU names for Transport (segment) and Network (packet). Also, remember that 'Message' is the Application layer PDU, not 'Data'.

165
Matchingmedium

Match the network management function to its primary purpose.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Sends event and log messages to a logging server

Synchronizes device clocks

Provides a framework for monitoring and management information exchange

Transfers files such as configurations or IOS images without strong built-in security

Why these pairings

Syslog is used to send event and log messages to a logging server for centralized monitoring. NTP synchronizes device clocks to ensure consistent timestamps across the network. SNMP provides a framework for monitoring and exchanging management information between network devices and management systems.

TFTP transfers files such as configurations or IOS images but lacks strong built-in security, making it suitable for simple file transfers in controlled environments. The other protocols (NetFlow, RADIUS) are not part of this matching exercise.

Exam trap

Cisco exams often test the specific purposes of these tools—avoid confusing TFTP with more secure file transfer protocols (SCP/FTP) or mixing up Syslog (logging) with SNMP (monitoring).

166
MCQhard

An engineer is deploying a new Cisco Catalyst 9300 switch in a campus wiring closet. The uplink to the distribution switch uses a 1000BASE-LX SFP module. After connecting the fiber, the interface shows 'up/up' but the engineer notices that the 'input errors' counter is incrementing rapidly, with many CRC errors, runts, and giants being reported. What is the most likely cause of these input errors?

A.Replace the SFP with a 1000BASE-SX module.
B.Check the fiber distance and ensure it is within the 5 km limit for 1000BASE-LX; if over, use a single-mode fiber extender.
C.Configure the interface with 'speed 100' and 'duplex full' to match the SFP capabilities.
D.Replace the fiber patch cable with a CAT6a copper cable and use a 1000BASE-T SFP.
AnswerB

The 1000BASE-LX SFP supports up to 5 km over single-mode fiber. If the distance exceeds this, signal attenuation causes errors. A fiber extender or different optics would be needed.

Why this answer

The 1000BASE-LX standard uses long-wavelength laser optics (1300 nm) over single-mode fiber with a maximum distance of 5 km. Exceeding this limit causes signal attenuation and dispersion, generating bit errors that corrupt the frame check sequence (FCS). Cisco IOS counts these as CRC errors.

Runts (frames shorter than 64 bytes) and giants (frames longer than 1518 bytes) also appear because the damaged frames are misinterpreted. Option B correctly identifies the distance limit as the root cause and recommends verifying it or using a fiber extender. Options A and D propose incorrect media, and option C would break the link since 1000BASE-LX operates at fixed 1000/full speed.

Exam trap

Learners often misdiagnose runts and giants as a duplex mismatch, but when CRC errors are present alongside them, the issue is a physical-layer impairment—such as excessive fiber distance—rather than a configuration error.

Why the other options are wrong

A

1000BASE-SX uses multimode fiber with a maximum 550 m distance, which is far shorter than 1000BASE-LX and would not resolve a distance issue.

C

The SFP is fixed at 1000 Mbps full-duplex; manually setting 'speed 100' and 'duplex full' would cause a speed mismatch and prevent the link from coming up.

D

Copper cabling (CAT6a) and a 1000BASE-T SFP are limited to 100 m and cannot solve a fiber distance problem.

167
MCQmedium

A network technician is troubleshooting a connectivity issue between two hosts on different subnets. During the analysis, the technician captures packets and observes that the data link layer frames are being stripped and rebuilt at each router hop. Which layer of the OSI model is responsible for encapsulating the original data into segments before transmission from the source host?

A.Network layer
B.Transport layer
C.Data Link layer
D.Application layer
AnswerB

The Transport layer (Layer 4) is responsible for segmenting upper-layer data and adding a header to create segments (TCP) or datagrams (UDP), enabling reliable or connectionless communication.

Why this answer

The Transport layer (Layer 4) is responsible for encapsulating the original data into segments. Protocols such as TCP (RFC 793) or UDP (RFC 768) add a header containing source and destination port numbers, sequence numbers, and other control information to form a segment. This segmentation occurs at the source host before the data is passed down to the Network layer for routing.

Exam trap

Cisco often tests the distinction between encapsulation layers by describing a Layer 2 behavior (frame stripping/rebuilding) in the scenario to mislead candidates into selecting the Data Link layer, when the question specifically asks about the layer that creates segments at the source host.

Why the other options are wrong

A

The Network layer (Layer 3) encapsulates segments into packets and adds logical addressing (IP addresses) for routing across networks, but it does not perform the initial segmentation of data into segments.

C

The Data Link layer (Layer 2) encapsulates packets into frames and adds physical addressing (MAC addresses) for delivery on a local network segment, but it does not perform segmentation of data into segments.

D

The Application layer (Layer 7) provides the interface for applications to generate data, but it does not perform segmentation or encapsulation into segments. Segmentation occurs at the Transport layer.

168
Multi-Selectmedium

Which two statements accurately describe the role of a default gateway on an IPv4 host?

Select 2 answers
A.It is the next-hop path used for destinations outside the local subnet.
B.It is typically an IP address on the same local subnet as the host.
C.It replaces the need for a subnet mask.
D.It is the same thing as a DNS server.
E.It is used only for broadcast traffic.
AnswersA, B

This is correct because that is the core purpose of a default gateway.

Why this answer

A default gateway gives the host a next hop for traffic that is not destined for the local subnet. In plain language, it is the local router or Layer 3 interface the host uses when the destination is somewhere else. The host still needs its IP address and subnet mask to decide what is local, but once it decides something is remote, the default gateway becomes the path out.

The most common mistake is treating the default gateway like a DNS server or assuming it replaces the subnet mask. It does not. The two correct answers are the ones focused on off-subnet forwarding and the fact that the gateway must be reachable on the host’s own local network.

Exam trap

Avoid confusing the default gateway with DNS functions or thinking it replaces the subnet mask.

Why the other options are wrong

C

The subnet mask is still required for the host to determine whether a destination is local or remote. The default gateway only comes into play for remote destinations; without the subnet mask, the host cannot make that determination.

D

A DNS server resolves domain names to IP addresses, while a default gateway forwards packets to other networks. They are separate services; a host can have a default gateway without a DNS server and vice versa.

E

The default gateway is used for unicast traffic destined to other subnets, not just broadcast. Broadcast traffic is typically confined to the local subnet and does not require a gateway.

169
PBQhard

You are connected via the console to SW1, a Cisco Catalyst 2960 switch. The network administrator reports that users in VLAN 10 (Sales) cannot ping the default gateway 192.168.10.1, which is on R1's GigabitEthernet0/1 interface. SW1's interface GigabitEthernet0/1 connects to R1 and is configured as an access port in VLAN 10. R1's interface GigabitEthernet0/1 is configured with IP 192.168.10.1/24 and no shutdown. However, the link between them is up but the line protocol is down on both sides.

Network Topology
G0/1G0/1linkR1SW1

Hints

  • Check the interface status on both sides for speed/duplex mismatch.
  • Use 'show interfaces' to see if there are CRC errors or runts.
  • Manually set speed and duplex to the same values on both ends.
A.Configure the switchport to use the same speed and duplex settings as the router interface.
B.Change the switchport mode to trunk to allow VLAN 10 traffic to pass to the router.
C.Assign the IP address 192.168.10.1 to the switch's VLAN 10 interface.
D.Enable CDP on both devices to verify neighbor information.
AnswerA
solution
! R1
interface GigabitEthernet0/1
duplex full
speed 100

! SW1
interface GigabitEthernet0/1
duplex full
speed 100

Why this answer

The line protocol down indicates a Layer 1 or Layer 2 issue. The switch was likely set to auto-negotiate while the router defaulted to auto, but mismatch can occur. Setting both sides to 100 Mbps full duplex resolves the issue.

Exam trap

Do not confuse 'line protocol down' with IP addressing or VLAN issues. The line protocol down is a Layer 1/2 problem, often caused by speed/duplex mismatch. Always check physical and data link layer first.

Why the other options are wrong

B

The problem is Layer 1/2, not VLAN tagging. A trunk is used when multiple VLANs need to traverse the link, but the line protocol down indicates a physical or data link issue.

C

The switch's SVI (VLAN interface) is used for management, not for routing user traffic. The problem is at Layer 1/2, not Layer 3.

D

CDP requires the line protocol to be up to exchange information. Enabling CDP does not resolve speed/duplex mismatches.

170
MCQeasy

Which OSI layer is responsible for end-to-end segmentation, port numbers, and reliability functions such as acknowledgments?

A.Network
B.Data Link
C.Transport
D.Session
AnswerC

Correct. TCP and UDP operate at the transport layer.

Why this answer

The Transport layer (Layer 4) is responsible for end-to-end segmentation, port numbers for identifying applications, and reliability functions like acknowledgments and retransmission. The Network layer (Layer 3) handles logical addressing and routing between networks. The Data Link layer (Layer 2) manages local frame delivery and error detection.

The Session layer (Layer 5) controls dialog management and synchronization, not segmentation or ports.

Exam trap

Don't confuse the Transport Layer's end-to-end functions with the Network Layer's routing or the Data Link Layer's local communication roles.

Why the other options are wrong

A

The Network layer provides logical addressing and routing, not end-to-end segmentation or port numbers.

B

The Data Link layer handles local frame delivery and error detection, not end-to-end reliability or port numbers.

D

The Session layer manages dialog control and synchronization, not segmentation, port numbers, or reliability acknowledgments.

171
PBQhard

You are connected to R1. The network has R1, R2, and a multilayer switch MLS1. Configure IPv4 and IPv6 addressing on R1's interfaces so that R1 can ping both R2 (198.51.100.2) and MLS1 (203.0.113.2) via IPv4. Additionally, configure IPv6 on G0/1 using EUI-64 with prefix 2001:db8:1::/64 and verify that R1 can ping the IPv6 address of MLS1 (2001:db8:1::2). The current configuration has incorrect subnet masks and missing IPv6 settings, causing reachability failures.

Hints

  • The subnet mask on both interfaces is too large; it should be /30.
  • IPv6 is not enabled on G0/1 yet; use the 'ipv6 address' command with EUI-64.
  • After changing the mask, the ping should work because the devices will be on the same subnet.
A.Change the subnet mask on G0/0 to 255.255.255.252, change G0/1 to 255.255.255.252, then configure IPv6 on G0/1 with the EUI-64 address using the prefix 2001:db8:1::/64.
B.Change the subnet mask on G0/0 to 255.255.255.0, change G0/1 to 255.255.255.0, then configure IPv6 on G0/1 with the EUI-64 address using the prefix 2001:db8:1::/64.
C.Change the subnet mask on G0/0 to 255.255.255.252, change G0/1 to 255.255.255.252, then configure IPv6 on G0/1 with the static address 2001:db8:1::1/64.
D.Change the subnet mask on G0/0 to 255.255.255.252, change G0/1 to 255.255.255.252, then configure IPv6 on G0/1 with the EUI-64 address using the prefix 2001:db8:1::/32.
AnswerA
solution
! R1
interface GigabitEthernet0/0
ip address 198.51.100.1 255.255.255.252
exit
interface GigabitEthernet0/1
ip address 203.0.113.1 255.255.255.252
ipv6 address 2001:db8:1::/64 eui-64
exit

Why this answer

The interfaces on R1 were configured with subnet masks that were not /30, which is required for these point-to-point links. With an incorrect mask, R1 does not consider the neighboring IPs (198.51.100.2 and 203.0.113.2) as directly connected, preventing ARP resolution and IPv4 reachability. Additionally, IPv6 was missing on G0/1.

To fix, change the subnet mask on G0/0 to 255.255.255.252, change G0/1 to 255.255.255.252, then configure IPv6 on G0/1 with the EUI-64 address using the prefix 2001:db8:1::/64. After these changes, pings succeed.

Exam trap

This question tests your understanding of subnet masks and their impact on Layer 3 reachability. A common trap is to focus only on IPv6 and forget that incorrect IPv4 subnet masks can prevent ARP resolution, even if IPv6 is configured correctly. Also, pay close attention to the exact requirements: EUI-64 and the correct prefix length.

Why the other options are wrong

B

The specific factual error is that /24 masks are too large for point-to-point links and do not match the expected subnets for R2 and MLS1.

C

The specific factual error is that the IPv6 address should be configured with the EUI-64 keyword, not a static address.

D

The specific factual error is that the prefix length must be /64 as specified in the question; a /32 prefix is incorrect for this scenario.

172
MCQmedium

A switch port and a host NIC have a duplex mismatch. Which symptom is most likely?

A.Increased late collisions and poor performance
B.Incorrect VLAN tagging on trunks
C.OSPF area mismatch errors
D.A change in the subnet mask on the host
AnswerA

Correct. Duplex mismatch commonly leads to collisions and poor performance.

Why this answer

A duplex mismatch often causes collisions, frame errors, and degraded throughput, especially on the half-duplex side. It is a classic physical/link layer performance problem.

Exam trap

Don't confuse duplex mismatch symptoms with total connectivity loss or latency-only issues; focus on error and collision symptoms.

Why the other options are wrong

B

VLAN tagging on trunks is a Layer 2 function that deals with VLAN identification using 802.1Q tags. Duplex mismatch is a physical-layer issue affecting how data is sent and received (simultaneous vs. one direction at a time) and has no impact on VLAN tagging.

C

OSPF area mismatch errors are Layer 3 routing protocol issues that prevent OSPF neighbors from forming. Duplex mismatch is a Layer 1/2 problem that affects frame delivery and collision detection, not routing protocol adjacency.

D

A change in subnet mask is a Layer 3 IP configuration change that affects network/host identification. Duplex mismatch is a physical-layer issue and does not alter IP addressing or subnet masks.

173
Multi-Selectmedium

Which TWO interface errors are most likely caused by a mismatch in duplex settings between two connected switches?

Select 2 answers
A.Runts
B.Giants
C.CRC errors
D.Input errors
E.Output errors
F.Flaps
AnswersA, C

Runts are frames smaller than 64 bytes, often caused by collisions on a half-duplex link due to a duplex mismatch.

Why this answer

A duplex mismatch occurs when one switch operates at full duplex while the other operates at half duplex. On the half-duplex side, frames arriving while the interface is transmitting are considered collisions, causing the frame to be truncated into fragments (runts). On the full-duplex side, the switch does not detect collisions but may receive incomplete frames, which are counted as runts if they are less than 64 bytes.

CRC errors also spike because the truncated or corrupted frames fail the Frame Check Sequence (FCS) validation.

Exam trap

Cisco often tests the distinction between runts and giants, where candidates mistakenly think giants are caused by duplex mismatch, but giants are actually linked to jumbo frames or faulty hardware, not duplex negotiation issues.

Why the other options are wrong

B

Giants are frames exceeding the maximum size (typically 1518 bytes) and are caused by MTU misconfiguration, faulty NICs, or software errors, not by duplex mismatch. Duplex mismatch does not affect frame size; it causes collisions and CRC errors.

D

Input errors is a broad counter that includes runts, CRC errors, frame errors, and others. While duplex mismatch can contribute to some input errors, it is not a specific error type. The question asks for 'interface errors' most likely caused by duplex mismatch, and input errors is too generic.

E

Output errors include collisions, late collisions, and underruns. While collisions can occur due to duplex mismatch, output errors are not exclusively caused by duplex mismatch; they can result from other issues like cable faults or interface congestion. The question asks for errors 'most likely' caused by duplex mismatch, and runts and CRC errors are more directly linked.

F

Flaps refer to an interface repeatedly going up and down, typically due to physical layer issues like loose cables, faulty transceivers, or power fluctuations. Duplex mismatch does not cause interface flaps; it causes errors on the link but the interface remains up.

174
MCQhard

A user reports intermittent connectivity to the corporate web server at 10.1.1.100. The user's PC (IP 192.168.1.50/24, gateway 192.168.1.1) can ping the gateway and other local hosts, but pings to the web server time out every few seconds. The network administrator runs a traceroute from the PC and checks the local ARP cache. What is the most likely cause of the intermittent connectivity?

A.The default gateway 192.168.1.1 is not configured to route traffic to the 10.1.1.0/24 network.
B.The web server at 10.1.1.100 has a duplicate IP address conflict with another device on the same subnet.
C.The user's PC has an incorrect subnet mask configured, preventing communication with the web server.
D.The web server is powered off or has a faulty network interface card.
AnswerB

The ARP cache shows an entry for 192.168.1.100, which is the web server's IP but on the wrong subnet (should be 10.1.1.x). This indicates that a device on the local subnet (192.168.1.0/24) is using the IP 192.168.1.100, causing the user's PC to associate the web server's IP with a local MAC address. This leads to intermittent connectivity as the PC may send traffic to the wrong device.

Why this answer

The intermittent connectivity and successful pings to the gateway and local hosts, combined with a traceroute that likely shows the first hop succeeding but subsequent hops failing, point to a duplicate IP address conflict on the web server's subnet. When two devices share the same IP address (10.1.1.100), the switch's MAC address table flips between the two MAC addresses, causing packets to reach the correct server only intermittently. This explains why pings time out every few seconds rather than failing consistently.

Exam trap

Cisco often tests the distinction between consistent failures (e.g., routing misconfiguration or server down) and intermittent failures (e.g., duplicate IP or STP convergence), and the trap here is assuming a routing issue (Option A) when the symptom is intermittent, not constant.

Why the other options are wrong

A

The traceroute shows the first hop (gateway) responds, indicating the gateway is reachable and routing is functioning. If the gateway lacked a route to 10.1.1.0/24, it would typically send an ICMP Destination Unreachable (Network Unreachable) message, not cause intermittent timeouts. The issue is more specific to ARP confusion at the local subnet.

C

The ipconfig /all output shows the correct subnet mask (255.255.255.0) and gateway (192.168.1.1). The PC can ping the gateway and other local hosts, confirming the subnet mask is correct. An incorrect subnet mask would prevent communication with the gateway or local hosts, not just the remote server.

D

If the web server were powered off or had a faulty NIC, the traceroute would likely show no response from any hop beyond the gateway, and the ARP cache would not show an entry for 192.168.1.100. The presence of an ARP entry for that IP indicates that a device is responding to ARP requests, contradicting a complete hardware failure.

175
Drag & Dropmedium

Drag and drop the following steps into the correct order to configure a Cisco switch with an IPv4 management address 192.168.1.10/24, an IPv6 address 2001:db8:1::1/64, and a default gateway 192.168.1.1.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5
6Step 6
7Step 7

Why this order

Correct order:

Enter global configuration mode – all subsequent configuration commands require this mode.

Enter interface configuration mode for VLAN 1 – the management SVI must be selected to apply IP settings.

Assign the IPv4 address 192.168.1.10 255.255.255.0 – sets the switch's management IPv4 address and subnet mask.

Enable the interface with the no shutdown command – activates the SVI so it can send and receive traffic.

Assign the IPv6 address 2001:db8:1::1/64 – enables IPv6 processing and statically configures a global unicast address.

Exit interface configuration mode to return to global configuration mode – required because the default gateway command is a global configuration command, not an interface subcommand.

Set the default gateway to 192.168.1.1 using the ip default-gateway command – provides the next-hop router for IPv4 traffic leaving the local subnet.

176
MCQhard

A user on VLAN 10 reports that they cannot ping the default gateway at 192.168.10.1 from their PC with IP 192.168.10.50/24. The switch interface connecting to the PC is up/up, and the PC shows a valid IP configuration. What is the most likely cause of this connectivity failure?

A.Change the switchport mode to trunk to allow VLAN 10 traffic.
B.Configure an SVI for VLAN 10 with an IP address in the 192.168.10.0/24 subnet.
C.Change the PC's IP address to a different subnet, such as 192.168.20.0/24.
D.Recreate VLAN 10 and reassign the port to it.
AnswerB

This creates a Layer 3 interface on the switch that can serve as the default gateway for hosts in VLAN 10.

Why this answer

The PC and default gateway are on the same subnet (192.168.10.0/24), but the switch lacks a Layer 3 interface for VLAN 10. Without an SVI (Switch Virtual Interface) configured with an IP address in that subnet, the switch cannot route traffic to the gateway or respond to ARP requests from the PC, breaking connectivity even though the access port is up/up.

Exam trap

Cisco often tests the misconception that a VLAN alone provides Layer 3 connectivity, when in fact an SVI or a separate router-on-a-stick configuration is required for inter-VLAN routing and default gateway functionality.

Why the other options are wrong

A

A trunk port is used to carry multiple VLANs between switches, not to connect an end device like a PC. Configuring the switchport as trunk would break connectivity because the PC expects an access port.

C

Changing the PC's IP subnet would not resolve the issue because the PC would still need a default gateway on its new subnet. The root cause is the missing SVI on the switch, not the PC's IP address.

D

Recreating VLAN 10 and reassigning the port does not address the missing SVI. The VLAN already exists and the port is correctly assigned; the issue is at Layer 3, not Layer 2.

177
MCQhard

A host is configured with IP address 192.168.50.94/27. Which subnet contains that host?

A.192.168.50.32/27
B.192.168.50.64/27
C.192.168.50.96/27
D.192.168.50.0/27
AnswerB

This is correct because .94 falls within the .64 through .95 block.

Why this answer

A /27 subnet has a block size of 32. In simple terms, the fourth-octet ranges are 0–31, 32–63, 64–95, 96–127, and so on. Because 94 falls inside the 64–95 range, the network address for the host’s subnet is 192.168.50.64/27.

This kind of question tests whether you can move from prefix length to block size and then place the host inside the correct interval. The most common mistake is choosing a nearby boundary like 96 or 32 without calculating the actual block that contains the address.

Exam trap

Always calculate the subnet range using the block size derived from the prefix length to avoid choosing incorrect boundaries.

Why the other options are wrong

A

The subnet 192.168.50.32/27 covers addresses 192.168.50.32 to 192.168.50.63. The host address 192.168.50.94 is outside this range, so it does not belong to this subnet.

C

The subnet 192.168.50.96/27 covers addresses 192.168.50.96 to 192.168.50.127. The host address 192.168.50.94 is below this range, so it does not belong to this subnet.

D

The subnet 192.168.50.0/27 covers addresses 192.168.50.0 to 192.168.50.31. The host address 192.168.50.94 is far above this range, so it does not belong to this subnet.

178
Matchingmedium

Drag and drop the PDU names on the left to the correct OSI model layers on the right.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Transport layer PDU (TCP)

Data Link layer PDU

Network layer PDU

Physical layer PDU

Application layer PDU

Why these pairings

The correct matches are: Segment → Transport layer PDU, Packet → Network layer PDU, Frame → Data Link layer PDU, Bits → Physical layer PDU, and Data → Application layer PDU. No encapsulation term is included in this exercise.

Exam trap

Be careful not to confuse the PDU names (segment vs. packet) and the direction of encapsulation. Many candidates mistakenly think encapsulation adds headers when going up the stack, but it actually adds them when going down.

179
Multi-Selectmedium

Which TWO statements accurately describe characteristics of copper and fiber optic cabling used in modern Ethernet networks?

Select 2 answers
A.Copper UTP cables can reliably transmit data up to 500 meters without a repeater.
B.Fiber optic cables are immune to electromagnetic interference (EMI).
C.Multi-mode fiber typically uses laser-based transmitters for short-range communication.
D.Single-mode fiber is designed for long-distance transmission with a narrow core.
E.Fiber optic cabling is generally less expensive per meter than copper cabling.
AnswersB, D

Fiber uses light, not electricity, so it is not affected by EMI, making it suitable for noisy environments.

Why this answer

Option B is correct because fiber optic cables transmit data as light pulses through glass or plastic cores, which are completely unaffected by electromagnetic interference (EMI), unlike copper cables that rely on electrical signals and are susceptible to EMI. Option D is correct because single-mode fiber uses a narrow core (typically 9 microns) and laser transmitters to support long-distance transmission (up to tens of kilometers) with low signal loss. Option A is wrong because copper UTP cables are limited to 100 meters without a repeater, not 500 meters.

Option C is wrong because multi-mode fiber typically uses LED or VCSEL transmitters for short-range communication, while laser-based transmitters are used with single-mode fiber. Option E is wrong because fiber optic cabling is generally more expensive per meter than copper cabling, though installation and equipment costs may differ.

Exam trap

Cisco often tests the distinction between multi-mode and single-mode fiber transmitters, where candidates mistakenly associate laser-based transmitters with multi-mode fiber instead of correctly identifying them with single-mode fiber's long-distance, narrow-core design.

Why the other options are wrong

A

Copper UTP cables have a maximum segment length of 100 meters for Ethernet, not 500 meters without a repeater.

C

Multi-mode fiber typically uses LED or VCSEL transmitters, not laser-based transmitters; lasers are used with single-mode fiber for long distances.

E

Fiber optic cabling is generally more expensive per meter than copper cabling, not less expensive.

180
Drag & Dropmedium

Which of the following shows the correct order of steps to troubleshoot a suspected duplex mismatch and CRC errors on a Cisco IOS-XE interface?

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4

Why this order

The proper troubleshooting flow requires moving through the correct configuration hierarchy: from privileged EXEC mode you first enter global configuration mode. Then you specify the affected interface to enter interface configuration mode, where the duplex and speed settings are applied. After making the changes, you exit all configuration modes back to privileged EXEC and use show commands to verify the interface status.

Option A follows this exact sequence. Option B is wrong because it tries to enter interface configuration without global config. Option C mistakenly attempts to set duplex/speed globally, which is not allowed.

Option D not only omits global config but also exits to the wrong mode, leaving you in global configuration instead of privileged EXEC for verification.

Exam trap

A common trap is to forget that you must enter global configuration mode before interface configuration mode. Another trap is to think that duplex and speed can be set globally, but they are interface-specific. Always remember the correct hierarchy: privileged EXEC -> global config -> interface config.

181
MCQhard

An IPv6 host successfully reaches neighbors on its local segment, but it cannot reach remote IPv6 destinations. The host has a global unicast address and a correct prefix length. Which missing item is the strongest suspect?

A.A usable default router or next-hop route for off-link IPv6 traffic
B.A NAT rule translating IPv6 to IPv4
C.A VLAN trunk on the host NIC
D.A second global unicast address on the same interface
AnswerA

This is correct because the host needs a next hop to reach remote IPv6 destinations.

Why this answer

The strongest suspect is the absence of a usable default router learned through IPv6 router advertisements or equivalent configuration. While local connectivity works because the host can communicate on its own link, remote IPv6 destinations require a next hop off the local segment. Option B is wrong because IPv6-to-IPv4 NAT is unnecessary for native IPv6 communication and would not be the primary cause of off-link failure.

Option C is wrong because a VLAN trunk on the host NIC is for carrying multiple VLANs, not for enabling off-link routing. Option D is wrong because a second global unicast address does not provide a default route; it only adds another local address.

Exam trap

Don't confuse local connectivity success with overall network configuration correctness. Always check for a default route when remote communication fails.

Why the other options are wrong

B

NAT rules are not required for native IPv6 communication and would not be the first suspect when a host cannot reach remote IPv6 destinations.

C

A VLAN trunk on the host NIC relates to Layer 2 segmentation, not to providing a default route for off-link IPv6 traffic.

D

A second global unicast address on the same interface does not supply the missing default route needed to reach off-link destinations.

182
PBQhard

You are connected to the Cisco WLC (WLC-1) via its management IP 192.168.1.10. The wireless network 'CorpNet' is configured but clients cannot associate. Troubleshoot and resolve the issue: clients report 'Association failed' and the SSID is not visible in site surveys. Ensure that after your fix, the SSID is broadcast, WPA3 is used, and the WLAN is mapped to VLAN 20. Also, verify the WLC management interface is accessible over HTTPS.

Network Topology
switchWLC-1clients

Hints

  • Check if the WLAN is enabled and broadcasting the SSID.
  • Verify that the WLAN is mapped to a user VLAN, not the management interface.
  • Ensure HTTPS is enabled for web management access.
A.Enable the WLAN, set Broadcast SSID to Enabled, create a dynamic interface for VLAN 20 and map the WLAN to it, and enable the HTTPS server.
B.Enable the WLAN, set Broadcast SSID to Enabled, change the interface to the management interface, and enable the HTTPS server.
C.Enable the WLAN, keep Broadcast SSID Disabled for security, create a dynamic interface for VLAN 20 and map the WLAN to it, and enable the HTTPS server.
D.Enable the WLAN, set Broadcast SSID to Enabled, create a dynamic interface for VLAN 20 and map the WLAN to it, but leave HTTPS disabled for security.
AnswerA
solution
! WLC-1
config wlan 1 enable
config wlan 1 broadcast-ssid enable
config wlan 1 interface vlan20
config interface create vlan20 20
config interface address vlan20 192.168.20.1 255.255.255.0
config wlan 1 interface vlan20
ip http secure-server

Why this answer

The WLAN was disabled, the SSID was hidden (Broadcast SSID Disabled), and it was incorrectly mapped to the management interface instead of a user VLAN. Additionally, HTTPS access was disabled. The solution: enable the WLAN, enable SSID broadcast, change the interface to a VLAN 20 interface (e.g., create a dynamic interface 'vlan20' with VLAN 20), and enable the HTTPS server for management access.

Note: On an AireOS WLC, the correct commands use `config wlan enable <wlan_id>`, `config wlan broadcast-ssid enable <wlan_id>`, and `config network secureweb enable` for HTTPS.

Exam trap

This question tests your ability to identify multiple misconfigurations simultaneously. Common traps: confusing management interface with user VLANs, thinking hidden SSID is acceptable when broadcast is required, and overlooking the HTTPS requirement. Also, ensure you use AireOS-specific commands, not IOS commands like `ip http secure-server`.

Always verify all requirements in the question.

Why the other options are wrong

B

The specific factual error: The management interface is for WLC management traffic, not client data. Client traffic should be on a separate user VLAN.

C

The specific factual error: Broadcast SSID must be enabled for the SSID to be visible. Disabling it hides the SSID, which contradicts the requirement to make it visible.

D

The specific factual error: HTTPS must be enabled for management access. Disabling it would block HTTPS connections to the WLC.

183
Multi-Selectmedium

Which TWO statements correctly describe the configuration and verification of IPv4 and IPv6 parameters for host connectivity, including default gateway, DNS, and subnet masks?

Select 2 answers
A.The subnet mask determines the DNS server address used by the host.
B.The default gateway must be on the same subnet as the host's IP address.
C.IPv6 hosts can only obtain their IP address via DHCPv6.
D.The command 'ipconfig /all' displays both IPv4 and IPv6 configuration details.
E.A host can reach any remote network if its default gateway is configured with any IP address.
AnswersB, D

For a host to send traffic to a remote network, it must use a default gateway that is reachable on its local subnet.

Why this answer

Option B is correct because a host's default gateway must be on the same subnet to be reachable at Layer 2; otherwise, a circular dependency occurs. Option D is correct because the 'ipconfig /all' command displays both IPv4 and IPv6 configuration details, including IP address, subnet mask, default gateway, and DNS servers. Option A is wrong because the subnet mask determines the network and host portions of an IP address, not the DNS server address.

Option C is wrong because IPv6 hosts can obtain their IP address via SLAAC, DHCPv6, or static configuration; the phrase 'can only' makes it incorrect. Option E is wrong because the default gateway must be reachable (on the same subnet) and configured with an IP address that belongs to a router interface on that subnet, not just any IP address.

Exam trap

Cisco often tests the misconception that IPv6 hosts require DHCPv6 for address assignment, when in fact SLAAC is a common and valid method, and the question's wording 'can only' is the trap that eliminates Option C.

Why the other options are wrong

A

The subnet mask is used to determine the network portion of an IP address and the host portion, not the DNS server address. DNS server addresses are configured separately, either manually or via DHCP.

C

IPv6 hosts can obtain their IP address via Stateless Address Autoconfiguration (SLAAC), which does not require DHCPv6. DHCPv6 is optional and used for stateful configuration or to provide additional parameters.

E

The default gateway must be on the same subnet as the host's IP address; otherwise, the host cannot send Ethernet frames to it because the gateway's MAC address would not be reachable via ARP. An arbitrary IP address would not work.

184
Multi-Selectmedium

Which TWO statements correctly describe the configuration and verification of IPv4 and IPv6 parameters for host connectivity?

Select 2 answers
A.On a Windows host, the default gateway IPv4 address must be on the same subnet as the host's IPv4 address.
B.The IPv6 default gateway can be any global unicast address on the internet.
C.The subnet mask is used to define the host portion of an IPv4 address.
D.A DNS server address can be statically configured on a host or obtained dynamically via DHCP.
E.Configuring a DNS server is mandatory for a host to communicate with any other device on the same subnet.
AnswersA, D

The default gateway must be reachable directly via Layer 2; therefore it must share the same network/subnet as the host.

Why this answer

Option A is correct because for a host to reach outside its subnet, the default gateway's IP must be in the same subnet; otherwise the host cannot ARP for the gateway's MAC and traffic will fail. Option D is correct because DNS server addresses can be set manually or assigned via DHCP. Option B is wrong because IPv6 gateways must be on the same local link, not any global unicast address on the internet.

Option C is wrong because the subnet mask defines the network/subnet portion of an IPv4 address, not the host portion. Option E is wrong because DNS is used for name resolution; local IP communication on the same subnet works without DNS.

Exam trap

Cisco often tests the misconception that a default gateway can be any routable address, but the trap here is that both IPv4 and IPv6 default gateways must be on the same local subnet as the host for Layer 2 reachability.

Why the other options are wrong

B

An IPv6 default gateway must be on the same local link, not just any globally routable address.

C

The subnet mask identifies the network bits, not the host bits; the host portion is the inverse of the mask.

E

DNS resolves names to IPs; hosts on the same subnet can communicate with IP addressing alone, making DNS optional.

185
MCQhard

A host address is 172.16.8.70/26. What is the network address of its subnet?

A.172.16.8.0
B.172.16.8.64
C.172.16.8.70
D.172.16.8.128
AnswerB

This is correct because 70 falls within the 64–127 /26 block.

Why this answer

A /26 uses blocks of 64 addresses. In plain language, the fourth-octet subnet ranges are 0–63, 64–127, 128–191, and 192–255. Since the host address ends in 70, it belongs to the 64–127 block. That means the network address of the subnet is 172.16.8.64.

This is a standard subnetting calculation. The key is to identify the correct block based on the prefix and then choose the first address in that block as the network address.

Exam trap

A frequent exam trap is mistaking the host IP address for the network address or selecting the wrong subnet block based on the subnet mask. Candidates often pick 172.16.8.0 because it looks like a common network address or 172.16.8.128 assuming it’s the next block, but these do not contain the host 172.16.8.70 under a /26 mask. The trap arises from not calculating subnet ranges correctly or misunderstanding how subnet masks segment the address space into fixed blocks.

This mistake leads to incorrect subnet identification and can cause routing or addressing errors in real networks.

Why the other options are wrong

A

172.16.8.0 is incorrect because the /26 subnet blocks cover 0–63, 64–127, etc., and the host address 70 does not fall within the 0–63 range. Selecting this ignores the actual subnet boundaries defined by the mask.

C

172.16.8.70 is incorrect because this is the host address itself, not the network address. The network address must be the first address in the subnet block, not a host address within it.

D

172.16.8.128 is incorrect because this subnet block starts at 128, which is above the host address 70. The host does not belong to this subnet, so this cannot be the network address.

186
Matchingmedium

Drag and drop the cable types and transceivers on the left to their corresponding distance limits or interface diagnostics on the right.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

100 meters maximum segment length

550 meters maximum segment length

5 km maximum segment length

300 meters over multimode fiber

Displays interface errors, speed, and duplex

Why these pairings

Each cable type or transceiver has a specified maximum distance based on IEEE standards and fiber-optic characteristics. Cat5e UTP supporting 1000BASE-T is limited to 100 meters due to signal attenuation and the 1000BASE-T standard. Multimode fiber OM3 with 1000BASE-SX (short wavelength) reaches up to 550 meters because of modal dispersion and the SX transceiver's power budget.

Singlemode fiber with 1000BASE-LX (long wavelength) can transmit up to 5 kilometers due to lower attenuation and reduced dispersion in single-mode fiber. The SFP-10G-SR (short-reach 10 Gigabit) transceiver over OM3 multimode fiber has a maximum distance of 300 meters per the 10GBASE-SR standard. The 'show interfaces' command displays critical interface diagnostics such as input/output errors, speed, duplex settings, and CRC errors, which are essential for troubleshooting link issues.

Exam trap

Be careful not to confuse the distance limits of multimode vs. single-mode fiber. Remember: SX = short reach (hundreds of meters), LX = long reach (kilometers), ER = extended reach (tens of kilometers). Copper is always 100m.

187
Drag & Dropmedium

Drag and drop the following steps into the correct order to describe the TCP three-way handshake between a PC (192.168.1.10) and a web server (192.168.2.20). Note: Only three of the four steps are part of the actual handshake. Omit the step that is not part of the three-way handshake.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4

Why this order

The three-way handshake between specific IP addresses follows the same SYN, SYN-ACK, ACK sequence, with the client (PC) initiating and the server responding, leading to a connection ready for application data.

Exam trap

Remember that the client always initiates the handshake with a SYN, and the final ACK comes from the client. The server never sends a standalone ACK; it combines SYN and ACK in one segment.

188
MCQmedium

Which rule does a router apply first when selecting a route for a destination packet?

A.Lowest metric across all protocols
B.Oldest route in the routing table
C.Longest prefix match
D.Default route if one exists
AnswerC

Correct. Most-specific route wins first.

Why this answer

Routers first look for the most specific matching prefix. Administrative distance and metrics matter when competing routes exist for the same destination prefix length.

Exam trap

Remember, prefix length is the primary factor in route selection, not administrative distance or metrics.

Why the other options are wrong

A

The router first uses the longest prefix match to select a route; metrics are only compared among routes from the same routing protocol or when administrative distance is equal. Comparing metrics across different protocols is not the first step.

B

Route age is not a primary selection criterion; routers use longest prefix match first, then administrative distance, then metric. Older routes are not preferred over newer ones in the selection process.

D

A default route is only used when no other route matches the destination; the router first checks for more specific matches using the longest prefix match. The default route is the least preferred.

189
Multi-Selectmedium

Which single OSI model layer is responsible for both end‑to‑end reliable data delivery and segmenting data into smaller units?

Select 2 answers
A.Transport layer (Layer 4)
B.Data Link layer (Layer 2)
C.Network layer (Layer 3)
D.Session layer (Layer 5)
E.Transport layer (Layer 4) and Network layer (Layer 3)
AnswersA, E

The Transport layer ensures end-to-end reliable data delivery (e.g., TCP) and segments data into segments (PDU name: segment).

Why this answer

The Transport layer (Layer 4) is the only layer that ensures end‑to‑end reliable delivery using protocols like TCP that provide acknowledgements, sequencing, and retransmissions. At the same time, it segments large application data streams into smaller segments suitable for transmission. The Data Link layer (Layer 2) handles hop‑by‑hop framing but not end‑to‑end reliability.

The Network layer (Layer 3) routes packets but does not guarantee delivery. The Session layer (Layer 5) manages sessions, not reliability or segmentation.

Exam trap

Many learners mistakenly pick the Network layer (Layer 3) because they associate it with IP and packet delivery; however, IP is connectionless and unreliable, while end‑to‑end reliable delivery is exclusively a function of the Transport layer.

Why the other options are wrong

B

The Data Link layer handles framing and error detection on a single link, not end‑to‑end reliability or segmentation across the entire network.

C

The Network layer provides routing and logical addressing but does not guarantee delivery or perform segmentation of data from applications.

D

The Session layer manages dialog control between applications, not data segmentation or reliable transport mechanisms.

190
MCQmedium

Exhibit: A laptop has IP address 10.20.30.44/27. Which address is its directed broadcast for that subnet?

A.10.20.30.31
B.10.20.30.32
C.10.20.30.63
D.10.20.30.64
AnswerC

That is the directed broadcast address for 10.20.30.32/27.

Why this answer

A /27 gives a block size of 32 addresses. The host 10.20.30.44 falls in the 10.20.30.32 to 10.20.30.63 subnet, so the broadcast address is 10.20.30.63.

Exam trap

Avoid confusing the network address or a host address with the broadcast address. Remember, the broadcast address is the last address in the subnet.

Why the other options are wrong

A

10.20.30.31 is the broadcast address of the previous /27 subnet (10.20.30.0/27), not the subnet containing 10.20.30.44. The host 10.20.30.44 belongs to the 10.20.30.32/27 subnet, so its broadcast is 10.20.30.63.

B

10.20.30.32 is the network address (subnet ID) of the subnet 10.20.30.32/27, not the broadcast address. The network address is the first address in the subnet and is used to identify the subnet itself.

D

10.20.30.64 is the network address of the next /27 subnet (10.20.30.64/27), not the broadcast of the current subnet. The broadcast address for 10.20.30.32/27 is 10.20.30.63.

191
Drag & Dropmedium

Drag and drop the following troubleshooting steps into the correct order to diagnose a client connectivity issue using the OSI bottom-up method.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4

Why this order

The bottom-up approach starts at Layer 1 (physical connectivity), then moves to Layer 3 (IP configuration and gateway ping), and finally to Layer 7 (DNS resolution). No Layer 2 step is included in these steps. Verifying IP configuration, such as DHCP and subnet mask, is a Layer 3 activity, not Layer 2.

This method ensures systematic isolation of the problem from the physical layer upward.

Exam trap

The trap is that candidates may skip Layer 1 and go straight to IP configuration or ping, thinking those are the most common issues. Remember: always start at the bottom of the OSI model to methodically isolate the problem.

192
PBQhard

You are connected to the console of R1. The network uses IPv6 with EUI-64. R1's GigabitEthernet0/0 interface has MAC address 001e.4a7b.9c0d. You need to configure an IPv6 address on this interface using EUI-64, with the subnet 2001:db8:abcd:1::/64.

Hints

  • Enable IPv6 globally first if not already done.
  • Use the 'ipv6 address' command with the 'eui-64' keyword.
  • The interface must have IPv6 enabled to use EUI-64.
A.ipv6 address 2001:db8:abcd:1::/64 eui-64
B.ipv6 address 2001:db8:abcd:1::/64
C.ipv6 address 2001:db8:abcd:1::/64 link-local
D.ipv6 enable
AnswerA
solution
! R1
interface GigabitEthernet0/0
ipv6 address 2001:db8:abcd:1::/64 eui-64
ipv6 enable

Why this answer

The 'ipv6 address 2001:db8:abcd:1::/64 eui-64' command configures the IPv6 address using EUI-64, which generates the interface ID from the MAC address. This command alone enables IPv6 on the interface and assigns the global address; the 'ipv6 enable' command is not strictly necessary and is only required if a link-local address is needed without a global address. Option B would configure a static interface ID, not EUI-64.

Option C incorrectly uses the 'link-local' keyword, which is not valid in this context. Option D only enables IPv6 for link-local addressing without assigning a global unicast address.

Exam trap

Remember that EUI-64 requires the 'eui-64' keyword after the prefix. Without it, the address is static. Also, 'ipv6 enable' only creates a link-local address, not a global one.

Why the other options are wrong

B

The command lacks the 'eui-64' keyword, so it does not generate the interface ID from the MAC address.

C

The 'link-local' keyword is used for link-local addresses (fe80::/10), not for global prefixes.

D

The command does not assign the specified subnet prefix; it only activates IPv6 processing.

193
MCQhard

A host address is 192.168.14.222/28. Which address is the broadcast address of its subnet?

A.192.168.14.207
B.192.168.14.223
C.192.168.14.208
D.192.168.14.224
AnswerB

This is correct because .222 belongs to the 208-223 /28 subnet.

Why this answer

A /28 subnet has a block size of 16. In practical terms, the fourth-octet blocks are 0-15, 16-31, and so on. Because 222 falls within the 208-223 block, the broadcast address is the last address in that block: 192.168.14.223.

This is a subnet-boundary question that depends on identifying the correct /28 block before choosing the broadcast address.

Exam trap

Be careful not to confuse the broadcast address with the network address of the next subnet or a host address within the subnet.

Why the other options are wrong

A

192.168.14.207 is the broadcast address of the previous /28 subnet (192.168.14.192/28), not the subnet containing 192.168.14.222.

C

192.168.14.208 is the network address (subnet ID) of the /28 subnet containing .222, not the broadcast address.

D

192.168.14.224 is the network address of the next /28 subnet (192.168.14.224/28), not the broadcast of the current subnet.

194
Multi-Selectmedium

Which TWO of the following are correct regarding Cisco SFP/SFP+ transceivers and their supported cable types?

Select 2 answers
A.A standard SFP+ fiber transceiver can be used with Category 6a UTP cable to achieve 10 Gbps over 100 meters.
B.A 1000BASE-T SFP transceiver can operate over Category 5e UTP cable up to 100 meters.
C.A 10GBASE-LR SFP+ transceiver supports distances up to 10 kilometers over single-mode fiber.
D.An SFP transceiver for 1000BASE-SX can achieve distances up to 5 kilometers over multimode fiber.
E.SFP+ transceivers are backward compatible with SFP slots and can operate at 1 Gbps if the module supports it.
AnswersB, C

The 1000BASE-T standard uses twisted-pair copper cabling (Category 5e or better) and supports distances up to 100 meters. SFP transceivers for 1000BASE-T are available and widely used.

Why this answer

Correct answers are B and C. A 1000BASE-T SFP transceiver operates over Cat 5e or better UTP up to 100 meters as defined by IEEE 802.3ab, making B true. A 10GBASE-LR SFP+ transceiver supports up to 10 km over single-mode fiber, making C true.

Option A is false because standard SFP+ fiber transceivers are not designed for UTP cabling; they require fiber or direct‑attach copper cables. (10GBASE‑T copper SFP+ modules exist but are rarely used in CCNA contexts and are not the typical SFP+ referenced.) Option D is false because 1000BASE‑SX has a maximum distance of 550 meters over multimode fiber, not 5 km. Option E is false because SFP+ transceivers have a larger form factor and do not fit into SFP slots; only SFP modules can fit into SFP+ slots (backward compatibility works the other way).

Exam trap

Cisco often tests the misconception that SFP/SFP+ transceivers are exclusively fiber-optic, causing candidates to forget that 1000BASE-T copper SFPs exist and operate over standard UTP cabling, or they confuse the distance limits of 1000BASE-SX (multimode) with those of 1000BASE-LX (single-mode).

Why the other options are wrong

A

Standard SFP+ fiber transceivers are not designed for copper UTP cabling; they require fiber or direct-attach copper cables.

D

1000BASE-SX (short wavelength) uses multimode fiber and typically supports distances up to 220m (with 62.5/125µm fiber) or 550m (with 50/125µm fiber), not 5 km. Longer distances require single-mode fiber and 1000BASE-LX.

E

SFP+ transceivers themselves are not backward compatible with SFP slots; rather, SFP+ slots can accept SFP modules. The statement is misleading because it suggests SFP+ transceivers can be used in SFP slots, which is generally not true as SFP slots are designed for 1 Gbps modules.

195
MCQmedium

A network administrator is troubleshooting a Windows 10 workstation that cannot access the internet. The workstation receives an IPv4 address starting with 169.254.x.x. The network uses DHCP, and other workstations on the same subnet are working correctly. What is the most likely cause of this issue?

A.The workstation's DNS server settings are incorrect.
B.The workstation's network cable is unplugged or faulty, preventing DHCP communication.
C.The DHCP server has exhausted its address pool.
D.The workstation's default gateway is misconfigured.
AnswerB

A physical connectivity issue (e.g., unplugged or faulty cable) prevents the workstation from reaching the DHCP server, causing it to fall back to APIPA. This is the most common cause when only one workstation is affected.

Why this answer

The 169.254.x.x address is an Automatic Private IP Addressing (APIPA) address assigned by Windows when DHCP fails. Since other workstations on the same subnet work correctly, the DHCP server and network are functional, isolating the issue to the specific workstation. A faulty or unplugged network cable would prevent the workstation from sending DHCP Discover messages, causing it to fall back to APIPA.

Exam trap

Cisco often tests the distinction between DHCP failure symptoms (APIPA) and other connectivity issues, trapping candidates who confuse DNS or gateway misconfigurations with the inability to obtain an IP lease.

Why the other options are wrong

A

Incorrect DNS settings prevent name resolution but do not affect IP address assignment. The workstation would still receive a valid IP from DHCP, not an APIPA address.

C

If the DHCP pool were exhausted, all workstations would fail to obtain addresses and use APIPA. The scenario states other workstations are working correctly, so pool exhaustion is not the cause.

D

A misconfigured default gateway would prevent internet access but the workstation would still receive a valid IP from DHCP. APIPA addresses are only assigned when DHCP fails entirely.

196
Multi-Selectmedium

Which two statements accurately describe subnet masks in IPv4?

Select 2 answers
A.It identifies the network-versus-host split in an IPv4 address.
B.It helps a host determine whether a destination is local or remote.
C.It resolves hostnames into IP addresses.
D.It encrypts packets before they leave the host.
E.It replaces the need for a default gateway.
AnswersA, B

This is correct because that is the primary function of the subnet mask.

Why this answer

A subnet mask tells the host which part of the IPv4 address refers to the network and which part refers to the host. In plain language, it helps the device determine whether a destination is local or remote. That decision is essential because it affects whether the host uses ARP directly or forwards traffic to the default gateway.

The wrong answers usually attribute unrelated behaviors to the subnet mask, such as encryption or hostname resolution. The two correct answers are the ones that preserve its role in defining local scope and address structure.

Exam trap

Avoid confusing subnet mask functions with encryption or DNS, as these are unrelated to IP address segmentation.

Why the other options are wrong

C

Subnet masks are used solely for IP addressing and routing purposes, not for name resolution. Hostname-to-IP-address resolution is performed by the Domain Name System (DNS), which is a completely different protocol and service.

D

Subnet masks do not provide any encryption or security functionality. Encryption of packets is performed by protocols such as IPsec, TLS, or other cryptographic mechanisms, which operate independently of subnet masking.

E

A default gateway is still required for any traffic destined to a different subnet. The subnet mask only defines the local network boundary; it does not provide routing to other networks. Without a default gateway, a host cannot send packets off its subnet.

197
MCQhard

A host address is 192.168.50.158/27. Which address is the network address of its subnet?

A.192.168.50.128
B.192.168.50.159
C.192.168.50.160
D.192.168.50.96
AnswerA

This is correct because 158 belongs to the 128-159 /27 subnet.

Why this answer

A /27 subnet has a block size of 32. In practical terms, the relevant ranges in the last octet are 0-31, 32-63, 64-95, 96-127, 128-159, and so on. Because 158 falls in the 128-159 block, the network address is 192.168.50.128.

This is a block-identification question. Once you identify the correct /27 block, the network address is the first address in that range.

Exam trap

Ensure you calculate the correct block range for the subnet mask given, not just any multiple of the block size.

Why the other options are wrong

B

192.168.50.159 is the broadcast address for the 192.168.50.128/27 subnet, not the network address. The broadcast address is used to send packets to all hosts in the subnet and cannot be assigned to a host.

C

192.168.50.160 is the network address of the next /27 subnet (160-191), not the subnet containing 158. The /27 mask creates subnets with a block size of 32, so the subnet boundaries are multiples of 32.

D

192.168.50.96 is the network address of the 96-127 /27 subnet, which is an earlier subnet. The address 158 falls in the 128-159 range, not the 96-127 range.

198
PBQmedium

You are connected to the console of R1. The network uses IPv6 with EUI-64. R1's GigabitEthernet0/0 interface has MAC address 0011.2233.4455. You must configure the interface to generate an IPv6 link-local address using the 'ipv6 enable' command, and also assign a global unicast address 2001:db8:1::/64 using EUI-64. The interface is currently administratively down.

Network Topology
G0/0linkR1SW1

Hints

  • EUI-64 derives the interface ID from the MAC address.
  • The 'ipv6 enable' command generates a link-local address.
  • The interface must be administratively brought up.
A.R1(config-if)# ipv6 enable R1(config-if)# ipv6 address 2001:db8:1::/64 eui-64 R1(config-if)# no shutdown
B.R1(config-if)# ipv6 address fe80::/10 eui-64 R1(config-if)# ipv6 address 2001:db8:1::/64 eui-64 R1(config-if)# no shutdown
C.R1(config-if)# ipv6 address 2001:db8:1::/64 eui-64 R1(config-if)# no shutdown
D.R1(config-if)# ipv6 enable R1(config-if)# ipv6 address 2001:db8:1::1/64 R1(config-if)# no shutdown
AnswerA
solution
! R1
interface GigabitEthernet0/0
ipv6 enable
ipv6 address 2001:db8:1::/64 eui-64
no shutdown

Why this answer

The ipv6 enable command explicitly creates a link-local address as required by the scenario. The global unicast address with the eui-64 keyword automatically derives the interface ID from the MAC address. Option B is incorrect because it tries to manually configure a link-local address with eui-64, which is unnecessary and invalid.

Option C omits the ipv6 enable command, failing the explicit requirement. Option D assigns a static host portion instead of using eui-64.

Exam trap

When the question specifically mandates the ipv6 enable command for link-local generation, do not omit it; simply configuring a global unicast address will also create a link-local address, but it does not meet the stated objective.

Why the other options are wrong

B

Manually configuring a link-local address with the eui-64 keyword is invalid; link-local addresses are automatically generated.

C

This option does not include the required ipv6 enable command, so it does not satisfy the explicit scenario requirement.

D

Uses a static host address (::1/64) instead of the eui-64 keyword, so the interface ID will not be generated from the MAC address.

199
MCQhard

Refer to the exhibit. A network engineer is troubleshooting a connectivity issue on R1. The serial link to R2 on interface Serial0/1 is using HDLC encapsulation, and the physical cable has been verified as good. The engineer has confirmed that the encapsulation type matches on both routers and that the clock rate is correctly configured on the DCE end. Based on the output, what is the most likely cause of the line protocol down state on Serial0/1?

A.The encapsulation type is mismatched between R1 and R2.
B.The clock rate has not been configured on the DCE end of the serial link.
C.The IP address configured on Serial0/1 conflicts with another interface.
D.The keepalive packets are not being received, causing the protocol to stay down.
AnswerD

With encapsulation and clocking confirmed, the up/down state on a serial link running HDLC points to a keepalive failure—the router is not receiving keepalive messages from the other end.

Why this answer

The exhibit shows Serial0/1 with status 'up' and protocol 'down' (up/down). This indicates Layer 1 is operational but the Layer 2 Data Link layer is not. Since the engineer already verified that encapsulation (HDLC) matches on both ends and the clock rate is correctly set, the only remaining common cause for a serial interface in up/down state is a keepalive failure.

HDLC sends periodic keepalive messages across the link; if they are not received, the line protocol remains down.

Exam trap

Candidates often see 'up/down' on a serial interface and immediately diagnose encapsulation mismatch or clocking issues. However, the scenario explicitly states that encapsulation is matched and clocking is correct, so the trap is an encapsulation mismatch. Test-takers who overlook this detail will select option A.

Why the other options are wrong

A

Candidates might fixate on the up/down status and assume encapsulation mismatch without considering the explicitly stated troubleshooting steps.

B

Students often associate up/down with missing clock rate, but the question precludes this by confirming correct configuration.

C

Some learners confuse Layer 3 problems (IP issues) with the line protocol status that reflects Layer 2 health.

200
MCQhard

A network technician is troubleshooting connectivity between two directly connected Cisco switches. Hosts on VLAN 10 connected to SwitchA cannot ping the default gateway on SwitchB. The interface on SwitchB shows up/up, but the interface on SwitchA shows up/down. The technician examines the interface configuration and status on SwitchA. What is the most likely cause of this issue?

A.Replace the Ethernet cable because it is faulty.
B.Configure both interfaces with the same duplex and speed settings, either both auto or both manually set to full-duplex and 1000 Mbps.
C.Issue the 'shutdown' and 'no shutdown' commands on the interface to recover from err-disabled state.
D.Check the VLAN configuration on SwitchA because the interface is administratively down.
AnswerB

The line protocol being down with up/up on the remote suggests a duplex mismatch, which can occur when one side is manually set and the other is auto-negotiating. Setting both sides consistently resolves the issue.

Why this answer

The interface on SwitchA shows up/down, meaning Layer 1 is active but the line protocol is down. This is commonly caused by a speed mismatch between the two ends. A duplex mismatch, in contrast, typically results in both interfaces showing up/up with CRC errors.

Therefore, the most likely cause is that the speed settings differ—for example, one interface is set to auto-negotiate while the other is hard-coded to a specific speed. Configuring both interfaces with identical speed and duplex settings, either both auto or both manually configured, resolves the issue.

Exam trap

The trap is that up/down is often misinterpreted as a faulty cable or an err-disabled state, but it actually points to a speed mismatch or auto-negotiation failure, not a duplex mismatch.

Why the other options are wrong

A

The interface status shows 'up, line protocol is down', which indicates a Layer 2 issue, not a physical cable fault. Additionally, no CRC, runts, giants, or collisions are reported, so the cable is likely not faulty.

C

The interface status is 'up, line protocol is down', not 'err-disabled'. The err-disabled state would show 'err-disabled' in the interface status, and a shutdown/no shutdown would be appropriate only for err-disabled recovery.

D

The interface status is 'up', not 'administratively down'. An administratively down interface would show 'administratively down, line protocol is down'. VLAN configuration issues typically cause the interface to be up/up but unable to forward traffic, not up/down.

201
PBQmedium

You are connected to the console of R1. The network administrator reports that hosts on VLAN 10 cannot ping the default gateway (192.168.10.1). R1's GigabitEthernet0/1 is connected to a switch with trunk port allowing VLAN 10 and 20. The interface configuration on R1 appears correct, but the VLAN 10 interface is not operational.

Network Topology
G0/1 .1trunkR1SW1

Hints

  • Check the status of the subinterface.
  • Verify that the physical interface is not administratively down.
  • Confirm that the encapsulation command is correct.
A.The physical interface GigabitEthernet0/1 was administratively down.
B.The VLAN 10 subinterface was configured with the wrong encapsulation dot1q VLAN ID.
C.The switch port connected to R1 was not configured as a trunk.
D.The VLAN 10 subinterface was missing the 'no shutdown' command.
AnswerA
solution
! R1
interface GigabitEthernet0/1
no shutdown
interface GigabitEthernet0/1.10
encapsulation dot1Q 10
ip address 192.168.10.1 255.255.255.0

Why this answer

The GigabitEthernet0/1 interface was administratively down (missing 'no shutdown' in the initial config). Although the subinterface had 'no shutdown', the physical interface must also be up. Bringing up the physical interface resolved the issue.

Exam trap

Do not assume that subinterfaces can be independently brought up; always check the physical interface state first. A common trap is to focus on subinterface configuration while ignoring the parent interface.

Why the other options are wrong

B

The specific factual error is that the subinterface would still show as up/up (though traffic would not be forwarded) if the encapsulation were wrong; the problem is the physical interface being down.

C

The specific factual error is that the switch trunk configuration is given as correct; the problem is on the router side, not the switch.

D

The specific factual error is that subinterfaces do not have an independent administrative state; they rely on the physical interface being up.

202
Drag & Dropmedium

Drag and drop the following steps into the correct order to replace a faulty SFP on a Cisco switch and verify the fiber link.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4

Why this order

The correct order is to physically replace the SFP first because installing the new module before connecting the cable prevents potential damage to the connector or fiber from inserting the cable into an empty port. After the SFP is seated, you connect the cable to establish the physical link. Finally, you verify the link status and check for errors (using commands like show interface) to confirm the replacement was successful and the link is operational.

Wrong orders either verify before the change (making the verification meaningless) or connect the cable before installing the SFP, which can damage the equipment.

Exam trap

Candidates often confuse the order of operations when replacing hardware. Remember: always install the hardware first, then connect cables, and finally verify. Do not verify before the change is complete.

203
MCQhard

A host is configured as 192.168.50.130/25. Which address is the broadcast address for its subnet?

A.192.168.50.127
B.192.168.50.128
C.192.168.50.255
D.192.168.50.254
AnswerC

This is correct because the upper /25 block runs through .255, which is the broadcast address.

Why this answer

A /25 divides the /24 into two blocks: 0–127 and 128–255. In plain language, because the host ends in 130, it belongs to the upper half, which starts at 128 and ends at 255. The last address in that block is the broadcast address, so the broadcast is 192.168.50.255.

This is a classic subnetting pattern because it tests whether you can identify not just the subnet, but also the reserved last address in that subnet.

Exam trap

A frequent exam trap is mistaking the network address or a high usable host address for the broadcast address. Candidates often select 192.168.50.128, confusing it as the broadcast because it is the start of the upper subnet, or 192.168.50.254, assuming it is the broadcast since it is near the subnet's end. The trap lies in not recognizing that the broadcast address is always the highest address in the subnet, which in this case is 192.168.50.255.

Misidentifying these addresses leads to incorrect subnet calculations and can cause network communication failures in real scenarios.

Why the other options are wrong

A

192.168.50.127 is the broadcast address for the lower /25 subnet (192.168.50.0/25), not the subnet containing 192.168.50.130. Since the host IP is in the upper subnet, this option is incorrect.

B

192.168.50.128 is the network address of the upper /25 subnet (192.168.50.128/25), not the broadcast address. Network addresses cannot be assigned to hosts or used as broadcast addresses, so this option is incorrect.

D

192.168.50.254 is a valid usable host address within the upper /25 subnet. It is not the broadcast address, so this option is incorrect.

204
Matchingmedium

Drag and drop the OSI layer names on the left to the correct PDU names on the right.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Segment

Packet

Frame

Bits

Data

Why these pairings

OSI layers and their PDUs: Physical=bits, Data Link=frames, Network=packets, Transport=segments, Session=data (or upper layer data).

Exam trap

A common trap is confusing the PDU names between layers, especially mixing up frames and packets or segments and packets. Remember the order: bits (Layer 1), frames (Layer 2), packets (Layer 3), segments (Layer 4).

205
PBQhard

You are connected to R1. The network has three routers: R1, R2, and R3. R1's G0/0 is connected to R2's G0/0, and R1's G0/1 is connected to R3's G0/1. The goal is to configure R1 so that it can ping both R2 (192.0.2.2/30) and R3 (2001:db8:1::2/64). Currently, R1 cannot ping R2 due to a wrong subnet mask on R1's G0/0, and R3 is using an IPv6 EUI-64 address but R1 has been given a static IPv6 address that conflicts. Fix both issues and verify connectivity.

Hints

  • Check the subnet mask on G0/0; it should be /30, not /24.
  • R3 uses EUI-64; to avoid duplicate address, R1 should also use EUI-64 on G0/1.
  • After changing the mask, verify the interface is still up and the route is correct.
A.On G0/0, change the subnet mask to 255.255.255.252; on G0/1, remove the static IPv6 address and configure an EUI-64 address.
B.On G0/0, change the IP address to 192.0.2.2/30; on G0/1, change the IPv6 address to 2001:db8:1::2/64.
C.On G0/0, change the subnet mask to 255.255.255.0; on G0/1, change the IPv6 address to 2001:db8:1::1/64 with EUI-64.
D.On G0/0, change the IP address to 192.0.2.2/30; on G0/1, remove the static IPv6 address and configure an EUI-64 address.
AnswerA
solution
! R1
interface GigabitEthernet0/0
ip address 192.0.2.1 255.255.255.252
exit
interface GigabitEthernet0/1
no ipv6 address 2001:db8:1::1/64
ipv6 address 2001:db8:1::/64 eui-64
end

Why this answer

The problem has two issues. First, R1's G0/0 has IP 192.0.2.1 but its subnet mask is incorrectly set to 255.255.255.0 (/24) instead of the required 255.255.255.252 (/30) that matches R2's /30. This mask mismatch causes R1 to misclassify the subnet, preventing successful ping to R2.

The fix is to change the mask to 255.255.255.252. Second, R1's G0/1 is configured with a static IPv6 address 2001:db8:1::1/64, but R3 uses EUI-64 and generates its address as 2001:db8:1::2. This duplicate address risk breaks communication.

The correct solution is to remove the static IPv6 address and enable EUI-64 on G0/1, allowing R1 to derive a unique address from the prefix. Options B and D incorrectly change R1's IPv4 address to 192.0.2.2, which duplicates R2's address. Option B also sets a static IPv6 address of ::2, duplicating R3's address.

Option C changes the mask to /24, which would temporarily allow communication but violates the intended point-to-point /30 design and does not adopt best practices; it also incorrectly applies a static IPv6 address with EUI-64, which is unnecessary and could still conflict.

Exam trap

Trap: Candidates often confuse IP address conflicts with subnet mask mismatches. Here, the mask on G0/0 is wrong, not the IP. For IPv6, they may think any static address works, but EUI-64 is needed to avoid duplication when the neighbor uses it.

Always verify subnet masks match on point-to-point links and use EUI-64 when the neighbor does.

Why the other options are wrong

B

The specific factual error: 192.0.2.2 is already used by R2, causing an IP conflict; static assignment on G0/1 does not guarantee uniqueness.

C

The specific factual error: /24 mask is too large and does not match the /30 subnet; EUI-64 cannot be applied alongside a static address—it replaces the interface ID.

D

The specific factual error: 192.0.2.2 is already assigned to R2, so R1 cannot use it; the correct fix is to adjust the mask, not the IP.

206
PBQmedium

You are connected to the console of R1. The output of 'show interfaces serial0/0/0' displays that the interface is administratively down (status: administratively down, line protocol is down). The network administrator reports that the serial link between R1 and R2 was recently configured but is not working. You need to troubleshoot and restore connectivity. The serial interface on R1 is Serial0/0/0, and the link is a point-to-point HDLC connection.

Network Topology
S0/0/0S0/0/0serial cableR1R2

Hints

  • Check the interface status with show interfaces.
  • Look for 'administratively down' in the output.
  • Use the no shutdown command to enable the interface.
A.Enter interface configuration mode for Serial0/0/0 and issue the 'no shutdown' command.
B.Enter global configuration mode and issue the 'clock rate 64000' command.
C.Enter interface configuration mode for Serial0/0/0 and issue the 'encapsulation ppp' command.
D.Enter privileged EXEC mode and issue the 'clear interface serial0/0/0' command.
AnswerA
solution
! R1
interface Serial0/0/0
no shutdown

Why this answer

The interface status 'administratively down' indicates the interface has been manually shut down with the 'shutdown' command. Issuing 'no shutdown' in interface configuration mode re-enables it, bringing the line protocol up and restoring connectivity. Option B is incorrect because clock rate configuration is necessary only if R1 is the DCE and clocking is missing; the issue here is the administrative state, not clocking.

Option C is incorrect because changing the encapsulation to PPP would not resolve an administratively down state and could create a mismatch. Option D is wrong because 'clear interface' only resets counters and does not change the interface's administrative status.

Exam trap

The trap is that candidates may overlook the 'administratively down' status and instead focus on clocking or encapsulation issues. Always check the interface status first; if it says 'administratively down', the fix is 'no shutdown'.

Why the other options are wrong

B

The specific factual error: The 'clock rate' command configures the clocking rate on a DCE serial interface, not the administrative state.

C

The specific factual error: The encapsulation command changes the Layer 2 protocol but does not affect the administrative state of the interface.

D

The specific factual error: The 'clear interface' command does not enable an administratively down interface; it only resets statistics.

207
MCQhard

Refer to the exhibit. A network engineer is troubleshooting a connectivity issue between two routers connected via a serial link. The engineer runs the show interfaces Serial0/0/0 command on R1. Based on the output, what is the most likely cause of the problem?

A.The interface is configured with the wrong encapsulation type.
B.The interface is administratively shut down.
C.The serial cable is disconnected or has a physical fault.
D.The DCE end of the serial link is missing a clock rate configuration.
AnswerD

The output explicitly states 'DCE, no clock rate set'. On a serial WAN link, the data communications equipment (DCE) must supply the clock signal. Without the clock rate command, the line protocol cannot come up, regardless of all other settings being correct.

Why this answer

The output shows that the interface is up (line protocol is down), and the serial cable is physically connected. The absence of a clock rate on the DCE end of a serial link causes the line protocol to remain down because the receiving router cannot synchronize bit timing. Option D is correct because the DCE device must provide a clock signal for the serial link to establish Layer 2 connectivity.

Exam trap

Cisco often tests the distinction between 'interface is up, line protocol is down' (Layer 1 up, Layer 2 down) and 'interface is down, line protocol is down' (Layer 1 fault), tricking candidates into thinking a physical cable issue is the cause when the real problem is a missing clock rate on the DCE.

Why the other options are wrong

A

Many candidates assume that a Layer 2 protocol down on a serial link is always caused by an encapsulation mismatch, overlooking the explicit clocking issue displayed in the output.

B

Novice engineers might misinterpret 'line protocol is down' as an indication that the interface is disabled, without reading the full status line.

C

The trap: candidates see 'line protocol is down' and immediately think of a physical problem, missing the clear distinction that the interface itself is 'up'.

208
Drag & Dropmedium

Drag and drop the following steps into the correct order to enable a third-party SFP transceiver and verify its diagnostics on a Cisco switch.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

Cisco switches by default only support Cisco-branded SFP transceivers. To use a third-party transceiver, the command `service unsupported-transceiver` must be enabled in global configuration mode. After configuring the interface, the `show interfaces transceiver` command displays diagnostic information including temperature, voltage, and optical power, which helps verify proper operation.

209
MCQhard

A host address is 192.168.88.66/27. Which address is the network address of the subnet?

A.192.168.88.32
B.192.168.88.64
C.192.168.88.95
D.192.168.88.96
AnswerB

This is correct because .66 is in the 64-95 /27 subnet.

Why this answer

A /27 subnet has a block size of 32. In practical terms, the fourth-octet ranges are 0-31, 32-63, 64-95, and so on. Because 66 falls within the 64-95 block, the network address is 192.168.88.64.

This is a classic subnet-boundary calculation. The key step is identifying the correct block first.

Exam trap

Avoid assuming the host address is in the first or last subnet without calculating the correct range.

Why the other options are wrong

A

192.168.88.32 is the network address of the previous /27 subnet (32-63). Since the host address 192.168.88.66 falls in the 64-95 range, the correct network address is 192.168.88.64, not 192.168.88.32.

C

192.168.88.95 is the broadcast address for the /27 subnet that starts at 192.168.88.64. The broadcast address is the last address in the subnet, used to send packets to all hosts in that subnet, not the network address.

D

192.168.88.96 is the network address of the next /27 subnet (96-127). The host 192.168.88.66 is not in that range; it belongs to the subnet starting at 192.168.88.64.

210
Drag & Dropmedium

Drag and drop the following steps into the correct order to troubleshoot a suspected duplex mismatch and CRC errors on a Cisco switch interface.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4

Why this order

Troubleshooting starts from privileged EXEC, checking errors, identifying the problematic interface, then configuring the correct duplex setting.

Exam trap

The exam trap is that candidates often skip the initial step of entering privileged EXEC mode, thinking they can directly check errors or configure. Remember that 'show' and 'configure' commands require the appropriate mode.

211
MCQmedium

Why does traceroute reveal each router hop along a path?

A.Each router appends its hostname to the packet payload
B.Each router sends an ARP response back to the source
C.Each router decrements TTL or hop limit, and expired packets trigger ICMP messages
D.Each switch on the path sends a syslog message to the source host
AnswerC

Correct. TTL or hop-limit expiry creates the hop-by-hop responses.

Why this answer

Traceroute sends packets with increasing TTL or hop-limit values. When the value expires, the router that drops the packet returns an ICMP message, identifying that hop.

Exam trap

Don't confuse traceroute's use of TTL and ICMP Time Exceeded messages with ping's use of ICMP Echo Requests.

Why the other options are wrong

A

Routers do not modify packet payloads to add hostnames during normal forwarding. Traceroute relies on ICMP Time Exceeded messages generated by routers when TTL expires, not on payload modifications. Adding hostnames would violate IP packet integrity and is not a standard function.

B

ARP (Address Resolution Protocol) operates only within a local network segment to map IP addresses to MAC addresses. It is not used for path discovery across multiple routed hops. Traceroute uses TTL expiry to trigger ICMP responses, not ARP replies.

D

Switches operate at Layer 2 and do not decrement TTL or generate ICMP Time Exceeded messages for traceroute. Syslog is a logging protocol used for network device event reporting, not for hop-by-hop path discovery. Traceroute relies on ICMP or UDP/TCP probes, not syslog messages.

212
Drag & Dropmedium

Drag and drop the following steps into the correct order to troubleshoot a client PC that cannot connect to a remote web server.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5
6Step 6

Why this order

The correct order follows Cisco's bottom-up troubleshooting methodology: first verify local IP configuration with ipconfig, then confirm the local TCP/IP stack with a loopback ping, then verify the NIC and IP binding by pinging the assigned address. Next, test connectivity to the default gateway to ensure the local subnet and router are reachable. After that, attempt to reach the remote server's IP address with ping.

If that fails, use traceroute to identify where along the path the packets are lost. This sequence efficiently isolates the fault domain from the local device to the internetwork.

213
Matchingmedium

Match the security feature to its main purpose.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Filters traffic based on defined permit and deny rules

Helps block rogue DHCP servers and build trusted binding information

Validates ARP traffic against trusted information to reduce ARP spoofing

Limits and controls MAC addresses learned on a switch port

Why these pairings

ACLs are correct because they use permit and deny statements to filter traffic based on source/destination IP, protocol, or port. DHCP Snooping is correct because it identifies trusted ports and builds a DHCP binding table to block rogue DHCP servers and prevent spoofed DHCP messages. DAI is correct because it leverages the DHCP Snooping binding table to validate ARP packets, dropping those that do not match trusted bindings and thus preventing ARP spoofing attacks.

Port Security is correct because it restricts the number and specific MAC addresses learned on a switch port, mitigating MAC flooding and unauthorized device access.

Exam trap

Avoid confusing the general term 'security' with specific functions. Firewalls filter traffic; they do not encrypt, detect endpoint malware, or provide centralized log analysis. Each security tool has a defined purpose.

214
Drag & Dropmedium

Drag and drop the following steps into the correct order to configure a Windows 10 host with a static IPv4 address, subnet mask, and default gateway.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5
6Step 6

Why this order

The correct order begins with opening Network and Sharing Center to access network settings. Then, you must click 'Change adapter settings' to see the list of network connections. Right-clicking the appropriate adapter and selecting Properties opens its configuration.

Selecting IPv4 and clicking Properties allows you to set the IP parameters. Choosing 'Use the following IP address' enables the fields for static input. Finally, entering the IP address, subnet mask, and default gateway followed by OK/Close applies the configuration.

This sequence follows the logical navigation of the Windows GUI to reach the static IP assignment interface.

215
PBQhard

You are connected to R1. The network administrator reports that hosts on VLAN 10 cannot communicate with the server attached to R2's GigabitEthernet0/1 interface. Troubleshoot and resolve the issue. Identify the root cause and apply the necessary fix on R1.

Network Topology
G0/0192.168.1.1/30linkG0/1192.168.1.5/30G0/1192.168.1.6/30linklinkR2R1Switch1Hosts in VLAN10

Hints

  • The high input error count on G0/0 suggests a Layer 1 issue, possibly duplex mismatch.
  • Compare the configured duplex on R1's G0/0 with the typical auto-negotiation settings on a switch.
  • Reverting to auto-negotiation on both speed and duplex is often the solution for such mismatches.
A.Configure 'no duplex' and 'no speed' under interface GigabitEthernet0/0 to enable auto-negotiation.
B.Change the duplex setting on GigabitEthernet0/0 to half-duplex using 'duplex half'.
C.Apply 'speed 100' and 'duplex full' on GigabitEthernet0/0 to match a common switch configuration.
D.Clear the interface counters on GigabitEthernet0/0 with 'clear counters gigabitethernet0/0' without changing any configuration.
AnswerA
solution
! R1
configure terminal
interface GigabitEthernet0/0
no duplex
no speed
end
clear counters GigabitEthernet0/0

Why this answer

The issue is a duplex mismatch on GigabitEthernet0/0. R1 is configured with 'duplex full' and 'speed 1000', but the connected switch port is likely set to auto-negotiate or is set to half-duplex. This causes high input errors (1500) and degraded performance.

The fix is to set R1's G0/0 to auto-negotiate both speed and duplex, matching the switch's configuration. Enter interface configuration mode for G0/0, issue 'no duplex' and 'no speed' to revert to auto, then clear the interface counters with 'clear counters gigabitethernet0/0'.

Exam trap

The exam trap is that candidates often focus on speed mismatches or clearing counters, but the real issue is duplex mismatch. Remember that on GigabitEthernet interfaces, auto-negotiation is the default and recommended setting; static duplex/speed settings can cause mismatches and errors.

Why the other options are wrong

B

The specific factual error is that manually setting half-duplex does not resolve a mismatch; it may create a new mismatch or degrade performance further.

C

The specific factual error is that GigabitEthernet interfaces usually operate at 1000 Mbps; setting speed to 100 may cause the interface to not come up or to underperform.

D

The specific factual error is that clearing counters is a diagnostic step, not a fix. The root cause (duplex mismatch) remains unaddressed.

216
PBQhard

You are troubleshooting a client connectivity issue on VLAN 10. The client PC1 is connected to switch SW1, which is connected to router R1 acting as the default gateway. PC1 can ping its own IP and the default gateway (10.1.10.1) but cannot reach the internet. From the provided router outputs, identify the fault and apply the necessary fix on R1.

Network Topology
G0/0.1010.1.10.1/24G0/0.1010.1.10.1/24PC1SW1R1ISP

Hints

  • Check if R1 has a default route
  • Look at the Gateway of last resort in the routing table
  • The missing command is under global configuration mode
A.Configure a default route on R1: ip route 0.0.0.0 0.0.0.0 10.1.10.254
B.Configure a static route on R1: ip route 8.8.8.8 255.255.255.255 10.1.10.254
C.Configure a default route on R1: ip route 0.0.0.0 0.0.0.0 10.1.10.1
D.Configure a default route on R1: ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
AnswerA
solution
! R1
configure terminal
ip route 0.0.0.0 0.0.0.0 10.1.10.254
end

Why this answer

PC1 can ping its own IP and the gateway (10.1.10.1) but not the internet (8.8.8.8). The router R1 has no default route to forward traffic to the internet. The fix is to configure a default route on R1 pointing to the next-hop IP address of the upstream router (e.g., 10.1.10.254) or an exit interface.

After adding the default route, R1 will be able to forward traffic outside the local subnet.

Exam trap

Trap: Candidates often confuse the client's default gateway with the router's next-hop for internet traffic. They may also think a host route to the specific destination is sufficient, or that using an exit interface alone is always valid. Remember: for internet access, a default route (0.0.0.0/0) is needed, and on Ethernet, always specify a next-hop IP.

Why the other options are wrong

B

The specific factual error is that a host route does not provide general internet access; it only covers the specified destination.

C

The specific factual error is that the next-hop must be a different device (upstream router), not the router's own interface IP.

D

The specific factual error is that on Ethernet interfaces, a next-hop IP is required to avoid potential ARP resolution problems; using only the exit interface is not the standard practice.

217
Multi-Selectmedium

Which three of the following are characteristics of wireless LAN (WLAN) operation in the 2.4 GHz and 5 GHz bands? (Choose three.)

Select 3 answers
.The 5 GHz band offers more non-overlapping channels than the 2.4 GHz band.
.The 2.4 GHz band generally provides longer range than 5 GHz for the same transmit power.
.Both bands can be used simultaneously by dual-band access points.
.The 2.4 GHz band supports higher data rates than the 5 GHz band.
.The 5 GHz band experiences more interference from Bluetooth devices.
.Both bands require a license for operation in enterprise environments.

Why this answer

The 5 GHz band offers more non-overlapping channels (up to 23 or 25, depending on regulatory domain) compared to the 2.4 GHz band, which has only three non-overlapping channels (1, 6, 11). The 2.4 GHz band generally provides longer range due to better propagation characteristics and lower attenuation through obstacles. Dual-band access points can operate simultaneously on both bands, allowing clients to connect on either frequency.

Exam trap

Cisco often tests the misconception that the 2.4 GHz band has more channels or that 5 GHz always provides longer range, but the correct understanding is that 5 GHz has more non-overlapping channels and 2.4 GHz offers better range due to lower frequency propagation.

218
Multi-Selectmedium

Which TWO statements accurately describe the characteristics and deployment considerations for fiber optic cabling in a modern enterprise network?

Select 2 answers
A.Single-mode fiber (SMF) typically uses a larger core diameter than multimode fiber (MMF).
B.Multimode fiber (MMF) is generally preferred for longer-distance links, such as between buildings on a campus network.
C.A 1000BASE-LX SFP transceiver operating over single-mode fiber can support distances up to 10 km.
D.When using a 10GBASE-SR SFP+ transceiver over OM3 multimode fiber, the maximum supported distance is 300 meters.
E.Fiber optic cabling is immune to electromagnetic interference (EMI), making it ideal for environments with high electrical noise.
AnswersD, E

10GBASE-SR over OM3 fiber (50/125 µm, 2000 MHz*km bandwidth) supports distances up to 300 meters. Over OM4 fiber, the distance increases to 400 meters.

Why this answer

The correct statements are that 10GBASE-SR over OM3 multimode fiber supports up to 300 meters and that fiber optic cabling is immune to electromagnetic interference (EMI), making it ideal for electrically noisy environments. Single-mode fiber actually has a smaller core diameter than multimode, making option A incorrect. Multimode fiber is designed for shorter links, so option B is wrong.

Standard 1000BASE-LX SFP transceivers over single-mode fiber are limited to 5 km, not 10 km, so option C is inaccurate.

Exam trap

Cisco often tests the misconception that single-mode fiber has a larger core diameter than multimode fiber, when in fact the opposite is true, and that multimode fiber is suitable for long-haul links, whereas it is actually limited to shorter distances due to modal dispersion.

Why the other options are wrong

A

Single-mode fiber has a smaller core diameter (typically 9 microns) than multimode (50 or 62.5 microns), so this reverses the relationship.

B

Multimode fiber’s larger core introduces modal dispersion, limiting it to shorter distances; long-distance links use single-mode fiber.

C

IEEE 1000BASE-LX specifies a maximum distance of 5 km over single-mode fiber; 10 km is beyond the standard CCNA curriculum.

219
MCQhard

A host address is 192.168.1.14/29. Which address is the broadcast address for that host’s subnet?

A.192.168.1.7
B.192.168.1.14
C.192.168.1.15
D.192.168.1.16
AnswerC

This is correct because the host is in the 8–15 /29 block, whose broadcast is .15.

Why this answer

A /29 uses blocks of 8 addresses. In plain language, the subnets in the last octet move in increments of 8: 0–7, 8–15, 16–23, and so on. Since the host address ends in 14, it belongs to the 8–15 block. In that block, the last address is the broadcast address, so the broadcast is 192.168.1.15.

This is a classic subnetting pattern because it requires you to place the host inside the correct block and then identify the last address in that block rather than guessing based on the host value itself.

Exam trap

Be careful not to confuse the network address or the next subnet's network address with the broadcast address.

Why the other options are wrong

A

192.168.1.7 is the broadcast address for the /29 block 0–7, which does not contain host .14. The host .14 is in the block 8–15, so its broadcast is .15.

B

192.168.1.14 is the host address itself, not the broadcast address. The broadcast address is always the last address in the subnet, which is .15 for the block 8–15.

D

192.168.1.16 is the network address of the next /29 block (16–23), not the broadcast address for the block containing .14. The broadcast address must be the last address in the same block as the host.

220
PBQhard

You are troubleshooting a wireless client association failure on a Cisco WLC. The client is unable to connect to the corporate SSID 'CorpNet' and reports an authentication error. Review the WLC configuration and fix the issue so that the client can associate and obtain an IP address from VLAN 100. The WLC management IP is 192.168.1.10/24.

Hints

  • Check the security settings — the client may not support WPA3.
  • Verify if the SSID is hidden — the client cannot scan for it.
  • Ensure the VLAN assigned to the WLAN matches the client's subnet.
A.Change the WLAN security to WPA2, enable SSID broadcast, and configure the WLAN interface to use VLAN 100 with a DHCP scope on that VLAN.
B.Change the WLAN security to WPA3 only, enable SSID broadcast, and change the management interface IP to 192.168.100.10/24.
C.Keep WPA3, disable SSID broadcast for security, and configure the WLAN interface to use VLAN 100 with a DHCP scope on VLAN 1.
D.Change the WLAN security to WPA2, keep SSID broadcast disabled, and configure the WLAN interface to use VLAN 1.
AnswerA
solution
! WLC
configure terminal
wlan CorpNet 1 CorpNet
security wpa2
security wpa akm psk
security wpa psk ascii 7 1234567890abcdef
no security wpa3-sae
broadcast-ssid enable
interface wlan 1
vlan 100
end

Why this answer

The client authentication and DHCP issues are caused by: (1) WPA3 being configured while the client only supports WPA2, (2) SSID broadcast disabled, preventing client discovery, and (3) the WLAN's client VLAN (100) lacking a DHCP server or scope. The management interface VLAN (1) does not interfere with client DHCP. To resolve, change security to WPA2, enable SSID broadcast, and ensure the WLAN is associated with the correct VLAN (100) and a DHCP scope exists on that VLAN.

Exam trap

Be careful not to confuse the management interface VLAN with the client data VLAN. Also, remember that SSID broadcast must be enabled for clients to discover the network, and security settings must match client capabilities. Always verify DHCP scope placement matches the client VLAN.

Why the other options are wrong

B

The specific factual error is that WPA3-only security may not be supported by the client, and changing the management interface IP does not resolve the client VLAN assignment issue.

C

The specific factual errors are: WPA3 may not be compatible, disabling SSID broadcast hides the network, and DHCP scope must be on the same VLAN as the client (VLAN 100).

D

The specific factual errors are: SSID broadcast must be enabled for client discovery, and the WLAN interface must be mapped to VLAN 100, not VLAN 1.

221
MCQhard

A network engineer is troubleshooting an issue where a Windows 10 workstation (Host-A) cannot reach the internet, but can ping the local default gateway. The engineer runs 'ipconfig /all' on Host-A and reviews the output. What is the most likely cause of the problem?

A.The subnet mask is incorrect.
B.The default gateway is missing or incorrect.
C.The DNS server is configured as a public DNS server that may be unreachable due to network policy or firewall.
D.The host has obtained an APIPA address (169.254.x.x).
AnswerC

The DNS server 8.8.8.8 is a public server; if not reachable from the local network, name resolution fails.

Why this answer

Host-A can ping the default gateway, which confirms that Layer 3 connectivity to the local network is working and that the subnet mask and default gateway are correctly configured. The inability to reach the internet despite this connectivity points to a name resolution failure, likely caused by an incorrect or unreachable DNS server. A public DNS server (e.g., 8.8.8.8) may be blocked by corporate firewall policy, preventing Host-A from resolving internet domain names.

Exam trap

The trap here is that candidates assume a successful ping to the gateway means all Layer 3 connectivity is fine, overlooking that DNS is a separate service that can fail even when IP connectivity is intact.

Why the other options are wrong

A

The subnet mask 255.255.255.0 is correct for a /24 network, so it is not the cause of the problem.

B

The default gateway is correctly set to 192.168.1.1, and the host can ping it, so the gateway is not missing or incorrect.

D

The IPv4 address is 192.168.1.100, which is a valid private address, not an APIPA address (169.254.x.x). APIPA addresses are used when DHCP fails, but here the host has a proper address.

222
PBQhard

You are connected to R1. The link between R1 and R2 is experiencing intermittent connectivity and poor performance. Review the provided show interface output to identify the root cause(s) of the issue, then apply the necessary configuration changes to resolve the problem and restore full connectivity. Output from R1: ``` GigabitEthernet0/0 is up, line protocol is up (connected) Hardware is Gigabit Ethernet, address is aaaa.bbbb.cccc (bia aaaa.bbbb.cccc) Internet address is 192.168.1.1/30 MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec, reliability 255/255, txload 1/255, rxload 1/255 Encapsulation ARPA, loopback not set Keepalive set (10 sec) Half-duplex, 100Mb/s, link type is auto, media type is RJ45 output flow-control is unsupported, input flow-control is unsupported ARP type: ARPA, ARP Timeout 04:00:00 Last input 00:00:01, output 00:00:01, output hang never Last clearing of "show interface" counters 00:01:23 Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0 Queueing strategy: fifo Output queue: 0/40 (size/max) 5 minute input rate 0 bits/sec, 0 packets/sec 5 minute output rate 0 bits/sec, 0 packets/sec 150 packets input, 1500 bytes, 0 no buffer Received 0 broadcasts (0 multicasts) 0 runts, 0 giants, 0 throttles 150 input errors, 150 CRC, 0 frame, 0 overrun, 0 ignored 0 watchdog, 0 multicast, 0 pause input 0 input packets with dribble condition detected 200 packets output, 2000 bytes, 0 underruns 0 output errors, 0 collisions, 0 interface resets 0 babbles, 0 late collision, 0 deferred 0 lost carrier, 0 no carrier 0 output buffer failures, 0 output buffers swapped out ```

Hints

  • CRC errors often indicate a duplex mismatch between the two connected devices.
  • Check the current duplex setting on R1's interface—it is set to auto, but the high error count suggests the other end is not negotiating correctly.
  • To fix, manually set both speed and duplex on the interface to match the expected settings of the neighbor.
A.Configure the interface with 'speed 1000' and 'duplex full' to match R2's settings, then clear counters.
B.Replace the faulty cable between R1 and R2 to eliminate CRC errors caused by physical layer issues.
C.Disable autonegotiation on the interface with 'no negotiation auto' to force the link to use the configured speed and duplex.
D.Increase the interface MTU to reduce fragmentation and improve performance on the link.
AnswerA
solution
! R1
interface GigabitEthernet0/0
speed 1000
duplex full

Why this answer

The show interface output reveals that R1's GigabitEthernet0/0 is operating at half-duplex, 100 Mb/s, yet it is accumulating a high number of CRC errors (150 in 1 minute 23 seconds). This indicates a speed/duplex mismatch with R2, which is likely set to full-duplex at 1000 Mb/s. To resolve, you must manually configure R1 to match R2's proper settings by issuing the 'speed 1000' and 'duplex full' commands, then clearing the counters to start fresh monitoring.

The other options are incorrect because they do not address the mismatch: replacing the cable would not fix a configuration issue; disabling autonegotiation alone may not fix the mismatch if the hard-coded values are still wrong; and increasing the MTU does not affect CRC errors caused by duplex mismatch.

Exam trap

CRC errors on a link are often misinterpreted as faulty cabling, but the presence of CRC errors on an interface that is up/up but operating at a mismatched speed or duplex strongly indicates a configuration mismatch between the two ends.

Why the other options are wrong

B

Replacing the cable does not solve a duplex/speed mismatch because the errors are caused by configuration, not physical layer damage.

C

Disabling autonegotiation alone does not guarantee the interface will use the correct speed and duplex; it still requires manual configuration of the correct values.

D

Increasing the MTU addresses fragmentation issues, not CRC errors resulting from duplex or speed mismatches.

223
PBQhard

You are connected to the console of R1. The network uses IPv6 with EUI-64. R1's GigabitEthernet0/0 has MAC address 0011.2233.4455. You need to configure an IPv6 global unicast address on this interface using EUI-64 format, based on the prefix 2001:db8:acad:1::/64. The interface is currently configured with an IPv4 address only.

Network Topology
G0/0192.168.1.1/24R1SW1

Hints

  • EUI-64 uses the MAC address to form the interface ID.
  • The prefix length is /64.
  • Use the 'ipv6 address' command with the eui-64 option.
A.R1(config-if)# ipv6 address 2001:db8:acad:1:0211:22ff:fe33:4455/64
B.R1(config-if)# ipv6 address 2001:db8:acad:1:0011:22ff:fe33:4455/64
C.R1(config-if)# ipv6 address 2001:db8:acad:1:0211:2233:4455:5566/64
D.R1(config-if)# ipv6 address 2001:db8:acad:1::/64 eui-64
AnswerA
solution
! R1
interface GigabitEthernet0/0
ipv6 address 2001:db8:acad:1::/64 eui-64

Why this answer

The EUI-64 process inserts FF:FE in the middle of the MAC and flips the U/L bit. The command configures the IPv6 address automatically based on the prefix and the interface MAC.

Exam trap

The exam trap is that candidates often forget to flip the U/L bit or confuse the EUI-64 process with simply inserting FF:FE. Also, some may provide the configuration command instead of the actual address. Always remember: flip the seventh bit of the first byte (change 00 to 02, 01 to 03, etc.) and insert FF:FE after the first 24 bits.

Why the other options are wrong

B

The specific factual error is that the U/L bit was not flipped. The EUI-64 process requires flipping the seventh bit of the first byte of the MAC address.

C

The specific factual error is that FF:FE was not inserted between the first and second halves of the MAC address. The EUI-64 format requires the insertion of FF:FE.

D

The specific factual error is that the question asks for the resulting IPv6 address, not the configuration command. The command 'ipv6 address ... eui-64' is used to enable EUI-64, but the answer should be the actual address.

224
PBQhard

You are troubleshooting connectivity between R1 and R2. The link is down, and you need to identify and fix the issue. Examine the provided 'show interfaces' output and running configuration, then apply the necessary commands to restore connectivity.

Network Topology
G0/010.0.0.1/30G0/010.0.0.2/30linkR1R2

Hints

  • Check the running configuration for the 'shutdown' command.
  • The interface status shows 'administratively down' if it is shutdown.
  • Use the 'no shutdown' command under the interface configuration mode.
A.Enter interface configuration mode for the down interface and issue the 'no shutdown' command.
B.Enter global configuration mode and issue the 'interface reset' command to reset the interface counters.
C.Enter interface configuration mode and issue the 'speed' command to set the interface speed to match the connected device.
D.Enter interface configuration mode and issue the 'no keepalive' command to disable keepalives.
AnswerA
solution
! R1
interface gigabitEthernet 0/0
no shutdown

Why this answer

The interface is administratively down because the 'shutdown' command is present. The line protocol is down because the interface is disabled. To fix this, you must issue the 'no shutdown' command on the interface.

After that, the interface will come up, and the line protocol will become up if the other side is properly configured.

Exam trap

The trap is that candidates may focus on physical layer issues (speed/duplex) or protocol issues (keepalives) instead of recognizing the clear 'administratively down' indication. Always check the interface status first: if it says 'administratively down', the solution is 'no shutdown'.

Why the other options are wrong

B

The specific factual error: 'interface reset' is not a real command; the correct command to reset counters is 'clear counters'.

C

The specific factual error: speed mismatch causes line protocol issues but not administrative down state.

D

The specific factual error: 'no keepalive' affects line protocol detection but does not change administrative state.

225
MCQhard

A network engineer notices that a critical link between two Cisco Catalyst 9300 switches is flapping every few minutes. The link uses a 10GBASE-SR SFP+ module on one end and a 10GBASE-LR SFP+ module on the other. The interface logs show 'Link error recovery - will restart'. The distance between the switches is 500 meters. Which command output best confirms the root cause of the flapping?

A.show interfaces status
B.show interfaces transceiver
C.show interfaces gigabitethernet1/0/1
D.show logging
AnswerB

This command displays the transceiver type, diagnostic monitoring, and can confirm the SFP+ mismatch (e.g., 10GBASE-SR vs 10GBASE-LR).

Why this answer

The correct answer is B because the 'show interfaces transceiver' command displays the optical parameters (e.g., transmit power, receive power, temperature) of the SFP+ modules. The mismatch between a 10GBASE-SR (multimode, 300m max) and a 10GBASE-LR (single-mode, 10km max) over 500 meters causes excessive attenuation and signal loss, triggering the 'Link error recovery - will restart' flapping. This command confirms the root cause by showing abnormal receive power levels or a missing/different transceiver type.

Exam trap

Cisco often tests the distinction between symptom-identifying commands (like 'show logging') and root-cause-identifying commands (like 'show interfaces transceiver'), trapping candidates who stop at seeing the error message without investigating the physical layer mismatch.

Why the other options are wrong

A

It does not show the transceiver type or diagnostic information.

C

It only shows the interface is err-disabled due to link-flap, not the root cause.

D

It indicates a problem but does not provide the specific transceiver details.

← PreviousPage 3 of 6 · 390 questions totalNext →

Ready to test yourself?

Try a timed practice session using only Network Infrastructure and Connectivity questions.