CCNA Network Services and Security Questions

75 of 478 questions · Page 6/7 · Network Services and Security · Answers revealed

376
PBQmedium

You are connected to R1 via the console. R1's GigabitEthernet0/0 (10.0.0.1/30) connects to a WAN link to the ISP. GigabitEthernet0/1 (192.168.1.1/24) connects to the internal LAN with hosts needing Internet access. The ISP has allocated public IP pool 203.0.113.16/28 (203.0.113.17-203.0.113.30). The internal LAN should use NAT overload (PAT) to translate all internal traffic to the public IP 203.0.113.18. The router currently has no NAT configuration. Configure NAT overload on R1 to allow internal hosts to access the Internet.

Network Topology
G0/1192.168.1.1/24G0/010.0.0.1/30Internal HostsLANR1WANISP

Hints

  • Think about which interfaces are inside and outside the NAT domain.
  • The overload keyword enables PAT.
  • Use an ACL to define which internal addresses are eligible for translation.
A.access-list 1 permit 192.168.1.0 0.0.0.255 ip nat inside source list 1 interface GigabitEthernet0/0 overload interface GigabitEthernet0/1 ip nat inside interface GigabitEthernet0/0 ip nat outside
B.access-list 1 permit 192.168.1.0 0.0.0.255 ip nat inside source list 1 interface GigabitEthernet0/1 overload interface GigabitEthernet0/1 ip nat inside interface GigabitEthernet0/0 ip nat outside
C.access-list 1 permit 192.168.1.0 0.0.0.255 ip nat inside source list 1 pool ISP_POOL overload ip nat pool ISP_POOL 203.0.113.18 203.0.113.18 netmask 255.255.255.240 interface GigabitEthernet0/1 ip nat inside interface GigabitEthernet0/0 ip nat outside
D.access-list 1 permit 192.168.1.0 0.0.0.255 ip nat inside source list 1 interface GigabitEthernet0/0 interface GigabitEthernet0/1 ip nat inside interface GigabitEthernet0/0 ip nat outside
AnswerC
solution
! R1
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface GigabitEthernet0/0 overload
interface GigabitEthernet0/1
ip nat inside
interface GigabitEthernet0/0
ip nat outside

Why this answer

The requirement is to translate all internal traffic to the specific public IP 203.0.113.18, not the physical interface's address. Option C achieves this with a NAT pool containing that IP and the overload keyword, enabling PAT. Option A translates to the interface's IP (10.0.0.1), contradicting the requirement.

Option B references the wrong interface in the translation command and lacks overload, while Option D omits the overload keyword entirely, providing only one-to-one NAT.

Exam trap

A common pitfall is assuming the outside interface's IP satisfies a translation requirement when a specific public IP from a pool is explicitly mandated.

Why the other options are wrong

A

Uses the outside interface IP (10.0.0.1) instead of the required 203.0.113.18.

B

The translation command uses the inside interface, which would not provide the correct source address for outbound traffic.

D

Missing the 'overload' keyword, so only one-to-one NAT occurs, preventing multiple hosts from sharing the IP.

377
PBQhard

You are connected to R1. The network uses private IP 10.10.10.0/24 on the inside and must reach the Internet via the outside interface G0/1 with public IP 203.0.113.1/29. Configure PAT (NAT overload) so that inside hosts can access the Internet, and also configure a static NAT for the internal server 10.10.10.100 to public IP 203.0.113.2. The current configuration has errors: the inside and outside interfaces are swapped, the ACL is incorrectly defined, and the overload keyword is missing. Fix all issues.

Network Topology
G0/0 inside10.10.10.1/2410.10.10.0/24G0/1 outside203.0.113.1/29Inside hostsswitchR1Internet

Hints

  • Check which interface is marked inside and which is outside — the private IP network should be inside.
  • The ACL must match the actual inside subnet, not a different network.
  • PAT requires the 'overload' keyword on the ip nat inside source command.
A.On G0/0: ip nat inside; on G0/1: ip nat outside; ACL 10 permit 10.10.10.0 0.0.0.255; ip nat inside source list 10 interface GigabitEthernet0/1 overload
B.On G0/0: ip nat outside; on G0/1: ip nat inside; ACL 10 permit 10.10.10.0 0.0.0.255; ip nat inside source list 10 interface GigabitEthernet0/1 overload
C.On G0/0: ip nat inside; on G0/1: ip nat outside; ACL 10 permit 192.168.1.0 0.0.0.255; ip nat inside source list 10 interface GigabitEthernet0/1 overload
D.On G0/0: ip nat inside; on G0/1: ip nat outside; ACL 10 permit 10.10.10.0 0.0.0.255; ip nat inside source list 10 interface GigabitEthernet0/1
AnswerA
solution
! R1
interface GigabitEthernet0/0
no ip nat outside
ip nat inside
exit
interface GigabitEthernet0/1
no ip nat inside
ip nat outside
exit
no access-list 10
access-list 10 permit 10.10.10.0 0.0.0.255
ip nat inside source list 10 interface GigabitEthernet0/1 overload

Why this answer

The configuration had three faults: (1) The inside interface (G0/0 with private IP) was marked 'ip nat outside', and the outside interface (G0/1 with public IP) was marked 'ip nat inside' — these must be swapped. (2) The ACL 10 permitted 192.168.1.0/24 instead of the actual inside subnet 10.10.10.0/24. (3) The NAT command 'ip nat inside source list 10 interface GigabitEthernet0/1' was missing the 'overload' keyword, which is required for PAT. The static NAT was correctly defined. After fixing all three, inside hosts will be able to access the Internet using PAT.

Exam trap

Watch out for three common NAT configuration mistakes: swapping inside/outside interface designations, using an ACL that does not match the actual inside network, and forgetting the 'overload' keyword for PAT. Always verify the interface IP addresses and the ACL permit statement.

Why the other options are wrong

B

The specific factual error is that the 'ip nat inside' and 'ip nat outside' commands are applied to the wrong interfaces. The inside interface must be the one facing the internal network, and the outside interface must be the one facing the external network.

C

The specific factual error is that the ACL does not match the correct inside network. The ACL in the NAT configuration must permit the exact private IP range used on the inside network.

D

The specific factual error is the omission of the 'overload' keyword. PAT (overload) is required to allow multiple inside hosts to share a single public IP address by using different source ports.

378
Multi-Selecthard

A technician reports that users on a guest wireless SSID can reach the internet but can also browse internal file shares, which should be blocked. Which two design actions most directly address that issue?

Select 2 answers
A.Place guest clients in a separate VLAN or VRF from internal users
B.Apply ACL policy that denies guest access to internal subnets while permitting internet access
C.Increase the AP transmit power
D.Disable DHCP on the guest WLAN
AnswersA, B

Segmentation is the core control that isolates guest traffic from corporate resources.

Why this answer

Guest access should be isolated through segmentation and policy enforcement. Separate broadcast domains and ACLs are the practical way to allow internet-only access.

Exam trap

A common exam trap is to confuse wireless coverage or connectivity settings with security controls. For example, disabling DHCP on the guest WLAN might seem like a way to block guest access to internal resources, but it actually prevents guests from obtaining IP addresses, breaking their internet connectivity rather than isolating internal file shares. Similarly, increasing AP transmit power affects signal reach but does nothing to separate guest traffic from internal users.

The trap is to overlook the necessity of logical segmentation and explicit ACL policies, which are the correct mechanisms to enforce access restrictions in Cisco wireless networks.

Why the other options are wrong

C

Incorrect. Increasing AP transmit power only affects wireless coverage and does not provide any mechanism to isolate guest traffic or block access to internal resources.

D

Incorrect. Disabling DHCP on the guest WLAN disrupts guest connectivity by preventing IP address assignment and does not effectively isolate guest traffic from internal networks.

379
MCQhard

A network administrator is configuring a Layer 2 EtherChannel between two switches. Switch A uses 'channel-group 1 mode active', and Switch B uses 'channel-group 1 mode desirable'. All member interfaces are trunk ports with identical allowed VLANs. The EtherChannel fails to form. What is the most likely cause?

A.The switches are using different EtherChannel negotiation protocols.
B.A Layer 2 EtherChannel cannot carry trunk links.
C.The channel-group number must be different on each switch.
D.The member interfaces must be in access mode before the bundle can form.
AnswerA

LACP active cannot form a channel with PAgP desirable.

Why this answer

The two switches are using different negotiation protocols: LACP (active) on one side and PAgP (desirable) on the other. EtherChannel requires both sides to use the same protocol, so this protocol mismatch prevents the bundle from forming. The other settings—trunking, VLAN configuration, and channel-group number—are correctly configured and do not cause the failure.

Exam trap

Ensure both sides of an EtherChannel use the same negotiation protocol; mismatches are a common setup error.

Why the other options are wrong

B

This option is incorrect because a Layer 2 EtherChannel can indeed carry trunk links, allowing multiple VLANs to be transmitted over the same logical link. The issue with the EtherChannel not forming is more likely related to mismatched negotiation protocols or other configuration errors.

C

This option is wrong because the channel-group number must be the same on both switches for an EtherChannel to form. Different numbers would prevent the aggregation of the links.

D

This option is wrong because a Layer 2 EtherChannel can indeed carry trunk links, allowing multiple VLANs to be transmitted over the same link. Therefore, the inability to form the EtherChannel is not due to the mode of the member interfaces.

380
Multi-Selectmedium

Which four of the following are true statements regarding the operation of DHCP snooping on a Cisco switch? (Choose all that apply. There are four correct answers.)

Select 4 answers
.DHCP snooping distinguishes trusted and untrusted ports.
.By default, all ports are considered untrusted for DHCP snooping.
.DHCP snooping can rate-limit DHCP messages to prevent denial-of-service attacks.
.DHCP snooping builds and maintains a DHCP snooping binding database (also called a binding table).
.DHCP snooping prevents rogue DHCP servers by allowing only authorized servers on any port.
.DHCP snooping requires an external DHCP server to be configured on the switch.

Why this answer

The four correct statements are true because DHCP snooping is a security feature that operates by classifying switch ports as trusted or untrusted. By default, all ports are untrusted, meaning they cannot send DHCP server messages (OFFER, ACK, NAK) unless explicitly configured as trusted. Rate-limiting DHCP messages on untrusted ports mitigates DHCP starvation attacks, and the binding database (MAC-to-IP mapping) is built from DHCP ACK messages to prevent IP spoofing.

The incorrect statement "DHCP snooping requires an external DHCP server to be configured on the switch" is false because DHCP snooping itself does not require the switch to act as a DHCP server; it simply relies on DHCP messages from a legitimate server reachable through a trusted port.

Exam trap

Cisco often tests the misconception that DHCP snooping can be configured to allow authorized servers on any port, but the feature strictly enforces that only trusted ports can source DHCP server messages, regardless of the server's IP or MAC address.

381
MCQhard

Exhibit: Users on the inside network can open connections to a web server in the DMZ, but return traffic is denied by an ACL on the outside interface. Which statement best explains the issue?

A.The ACL should match the source port 80 on returning traffic, not the destination port 80
B.HTTP traffic can never be filtered with a standard ACL
C.The ACL must be applied outbound on the inside interface only
D.NAT automatically bypasses interface ACLs
AnswerA

Return packets from the server use source port 80 and a random high destination port on the client.

Why this answer

An ACL applied inbound on the outside interface will evaluate the return traffic entering from the DMZ or outside toward the router. If it permits only destination port 80 inbound, the returning packets will not match because their destination is an ephemeral client port, not 80.

Exam trap

A frequent exam trap is believing that return HTTP traffic will have destination port 80, just like the outbound request. This misconception causes candidates to configure ACLs that only permit inbound packets with destination port 80, which blocks legitimate return traffic because the return packets have source port 80 and a high-numbered destination port. Misunderstanding this port reversal leads to ACLs that deny return traffic, causing connectivity failures despite correct outbound rules.

Another trap is confusing NAT behavior, incorrectly assuming NAT bypasses ACLs, which it does not. This misunderstanding can cause candidates to overlook ACL port matching issues.

Why the other options are wrong

B

Incorrect. While standard ACLs cannot filter by port, extended ACLs can. The issue here is port matching on return traffic, not the inability to filter HTTP with ACLs.

C

Incorrect. ACL placement varies, but the key problem is the ACL’s port matching logic on the outside interface inbound direction, not just interface selection.

D

Incorrect. NAT does not bypass ACLs. ACLs still process packets after NAT translation, so NAT is not the cause of return traffic denial.

382
MCQeasy

In AAA, which function determines what an authenticated user is allowed to do after login?

A.Authentication
B.Authorization
C.Accounting
D.Encryption
AnswerB

Correct. Authorization controls what the user may do.

Why this answer

Authentication verifies identity. Authorization determines permitted actions. Accounting records activity.

Exam trap

Don't confuse authentication with authorization; they serve different purposes in AAA.

Why the other options are wrong

A

Authentication is the process of verifying a user's identity, not determining their permissions. In the context of this question, it does not address what actions an authenticated user is allowed to perform.

C

Accounting refers to the tracking and logging of user activities and resource usage, not the permissions or access rights granted to users after authentication. Therefore, it does not determine what an authenticated user is allowed to do.

D

Encryption is a process that secures data by converting it into a coded format, but it does not determine user permissions or access rights after authentication. Therefore, it is not relevant to the function of managing user privileges post-login.

383
MCQhard

After enabling DHCP snooping on VLAN 10, a technician finds that clients in that VLAN are no longer receiving IP addresses from the DHCP server. The server is connected to port Gi0/24. What is the most likely cause?

A.The port Gi0/24 has not been configured as a trusted port for DHCP snooping.
B.The DHCP server is on a different subnet, and the VLAN 10 SVI does not have an ip helper-address configured.
C.The DHCP snooping database location was not configured, causing the switch to discard all DHCP server messages.
D.The DHCP snooping binding table does not contain an entry for the DHCP server’s MAC address, so offers are being discarded.
AnswerA

DHCP snooping immediately blocks all DHCP server messages on untrusted ports. Because Gi0/24 is the uplink to the DHCP server, it must be explicitly set as trusted (ip dhcp snooping trust), otherwise the switch will drop the DHCP offers sent by the server.

Why this answer

DHCP snooping classifies all ports as untrusted by default, and an untrusted port drops DHCP server messages (OFFER/ACK) to prevent rogue servers. Because the uplink Gi0/24 was not explicitly configured as a trusted port with ip dhcp snooping trust, the legitimate DHCP offers from the server are being discarded, so clients never receive addresses. The other options are not the cause: an ip helper-address would still be needed if the server were remote and was working before snooping (so it is already in place); the DHCP snooping database is not required for traffic forwarding; and the binding table does not need to contain the server’s MAC to permit server traffic.

Exam trap

D. Candidates often misunderstand the role of the DHCP snooping binding table and think the switch must have learned the server’s MAC to allow DHCP traffic, but the binding table is used to filter client traffic, not to authorize servers.

Why the other options are wrong

B

This option assumes that the loss of DHCP service is due to a missing relay agent, but the symptom started only after enabling snooping, not after an infrastructure change that would affect the relay path.

C

The idea that a missing database causes immediate traffic blocking is a common misinterpretation of the database’s role—it is purely for persistency, not for runtime filtering.

D

Many candidates assume that DHCP snooping uses a reverse-check against the binding table for any DHCP server messages, but the filtering is based solely on the trusted/untrusted port state, not on a learned server entry.

384
PBQhard

You are connected to SW1, a multilayer switch. Configure DHCP snooping and an IP helper-address so that clients in VLAN 20 receive IP addresses from the DHCP server at 10.0.0.2. The DHCP server is already configured with a pool for 192.168.20.0/24, but clients are not getting addresses. Identify and correct the issues in the current configuration.

Network Topology
G0/010.0.0.1/30G0/1SW1DHCP ServerClient

Hints

  • Check the helper-address on VLAN 20 — is it pointing to the correct server IP?
  • DHCP snooping must be enabled globally and for the specific VLAN.
  • The port towards the DHCP server must be configured as trusted.
A.Enable DHCP snooping globally and on VLAN 20, configure interface G0/0 as trusted, and change the ip helper-address on the SVI for VLAN 20 from 10.0.0.3 to 10.0.0.2.
B.Enable DHCP snooping globally and on VLAN 20, configure interface G0/1 as trusted, and change the ip helper-address on the SVI for VLAN 20 from 10.0.0.3 to 10.0.0.2.
C.Enable DHCP snooping globally and on VLAN 20, configure interface G0/0 as trusted, and keep the ip helper-address as 10.0.0.3 because that is the correct server address.
D.Enable DHCP snooping globally and on VLAN 20, configure both interfaces G0/0 and G0/1 as trusted, and change the ip helper-address on the SVI for VLAN 20 from 10.0.0.3 to 10.0.0.2.
AnswerA
solution
! SW1
configure terminal
ip dhcp snooping
ip dhcp snooping vlan 20
interface gigabitethernet0/0
ip dhcp snooping trust
interface vlan20
no ip helper-address 10.0.0.3
ip helper-address 10.0.0.2
end
write memory

Why this answer

The DHCP relay helper-address was pointing to 10.0.0.3 instead of the actual server at 10.0.0.2. Also, DHCP snooping was not enabled. After enabling DHCP snooping globally and on VLAN 20, configure the uplink to the DHCP server as a trusted port (G0/0) and the access port (G0/1) as untrusted (default).

Finally, correct the helper-address to 10.0.0.2. These steps allow DHCP broadcasts from VLAN 20 to be relayed to the server and prevent rogue DHCP attacks.

Exam trap

A common trap is to trust all ports or to forget that the ip helper-address must match the actual DHCP server IP. Also, candidates may confuse which port should be trusted: only the port facing the legitimate DHCP server should be trusted, not client-facing ports.

Why the other options are wrong

B

The specific factual error is that the access port (G0/1) should be untrusted, not trusted. Only the uplink port to the legitimate DHCP server should be trusted.

C

The specific factual error is that the ip helper-address must be set to the actual DHCP server IP (10.0.0.2), not 10.0.0.3.

D

The specific factual error is that only the uplink port (G0/0) should be trusted; trusting the access port (G0/1) allows any device connected to that port to act as a DHCP server.

385
Multi-Selectmedium

A network team wants to collect flow-level traffic statistics from routers to identify top talkers and bandwidth consumers. Which two statements about NetFlow are correct?

Select 2 answers
A.It summarizes traffic into flows instead of capturing every packet payload
B.It is primarily used to distribute time from an authoritative clock
C.It can help identify which conversations consume the most bandwidth
D.It replaces routing protocols by advertising reachability information
AnswersA, C

NetFlow tracks metadata about flows, not full payload captures.

Why this answer

NetFlow provides visibility into who is talking to whom, with what protocols and volume, making it valuable for capacity planning, troubleshooting, and security analysis.

Exam trap

A frequent exam trap is mistaking NetFlow for protocols that distribute time or routing information. For example, option B incorrectly associates NetFlow with NTP, which synchronizes clocks, and option D wrongly suggests NetFlow replaces routing protocols by advertising reachability. These misconceptions arise because candidates may not clearly differentiate between monitoring technologies and control plane protocols.

Remember, NetFlow only summarizes traffic flows for analysis and does not participate in routing or time synchronization. Confusing these roles can lead to selecting incorrect answers under exam pressure.

Why the other options are wrong

B

Option B is incorrect because distributing time from an authoritative clock is the function of NTP, not NetFlow, which is a traffic monitoring protocol.

D

Option D is incorrect because NetFlow does not replace routing protocols or advertise reachability information; it only monitors traffic flows.

386
Drag & Dropmedium

Drag and drop the following steps into the correct order to configure a Layer 3 switch to perform DHCP relay agent and DHCP snooping for a remote DHCP server.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5
6Step 6

Why this order

Correct order: 1) Create DHCP pool on the server to have valid lease parameters; 2) Assign IP address to the SVI so it can act as the gateway and relay agent for the subnet; 3) Globally enable DHCP snooping to activate the feature; 4) Enable snooping on the client VLAN so that only that VLAN’s DHCP traffic is filtered; 5) Set the interface facing the server as trusted to allow DHCP replies; 6) Configure ip helper-address on the SVI to forward client DHCP broadcasts to the server. Each step depends on the previous: the server must be ready; the SVI needs an IP before the helper can be applied; snooping must be globally on before per-VLAN settings; trusted port must be defined before relayed replies are accepted; finally, the helper address enables the actual relay.

387
MCQmedium

A network administrator is troubleshooting a new branch office where hosts in VLAN 20 on switch SW1 cannot obtain IP addresses from the DHCP server located at 192.168.10.5 in the main data center. The router R1 is configured as the default gateway for VLAN 20 with interface GigabitEthernet0/1.20. The administrator verifies that the DHCP server is reachable and has available addresses. What configuration change should the administrator make to resolve the issue?

A.Configure a static IP address on the DHCP server to ensure it is always reachable.
B.Configure the 'ip helper-address 192.168.10.5' command on the router interface GigabitEthernet0/1.20.
C.Enable DHCP snooping globally on the switch SW1.
D.Increase the DHCP lease time on the server to 30 days.
AnswerB

The ip helper-address command enables the router to forward DHCP broadcasts as unicasts to the specified DHCP server, allowing clients in VLAN 20 to obtain IP addresses from the remote server.

Why this answer

The correct answer is B because the DHCP server is on a different subnet than the hosts in VLAN 20. By default, DHCP broadcasts are not forwarded across routers. The 'ip helper-address 192.168.10.5' command on the router's subinterface GigabitEthernet0/1.20 converts the broadcast DHCP request into a unicast and forwards it to the DHCP server, allowing the hosts to obtain IP addresses.

Exam trap

Cisco often tests the misconception that DHCP issues across subnets are caused by server availability or switch security features, when the real problem is the lack of a DHCP relay agent (ip helper-address) on the router interface facing the client VLAN.

Why the other options are wrong

A

A static IP on the server does not forward broadcasts across subnets; the server's reachability is not the issue.

C

Enabling DHCP snooping without proper configuration could block legitimate DHCP traffic, and it does not solve the broadcast forwarding issue.

D

The problem is not about lease duration; clients cannot receive any DHCP offers because broadcasts are not forwarded.

388
MCQeasy

Which protocol is preferred over Telnet for remote CLI management because it encrypts the session?

A.FTP
B.SSH
C.TFTP
D.SNMPv1
AnswerB

Correct. SSH secures the remote management session.

Why this answer

SSH encrypts credentials and management traffic, making it the standard secure replacement for Telnet.

Exam trap

A frequent exam trap is selecting Telnet or other protocols like FTP or TFTP for remote CLI management because they are familiar or commonly mentioned in networking contexts. Telnet is often mistakenly chosen because it provides remote access, but it sends all data unencrypted, exposing credentials to attackers. FTP and TFTP are file transfer protocols and do not support interactive command-line management sessions.

SNMPv1 is used for network monitoring, not secure CLI access, and lacks encryption. Candidates must recognize that only SSH encrypts the session, making it the secure and preferred protocol for remote management in Cisco environments.

Why the other options are wrong

A

FTP is designed for transferring files between devices and does not provide an interactive command-line interface for remote device management. It also lacks encryption for session data, making it unsuitable for secure remote CLI access.

C

TFTP is a simple file transfer protocol used mainly for transferring configuration files or IOS images. It does not support interactive remote CLI sessions and lacks encryption, so it cannot replace Telnet for secure management.

D

SNMPv1 is a protocol used for network monitoring and management but does not provide an interactive CLI interface. It also lacks encryption, making it unsuitable for secure remote management sessions.

389
Multi-Selectmedium

Which three options are valid ways to secure administrative access to a Cisco IOS device? (Choose three.)

Select 3 answers
.Create a local username and password with the 'username name secret password' command.
.Configure an ACL on the VTY lines to restrict source IP addresses.
.Use the 'enable secret' command to set a privileged EXEC password.
.Disable all unused ports using the 'shutdown' command.
.Set the 'service password-encryption' command to encrypt all passwords in transit.
.Configure CDP globally to verify neighbor devices before login.

Why this answer

All three correct options are valid methods to secure administrative access. Creating a local username/password with the 'username name secret password' command provides authentication for login (e.g., via SSH, console, or VTY). Configuring an ACL on VTY lines restricts which source IP addresses can initiate administrative sessions, adding a layer of network-based access control.

Using 'enable secret' protects privileged EXEC mode with a strong hashed password. The three wrong options do not directly secure administrative access: 'shutdown' disables ports (port security, not administrative access), 'service password-encryption' only encrypts passwords in the running configuration (not in transit), and CDP is a neighbor discovery protocol unrelated to authentication.

Exam trap

Cisco often tests the distinction between 'enable secret' (hashed) and 'enable password' (weak encryption), and candidates may mistakenly think only one method is valid, but all three options here are correct and commonly used together for layered security.

390
MCQmedium

A PC in VLAN 30 must obtain an address from a DHCP server in VLAN 99. Which feature is required on the Layer 3 interface for VLAN 30?

A.Port security
B.DHCP snooping
C.DHCP relay
D.Dynamic ARP inspection
AnswerC

Correct. DHCP relay is what allows a client to reach a server on another subnet.

Why this answer

DHCP Discover messages are broadcasts and do not cross Layer 3 boundaries on their own. DHCP relay, commonly configured with ip helper-address, forwards the requests to a server on another subnet.

Exam trap

A frequent exam trap is selecting DHCP snooping or port security as the solution for inter-VLAN DHCP communication. DHCP snooping is often misunderstood as a relay mechanism, but it only validates DHCP messages to prevent unauthorized servers and does not forward broadcasts between VLANs. Similarly, port security controls MAC address access on switchports but does not affect DHCP message forwarding.

Candidates may also confuse Dynamic ARP Inspection with DHCP relay, but DAI only inspects ARP traffic for security purposes. The key mistake is overlooking that DHCP broadcasts are Layer 2 broadcasts and require DHCP relay on the Layer 3 interface to reach servers in other VLANs.

Why the other options are wrong

A

Port security restricts MAC addresses on switchports to enhance security but does not forward DHCP broadcasts or enable clients in one VLAN to reach DHCP servers in another VLAN. It does not facilitate inter-VLAN DHCP communication.

B

DHCP snooping is a security feature that validates DHCP messages to prevent rogue DHCP servers but does not relay DHCP requests between VLANs. It cannot replace DHCP relay functionality needed for inter-VLAN DHCP address assignment.

D

Dynamic ARP Inspection inspects ARP traffic to prevent ARP spoofing attacks but does not forward DHCP messages or enable DHCP communication between VLANs. It is unrelated to DHCP relay or inter-VLAN DHCP address assignment.

391
Drag & Dropmedium

Drag and drop the following steps into the correct order to configure dynamic NAT with overload (PAT) using a pool of public IP addresses.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

The NAT pool must be defined first because it is referenced by the overload rule. Next, the access list identifies the inside local addresses that will be translated. The inside and outside interfaces are then labeled with 'ip nat inside' and 'ip nat outside' respectively, enabling NAT on those interfaces.

Finally, the overload rule is applied, linking the ACL and the pool on the specified interfaces to complete the configuration.

392
Multi-Selectmedium

A branch office uses PAT overload on the edge router. Inside users can reach the internet, but return traffic for a newly deployed server must be mapped to a specific inside host. Which two statements are correct?

Select 2 answers
A.A static NAT entry can provide a consistent public-to-private mapping for the server
B.PAT overload is designed mainly for many-to-one outbound address sharing
C.Dynamic NAT always supports inbound access without additional configuration
D.NAT is unrelated to whether private addresses can reach the public internet
AnswersA, B

Static NAT is appropriate when inbound connections must always reach the same inside host.

Why this answer

PAT overload is great for many inside clients sharing a public IP for outbound sessions. A public-facing server that needs predictable inbound reachability typically requires static NAT or static PAT.

Exam trap

A frequent exam trap is assuming that PAT overload can handle inbound connections to a specific inside host because it manages many-to-one address sharing. However, PAT overload dynamically assigns ports for outbound sessions and does not reserve a fixed public IP and port combination for inbound traffic. This misconception leads to incorrect answers suggesting dynamic NAT or PAT overload can support inbound server access without additional configuration.

The key is recognizing that only static NAT provides a consistent public-to-private mapping necessary for inbound connectivity to a server.

Why the other options are wrong

C

Option C is incorrect because dynamic NAT does not guarantee a fixed public IP address for any inside host, so it cannot reliably support inbound access without additional static configuration.

D

Option D is incorrect because NAT and PAT are directly related to enabling private IP addresses to communicate with the public internet, making them central to edge router configurations in branch offices.

393
MCQmedium

A user can reach a remote web server by IP address but not by hostname. Which service should be checked first?

A.DNS
B.STP
C.PAT
D.Port security
AnswerA

This is correct because DNS is responsible for resolving hostnames into IP information.

Why this answer

DNS should be checked first. In plain language, the path to the server appears to work because the user can reach it by numeric address. The missing function is the translation from hostname to IP-related information, and that is exactly what DNS provides.

This is one of the clearest service-troubleshooting patterns in networking. If IP works but the name fails, DNS becomes the strongest first suspect. The correct answer is therefore the name-resolution service rather than a routing or switching feature.

Exam trap

A frequent exam trap is selecting PAT or STP as the cause when a user cannot reach a server by hostname but can by IP address. Candidates may mistakenly associate PAT with all IP-related issues, but PAT only translates IP addresses and ports for outbound traffic and does not resolve hostnames. Similarly, STP manages Layer 2 loop prevention and does not affect Layer 3 name resolution.

Confusing these services with DNS leads to incorrect troubleshooting steps. The key is to recognize that DNS is the only service responsible for translating hostnames to IP addresses, so it must be checked first when name resolution fails but IP connectivity succeeds.

Why the other options are wrong

B

STP manages Layer 2 loop prevention and does not handle hostname resolution. It cannot cause issues with accessing a server by hostname versus IP address.

C

PAT translates IP addresses and ports for outbound connections but does not perform hostname resolution. Problems with PAT would affect IP connectivity, not just name resolution.

D

Port security restricts switch port access based on MAC addresses and does not influence DNS or hostname resolution, so it is unrelated to the problem.

394
MCQmedium

Refer to the exhibit. Users on the inside network can browse the web, but return traffic is failing for some sessions. A partial configuration shows: interface GigabitEthernet0/0 ip address 192.168.10.1 255.255.255.0 ip nat outside ! interface GigabitEthernet0/1 ip address 203.0.113.10 255.255.255.0 ip nat inside ! ip nat inside source list 1 interface GigabitEthernet0/1 overload access-list 1 permit 192.168.10.0 0.0.0.255 Based on this configuration, which change is required to make PAT work correctly?

A.Apply ip nat enable on both interfaces.
B.Replace overload with pool.
C.Swap the inside and outside NAT roles on the two interfaces.
D.Change access-list 1 to a standard ACL numbered 100.
AnswerC

This is correct because NAT depends on the router knowing which side is private and which side is public. The current configuration labels them the wrong way round. PAT with overload on the WAN interface is fine, but the interface roles must match the traffic direction.

Why this answer

The problem is that the router has the NAT directions backwards. In simple terms, the interface facing the private LAN should be marked as inside, and the interface facing the public or WAN side should be marked as outside. Here, GigabitEthernet0/0 uses the private address 192.168.10.1, but it is configured as outside. GigabitEthernet0/1 uses the public address 203.0.113.10, but it is configured as inside. That reverses the translation logic and breaks normal PAT behavior.

Technically, the command `ip nat inside source list 1 interface GigabitEthernet0/1 overload` is otherwise reasonable for dynamic PAT using the WAN interface address. The ACL also correctly identifies the inside local subnet. The essential fix is to mark G0/0 as `ip nat inside` and G0/1 as `ip nat outside`. Once the directions are corrected, PAT can create and track translations properly for outbound traffic and returning sessions.

Exam trap

A frequent exam trap is confusing the NAT inside and outside interface roles. Candidates may see the private IP on an interface and mistakenly assign it as 'ip nat outside' or vice versa. This reverses the translation direction, causing return traffic to fail despite correct ACLs and overload commands.

The trap exploits the assumption that the public IP must be inside or that the interface with the ACL is always inside. Understanding that NAT roles depend on network topology, not just IP addresses, is crucial to avoid this error.

Why the other options are wrong

A

Applying 'ip nat enable' on both interfaces is incorrect because Cisco IOS uses 'ip nat inside' and 'ip nat outside' to define NAT roles. The problem is not enabling NAT but assigning the correct directional roles to interfaces.

B

Replacing 'overload' with a pool is unnecessary since PAT uses 'overload' to allow multiple inside hosts to share one outside IP. The issue is not the translation method but the reversed inside/outside interface roles.

D

Changing access-list 1 to a standard ACL numbered 100 does not address the core problem. ACL 1 is valid for identifying inside local addresses, and the failure is due to reversed NAT interface roles, not the ACL number.

395
PBQhard

You are connected to R1 (a router acting as DHCP server) via the console. Configure R1 to provide DHCP addresses for VLAN 10 (192.168.10.0/24) on the switch SW1, which is connected via R1's G0/0. Exclude the first 10 addresses (192.168.10.1-10) and the last address (192.168.10.254). Set the default gateway to 192.168.10.1 and DNS server to 203.0.113.10. On SW1, enable DHCP snooping globally and for VLAN 10, configure G0/1 as trusted toward R1, and ensure the ip helper-address on the switch's VLAN 10 SVI points to R1's G0/0 IP. The current config has a wrong helper-address and an oversized excluded range; identify and fix all issues.

Network Topology
G0/1 (SW1) to G0/0 (R1 10.0.0.1/30)SW1R1

Hints

  • Check the excluded-address range on R1 — it might be too broad.
  • Verify the helper-address on SW1's VLAN 10 SVI — it should be the DHCP server's interface IP, not a different subnet.
  • DHCP snooping requires the uplink to the DHCP server to be configured as trusted.
A.On R1: ip dhcp excluded-address 192.168.10.1 192.168.10.10 and ip dhcp excluded-address 192.168.10.254; ip dhcp pool VLAN10: network 192.168.10.0 255.255.255.0, default-router 192.168.10.1, dns-server 203.0.113.10. On SW1: ip dhcp snooping, ip dhcp snooping vlan 10, interface G0/1: ip dhcp snooping trust, interface Vlan10: ip helper-address 10.0.0.1.
B.On R1: ip dhcp excluded-address 192.168.10.1 192.168.10.10; ip dhcp pool VLAN10: network 192.168.10.0 255.255.255.0, default-router 192.168.10.1, dns-server 203.0.113.10. On SW1: ip dhcp snooping, ip dhcp snooping vlan 10, interface G0/1: ip dhcp snooping trust, interface Vlan10: ip helper-address 192.168.10.1.
C.On R1: ip dhcp excluded-address 192.168.10.1 192.168.10.10; ip dhcp pool VLAN10: network 192.168.10.0 255.255.255.0, default-router 192.168.10.1, dns-server 203.0.113.10. On SW1: ip dhcp snooping, ip dhcp snooping vlan 10, interface Vlan10: ip helper-address 10.0.0.1.
D.On R1: ip dhcp excluded-address 192.168.10.1 192.168.10.254; ip dhcp pool VLAN10: network 192.168.10.0 255.255.255.0, default-router 192.168.10.1, dns-server 203.0.113.10. On SW1: ip dhcp snooping, ip dhcp snooping vlan 10, interface G0/1: ip dhcp snooping trust, interface Vlan10: ip helper-address 10.0.0.1.
AnswerA
solution
! R1
no ip dhcp excluded-address 192.168.10.1 192.168.10.254
ip dhcp excluded-address 192.168.10.1 192.168.10.10
ip dhcp excluded-address 192.168.10.254

! SW1
interface Vlan10
no ip helper-address 192.168.20.1
ip helper-address 10.0.0.1
exit
interface GigabitEthernet0/1
ip dhcp snooping trust

Why this answer

The DHCP server R1 had an excluded range that covered the entire subnet (192.168.10.1 through 192.168.10.254), preventing any addresses from being assigned. This was corrected by first removing that oversized exclusion, then setting the excluded range to 192.168.10.1 192.168.10.10 and adding 192.168.10.254 as a separate excluded address. On SW1, the ip helper-address pointed to 192.168.20.1 (wrong), which should be R1's G0/0 IP 10.0.0.1.

Also, DHCP snooping was enabled globally and for VLAN 10, but G0/1 (link to R1) was not trusted; it was set to trusted. These changes allow DHCP requests from VLAN 10 to be relayed to R1 and trusted from the correct interface. Option A is technically incomplete because it fails to include the removal of the original oversized exclusion.

Exam trap

A common trap is to add new exclusions without removing the old ones; Cisco IOS does not overwrite exclusions—it appends. You must explicitly remove the original oversized range or no addresses will be leased.

Why the other options are wrong

B

This option omits the `ip dhcp snooping trust` on G0/1 and uses the wrong helper-address (192.168.10.1, which is the default gateway, not R1's interface IP 10.0.0.1).

C

This option omits both the `ip dhcp snooping trust` on G0/1 and does not include the separate exclusion for 192.168.10.254.

D

This option leaves the oversized excluded range (192.168.10.1 to 192.168.10.254) intact, which blocks all address assignments, and uses the wrong helper-address (10.0.0.1 but on SW1's VLAN 10 SVI it is missing the trust on G0/1).

396
Matchingmedium

Match each ACL-related term to its most accurate description.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

ACL type that primarily matches on source address

ACL type that can match source, destination, and protocol details

Mask used to define which address bits must match

Unstated deny that exists at the end of the ACL

Why these pairings

Standard ACLs use source IP only; extended ACLs use more criteria. Named ACLs use names; inbound/outbound specify direction. Implicit deny is the default deny-all at the end of any ACL.

Exam trap

Be careful not to confuse the types of ACLs: standard vs. extended. Also, remember that named ACLs are not a separate type; they are just an alternative naming method. Implicit deny is a behavior, not an ACL type.

397
Multi-Selectmedium

Which four of the following are characteristics or functions of a stateless firewall, such as an extended access control list (ACL) on a Cisco router? (Choose four.)

Select 4 answers
.It examines each packet individually without considering the state of a connection.
.It can filter traffic based on source and destination IP addresses.
.It can inspect the application-layer payload to detect malicious content.
.It can filter traffic based on source and destination port numbers.
.It automatically allows return traffic for established connections.
.It uses an ordered list of permit or deny rules, processing packets in sequence until a match is found.

Why this answer

A stateless firewall, such as a Cisco extended ACL, processes each packet independently without tracking the state of a connection. It makes filtering decisions solely based on static fields in the packet header, such as source/destination IP addresses and port numbers, and applies rules in a sequential order until a match is found. This is why options about per-packet inspection, IP/port filtering, and sequential rule processing are correct.

Exam trap

Cisco often tests the misconception that stateless firewalls can automatically handle return traffic or inspect application data, leading candidates to confuse stateless ACLs with stateful firewalls or next-generation firewalls.

398
MCQmedium

Exhibit: A branch router receives time from an NTP server, but the show output marks the server with a tilde instead of an asterisk. What does that mean?

A.That server is the current system clock source
B.The server is reachable but not the one currently selected for synchronization
C.NTP authentication has disabled the server permanently
D.The router is acting as an NTP master for that server
AnswerB

It is seen by the router, but it is not the chosen source.

Why this answer

In Cisco NTP output, the asterisk (*) indicates the current synchronization source. The tilde (~) specifically means the server is statically configured and reachable but has not been selected for synchronization. This differs from the plus sign (+), which denotes a candidate for synchronization.

Therefore, the router is not using that server as its active time source.

Exam trap

Be careful not to confuse the tilde (~) with the asterisk (*) or other symbols that indicate different statuses in NTP output.

Why the other options are wrong

A

In NTP, an asterisk (*) indicates the selected time source, while a tilde (~) means the server is reachable but not selected. Option A describes the asterisk, not the tilde.

C

A tilde (~) indicates the server is reachable but not synchronized; a permanently disabled server due to authentication would show a period (.) or not appear at all.

D

In the context of NTP, a tilde (~) indicates the server is reachable but not selected as the synchronization source. The router acting as an NTP master would be indicated by the 'master' command or stratum level, not by the tilde symbol.

399
MCQhard

Clients can join the Guest SSID and authenticate successfully, but they never receive an IP address. The DHCP scope for the guest network exists on the server. Based on the exhibit, what is the most likely cause?

A.The AP trunk is not allowing VLAN 300.
B.The DHCP server must use TCP instead of UDP.
C.The SSID name must match the DHCP pool name.
D.The AP should be configured as an access port for VLAN 1.
AnswerA

That prevents guest client traffic from reaching the proper VLAN.

Why this answer

The Guest SSID is mapped to VLAN 300, but the switch trunk toward the AP allows only VLANs 10,20,30. Client traffic for the guest WLAN never reaches the correct VLAN upstream, so DHCP requests for that WLAN fail. Authentication can still succeed depending on how the WLAN is designed.

Exam trap

A common exam trap is to incorrectly assume that DHCP issues stem from the DHCP server configuration or protocol errors, such as believing DHCP must use TCP instead of UDP. Another tempting mistake is thinking the SSID name must match the DHCP pool name, which is false because DHCP scopes are based on VLAN subnets, not SSID naming. Additionally, some candidates mistakenly configure the access point port as an access port on VLAN 1, which prevents multiple VLANs from passing and breaks guest VLAN connectivity.

These traps distract from the core issue of VLAN trunk misconfiguration preventing DHCP traffic.

Why the other options are wrong

B

Incorrect. DHCP uses UDP, not TCP. Changing the protocol to TCP is not valid and would cause DHCP to fail entirely, which is not the issue here since clients authenticate successfully.

C

Incorrect. DHCP scopes are tied to VLAN subnets, not SSID names. The SSID name does not need to match the DHCP pool name for clients to receive IP addresses.

D

Incorrect. Configuring the AP port as an access port on VLAN 1 restricts traffic to a single VLAN. Since multiple SSIDs typically map to different VLANs, the port must be a trunk to carry all VLANs, including VLAN 300 for the guest SSID.

400
MCQhard

A network administrator has configured 802.1X port-based authentication on a Cisco IOS-XE switch port connected to a single PC. The port is in the 'authorized' state, but the PC cannot reach any network resources beyond its directly connected switch. The switch is configured to use RADIUS for authentication. What is the most likely cause of this issue?

A.The switchport is in access mode and not trunking, so the PC cannot reach other VLANs.
B.The RADIUS server is not returning a VLAN assignment, so the port remains in the default VLAN, but the PC needs to be in a different VLAN to reach resources.
C.The switch is not configured with 'aaa new-model' and therefore AAA is not enabled.
D.The PC is not configured for 802.1X supplicant, so it cannot authenticate properly.
AnswerB

The 'show authentication sessions' output does not show a VLAN assigned, meaning the RADIUS server did not include the VLAN attribute. The switch uses the configured access VLAN (10) by default. If the PC needs to be in a different VLAN to reach resources, this is the root cause.

Why this answer

The RADIUS server can return a VLAN assignment as part of the Access-Accept message (via RADIUS attribute 64 or 81). If the server does not send a VLAN, the port remains in the configured access VLAN (often VLAN 1). If the PC needs to be in a different VLAN to reach network resources, it will be isolated even though 802.1X authentication succeeded and the port is authorized.

Exam trap

Cisco often tests the distinction between authentication success and post-authentication authorization, tricking candidates into thinking that a successful 802.1X authentication automatically grants full network access, when in fact the RADIUS server must also return the correct VLAN assignment.

Why the other options are wrong

A

Access mode is correct for a single PC; trunking is not needed for basic connectivity.

C

AAA is functioning, as evidenced by successful authentication.

D

The port status is 'Authorized', indicating successful authentication.

401
MCQeasy

Why is Telnet generally discouraged for network device administration?

A.It cannot cross routed networks
B.It sends credentials and commands in clear text
C.It supports only local usernames
D.It works only from the console port
AnswerB

Correct. Lack of encryption is the key weakness.

Why this answer

Telnet sends all data, including credentials and commands, in clear text, making it vulnerable to eavesdropping. Option A is wrong because Telnet can traverse routed networks using TCP port 23. Option C is incorrect because Telnet can use local usernames as well as external AAA servers.

Option D is false because Telnet works over network interfaces, not exclusively from the console port.

Exam trap

Don't confuse protocol support or bandwidth usage with security features. Focus on encryption and data protection.

Why the other options are wrong

A

Telnet can cross routed networks because it operates at the application layer over TCP/IP.

C

Telnet supports both local usernames and external authentication via AAA servers like RADIUS or TACACS+.

D

Telnet connects via a virtual terminal line (VTY) over the network, not solely from the console port.

402
PBQhard

You are connected to R1 via the console. R1's GigabitEthernet0/0 (192.168.1.1/24) connects to the management network, and GigabitEthernet0/1 (10.0.0.1/30) connects to the core. You need to restrict SSH access to R1 from only the management subnet 192.168.1.0/24. Additionally, SSH should be configured with a domain name 'example.com' and a modulus of 2048 bits. The username 'admin' with password 'Cisco123' should be created for SSH login.

Hints

  • Generate RSA keys after setting domain name.
  • Use an access-class on the VTY lines to restrict source IP.
  • Disable telnet by specifying only ssh transport.
A.ip access-list standard MGMT permit 192.168.1.0 0.0.0.255 line vty 0 4 access-class MGMT in transport input ssh login local username admin secret Cisco123 ip domain-name example.com crypto key generate rsa modulus 2048
B.ip access-list standard MGMT permit 192.168.1.0 0.0.0.255 line vty 0 4 access-class MGMT out transport input ssh login local username admin secret Cisco123 ip domain-name example.com crypto key generate rsa modulus 2048
C.ip access-list standard MGMT permit 192.168.1.0 0.0.0.255 line vty 0 4 access-class MGMT in transport input telnet ssh login local username admin secret Cisco123 ip domain-name example.com crypto key generate rsa modulus 2048
D.ip access-list standard MGMT permit 192.168.1.0 0.0.0.255 line vty 0 4 access-class MGMT in transport input ssh login local username admin password Cisco123 ip domain-name example.com crypto key generate rsa modulus 2048
AnswerA
solution
! R1
crypto key generate rsa modulus 2048
access-list 10 permit 192.168.1.0 0.0.0.255
line vty 0 4
access-class 10 in
transport input ssh

Why this answer

SSH requires RSA keys for encryption. The access-class applies an ACL to incoming VTY connections, allowing only the management subnet. Setting 'transport input ssh' disables less secure protocols like Telnet.

Exam trap

Pay attention to the direction of access-class (in vs out), the transport input setting (ssh only vs telnet ssh), and the use of 'secret' vs 'password' for the username command. These are common traps in CCNA exams.

Why the other options are wrong

B

The access-class must be applied 'in' to restrict incoming SSH sessions; 'out' controls traffic initiated from the router.

C

The transport input command should be 'ssh' only to disable Telnet.

D

The 'secret' keyword should be used for secure password storage; 'password' is less secure.

403
PBQhard

You are troubleshooting DNS resolution issues from R1. Using nslookup and dig commands, diagnose why the router cannot resolve the hostname 'fileserver.courseiva.com' to an IP address, and why reverse lookup for IP address 198.51.100.10 fails. Determine the appropriate fix to ensure successful forward and reverse DNS resolution.

Network Topology
G0/010.0.0.1/30203.0.113.1linkR1DNS Server

Hints

  • The DNS server returns NXDOMAIN for both queries, indicating missing records on the server.
  • Use 'nslookup' to test forward lookup and 'nslookup <ip>' for reverse lookup.
  • The router's DNS configuration is correct; the fault lies in the DNS server's zone data.
A.Add an A record for 'fileserver.courseiva.com' pointing to 198.51.100.10 and a PTR record for 198.51.100.10 pointing to 'fileserver.courseiva.com' on the DNS server.
B.Configure the 'ip host' command on R1 to statically map 'fileserver.courseiva.com' to 198.51.100.10.
C.Enable 'ip domain-lookup' and configure the correct DNS server IP on R1 using 'ip name-server 203.0.113.1'.
D.Add only an A record for 'fileserver.courseiva.com' on the DNS server.
AnswerA
solution
! R1
! No configuration changes are needed on R1; the DNS server must be updated.
! Add A record: fileserver.courseiva.com -> 198.51.100.10
! Add PTR record: 198.51.100.10 -> fileserver.courseiva.com

Why this answer

The DNS resolution failures are due to two issues: the A record for 'fileserver.courseiva.com' does not exist on the DNS server (NXDOMAIN response), and the PTR record for reverse lookup of 198.51.100.10 is missing. To resolve the forward lookup, you must add an A record mapping the hostname to an IP address on the DNS server (e.g., 198.51.100.10). For the reverse lookup, you need to add a PTR record mapping the IP address 198.51.100.10 to the hostname.

On R1, the DNS configuration is correct (ip domain-lookup enabled, name-server 203.0.113.1), but the DNS server lacks the necessary records. The solution involves configuring the DNS server (not R1) to add the missing records. On R1, ensure that the DNS server is reachable and that the domain lookup is enabled; no additional CLI changes are required on the router.

Exam trap

Cisco exams often test the distinction between DNS client configuration on the router and DNS server records. Do not assume that DNS issues are always due to router misconfiguration; verify the DNS server's records first.

Why the other options are wrong

B

The 'ip host' command creates a static host table entry on the router, bypassing DNS. It does not fix reverse lookup and is not the intended solution for missing DNS records.

C

The problem is not with R1's DNS client configuration but with missing records on the DNS server. Repeating correct configuration does not resolve the missing records.

D

Reverse lookup requires a PTR record. Without it, the reverse query for 198.51.100.10 will still fail.

404
MCQhard

A branch office uses PAT for user Internet access. The administrator notices that inside users can browse out, but an internal server still cannot be reached consistently from outside. Which change is most appropriate?

A.Add a static NAT mapping for the server while leaving PAT in place for user traffic.
B.Replace PAT with DHCP relay.
C.Disable NAT entirely because PAT is preventing inbound routing.
D.Put the server in the native VLAN.
AnswerA

This is correct because static NAT provides the server with a stable public identity.

Why this answer

The most appropriate change is to add a static NAT mapping for the internal server while keeping PAT for ordinary user traffic. In practical terms, PAT solves the many-users-outbound problem by allowing shared use of a public address. But an inbound-published server needs a stable, predictable public identity. That requirement is different from the requirement for user browsing.

This is a common NAT design distinction. PAT and static NAT can coexist because they solve different problems. The best answer is the one that preserves PAT for users while giving the server a fixed public translation.

Exam trap

A frequent exam trap is to confuse the role of PAT and static NAT, leading to the incorrect assumption that disabling NAT or changing VLANs will fix inbound server reachability. Disabling NAT entirely stops all address translation, breaking Internet access for all internal hosts. Changing VLANs, such as moving a server to the native VLAN, does not affect NAT or public accessibility.

Another trap is to replace PAT with unrelated features like DHCP relay, which does not influence NAT or inbound connections. Understanding that static NAT is required for stable inbound access while PAT supports outbound user traffic avoids these mistakes.

Why the other options are wrong

B

Incorrect because DHCP relay is unrelated to NAT or inbound server reachability; it only forwards DHCP messages across subnets and does not solve NAT issues.

C

Incorrect because disabling NAT removes all address translation, preventing private IP addresses from reaching the Internet and breaking outbound connectivity for users.

D

Incorrect because placing the server in the native VLAN affects Layer 2 segmentation but does not provide a public IP address or influence NAT behavior for inbound access.

405
MCQmedium

A network team wants all devices to timestamp logs consistently so event correlation works across routers, switches, and firewalls. Which service should they configure first?

A.DNS
B.DHCP
C.NTP
D.TFTP
AnswerC

NTP synchronizes time across devices.

Why this answer

NTP provides consistent time across the infrastructure. Syslog carries log messages, but if device clocks are wrong, the log entries will still be hard to correlate. Accurate time is a foundational service for troubleshooting and forensics.

Exam trap

A common exam trap is selecting DHCP or DNS as the service to synchronize device clocks. DHCP only assigns IP addresses and related network parameters, while DNS resolves domain names to IP addresses; neither service manages time synchronization. Another tempting but incorrect choice is TFTP, which is used for transferring files such as configurations or IOS images, not for time services.

Candidates might confuse the need for consistent network services with time synchronization, but only NTP provides the accurate, network-wide clock synchronization required for consistent log timestamps. Misunderstanding this leads to incorrect answers and potential operational issues in real networks.

Why the other options are wrong

A

DNS is responsible for resolving domain names to IP addresses and does not provide any mechanism for synchronizing device clocks or timestamps.

B

DHCP dynamically assigns IP addresses and other network configuration parameters to clients but does not handle time synchronization or timestamp consistency.

D

TFTP is a simple file transfer protocol used for transferring configuration files or IOS images but does not provide time synchronization services.

406
MCQhard

Why is shutting down unused switch ports considered a useful hardening measure?

A.Because it removes unused active connection points and reduces attack surface.
B.Because it converts all other ports into trunks.
C.Because it replaces VLAN segmentation.
D.Because it forces devices to use SSH.
AnswerA

This is correct because unused enabled ports are avoidable exposure points.

Why this answer

Shutting down unused switch ports reduces attack surface by removing unnecessary active connection points. This is a simple but effective control because it eliminates the risk of unauthorized physical access. Option B is incorrect because disabling a port does not change its mode to trunk; trunking is a separate configuration.

Option C is incorrect because shutting down ports does not replace VLAN segmentation; VLANs provide logical separation, while port shutdown is a physical access control. Option D is incorrect because shutting down ports does not force devices to use SSH; SSH is an application-layer protocol for secure remote management, unrelated to port shutdown.

Exam trap

Don't confuse port security measures with performance improvements or unrelated security features like VLAN isolation.

Why the other options are wrong

B

Disabling a port does not convert it into a trunk; trunking is a separate configuration for carrying multiple VLANs.

C

Shutting down ports does not replace VLAN segmentation; VLANs provide logical separation, while port shutdown is a physical access control.

D

Shutting down ports does not force devices to use SSH; SSH is a management protocol unrelated to port state.

407
Matchingeasy

Match each security concept to its description.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Verifies identity

Determines permitted actions

Records activity

Grants only required access

Why these pairings

Authentication is the process of verifying that the user or device is who they claim to be, which matches 'Verifies identity'. Authorization determines what actions an authenticated entity is allowed to perform, matching 'Determines permitted actions'. Accounting tracks and records the activities of authenticated users, corresponding to 'Records activity'.

Least privilege grants only the minimum access needed for a task, aligning with 'Grants only required access'. These are foundational security principles for access control.

Exam trap

Do not confuse AAA with other security features that have 'access' or 'security' in their names. AAA is specifically about user authentication, authorization, and accounting, not about filtering traffic or preventing specific attacks.

408
Multi-Selectmedium

Select the options that correctly pair the security principle or control with its meaning.

Select 2 answers
A.Confidentiality ensures that data is accessible only to authorized users.
B.Integrity ensures that data is always available when needed.
C.Non-repudiation ensures that a user cannot deny having performed an action.
D.Authorization verifies the identity of a user or device.
AnswersA, C

Confidentiality is the principle of preventing unauthorized access to information, ensuring that only those with proper permissions can view or read data.

Why this answer

Confidentiality ensures data is accessible only to authorized users; integrity ensures data accuracy and trustworthiness (not availability); non-repudiation ensures accountability by preventing denial of actions; authorization grants permissions (not identity verification, which is authentication). Option B is wrong because integrity is about data correctness, not availability. Option D is wrong because authorization determines permissions, while authentication verifies identity.

Exam trap

Be careful not to confuse integrity with availability, and authorization with authentication. Remember: integrity = data accuracy, availability = data accessible; authentication = who you are, authorization = what you can do.

Why the other options are wrong

B

Integrity ensures data accuracy and trustworthiness, not availability; availability is a separate principle.

D

Authorization grants permissions to resources; identity verification is the role of authentication.

409
Drag & Dropmedium

Drag and drop the following steps into the correct order to plan, configure, and apply an extended ACL that blocks Telnet traffic from the 192.168.1.0/24 network to the 10.0.0.0/24 network, applied inbound on the router's G0/0 interface.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4

Why this order

First enter global config, then create ACL with deny tcp 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255 eq telnet, then permit ip any any, then enter interface G0/0, then apply ACL inbound. This order ensures the ACL is created before being applied, and the specific source/destination networks match the requirement.

Exam trap

Be careful with the order of operations: ACLs must be created before they can be applied, and the order of entries within the ACL matters. Also, remember that 'ip access-group' is an interface command, not global.

410
Multi-Selectmedium

Which three of the following are security best practices for implementing AAA on a Cisco router? (Choose three.)

Select 3 answers
.Use a local username database as a fallback method if the AAA server is unreachable.
.Enable AAA new-model before configuring any AAA methods.
.Configure TACACS+ for detailed command authorization and accounting.
.Set the authentication login method to 'none' for console access.
.Use RADIUS for command-level authorization.
.Disable the enable secret password when using AAA servers.

Why this answer

Using a local username database as a fallback method ensures that if the AAA server becomes unreachable, administrators can still authenticate via the router's local accounts. This is a standard best practice to prevent lockout. Enabling 'aaa new-model' is mandatory before any AAA configuration, as it activates the AAA subsystem on the router.

TACACS+ is the preferred protocol for command authorization and accounting because it encrypts the entire packet and supports per-command authorization, unlike RADIUS which only encrypts the password.

Exam trap

Cisco often tests the misconception that RADIUS can be used for command authorization, but the trap is that RADIUS only supports authentication and accounting for network access, not the granular command-level control that TACACS+ provides.

411
Matchingmedium

Match each service to the problem it most directly helps solve.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Users can reach servers by IP but not by hostname

Hosts are not receiving addressing automatically

Logs from different devices have inconsistent times

Engineers want centralized event messages

Why these pairings

DNS resolves hostnames to IP addresses, so without it users can reach servers by IP but not by hostname. DHCP automatically assigns IP addresses, so without it hosts do not receive addressing automatically. NTP synchronizes clocks across devices, so without it logs from different devices show inconsistent time stamps.

Syslog forwards event messages to a central server, solving the need for centralized event logging.

Exam trap

Do not confuse services that use timestamps (like Syslog or NetFlow) with the service that provides the timestamps (NTP). The question asks which service directly solves the problem of clock synchronization.

412
Multi-Selectmedium

Which two statements accurately describe good management-plane security practice on network devices?

Select 2 answers
A.Use secure management protocols such as SSH instead of less secure remote-access methods.
B.Restrict management access to trusted source networks where possible.
C.Prefer shared generic admin accounts for convenience.
D.Disable all logging to reduce device workload.
E.Rely only on SSID names to protect router management.
AnswersA, B

This is correct because encrypted management access is a core best practice.

Why this answer

Good management-plane security combines multiple layers of control. In practical terms, using secure protocols such as SSH is important, but so is restricting which sources may connect, controlling who is authorized, and maintaining visibility into administrative activity. Strong management security is not usually one setting by itself.

This is a layered-control question rather than a single-technology question.

Exam trap

A common exam trap is selecting only one security measure, such as using SSH, and ignoring the importance of restricting management access sources. Candidates might assume that encrypted protocols alone provide complete security, but without source filtering, attackers can still attempt unauthorized connections. Another trap is choosing options that suggest disabling logging or using shared admin accounts, which weaken security by reducing accountability and visibility.

The exam tests understanding that management-plane security is multi-layered, requiring both secure protocols and access restrictions to effectively protect network devices.

Why the other options are wrong

C

Incorrect because shared generic admin accounts reduce traceability and accountability, making it difficult to audit who made changes or accessed the device, which weakens security.

D

Incorrect because disabling logging removes visibility into management activities, hindering the ability to detect unauthorized access or troubleshoot issues, which is counterproductive to security.

E

Incorrect because SSID names pertain to wireless network identification and do not provide any protection for router management-plane access or protocols.

413
PBQhard

You are connected to R1 via the console. R1 is the DHCP server for the 192.168.50.0/24 LAN. Configure DHCP on R1 to assign addresses from 192.168.50.10 to 192.168.50.200, with default gateway 192.168.50.1 and DNS server 8.8.8.8. Also, configure R1 to act as a DHCP relay agent for the 10.0.0.0/30 link to reach a remote DHCP server at 203.0.113.10. Then, troubleshoot and fix a misconfiguration that causes clients on VLAN 50 to not receive IP addresses.

Network Topology
G0/0:192.168.50.1/24G0/1:10.0.0.1/30linkR1VLAN 50 clientsRemote DHCP server at

Hints

  • Check the excluded-address range — it may be too large.
  • A helper-address on the same subnet as the DHCP server is not needed.
  • The relay agent must be configured on the interface that receives the client broadcasts.
A.[CORRECT] The DHCP pool is misconfigured: the excluded-address range covers most of the pool (192.168.50.1 through 192.168.50.200), but leaves 192.168.50.201-254 assignable, violating the requirement. The correct configuration should exclude 192.168.50.1-9 (gateway) and 192.168.50.201-254 (upper end). The 'ip helper-address' on GigabitEthernet0/0 is unnecessary because R1 itself is the DHCP server for that subnet; it should be removed. The relay agent configuration is missing on the interface facing the remote DHCP server—'ip helper-address 203.0.113.10' should be added to GigabitEthernet0/1.
B.The DHCP pool is misconfigured: the excluded-address range should be 192.168.50.1 192.168.50.9, but the helper-address on GigabitEthernet0/0 is correct because it forwards DHCP requests to the remote server. The relay agent configuration is missing on GigabitEthernet0/1.
C.The DHCP pool is correctly configured with excluded-address 192.168.50.1 192.168.50.9. The issue is that the 'ip helper-address' on GigabitEthernet0/1 is missing; it should be added to forward requests to the remote server. Additionally, the 'ip helper-address' on GigabitEthernet0/0 is correct because it forwards requests from VLAN 50 to the remote server.
D.The DHCP pool is misconfigured: the excluded-address range should be 192.168.50.1 192.168.50.9. The 'ip helper-address' on GigabitEthernet0/0 should be removed. The relay agent configuration is correct because 'ip helper-address 203.0.113.10' is already configured on GigabitEthernet0/1.
AnswerA
solution
! R1
no ip dhcp excluded-address 192.168.50.1 192.168.50.200
ip dhcp excluded-address 192.168.50.1 192.168.50.9
interface GigabitEthernet0/0
no ip helper-address 203.0.113.10
exit
interface GigabitEthernet0/1
ip helper-address 203.0.113.10
exit

Why this answer

The DHCP pool is misconfigured: the excluded-address range of 192.168.50.1 through 192.168.50.200 covers most of the pool, but leaves addresses 192.168.50.201 to 192.168.50.254 assignable, which violates the requirement to assign addresses only from 192.168.50.10 to 192.168.50.200. To meet the requirement, you must exclude both the lower range (192.168.50.1 to 192.168.50.9, reserving the gateway) and the upper range (192.168.50.201 to 192.168.50.254). Additionally, the 'ip helper-address' on GigabitEthernet0/0 is unnecessary because R1 itself is the DHCP server for that subnet; it should be removed.

The relay agent configuration is missing on the interface facing the remote DHCP server—'ip helper-address 203.0.113.10' should be added to GigabitEthernet0/1 so that broadcasts from the 10.0.0.0/30 subnet are forwarded.

Exam trap

A single 'ip dhcp excluded-address' range does not limit the DHCP pool to only the desired contiguous range; you must explicitly exclude all addresses you do not want assigned, even those at the upper end. Ensure you create multiple excluded-address ranges when the pool is not contiguous.

Why the other options are wrong

B

The specific factual error is that a helper-address should not be configured on an interface where the router itself is the DHCP server for that subnet.

C

The specific factual error is that the helper-address on the LAN interface is not needed and would cause issues, and the excluded-address range is actually correct in this option, but the question's misconfiguration is the excluded-address being too broad.

D

The specific factual error is that the helper-address on the interface facing the remote server is not configured, so DHCP broadcasts from the 10.0.0.0/30 subnet will not be forwarded.

414
Drag & Dropmedium

Drag and drop the following steps into the correct order to configure PAT (Port Address Translation) on a Cisco IOS-XE router for outbound traffic from a private network to the Internet.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4

Why this order

PAT configuration requires first entering global config, defining the traffic with an ACL, specifying the outside interface, then applying the NAT overload command referencing the ACL and outside interface.

Exam trap

The exam trap here is that candidates often confuse the order of steps, especially when the ACL and interface are both referenced in the NAT command. Remember that you must define the ACL and configure the interface with 'ip nat outside' before applying the NAT overload command.

415
MCQmedium

Users on VLAN 20 are not receiving IPv4 addresses from the centralized DHCP server at 10.50.0.10. Users in other VLANs are working normally. Based on the exhibit, which change should fix the issue for VLAN 20 clients?

A.Change the helper address on interface Vlan20 to 10.50.0.10.
B.Convert the VLAN 20 user ports to trunk mode.
C.Configure a default gateway on the user PCs manually.
D.Disable DHCP snooping on VLAN 20.
AnswerA

That points DHCP relay to the actual DHCP server.

Why this answer

The SVI for VLAN 20 is forwarding DHCP requests to the wrong helper address. DHCP relay depends on the Layer 3 interface for that VLAN sending client broadcasts to the correct server. Trunks, access ports, and the DHCP pool name on the server are not the first issue shown here.

DHCP snooping can filter DHCP server replies on untrusted ports, but since other VLANs are working and no trust misconfiguration is indicated, the root cause is the incorrect ip helper-address on Vlan20.

Exam trap

A frequent exam trap is assuming that user ports must be trunks or that disabling DHCP snooping will fix DHCP address assignment issues. In reality, user ports should remain in access mode to maintain VLAN membership, and DHCP snooping is unrelated to this specific forwarding problem because the exhibit shows a misconfigured helper address while other VLANs function normally. Another common mistake is thinking that manually configuring a default gateway on clients solves DHCP problems, but DHCP discovery requires proper relay configuration on the Layer 3 interface.

Misconfiguring or omitting the ip helper-address on the VLAN interface causes DHCP requests to fail, which is the core issue here.

Why the other options are wrong

D

Disabling DHCP snooping is unnecessary because the other VLANs work, and the scenario does not indicate a trust misconfiguration; the real problem is the incorrect helper address on Vlan20.

416
MCQmedium

Two switches are configured to form an EtherChannel, but the bundle never comes up. Which explanation best describes this scenario?

A.The switches are using different native VLANs.
B.LACP active on one side is incompatible with mode on on the other side.
C.Both sides must use PAgP desirable mode.
D.The interfaces must be configured as routed ports first.
AnswerB

That is exactly why the channel does not negotiate properly.

Why this answer

One side is using LACP active mode and the other side is forcing a static channel-group with mode on. Those modes are not compatible. LACP needs active or passive on both sides, while PAgP uses desirable or auto, and static mode on expects a manual bundle on the other side.

Exam trap

Ensure you match the correct protocol and mode on both sides of the link; mixing protocols or incompatible modes will prevent channel formation.

Why the other options are wrong

A

This option is wrong because different native VLANs do not prevent an EtherChannel from forming; they can still establish a link if other configurations are compatible. The primary issue in this scenario is related to LACP mode mismatches.

C

This option is incorrect because EtherChannel can use either PAgP or LACP for negotiation, and both protocols can operate independently of each other. The requirement for both sides to use PAgP in desirable mode is not a necessity for EtherChannel to function.

D

This option is wrong because EtherChannel can be configured on switch ports without needing to convert them to routed ports. Routed ports are not necessary for EtherChannel to function, as it operates at Layer 2.

417
MCQhard

A network team wants visibility into which flows are consuming the most bandwidth between internal subnets. Which technology is most directly associated with that goal?

A.NetFlow
B.Syslog
C.DHCP relay
D.PortFast
AnswerA

This is correct because NetFlow is specifically associated with traffic-flow visibility and analysis.

Why this answer

NetFlow provides visibility into traffic flows, allowing administrators to identify which flows (e.g., between internal subnets) are consuming the most bandwidth by showing source/destination, protocols, and traffic volume. Syslog only records system logs and events, not flow-level data. DHCP relay forwards DHCP broadcasts across subnets but offers no traffic analysis.

PortFast is an STP optimization that speeds up port transition to forwarding; it does not monitor bandwidth usage.

Exam trap

A frequent exam trap is mistaking Syslog or DHCP relay as solutions for traffic flow visibility. Syslog only records system events and error messages, not detailed traffic usage. DHCP relay simply forwards DHCP requests and does not analyze bandwidth.

Another trap is confusing PortFast, which is an STP feature to speed up port activation, with traffic monitoring technologies. Candidates must recognize that only NetFlow provides granular flow data needed to identify bandwidth consumption between internal subnets, making it the correct choice.

Why the other options are wrong

B

Syslog is incorrect because it only records system events, error messages, and notifications. It does not provide detailed traffic flow or bandwidth usage information, so it cannot help identify which flows consume the most bandwidth.

C

DHCP relay is incorrect as its function is to forward DHCP broadcast requests from clients to DHCP servers across different subnets. It does not analyze or report on traffic flows or bandwidth consumption.

D

PortFast is incorrect because it is a Spanning Tree Protocol feature that allows edge ports to transition quickly to the forwarding state. It has no role in traffic flow analysis or bandwidth monitoring.

418
MCQhard

A network administrator is troubleshooting an issue where hosts in the 192.168.20.0/24 subnet cannot reach the Internet, while hosts in 192.168.10.0/24 can. The router is configured for PAT overload using a dynamic pool on the outside interface. The administrator collects the configuration shown in the exhibit. What is the most likely cause of the connectivity problem for the 192.168.20.0/24 subnet?

A.The wildcard mask in access list 20 is incorrect; it matches only the network address.
B.The NAT pool does not have enough IP addresses to support both subnets.
C.Interface GigabitEthernet0/2 is missing the ip nat inside command.
D.Access list 10 is incorrectly applied to the NAT pool, causing a conflict.
AnswerA

Access list 20 uses mask 0.0.0.0, which matches only the single address 192.168.20.0. To encompass the entire 192.168.20.0/24 subnet, the mask must be 0.0.0.255.

Why this answer

The issue is that access list 20, used to define which internal addresses are eligible for NAT, has a wildcard mask of 0.0.0.0. This wildcard mask matches only the exact address 192.168.20.0, not the entire 192.168.20.0/24 subnet. For a /24 subnet, the correct wildcard mask should be 0.0.0.255, which would match all addresses from 192.168.20.1 to 192.168.20.254.

Because the ACL matches only the network address (192.168.20.0), no host traffic from that subnet is translated, breaking Internet connectivity.

Exam trap

Cisco often tests the distinction between matching the network address versus matching the host range in ACLs used for NAT, where candidates incorrectly assume that using the network address with a wildcard mask of 0.0.0.0 will match all hosts in the subnet.

Why the other options are wrong

B

NAT pool size is not a limiting factor with PAT overload; a single address can serve thousands of hosts.

C

The interface is correctly configured for NAT inside.

D

Applying multiple access lists to the same pool is allowed and does not create a conflict.

419
Multi-Selectmedium

Which two statements accurately describe the purpose of least privilege in administration and operations?

Select 2 answers
A.It limits users and administrators to the permissions they actually need.
B.It helps reduce unnecessary exposure and the impact of mistakes or misuse.
C.It means no administrator should ever have any configuration access.
D.It replaces the need for logging and accounting.
E.It exists only on wireless guest networks.
AnswersA, B

This is correct because least privilege is fundamentally about constraining permission scope.

Why this answer

Least privilege is about limiting access to what is actually needed. In practical terms, it reduces unnecessary exposure and helps contain the impact of mistakes, misuse, or compromised accounts. It is not about refusing all access. It is about granting enough access to do the job, but not more than that.

This is a central principle in secure administration and role design.

Exam trap

Avoid confusing least privilege with either unrestricted access or complete denial of access.

Why the other options are wrong

C

This option is incorrect because the principle of least privilege does not imply that administrators should have no configuration access; rather, it means they should only have the access necessary to perform their job functions.

D

This option is incorrect because least privilege does not eliminate the need for logging and accounting; instead, it complements these practices by ensuring that access is limited while still requiring oversight and tracking of actions taken by users.

E

This option is incorrect because the principle of least privilege applies to all network environments, not just wireless guest networks. It is a fundamental security concept that should be implemented across all systems and user roles.

420
MCQmedium

An engineer applies this command on an access interface connected to a user PC: switchport port-security violation restrict. What happens if a second unauthorized MAC address appears on the port?

A.The port immediately goes err-disabled.
B.Frames from the unauthorized MAC are dropped and the violation is counted while the port stays up.
C.The switch forwards the traffic but logs a warning.
D.The port transitions to listening and learning states.
AnswerB

That is the defining behavior of restrict.

Why this answer

With restrict mode, the switch drops frames from the violating MAC, increments the violation counter, and can generate notifications. Unlike shutdown mode, the interface stays up. Unlike protect mode, the switch records the violation.

Exam trap

A frequent exam trap is mistaking the restrict violation mode for shutdown mode. Many candidates incorrectly believe that a violation in restrict mode causes the port to go err-disabled immediately, but this behavior only occurs with the shutdown mode. Another common confusion is between restrict and protect modes; protect silently drops unauthorized frames without incrementing violation counters or generating alerts, whereas restrict does both.

Misunderstanding these differences can lead to incorrect answers about port behavior during security violations. Remember, restrict mode blocks unauthorized MAC addresses but keeps the port active and counts violations, which is a key distinction in Cisco port security.

Why the other options are wrong

A

Option A describes the shutdown violation mode behavior, where the port immediately goes err-disabled upon detecting a second unauthorized MAC address. Since the command specifies 'violation restrict', the port does not disable but stays up, so this option is incorrect.

C

Option C is incorrect because port security never forwards traffic from unauthorized MAC addresses. The switch drops such frames to enforce security policies, so forwarding violating traffic is not possible.

D

Option D is incorrect because listening and learning states refer to Spanning Tree Protocol (STP) port states, not port security violation responses. Port security violation modes do not cause STP state changes.

421
Matchingeasy

Match each basic security term to its most accurate meaning.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Verification of identity

Determination of allowed actions

Protection against unauthorized disclosure

Protection against unauthorized modification

Why these pairings

Authentication is the process of verifying the claimed identity of a user or device, confirming 'who you are'. Authorization determines what resources or actions an authenticated entity is allowed to access, essentially 'what you can do'. Confidentiality ensures that sensitive information is not disclosed to unauthorized individuals, protecting data from being read.

Integrity guarantees that data has not been altered in an unauthorized manner, preserving its accuracy and trustworthiness.

Exam trap

Many learners confuse authentication (proving identity) with authorization (granting permissions); remember that authentication always comes first, and the two serve different security purposes.

422
PBQmedium

You are connected to R1 via the console. R1's GigabitEthernet0/0 (10.0.0.1/30) connects to ISP router, and GigabitEthernet0/1 (192.168.1.1/24) connects to the internal LAN. The internal network uses 192.168.1.0/24 and needs to access the internet. Configure NAT overload on R1 so that internal hosts are translated to the IP address of GigabitEthernet0/0 when accessing the internet.

Network Topology
G0/010.0.0.1/30G0/1192.168.1.1/24InternetISPR1LANPCs

Hints

  • Define inside and outside interfaces separately.
  • Use the ACL to identify which traffic to translate.
  • The overload keyword enables PAT.
A.R1(config)# access-list 1 permit 192.168.1.0 0.0.0.255 R1(config)# ip nat inside source list 1 interface GigabitEthernet0/0 overload R1(config)# interface GigabitEthernet0/0 R1(config-if)# ip nat outside R1(config-if)# interface GigabitEthernet0/1 R1(config-if)# ip nat inside
B.R1(config)# access-list 1 permit 192.168.1.0 0.0.0.255 R1(config)# ip nat inside source list 1 interface GigabitEthernet0/1 overload R1(config)# interface GigabitEthernet0/0 R1(config-if)# ip nat outside R1(config-if)# interface GigabitEthernet0/1 R1(config-if)# ip nat inside
C.R1(config)# access-list 1 permit 192.168.1.0 0.0.0.255 R1(config)# ip nat inside source list 1 interface GigabitEthernet0/0 R1(config)# interface GigabitEthernet0/0 R1(config-if)# ip nat outside R1(config-if)# interface GigabitEthernet0/1 R1(config-if)# ip nat inside
D.R1(config)# access-list 1 permit any R1(config)# ip nat inside source list 1 interface GigabitEthernet0/0 overload R1(config)# interface GigabitEthernet0/0 R1(config-if)# ip nat outside R1(config-if)# interface GigabitEthernet0/1 R1(config-if)# ip nat inside
AnswerA
solution
! R1
ip nat inside source list 1 interface GigabitEthernet0/0 overload
interface GigabitEthernet0/0
ip nat outside
interface GigabitEthernet0/1
ip nat inside

Why this answer

NAT overload (PAT) allows multiple internal hosts to share a single public IP by using different source ports. The ACL identifies the internal network, and the interfaces are marked as inside/outside. The 'overload' keyword enables port address translation.

Option B fails because it translates to the wrong interface (GigabitEthernet0/1) instead of the public-facing interface (GigabitEthernet0/0). Option C is missing the required 'overload' keyword, so it performs dynamic NAT without PAT, which is insufficient for multiple hosts. Option D uses an overly broad ACL ('permit any') that does not match only the internal network (192.168.1.0/24) as required by the stem.

Exam trap

The most common traps are: (1) confusing inside and outside interfaces when specifying the NAT source, (2) forgetting the 'overload' keyword for PAT, and (3) using an overly permissive ACL like 'permit any' instead of restricting to the internal network. Always verify interface roles and the ACL scope.

Why the other options are wrong

B

The 'ip nat inside source list' command must specify the outside interface (the one with the public IP) for translation, not the inside interface.

C

NAT overload (PAT) requires the 'overload' keyword to enable port address translation. Without it, the router performs dynamic NAT, which is insufficient for sharing a single public IP among many hosts.

D

The ACL should match only the internal network that requires translation. Using 'permit any' would translate all traffic, including traffic that should not be translated, potentially breaking connectivity or causing security risks.

423
PBQhard

You are connected to R1, a Cisco IOS-XE router. The network uses a DNS server at 203.0.113.10 for name resolution. Users report that 'ping server.example.com' fails, but 'ping 203.0.113.50' succeeds. Assume proper routing is configured between R1 and the DNS server. Diagnose and resolve the DNS resolution issue so that the hostname resolves correctly, and verify the fix using appropriate Cisco IOS commands (e.g., ping, show hosts, debug domain).

Network Topology
G0/010.0.0.1/30203.0.113.10/24linkR1DNS Server

Hints

  • Compare the output of nslookup and dig; nslookup may show cached or incorrect data.
  • The DNS server 203.0.113.10 is returning NXDOMAIN, meaning the A record is missing.
  • Configure a different DNS server that has the correct A record for server.example.com.
A.Configure R1 to use a different DNS server, such as 198.51.100.10, that has the correct A record for server.example.com.
B.Add the command 'ip domain lookup' under global configuration to enable DNS resolution on R1.
C.Clear the DNS cache on R1 using 'clear ip dns cache' to remove any stale entries.
D.Configure the router to use the IP address 203.0.113.50 as the DNS server instead of 203.0.113.10.
AnswerA
solution
! R1
configure terminal
no ip name-server 203.0.113.10
ip name-server 198.51.100.10
end
write memory

Why this answer

The issue is that the DNS server at 203.0.113.10 does not have a valid A record for server.example.com, returning NXDOMAIN. Since ping to the IP address works, connectivity is fine. To resolve, configure R1 to use a different DNS server (e.g., 198.51.100.10) that has the correct A record.

After configuration, verify with 'show hosts' to see the resolved hostname entry and 'ping server.example.com' to confirm successful resolution. The options involving DNS cache clearing or enabling domain lookup are irrelevant because the problem lies with the DNS server itself, not with caching or disabled DNS lookup.

Exam trap

Do not confuse DNS caching with authoritative DNS responses; use 'show hosts' and 'ping' to verify resolution, not nslookup or dig, which are not available on Cisco IOS routers.

Why the other options are wrong

B

The specific factual error is that 'ip domain lookup' is not the cause of the problem; it is already enabled by default.

C

The specific factual error is that the problem is not a cached negative response; the DNS server itself lacks the record.

D

The specific factual error is that 203.0.113.50 is a host address, not a DNS server address.

424
MCQhard

A network engineer notices that after removing a standard ACL that was applied inbound on the internet-facing interface, the router is now receiving IP packets from the internet with source IP addresses in the 10.0.0.0/8 range, which were previously blocked. What is the most likely cause?

A.The original standard ACL only had a permit statement, so after removal the permit still takes effect because the ACL remains in the running configuration.
B.The ip access-group command on the interface remains but is missing the referenced ACL, causing the router to default to denying all ingress traffic except the previously permitted 10.0.0.0/8.
C.Removing the ACL from the interface eliminates the implicit deny at the end and restores the default permit all behavior, allowing all incoming traffic.
D.The ACL was reapplied in the outbound direction instead of inbound, so it now blocks traffic leaving the interface but not entering it.
AnswerC

Before removal, the applied ACL permitted only 10.0.0.0/8 and denied everything else (implicit deny all), which correctly blocked spoofed RFC 1918 traffic. Once the ACL is de-applied, the interface has no access list, so all traffic is permitted, including the previously blocked spoofed packets.

Why this answer

When an ACL is removed from an interface using 'no ip access-group', the interface reverts to its default behavior of permitting all traffic. The previous ACL's implicit deny all no longer applies, so spoofed RFC 1918 source addresses that were once blocked are now allowed to enter.

Exam trap

Many candidates assume that removing an ACL from an interface still leaves some residual filtering based on the ACL's permit statements, but in reality the interface returns to a wide-open permit-all state.

Why the other options are wrong

A

Candidates may think that the ACL itself, if still configured, continues to filter traffic even when not applied to an interface.

B

A common misunderstanding is that the access-group line can persist without a valid ACL and cause some default behavior; in fact the entire command is removed.

D

Some candidates may confuse direction changes with removal and assume the ACL is still filtering traffic in some way, but the symptom clearly indicates no filtering at all.

425
MCQhard

What is the strongest explanation for why hosts in VLAN 40 are receiving addresses from the wrong DHCP scope?

A.The relay path is sending requests to the wrong DHCP scope or server target.
B.The VLAN 40 SVI must be changed to a trunk port.
C.DHCP can provide only one scope in the entire network.
D.The clients must use static addresses before DHCP relay can work.
AnswerA

This is correct because the clients are receiving addresses, but from the wrong network scope.

Why this answer

Option A is correct because the DHCP relay agent (typically configured on the VLAN 40 SVI with the 'ip helper-address' command) is forwarding client broadcast requests to a DHCP server that either has no scope for VLAN 40 or has a scope configured for a different subnet. This causes the server to assign an address from the wrong scope, as the relay agent does not filter by scope—it simply forwards the packet to the configured server IP.

Exam trap

Cisco often tests the misconception that DHCP can only serve one scope per network, when in fact the issue is typically a misconfigured relay path or server scope mapping, not a protocol limitation.

Why the other options are wrong

B

This option is wrong because an SVI (Switched Virtual Interface) for a VLAN cannot be configured as a trunk port; it must be an access port. VLANs are typically assigned to access ports, and changing the SVI to a trunk would not resolve DHCP scope issues.

C

This option is incorrect because DHCP can support multiple scopes across different VLANs, allowing for distinct address ranges for each VLAN. Thus, having multiple scopes is not a limitation of DHCP itself.

D

This option is incorrect because DHCP relay does not require clients to use static addresses; it is designed to facilitate dynamic IP address assignment. Static addresses would not affect the relay process or the DHCP server's ability to assign addresses from the correct scope.

426
PBQhard

You are connected to R1. The inside network 192.168.10.0/24 must be able to reach the Internet via PAT (NAT overload) using the outside interface G0/1 with IP 203.0.113.2/30. Additionally, the internal server at 192.168.10.100 must be statically mapped to public IP 203.0.113.10. The current configuration is incomplete and contains errors. Fix the NAT configuration on R1 so that both requirements are met.

Hints

  • Check the NAT direction on the outside interface.
  • The overload keyword is missing from the PAT command.
  • The ACL must match the entire inside subnet, not just one host.
A.ip access-list standard 100 permit 192.168.10.0 0.0.0.255 ip nat inside source list 100 interface GigabitEthernet0/1 overload ip nat inside source static 192.168.10.100 203.0.113.10 interface GigabitEthernet0/1 ip nat outside
B.ip access-list standard 100 permit host 192.168.10.100 ip nat inside source list 100 interface GigabitEthernet0/1 overload ip nat inside source static 192.168.10.100 203.0.113.10 interface GigabitEthernet0/1 ip nat outside
C.ip access-list standard 100 permit 192.168.10.0 0.0.0.255 ip nat inside source list 100 interface GigabitEthernet0/1 ip nat inside source static 192.168.10.100 203.0.113.10 interface GigabitEthernet0/1 ip nat outside
D.ip access-list standard 100 permit 192.168.10.0 0.0.0.255 ip nat inside source list 100 interface GigabitEthernet0/1 overload ip nat inside source static 192.168.10.100 203.0.113.10 interface GigabitEthernet0/1 ip nat inside
AnswerA
solution
! R1
configure terminal
interface gigabitEthernet0/1
no ip nat inside
ip nat outside
exit
ip nat inside source list 100 interface gigabitEthernet0/1 overload
no access-list 100
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
end

Why this answer

The correct configuration is a standard ACL matching the entire 192.168.10.0/24 subnet, a PAT statement with the overload keyword, and the outside interface correctly configured as ip nat outside. Option A achieves all three. Option B fails because its ACL only matches the server host, so only 192.168.10.100 can use the PAT translation.

Option C omits the overload keyword, meaning only one inside host can translate at a time – PAT is not enabled. Option D configures the external interface as ip nat inside instead of outside, blocking translation of outbound traffic.

Exam trap

Watch out for three common traps: (1) forgetting the overload keyword when PAT is needed; (2) using an ACL that only matches the server instead of the whole subnet; (3) confusing inside and outside interface configuration. Always verify the ACL scope and the presence of overload for PAT.

Why the other options are wrong

B

The ACL must match the entire inside network (192.168.10.0/24), not just the server IP.

C

The overload keyword is required to enable PAT (port address translation) for sharing a single public IP among multiple inside hosts.

D

The interface facing the internet must be configured as ip nat outside; inside interfaces are those facing the internal network.

427
MCQhard

Exhibit: Hosts on the inside network can reach the internet, but inbound connections to a published web server fail. Static NAT is configured. What is the most likely missing piece?

A.A default route on the inside host
B.An ACL permit entry allowing TCP port 80 or 443 to the translated address
C.PAT overload on the outside interface
D.DHCP relay toward the web server
AnswerB

NAT alone does not override an inbound filtering policy.

Why this answer

Static NAT provides the address translation, but traffic still must be permitted by an inbound ACL or firewall policy on the outside interface. Option A is incorrect because a default route on the inside host affects outbound traffic, not inbound connections. Option C is wrong since PAT overload is for many-to-one translation and is not required here, and it would not block inbound traffic if static NAT is already configured.

Option D is incorrect because DHCP relay does not influence inbound access to a web server; it only forwards DHCP requests from clients to a remote DHCP server.

Exam trap

Many candidates assume that static NAT alone guarantees inbound access, forgetting that an inbound ACL on the outside interface must explicitly permit the traffic.

Why the other options are wrong

A

A default route on the inside host controls outbound traffic, not inbound connections from the internet.

C

PAT overload is used for many-to-one translation and would not block inbound traffic if static NAT is already configured.

D

DHCP relay forwards DHCP requests to a remote server and does not affect inbound HTTP/HTTPS access to a web server.

428
MCQhard

A company wants an internal web server to be reachable consistently from the Internet using one known public IPv4 address. Which NAT approach best fits that requirement?

A.Static NAT
B.PAT overload
C.No NAT, because private IPv4 addresses are publicly routable
D.DHCP relay
AnswerA

This is correct because static NAT gives the server a permanent public mapping.

Why this answer

Static NAT is the best fit because it creates a fixed one-to-one relationship between the inside server and the public address. In practical terms, outside clients need a stable public identity for the server. They cannot rely on a translated address that changes session by session. Static NAT gives that predictability.

This is different from PAT, which is designed for many inside users sharing fewer public addresses for outbound traffic. The question is about publishing a server, not conserving addresses for client browsing. That is why static NAT is the strongest answer.

Exam trap

A frequent exam trap is selecting PAT overload as the solution for making an internal server reachable from the Internet. PAT is primarily designed for outbound traffic from multiple internal hosts sharing a single public IP, not for inbound access to a specific server. Another trap is thinking private IPv4 addresses are publicly routable, which they are not, so no NAT would fail to provide Internet reachability.

Also, confusing DHCP relay with NAT functions can mislead candidates, as DHCP relay only forwards DHCP messages and does not affect public IP mappings or server accessibility from the Internet.

Why the other options are wrong

B

PAT overload is incorrect because it is designed for many internal hosts sharing a single public IP for outbound traffic, not for providing a fixed public IP for inbound server access.

C

No NAT is incorrect since private IPv4 addresses are not routable on the public Internet; without NAT, the internal server cannot be reached from outside the private network.

D

DHCP relay is unrelated to NAT or public reachability; it only forwards DHCP requests across subnets and does not provide any public IP mapping for internal servers.

429
Multi-Selectmedium

A network operations team wants centralized logging from routers and switches and also wants meaningful severity filtering. Which two statements about syslog are correct?

Select 2 answers
A.Devices can send log messages to a remote syslog server for central storage
B.Severity levels allow filtering based on how serious an event is
C.Syslog is used to assign IP addresses dynamically to endpoints
D.Syslog entries replace SNMP counters for interface statistics
AnswersA, B

Centralization helps with monitoring, retention, and incident response.

Why this answer

Syslog provides centralized event reporting by allowing devices to send log messages to a remote server (option A is correct). Severity levels enable filtering based on event seriousness (option B is correct). Option C is incorrect because syslog does not assign IP addresses dynamically—that is the role of DHCP.

Option D is incorrect because syslog logs events and does not replace SNMP counters, which remain the primary method for collecting interface statistics.

Exam trap

Be careful not to confuse syslog's use of UDP with TCP, and remember that syslog can send to multiple servers.

Why the other options are wrong

C

Syslog is not used for IP address assignment; that function is performed by DHCP.

D

Syslog does not replace SNMP counters for interface statistics; SNMP remains the primary method for collecting such data.

430
MCQmedium

Which security concept is most closely associated with ensuring data has not been altered in an unauthorized way?

A.Integrity
B.Availability
C.Accounting
D.Confidentiality
AnswerA

This is correct because integrity is concerned with preventing or detecting unauthorized changes to data.

Why this answer

The concept is integrity. In plain language, integrity is about making sure data remains accurate and trustworthy and that unauthorized changes can be detected or prevented. If confidentiality is about stopping the wrong people from seeing data, integrity is about stopping the wrong people from changing it. Availability, meanwhile, focuses on access to systems and services when needed.

This distinction matters because CCNA questions often group security vocabulary together and rely on candidates to separate them cleanly. Integrity is not the same as authentication or accounting, and it is not simply about whether a service is online. It specifically focuses on the correctness and trustworthiness of data or system state. That is why integrity is the correct answer here.

Exam trap

A frequent exam trap is mistaking confidentiality for integrity because both relate to data security. Confidentiality prevents unauthorized users from viewing data, but it does not guarantee that the data has not been altered. Another trap is confusing availability with integrity; availability ensures systems and data are accessible when needed but does not protect against unauthorized changes.

Candidates might also select accounting, which tracks user activity but does not ensure data correctness. Understanding these distinctions is crucial to avoid selecting the wrong security concept under exam pressure.

Why the other options are wrong

B

Availability is incorrect because it focuses on ensuring that systems and data are accessible when needed, not on preventing unauthorized data modification.

C

Accounting is incorrect since it involves logging and tracking user activities and network events but does not guarantee that the data itself has not been altered.

D

Confidentiality is incorrect because it protects data from unauthorized disclosure but does not ensure that the data has not been changed or tampered with.

431
MCQmedium

A team wants to know which internal hosts are sending the most traffic to a specific data center subnet. Which technology is most directly associated with that visibility goal?

A.NetFlow
B.Syslog
C.DHCP
D.PortFast
AnswerA

This is correct because NetFlow is designed to provide traffic-flow visibility.

Why this answer

NetFlow is the best fit because it provides visibility into traffic flows and conversations. In practical terms, it helps answer questions like who is talking to whom, over which protocols and ports, and how much traffic is being exchanged. That makes it useful for capacity, troubleshooting, and unusual-traffic analysis.

This is different from Syslog, which reports device events, and from general SNMP polling, which focuses more on device and interface counters.

Exam trap

A common exam trap is selecting Syslog or DHCP when asked about traffic visibility. Syslog focuses on logging system events and device messages, not on analyzing who is sending traffic or how much. DHCP is solely for IP address assignment and does not provide any traffic flow data.

Candidates might confuse these because they are familiar Cisco technologies, but neither provides the flow-level traffic insight that NetFlow offers. Misunderstanding the purpose of these protocols leads to incorrect answers, especially under time pressure.

Why the other options are wrong

B

Syslog is incorrect because it focuses on logging device events and messages rather than providing traffic flow or volume information necessary for identifying heavy traffic sources.

C

DHCP is incorrect since it only assigns IP addresses and network settings to hosts and does not offer any insight into traffic patterns or flow data.

D

PortFast is incorrect because it is a Spanning Tree Protocol feature that accelerates port forwarding state transitions and does not relate to traffic monitoring or analysis.

432
Matchingeasy

Match each HTTP method to its common REST API action.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Retrieve a resource

Create a new resource

Update or replace a resource

Remove a resource

Why these pairings

GET retrieves data; POST creates; PUT replaces; PATCH partially updates; DELETE removes; OPTIONS queries available methods.

Exam trap

Be careful not to confuse PUT (full replacement) with PATCH (partial update). Also, remember that GET is read-only and should not create or modify data.

433
Drag & Dropmedium

Drag and drop the following steps into the correct order to configure AAA with a RADIUS server and enable 802.1X port authentication on a Cisco IOS-XE switch.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4

Why this order

First enter global config, then define the RADIUS server, then configure AAA authentication, then enable 802.1X globally, and finally apply per-interface 802.1X settings.

Exam trap

Do not confuse the order: the RADIUS server must be defined before AAA authentication, and AAA must be configured before enabling 802.1X globally. A common trap is to enable 802.1X too early.

434
MCQmedium

An engineer wants users to get fast link-up on access ports but also wants the switch to disable a port if another switch is connected and sends BPDUs. Which combination of features best meets that requirement?

A.PortFast and BPDU Guard
B.DHCP snooping and DAI
C.Root Guard and VTP pruning
D.Port security and CDP
AnswerA

Correct. This is correct. PortFast provides fast host connectivity, and BPDU Guard protects the port by shutting it down if BPDUs are received from a connected switch.

Why this answer

PortFast and BPDU Guard are the classic edge-port combination for this requirement. PortFast helps a user-facing interface begin forwarding quickly so a PC or phone does not wait through the normal spanning-tree transition delay. BPDU Guard adds protection by monitoring that same port for BPDUs.

If a switch is accidentally or intentionally connected and starts participating in spanning tree, BPDU Guard reacts by disabling the port to protect the Layer 2 topology. In plain language, users get quick connectivity when the port is used correctly, but the network still protects itself against someone plugging in a switch where only an endpoint should exist. That is exactly what the requirement asks for.

Exam trap

Avoid confusing BPDU Guard with other guard features like Root Guard or Loop Guard, which serve different purposes.

Why the other options are wrong

B

DHCP snooping and DAI (Dynamic ARP Inspection) do not address the requirement of disabling a port upon receiving BPDUs; they focus on protecting against rogue DHCP servers and ARP spoofing, respectively.

C

Root Guard and VTP pruning do not address the requirement of quickly enabling access ports and disabling them upon receiving BPDUs. Root Guard is used to prevent a port from becoming a root port, while VTP pruning optimizes VLAN traffic, neither of which directly manage port states based on BPDU reception.

D

Port security and CDP do not provide the necessary functionality to disable a port when BPDUs are received. Port security can limit the number of MAC addresses but does not specifically address BPDU handling.

435
MCQhard

A router performing PAT is using a single public IPv4 address for many inside hosts. Which value most often distinguishes one inside flow from another on the same outside address?

A.TTL
B.DSCP
C.TCP or UDP source port
D.MAC address of the host
AnswerC

Correct. PAT uses port numbers to distinguish flows.

Why this answer

PAT commonly multiplexes sessions by translating Layer 4 source port numbers.

Exam trap

A common exam trap is selecting TTL or DSCP as the distinguishing value for inside flows in PAT. TTL is often mistaken because it changes during routing, but it does not uniquely identify sessions. DSCP is related to Quality of Service and does not influence NAT translations.

Another trap is thinking MAC addresses can be used to differentiate flows; however, MAC addresses are stripped and replaced at each routed hop, so they are irrelevant in PAT. The correct distinguishing factor is the TCP or UDP source port number, which PAT uses to multiplex multiple inside hosts over a single public IP address.

Why the other options are wrong

A

TTL is not the main distinguishing value PAT uses because it changes as packets traverse routers and does not uniquely identify individual flows in NAT translations.

B

DSCP is a QoS marking used to prioritize traffic and does not play a role in NAT or PAT flow differentiation, so it cannot distinguish inside flows sharing one outside IP.

D

MAC addresses are Layer 2 addresses that are not preserved across routed NAT boundaries, so they cannot be used to distinguish flows in PAT.

436
MCQmedium

Exhibit: A network engineer wants to identify which applications are consuming most WAN bandwidth over time. Which feature should be enabled on the router?

A.NTP authentication
B.NetFlow
C.DNS forwarding
D.DHCP snooping
AnswerB

NetFlow provides detailed flow-based traffic visibility.

Why this answer

NetFlow records conversations and traffic characteristics so an external collector can analyze top talkers, protocols, and usage trends. Syslog and SNMP have different purposes.

Exam trap

A frequent exam trap is mistaking features like DHCP snooping or DNS forwarding as tools for bandwidth monitoring. DHCP snooping is a Layer 2 security mechanism that prevents unauthorized DHCP servers but does not provide traffic usage data. DNS forwarding helps resolve domain names faster but does not track or analyze bandwidth consumption.

Another trap is confusing NTP authentication, which secures time synchronization, with traffic profiling tools. Candidates must recognize that only NetFlow collects detailed flow information necessary to identify which applications consume the most WAN bandwidth over time.

Why the other options are wrong

A

NTP authentication protects the integrity of time synchronization between devices but does not provide any mechanism for monitoring or analyzing network traffic flows or bandwidth usage.

C

DNS forwarding improves domain name resolution efficiency but does not collect or analyze traffic flow information related to bandwidth consumption.

D

DHCP snooping is a security feature that prevents unauthorized DHCP servers at Layer 2 and does not provide any traffic profiling or bandwidth monitoring capabilities.

437
MCQhard

A small office uses PAT for user Internet access. What mechanism does PAT use to allow many users to share one public address while keeping their sessions distinct?

A.Use transport-layer port values to distinguish multiple inside sessions behind one outside address.
B.Convert all inside hosts to the same private IP address.
C.Increase the size of the NAT pool to include multiple public addresses.
D.Configure static NAT mappings for each inside host.
AnswerA

This is correct because PAT uses ports to separate many sessions sharing one public IP.

Why this answer

PAT (Port Address Translation) distinguishes multiple inside sessions by rewriting the source port number for each connection while using the same public IP address. This transport-layer port translation allows many internal hosts to share one outside address without conflict. The correct answer identifies the use of port numbers, which is the core mechanism.

Increasing the NAT pool or using static NAT would not enable sharing of a single public address. Changing private IPs to be identical or disabling routes are irrelevant to PAT's operation.

Exam trap

A common mistake is thinking PAT requires all inside hosts to have the same private IP or that adding more public IPs is the primary method for sharing a single address.

Why the other options are wrong

B

Converting all inside hosts to the same private IP would cause addressing conflicts and break basic connectivity, not enable PAT.

C

Increasing the NAT pool provides more public addresses but does not allow many users to share one public address via port translation.

D

Static NAT requires a dedicated public IP per host, preventing many-to-one sharing.

438
MCQmedium

A DHCP server is located on a different VLAN from the clients. Which feature is required so the clients can still receive addresses?

A.DHCP snooping
B.DHCP relay
C.Port security
D.NAT overload
AnswerB

Correct. DHCP relay enables cross-VLAN DHCP service.

Why this answer

DHCP relay forwards client broadcasts to a remote server as unicast, typically using ip helper-address on the Layer 3 interface.

Exam trap

A common exam trap is selecting DHCP snooping as the solution for clients on different VLANs to receive DHCP addresses. DHCP snooping is a security mechanism that filters DHCP messages to prevent rogue servers but does not forward DHCP broadcasts across VLANs. Another tempting but incorrect choice is port security, which controls MAC address access on switch ports but does not affect DHCP broadcast forwarding.

NAT overload is unrelated to DHCP address assignment and only translates IP addresses for outbound traffic. The key misunderstanding is confusing DHCP relay’s role in forwarding broadcasts with security or address translation features.

Why the other options are wrong

A

DHCP snooping is a security feature that prevents unauthorized DHCP servers by filtering DHCP messages. It does not forward DHCP broadcasts across VLANs, so it cannot enable clients on different VLANs to receive addresses.

C

Port security restricts the number and identity of MAC addresses on switch ports to enhance security. It does not affect DHCP broadcast forwarding or enable clients to receive addresses from servers on different VLANs.

D

NAT overload translates multiple private IP addresses to a single public IP address for outbound traffic. It does not address the issue of forwarding DHCP broadcasts between VLANs or enable DHCP clients to obtain addresses from remote servers.

439
Drag & Dropmedium

Drag and drop the following steps into the correct order to configure and apply an extended ACL that permits only HTTP traffic from the 192.168.1.0/24 network to the server at 10.0.0.1, with the ACL applied inbound on the router's GigabitEthernet0/0 interface, and then verify the configuration.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4

Why this order

First, enter config mode. Create the ACL permitting HTTP from the source network to the destination host. Apply it inbound on the correct interface.

Then exit and verify.

Exam trap

Pay attention to the direction of ACL application (inbound vs outbound) and the specific verification command. Also, ensure you exit configuration mode before verifying, as some show commands are available in config mode but the standard workflow is to exit first.

440
MCQmedium

Which term in the CIA triad refers to ensuring systems and data remain accessible when needed?

A.Availability
B.Integrity
C.Accounting
D.Confidentiality
AnswerA

This is correct because availability is about ensuring systems and data can be accessed when needed.

Why this answer

The term is availability. In plain language, availability means that authorized users should be able to reach systems, services, and data when they actually need them. If a service is down, overwhelmed, or otherwise unreachable, availability has been affected. This is different from confidentiality, which focuses on preventing unauthorized disclosure, and integrity, which focuses on preventing unauthorized change.

This distinction matters because the CIA triad appears often in security foundations and exam questions. Availability is not about whether data is secret or whether it has been altered; it is about whether the service is usable. That is why availability is the best answer here.

Exam trap

A frequent exam trap is confusing availability with confidentiality or integrity because all three belong to the CIA triad. Candidates may incorrectly choose confidentiality, thinking about data protection, or integrity, focusing on data accuracy. However, availability specifically means ensuring systems and data remain accessible when needed.

Misreading the question or overthinking the triad components leads to selecting the wrong term. Remember, availability is about uptime and access, not secrecy or correctness, which are confidentiality and integrity respectively.

Why the other options are wrong

B

Integrity is incorrect because it focuses on protecting data from unauthorized changes, not on ensuring access or uptime of systems and data.

C

Accounting is incorrect as it is part of the AAA framework (Authentication, Authorization, Accounting) and not a component of the CIA triad, so it does not relate to system availability.

D

Confidentiality is incorrect because it deals with preventing unauthorized disclosure of information, not with ensuring that systems and data are accessible when required.

441
Matchingmedium

Drag and drop the AAA terms on the left to their correct definitions on the right.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Verifies the identity of a user or device before granting access.

Determines what resources or services a user is allowed to access.

Tracks and logs user activities, such as login time and commands executed.

A Cisco proprietary protocol that separates authentication, authorization, and accounting.

An open standard protocol that combines authentication and authorization in one packet.

Why these pairings

AAA components: Authentication verifies identity, Authorization controls access, Accounting logs activities. RADIUS is an open standard that combines authentication and authorization, while TACACS+ is a Cisco proprietary protocol that separates all three functions.

Exam trap

Do not confuse the AAA components with the protocols used to implement them. The question asks for the definition of Authentication, not for a protocol like RADIUS or TACACS+. Also, ensure you distinguish between Authentication (identity) and Authorization (permissions).

442
MCQmedium

R1 receives an OSPF route to 10.55.0.0/16 and already has a static route to 10.55.10.0/24. Which route will be used for traffic sent to 10.55.10.25?

A.The OSPF /16 route, because dynamic routes override static routes learned later.
B.The static /24 route, because it is the longest-prefix match.
C.Both routes equally, because they point to the same major network.
D.Neither route, because overlapping routes are invalid.
AnswerB

Route lookup prefers the most specific matching prefix.

Why this answer

The static /24 route is more specific than the OSPF /16 route, so longest-prefix match wins. Administrative distance is only compared among routes to the same prefix length.

Exam trap

Remember that the longest-prefix match rule takes precedence over administrative distance when routes have different prefix lengths.

Why the other options are wrong

A

This option is incorrect because static routes are preferred over dynamic routes in OSPF when both are present, regardless of when they were learned. The static route to 10.55.10.0/24 will be used due to its longer prefix match.

C

This option is incorrect because OSPF routes do not share equal preference with static routes; the static /24 route will be preferred due to its longer prefix length, making it the best match for the specific destination IP.

D

This option is incorrect because overlapping routes are valid in routing protocols like OSPF, and both routes can coexist in the routing table. The static route to 10.55.10.0/24 is valid and will be preferred due to its longer prefix length.

443
PBQhard

You are connected to R1. Configure AAA with a RADIUS server at 10.0.0.2/30 (key 'cisco123') so that console and VTY login use RADIUS first, then local authentication. Additionally, troubleshoot why an 802.1X-enabled switch port (GigabitEthernet0/1) on R1 is stuck in the unauthorized state. The RADIUS server is reachable but authentication fails. Verify using 'show aaa servers' and 'show dot1x interface GigabitEthernet0/1 details'.

Network Topology
G0/010.0.0.1/3010.0.0.2/30linkR1RADIUS Server

Hints

  • Check the RADIUS server's shared key configuration.
  • The key 'cisco123' might be incorrect; verify with the server administrator.
  • Use 'debug radius authentication' to see authentication failures.
A.Configure 'aaa authentication login default group RADIUS local' and correct the RADIUS server key to match the actual server key.
B.Configure 'aaa authentication login default group radius local' and verify the RADIUS server IP address is correct.
C.Configure 'aaa authentication login default group radius local' and enable 802.1X globally with 'dot1x system-auth-control'.
D.Configure 'aaa authentication login default local' and remove the RADIUS server configuration.
AnswerA
solution
! R1
configure terminal
radius server RADIUS
key correctkey
end

Why this answer

The RADIUS server is reachable but AAA and 802.1X authentication fail because the pre-shared key on R1 does not match the server's actual key. The correct repair is to first apply 'aaa authentication login default group RADIUS local' to correctly reference the RADIUS server by its name, then set the matching key under 'radius server RADIUS'. Once the key matches, the switch port will transition to authorized state.

Exam trap

Do not assume reachability equals authentication success; always verify the shared key matches. Also, when using new-style RADIUS server configuration, the AAA method must use the server name directly (not the generic 'radius' group) unless a custom server group is defined.

Why the other options are wrong

B

Verifying the IP address is redundant because the server is already reachable; the root cause is a mismatched shared key.

C

Enabling 802.1X globally will not fix a key mismatch and is not the reason for the port remaining unauthorized when RADIUS is reachable.

D

Using only local authentication removes the required RADIUS-first method and does not resolve the key issue.

444
Matchingmedium

Match each operations term to its most accurate meaning.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Repeated collection of data by the management system

Event notification sent by the device

Indicator of how serious a logged event is

Visibility into traffic flows and conversations

Why these pairings

Polling matches 'Repeated collection of data by the management system' because an NMS periodically requests data from devices (SNMP Get/GetNext). Traps are event notifications sent by the device without a prior request. Syslog severity indicates the importance of a logged event (0=emergency to 7=debug).

NetFlow provides visibility into traffic flows by collecting metadata about communications between endpoints.

Exam trap

A common mistake is confusing SNMP traps with SNMP polling: traps are unsolicited alerts from the device, while polling is periodic retrieval initiated by the management system.

445
MCQeasy

Which STP role identifies the port on a non-root switch that has the best path back to the root bridge?

A.Designated port
B.Root port
C.Alternate port
D.Disabled port
AnswerB

That is the correct STP role.

Why this answer

The root port is the single port on a non-root switch that provides the lowest-cost path toward the root bridge. Designated ports forward away from the root for a segment, and alternate ports are backup paths.

Exam trap

A frequent exam trap is mistaking the designated port for the root port. While both forward traffic, the designated port is selected per LAN segment to forward frames away from the root bridge, not necessarily providing the best path back to the root. Another trap is confusing the alternate port with the root port; alternate ports are backup paths kept in blocking state and do not forward traffic unless the root port fails.

Candidates often overlook that the root port is unique per non-root switch and always represents the lowest-cost path to the root bridge, which is the key to answering this question correctly.

Why the other options are wrong

A

Designated ports are selected for each LAN segment to forward traffic away from the root bridge, but they do not represent the best path back to the root bridge on a non-root switch. Therefore, this option is incorrect.

C

Alternate ports serve as backup paths and remain in a blocking state unless the root port fails. They do not identify the best path back to the root bridge, so this option is incorrect.

D

Disabled ports do not participate in STP forwarding or path selection and are not related to identifying the best path back to the root bridge, making this option incorrect.

446
MCQhard

A standard ACL and an extended ACL are both available for a design. Which requirement most strongly indicates that an extended ACL is needed?

A.The policy must distinguish traffic by destination, protocol, or port.
B.The policy needs to match only one source subnet.
C.The ACL must be placed near the destination.
D.The network uses IPv6 instead of IPv4.
AnswerA

This is correct because those requirements need extended ACL granularity.

Why this answer

An extended ACL is most strongly indicated when the policy must match not just on source address, but also on destination, protocol, or port information. In practical terms, if the requirement is something like “block HTTP but allow SSH” or “deny traffic to one server but not another,” a standard ACL is too limited because it mainly matches only the source. Option B (matching only one source subnet) can be done with a standard ACL, so it does not demand an extended ACL.

Option C (placement near destination) is a guideline for standard ACLs, not a reason to choose an extended ACL. Option D (IPv6) is irrelevant because the scenario explicitly states both ACL types are available and standard ACLs do not exist for IPv6—this question is about IPv4 ACLs.

Exam trap

Remember that standard ACLs can only filter based on source IP addresses. If the requirement involves protocols or ports, think extended ACL.

Why the other options are wrong

B

Matching only one source subnet can be accomplished with a standard ACL, so this does not strongly indicate a need for an extended ACL.

C

Placing an ACL near the destination is a characteristic of standard ACLs, not a criterion that selects an extended ACL.

D

The scenario assumes both standard and extended ACLs are available; standard ACLs do not exist for IPv6, so this requirement does not apply to the IPv4 ACL choice.

447
MCQhard

Why is the combination of strong authentication and centralized logging generally better than using either one alone?

A.Authentication helps prevent unauthorized access, while centralized logging improves visibility and investigation.
B.They are redundant because both perform exactly the same function.
C.Centralized logging makes authentication unnecessary.
D.Strong authentication removes the need for device event records.
AnswerA

This is correct because the two controls complement each other.

Why this answer

The combination is better because strong authentication helps prevent unauthorized access, while centralized logging helps detect, review, and investigate activity across the environment. In plain language, one control focuses more on prevention, while the other improves visibility and accountability. Together they create a stronger security posture than either one alone.

This is an important design mindset. Security is stronger when controls complement each other instead of trying to solve every problem with one mechanism. The correct answer is the one focused on prevention plus visibility.

Exam trap

Avoid assuming that two controls can cover all security needs or that combining them simplifies architecture.

Why the other options are wrong

B

Option B is incorrect because strong authentication and centralized logging serve distinct functions; authentication secures access while logging tracks and analyzes events, enhancing security and compliance.

C

This option is incorrect because centralized logging does not eliminate the need for authentication; both are essential for a comprehensive security posture. Authentication verifies user identity, while logging tracks access and actions for auditing and incident response.

D

This option is wrong because strong authentication does not eliminate the need for device event records; both are essential for comprehensive security management. Device event records provide critical insights into system activity, which strong authentication alone cannot address.

448
PBQhard

You are connected to R1. Configure R1 as a DHCP server for the 192.168.100.0/24 subnet, reserving the first 10 addresses and the address 192.168.100.254 for static assignments, with default gateway 192.168.100.1 and DNS server 8.8.8.8. Then, on the same router, enable DHCP relay for the 10.1.1.0/24 subnet by configuring the helper address pointing to the DHCP server at 192.168.100.1. Finally, verify that the DHCP pool is correctly configured and that the helper address is set.

Hints

  • Check the default-router in the DHCP pool — it should be the gateway address, not an excluded address.
  • The helper-address on G0/1 must point to the DHCP server interface IP, not to a reserved address.
  • Examine the excluded-address list to understand which addresses are reserved.
A.The default-router is incorrectly set to 192.168.100.254 instead of 192.168.100.1, and the ip helper-address on G0/1 points to 192.168.100.254 instead of 192.168.100.1.
B.The default-router is correctly set to 192.168.100.1, but the ip helper-address on G0/1 points to 192.168.100.254 instead of 192.168.100.1.
C.The default-router is incorrectly set to 192.168.100.254 instead of 192.168.100.1, but the ip helper-address on G0/1 correctly points to 192.168.100.1.
D.Both the default-router and the ip helper-address are correctly configured as 192.168.100.1.
AnswerA
solution
! R1
configure terminal
ip dhcp pool POOL_100
default-router 192.168.100.1
exit
interface GigabitEthernet0/1
ip helper-address 192.168.100.1
end
copy running-config startup-config

Why this answer

The configuration has two critical errors. First, the default-router in the DHCP pool is incorrectly set to 192.168.100.254, which is an excluded address meant for static assignment, not the actual gateway (192.168.100.1). Second, the ip helper-address on G0/1 points to 192.168.100.254 (the wrong address) instead of the DHCP server's own interface IP 192.168.100.1.

To fix, change the default-router to 192.168.100.1 and update the helper-address to 192.168.100.1.

Exam trap

Be careful not to confuse the excluded addresses (reserved for static assignment) with the gateway address. Also, remember that when a router acts as both DHCP server and relay, the helper-address should point to the router's own interface IP on the server subnet, not to an excluded address.

Why the other options are wrong

B

The specific factual error is that the helper-address should be the DHCP server's IP, not an excluded address.

C

The specific factual error is that the default-router must be the gateway address, not an excluded address.

D

The specific factual error is that the question states the configuration uses 192.168.100.254 for both, so this option does not match the given scenario.

449
PBQhard

You are connected to R1. Configure AAA with RADIUS authentication on R1 so that SSH login attempts first contact the RADIUS server at 192.0.2.10 (key 'cisco123'), and if the server is unreachable, fall back to the local database. Additionally, troubleshoot why an 802.1X-enabled switch port (GigabitEthernet0/1) on a connected switch remains in the 'unauthorized' state despite RADIUS being functional; identify and fix the misconfiguration on the switch (SW1).

Network Topology
G0/0192.0.2.1/24G0/1G0/1SW1R1Client

Hints

  • Check if the switch has 'aaa new-model' enabled.
  • The switch needs a RADIUS server definition and an authentication method list for dot1x.
  • The 'aaa authentication dot1x default group radius' command is missing.
A.R1: 'aaa new-model', 'radius server RADIUS', 'address ipv4 192.0.2.10 key cisco123', 'aaa authentication login default group radius local', 'line vty 0 4', 'login authentication default'. SW1: 'aaa new-model', 'radius server RADIUS', 'address ipv4 192.0.2.10 key cisco123', 'aaa authentication dot1x default group radius', 'dot1x system-auth-control', 'interface GigabitEthernet0/1', 'authentication port-control auto', 'dot1x pae authenticator'.
B.R1: 'aaa new-model', 'radius server RADIUS', 'address ipv4 192.0.2.10 key cisco123', 'aaa authentication login default group radius local', 'line vty 0 4', 'login authentication default'. SW1: 'aaa new-model', 'radius server RADIUS', 'address ipv4 192.0.2.10 key cisco123', 'aaa authentication login default group radius', 'dot1x system-auth-control', 'interface GigabitEthernet0/1', 'authentication port-control auto', 'dot1x pae authenticator'.
C.R1: 'aaa new-model', 'radius server RADIUS', 'address ipv4 192.0.2.10 key cisco123', 'aaa authentication login default group radius', 'line vty 0 4', 'login authentication default'. SW1: 'aaa new-model', 'radius server RADIUS', 'address ipv4 192.0.2.10 key cisco123', 'aaa authentication dot1x default group radius', 'dot1x system-auth-control', 'interface GigabitEthernet0/1', 'authentication port-control auto', 'dot1x pae authenticator'.
D.R1: 'aaa new-model', 'radius server RADIUS', 'address ipv4 192.0.2.10 key cisco123', 'aaa authentication login default group radius local', 'line vty 0 4', 'login authentication default'. SW1: 'aaa new-model', 'radius server RADIUS', 'address ipv4 192.0.2.10 key cisco123', 'aaa authentication dot1x default group radius', 'dot1x system-auth-control', 'interface GigabitEthernet0/1', 'authentication port-control auto'.
AnswerA
solution
! R1


! SW1
configure terminal
aaa new-model
radius server RADIUS
address ipv4 192.0.2.10
key cisco123
aaa authentication dot1x default group radius
end
write memory

Why this answer

The correct answer is Option A. For R1, the 'aaa authentication login default group radius local' command ensures that SSH login attempts first contact the RADIUS server at 192.0.2.10 and fall back to the local database if the server is unreachable. Options that omit the 'local' keyword (C) lack this fallback, making them incorrect.

Option B incorrectly uses 'aaa authentication login' on the switch for 802.1X; the correct command is 'aaa authentication dot1x'. On SW1, all wrong options (B, C, D) are missing the 'dot1x pae authenticator' command under the interface, which is required for the switch to explicitly act as an 802.1X authenticator (though some IOS versions auto-assume it, Cisco CCNA expects explicit configuration). Option D also lacks 'dot1x pae authenticator', leaving the port in unauthorized state.

Only Option A includes all necessary commands: correct RADIUS server definitions, proper AAA authentication lists for both login and dot1x, global 'dot1x system-auth-control', and the interface-level commands 'authentication port-control auto' and 'dot1x pae authenticator'.

Exam trap

Do not confuse 'aaa authentication login' (for device access) with 'aaa authentication dot1x' (for network access); also, the 'dot1x pae authenticator' command is often required to explicitly set the port to authenticator role — omitting it can leave the port unauthorized even if other 802.1X commands are present.

Why the other options are wrong

B

Uses 'aaa authentication login' on the switch instead of 'aaa authentication dot1x', which does not enable RADIUS authentication for 802.1X.

C

On R1, the login authentication list omits 'local', so there is no fallback to the local database if the RADIUS server is unreachable.

D

Missing the 'dot1x pae authenticator' command under GigabitEthernet0/1, which is necessary for the switch to function as an 802.1X authenticator.

450
PBQhard

You are connected to R1, a multilayer switch acting as a DNS client and DNS server for the local network. The network uses 192.168.1.0/24 for internal hosts. Users report that hostnames like 'server1.example.com' fail to resolve. Diagnose and fix the DNS resolution issue using nslookup and dig. Ensure that R1 can resolve both forward and reverse DNS queries correctly.

Network Topology
192.168.1.0/24G0/0203.0.113.0/30SiR1Internal HostsInternet

Hints

  • Check if the DNS forwarder is reachable; if not, you may need to configure local DNS records.
  • Use 'ip host' to create an A record, and 'ip dns primary' for reverse zone with PTR.
  • Remove the unreachable name-server with 'no ip name-server' to stop using it.
A.Configure R1 as a local DNS server with an A record for server1.example.com (192.168.1.10) and a PTR record for 192.168.1.10, then remove the unreachable forwarder 192.0.2.53 and ensure ip domain lookup uses the local server.
B.Configure R1 as a DNS server with only an A record for server1.example.com (192.168.1.10) and keep the forwarder 192.0.2.53 for other queries.
C.Remove the forwarder 192.0.2.53 and configure R1 as a DNS server with only a PTR record for 192.168.1.10.
D.Change the DNS forwarder to a reachable server like 8.8.8.8 and add a PTR record for 192.168.1.10 on R1.
AnswerA
solution
! R1
ip dns server
ip host server1.example.com 192.168.1.10
ip dns primary 1.168.192.in-addr.arpa soa ns.example.com admin.example.com 1 3600 900 604800 86400
ip dns primary 1.168.192.in-addr.arpa ns ns.example.com
ip dns primary 1.168.192.in-addr.arpa ptr 10 1.168.192.in-addr.arpa server1.example.com
no ip name-server 192.0.2.53

Why this answer

The issue is twofold: first, the DNS forwarder (192.0.2.53) is unreachable, causing forward lookups to fail with NXDOMAIN; second, there is no PTR record for the reverse lookup zone. The forward lookup failure is because R1 is configured to use an unreachable external DNS server. The reverse lookup failure is because no PTR record exists for the host IP.

To fix, either configure a reachable DNS forwarder or enable local DNS server with appropriate records. Here, we configure R1 as a local DNS server with an A record for 'server1.example.com' pointing to 192.168.1.10 and a PTR record for the reverse lookup. Then we remove the unreachable forwarder and ensure ip domain lookup uses local server.

Exam trap

Students often forget that reverse DNS requires a PTR record in addition to the A record. Also, they may not verify that the DNS forwarder is reachable; simply adding records without removing an unreachable forwarder will not fix forward lookups. Always check both forward and reverse resolution requirements.

Why the other options are wrong

B

The forwarder is unreachable, so keeping it will cause forward lookups to fail. Also, reverse lookup requires a PTR record, which is missing.

C

Forward lookups require an A record mapping the hostname to an IP address; without it, forward queries return NXDOMAIN.

D

The scenario expects R1 to be a local DNS server for internal hosts; using an external forwarder for internal hostnames is not best practice and may not resolve internal names if the forwarder doesn't have the records.

← PreviousPage 6 of 7 · 478 questions totalNext →

Ready to test yourself?

Try a timed practice session using only Network Services and Security questions.