CCNA Network Services and Security Questions

75 of 478 questions · Page 3/7 · Network Services and Security · Answers revealed

151
MCQ · medium

A user reports that their desk port stopped working immediately after they connected a small switch. The interface shows err-disabled, and the log mentions BPDU Guard. What most likely happened?

A. The port received a BPDU and BPDU Guard shut it down.
B. DHCP snooping blocked the user's ARP requests.
C. Port security moved the port to protect mode.
D. The trunk native VLAN matched incorrectly.
Answer: A

This matches the symptom and the log message.

Why this answer

BPDU Guard is commonly enabled on PortFast access ports to protect the topology. If the port receives a BPDU, the switch assumes another switch has been connected and places the port into the err-disabled state. That is exactly the protective behavior you want at the edge. The port then stays err-disabled until an administrator bounces it with shutdown followed by no shutdown, or until errdisable recovery for the bpduguard cause re-enables it; if the small switch is still plugged in, the next BPDU shuts the port down again.

Exam trap

A frequent exam trap is attributing the err-disabled state to DHCP snooping or port security. Both can take a port down in other scenarios (port security in its default shutdown violation mode, DHCP snooping when a configured rate limit is exceeded), but the log explicitly names BPDU Guard, and nothing in the question mentions a MAC violation or a DHCP message. Another pitfall is blaming a native VLAN mismatch on a trunk; that condition does not raise a BPDU Guard error.

The key is to match the cause to the log: BPDU Guard acts only on a BPDU arriving on a port where it is enabled (typically a PortFast edge port), which signals an unexpected switch and leads to err-disable. Misreading the log or symptoms leads to answers that do not align with BPDU Guard's function.

Why the other options are wrong

B

Incorrect. DHCP snooping filters DHCP server messages on untrusted ports; it does not inspect ARP at all (that is Dynamic ARP Inspection) and does not err-disable a port for receiving a BPDU. The log names BPDU Guard, so DHCP snooping is unrelated here.

C

Incorrect. Port security reacts to MAC address violations, not to BPDUs, and only its default shutdown violation mode err-disables the port; protect mode silently drops frames from unknown MAC addresses and never takes the port down. The log message points to BPDU Guard, not port security.

D

Incorrect. A native VLAN mismatch on a trunk leaks untagged frames between VLANs and is flagged by CDP (%CDP-4-NATIVE_VLAN_MISMATCH) and by PVST+, which blocks the affected VLAN on that port as PVID-inconsistent rather than err-disabling it. This option does not explain the BPDU Guard log message.
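As an added example that is not part of the original question set, here is the switch configuration that produces the behavior in question 151, together with the recovery and verification commands a practitioner would reach for. The interface name, VLAN number and recovery interval are assumptions.

```cisco
! SW1: PortFast and BPDU Guard as global defaults for every access port
! (newer IOS-XE spells these "spanning-tree portfast edge default" and
!  "spanning-tree portfast edge bpduguard default")
spanning-tree portfast default
spanning-tree portfast bpduguard default
!
! The same two features per interface, which is what most port templates do
! (interface name and VLAN are assumptions)
interface GigabitEthernet1/0/5
 description user desk port
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Without recovery the port stays err-disabled until someone enters
! "shutdown" then "no shutdown" on it. With recovery the switch brings the
! port back after the interval; if the small switch is still attached, the
! next BPDU err-disables it again, so the log keeps telling the story.
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
! Verification (exec mode)
! which global STP protections are on
show spanning-tree summary
! ports currently err-disabled and why (reason column reads "bpduguard")
show interfaces status err-disabled
! recovery timers and the ports waiting on them
show errdisable recovery
! the triggering event: %SPANTREE-2-BLOCK_BPDUGUARD ... Disabling port.
show logging | include BPDUGUARD
```

The global defaults only apply to ports that are operationally access ports, so a port that negotiates to trunk via DTP silently loses the protection; pinning the port with switchport mode access, as above, avoids that.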

152
MCQ · medium

Which protocol is most directly responsible for keeping device clocks synchronized across a network?

A. NTP
B. TFTP
C. DHCP
D. CDP
Answer: A

This is correct because NTP is used to synchronize clocks across devices.

Why this answer

The correct protocol is NTP. In plain language, NTP helps devices agree on the current time so that logs, authentication events, monitoring data, and troubleshooting records line up accurately. Without consistent time, a network team may see events from multiple devices but be unable to reconstruct the actual sequence correctly.

This matters more than many people realize because accurate time underpins many operational workflows. Syslog messages, security events, and monitoring alerts become much easier to trust when devices are synchronized. DHCP, TFTP, and CDP are useful for other purposes, but they do not exist to align device clocks. NTP is the protocol specifically associated with time synchronization.

Exam trap

A frequent exam trap is selecting DHCP, TFTP, or CDP as the protocol responsible for clock synchronization. DHCP is often confused because it deals with network configuration, but it does not synchronize time. TFTP might seem relevant due to its role in transferring files like configurations, but it has no time-related function.

CDP is a Cisco proprietary protocol for device discovery and neighbor information exchange, not for time services. Candidates must recognize that only NTP is designed specifically to keep device clocks synchronized across a network, which is critical for accurate logging and event correlation.

Why the other options are wrong

B

TFTP is incorrect because it is a simple file transfer protocol used for tasks like configuration file transfers, not for synchronizing device clocks.

C

DHCP is incorrect because it provides IP addressing and network configuration to clients but does not handle time synchronization between devices.

D

CDP is incorrect because it is a Cisco proprietary protocol for device discovery and neighbor information exchange, not for clock synchronization.

153
Multi-Select · medium

A security policy requires administrators to permit SSH to network devices but block insecure remote CLI access. Which two actions support that goal?

Select 2 answers
A. Enable SSH on the VTY lines and use local or AAA authentication
B. Disable Telnet access on the VTY lines
C. Enable CDP globally
D. Configure the console line for transport input ssh
Answers: A, B

SSH provides encrypted remote management.

Why this answer

To meet the requirement, generate an RSA key pair, enable SSH, and set transport input ssh on the VTY lines so they accept SSH and refuse Telnet; pair that with login local or an AAA login method so every session is authenticated. Because the image default for transport input is often all or telnet ssh, enabling SSH on its own leaves the insecure path open.

Exam trap

A frequent exam trap is selecting options related to the console line or CDP when the question focuses on securing remote CLI access. The console line is for local physical access and does not support SSH, so configuring SSH there does not meet the requirement. Similarly, enabling CDP is unrelated to securing management access and does not block insecure protocols like Telnet.

Another common mistake is assuming that enabling SSH alone is sufficient without disabling Telnet, which leaves an insecure access method open. Candidates must carefully distinguish between local and remote access methods and ensure insecure protocols are explicitly blocked on VTY lines.

Why the other options are wrong

C

Enabling CDP globally is incorrect because CDP is a device discovery protocol and does not secure or restrict remote CLI access, so it does not support the goal of blocking insecure access.

D

Configuring the console line for transport input ssh is incorrect because the console line is for local physical access and does not support SSH, so this does not enforce secure remote access.
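The following is an added example, not code from the original page: a complete SSH-only VTY configuration for question 153 with the prerequisites that the question leaves implicit, plus the checks that prove Telnet is really gone. The hostname, domain name, management subnet and account name are assumptions.

```cisco
! R1: SSH needs a hostname and domain name before the RSA key can be generated
! (hostname, domain, addresses and account names here are assumptions)
hostname R1
ip domain-name example.net
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! Local account for "login local" (or as AAA fallback); use "secret", not "password"
username netadmin privilege 15 secret <strong-password>
!
! Only the management subnet may even open a VTY session
ip access-list standard MGMT_ACCESS
 permit 10.10.0.0 0.0.0.255
 deny   any log
!
! The actual requirement: SSH in, Telnet out. "transport input ssh" replaces
! the image default (often "all" or "telnet ssh"), so Telnet is refused here.
line vty 0 4
 transport input ssh
 login local
 access-class MGMT_ACCESS in
 exec-timeout 10 0
! Platforms with 16 VTY lines must lock down 5-15 too, or Telnet stays open there
line vty 5 15
 transport input ssh
 login local
 access-class MGMT_ACCESS in
 exec-timeout 10 0
!
! Verification (exec mode)
! "SSH Enabled - version 2.0" and the key size
show ip ssh
! live sessions with their transport
show users
! confirm no line still accepts telnet
show running-config | section line vty
```

If aaa new-model is enabled on the device, login local on the lines is superseded by the aaa authentication login method list; the transport input ssh line is what blocks Telnet either way.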

154
PBQ · medium

You are connected to R1 via console. R1 has two interfaces: GigabitEthernet0/0 (10.0.0.1/30, connected to ISP) and GigabitEthernet0/1 (192.168.1.1/24, connected to internal LAN). The LAN hosts (192.168.1.0/24) need to access the internet. Configure dynamic NAT with PAT (overload) on R1 using a NAT pool so that internal hosts share the public IP 10.0.0.1 when accessing the internet. Assume the ISP router is already configured and reachable.

Network Topology
Topology: PCs on the LAN connect to R1 G0/1 (192.168.1.1/24); R1 G0/0 (10.0.0.1/30) connects to the ISP and the Internet.

Hints

  • Define an ACL to match internal traffic.
  • Create a NAT pool with the public IP address.
  • Apply overload to allow multiple hosts to share the public IP.
A.
  access-list 1 permit 192.168.1.0 0.0.0.255
  ip nat pool PUBLIC 10.0.0.1 10.0.0.1 netmask 255.255.255.252
  ip nat inside source list 1 pool PUBLIC overload
  interface GigabitEthernet0/0
   ip nat outside
  interface GigabitEthernet0/1
   ip nat inside
B.
  access-list 1 permit 192.168.1.0 0.0.0.255
  ip nat pool PUBLIC 10.0.0.1 10.0.0.2 netmask 255.255.255.252
  ip nat inside source list 1 pool PUBLIC
  interface GigabitEthernet0/0
   ip nat outside
  interface GigabitEthernet0/1
   ip nat inside
C.
  access-list 1 permit any
  ip nat pool PUBLIC 10.0.0.1 10.0.0.1 netmask 255.255.255.252
  ip nat inside source list 1 pool PUBLIC overload
  interface GigabitEthernet0/0
   ip nat inside
  interface GigabitEthernet0/1
   ip nat outside
D.
  access-list 1 permit 192.168.1.0 0.0.0.255
  ip nat inside source list 1 interface GigabitEthernet0/0 overload
  interface GigabitEthernet0/0
   ip nat outside
  interface GigabitEthernet0/1
   ip nat inside
Answer: A
Solution
! R1
! named standard ACL: the permit is a separate line in ACL configuration mode
ip access-list standard NAT_ACL
 permit 192.168.1.0 0.0.0.255
ip nat pool PUBLIC_POOL 10.0.0.1 10.0.0.1 netmask 255.255.255.252
ip nat inside source list NAT_ACL pool PUBLIC_POOL overload
interface GigabitEthernet0/1
 ip nat inside
interface GigabitEthernet0/0
 ip nat outside

Why this answer

Option A is correct because it creates an ACL matching only the internal subnet (192.168.1.0/24), defines a NAT pool containing only the single public IP 10.0.0.1, enables PAT with the 'overload' keyword, and correctly assigns inside/outside interfaces. Option B is wrong because the pool includes 10.0.0.2, which is the ISP's IP and would cause conflicts, plus it lacks the 'overload' keyword so PAT is not activated. Option C is wrong because the ACL uses 'any', potentially matching unintended traffic, and the interface roles are reversed (G0/0 as inside, G0/1 as outside), breaking the NAT translation direction.

Option D is incorrect because while it implements PAT correctly, it uses interface overload rather than a NAT pool, which does not meet the explicit requirement to use a pool.

Exam trap

Pay close attention to the exact requirements: the question specifies a pool with IP 10.0.0.1, not interface overload. Also ensure ACL matches only the internal subnet, and interfaces are correctly designated as inside/outside.

Why the other options are wrong

B

The pool range includes 10.0.0.2 (the ISP's IP) and lacks the overload keyword, so PAT is disabled.

C

The ACL permits all traffic (any) and the inside/outside interfaces are reversed.

D

This uses interface overload instead of a NAT pool, contradicting the pool requirement.

155
Multi-Select · medium

Which TWO statements correctly describe the behavior of PAT (Port Address Translation) as configured on a Cisco router?

Select 2 answers
A. PAT translates multiple internal addresses to a single public IP address by using unique source port numbers.
B. PAT requires a 1:1 mapping of internal to external IP addresses.
C. PAT can only be configured with a pool of public IP addresses.
D. PAT uses both IP addresses and port numbers to track translations.
E. PAT translations are always static and never time out.
Answers: A, D

PAT distinguishes between multiple internal hosts sharing the same public IP by assigning a different source port for each session. The router maintains a translation table that tracks the original internal IP and port along with the assigned public IP and port.

Why this answer

PAT (Port Address Translation) translates multiple internal private IP addresses to a single public IP address by assigning unique source port numbers to each session, allowing many internal hosts to share one public IP. This is correctly described in option A. Option D is also correct because PAT uniquely identifies each translation by both the IP address and the port number, enabling the router to demultiplex return traffic.

Option B is wrong because PAT uses many-to-one mapping, not 1:1; a 1:1 mapping is characteristic of static NAT. Option C is incorrect because PAT can operate with a single public IP address (often the outside interface address) rather than requiring a pool. Option E is false because PAT translations are dynamically created and time out after a period of inactivity; they are not static.

Exam trap

Cisco often tests the misconception that PAT requires a pool of public IPs or a 1:1 mapping, when in fact PAT is designed for many-to-one translation using port numbers, and can operate with a single public IP address.

Why the other options are wrong

B

PAT does not require a 1:1 mapping; it allows many internal addresses to share a single public IP. A 1:1 mapping is characteristic of static NAT, not PAT.

C

PAT can be configured with either a single public IP address (using the interface address) or a pool of public IP addresses. It does not require a pool; a single address is sufficient for PAT overload.

E

PAT translations are dynamic and expire. IOS defaults: 24 hours (86400 seconds) for established TCP, 5 minutes for UDP, and 60 seconds for DNS, ICMP and TCP entries that only saw a SYN or a FIN/RST; all are adjustable with the ip nat translation timeout commands. Entries are removed when the session ends or the timer expires.
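Added example, not part of the original page: with the question 154 pool-based PAT in place on R1, these commands show what the address-plus-port table described in option D of question 155 looks like, and how long entries live. The sample table rows are constructed, and the hosts, ports and timer values chosen are assumptions (the timers shown are the IOS defaults).

```cisco
! R1 with the question 154 PAT in place. Sample table rows below are constructed;
! hosts and ports are assumptions.
show ip nat translations
! Pro  Inside global        Inside local         Outside local        Outside global
! tcp  10.0.0.1:51234       192.168.1.20:51234   203.0.113.10:443     203.0.113.10:443
! tcp  10.0.0.1:51235       192.168.1.21:51234   203.0.113.10:443     203.0.113.10:443
! icmp 10.0.0.1:1           192.168.1.20:1       203.0.113.10:1       203.0.113.10:1
! Both hosts chose source port 51234; the second entry was re-mapped to 51235 so
! every inside-global address:port pair stays unique. That pair, not the address
! alone, is the key the router uses to send replies back to the right host.
! ICMP has no ports, so PAT keys on the echo identifier instead.
!
! adds create/use timestamps and the seconds left before each entry expires
show ip nat translations verbose
! hit/miss counters, expired-translation count, inside/outside interface list
show ip nat statistics
!
! Timers, shown at their IOS defaults. Dynamic entries are never permanent.
ip nat translation timeout 86400
ip nat translation tcp-timeout 86400
ip nat translation udp-timeout 300
ip nat translation dns-timeout 60
ip nat translation icmp-timeout 60
ip nat translation finrst-timeout 60
ip nat translation syn-timeout 60
! On a busy edge, a shorter tcp-timeout (for example 3600) frees port numbers
! that idle sessions would otherwise hold for a day.
!
! Exec mode: empty the table. IOS refuses to remove or change a dynamic NAT
! rule while translations that use it exist, so this comes first.
clear ip nat translation *
```

The same show commands are the first thing to run for the symptom in question 165: a single address with no overload shows one inside host holding the whole address, and every other host producing misses in show ip nat statistics.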

156
PBQ · hard

You are connected to R1, a branch router. Configure an extended ACL named BRANCH_IN that permits only HTTP (TCP port 80) traffic from the internal network 192.168.1.0/24 to the web server at 203.0.113.10, and permits ICMP echo-reply from any source to any destination. Apply the ACL inbound on the interface facing the internal network. Then verify that only the specified traffic is allowed.

Network Topology
Topology: hosts on the internal LAN connect to R1 G0/0 (192.168.1.1/24); R1 G0/1 (203.0.113.2/30) connects to the ISP, behind which sits the web server.

Hints

  • The ACL is defined but not yet applied to an interface.
  • Consider which direction traffic from the internal network flows relative to the interface.
  • Use 'ip access-group' under the correct interface configuration mode.
A.
  ip access-list extended BRANCH_IN
   permit tcp 192.168.1.0 0.0.0.255 host 203.0.113.10 eq 80
   permit icmp any any echo-reply
  !
  interface GigabitEthernet0/0
   ip access-group BRANCH_IN in
B.
  ip access-list extended BRANCH_IN
   permit tcp 192.168.1.0 0.0.0.255 host 203.0.113.10 eq 80
   permit icmp any any echo-reply
  !
  interface GigabitEthernet0/0
   ip access-group BRANCH_IN out
C.
  ip access-list extended BRANCH_IN
   permit tcp 192.168.1.0 0.0.0.255 host 203.0.113.10 eq 80
   permit icmp any any
  !
  interface GigabitEthernet0/0
   ip access-group BRANCH_IN in
D.
  ip access-list extended BRANCH_IN
   permit tcp 192.168.1.0 0.0.0.255 host 203.0.113.10 eq 80
   permit icmp any any echo-reply
  !
  interface GigabitEthernet0/0
   ip access-group BRANCH_IN in
  !
  interface GigabitEthernet0/1
   ip access-group BRANCH_IN in
Answer: A
Solution
! R1 (the ACL itself is already defined, per the hints)
interface GigabitEthernet0/0
 ip access-group BRANCH_IN in

Why this answer

Option A is correct because it creates an extended ACL that permits TCP port 80 from the internal 192.168.1.0/24 to the web server 203.0.113.10 and permits only ICMP echo-reply, then applies it inbound on the internal interface G0/0, matching the requirement. Option B is wrong because the ACL is applied outbound on G0/0, but traffic from internal hosts to the web server exits via the WAN interface (G0/1), not G0/0. Option C is wrong because it permits all ICMP (any any) instead of only echo-reply, allowing unnecessary ICMP traffic.

Option D is wrong because it applies the ACL inbound on both G0/0 and G0/1; applying it on G0/1 would incorrectly filter inbound traffic from the ISP, potentially blocking the web server's responses.

Exam trap

Pay close attention to the direction of traffic flow. The ACL must be applied inbound on the interface that receives traffic from the internal network. Be precise with ICMP types as well: echo-reply is the response to a ping, not the initial echo request. Also keep in mind what the implicit deny at the end of BRANCH_IN removes: hosts in 192.168.1.0/24 lose DNS, HTTPS and everything else not listed, which is what the question asks for, and the hit counts in show access-lists BRANCH_IN confirm it.

Why the other options are wrong

B

The ACL is applied in the wrong direction. Applying it outbound would filter traffic leaving the interface, not entering it.

C

The ACL permits all ICMP traffic instead of only echo-reply. This violates the requirement to permit only ICMP echo-reply.

D

Inbound on G0/1, BRANCH_IN would see the web server's replies (source 203.0.113.10 port 80, destination 192.168.1.x), which match neither the tcp line (its source must be 192.168.1.0/24) nor the echo-reply line, so the implicit deny would drop them and break the very sessions the policy permits. The requirement specifies only one interface.

157
Matching · medium

Drag and drop the AAA and 802.1X terms on the left to the correct descriptions on the right.


Concepts and their matching descriptions

  • RADIUS: uses UDP; encrypts only the password in the packet
  • TACACS+: uses TCP; encrypts the entire packet
  • 802.1X: port-based authentication using EAPoL frames
  • Authentication server: the RADIUS server that validates credentials in 802.1X
  • aaa new-model: global command to enable AAA on IOS-XE

Why these pairings

RADIUS carries authentication and authorization together over UDP (1812/1813, or the older 1645/1646) and obfuscates only the password attribute, which makes it the usual choice for network access such as 802.1X; TACACS+ runs over TCP port 49, encrypts the whole packet body, and keeps authentication, authorization and accounting separate, which is why it is preferred for device administration and per-command authorization. AAA itself breaks down as: authentication verifies identity, authorization grants rights, accounting logs activity. In 802.1X the supplicant is the client, the authenticator is the switch or AP that relays EAP between EAPoL frames and RADIUS, and the authentication server (RADIUS) validates the credentials and returns the access decision. On IOS and IOS-XE, aaa new-model must be entered before any other AAA command is accepted.

Exam trap

Candidates often confuse the roles in 802.1X or mix up AAA components. Remember that authentication is about identity verification, authorization is about permissions, and accounting is about logging. In 802.1X, the supplicant is the client, the authenticator is the network device, and the authentication server validates credentials.

158
MCQ · hard

A network technician is troubleshooting a DHCP relay issue. The router at the branch office is supposed to forward DHCP requests from local clients to a central DHCP server. Clients connected to Gi0/1 are not receiving IP addresses. The technician verifies that the DHCP server is reachable from the router, that no ACLs are blocking DHCP traffic, and that the DHCP scope on the server has available leases. Upon checking the running configuration, the technician notices that the ip helper-address command is applied to interface Gi0/0 (the WAN link toward the server) instead of Gi0/1. What should the technician do next?

A. Check the DHCP server logs for any error or warning messages related to the clients' requests.
B. Move the ip helper-address command from interface Gi0/0 to interface Gi0/1.
C. Issue the show ip interface brief command to ensure that interface Gi0/1 is in an up/up state.
D. Remove the ip helper-address from Gi0/0 and then reapply it to the same interface to ensure the command is active.
Answer: B

DHCP relay requires the helper address to be configured on the interface that faces the DHCP clients (the broadcast domain where clients send their DHCPDISCOVER messages). By moving the command to Gi0/1, the router will correctly intercept and forward client requests to the DHCP server.

Why this answer

The ip helper-address command must be configured on the interface that receives DHCP broadcasts from clients, in this case Gi0/1, the LAN-facing interface. Placing it on the WAN interface (Gi0/0) means the router never relays the client broadcasts, because they never arrive on that interface. Moving the command to Gi0/1 lets the router intercept each DHCPDISCOVER and forward it as a unicast to the DHCP server, with the giaddr field set to Gi0/1's address so the server selects a scope for that subnet and knows where to return the OFFER.

This action directly addresses a common DHCP relay misconfiguration at the network services layer.

Exam trap

The most common incorrect next step is checking DHCP server logs (Option A). Candidates often assume the problem lies on the server side when clients fail to obtain addresses, overlooking the relay placement configuration on the router. Another trap is to reapply the helper address on the same WAN interface, hoping it will take effect.

Why the other options are wrong

A

This skips the obvious configuration mismatch and targets the wrong component. It assumes the issue is on the server side rather than the router's DHCP relay placement.

C

This action investigates Layer 1/2 status when the problem is already identified as a Layer 3 (DHCP relay) configuration error. It skips applying the fix and delays resolution.

D

Candidates might think the command simply didn't take effect and that reapplying it solves the problem, misunderstanding the directional requirement of DHCP relay placement.

159
MCQ · hard

A network engineer has implemented DHCP snooping on a Cisco switch to prevent unauthorized DHCP servers. The switch's VLAN 100 SVI is configured with ip helper-address to relay DHCP requests to a legitimate server in VLAN 200. Clients in VLAN 100 cannot obtain IP leases, even though the DHCP server is reachable from the switch and has available addresses. What is the most likely cause?

A. The ip helper-address command has been incorrectly applied to VLAN 100 instead of VLAN 200.
B. The switch port that connects to the DHCP server's VLAN is not configured as a trusted DHCP snooping port.
C. DHCP snooping must be disabled globally because it conflicts with the configured DHCP relay agent.
D. The DHCP server lacks a valid default gateway, preventing replies from reaching the relay agent's SVI subnet.
Answer: B

DHCP snooping classifies ports as trusted or untrusted. Server-originated DHCP messages (Offer/ACK) are only allowed on trusted ports. The server's response comes from VLAN 200, so the interface facing that server must be trusted.

Why this answer

DHCP snooping treats all switch ports as untrusted by default, which blocks DHCP server messages (OFFER, ACK) from entering the switch. Even though the switch itself can reach the DHCP server, the relayed reply from the server arrives on a port that is not trusted, so DHCP snooping drops the packet before it can be forwarded to the client. Configuring the port connecting to the DHCP server as a trusted port allows the server's responses to pass through the switch, resolving the issue.

Exam trap

Cisco often tests the interaction between DHCP snooping and DHCP relay, where candidates mistakenly think the relay bypasses snooping or that the issue is with the helper-address configuration, rather than the untrusted port blocking the server's unicast reply.

Why the other options are wrong

A

Many engineers mistakenly think the helper should reside on the server VLAN; however, it must reside on the client-facing L3 interface.

C

A common misconception is that DHCP relay bypasses snooping, but snooping still inspects the server's unicast response and drops it unless the ingress port is trusted.

D

Candidates often suspect routing issues, but verified reachability eliminates this. The problem lies in the snooping policy, not IP connectivity.
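Added example (not from the original page): one Layer 3 switch doing both jobs that questions 158 and 159 describe, DHCP relay on the client-facing SVI and DHCP snooping with a trusted server port. The VLAN addresses, the server address and the port numbers are assumptions.

```cisco
! SW1, a Layer 3 switch: clients in VLAN 100, DHCP server in VLAN 200
! (addresses, VLAN numbers and port numbers are assumptions)
ip dhcp snooping
ip dhcp snooping vlan 100,200
! Snooping adds option 82 with giaddr 0.0.0.0 unless told not to; relays and
! servers that reject that combination silently drop the DISCOVER, which looks
! exactly like the symptom in question 159. Disable it unless the server needs it.
no ip dhcp snooping information option
!
! Question 158: the helper belongs on the interface that hears the client
! broadcasts. The switch rewrites the DISCOVER as a unicast to the server with
! giaddr = 10.100.0.1, so the server picks the 10.100.0.0/24 scope and replies there.
interface Vlan100
 ip address 10.100.0.1 255.255.255.0
 ip helper-address 10.200.0.5
!
interface Vlan200
 ip address 10.200.0.1 255.255.255.0
!
! Question 159: OFFER/ACK messages from the server enter on this port, which is
! in a snooped VLAN, so it must be trusted or snooping drops them
interface GigabitEthernet1/0/24
 description DHCP server 10.200.0.5
 switchport mode access
 switchport access vlan 200
 ip dhcp snooping trust
!
! Client ports stay untrusted; the rate limit blunts DHCP starvation attacks
! (exceeding it err-disables the port, cause dhcp-rate-limit)
interface range GigabitEthernet1/0/1 - 20
 switchport mode access
 switchport access vlan 100
 ip dhcp snooping limit rate 10
!
! Verification (exec mode)
! global state, snooped VLANs, option 82 setting, and the trusted-port list
show ip dhcp snooping
! one row per client lease learned on untrusted ports
show ip dhcp snooping binding
! forwarded and dropped counters, including drops from untrusted ports
show ip dhcp snooping statistics
! confirms the helper address sits on the client-facing SVI
show ip interface Vlan100 | include Helper
```

If the server is reached through an uplink rather than a directly attached port, the uplink is the interface that needs ip dhcp snooping trust, because that is where the server's replies enter the switch.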

160
MCQ · medium

A switch stack is running PVST+. Users on VLAN 40 lose connectivity for roughly 30 seconds every time the uplink on SW2 flaps. Based on the exhibit, which change would most directly improve convergence for this VLAN?

A. Configure spanning-tree mode rapid-pvst.
B. Increase the bridge priority on SW2 for VLAN 40.
C. Disable PortFast on all access ports.
D. Convert the uplink to a routed port.
Answer: A

Rapid PVST+ is the direct fix for slow STP convergence in this case.

Why this answer

The exhibit shows VLAN 40 still running legacy IEEE 802.1D STP (PVST+), whose listening and learning states each last one forward-delay interval (15 seconds by default), which is where the roughly 30-second outage comes from. Moving the switches to rapid-pvst replaces those timers with the RSTP proposal/agreement handshake on point-to-point links, typically cutting convergence to a few seconds. The mode is set per switch, not per VLAN, so it should be changed on every switch in the domain; a port that still hears 802.1D BPDUs from a neighbor falls back to the legacy timers on that link.

Exam trap

A frequent exam trap is selecting options that change the root bridge election or port roles, such as increasing bridge priority, assuming this will speed up convergence. While root bridge placement affects path selection, it does not reduce the inherent delay caused by legacy STP timers. Another trap is disabling PortFast on access ports, which only affects edge port transitions and does not influence uplink link flap recovery times.

Additionally, converting uplinks to routed ports changes the network design and removes STP from those ports, which is not the intended solution for VLAN-specific STP convergence delays. The key mistake is confusing topology optimization with protocol speed improvements.

Why the other options are wrong

B

Increasing bridge priority changes root bridge election but does not speed up the STP convergence process, so it does not resolve the 30-second connectivity loss.

C

Disabling PortFast affects only edge ports and does not influence the convergence time of uplink ports or VLANs experiencing link flaps.

D

Converting the uplink to a routed port removes it from STP but alters network design and does not specifically improve VLAN 40’s STP convergence speed.
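Added example, not code from the original page: the change question 160 asks for, applied the way a practitioner would do it, with the show commands that prove VLAN 40 is now on RSTP and reveal any neighbor still holding the link back. The uplink interface name is an assumption.

```cisco
! Every switch in the domain (the mode is a per-switch setting, not per VLAN).
! Expect a brief topology recalculation when the mode changes, so do it in a window.
spanning-tree mode rapid-pvst
! RSTP gets its speed from the proposal/agreement handshake on point-to-point
! links plus edge ports that skip the handshake entirely, so mark the edges.
spanning-tree portfast default
!
! Verification (exec mode)
! header now reads "Spanning tree enabled protocol rstp" (legacy reads "ieee").
! In the interface table, a Type of "P2p Peer(STP)" means that neighbor still
! speaks 802.1D and this link falls back to the legacy timers: convert that switch too.
show spanning-tree vlan 40
! per-switch mode, and how many ports are still in listening/learning
show spanning-tree summary
! topology change count and when, and on which port, the last one happened;
! compare after the next flap of the SW2 uplink (name assumed) to confirm
! the outage is now seconds, not thirty
show spanning-tree vlan 40 detail
show spanning-tree interface GigabitEthernet1/0/49 detail
```

A half-duplex or hub-connected link shows Type "Shr" and also keeps the slow timers, because RSTP only runs its handshake on point-to-point links; forcing full duplex on such a port fixes that.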

161
PBQ · hard

You are connected to R1. The inside network 192.168.1.0/24 must be translated to the outside interface IP (198.51.100.1) using PAT (NAT overload). Additionally, a static NAT entry must map host 192.168.1.10 to 203.0.113.10. The current configuration is incomplete and contains errors. Correct the configuration so that both translations work properly.

Network Topology
Topology: R1 G0/0 is the inside interface (192.168.1.1/24); R1 G0/1 is the outside interface (198.51.100.1/24).

Hints

  • Check the direction of NAT on each interface (inside vs outside).
  • The PAT command requires the keyword 'overload' to enable port address translation.
  • The access list must match the inside local network, not a different subnet.
A.
  interface GigabitEthernet0/1
   ip nat outside
  !
  access-list 1 permit 192.168.1.0 0.0.0.255
  !
  ip nat inside source list 1 interface GigabitEthernet0/1 overload
  ip nat inside source static 192.168.1.10 203.0.113.10
B.
  interface GigabitEthernet0/1
   ip nat inside
  !
  access-list 1 permit 192.168.1.0 0.0.0.255
  !
  ip nat inside source list 1 interface GigabitEthernet0/1 overload
  ip nat inside source static 192.168.1.10 203.0.113.10
C.
  interface GigabitEthernet0/1
   ip nat outside
  !
  access-list 1 permit 10.0.0.0 0.255.255.255
  !
  ip nat inside source list 1 interface GigabitEthernet0/1
  ip nat inside source static 192.168.1.10 203.0.113.10
D.
  interface GigabitEthernet0/1
   ip nat outside
  !
  access-list 1 permit 192.168.1.0 0.0.0.255
  !
  ip nat inside source list 1 interface GigabitEthernet0/1 overload
  ip nat inside source static tcp 192.168.1.10 80 203.0.113.10 80
Answer: A
Solution
! R1
! exec mode first: IOS will not change a dynamic mapping that has live translations
clear ip nat translation *
interface GigabitEthernet0/0
 ip nat inside
interface GigabitEthernet0/1
 no ip nat inside
 ip nat outside
 exit
! rebuild the ACL so the old 10.0.0.0/8 entry does not linger
no access-list 1
access-list 1 permit 192.168.1.0 0.0.0.255
no ip nat inside source list 1 interface GigabitEthernet0/1
ip nat inside source list 1 interface GigabitEthernet0/1 overload
ip nat inside source static 192.168.1.10 203.0.113.10

Why this answer

The configuration has three issues: 1) GigabitEthernet0/1 is incorrectly set as ip nat inside instead of ip nat outside. 2) The PAT command is missing the overload keyword. 3) Access-list 1 permits 10.0.0.0/8, not the inside subnet 192.168.1.0/24. The fix changes the interface to ip nat outside, rewrites the ACL so that it permits 192.168.1.0/24 (removing the 10.0.0.0/8 entry rather than leaving it alongside), re-enters the PAT statement with overload, and keeps the plain static entry for 192.168.1.10. On a live router, clear the translation table first, because IOS refuses to change or remove a dynamic mapping while translations that use it exist.

Exam trap

Watch out for three common mistakes: 1) Forgetting to set the outside interface as 'ip nat outside'. 2) Using an ACL that does not match the inside network. 3) Omitting the 'overload' keyword for PAT. Also, do not add protocol/port to static NAT unless specifically required.

Why the other options are wrong

B

The specific factual error is that the interface facing the outside (public) network is incorrectly configured as 'ip nat inside'.

C

The specific factual errors are: 1) The ACL does not match the correct inside network. 2) The 'overload' keyword is omitted, preventing PAT from working.

D

The specific factual error is that the static NAT command includes protocol and port, limiting the translation to TCP port 80 only.

162
MCQ · medium

Why is NTP especially valuable when a company uses a centralized Syslog server?

A. It synchronizes device clocks so centralized log timestamps can be correlated accurately.
B. It assigns the Syslog server its IP address.
C. It replaces the need for Syslog entirely.
D. It encrypts all Syslog messages automatically.
Answer: A

This is correct because time alignment improves the usefulness of centralized logs.

Why this answer

NTP is especially valuable because it aligns device clocks, which makes centralized log timestamps much easier to interpret. In practical terms, if devices disagree on time, the combined log stream becomes harder to trust and correlate. NTP improves the timeline accuracy of operational and security analysis.

This is why NTP and Syslog are often discussed together. One centralizes events, and the other makes those events easier to line up correctly.

Exam trap

A common exam trap is to confuse NTP’s role with other network functions such as IP addressing or encryption. Some candidates incorrectly think NTP assigns IP addresses to devices or encrypts Syslog messages. This misunderstanding leads to selecting options that describe unrelated functions.

NTP’s sole purpose is to synchronize clocks across devices, enabling accurate timestamping of logs. Misinterpreting this can cause candidates to overlook the critical importance of time alignment in centralized logging environments, which is the core reason NTP is valuable when using a centralized Syslog server.

Why the other options are wrong

B

Incorrect because NTP does not assign IP addresses; IP addressing is handled by DHCP or manual configuration, not time synchronization protocols.

C

Incorrect because NTP does not replace Syslog; NTP provides time synchronization, while Syslog collects and centralizes log messages from devices.

D

Incorrect because NTP does not encrypt Syslog messages; encryption requires separate protocols such as TLS or IPsec, not time synchronization services.
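Added example covering questions 152 and 162, not code from the original page: authenticated NTP on R1 followed by the timestamp and logging settings that make a centralized Syslog stream correlatable. The NTP server addresses, the key, the Syslog collector address and the Loopback0 source interface are assumptions.

```cisco
! R1: authenticated NTP, then timestamps that make Syslog correlatable.
! Server addresses, key, collector address and source interface are assumptions.
clock timezone UTC 0
ntp authenticate
ntp authentication-key 1 md5 <ntp-key>
ntp trusted-key 1
ntp server 192.0.2.10 key 1 prefer
ntp server 192.0.2.11 key 1
! Only talk NTP with those two servers; once any ntp access-group exists,
! packets that match no group are dropped, so nobody else can query or
! pretend to be a time source
access-list 10 permit host 192.0.2.10
access-list 10 permit host 192.0.2.11
ntp access-group peer 10
!
! Put synchronized, millisecond, zone-tagged time on every log and debug line
service timestamps log datetime msec localtime show-timezone
service timestamps debug datetime msec localtime show-timezone
!
! Ship logs to the central collector. Plain syslog is UDP/514 in the clear,
! which is why option D in question 162 is wrong: nothing here encrypts it.
logging host 192.0.2.50
logging trap informational
logging source-interface Loopback0
logging buffered 64000 informational
!
! Verification (exec mode)
! expect "Clock is synchronized, stratum N"; "unsynchronized" means the
! timestamps this router sends to the collector cannot be trusted
show ntp status
! "*" marks the peer the router is syncing to, "~" means configured;
! "reach" stuck at 0 points at the key, the ACL, or UDP/123 being blocked
show ntp associations
! "Time source is NTP" once synced
show clock detail
! the collector and trap level actually in effect
show logging | include Trap|host
```

The access-group keeps the router from answering arbitrary NTP queries, which matters because an open NTP responder can be abused for amplification; the authentication keys keep a spoofed server from shifting the clock, which would quietly corrupt every log timestamp downstream.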

163
PBQ · hard

You are connected to R1 via console. R1 is a router that connects two internal subnets (192.168.1.0/24 and 192.168.2.0/24) to the internet via a serial link to ISP. Currently, no ACL is applied. Your task is to configure an extended named ACL on R1 that permits only HTTP (TCP/80) and HTTPS (TCP/443) traffic from the 192.168.1.0/24 subnet to the internet, and denies all other traffic from that subnet. Traffic from 192.168.2.0/24 must be permitted without restriction. Apply the ACL inbound on the interface facing the internal subnets. Additionally, verify that the implicit deny is not blocking necessary traffic by ensuring that the ACL correctly handles the traffic.

Network Topology
Topology: R1 G0/0 (192.168.1.1/24) faces the internal subnets; a serial link connects R1 to the ISP.

Hints

  • Traffic from 192.168.1.0/24 enters R1 through G0/0, so apply the ACL inbound on G0/0.
  • The ACL must include a permit statement for 192.168.2.0/24 to avoid being blocked by implicit deny.
  • Use the 'eq' keyword to match specific port numbers for HTTP (80) and HTTPS (443).
A.
  ip access-list extended FILTER
   permit tcp 192.168.1.0 0.0.0.255 any eq 80
   permit tcp 192.168.1.0 0.0.0.255 any eq 443
   permit ip 192.168.2.0 0.0.0.255 any
  interface g0/0
   ip access-group FILTER in
B.
  ip access-list extended FILTER
   permit tcp 192.168.1.0 0.0.0.255 any eq 80
   permit tcp 192.168.1.0 0.0.0.255 any eq 443
   permit ip 192.168.2.0 0.0.0.255 any
  interface g0/0
   ip access-group FILTER out
C.
  ip access-list extended FILTER
   permit tcp 192.168.1.0 0.0.0.255 any eq 80
   permit tcp 192.168.1.0 0.0.0.255 any eq 443
   permit ip 192.168.2.0 0.0.0.255 any
  interface g0/1
   ip access-group FILTER in
D.
  ip access-list extended FILTER
   permit tcp 192.168.1.0 0.0.0.255 any eq 80
   permit tcp 192.168.1.0 0.0.0.255 any eq 443
   permit ip 192.168.2.0 0.0.0.255 any
  interface g0/0
   ip access-group FILTER in
  interface g0/1
   ip access-group FILTER in
Answer: A
Solution
! R1
ip access-list extended FILTER
 permit tcp 192.168.1.0 0.0.0.255 any eq 80
 permit tcp 192.168.1.0 0.0.0.255 any eq 443
 permit ip 192.168.2.0 0.0.0.255 any
interface GigabitEthernet0/0
 ip access-group FILTER in

Why this answer

The task required an extended ACL to permit HTTP/HTTPS from 192.168.1.0/24 and all traffic from 192.168.2.0/24. The candidate must create a named ACL (e.g., FILTER), add two permit statements for TCP/80 and TCP/443 from 192.168.1.0 0.0.0.255 to any, then a permit ip from 192.168.2.0 0.0.0.255 to any. The ACL is applied inbound on G0/0 (the interface facing 192.168.1.0/24) because traffic from that subnet enters R1 through G0/0.

Applying it outbound on G0/0 would filter packets leaving the router toward 192.168.1.0/24, that is, the return traffic, whose source is the Internet host rather than 192.168.1.0/24; nothing in the list matches it, so the implicit deny would drop every reply. The list goes only on G0/0, where the restricted subnet enters; the permit ip line for 192.168.2.0/24 ensures that subnet is not swallowed by the implicit deny wherever the list sees its traffic.

Exam trap

The most common trap is confusing inbound vs outbound ACL application. Remember: inbound ACL filters traffic entering the interface; outbound ACL filters traffic leaving the interface. For traffic originating from a subnet, apply the ACL inbound on the interface connected to that subnet.

Why the other options are wrong

B

The ACL is applied in the wrong direction. For traffic originating from 192.168.1.0/24, the ACL must be applied inbound on the interface where that traffic enters the router (G0/0).

C

The ACL is applied on the wrong interface. The interface facing the restricted subnet (192.168.1.0/24) is G0/0, not G0/1.

D

The ACL should only be applied on the interface where the restricted subnet's traffic enters (G0/0). Adding it inbound on G0/1 is a second evaluation the requirement did not ask for: anything entering G0/1 other than the permitted subnets would be dropped by the implicit deny, and a later edit to FILTER meant for 192.168.1.0/24 would silently change what 192.168.2.0/24 may do.
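The last step of question 163 (and, with the list name swapped, of question 156) is verifying that the implicit deny drops only what the policy intends. The following is an added example, not the page's own solution: the FILTER list with an explicit logged deny appended so the implicit deny becomes visible in counters and in syslog, and the checks that go with it. The DNS server address in the final remark is a placeholder.

```cisco
! R1: the question 163 list with an explicit logged deny appended, so the
! "implicit deny" shows up in counters and in syslog.
ip access-list extended FILTER
 remark web only from 192.168.1.0/24; everything from 192.168.2.0/24
 permit tcp 192.168.1.0 0.0.0.255 any eq 80
 permit tcp 192.168.1.0 0.0.0.255 any eq 443
 permit ip 192.168.2.0 0.0.0.255 any
 deny ip any any log
!
interface GigabitEthernet0/0
 ip access-group FILTER in
!
! Verification (exec mode)
! "Inbound  access list is FILTER" confirms the interface and the direction
show ip interface GigabitEthernet0/0 | include access list
! zero the counters, then generate traffic from a 192.168.1.0/24 host:
! a browser session bumps the 80/443 lines, a ping bumps the deny line
clear access-list counters FILTER
show access-lists FILTER
! each logged deny also produces a %SEC-6-IPACCESSLOGP line naming source,
! destination and port, which is the fastest way to spot needed traffic
! that the policy is eating
show logging | include IPACCESSLOG
!
! Caveat a practitioner checks before calling this done: the policy also denies
! UDP/53 from 192.168.1.0/24, so web browsing only works if those hosts resolve
! names elsewhere, or a line like the following is inserted above the deny:
!  permit udp 192.168.1.0 0.0.0.255 host <dns-server> eq 53
```

The explicit deny with log is a troubleshooting aid, not a change of policy: it matches exactly what the implicit deny would have matched, and the log keyword rate-limits its own messages, so it is safe to leave in place on an edge router.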

164
MCQ · medium

A network engineer successfully logs in to a router, but cannot enter configuration mode because the command is rejected by policy. Which AAA function is controlling this behavior?

A. Authentication
B. Authorization
C. Accounting
D. Encryption
Answer: B

Correct. Authorization controls what actions the user may perform.

Why this answer

Authentication confirms identity. Authorization determines which commands, privilege levels, or resources that authenticated user is permitted to access.

Exam trap

A common exam trap is confusing authentication with authorization. Candidates often think that if a user cannot enter configuration mode, it means the login failed, which is incorrect. Authentication only confirms the user's identity during login.

Once authenticated, authorization controls what commands or modes the user can access. Misunderstanding this distinction leads to incorrect answers. The question states the user successfully logged in, so the failure to enter configuration mode is due to authorization restrictions, not authentication failure.

Why the other options are wrong

A

Authentication is the process of verifying a user's identity during login. Since the engineer successfully logged in, authentication has already succeeded and is not preventing command execution.

C

Accounting records user activities and commands for auditing purposes but does not grant or deny access to commands or configuration modes, so it cannot be the cause of the command rejection.

D

Encryption protects data confidentiality during transmission but does not control user access or command permissions, so it is unrelated to the inability to enter configuration mode.

165
MCQhard

Inside hosts can reach the internet only one at a time. What is the most likely NAT issue?

A.The NAT statement is missing the overload keyword
B.The access list should deny the inside subnet
C.The inside and outside interface roles are reversed in the exhibit
D.NAT cannot be used with RFC1918 addresses
AnswerA

PAT requires overload when multiple hosts share one public address.

Why this answer

Without overload, dynamic NAT binds each inside local address to its own inside global address for as long as that mapping exists. With a single public address, only one inside host can hold a translation at a time, and packets from the others are dropped until the mapping times out. PAT with overload is what lets many inside hosts share a single outside interface address at the same time, distinguishing their sessions by Layer 4 port. `show ip nat translations` makes the difference visible: without overload there is one address-only entry per inside host (no protocol or ports shown), with overload there is one entry per flow, each with its own port.

Exam trap

A frequent exam trap is assuming that reversing the inside and outside interface roles causes the symptom of only one host accessing the internet at a time. While interface roles are critical for NAT operation, reversing them typically prevents translation altogether rather than limiting it to a single host. Another trap is thinking that the ACL should deny the inside subnet to fix the issue, but denying the inside subnet in the ACL stops all translations, causing no internet access.

The real cause is missing the overload keyword, which is essential for PAT to allow multiple hosts to share one public IP simultaneously.

Why the other options are wrong

B

Denying the inside subnet in the ACL would prevent any NAT translation from occurring, which would block all inside hosts from reaching the internet, not just limit access to one at a time.

C

Reversing inside and outside interface roles typically stops NAT from functioning entirely rather than allowing only one host at a time. The symptom points more directly to missing overload.

D

NAT is specifically designed to translate RFC1918 private IP addresses to public IP addresses. Saying NAT cannot be used with RFC1918 addresses is incorrect and contradicts common practice.

166
MCQhard

Two static routes exist for the 203.0.113.0/24 network: one pointing to ISP-A with an administrative distance of 10, and another pointing to ISP-B with an administrative distance of 5. Packets for that subnet are leaving through ISP-B. What explains this behavior?

A.The ISP-B route has a lower administrative distance.
B.Static routes with a higher next-hop IP are preferred.
C.The router always prefers the route configured last.
D.The route names force policy-based routing.
AnswerA

AD 5 beats AD 10 for the same prefix.

Why this answer

The route via ISP-B has a lower administrative distance, so it wins for the identical /24 prefix. For routes to the same destination and mask learned from different sources, the router compares AD before considering anything else. `show ip route 203.0.113.0` shows only the AD 5 route installed; the AD 10 route is a floating static that enters the routing table only if the ISP-B next hop becomes unreachable.

Exam trap

A frequent exam trap is assuming that the next-hop IP address or the order in which static routes are configured affects route selection. Candidates might incorrectly believe that a higher next-hop IP or the last configured route is preferred, but Cisco routers do not use these factors in route preference. Another common mistake is thinking that route names or descriptions influence routing decisions or enforce policy-based routing, which they do not.

The key is to remember that administrative distance is the primary factor in route selection when multiple routes to the same prefix exist.

Why the other options are wrong

B

This option is incorrect because the next-hop IP address does not influence route preference. Cisco routers do not consider the numeric value of the next-hop IP when selecting routes.

C

This option is incorrect because the router does not prefer routes based on the order they were configured. Route selection depends on administrative distance and metrics, not configuration sequence.

D

This option is incorrect because route names or descriptions are only for human readability and do not enforce policy-based routing. Policy-based routing requires explicit configuration beyond naming.

167
Matchingmedium

Match each access-control term to its most accurate meaning.


Descriptions

Verification of identity

Determination of allowed actions

Limiting access to only what is necessary

Credential store maintained on the device itself

Why these pairings

AAA is a framework for controlling access. Authentication verifies identity, authorization determines which actions are allowed, and accounting logs activity. Least privilege limits access to only what the task requires, and a local username database (`username ... secret`) is a credential store kept on the device itself, as opposed to a central RADIUS or TACACS+ server. Identification is the initial claim of identity and auditing is the review of the logs; neither is one of the three A's.

Exam trap

The exam often tests the distinction between authentication (verifying identity) and authorization (granting permissions). Many candidates mix these up. Also, remember that accounting is about logging, not access decisions.

168
MCQmedium

On a user access port, port security is configured with a maximum of 2 MAC addresses and violation mode restrict. A third unauthorized device is connected through a small unmanaged switch. What happens?

A.The port goes err-disabled immediately.
B.Traffic from the unauthorized MAC is dropped, but the interface stays up.
C.The switch learns the third MAC after aging out the first one instantly.
D.All traffic from the port is flooded to the VLAN for analysis.
AnswerB

That is the expected behavior in restrict mode.

Why this answer

In restrict mode, frames from unknown MAC addresses are dropped, the violation counter increments, and a syslog message or SNMP trap can be generated. Unlike shutdown mode, the interface does not go err-disabled. `show port-security interface <interface>` confirms it: Port Status stays Secure-up while Security Violation Count climbs with each offending frame.

Exam trap

A common exam trap is confusing the restrict violation mode with shutdown mode. Candidates often mistakenly believe that any violation causes the port to go err-disabled immediately. However, restrict mode only drops unauthorized traffic and keeps the interface up, allowing legitimate devices to continue communicating.

This misunderstanding can lead to selecting the wrong answer, especially when the question specifies restrict mode. Remember that shutdown mode is the one that disables the port on violation, not restrict mode. Misreading the violation mode or assuming default behavior without verification is a frequent pitfall.

Why the other options are wrong

A

Option A states that the port goes err-disabled immediately, which matches the shutdown violation mode behavior, not restrict mode. Since the question specifies restrict mode, this option is incorrect.

C

Option C suggests that the switch instantly ages out the first learned MAC address to learn the third one, which is incorrect. Port security does not age out addresses immediately upon violation; the maximum limit is strictly enforced.

D

Option D claims that all traffic from the port is flooded to the VLAN for analysis, which is not how port security functions. Port security drops unauthorized traffic rather than flooding it, making this option invalid.

169
PBQhard

You are connected to R1. The network uses OSPF between R1 and R2. Configure an extended ACL on R1 so that hosts in VLAN 10 (192.168.10.0/24) can reach the web server at 203.0.113.100 only via HTTP/HTTPS, and hosts in VLAN 20 (192.168.20.0/24) can reach it via any TCP service except HTTP/HTTPS. All other traffic to the server must be denied. Apply the ACL outbound on the interface facing the server. Currently, the ACL is missing the permit for VLAN 20 traffic, causing connectivity loss.

Network Topology
R1 G0/0 192.0.2.1/30 <-> R2 G0/0 192.0.2.2/30; R2 G0/1 203.0.113.1/24 <-> Web Server 203.0.113.100/24

Hints

  • The current ACL blocks HTTP/HTTPS from all sources, but VLAN 10 should be allowed to use those ports.
  • Use the 'range' keyword to permit a contiguous set of ports for VLAN 20, excluding ports 80 and 443.
  • Remember to deny all other traffic to the server after the permits.
A.Remove the two deny statements and add: permit tcp 192.168.20.0 0.0.0.255 host 203.0.113.100 range 1 79, permit tcp 192.168.20.0 0.0.0.255 host 203.0.113.100 range 81 442, permit tcp 192.168.20.0 0.0.0.255 host 203.0.113.100 range 444 65535, then deny ip any any
B.Add a permit statement for VLAN 20 before the deny statements: permit tcp 192.168.20.0 0.0.0.255 host 203.0.113.100 range 1 65535
C.Remove the two deny statements and add: permit tcp 192.168.20.0 0.0.0.255 host 203.0.113.100 eq www, permit tcp 192.168.20.0 0.0.0.255 host 203.0.113.100 eq 443
D.Add a deny statement for VLAN 20 HTTP/HTTPS before the existing permit statements: deny tcp 192.168.20.0 0.0.0.255 host 203.0.113.100 eq www, deny tcp 192.168.20.0 0.0.0.255 host 203.0.113.100 eq 443, then add a permit tcp 192.168.20.0 0.0.0.255 host 203.0.113.100 range 1 65535
AnswerA
solution
! R1
configure terminal
no ip access-list extended BLOCK_HTTP
ip access-list extended BLOCK_HTTP
permit tcp 192.168.10.0 0.0.0.255 203.0.113.100 0.0.0.0 eq 80
permit tcp 192.168.10.0 0.0.0.255 203.0.113.100 0.0.0.0 eq 443
permit tcp 192.168.20.0 0.0.0.255 203.0.113.100 0.0.0.0 range 1 79
permit tcp 192.168.20.0 0.0.0.255 203.0.113.100 0.0.0.0 range 81 442
permit tcp 192.168.20.0 0.0.0.255 203.0.113.100 0.0.0.0 range 444 65535
deny ip any 203.0.113.100 0.0.0.0
end
clear access-list counters BLOCK_HTTP

Why this answer

The ACL BLOCK_HTTP is applied outbound on G0/0, the interface toward R2 and the server. An outbound ACL filters transit traffic R1 forwards out that interface; traffic R1 generates itself, such as its OSPF packets to R2, is not subject to it. The first two deny statements incorrectly block HTTP/HTTPS from any source, including VLAN 10, which should be allowed. The correct approach is to permit HTTP/HTTPS only for VLAN 10, permit all other TCP services (except HTTP/HTTPS) for VLAN 20, then deny all other traffic to the server.

The solution removes the overly broad deny statements and adds specific permits for VLAN 20 to reach the server on any TCP port except 80 and 443, followed by an explicit deny for all remaining traffic to the server. The implicit deny at the end of the ACL still drops anything else.

Exam trap

The trap is that the existing deny statements for HTTP/HTTPS are too broad: they match any source, so they block the HTTP/HTTPS access VLAN 10 is supposed to have. Candidates might think they only need to add permits for VLAN 20, but those permits must exclude ports 80 and 443, and the broad denies must go. Another trap is the closing deny: the implicit deny would catch everything anyway, but the task states 'All other traffic to the server must be denied', so an explicit deny for the server is good practice and, unlike the implicit deny, shows match counters in `show ip access-lists`.

Why the other options are wrong

B

The specific factual error is that the permit statement does not exclude ports 80 and 443. It allows all TCP ports, which is too permissive.

C

The specific factual error is that the permit statements allow the very ports that should be denied for VLAN 20. This misinterprets the requirement.

D

The specific factual error is in what option D leaves behind: the two existing deny statements for HTTP/HTTPS from any source stay at the top of the ACL, so VLAN 10's HTTP/HTTPS is still dropped by first match. Its VLAN 20 entries (deny 80 and 443, then permit the full range) are functionally equivalent to the three port ranges in option A, but they do not repair the broken VLAN 10 access. Note also that a later permit can never 'override' an earlier deny: IOS stops at the first entry that matches.
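To make the first-match logic concrete, here is an added Python model (not part of the question bank and not Cisco software) of how IOS walks an extended ACL: top to bottom, the first matching entry decides, and the implicit deny applies if nothing matches. It encodes the corrected BLOCK_HTTP from the solution and, for contrast, the ACL that option D would leave behind as the scenario describes it, then checks both against constructed flows from VLAN 10 and VLAN 20. The test addresses and the reading of option D's resulting ACL are assumptions drawn from the scenario text.

```python
"""Extended-ACL evaluation as IOS does it: top-down, first match wins, implicit deny at the end.

Added example for the BLOCK_HTTP task; it reimplements only the matching rules the page
relies on (wildcard masks, TCP destination port ranges). Flows and addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Ace:
    action: str                                # "permit" or "deny"
    proto: str                                 # "ip" matches every protocol, else "tcp"/"udp"/"icmp"
    src: str                                   # "any" | "host A.B.C.D" | "A.B.C.D W.W.W.W" (wildcard)
    dst: str
    dports: Optional[Tuple[int, int]] = None   # inclusive destination port range, None = any port


def _match_addr(spec: str, addr: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'do not care' about that bit."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return spec.split()[1] == addr
    base, wildcard = spec.split()
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(base)) & care) == (int(ipaddress.IPv4Address(addr)) & care)


def evaluate(acl, src, dst, proto="tcp", dport=None):
    """Return (action, ace_index); ace_index None means the implicit 'deny ip any any' fired."""
    for i, ace in enumerate(acl):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not (_match_addr(ace.src, src) and _match_addr(ace.dst, dst)):
            continue
        if ace.dports is not None:
            if dport is None or not ace.dports[0] <= dport <= ace.dports[1]:
                continue
        return ace.action, i            # first match decides, nothing below is consulted
    return "deny", None


SERVER = "host 203.0.113.100"
VLAN10 = "192.168.10.0 0.0.0.255"
VLAN20 = "192.168.20.0 0.0.0.255"

# The corrected BLOCK_HTTP from the solution; entry order matters.
BLOCK_HTTP_FIXED = [
    Ace("permit", "tcp", VLAN10, SERVER, (80, 80)),
    Ace("permit", "tcp", VLAN10, SERVER, (443, 443)),
    Ace("permit", "tcp", VLAN20, SERVER, (1, 79)),
    Ace("permit", "tcp", VLAN20, SERVER, (81, 442)),
    Ace("permit", "tcp", VLAN20, SERVER, (444, 65535)),
    Ace("deny", "ip", "any", SERVER),
]

# Option D as the scenario describes the result: the two broad deny statements stay on top.
BLOCK_HTTP_OPTION_D = [
    Ace("deny", "tcp", "any", SERVER, (80, 80)),
    Ace("deny", "tcp", "any", SERVER, (443, 443)),
    Ace("deny", "tcp", VLAN20, SERVER, (80, 80)),
    Ace("deny", "tcp", VLAN20, SERVER, (443, 443)),
    Ace("permit", "tcp", VLAN10, SERVER, (80, 80)),
    Ace("permit", "tcp", VLAN10, SERVER, (443, 443)),
    Ace("permit", "tcp", VLAN20, SERVER, (1, 65535)),
]

# Constructed test flows: (source, destination, protocol, destination port)
FLOWS = {
    "vlan10_https": ("192.168.10.5", "203.0.113.100", "tcp", 443),
    "vlan10_ssh":   ("192.168.10.5", "203.0.113.100", "tcp", 22),
    "vlan20_http":  ("192.168.20.7", "203.0.113.100", "tcp", 80),
    "vlan20_ssh":   ("192.168.20.7", "203.0.113.100", "tcp", 22),
    "vlan20_icmp":  ("192.168.20.7", "203.0.113.100", "icmp", None),
    "vlan20_to_r2": ("192.168.20.7", "192.0.2.2", "tcp", 22),
}


def verdicts(acl):
    """Map each constructed flow name to the action the ACL takes on it."""
    return {name: evaluate(acl, *flow)[0] for name, flow in FLOWS.items()}
```

`verdicts(BLOCK_HTTP_FIXED)` permits VLAN 10 only on 80/443 and VLAN 20 on everything but those two ports; ICMP to the server hits the explicit `deny ip any host`, and a flow to R2's address falls through to the implicit deny. `verdicts(BLOCK_HTTP_OPTION_D)` shows VLAN 10 HTTPS stopping at index 1, the leftover `deny tcp any host 203.0.113.100 eq 443`, which is why no later permit can rescue it.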

170
Drag & Drophard

Drag and drop the following steps into the correct order to configure a Cisco IOS-XE router as a DHCP server for a local subnet and enable a DHCP relay agent on a different interface to forward client requests to that server.



Why this order

The DHCP server must be configured first on the local subnet, then the relay agent on the remote interface to forward requests; verification ensures both server and relay function correctly.

Exam trap

Do not confuse the order of configuration: the DHCP server must be configured first, then the relay agent. Verification should be performed after both are configured to test end-to-end functionality.

171
Multi-Selecteasy

Which two statements correctly describe syslog severity levels?

Select 2 answers
A.Level 0 is the most severe
B.Level 7 is debugging
C.Higher numbers always mean more critical issues
D.Severity levels are used only by NTP
E.Syslog has only four severity levels
AnswersA, B

Emergency is the highest severity.

Why this answer

Syslog uses numbered severity levels where lower numbers indicate more critical events. Level 0 (Emergency) is the most severe, and Level 7 (Debugging) is the least. Option D is incorrect because severity levels are a syslog function, not specific to NTP.

Option E is wrong because syslog defines eight severity levels (0–7), not four.

Exam trap

A common mistake is assuming that higher syslog severity numbers mean more critical issues, but the opposite is true—lower numbers indicate higher severity.

Why the other options are wrong

D

Severity levels are a fundamental part of the syslog protocol and are not limited to or used only by NTP.

E

Syslog defines eight severity levels (0 through 7), not four.

172
MCQhard

Refer to the exhibit. A network administrator notices that newly connected devices on the 192.168.1.0/24 subnet are failing to obtain IP addresses via DHCP and are instead assigning themselves APIPA addresses. The administrator issues the show ip dhcp pool command on the router and receives the output shown. What is the most likely cause of this issue?

A.DHCP snooping is blocking DHCP Offer messages on the VLAN.
B.The DHCP pool has an address conflict, causing all addresses to be marked as ineligible.
C.The lease time is set to 7 days, causing old devices to hold IP addresses long after disconnecting.
D.The pool's subnet mask is incorrectly configured as /24 instead of /25, limiting available addresses.
AnswerC

The 'Lease expiration' of 7 days combined with 'Current bindings: 253' reveals that the pool stays exhausted because leases take a week to expire, starving new clients of addresses.

Why this answer

The exhibit shows 'Current bindings: 253' out of 'Total addresses: 254', meaning only one free IP remains. 'Lease expiration' is 7 days, indicating that devices that have disconnected still hold their bindings for up to a week, preventing new clients from obtaining addresses. This explains the APIPA fallback. The practical fix is to shorten the lease in the pool (`lease 1` for one day, or `lease 0 8` for eight hours) or enlarge the pool; `show ip dhcp binding` lists which clients hold leases, and `clear ip dhcp binding *` releases the stale ones immediately.

Exam trap

Many candidates choose option A, suspecting DHCP snooping blocks Offer messages, but the exhibit contains no reference to snooping or blocked traffic—the straightforward cause is pool exhaustion due to a long lease time.

Why the other options are wrong

A

Candidates often prematurely blame security features when DHCP fails, ignoring the pool statistics right in front of them.

B

A common mistake is assuming that conflicts always fill up a pool, but the exhibit's conflict count of zero directly disproves this.

D

Misunderstanding subnet sizing often leads candidates to blame the mask, but the exhibit confirms the mask is appropriate for the pool size.

173
MCQmedium

A router is configured as follows:

interface g0/1
 ip address 172.16.1.1 255.255.255.0
 ip helper-address 10.20.20.10

Hosts on 172.16.1.0/24 are not receiving addresses from the DHCP server at 10.20.20.10. The server is reachable by ping from the router. What is the purpose of the ip helper-address command in this scenario?

A.It converts DHCP unicast replies into broadcasts on the client segment
B.It forwards certain UDP broadcasts, including DHCP requests, to a remote server
C.It provides DNS resolution for DHCP clients before they receive an address
D.It creates a static route to the DHCP server
AnswerB

Correct. The command relays certain UDP broadcasts, including DHCP client requests, to a server on another subnet. That is why DHCP can work even when the server is not local to the client VLAN.

Why this answer

The ip helper-address command exists to solve a broadcast-boundary problem. DHCP clients begin by sending broadcast traffic because they do not yet have a valid IP configuration. Routers normally do not forward broadcasts between subnets, so if the DHCP server lives on a different network, the client request would stop at the router.

The helper-address function listens for that local broadcast and relays it as unicast traffic to the remote DHCP server. In plain language, it lets a client on one VLAN ask a DHCP server on another VLAN for an address. The command is not a routing statement and it is not a DNS feature.

It is a relay mechanism for broadcast-based UDP services such as DHCP. Two practical caveats: by default `ip helper-address` forwards several UDP services besides BOOTP/DHCP (TFTP, DNS, Time, NetBIOS name and datagram, TACACS), and `no ip forward-protocol udp <port>` trims that list to what is actually needed. And in the scenario above, the server being pingable from the router is not enough: the server must hold a scope for 172.16.1.0/24, which it selects from the relay's giaddr of 172.16.1.1, and it must have a route back to that relay address.

Exam trap

A frequent exam trap is confusing the ip helper-address command as a feature that converts DHCP unicast replies into broadcasts on the client segment. In reality, the router forwards DHCP client broadcasts as unicast to the server, not the other way around. Another mistake is assuming the command creates static routes or provides DNS resolution, which it does not.

Misunderstanding these functions leads to incorrect troubleshooting and answer choices, especially when the DHCP server is reachable by ping but clients still fail to get addresses due to missing broadcast relay.

Why the other options are wrong

A

Option A describes the reverse direction. The purpose of the command is to take the client's broadcast request and relay it as unicast to the server. The relay does hand the server's unicast reply back onto the client segment, but that is the return half of relaying, not what the command is for, and it does not address the broadcast boundary that stops the client's request in the first place.

C

Option C incorrectly claims the command provides DNS resolution for DHCP clients before they receive an address. DNS resolution is unrelated to the ip helper-address function, which only relays UDP broadcasts like DHCP requests and does not perform name resolution.

D

Option D mistakenly suggests that the command creates a static route to the DHCP server. Routing and static routes are separate functions; the ip helper-address does not affect routing tables but only relays broadcast traffic as unicast.

174
MCQhard

Refer to the exhibit. A network engineer is troubleshooting an issue where syslog messages at severity 6 (informational) and severity 7 (debugging) are not being sent to the syslog server at 192.168.100.50, even though the device appears to generate these messages locally. Based on the exhibit, what is the most likely cause?

A.The logging buffer is full, preventing new informational and debug messages from being sent to the syslog server.
B.The syslog server IP address 192.168.100.50 is unreachable from the router.
C.The trap logging level is set to errors (severity 3), filtering out informational and debug messages.
D.Console logging is disabled, so only severity 3 and lower messages appear.
AnswerC

The 'Trap logging: level errors (3)' line in the exhibit explicitly limits syslog messages sent to the syslog server to severity 0–3. Informational (6) and debug (7) are higher in numeric value (less severe) and are dropped by this filter.

Why this answer

The exhibit shows 'Trap logging: level errors (3)'. This filter level means only syslog messages with severity 0 (emergency) through 3 (errors) are forwarded to the syslog server. Severity 6 (informational) and 7 (debugging) are above this threshold and are therefore excluded.

The log buffer, however, is set to 'debugging' level, so those messages appear locally but are not sent to the server.

Exam trap

The presence of informational and debug messages in the local buffer (like %SYS-6-CLOCKUPDATE and %SYS-7-DEBUG) might mislead candidates into thinking the server connection is faulty or that the buffer is the issue. In reality, the trap logging level (errors) filters them out before transmission.

Why the other options are wrong

A

Candidates may associate local buffer behavior with remote logging, but the buffer is just local storage, independent of trap forwarding.

B

A reachability problem would affect all severities equally, not selectively filter only informational and debug messages.

D

Candidates may confuse console and trap logging, but each destination has its own independent severity level.
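As an added illustration of the per-destination filtering in this question and in question 171 (not code from the page or from Cisco), the following Python model applies the two thresholds the exhibit shows, `logging buffered debugging` and `logging trap errors`, to constructed log lines in IOS %FACILITY-SEVERITY-MNEMONIC format, and then shows what changes with `logging trap informational`. The log lines are constructed samples using real IOS mnemonics and their real severities.

```python
"""Per-destination syslog severity filtering as a Cisco IOS device applies it.

Added example, not part of the question bank. Each logging destination (buffer, console,
monitor, trap/syslog server) has its own level; a message is delivered to a destination
only if its severity number is <= that level. Lower number = more severe.
"""
import re

# IOS level keyword -> numeric severity
SEVERITY = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}

_MSG = re.compile(r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+):")


def severity_of(line: str) -> int:
    """Pull the severity digit out of %FACILITY-N-MNEMONIC; raise if the line is not an IOS message."""
    m = _MSG.search(line)
    if m is None:
        raise ValueError(f"not an IOS syslog message: {line!r}")
    return int(m.group("sev"))


def deliver(lines, thresholds):
    """thresholds: {destination: level keyword}. Returns {destination: [lines that reach it]}.

    This is how `logging trap errors` keeps severity 6 and 7 off the wire while
    `logging buffered debugging` still stores them locally."""
    delivered = {dest: [] for dest in thresholds}
    for line in lines:
        sev = severity_of(line)
        for dest, level in thresholds.items():
            if sev <= SEVERITY[level]:
                delivered[dest].append(line)
    return delivered


SAMPLE_LOG = [  # constructed lines; mnemonics and severities are the real IOS ones
    "*Mar  1 00:01:10.123: %SYS-6-CLOCKUPDATE: System clock has been updated from 00:01:09 UTC to 00:01:10 UTC",
    "*Mar  1 00:01:12.456: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down",
    "*Mar  1 00:01:12.460: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "*Mar  1 00:01:13.001: %SYS-7-DEBUG: constructed debug-level line standing in for the exhibit's debug output",
    "*Mar  1 00:02:00.000: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.9] [localport: 22] [Reason: Login Authentication Failed]",
    "*Mar  1 00:02:05.000: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port GigabitEthernet0/3.",
]

EXHIBIT = {"buffered": "debugging", "trap": "errors"}        # as configured in the exhibit
FIXED = {"buffered": "debugging", "trap": "informational"}   # after `logging trap informational`


def trap_counts(thresholds=EXHIBIT):
    """How many constructed lines each destination receives under a given threshold set."""
    return {dest: len(lines) for dest, lines in deliver(SAMPLE_LOG, thresholds).items()}
```

With the exhibit's thresholds only the severity 2 and 3 lines reach the trap destination. Note what else is lost: the severity 4 LOGIN_FAILED line never reaches the syslog server either, so `logging trap errors` silently hides failed logins from whatever is collecting the logs. `logging trap informational` forwards everything except debug output, which is usually what a collector wants; `logging trap debugging` should be reserved for short troubleshooting windows because debug volume can swamp both the server and the device's CPU.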

175
Matchingmedium

Match each security control or idea to its most accurate purpose.


Descriptions

Secures remote management sessions

Provides authentication, authorization, and accounting framework

Limits access to only what is necessary

Centralizes visibility into device events and messages

Why these pairings

SSH encrypts remote CLI sessions, ensuring secure management access. AAA is a framework that defines how users are authenticated, what they are authorized to do, and how their actions are accounted for. The least privilege principle restricts users to only the permissions essential for their role, minimizing potential damage.

Syslog collects and centralizes log messages from devices, providing visibility into network events and aiding in troubleshooting and security monitoring.

Exam trap

Candidates often confuse SSH with Telnet or other remote-access methods; SSH is specifically for encrypted management sessions, not generic remote connectivity. Additionally, AAA is sometimes misinterpreted as only authentication, but it encompasses authorization and accounting as well.

176
MCQmedium

Exhibit: An administrator wants inside hosts in 192.168.10.0/24 to reach the internet using one public IP address on the edge router. Which feature is being used?

A.Static NAT
B.Policy-based routing
C.PAT overload
D.Port security
AnswerC

The overload keyword indicates PAT using one outside interface address.

Why this answer

When many inside private addresses share one public address and are differentiated by Layer 4 port numbers, the router is using PAT. Cisco documentation often calls this NAT overload.

Exam trap

Be careful not to confuse the different types of NAT. Remember, PAT is specifically for sharing one public IP among many devices using port numbers.

Why the other options are wrong

A

Static NAT requires a one-to-one mapping between an inside local address and an inside global address, which would consume multiple public IPs if multiple hosts need internet access. It does not allow multiple inside hosts to share a single public IP.

B

Policy-based routing (PBR) is used to override the routing table based on policies (e.g., source/destination IP, protocol), not to perform address translation. It does not modify IP addresses or enable multiple hosts to share a single public IP.

D

Port security is a switchport security feature that restricts MAC addresses allowed on a port to prevent unauthorized access. It does not perform IP address translation or enable internet access for multiple hosts.
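As an added illustration of PAT here and of the one-host-at-a-time symptom in question 165, the following Python model (not code from the page or from Cisco IOS) keeps the translation table behind `ip nat inside source list 1 interface GigabitEthernet0/0 [overload]` when the only inside global address is the interface address. The inside global 198.51.100.2 and the inside hosts are constructed, and the port-selection rule is a simplification of what IOS actually does.

```python
"""Dynamic NAT with one global address versus PAT (overload).

Added example, not part of the question bank. Without overload the single inside global
address is bound to one inside local address at a time; with overload many inside hosts
share it and are told apart by the outside source port.
"""


class NatTable:
    def __init__(self, inside_global: str, overload: bool):
        self.inside_global = inside_global
        self.overload = overload
        self.entries = {}        # (inside_local, src_port) -> port seen on the outside
        self.holder = None       # dynamic NAT only: the inside host currently owning the address
        self.ports_in_use = set()

    def translate(self, inside_local: str, src_port: int):
        """Outbound packet: return (inside_global, outside_port), or None if it cannot be translated."""
        key = (inside_local, src_port)
        if key in self.entries:
            return self.inside_global, self.entries[key]
        if not self.overload:
            # Without overload the one global address belongs to a single inside host until that
            # mapping ages out; other hosts get no translation and their packets are dropped.
            if self.holder not in (None, inside_local):
                return None
            self.holder = inside_local
            self.entries[key] = src_port     # address-only translation, the port is untouched
            return self.inside_global, src_port
        # PAT: keep the original source port when it is free, otherwise take a free one >= 1024
        port = src_port if src_port not in self.ports_in_use else self._free_port()
        self.ports_in_use.add(port)
        self.entries[key] = port
        return self.inside_global, port

    def _free_port(self) -> int:
        port = 1024
        while port in self.ports_in_use:
            port += 1
        return port

    def untranslate(self, outside_port: int):
        """Inbound reply: find (inside_local, src_port) for the port, or None for an unsolicited packet."""
        for (inside_local, src_port), port in self.entries.items():
            if port == outside_port:
                return inside_local, src_port
        return None


def concurrent_hosts(overload: bool, hosts=("192.168.10.11", "192.168.10.12", "192.168.10.13")) -> int:
    """How many of the constructed inside hosts can reach the Internet at the same time."""
    table = NatTable("198.51.100.2", overload)
    return sum(table.translate(h, 50000) is not None for h in hosts)
```

`concurrent_hosts(False)` is 1 and `concurrent_hosts(True)` is 3, which is the whole difference the `overload` keyword makes. The `untranslate` path also shows why an unsolicited inbound packet is dropped: there is no table entry for it. That is a side effect of translation, not a security control; anything exposed with a static mapping is reachable regardless.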

177
Drag & Dropmedium

Which of the following sequences correctly orders the steps to plan, configure, and apply an extended ACL that permits HTTP traffic from the 192.168.1.0/24 subnet to the server at 10.0.0.1, and deny all other IP traffic, applied inbound on interface GigabitEthernet0/1?



Why this order

First enter global config, then create ACL with permit statement, then deny all, then enter interface, then apply ACL inbound.

Exam trap

Be careful with the order of ACL entries: the first match wins, so place more specific entries (permit or deny) before general ones, or the general entry will swallow traffic the specific one was meant to handle. Also remember that ACLs must be created before they can be applied, and the direction (inbound/outbound) must match the requirement.

178
Matchingmedium

Match each security-related term to its most accurate meaning.


Descriptions

Protection against unauthorized disclosure

Protection against unauthorized modification

Ensuring systems and data can be accessed when needed

Recording activity or usage details

Why these pairings

Confidentiality ensures data is only accessible to authorized parties, directly matching 'protection against unauthorized disclosure.' Integrity safeguards data from tampering, aligning with 'protection against unauthorized modification.' Availability guarantees that systems and data are reachable when required, fitting 'ensuring systems and data can be accessed when needed.' Accounting provides a trail of user activity, corresponding to 'recording activity or usage details.' Each term maps precisely to its defined security objective in the CIA triad and operational security.

Exam trap

Students often confuse Accounting with Authentication or Authorization; Accounting specifically involves recording what actions were taken, not granting or denying access.

179
Matchingmedium

Match each security control idea to its most accurate purpose.


Descriptions

Limits access to only what is necessary

Provides encrypted remote administration

Disables an edge port if a BPDU is received

Limits and controls MAC address learning on a switch port

Why these pairings

Least privilege restricts users and processes to only the access rights necessary for their tasks, reducing the attack surface. SSH provides encrypted remote management, preventing eavesdropping and credential theft during administrative sessions. BPDU Guard immediately disables an edge port if a BPDU is received, safeguarding the network from unauthorized switches and potential loops.

Port security limits the number and identity of allowed MAC addresses on a switch port, blocking MAC flooding and unauthorized device access.

Exam trap

The exam often tests your ability to differentiate between security controls that sound similar but have distinct functions. Do not assume one control covers another's job: BPDU Guard reacts to spanning-tree BPDUs, port security to MAC addresses, and neither is a substitute for the other.

180
MCQmedium

Which DHCP message does the client send to formally accept an offered address?

A.DISCOVER
B.OFFER
C.REQUEST
D.ACK
AnswerC

Correct. REQUEST is the client's acceptance step.

Why this answer

In the DORA process, the client sends DHCPREQUEST after receiving an offer. The server then responds with DHCPACK if the lease is granted. The REQUEST is itself broadcast, so any other server that made an offer learns it was not chosen and returns that address to its pool.

Exam trap

Be careful not to confuse the direction of messages in the DHCP process. Remember which messages are client-initiated and which are server responses.

Why the other options are wrong

A

The DISCOVER message is used by the client to locate available DHCP servers, not to accept an offered address. It is the first step in the DORA process.

B

The OFFER message is sent by the DHCP server to propose an IP address to the client, not by the client to accept it. The client cannot send an OFFER.

D

The ACK message is sent by the DHCP server to confirm the lease after receiving the REQUEST, not by the client. The client does not send ACK.

181
PBQhard

You are connected to R1. Configure DHCP services so that hosts on VLAN 10 (192.168.10.0/24) can obtain IP addresses from R1. Additionally, configure the switch SW1 to prevent rogue DHCP server attacks on that VLAN. The current configuration has a misconfigured helper-address and an excluded-address range that is too broad.

Network Topology
R1 G0/0.10 192.168.10.1/24 <-> SW1 <-> Hosts

Hints

  • The helper-address should point to the DHCP server itself, not an external address.
  • The excluded-address range is too wide; leave room for hosts to get IPs.
  • On the switch, only the port connecting to the legitimate DHCP server should be trusted.
A.On R1, change the helper-address to 192.168.10.1 and the excluded-address range to 192.168.10.1 192.168.10.10. On SW1, enable DHCP snooping globally and for VLAN 10, and set interface G0/1 as trusted.
B.On R1, change the helper-address to 192.168.10.255 and the excluded-address range to 192.168.10.1 192.168.10.10. On SW1, enable DHCP snooping globally and for VLAN 10, and set all ports as trusted.
C.On R1, change the helper-address to 192.168.10.1 and the excluded-address range to 192.168.10.1 192.168.10.254. On SW1, enable DHCP snooping globally and for VLAN 10, and set interface G0/1 as untrusted.
D.On R1, change the helper-address to 192.168.10.1 and the excluded-address range to 192.168.10.1 192.168.10.10. On SW1, enable DHCP snooping globally and for VLAN 10, and set interface G0/1 as untrusted.
AnswerA
solution
! R1
configure terminal
no ip dhcp excluded-address 192.168.10.1 192.168.10.254
ip dhcp excluded-address 192.168.10.1 192.168.10.10
interface GigabitEthernet0/0.10
no ip helper-address 10.0.0.2
ip helper-address 192.168.10.1
end

! SW1
configure terminal
ip dhcp snooping
ip dhcp snooping vlan 10
interface GigabitEthernet0/1
ip dhcp snooping trust
interface GigabitEthernet0/2
no ip dhcp snooping limit rate 10
ip dhcp snooping limit rate 15
end

Why this answer

The helper-address on R1's subinterface points to 10.0.0.2, which is not the DHCP server (R1 itself is the server). The excluded-address range covers every address in the subnet, so no host can be leased one. The fix narrows the excluded range to the first ten addresses (or just the gateway) and repoints the helper at 192.168.10.1, the interface address of R1. Strictly speaking, a helper-address is only needed when the DHCP server sits on another subnet; R1's own DHCP service answers requests received on G0/0.10 because a pool for that subnet exists, so the correction that matters is removing the entry that forwarded client requests to 10.0.0.2.

On SW1, enable DHCP snooping globally and for VLAN 10, and mark the port facing R1 (G0/1) as trusted; all other ports stay untrusted so that a rogue server's OFFER or ACK arriving on them is dropped. One caveat when the DHCP server is a Cisco router: a snooping switch inserts DHCP option 82 (relay agent information) by default, and an IOS DHCP server drops option-82 packets that arrive with giaddr 0.0.0.0 unless `ip dhcp relay information trust-all` is configured on the router or `no ip dhcp snooping information option` on the switch. Forgetting this produces exactly the symptom the task describes, clients that cannot get an address, with snooping itself looking correct.

Exam trap

Watch out for two common traps: (1) The helper-address must be the DHCP server's unicast IP, not a broadcast address. (2) DHCP snooping trusted ports are for server connections; untrusted ports are for clients. Misplacing these will break DHCP or security.

Why the other options are wrong

B

The helper-address must be a unicast IP address of the DHCP server, not a broadcast address. Additionally, only ports connected to legitimate DHCP servers should be trusted; all other ports must be untrusted to block rogue servers.

C

The excluded-address range should only reserve a few addresses (e.g., for the gateway and static assignments), not the entire subnet. The port connected to the DHCP server must be trusted to allow DHCP server messages; untrusted ports block such messages.

D

DHCP snooping requires that ports connected to legitimate DHCP servers be configured as trusted. Untrusted ports are for client-facing ports where rogue servers might appear; they drop DHCP server messages.
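The three DHCP questions on this page (the relay in question 173, the DORA exchange in question 180, and the snooping trust boundary here) fit in one added Python model of the protocol exchange, shown below. It is not code from the page or from Cisco. The relay address 172.16.1.1 and helper 10.20.20.10 are taken from question 173; the scope contents, client MAC addresses (from the documentation range 00:00:5e:00:53:xx) and switch port names are constructed, and the message carries only the fields the page discusses.

```python
"""DHCP DORA across a relay (ip helper-address) with a DHCP-snooping trust check.

Added example, not part of the question bank. Messages keep only op, chaddr, yiaddr, giaddr
and the IP destination; everything else in a real DHCP packet is omitted.
"""
import ipaddress
from dataclasses import dataclass

SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}   # only a DHCP server legitimately sends these


@dataclass
class Dhcp:
    op: str                       # DISCOVER / OFFER / REQUEST / ACK / NAK
    chaddr: str                   # client hardware (MAC) address
    yiaddr: str = "0.0.0.0"       # "your" address, filled in by the server
    giaddr: str = "0.0.0.0"       # relay agent address; the server picks the scope from it
    dst: str = "255.255.255.255"  # clients broadcast; the relay re-addresses to the server


class DhcpServer:
    """Minimal server: one scope per subnet, chosen from giaddr (or the local interface)."""

    def __init__(self, scopes, local_if):
        # scopes: {"172.16.1.0/24": ["172.16.1.50", ...]}, constructed free-address lists
        self.free = {ipaddress.ip_network(n): list(a) for n, a in scopes.items()}
        self.local_if = ipaddress.ip_address(local_if)
        self.offers = {}     # chaddr -> address offered, awaiting REQUEST
        self.bindings = {}   # chaddr -> leased address

    def _scope(self, giaddr):
        hint = self.local_if if giaddr == "0.0.0.0" else ipaddress.ip_address(giaddr)
        return next((net for net in self.free if hint in net), None)

    def handle(self, m):
        if m.op == "DISCOVER":
            net = self._scope(m.giaddr)
            if m.chaddr in self.bindings:
                addr = self.bindings[m.chaddr]          # returning client: re-offer its address
            elif net is None or not self.free[net]:
                return None                             # no scope, or pool exhausted: no OFFER at all
            else:
                addr = self.free[net].pop(0)
            self.offers[m.chaddr] = addr
            # a relayed DISCOVER is answered by unicast to the relay (giaddr), not by broadcast
            reply_to = m.giaddr if m.giaddr != "0.0.0.0" else "255.255.255.255"
            return Dhcp("OFFER", m.chaddr, yiaddr=addr, giaddr=m.giaddr, dst=reply_to)
        if m.op == "REQUEST":
            if self.offers.get(m.chaddr) != m.yiaddr:
                return Dhcp("NAK", m.chaddr, giaddr=m.giaddr, dst=m.giaddr)
            self.bindings[m.chaddr] = self.offers.pop(m.chaddr)
            return Dhcp("ACK", m.chaddr, yiaddr=m.yiaddr, giaddr=m.giaddr, dst=m.giaddr)
        return None


class Relay:
    """What `ip helper-address` does: broadcast in, routed unicast out, giaddr stamped."""

    def __init__(self, interface_ip, helper):
        self.interface_ip, self.helper = interface_ip, helper

    def forward(self, m):
        if m.giaddr == "0.0.0.0":
            m.giaddr = self.interface_ip   # 172.16.1.1 tells the server to use the 172.16.1.0/24 scope
        m.dst = self.helper                # crosses the broadcast boundary as an ordinary unicast
        return m


def snooping_check(m, ingress_port, trusted_ports):
    """DHCP snooping: server messages are accepted only on trusted ports; a rogue OFFER is dropped."""
    if m.op in SERVER_MESSAGES and ingress_port not in trusted_ports:
        return None
    return m


def obtain_lease(mac, relay, server):
    """Client side of DORA via the relay; None means no OFFER came back (APIPA fallback)."""
    offer = server.handle(relay.forward(Dhcp("DISCOVER", mac)))
    if offer is None:
        return None
    ack = server.handle(relay.forward(Dhcp("REQUEST", mac, yiaddr=offer.yiaddr)))
    return ack.yiaddr if ack.op == "ACK" else None


def demo():
    """Two free addresses, three clients: the third gets nothing and self-assigns an APIPA address."""
    server = DhcpServer({"172.16.1.0/24": ["172.16.1.50", "172.16.1.51"]}, local_if="10.20.20.10")
    relay = Relay(interface_ip="172.16.1.1", helper="10.20.20.10")
    macs = ("00:00:5e:00:53:01", "00:00:5e:00:53:02", "00:00:5e:00:53:03")
    leases = [obtain_lease(mac, relay, server) for mac in macs]
    trusted = {"Gi0/1"}   # uplink toward the relay/server; every client port stays untrusted
    rogue = snooping_check(Dhcp("OFFER", macs[0], yiaddr="172.16.1.200"), "Gi0/5", trusted)
    legit = snooping_check(Dhcp("OFFER", macs[0], yiaddr="172.16.1.50"), "Gi0/1", trusted)
    return leases, rogue is None, legit is not None
```

`demo()` returns the two leases and `None` for the third client, the exhausted-pool case from question 172, plus two booleans showing the rogue OFFER on Gi0/5 dropped and the legitimate one on Gi0/1 passed. The server's reply to a relayed DISCOVER is addressed to 172.16.1.1, which is why the server needs both a scope covering that address and a route back to it.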

182
MCQhard

A network engineer notices that hosts in the 192.168.2.0/24 network connected to router R1's GigabitEthernet0/1 interface cannot reach the Internet. R1 has a standard ACL 10 configured as 'access-list 10 permit 192.168.1.0 0.0.0.255' and applied inbound on interface GigabitEthernet0/0, which connects to the 192.168.1.0/24 LAN. What is the most likely cause?

A.The implicit deny at the end of ACL 10 is blocking all outbound traffic from the 192.168.2.0/24 network.
B.The ACL is filtering return traffic from the Internet that enters G0/0, because it is applied inbound on that interface instead of outbound.
C.The router is not performing inter-VLAN routing between the 192.168.1.0 and 192.168.2.0 networks.
D.The ACL is missing a permit statement for the 192.168.2.0/24 network to allow traffic from that subnet.
AnswerB

Inbound ACLs on G0/0 inspect packets arriving from the Internet. The ACL permits only source 192.168.1.0/24, so return packets from Internet hosts with random source IPs are denied by the implicit deny, breaking connectivity for 192.168.2.0/24 hosts.

Why this answer

ACL 10 is applied inbound on G0/0, the interface that faces the 192.168.1.0/24 LAN and, in this scenario, the Internet. An inbound ACL examines packets as they enter the router on that interface, which includes return traffic from the Internet, and a standard ACL looks only at the source address. Since the list permits only sources in 192.168.1.0/24, replies from Internet hosts (whose source addresses are never in that range) destined for 192.168.2.0/24 hosts fall through to the implicit deny.

This blocks the replies and so breaks connectivity. Adding a permit for 192.168.2.0/24 cannot help, because the dropped packets carry Internet source addresses, not 192.168.2.x ones. The direction is simply wrong for what the ACL appears to intend: an outbound ACL would filter packets leaving G0/0, and even then only the sources it explicitly permits would pass.

Exam trap

Many candidates assume that adding a permit statement for the 192.168.2.0/24 source subnet would fix the issue, overlooking that the ACL direction determines which traffic is inspected. The ACL is applied inbound on the LAN-facing interface, which filters packets entering the router from that interface, not packets exiting it.

Why the other options are wrong

A

An inbound ACL never evaluates packets leaving the interface, so its implicit deny cannot block outbound traffic from 192.168.2.0/24; candidates who choose this option have misread the direction in which the ACL is applied.

C

Confusing ACL filtering with routing functionality; ACLs do not prevent the router from routing between connected subnets unless they explicitly deny the traffic on the appropriate interface and direction.

D

Candidates often try to add a permit for the source subnet of the initiating traffic, neglecting the direction of the ACL. Because the ACL is inbound on the egress interface, outbound traffic is not filtered.

183
Multi-Selectmedium

Which four of the following are characteristics or configuration requirements of NTP client/server operation in a secure enterprise network? (Choose all that apply. There are four correct answers.)

Select 4 answers
.An NTP client can synchronize time with multiple NTP servers for redundancy.
.NTP uses UDP port 123 for communication between clients and servers.
.NTP authentication can be used to verify that time updates come from a trusted source.
.The NTP server must be in the same subnet as the NTP client to synchronize.
.NTP stratum levels indicate the distance from the reference clock; a lower stratum number is more accurate.
.A Cisco device configured as an NTP server will automatically become the stratum 1 server for all clients.

Why this answer

NTP clients can synchronize with multiple servers to provide redundancy and improve accuracy through the selection and clustering algorithms (derived from Marzullo's algorithm) described in RFC 5905. NTP uses UDP port 123 for all communication. NTP authentication uses a pre-shared symmetric key to compute a message digest (MD5 on classic IOS; SHA variants on newer releases) over each packet, so a client can verify that time updates come from a trusted source and reject spoofed ones; note that it authenticates the source but does not encrypt the time data.

The stratum level indicates the distance from the primary reference clock; a lower stratum number (e.g., 1) is closer to the authoritative time source and thus more accurate.

Exam trap

Cisco often tests the misconception that NTP requires same-subnet connectivity or that a Cisco router can automatically become stratum 1, when in fact NTP works across routed networks and stratum 1 requires a dedicated reference clock.

184
PBQhard

You are connected to R1 via the console. R1's GigabitEthernet0/0 (10.0.0.1/30) connects to the ISP. GigabitEthernet0/1 (192.168.1.1/24) connects to the internal LAN. The security policy requires that only SSH traffic (TCP port 22) from the internal network (192.168.1.0/24) be permitted to reach the router itself, and all other inbound traffic to the router from internal hosts should be blocked. Additionally, the router must be hardened for SSH access: generate RSA keys of 2048 bits, set SSH version 2, enable SSH on vty lines, and disable Telnet. Currently, there is no security configuration. Configure R1 to meet these requirements.

Network Topology
R1: G0/1 192.168.1.1/24 (LAN, internal hosts); G0/0 10.0.0.1/30 (WAN to ISP)

Hints

  • Use an extended ACL to filter traffic destined to the router itself (not through it).
  • The access-class command applies the ACL to VTY lines.
  • Generate RSA keys only after setting a domain name.
A.ip access-list extended VTY_ACL permit tcp 192.168.1.0 0.0.0.255 any eq 22 deny ip any any ! line vty 0 4 access-class VTY_ACL in transport input ssh login local ! username admin secret cisco ip domain-name example.com crypto key generate rsa modulus 2048 ip ssh version 2
B.ip access-list standard VTY_ACL permit 192.168.1.0 0.0.0.255 deny any ! line vty 0 4 access-class VTY_ACL in transport input ssh login local ! username admin secret cisco crypto key generate rsa modulus 2048 ip ssh version 2
C.ip access-list extended VTY_ACL permit tcp any any eq 22 deny ip any any ! line vty 0 4 access-class VTY_ACL in transport input ssh login local ! username admin secret cisco crypto key generate rsa modulus 2048 ip ssh version 2
D.ip access-list extended VTY_ACL permit tcp 192.168.1.0 0.0.0.255 any eq 22 deny ip any any ! line vty 0 4 access-class VTY_ACL out transport input ssh login local ! username admin secret cisco crypto key generate rsa modulus 2048 ip ssh version 2
AnswerA
solution
! R1
username admin secret cisco
! 'cisco' is a placeholder secret; use a strong one in practice
ip domain-name example.com
crypto key generate rsa modulus 2048
ip ssh version 2
ip access-list extended VTY_ACL
permit tcp 192.168.1.0 0.0.0.255 any eq 22
deny ip any any
line vty 0 4
access-class VTY_ACL in
transport input ssh
login local

Why this answer

The extended ACL VTY_ACL permits SSH from the internal subnet and denies all other IP traffic. The access-class command applies it inbound to VTY lines. SSH hardening includes generating 2048-bit RSA keys, setting SSH version 2, and disabling Telnet by specifying transport input ssh.

A local username is required for SSH authentication, and the VTY lines must be told to use the local database with 'login local'; without it the lines fall back to line-password login and SSH sessions are refused. Note that a domain name (e.g., ip domain-name example.com) must be configured before generating RSA keys; without one, IOS rejects the command with '% Please define a domain-name first.' The secret 'cisco' is only a placeholder; use a strong secret in practice.

Exam trap

Pay attention to the direction of the access-class on VTY lines: it must be 'in' to filter incoming connections. Also, remember that standard ACLs cannot filter by port; you need an extended ACL for that. Finally, always specify the source network in the ACL to restrict access to the intended subnet.

Why the other options are wrong

B

Standard ACLs lack the ability to filter by protocol or port number, making them unsuitable for this requirement.

C

The source address in the permit statement is 'any', which allows SSH from all networks, including the ISP side, which is not desired.

D

'access-class VTY_ACL out' restricts sessions initiated from the router's own VTY lines toward other hosts (for example, an administrator already logged in to R1 who then opens SSH from R1 to another device); it says nothing about who may connect to R1. Controlling inbound management access requires 'in'.

185
PBQhard

You are connected to R1. Configure AAA with RADIUS authentication for all login methods. The RADIUS server is at 203.0.113.10 with key 'CiscoKey123'. Then troubleshoot why the 802.1X port on interface GigabitEthernet0/1 remains in unauthorized state. The port is configured for dot1x port-control auto, but authentication fails. Ensure that the AAA authentication default method uses RADIUS first, then local fallback, and that the RADIUS server is correctly reachable and configured for authentication.

Network Topology
R1 G0/0 192.0.2.1/30 -- link -- RADIUS Server 203.0.113.10

Hints

  • The RADIUS server configuration is missing entirely.
  • AAA authentication method list must be defined to use RADIUS first.
  • Check that the RADIUS server is reachable via ping 203.0.113.10.
A.Configure RADIUS server with IP 203.0.113.10 and key 'CiscoKey123', then configure AAA authentication login default group radius local.
B.Change the interface port-control to 'force-authorized' to bypass authentication and bring the port up.
C.Configure AAA authentication login default local radius to use local authentication first, then RADIUS.
D.Add the command 'aaa new-model' and configure the RADIUS server with IP 203.0.113.10 and key 'CiscoKey123'.
AnswerA
solution
! R1
radius server RADIUS-SERVER
address ipv4 203.0.113.10 auth-port 1812 acct-port 1813
key CiscoKey123
exit
aaa authentication login default group radius local

Why this answer

The issue is that AAA is only partially configured: 'aaa new-model' is present, but no RADIUS server is defined and no login method list references RADIUS. The fix is to define the server (address and shared key) in a 'radius server' block and then create the default login list with RADIUS first and local fallback: 'aaa authentication login default group radius local'.

Without a defined, reachable and correctly keyed RADIUS server, and a method list that points to it, the device never sends an Access-Request, so the 802.1X port stays unauthorized. One practitioner caveat the options do not cover: the login list governs administrative logins, while a dot1x port is driven by 'aaa authentication dot1x default group radius' and the global 'dot1x system-auth-control'; both must also be present for the supplicant on G0/1 to be authenticated. Option D is incorrect because 'aaa new-model' and a RADIUS server definition are necessary steps but do not create an authentication method list; without 'aaa authentication login default group radius local', the RADIUS server is never referenced for login authentication.

Exam trap

Trap: Candidates often forget that configuring a RADIUS server alone is not enough; you must also create an AAA authentication method list that references RADIUS. Additionally, the order of methods in the list matters: 'radius local' means RADIUS first, local fallback; 'local radius' means local first, which would not meet the requirement.

Why the other options are wrong

D

Configuring 'aaa new-model' and a RADIUS server alone does not create an authentication method list; the AAA authentication default must explicitly reference the RADIUS server group.

186
MCQhard

Which switch security feature uses DHCP snooping bindings to validate ARP packets and help stop ARP spoofing?

A.PortFast
B.Dynamic ARP Inspection
C.UDLD
D.HSRP preemption
AnswerB

Correct. DAI is designed to mitigate ARP spoofing.

Why this answer

Dynamic ARP Inspection compares ARP information to trusted bindings, often learned through DHCP snooping, to block forged ARP packets.

Exam trap

A common exam trap is selecting PortFast, UDLD, or HSRP preemption as the answer because these features are well-known switch security or stability mechanisms. However, PortFast only speeds up STP port transitions and does not inspect ARP packets. UDLD focuses on detecting unidirectional links and does not validate ARP traffic.

HSRP preemption deals with gateway redundancy and has no role in ARP security. The key to avoiding this trap is recognizing that only Dynamic ARP Inspection uses DHCP snooping bindings to validate ARP packets and stop ARP spoofing.

Why the other options are wrong

A

PortFast is a feature that allows switch ports to bypass the usual STP listening and learning states to quickly transition to forwarding. It does not perform any ARP packet validation or security checks, so it cannot prevent ARP spoofing.

C

UDLD (Unidirectional Link Detection) is designed to detect and disable unidirectional links between switches to prevent network loops or blackholes. It does not inspect or validate ARP packets and thus does not stop ARP spoofing.

D

HSRP preemption is a feature related to first-hop redundancy protocols that allows a higher priority router to take over as the active gateway. It does not provide any ARP packet validation or protection against ARP spoofing.

187
Matchingmedium

Match each operations or assurance technology to its most accurate purpose.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Centralized event and message reporting

Monitoring and management information exchange

Visibility into traffic flows and conversations

Clock synchronization for consistent timing

Why these pairings

Each technology serves a specific assurance purpose: Syslog provides centralized event and message reporting, SNMP enables monitoring and management information exchange, NetFlow offers visibility into traffic flows and conversations, and NTP ensures clock synchronization for consistent timing across network devices.

Exam trap

Be careful not to confuse the functions of NetFlow (flow analysis) and IP SLA (performance measurement), or SNMP (management) and Syslog (logging). Also, remember that SPAN is for local mirroring and RSPAN for remote mirroring; the 'R' stands for remote.

188
MCQhard

A network engineer notices that an NMS at 10.1.1.200 cannot poll a router that has SNMPv2c configured with community string 'public'. What is causing this issue?

A.SNMPv2c is not enabled on the router.
B.The SNMP community 'public' has an access list that only permits host 10.1.1.100.
C.The NMS is using the wrong community string.
D.The router's SNMP agent is not listening on the interface facing 10.1.1.200.
AnswerB

The ACL applied to the community string restricts inbound SNMP requests to the permitted IP address. Since the NMS is 10.1.1.200, the router discards its polls, preventing a response.

Why this answer

The SNMP community 'public' has an ACL that permits only host 10.1.1.100, so the NMS at 10.1.1.200 is explicitly denied. No other condition explains the symptom because the community string matches, SNMPv2c is enabled by the configuration, and the agent listens on all interfaces by default.

Exam trap

Candidates often assume the NMS has the wrong community string when polling fails, but here the string matches; the ACL restriction produces the same timeout behavior as a community mismatch, making C a tempting misconception.

Why the other options are wrong

A

Many believe SNMP requires an additional global command to start; on Cisco IOS, a community string entry enables the agent.

C

Polling failures are often attributed to community string errors, but when the string matches, an ACL restriction produces identical symptoms.

D

Candidates may assume the agent must be bound to an interface, but Cisco IOS SNMP agents respond on any interface unless limited by an ACL or VRF.

189
MCQmedium

A network team wants centralized logging and also wants log timestamps from different devices to line up accurately. Which combination best supports that goal?

A.Syslog and NTP
B.DHCP and STP
C.PAT and EtherChannel
D.ARP and CDP
AnswerA

This is correct because Syslog centralizes log collection and NTP aligns timestamps across devices.

Why this answer

The right combination is Syslog plus NTP. In plain language, Syslog gives the team a central place to collect and review device messages, while NTP makes sure the timestamps on those messages are consistent across the network. Centralized logs are useful on their own, but without synchronized clocks, incident timelines can become confusing and misleading.

This pairing is a common operational best practice. Syslog handles the collection side, and NTP handles the time-correlation side. Other services such as DHCP, STP, or NAT do not solve this combination of requirements. The best answer is the one that recognizes that centralized logging and time synchronization are complementary, not competing, services.

Exam trap

Don't confuse network management protocols like DHCP or NAT with logging and time synchronization functions.

Why the other options are wrong

B

DHCP dynamically assigns IP addresses and STP prevents loops in Layer 2 networks; neither provides centralized logging or time synchronization. Without NTP, timestamps from different devices would not align, making log correlation unreliable.

C

PAT (a form of NAT) translates private IP addresses to public ones, and EtherChannel bundles multiple links for redundancy and bandwidth; neither offers centralized logging or time synchronization. These technologies are unrelated to the goal.

D

ARP resolves IP addresses to MAC addresses, and CDP discovers directly connected Cisco devices; neither provides centralized logging or time synchronization. These protocols are for neighbor discovery and Layer 2 resolution, not for log management.

190
PBQhard

You are connected to R1, a Cisco IOS-XE router acting as the network's DNS client. The network uses a local DNS server at 203.0.113.10 for internal name resolution. Users report that the hostname 'fileserver.courseiva.local' cannot be resolved, while other names work fine. Diagnose and fix the DNS resolution failure so that 'fileserver.courseiva.local' resolves correctly.

Network Topology
R1 G0/0 10.0.0.1/30 -- link -- R2 G0/0 10.0.0.2/30 -- link -- DNS Server 203.0.113.10/24

Hints

  • Check if the DNS server is reachable and if other names resolve.
  • The NXDOMAIN status means the domain name does not exist in the DNS zone.
  • The router configuration appears correct; the problem is on the DNS server.
A.Add an A record for 'fileserver' on the DNS server.
B.Configure the 'ip domain-lookup' command on R1 to enable DNS resolution.
C.Change the DNS server address on R1 to 8.8.8.8.
D.Add a static host entry on R1 using 'ip host fileserver.courseiva.local 192.0.2.10'.
AnswerA
solution
! R1

Why this answer

The DNS server is reachable (ping successful) and resolves other names (e.g., webserver.courseiva.local) correctly. However, 'fileserver.courseiva.local' returns NXDOMAIN, indicating the A record is missing from the DNS zone. Since the router is not the DNS server, the fix must be applied on the DNS server itself — not on R1.

The candidate should understand that the problem is a missing DNS record, not a router configuration issue. The solution involves adding an A record for 'fileserver' (with the appropriate IP address) on the DNS server. On R1, verify connectivity to the DNS server and confirm that the domain lookup and name-server settings are correct, which they are.

No router CLI changes are needed.

Exam trap

Candidates often confuse client-side DNS configuration issues with server-side record problems. Remember: if some names resolve but others don't, the DNS server is reachable and functional; the missing record is the culprit. Do not change router settings unnecessarily.

Why the other options are wrong

B

'ip domain-lookup' is a global toggle for DNS resolution on R1; if it were disabled, no names would resolve, yet other names in the same zone resolve fine.

C

The DNS server at 203.0.113.10 is already answering for other records, so the failure is specific to one hostname, not to the server address. Pointing R1 at a public resolver such as 8.8.8.8 would also lose resolution of the internal courseiva.local names entirely.

D

A static 'ip host' entry only hides the symptom on R1: every other client in the network would still fail, because the A record belongs on the DNS server where all clients can find it.

191
MCQmedium

An ACL entry reads: access-list 25 permit 192.168.8.0 0.0.0.15 Which address range does this statement match?

A.192.168.8.0 through 192.168.8.15
B.192.168.8.0 through 192.168.8.31
C.192.168.8.0 through 192.168.8.7
D.Only host 192.168.8.15
AnswerA

That is the correct range for a wildcard of 0.0.0.15.

Why this answer

A wildcard of 0.0.0.15 means the last 4 bits can vary, which corresponds to a block size of 16 addresses. Starting at 192.168.8.0, the range is 192.168.8.0 through 192.168.8.15.

Exam trap

Be careful not to confuse the block size determined by the wildcard mask with a full subnet or miscalculate the starting address.

Why the other options are wrong

C

This range uses a wildcard mask of 0.0.0.7, not 0.0.0.15.
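Added example (Python, not code from this page): the wildcard arithmetic behind this question and the ACL evaluation behind question 182, done the way IOS does it, top-down with an implicit deny. The question-182 packets (a LAN host 192.168.1.10 and an Internet host 198.51.100.7 replying to 192.168.2.20) are constructed, and the 0.0.0.254 check goes beyond the question to show that wildcard bits need not be contiguous.

```python
"""Cisco wildcard-mask matching and standard-ACL evaluation (added example)."""
from typing import List, Optional, Tuple

Ace = Tuple[str, str, str]          # (action, base address, wildcard mask)
ALL_ONES = 0xFFFFFFFF


def ip_to_int(addr: str) -> int:
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {addr}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    # Wildcard bit 1 = "don't care", 0 = "must match". Only the 0 bits are compared.
    care = ALL_ONES ^ ip_to_int(wildcard)
    return (ip_to_int(addr) & care) == (ip_to_int(base) & care)


def wildcard_range(base: str, wildcard: str) -> Tuple[str, str]:
    """First and last address a contiguous wildcard covers (block size = wildcard + 1)."""
    w = ip_to_int(wildcard)
    first = ip_to_int(base) & (ALL_ONES ^ w)       # clear the don't-care bits
    return int_to_ip(first), int_to_ip(first | w)  # set them all for the last address


def evaluate(acl: List[Ace], source: str) -> Tuple[str, Optional[int]]:
    """Top-down, first match wins: (action, ACE index), or ('deny', None) for the implicit deny."""
    for idx, (action, base, wildcard) in enumerate(acl):
        if wildcard_match(source, base, wildcard):
            return action, idx
    return "deny", None


# Question 182: 'access-list 10 permit 192.168.1.0 0.0.0.255', applied inbound on G0/0.
ACL_10: List[Ace] = [("permit", "192.168.1.0", "0.0.0.255")]


def q182_inbound_on_g0_0(acl: List[Ace] = ACL_10) -> dict:
    """Constructed packets entering R1 on G0/0; an inbound standard ACL only ever sees the SOURCE."""
    packets = {
        "192.168.1.10 -> Internet (LAN host, enters on G0/0)": "192.168.1.10",
        "198.51.100.7 -> 192.168.2.20 (Internet reply, enters on G0/0)": "198.51.100.7",
    }
    return {name: evaluate(acl, src)[0] for name, src in packets.items()}


def option_d_still_fails() -> str:
    """Adding a permit for 192.168.2.0/24 changes nothing: the reply's source is the Internet host."""
    acl = ACL_10 + [("permit", "192.168.2.0", "0.0.0.255")]
    return evaluate(acl, "198.51.100.7")[0]


if __name__ == "__main__":
    print(wildcard_range("192.168.8.0", "0.0.0.15"))   # question 191
    print(q182_inbound_on_g0_0(), option_d_still_fails())
```

wildcard_range only makes sense for contiguous wildcards; for a pattern like 0.0.0.254 the "range" is every other address, which is why only wildcard_match is meaningful there.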

192
Matchingmedium

Drag and drop the DNS record types on the left to the correct descriptions on the right.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Maps a hostname to an IPv4 address

Maps a hostname to an IPv6 address

Aliases one hostname to another canonical name

Specifies mail exchange servers for a domain

Lists authoritative name servers for a zone

Maps an IP address to a hostname (reverse lookup)

Why these pairings

These are standard DNS record types as defined in RFCs and tested in networking certifications like CCNA.

Exam trap

Be careful not to confuse A and AAAA records (IPv4 vs IPv6) or to think that CNAME or MX records directly map names to IP addresses. The A record is the only one that directly maps a name to an IPv4 address.

193
MCQmedium

Why is centralized logging especially useful when combined with NTP?

A.Because synchronized clocks make centralized log timelines easier to analyze accurately.
B.Because NTP assigns the Syslog server its IP address.
C.Because Syslog replaces authentication when NTP is present.
D.Because centralized logging blocks unauthorized traffic automatically.
AnswerA

This is correct because NTP improves the usefulness of centralized logs by aligning timestamps.

Why this answer

Centralized logging is much more useful when device clocks are synchronized because the timestamps can be correlated properly. In practical terms, collecting messages in one place is valuable, but if one router thinks it is 9:00 and another thinks it is 9:17, the event sequence becomes confusing. NTP solves that time-alignment problem.

This is a common operations best practice. Syslog provides the central visibility, and NTP makes the timeline trustworthy.

Exam trap

A common exam trap is to mistakenly believe that NTP provides IP addressing or security functions such as blocking unauthorized traffic. Some may also incorrectly assume that syslog replaces authentication mechanisms when NTP is present. These misconceptions arise because candidates confuse the distinct roles of NTP and syslog.

NTP strictly synchronizes time, while syslog collects logs. Neither assigns IP addresses nor enforces access control. Understanding this separation is crucial to avoid selecting incorrect answers that attribute unrelated functions to NTP or centralized logging.

Why the other options are wrong

B

Option B is incorrect because NTP does not assign IP addresses to syslog servers or any devices. IP addressing is handled by DHCP or manual configuration, not by NTP.

C

Option C is incorrect because syslog does not replace authentication mechanisms. NTP and syslog are unrelated to access control or authentication processes in Cisco networks.

D

Option D is incorrect because centralized logging improves visibility into network events but does not block unauthorized traffic. Traffic enforcement is managed by firewalls, ACLs, or other security features.

194
Multi-Selectmedium

A switchport connected to an employee PC must allow the normal endpoint to connect but immediately err-disable the port if a switch is plugged in. Which two features should be configured on that access port?

Select 2 answers
A.spanning-tree bpduguard enable
B.switchport port-security maximum 1
C.spanning-tree portfast
D.storm-control broadcast level 5.00
AnswersA, C

BPDU Guard shuts down an access port that unexpectedly receives BPDUs from another switch.

Why this answer

For edge access ports, PortFast brings the port up quickly for end devices, and BPDU Guard protects against someone connecting a switch by err-disabling the interface when BPDUs arrive.

Exam trap

A frequent exam trap is selecting 'switchport port-security maximum 1' as a solution to prevent unauthorized switches. While port security limits MAC addresses, it does not detect BPDUs or immediately disable the port if a switch is connected. This can allow a switch to connect and cause Layer 2 loops.

Another trap is confusing storm control with BPDU Guard; storm control only limits broadcast traffic rates and does not err-disable ports on BPDU reception. Candidates must understand that only BPDU Guard combined with PortFast provides the immediate err-disable protection for access ports against switch connections.

Why the other options are wrong

B

'switchport port-security maximum 1' limits MAC addresses but does not detect BPDUs or err-disable the port on switch connections, so it does not meet the requirement to immediately disable the port on switch attachment.

D

'storm-control broadcast level 5.00' limits broadcast traffic but does not err-disable the port upon detecting a switch or BPDUs, so it does not fulfill the requirement to disable the port immediately if a switch is plugged in.

195
Matchingmedium

Match each service or protocol to the problem it most directly helps solve.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Users can reach a service by IP but not by hostname

Clients do not receive IP settings automatically

Device clocks and log timestamps do not line up

Administrators need centralized event and message collection

Why these pairings

Each service or protocol directly addresses a specific networking problem as described.

Exam trap

Be careful not to confuse the primary function of each protocol. For example, DHCP can provide additional options like NTP server, but its core purpose is IP address assignment. Similarly, SNMP monitors devices but does not perform traffic analysis.

Focus on the most direct problem each service solves.

196
Multi-Selectmedium

Which three of the following are characteristics of DHCP snooping on a Cisco switch? (Choose three.)

Select 3 answers
.It differentiates trusted and untrusted ports to filter DHCP messages.
.It builds and maintains a DHCP snooping binding database.
.It prevents DHCP starvation attacks by rate-limiting DHCP messages on untrusted ports.
.It encrypts DHCP traffic between the client and the server.
.It replaces the DHCP server's IP address with a static route.
.It requires all DHCP servers to be connected to untrusted ports.

Why this answer

DHCP snooping is a security feature that filters untrusted DHCP messages by differentiating trusted and untrusted ports. It builds and maintains a DHCP snooping binding database to track valid IP-to-MAC address assignments. Additionally, it prevents DHCP starvation attacks by rate-limiting DHCP messages on untrusted ports, typically using the 'ip dhcp snooping limit rate' command.

Exam trap

Cisco often tests that DHCP snooping's rate-limiting feature specifically targets DHCP starvation attacks, not rogue server attacks, and that the binding database is used for both IP source guard and dynamic ARP inspection integration.
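Added example (Python, not code from this page) that ties this question to question 186: a switch model that learns snooping bindings from REQUEST/ACK pairs, drops server-side messages and rate-limits DHCP on untrusted ports, and then uses the resulting bindings for Dynamic ARP Inspection. Port names, MAC addresses, VLAN 10 and the 10.10.10.0/24 addresses are constructed; the rate limit of 15 stands in for 'ip dhcp snooping limit rate 15'.

```python
"""DHCP snooping (trusted/untrusted ports, binding table, rate limit) feeding DAI (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

SERVER_MSGS = {"OFFER", "ACK", "NAK"}   # only legitimate when they come from a DHCP server
Key = Tuple[str, int]                   # (client MAC, VLAN)


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str


@dataclass
class Switch:
    trusted: Set[str]                   # ports facing the real DHCP server / uplink
    rate_limit: int = 15                # 'ip dhcp snooping limit rate 15' equivalent
    bindings: Dict[Key, Binding] = field(default_factory=dict)
    pending: Dict[Key, str] = field(default_factory=dict)   # client requests awaiting an ACK
    dhcp_seen: Dict[str, int] = field(default_factory=dict)
    errdisabled: Set[str] = field(default_factory=set)

    def dhcp(self, port: str, vlan: int, msg: str, chaddr: str,
             yiaddr: Optional[str] = None) -> str:
        """Snoop one DHCP message; returns 'forward', 'drop' or 'errdisable'."""
        if port in self.errdisabled:
            return "drop"
        if port not in self.trusted:
            # Untrusted port: count every DHCP packet (starvation defence) ...
            self.dhcp_seen[port] = self.dhcp_seen.get(port, 0) + 1
            if self.dhcp_seen[port] > self.rate_limit:
                self.errdisabled.add(port)
                return "errdisable"
            # ... and never let server-side messages in (rogue-server defence).
            if msg in SERVER_MSGS:
                return "drop"
            self.pending[(chaddr, vlan)] = port     # remember which port the client is on
            return "forward"
        # Trusted port: a real ACK completes a lease -> binding entry for the client's port.
        if msg == "ACK" and yiaddr is not None:
            client_port = self.pending.pop((chaddr, vlan), None)
            if client_port is not None:
                self.bindings[(chaddr, vlan)] = Binding(chaddr, yiaddr, vlan, client_port)
        return "forward"

    def arp(self, port: str, vlan: int, sender_mac: str, sender_ip: str) -> str:
        """Dynamic ARP Inspection: validate sender MAC/IP against the snooping bindings."""
        if port in self.trusted:
            return "forward"                         # DAI does not inspect trusted ports
        b = self.bindings.get((sender_mac, vlan))
        if b is None or b.ip != sender_ip or b.port != port:
            return "drop"                            # forged or unknown sender
        return "forward"


def demo() -> Dict[str, str]:
    """Constructed traffic: one legitimate lease, a rogue server, and ARP spoof attempts."""
    sw = Switch(trusted={"Gi1/0/24"})
    out = {}
    out["client request"] = sw.dhcp("Gi1/0/1", 10, "REQUEST", "aa:aa:aa:aa:aa:01")
    out["server ack"] = sw.dhcp("Gi1/0/24", 10, "ACK", "aa:aa:aa:aa:aa:01", "10.10.10.11")
    out["rogue ack"] = sw.dhcp("Gi1/0/2", 10, "ACK", "aa:aa:aa:aa:aa:01", "10.10.10.200")
    out["valid arp"] = sw.arp("Gi1/0/1", 10, "aa:aa:aa:aa:aa:01", "10.10.10.11")
    out["gateway spoof, unknown host"] = sw.arp("Gi1/0/2", 10, "bb:bb:bb:bb:bb:02", "10.10.10.1")
    out["gateway spoof, known host"] = sw.arp("Gi1/0/1", 10, "aa:aa:aa:aa:aa:01", "10.10.10.1")
    out["arp on trusted uplink"] = sw.arp("Gi1/0/24", 10, "cc:cc:cc:cc:cc:03", "10.10.10.1")
    return out


def starvation(count: int = 20) -> List[str]:
    """One attacker port flooding DISCOVERs with changing MACs against a limit of 15."""
    sw = Switch(trusted={"Gi1/0/24"})
    return [sw.dhcp("Gi1/0/3", 10, "DISCOVER", f"de:ad:be:ef:00:{i:02x}") for i in range(count)]


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:30} {verdict}")
    print(starvation())
```

The "gateway spoof, known host" case is the one DAI exists for: the sender MAC is legitimately in the binding table, but it is claiming the gateway's IP, so the binding check on IP fails and the ARP is dropped. A real switch also logs the drop and can err-disable the port after repeated violations.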

197
PBQhard

You are connected to R1. The network has two routers: R1 (192.168.1.0/24 LAN) and R2 (Internet gateway). R1's inside LAN (192.168.1.0/24) must be translated to the public IP 203.0.113.1 using PAT (NAT overload) for Internet access. Additionally, the server at 192.168.1.100 must be reachable from the Internet via static NAT to 203.0.113.5. The current configuration is broken. Identify and fix the issues so that both PAT and static NAT work correctly.

Network Topology
R1: G0/0 192.168.1.1/24 (LAN, inside hosts); G0/1 203.0.113.2/29 (WAN toward R2 / Internet); S0/0/0 10.0.0.1/30

Hints

  • Check which interfaces are marked as inside and outside — the public IP interface should be outside.
  • The ACL used for PAT must match the inside local network, not a different subnet.
  • The PAT command must include the keyword 'overload' to enable port address translation.
A.Change ACL 10 to permit 192.168.1.0 0.0.0.255, change G0/1 to 'ip nat outside', and ensure the PAT command includes 'overload'.
B.Change ACL 10 to permit 192.168.1.0 0.0.0.255, change G0/1 to 'ip nat inside', and ensure the PAT command includes 'overload'.
C.Change ACL 10 to permit 192.168.1.0 0.0.0.255, change G0/1 to 'ip nat outside', and remove the 'overload' keyword from the PAT command.
D.Change ACL 10 to permit 192.168.1.0 0.0.0.255, change G0/1 to 'ip nat inside', and remove the 'overload' keyword from the PAT command.
AnswerA
solution
! R1
configure terminal
no ip nat inside source list 10 interface GigabitEthernet0/1
ip nat inside source list 10 interface GigabitEthernet0/1 overload
no access-list 10
access-list 10 permit 192.168.1.0 0.0.0.255
interface GigabitEthernet0/1
no ip nat inside
ip nat outside
end

Why this answer

The configuration had three issues: 1) ACL 10 permitted 10.0.0.0/8 instead of the actual inside subnet 192.168.1.0/24, so no traffic matched PAT. 2) The PAT command was missing the 'overload' keyword, which is required for Port Address Translation; without it, the device attempts one-to-one dynamic NAT. 3) The interface facing the public network (G0/1) was incorrectly configured as 'ip nat inside' instead of 'ip nat outside'. The fix is to correct the ACL to permit 192.168.1.0 0.0.0.255, ensure the PAT command includes 'overload', and change G0/1 to 'ip nat outside'.

Exam trap

A common trap is confusing inside and outside interface designations. Remember: the interface facing the private network is 'ip nat inside', and the interface facing the public network is 'ip nat outside'. Also, PAT requires the 'overload' keyword; without it, you get dynamic NAT (one-to-one).

Why the other options are wrong

B

The public-facing interface (G0/1) must be 'ip nat outside', not 'ip nat inside'. If both interfaces are marked inside, no packet ever crosses an inside-to-outside boundary, so the translation rule never fires and nothing is translated.

C

The specific factual error is that PAT requires the 'overload' keyword. Without it, the router performs dynamic NAT (one-to-one translation), which would not support multiple hosts sharing a single public IP.

D

The specific factual errors are: (1) the interface with the public IP must be 'ip nat outside', and (2) PAT requires the 'overload' keyword. Both are violated here.

198
Multi-Selectmedium

Which TWO DNS record types are most commonly used together to verify both forward and reverse DNS mappings for an IPv6 address?

Select 2 answers
A.A record
B.AAAA record
C.CNAME record
D.PTR record
E.MX record
AnswersB, D

The AAAA record is the standard record type for mapping a domain name to an IPv6 address.

Why this answer

The AAAA record (Quad-A record) maps a domain name to an IPv6 address, making it the standard type for forward IPv6 lookups. The PTR record performs the reverse mapping—from an IPv6 address back to a domain name. Administrators routinely check both records with tools like nslookup or dig to ensure forward and reverse DNS consistency, which is critical for services such as email and security logging.

The other options (A, CNAME, MX) do not directly provide a domain-to-IPv6 mapping or its reverse verification.

Exam trap

Cisco often tests the misconception that an A record can be used for IPv6 addresses, but the A record is strictly for IPv4 (RFC 1035), while the AAAA record is the correct type for IPv6 (RFC 3596).

Why the other options are wrong

A

An A record maps a hostname to an IPv4 address, not an IPv6 address. Since the question specifically asks about IPv6, this record type is incorrect.

C

A CNAME record creates an alias from one domain name to another, not a direct mapping to an IP address. It does not provide the IP address itself, so it cannot verify the mapping to an IPv6 address.

E

MX records specify mail exchange servers for a domain and are used for email routing, not for mapping domain names to IP addresses. They do not provide IPv6 address mappings.
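Added example (Python, not the page's code): the forward-confirmed reverse DNS check that the explanation above describes doing by hand with dig, run over constructed AAAA and PTR records for example.com (2001:db8::/32 is documentation address space, and none of this is real DNS data). It shows how the ip6.arpa owner name is derived from the 32 nibbles of the expanded address and how a missing or mismatched PTR is detected.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check for IPv6 over constructed zone data (added example)."""
import ipaddress
from typing import Dict, List, Tuple

# Constructed forward records standing in for resolver answers.
AAAA: Dict[str, List[str]] = {
    "mail.example.com.": ["2001:db8::25"],
    "web.example.com.": ["2001:db8::80"],
    "www.example.com.": ["2001:db8::80"],
    "ftp.example.com.": ["2001:db8::21"],
    "old.example.com.": ["2001:db8::99"],
}


def ptr_name(addr: str) -> str:
    """The ip6.arpa owner name: all 32 nibbles of the expanded address, in reverse order."""
    return ipaddress.IPv6Address(addr).reverse_pointer + "."


# Constructed reverse records, keyed by the nibble-reversed name a resolver would query.
PTR: Dict[str, str] = {
    ptr_name("2001:db8::25"): "mail.example.com.",
    ptr_name("2001:db8::80"): "www.example.com.",    # names the alias host, not web.
    ptr_name("2001:db8::21"): "other.example.net.",  # that name has no AAAA for the address
    # 2001:db8::99 deliberately has no PTR at all
}


def fcrdns(host: str, aaaa: Dict[str, List[str]] = AAAA,
           ptr: Dict[str, str] = PTR) -> List[Tuple[str, str]]:
    """Per AAAA of host: 'ok', 'ok-via-<name>' (the PTR names another host that also owns
    the address, which is still forward-confirmed), 'no-ptr', or 'mismatch'."""
    results = []
    for addr in aaaa.get(host, []):
        name = ptr.get(ptr_name(addr))
        if name is None:
            results.append((addr, "no-ptr"))
        elif name == host:
            results.append((addr, "ok"))
        elif addr in aaaa.get(name, []):
            results.append((addr, "ok-via-" + name))
        else:
            results.append((addr, "mismatch"))
    return results


if __name__ == "__main__":
    print(ptr_name("2001:db8::25"))
    for h in AAAA:
        print(h, fcrdns(h))
```

Mail receivers and some security logging pipelines apply exactly this test: a PTR on its own proves nothing, since anyone who controls the reverse zone for an address can name it anything; only a PTR whose target name resolves back to the same address is forward-confirmed.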

199
Drag & Dropmedium

Drag and drop the following steps into the correct order to sequence the DNS resolution process from a client query to receiving an A-record response, followed by the diagnostic workflow using nslookup and dig to identify a missing or incorrect A-record.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4

Why this order

The standard DNS resolution sequence ends with the client receiving the A-record. Troubleshooting uses nslookup first for basic checks, then dig +trace for detailed path analysis.

Exam trap

Do not confuse the client's initial query destination (configured DNS server, not root) and remember the troubleshooting order: nslookup before dig +trace. Also, avoid inserting extra steps like explicit cache returns.

200
MCQhard

A router is performing PAT for inside users. Which detail allows multiple inside sessions to share one public IPv4 address at the same time?

A.Use of transport-layer port numbers to distinguish sessions
B.Replacement of all MAC addresses with broadcast addresses
C.Automatic conversion of every subnet into a /32
D.Requirement that every inside host use the same private IP address
AnswerA

This is correct because PAT relies on port values to multiplex many sessions through one public address.

Why this answer

PAT works because it uses transport-layer port numbers to keep different conversations distinct even when they share the same public IP address. In plain language, the router rewrites and tracks port information so that return traffic can be matched back to the correct inside host and application session. That is what makes one public address usable for many simultaneous internal users.

This is a key difference between PAT and simple static NAT. Static NAT creates a fixed one-to-one relationship, while PAT creates many simultaneous translations differentiated by port values. The correct answer is the one that identifies port-based tracking as the reason the design scales beyond a single host.

Exam trap

Remember, PAT uses port numbers to differentiate sessions, not MAC addresses, IP addresses, or VLAN IDs.

Why the other options are wrong

B

PAT does not replace MAC addresses with broadcast addresses; MAC addresses are used for local network segment communication and are not involved in NAT/PAT operations. Broadcast addresses are used for sending packets to all hosts on a subnet, which would not help in distinguishing individual sessions.

C

PAT does not convert subnets into /32 addresses; it translates private IP addresses and port numbers to a single public IP address with different port numbers. Changing subnet masks to /32 would imply host-specific routing, which is not how PAT functions.

D

PAT does not require all inside hosts to use the same private IP address; in fact, each host typically has a unique private IP address. PAT translates these unique private addresses to the same public IP but with different port numbers to maintain session uniqueness.

201
MCQhard

A host can reach local devices but cannot reach the Internet. The host has a correct IP address and subnet mask, but no default gateway. What is the best explanation?

A.The host can reach only local subnet destinations because it lacks a next hop for remote networks
B.The host automatically uses ARP to reach all Internet destinations directly
C.The subnet mask alone should be enough to reach all networks
D.The host can still reach Internet destinations if proxy ARP is enabled on the router.
AnswerA

This is correct because without a default gateway, the host has no normal path for off-subnet traffic.

Why this answer

The host can communicate only within its own local subnet because it lacks the next-hop information needed for off-subnet traffic. A valid IP address and subnet mask are not enough by themselves when the destination lies on another network. Option D is incorrect because proxy ARP, while it may allow some off-subnet reachability in specific scenarios, is not a reliable replacement for a default gateway and does not enable general Internet access.

Exam trap

A frequent exam trap is to think that the subnet mask alone enables a host to reach all networks. Candidates may incorrectly believe that ARP or other mechanisms can resolve remote IP addresses without a default gateway. This mistake overlooks the fact that ARP operates only on the local subnet and cannot resolve IP addresses beyond it.

Without a default gateway, the host has no next-hop router to forward off-subnet traffic, so it cannot reach Internet destinations or other remote networks. Understanding this limitation is crucial to avoid selecting incorrect answers that confuse local address resolution with routing.

Why the other options are wrong

B

ARP operates only on the local subnet and cannot resolve IP addresses beyond it, so the host cannot use ARP to reach all Internet destinations directly.

C

The subnet mask defines the local network boundary but does not provide a route to other networks; a default gateway or specific route is required for off-subnet traffic.

D

Proxy ARP may allow a host without a default gateway to reach some off-subnet destinations if the router responds to ARP requests for remote IPs, but this is not a general solution and does not enable reliable Internet access.

202
PBQhard

You are connected to the multilayer switch MLS1 in a branch network. The DHCP server on router R1 is supposed to serve the 192.168.20.0/24 VLAN 20, but clients in VLAN 20 are not receiving IP addresses. Additionally, a rogue DHCP server has been detected on VLAN 20. Configure MLS1 to enable DHCP snooping on VLAN 20, set the trust state on the uplink port to R1, and limit the rate of DHCP packets on access ports. Then, on R1, correct the DHCP configuration so that the pool for VLAN 20 uses the correct default-router (192.168.20.1) and DNS server (8.8.8.8), and ensure that the excluded-address range is not too large (exclude only the first 10 addresses). Verify the solution.

Network Topology
R1 G0/0 and MLS1 G0/0 are connected over the 10.0.0.0/30 link (10.0.0.1/30 and 10.0.0.2/30); MLS1 G0/1 is an access port in VLAN 20 (192.168.20.0/24) facing the clients.

Hints

  • On MLS1, DHCP snooping must be globally enabled and then applied to VLAN 20.
  • The uplink to R1 must be trusted; access ports should have rate limiting to prevent DHCP starvation.
  • On R1, the excluded-address range was too broad; only exclude the first 10 addresses. The default-router and DNS server were incorrect.
A.On MLS1: ip dhcp snooping, ip dhcp snooping vlan 20, interface Gig0/0 ip dhcp snooping trust, interface Gig0/1 ip dhcp snooping limit rate 10. On R1: ip dhcp excluded-address 192.168.20.1 192.168.20.10, ip dhcp pool VLAN20 network 192.168.20.0 255.255.255.0 default-router 192.168.20.1 dns-server 8.8.8.8
B.On MLS1: ip dhcp snooping vlan 20, interface Gig0/0 ip dhcp snooping trust, interface Gig0/1 ip dhcp snooping limit rate 10. On R1: ip dhcp excluded-address 192.168.20.1 192.168.20.254, ip dhcp pool VLAN20 network 192.168.20.0 255.255.255.0 default-router 192.168.20.1 dns-server 8.8.8.8
C.On MLS1: ip dhcp snooping vlan 20, interface Gig0/0 ip dhcp snooping trust, interface Gig0/1 ip dhcp snooping limit rate 10. On R1: ip dhcp excluded-address 192.168.20.1 192.168.20.10, ip dhcp pool VLAN20 network 192.168.20.0 255.255.255.0 default-router 192.168.10.1 dns-server 4.4.4.4
D.On MLS1: ip dhcp snooping vlan 20, interface Gig0/0 ip dhcp snooping trust, interface Gig0/1 ip dhcp snooping limit rate 10. On R1: ip dhcp excluded-address 192.168.20.1 192.168.20.10, ip dhcp pool VLAN20 network 192.168.20.0 255.255.255.0 default-router 192.168.20.1 dns-server 8.8.8.8, but no ip dhcp snooping enabled globally on MLS1
AnswerA
solution
! R1
configure terminal
ip dhcp excluded-address 192.168.20.1 192.168.20.10
ip dhcp pool VLAN20_POOL
default-router 192.168.20.1
dns-server 8.8.8.8
end

! MLS1
ip dhcp snooping
ip dhcp snooping vlan 20
interface GigabitEthernet0/0
ip dhcp snooping trust
exit
interface GigabitEthernet0/1
ip dhcp snooping limit rate 10
end

Why this answer

The problem had three faults: First, the DHCP pool on R1 had a wrong default-router (192.168.10.1 instead of 192.168.20.1) and an incorrect DNS server (4.4.4.4 instead of 8.8.8.8). Second, the excluded-address range was too large (excluding all addresses from .1 to .254 effectively blocked all dynamic assignments; corrected to exclude only .1 through .10). Third, DHCP snooping was disabled on MLS1, allowing a rogue DHCP server.

To enable DHCP snooping, both the global `ip dhcp snooping` command and the VLAN-specific `ip dhcp snooping vlan 20` command are required. With snooping enabled, the uplink port Gig0/0 was set as trusted and the access port Gig0/1 was configured with rate limiting to prevent DHCP starvation attacks.

Exam trap

Watch for three separate issues: DHCP pool misconfiguration (default-router, DNS, excluded range), DHCP snooping not enabled globally, and the need to set trust on the uplink. Candidates often forget the global 'ip dhcp snooping' command or misconfigure the excluded range.

Why the other options are wrong

B

The excluded-address range is too large; it should only exclude the first 10 addresses (1-10) to allow dynamic allocation from .11 onward.

C

The default-router must be the gateway for VLAN 20 (192.168.20.1), and the DNS server should be 8.8.8.8 as specified.

D

The global 'ip dhcp snooping' command is required to activate the feature; omitting it leaves DHCP snooping disabled entirely.

203
MCQhard

An ACL permits only tcp 10.10.10.0/24 host 192.0.2.10 eq 443 and has no other permit entries. What happens to an ICMP echo request from 10.10.10.5 to 192.0.2.10?

A.It is permitted because the destination matches
B.It is denied by the implicit deny
C.It is permitted because the packet matches the source network stated in the ACE.
D.It is permitted only if the source port is 443
AnswerB

Correct. Traffic not explicitly permitted is denied.

Why this answer

ACLs end with an implicit deny. Since the only explicit permit is for HTTPS traffic, the ICMP packet is denied.

Exam trap

Remember that ACLs have an implicit deny all rule. Just because a source or destination is specified doesn't mean all traffic types are allowed.

Why the other options are wrong

A

The ACL only permits TCP traffic from 10.10.10.0/24 to host 192.0.2.10 on port 443. ICMP is not TCP, so even though the destination matches, the protocol does not match, and the packet is not permitted.

C

Although the source IP matches the ACE's source network, the ACE only permits TCP traffic; ICMP is a different protocol, so the packet is denied by the implicit deny.

D

ICMP does not use TCP ports; it uses ICMP type and code. The ACL entry specifies TCP port 443, which is irrelevant for ICMP traffic. Even if the source port were 443, ICMP packets do not have TCP ports.

204
Multi-Selectmedium

Which three of the following statements about Network Address Translation (NAT) are correct? (Choose three.)

Select 3 answers
A.Static NAT provides a one-to-one mapping between a private IP and a public IP.
B.Dynamic NAT uses a pool of public IP addresses assigned on a first-come, first-served basis.
C.PAT (Port Address Translation) allows multiple internal hosts to share a single public IP address.
D.NAT eliminates the need for any routing in a network.
E.Dynamic NAT always assigns the same public IP to a given internal host.
F.PAT requires a unique public IP for every concurrent session.

Why this answer

Static NAT provides a one-to-one mapping between a private IP and a public IP, ensuring that a specific internal host always uses the same public address. Dynamic NAT uses a pool of public IP addresses assigned on a first-come, first-served basis, so internal hosts compete for available addresses. PAT (Port Address Translation) allows multiple internal hosts to share a single public IP by differentiating sessions via unique port numbers, which is the most common form of NAT used in home and small office routers.

Exam trap

Cisco often tests the misconception that dynamic NAT provides a fixed mapping like static NAT, or that PAT requires multiple public IPs, when in fact PAT is designed to share a single public IP among many hosts.

205
MCQmedium

Why is NTP especially useful when devices send logs to a centralized Syslog server?

A.It helps align device clocks so centralized log timestamps can be correlated more accurately.
B.It assigns the Syslog server an IP address.
C.It replaces the need for a Syslog server.
D.It encrypts every Syslog message automatically.
AnswerA

This is correct because consistent time improves the usefulness of centralized logs.

Why this answer

NTP is especially useful because synchronized clocks make the log timestamps more meaningful and easier to correlate. In plain language, if each device thinks the current time is different, the sequence of events in the centralized log becomes confusing. NTP helps align time across devices so the logs tell a more accurate story.

This is an operational best practice. Syslog collects the messages, and NTP makes their timing consistent. The correct answer is the one focused on timestamp correlation.

Exam trap

Avoid confusing NTP's function with security or data optimization features; focus on its role in time synchronization.

Why the other options are wrong

B

NTP is a protocol for clock synchronization, not for IP address assignment. IP addresses are assigned via DHCP or static configuration, and NTP operates at the application layer to synchronize time over the network. Therefore, NTP does not assign IP addresses to any device, including Syslog servers.

C

NTP and Syslog serve entirely different purposes. NTP synchronizes clocks, while Syslog is a protocol for sending log messages to a centralized server. NTP cannot replace Syslog because it does not collect, store, or forward log messages.

Both are often used together but are independent services.

D

NTP does not provide encryption for Syslog messages or any other data. NTP is solely responsible for time synchronization and does not include security features like encryption. Syslog messages are typically sent in clear text unless additional security measures like TLS or SSH are implemented.

206
Multi-Selectmedium

Which two actions are reasonable examples of basic device-hardening practice?

Select 2 answers
A.Disable unused services or interfaces where practical
B.Use SSH instead of Telnet for remote management
C.Allow anonymous administrative login for convenience
D.Place all traffic in VLAN 1 so it is easier to remember
E.Remove authentication from VTY lines
AnswersA, B

This is correct because reducing unnecessary exposure is a basic hardening principle.

Why this answer

Basic hardening is about reducing unnecessary exposure and making administrative access safer. In plain language, this usually means disabling services or interfaces that are not needed and preferring secure management protocols such as SSH. These choices shrink the attack surface and improve the security of routine device administration without requiring advanced security products.

The wrong answers in hardening questions often suggest convenience at the expense of security, such as leaving insecure access methods enabled or removing authentication. CCNA-level security expects you to recognize that strong fundamentals often come from disciplined configuration choices rather than from complex tools alone.

Exam trap

Avoid choosing convenience over security; protocols like Telnet and HTTP are easy but insecure for management.

Why the other options are wrong

C

Allowing anonymous administrative login means no authentication is required, which completely bypasses access control. This violates the principle of least privilege and exposes the device to unauthorized configuration changes.

D

VLAN 1 is the default VLAN and is often targeted in VLAN hopping attacks. Using VLAN 1 for all traffic violates the security best practice of segregating traffic and using dedicated VLANs for management, user data, and voice.

E

Removing authentication from VTY lines means anyone can connect to the device via Telnet or SSH without a password. This is a critical security flaw that allows unauthorized remote access.

207
MCQmedium

Which service would a client most directly rely on to convert `server.example.com` into an IP address?

A.DNS
B.ARP
C.NTP
D.CDP
AnswerA

This is correct because DNS resolves hostnames into IP information.

Why this answer

The client relies on DNS for name resolution. In plain language, DNS is the service that lets devices and users use readable names instead of memorizing numeric IP addresses. When the client needs to reach `server.example.com`, DNS helps translate that hostname into the IP-related information needed for actual communication.

This is different from DHCP, which supplies address configuration, and from NTP, which synchronizes time. It is also different from ARP, which resolves local IPv4 addresses to MAC addresses. The correct answer is the one associated specifically with hostname resolution.

Exam trap

A frequent exam trap is mistaking ARP for DNS because both involve address resolution. However, ARP only resolves IPv4 addresses to MAC addresses within the same local network segment and does not translate hostnames to IP addresses. Candidates might also confuse NTP or CDP as name resolution services, but NTP is for time synchronization, and CDP discovers directly connected Cisco devices.

Misunderstanding these roles leads to selecting incorrect answers, especially since the question specifically asks about converting a hostname to an IP address, which only DNS performs.

Why the other options are wrong

B

ARP is incorrect because it only resolves IPv4 addresses to MAC addresses on the local network segment and does not translate hostnames to IP addresses.

C

NTP is incorrect since it is used for synchronizing time between devices and does not perform any form of hostname or IP address resolution.

D

CDP is incorrect because it is a Cisco proprietary protocol used for discovering directly connected Cisco devices, not for resolving hostnames to IP addresses.

208
Matchingmedium

Match each observation to the service area it most strongly suggests first.

Concepts and their matching observations

  • DNS: Application works by IP but not by name
  • DHCP: Host does not receive IP settings automatically
  • NTP: Device logs show inconsistent timestamps
  • Syslog: Operations team cannot review centralized event messages

Why these pairings

The given observations directly map to network services: 'Application works by IP but not by name' indicates the host can reach the destination but cannot resolve its name to an IP address, pointing to a DNS issue. 'Host does not receive IP settings automatically' means the DHCP process failed, so the host cannot obtain an IP address automatically, implicating the DHCP service. 'Device logs show inconsistent timestamps' reveals that time synchronization is broken, which is the role of NTP. Finally, 'Operations team cannot review centralized event messages' suggests that logging messages are not being sent to a central server, indicating a problem with the syslog service.

Exam trap

Do not confuse service functions: DNS resolves names to IPs, not IP assignment; DHCP provides automatic IP assignment, not name resolution; NTP synchronizes time, not event logs; syslog centralizes event messages, not time synchronization.

209
MCQhard

A controller-based WLAN uses 5 GHz in an open office. Clients keep disconnecting when users roam between APs, but signal strength remains strong. Based on the exhibit, what is the most likely problem?

A.A transmit power mismatch is creating asymmetric coverage around AP-3.
B.The SSID must use 2.4 GHz only for roaming to work.
C.WPA2 cannot support roaming between APs.
D.The WLAN needs a different DHCP scope on each AP.
AnswerA

One AP is far louder than the rest, which often causes roaming instability.

Why this answer

The APs are transmitting at much higher power than the clients, creating a coverage imbalance. Clients may hear the AP well enough to stay associated too long, while the AP cannot reliably hear the weaker client at the same cell edge. That leads to sticky-client and roaming issues even when RSSI looks strong.

Exam trap

A common exam trap is assuming that roaming issues are caused by encryption protocols like WPA2 or by requiring 2.4 GHz operation only. Candidates may also mistakenly believe that DHCP scopes must be unique per AP to support roaming. These misconceptions distract from the real issue: transmit power mismatch causing asymmetric coverage.

The APs transmitting at much higher power than clients cause sticky client problems, where clients do not roam properly despite strong signal strength. Understanding this subtle power imbalance is critical to avoid selecting incorrect answers related to encryption or DHCP.

Why the other options are wrong

B

Incorrect because roaming works on 5 GHz and is often preferred there; restricting SSID to 2.4 GHz is unnecessary and unrelated to the problem.

C

Incorrect because WPA2 supports roaming; encryption type does not cause clients to disconnect when roaming between APs.

D

Incorrect because DHCP scopes are shared in controller-based WLANs; separate DHCP scopes per AP are not required for roaming functionality.

210
MCQmedium

Which syslog severity is more critical: level 2 or level 5?

A.Level 5
B.Level 2
C.They are equal
D.It depends on platform model
AnswerB

Correct. Lower number means higher urgency.

Why this answer

In syslog, lower numeric values indicate higher severity. Level 2 is therefore more critical than level 5.

Exam trap

Remember, in syslog, lower numbers mean higher severity. Don't confuse this with other systems where higher numbers might indicate higher priority.

Why the other options are wrong

A

Level 5 (notice) is less critical than level 2 (critical) because in syslog, lower numbers indicate higher severity. Level 5 is closer to informational messages, while level 2 indicates a critical condition that requires immediate action.

C

Syslog severity levels are strictly ordered from 0 (most critical) to 7 (least critical). Level 2 and level 5 are distinct values with different meanings, so they are not equal in severity.

D

The syslog severity level numbering is standardized across all platforms that implement syslog (RFC 5424). The ordering from 0 (emergency) to 7 (debugging) is consistent regardless of the device vendor or model.

211
MCQhard

An administrator wants to block all Telnet access to a router’s VTY lines and allow only SSH. Which change most directly supports that goal?

A.Configure the VTY lines to accept SSH and not Telnet.
B.Enable PortFast on the VTY lines.
C.Use DHCP snooping to protect the VTY lines.
D.Increase the OSPF hello interval.
AnswerA

This is correct because it directly restricts the management protocol accepted on the router.

Why this answer

The most direct change is to configure the VTY lines to accept only SSH, which removes Telnet as an accepted protocol. Option B (PortFast) is a spanning-tree feature that speeds up port transition on access ports and has nothing to do with VTY access. Option C (DHCP snooping) is a Layer 2 security feature to prevent rogue DHCP servers; it does not affect VTY line protocols.

Option D (OSPF hello interval) is an OSPF timer adjustment, unrelated to remote access security. Therefore, only option A directly achieves the goal.

Exam trap

Avoid assuming that ACLs or global commands can replace specific VTY line configurations for protocol restriction.

Why the other options are wrong

B

PortFast is a spanning-tree feature for switch ports, not related to VTY line protocols.

C

DHCP snooping is a Layer 2 security feature against rogue DHCP servers, irrelevant to Telnet/SSH access.

D

Increasing the OSPF hello interval affects OSPF neighbor discovery, not remote access to the router.

212
Matchingmedium

Match each service to the kind of problem it most directly helps solve.

Descriptions to match

  • Hostname works incorrectly or cannot be resolved into IP information
  • Clients need automatic IP configuration
  • Device timestamps do not line up consistently
  • Administrators need centralized event and log collection

Why these pairings

DNS solves the problem of remembering IP addresses. DHCP eliminates manual IP configuration. FTP enables file transfers.

SSH provides encrypted remote access. RADIUS and TACACS+ are AAA protocols, with RADIUS commonly used for network access and TACACS+ for device administration.

Exam trap

A common trap is confusing the roles of RADIUS and TACACS+, or thinking that services like DNS or DHCP have overlapping functions. Remember that DNS resolves names, DHCP assigns IPs, FTP transfers files, SSH secures remote access, RADIUS handles network access, and TACACS+ handles device administration.

213
MCQhard

A device administrator can log in securely over SSH, but the organization still insists on restricting source IP ranges and keeping detailed logs. Which statement best explains that decision?

A.Because secure transport alone does not remove the need for source restriction and accountability controls.
B.Because SSH is less secure than Telnet and must be compensated for.
C.Because logs automatically enforce ACL policy.
D.Because source IP restriction replaces the need for authentication.
AnswerA

This is correct because layered controls address different management-plane risks.

Why this answer

The decision reflects defense in depth. SSH encrypts the session and authenticates users, but it does not limit which source IPs can connect or provide audit trails. Source IP restriction reduces the attack surface by allowing only trusted hosts, and logging provides accountability and forensic evidence.

Option B is incorrect because SSH is more secure than Telnet, not less. Option C is incorrect because logs record events but do not enforce ACLs. Option D is incorrect because source IP restriction complements authentication rather than replacing it.

Exam trap

A frequent exam trap is to believe that using SSH alone fully secures remote device access, leading to the mistaken idea that source IP restrictions and logging are redundant. This overlooks that SSH only encrypts the session and authenticates users but does not limit which hosts can connect or provide audit trails. Ignoring source IP filtering increases exposure to brute-force or credential compromise attacks from unauthorized IPs.

Similarly, neglecting logging removes visibility into who accessed the device and when, hindering incident response. The trap is confusing transport security with comprehensive access control and accountability.

Why the other options are wrong

B

SSH is more secure than Telnet, so this option incorrectly suggests it is less secure and requires compensation.

C

Logs record activity but do not automatically enforce ACL policy; enforcement is a separate function.

D

Source IP restriction limits allowed hosts but does not replace the need for user authentication.

214
PBQhard

You are connected to R1 via the console. R1 is configured as an NTP client that should synchronize with the NTP server at 203.0.113.1. You need to verify that R1 is synchronizing correctly and also ensure that the system clock is updated. Additionally, configure R1 to act as an NTP server for downstream devices on the internal network 192.168.1.0/24.

Network Topology
R1 G0/0 192.168.1.1/24 faces the internal PCs; R1 G0/1 10.0.0.1/30 faces the WAN and the NTP server.

Hints

  • Check if the NTP server is reachable and the clock is synchronized.
  • The 'master' command sets the stratum level for downstream clients.
  • Use broadcast on the internal interface to distribute time.
A.Use 'show ntp status' to verify synchronization, 'clock set' to update the system clock, and configure 'ntp master' and 'ntp broadcast' on the interface facing 192.168.1.0/24.
B.Use 'show ntp associations' to verify synchronization, 'clock update' to update the system clock, and configure 'ntp server' and 'ntp broadcast' on the interface facing 192.168.1.0/24.
C.Use 'show ntp status' to verify synchronization, 'clock set' to update the system clock, and configure 'ntp server' and 'ntp broadcast' on the interface facing 192.168.1.0/24.
D.Use 'show ntp associations' to verify synchronization, 'clock set' to update the system clock, and configure 'ntp master' and 'ntp broadcast' on the interface facing 192.168.1.0/24.
AnswerA
solution
! R1
ntp server 203.0.113.1
ntp master 4
interface GigabitEthernet0/0
ntp broadcast

Why this answer

The correct verification command is 'show ntp status' because it displays the synchronization state and stratum level. 'show ntp associations' shows configured peers but not the sync state. After NTP sync is established, the system clock is automatically updated; 'clock set' is not typically required but remains a valid command to manually adjust the clock. 'clock update' is not a valid IOS command. To make R1 an NTP server for downstream devices, use the global command 'ntp master 4', not 'ntp server' (which makes the router a client).

Then, on the interface facing 192.168.1.0/24 (G0/0), apply 'ntp broadcast' to send NTP broadcasts so clients can synchronize without polling. Option A correctly combines these steps while other options mix incorrect commands or verification methods.

Exam trap

Be careful to distinguish 'show ntp status' (synchronization state) from 'show ntp associations' (peer list); also remember that 'ntp master' is a global command, while 'ntp broadcast' is applied per interface.

Why the other options are wrong

B

Uses invalid 'clock update' command and incorrectly uses 'ntp server' instead of 'ntp master' to make R1 an NTP server for downstream.

C

Uses 'ntp server' instead of 'ntp master' to make R1 an NTP server; 'ntp server' configures R1 as a client, not a server.

D

Uses 'show ntp associations' which does not show synchronization status; 'show ntp status' is needed for that.

215
Multi-Selectmedium

Which two statements accurately describe DNS and DHCP?

Select 2 answers
A.DNS resolves names to IP information, while DHCP dynamically assigns addressing information to clients.
B.DHCP is used primarily to translate private addresses into public addresses.
C.DNS can help users reach services by hostname instead of remembering numeric IP addresses.
D.DHCP replaces the need for subnet masks and default gateways.
E.DNS and DHCP are both Layer 1 technologies.
AnswersA, C

This is correct because it states the core job of each service accurately.

Why this answer

DNS and DHCP solve very different problems, even though both are common infrastructure services. DNS helps devices and users find systems by name. In simple terms, it means people can type a hostname rather than memorizing numeric IP addresses. DHCP automatically gives clients important IP settings such as an address, subnet mask, default gateway, and often DNS server information.

The trick in comparison questions is not to blend their roles together. DHCP does not perform NAT, and it does not eliminate the need for addressing details; it actually supplies them.

Exam trap

A frequent exam trap is confusing DHCP with NAT or assuming DHCP replaces the need for subnet masks and default gateways. Some candidates mistakenly believe DHCP translates private IP addresses to public ones, but this is the role of NAT, not DHCP. Additionally, DHCP does not remove the need for subnet masks or default gateways; instead, it provides these parameters automatically to clients.

Misunderstanding these distinctions can lead to incorrect answers, especially when questions ask about the functions of IP services. Carefully distinguishing DHCP’s role in dynamic addressing from NAT’s role in address translation is essential to avoid this trap.

Why the other options are wrong

B

DHCP does not translate private addresses to public; that is the function of NAT.

D

DHCP does not replace the need for subnet masks and default gateways; it actually provides them automatically.

E

DNS and DHCP operate at the Application Layer (Layer 7), not Layer 1.

216
MCQhard

Based on the exhibit, which configuration should be added to restore DHCP service for clients in VLAN 30?

A.ip helper-address 10.99.99.20 under interface Vlan30
B.switchport mode trunk under interface Vlan30
C.ip default-gateway 10.99.99.20 under interface Vlan30
D.spanning-tree portfast under interface Vlan30
AnswerA

This is correct because the VLAN 30 SVI must relay DHCP requests toward the remote server.

Why this answer

The correct fix is to add an IP helper address pointing to the remote DHCP server on the Layer 3 interface for VLAN 30. In practical terms, the clients are sending DHCP discovery as a broadcast, and the server is on another subnet. The SVI for VLAN 30 is the local gateway that must relay those requests toward the server.

This is one of the most exam-realistic campus troubleshooting scenarios because it tests both subnet boundaries and the role of the local gateway interface.

Exam trap

A common exam trap is confusing the ip helper-address command with ip default-gateway or Layer 2 commands like switchport mode trunk. Candidates might incorrectly apply switchport commands to an SVI, which is a Layer 3 interface, or think setting ip default-gateway will relay DHCP requests. These mistakes cause DHCP broadcasts to fail reaching the remote server, leading to no IP address assignment for clients.

Understanding that ip helper-address is the DHCP relay mechanism on Layer 3 interfaces is critical to avoid this trap.

Why the other options are wrong

B

Incorrect. The command switchport mode trunk is a Layer 2 switchport configuration and cannot be applied to an SVI, which is a Layer 3 interface. This does not affect DHCP relay.

C

Incorrect. The ip default-gateway command sets the default gateway for management traffic on a Layer 2 device and does not relay DHCP broadcasts. It does not restore DHCP service for clients.

D

Incorrect. The spanning-tree portfast command is used on physical Layer 2 switchports to speed up port transitions and has no effect on DHCP relay or SVIs.

217
Multi-Selectmedium

Which two statements accurately describe the value of named administrative accounts?

Select 2 answers
A.They improve accountability by tying actions to specific individuals.
B.They improve traceability during audits or incident reviews.
C.They replace the need for authorization controls.
D.They can be used only with Telnet and not SSH.
E.They exist only for wireless guest administration.
AnswersA, B

This is correct because named identities make it easier to attribute actions accurately.

Why this answer

Named administrative accounts are valuable because they tie actions to individual identities and make access review more meaningful. In practical terms, when multiple people share one generic admin account, accountability becomes weaker. Named identities improve traceability and support auditing, investigations, and operational review.

This is a core secure-administration concept and a good reasoning item rather than just a memorization exercise.

Exam trap

Beware of confusing named accounts with other security measures like password policies or role-based access control.

Why the other options are wrong

C

Named accounts provide identification and authentication, but authorization (what actions an account can perform) is a separate control typically enforced via privilege levels, role-based access control (RBAC), or command authorization (e.g., using TACACS+). Replacing authorization with identity alone would violate the principle of least privilege.

D

Named accounts are protocol-agnostic and work with any management protocol, including SSH, HTTPS, and SNMPv3. Telnet is insecure and rarely used in modern networks; named accounts are actually more important with secure protocols to maintain accountability without compromising security.

E

Named administrative accounts are used across all network device administration, including routers, switches, firewalls, and wireless controllers. Wireless guest administration typically uses separate guest accounts or captive portal authentication, not administrative accounts.

218
MCQhard

A collector is not receiving flow records from a branch router. Based on the exhibit, what is the most likely issue?

A.The export destination port 2055 is invalid for flow export.
B.The exporter source interface does not match what the collector expects.
C.NetFlow can run only on serial interfaces.
D.The router must use TCP instead of UDP to export flows.
AnswerB

Exports are sourced from Loopback0 instead of the accepted 10.99.99.2 address.

Why this answer

The exporter is configured to send records out the wrong interface. NetFlow exports must use a source interface that has a valid path to the collector and typically matches the interface the collector expects. The collector IP itself is correct in the example, but the source interface selection is wrong.

Exam trap

A common exam trap is to focus on the export destination port or protocol when flow records are not received. Since UDP port 2055 is the default and valid port for NetFlow exports, candidates might incorrectly assume the port is wrong. Another trap is thinking NetFlow only works on serial interfaces, leading to confusion when Ethernet interfaces are used.

The real issue often lies in the source interface configuration, where the router exports flow records from an interface IP address that the collector does not expect or trust, causing the collector to drop the data silently.

Why the other options are wrong

A

Option A is incorrect because UDP port 2055 is the standard and valid port for NetFlow exports. Changing the port is possible but not necessary if the collector is configured to listen on 2055, so the port is unlikely the issue.

C

Option C is incorrect because NetFlow can run on various interface types, including Ethernet and serial. Limiting NetFlow to serial interfaces is a misconception and does not explain why the collector is not receiving data.

D

Option D is incorrect because NetFlow exports use UDP, not TCP. Changing the transport protocol to TCP is not supported for NetFlow exports and would not resolve the issue of missing flow records.

219
Multi-Selectmedium

Which two statements accurately describe why NetFlow is useful for operations teams?

Select 2 answers
A.It helps identify which conversations or applications contribute to link utilization.
B.It can provide more detail than simple interface counters alone.
C.It replaces the need for all routing protocols.
D.It is the main wireless encryption protocol for guest access.
E.It eliminates the usefulness of Syslog.
AnswersA, B

This is correct because NetFlow provides flow-level visibility.

Why this answer

NetFlow is useful because it helps teams move beyond simple interface utilization and see which traffic conversations are responsible for usage. In practical terms, it can reveal which hosts, protocols, or applications are contributing to the traffic profile, making it valuable for troubleshooting, capacity planning, and security investigations. Option E is incorrect because NetFlow does not eliminate the usefulness of Syslog; Syslog provides device event logging while NetFlow provides traffic flow data, and both tools complement each other in network operations.

Exam trap

A frequent exam trap is mistaking NetFlow for a routing protocol, a security mechanism, or a replacement for Syslog.

Why the other options are wrong

C

Option C is incorrect because NetFlow does not replace routing protocols; it is a monitoring technology that provides visibility into traffic flows but does not perform routing functions or influence path selection.

D

Option D is incorrect as NetFlow is unrelated to wireless encryption protocols. Wireless encryption standards like WPA2 or WPA3 handle security, whereas NetFlow focuses on traffic flow monitoring.

E

Option E is incorrect because NetFlow does not eliminate the usefulness of Syslog. Syslog provides event logging and system messages, which complement NetFlow’s traffic flow data for comprehensive network monitoring.

220
MCQhard

An administrator sees high interface utilization through SNMP graphs but wants to identify which conversations are responsible. Which addition best closes that visibility gap?

A.NetFlow
B.Another DHCP scope
C.A new STP priority
D.A larger OSPF metric
AnswerA

This is correct because NetFlow adds detailed visibility into traffic conversations behind utilization.

Why this answer

NetFlow provides conversation-level visibility into which hosts and applications are consuming bandwidth, closing the gap left by SNMP's interface totals. A new DHCP scope assigns IP addresses but offers no traffic insight. An STP priority manages loop-free topology and does not affect monitoring.

A larger OSPF metric influences routing path selection, not traffic analysis.

Exam trap

Avoid assuming all network monitoring tools provide the same level of detail. Understand the specific capabilities of each tool.

Why the other options are wrong

B

A DHCP scope handles address assignment and has no role in traffic conversation visibility.

C

An STP priority manages spanning-tree topology and does not provide bandwidth usage details.

D

A larger OSPF metric affects routing path selection but does not reveal which conversations are using bandwidth.

221
PBQmedium

You are connected to R1 via console. R1's GigabitEthernet0/0 (203.0.113.1/30) connects to the internet, and GigabitEthernet0/1 (192.168.1.1/24) connects to the internal LAN. The internal LAN hosts need to access the internet using PAT (overload) with the public IP 203.0.113.1 assigned to GigabitEthernet0/0. An internal web server at 192.168.1.100 must be accessible from the internet via static NAT to 203.0.113.5. Your task is to configure NAT/PAT on R1.

Network Topology

[Topology diagram: Internet <-> R1 (G0/0 10.0.0.1/30, G0/1 192.168.1.1/24) <-> Internal LAN]

Hints

  • First define which internal addresses should be translated using an access list.
  • Use a NAT pool with a single IP for PAT overload.
  • Apply the nat inside and outside commands on the correct interfaces.
A.
  ip access-list standard NAT_ACL
   permit 192.168.1.0 0.0.0.255
  ip nat pool PUBLIC 203.0.113.1 203.0.113.1 netmask 255.255.255.252
  ip nat inside source list NAT_ACL pool PUBLIC overload
  ip nat inside source static tcp 192.168.1.100 80 203.0.113.5 80 extendable
  interface GigabitEthernet0/0
   ip nat outside
  interface GigabitEthernet0/1
   ip nat inside
B.
  ip access-list standard NAT_ACL
   permit 192.168.1.0 0.0.0.255
  ip nat inside source list NAT_ACL interface GigabitEthernet0/0 overload
  ip nat inside source static tcp 192.168.1.100 80 203.0.113.5 80 extendable
  interface GigabitEthernet0/0
   ip nat outside
  interface GigabitEthernet0/1
   ip nat inside
C.
  ip access-list standard NAT_ACL
   permit 192.168.1.0 0.0.0.255
  ip nat pool PUBLIC 203.0.113.1 203.0.113.1 netmask 255.255.255.252
  ip nat inside source list NAT_ACL pool PUBLIC
  ip nat inside source static tcp 192.168.1.100 80 203.0.113.5 80 extendable
  interface GigabitEthernet0/0
   ip nat outside
  interface GigabitEthernet0/1
   ip nat inside
D.
  ip access-list standard NAT_ACL
   permit 192.168.1.0 0.0.0.255
  ip nat pool PUBLIC 203.0.113.1 203.0.113.1 netmask 255.255.255.252
  ip nat inside source list NAT_ACL pool PUBLIC overload
  ip nat inside source static tcp 192.168.1.100 80 203.0.113.5 80 extendable
  interface GigabitEthernet0/0
   ip nat inside
  interface GigabitEthernet0/1
   ip nat outside
AnswerA
solution
! R1
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat pool PUBLIC 203.0.113.1 203.0.113.1 netmask 255.255.255.252
ip nat inside source list 1 pool PUBLIC overload
ip nat inside source static tcp 192.168.1.100 80 203.0.113.5 80
interface GigabitEthernet0/0
ip nat outside
interface GigabitEthernet0/1
ip nat inside

Why this answer

The access list selects the internal LAN traffic. The NAT pool uses the single public IP for overload. The static NAT translates the internal web server's HTTP traffic to a second public IP.

The interface commands mark inside and outside for NAT processing.

Exam trap

Pay close attention to the specific public IP address requirement. Using 'ip nat inside source list ... interface ... overload' uses the interface's IP, which may not be the exact IP specified. Also, remember that 'overload' is required for PAT, and inside/outside must be correctly assigned.

Why the other options are wrong

B

The command 'ip nat inside source list ... interface ... overload' uses the interface's IP address for translation, not the pool address 203.0.113.1. The requirement specifies using the public IP 203.0.113.1, which is assigned to the interface but may not be the interface's primary IP if multiple IPs are configured.

C

Without 'overload', the router will attempt to allocate a unique public IP for each internal session, but the pool has only one IP, so only one translation can exist at a time. PAT (overload) is required to allow multiple internal hosts to share the single public IP.

D

The 'ip nat inside' command should be on the LAN interface (GigabitEthernet0/1) and 'ip nat outside' on the internet-facing interface (GigabitEthernet0/0). Reversing them causes NAT to fail because the router does not know which traffic is internal.
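To make the difference between options A and C concrete, here is an added toy model of R1's translation table (constructed for this page, not Cisco IOS code or the question's own solution). It uses the PBQ's ACL, one-address pool and static web-server entry, and shows that without 'overload' the second inside host gets no translation, while PAT multiplexes both hosts onto 203.0.113.1 by source port; the PAT port numbering starting at 1024 is an assumption of the model.

```python
from dataclasses import dataclass, field

# Values from the PBQ: ACL, one-address pool, static entry for the web server.
INSIDE_PREFIX = "192.168.1."                  # access-list 1 permit 192.168.1.0 0.0.0.255
POOL_PUBLIC = ["203.0.113.1"]                 # ip nat pool PUBLIC 203.0.113.1 203.0.113.1
STATIC_WEB = {("192.168.1.100", 80): ("203.0.113.5", 80)}  # ip nat inside source static tcp

@dataclass
class NatRouter:
    pool: list
    overload: bool
    statics: dict = field(default_factory=dict)
    table: dict = field(default_factory=dict)  # inside key -> (global_ip, global_port)
    next_port: int = 1024                       # next PAT source port (model assumption)

    def inside_to_outside(self, src_ip, src_port):
        """Translate a TCP segment leaving G0/1 (inside) toward G0/0 (outside).
        Returns (global_ip, global_port), or None when the router drops it."""
        if (src_ip, src_port) in self.statics:      # static entries are matched first
            return self.statics[(src_ip, src_port)]
        if not src_ip.startswith(INSIDE_PREFIX):    # ACL miss: forwarded untranslated
            return (src_ip, src_port)
        if self.overload:                           # PAT: one address, unique ports
            key = (src_ip, src_port)
            if key not in self.table:
                self.table[key] = (self.pool[0], self.next_port)
                self.next_port += 1
            return self.table[key]
        # Dynamic NAT without 'overload': each inside host needs its own pool address.
        if src_ip not in self.table:
            free = [g for g in self.pool if g not in {x for x, _ in self.table.values()}]
            if not free:
                return None                         # pool exhausted: packet dropped
            self.table[src_ip] = (free[0], src_port)
        return (self.table[src_ip][0], src_port)

    def outside_to_inside(self, dst_ip, dst_port):
        """Reverse lookup for unsolicited traffic arriving on G0/0 (static only)."""
        for inside, glob in self.statics.items():
            if glob == (dst_ip, dst_port):
                return inside
        return None

def demo():
    """Option C (pool, no overload) beside option A (pool + overload)."""
    opt_c = NatRouter(POOL_PUBLIC, overload=False, statics=dict(STATIC_WEB))
    opt_a = NatRouter(POOL_PUBLIC, overload=True, statics=dict(STATIC_WEB))
    return {
        "c_host1": opt_c.inside_to_outside("192.168.1.10", 40000),   # ('203.0.113.1', 40000)
        "c_host2": opt_c.inside_to_outside("192.168.1.11", 40001),   # None: only one address
        "a_host1": opt_a.inside_to_outside("192.168.1.10", 40000),   # ('203.0.113.1', 1024)
        "a_host2": opt_a.inside_to_outside("192.168.1.11", 40001),   # ('203.0.113.1', 1025)
        "web_inbound": opt_a.outside_to_inside("203.0.113.5", 80),   # ('192.168.1.100', 80)
    }
```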

222
Matchingmedium

Match each term to the question it most directly answers.

Who are you?

What are you allowed to do?

What happened during the session?

Can the service or data be used when needed?

Why these pairings

Authentication verifies a user's identity, answering 'Who are you?'. Authorization defines what an authenticated user is permitted to do, answering 'What are you allowed to do?'. Accounting records the actions and resources used during a session, answering 'What happened during the session?'.

Availability ensures that services and data are accessible when required, answering 'Can the service or data be used when needed?'.

Exam trap

Learners often confuse authentication with authorization. Authentication proves identity, while authorization defines what that identity is permitted to do.

223
Matchingmedium

Match each network-assurance item to its most accurate role.

Centralized event and message reporting

Monitoring and management data exchange

Traffic-flow visibility

Clock synchronization for reliable timelines

Why these pairings

Syslog provides a centralized mechanism for collecting and storing event logs and system messages from network devices, making it ideal for event and message reporting. SNMP allows network management systems to query devices and receive traps, enabling monitoring and management data exchange. NetFlow captures traffic flow details such as source, destination, and volume, offering visibility into how traffic moves through the network.

NTP synchronizes device clocks to a reference source, ensuring accurate timestamps in logs and flow data for reliable correlation and troubleshooting.

Exam trap

Do not confuse uptime with time-based performance metrics like latency or jitter. Uptime is strictly about operational continuity, not packet timing.

224
MCQeasy

Users can reach a server by IP address but not by hostname. Which service should be checked first?

A.NTP
B.DNS
C.QoS
D.HSRP
AnswerB

Correct. This symptom strongly suggests a DNS issue.

Why this answer

If the server is reachable by IP but not by name, the likely issue is name resolution, which points to DNS.

Exam trap

A common exam trap is selecting NTP, QoS, or HSRP as the cause when users cannot reach a server by hostname. NTP synchronizes time and does not affect name resolution. QoS prioritizes traffic but does not translate hostnames to IP addresses.

HSRP provides gateway redundancy and does not influence DNS functionality. Choosing any of these distractors wastes time and leads to incorrect troubleshooting. The key is to recognize that hostname resolution depends solely on DNS, so DNS must be the first service checked when IP connectivity exists but hostname access fails.

Why the other options are wrong

A

NTP (Network Time Protocol) is responsible for synchronizing clocks across devices but does not handle hostname resolution or IP address translation, so it cannot cause hostname access failures.

C

QoS (Quality of Service) manages traffic prioritization and bandwidth allocation but does not perform any function related to hostname resolution or IP address translation.

D

HSRP (Hot Standby Router Protocol) provides gateway redundancy and failover but does not influence DNS or the ability to resolve hostnames to IP addresses.

225
Matchingmedium

Match each access-control concept to its most accurate meaning.

Verification of identity

Determination of allowed actions

Limiting access to only what is necessary

Credential store used directly on the device

Why these pairings

Authentication is correctly matched with 'Verification of identity' because it confirms who the user is. Authorization is correctly matched with 'Determination of allowed actions' because it defines what the user can do. Least privilege is correctly matched with 'Limiting access to only what is necessary' as it enforces minimal permissions.

Local database is correctly matched with 'Credential store used directly on the device' as it stores credentials locally for authentication.

Exam trap

Do not confuse 'subject' with 'object' or 'ACL'. Remember: subjects act, objects are acted upon. The subject is the 'who' requesting access, not the 'what' being accessed or the rules governing access.
