CCNA Network Infra Connectivity Questions

75 of 390 questions · Page 2/6 · Network Infra Connectivity topic · Answers revealed

76
PBQhard

You are connected to R1. Configure IPv4 and IPv6 addressing on interfaces G0/0 and G0/1 so that R1 can reach R2's loopback0 (198.51.100.1/32) and R2 can reach R1's loopback0 (203.0.113.1/32). The current configuration has a wrong subnet mask on R1 G0/0 and a missing default gateway on R2, causing reachability failures. Additionally, configure IPv6 using EUI-64 on R1 G0/1 and static IPv6 on R2 G0/1 to enable IPv6 ping between the two routers. All devices are routers.

Network Topology
G0/010.0.0.1/30G0/010.0.0.2/30linkG0/1192.168.1.1/24linkR1R2R2 (G0/1 192.168.2.1/24)

Hints

  • Check the subnet mask on R1 G0/0: it does not match R2's /30.
  • R2 has no route to reach R1's loopback or the 192.168.1.0/24 network; it needs a default gateway.
  • R2's IPv6 address is on a different subnet (2001:db8:2::/64) than R1's (2001:db8:1::/64); they must be on the same subnet.
A.On R1 G0/0, change subnet mask to 255.255.255.252; on R2, add ip route 0.0.0.0 0.0.0.0 10.0.0.1; for IPv6, on R2 G0/1 change address to 2001:db8:1::2/64.
B.On R1 G0/0, change subnet mask to 255.255.255.0; on R2, add ip route 0.0.0.0 0.0.0.0 10.0.0.1; for IPv6, on R2 G0/1 change address to 2001:db8:1::2/64.
C.On R1 G0/0, change subnet mask to 255.255.255.252; on R2, add ip route 0.0.0.0 0.0.0.0 10.0.0.2; for IPv6, on R2 G0/1 change address to 2001:db8:2::2/64.
D.On R1 G0/0, change subnet mask to 255.255.255.252; on R2, add ip route 0.0.0.0 0.0.0.0 10.0.0.1; for IPv6, on R2 G0/1 change address to 2001:db8:1::2/64 and on R1 G0/1 use static IPv6 instead of EUI-64.
AnswerA
solution
! R1
interface GigabitEthernet0/0
ip address 10.0.0.1 255.255.255.252
exit
interface GigabitEthernet0/1
ipv6 address 2001:db8:1::/64 eui-64
exit

! R2
interface GigabitEthernet0/1
ip address 192.168.1.2 255.255.255.0
ipv6 address 2001:db8:1::2/64
exit
ip route 0.0.0.0 0.0.0.0 10.0.0.1

Why this answer

The primary IPv4 issues are a subnet mask mismatch on the point-to-point link and a missing default gateway on R2. On R1 G0/0, the mask is /24 instead of /30; while both routers can reach each other directly, the mismatched subnet mask causes routing inconsistencies because R1 advertises the link as a /24, potentially affecting routing decisions. Fixing the mask to /30 ensures both routers agree on the subnet.

R2 lacks a route to R1's loopback and the 192.168.1.0/24 network, so a default route via 10.0.0.1 resolves reachability. For IPv6, R1 G0/1 uses EUI-64, and R2 G0/1 must be on the same subnet (2001:db8:1::/64); R2's address was incorrectly set to 2001:db8:2::2/64, so changing it to 2001:db8:1::2/64 enables IPv6 ping.

Exam trap

Watch for subnet mask mismatches on point-to-point links; both ends must use the same mask. Also, ensure default routes point to the correct next-hop IP (the neighbor's interface IP). For IPv6, both interfaces must be on the same subnet to communicate directly.

Why the other options are wrong

B

The subnet mask on R1 G0/0 should be /30 to match R2, not /24.

C

The default gateway must be the neighbor's IP address, and IPv6 subnets must match for direct communication.

D

The requirement states EUI-64 on R1 G0/1, so static is not allowed.

77
PBQmedium

You are connected to R1 via the console. R1 is a new router that needs to be configured with a hostname, an encrypted privileged password 'cisco123', and a banner message 'Unauthorized access prohibited'. Additionally, SSH must be enabled for remote management using a domain name 'example.com' and a key size of 1024. The management interface is G0/0 with IP 192.168.1.1/24.

Network Topology
G0/0192.168.1.1/24linkR1management network

Hints

  • Set the hostname first, as it affects the RSA key generation.
  • The banner message must be delimited by a character not in the message.
  • SSH requires a domain name and RSA key pair.
A.hostname R1 enable secret cisco123 banner motd #Unauthorized access prohibited# ip domain-name example.com crypto key generate rsa modulus 1024 line vty 0 4 transport input ssh login local interface g0/0 ip address 192.168.1.1 255.255.255.0 no shutdown
B.hostname R1 enable password cisco123 banner motd #Unauthorized access prohibited# ip domain-name example.com crypto key generate rsa modulus 1024 line vty 0 4 transport input ssh password cisco123 login interface g0/0 ip address 192.168.1.1 255.255.255.0 no shutdown
C.hostname R1 enable secret cisco123 banner motd #Unauthorized access prohibited# ip domain-name example.com crypto key generate rsa modulus 1024 line vty 0 4 transport input ssh password cisco123 login local interface g0/0 ip address 192.168.1.1 255.255.255.0 no shutdown
D.hostname R1 enable secret cisco123 banner motd #Unauthorized access prohibited# ip domain-name example.com crypto key generate rsa modulus 1024 line vty 0 4 transport input ssh login local username admin secret cisco123 interface g0/0 ip address 192.168.1.1 255.255.255.0 no shutdown
AnswerA
solution
! R1
hostname R1
enable secret cisco123
banner motd $ Unauthorized access prohibited $
ip domain-name example.com
crypto key generate rsa modulus 1024
line vty 0 4
transport input ssh
login local

Why this answer

Configuring hostname, enable secret, and banner sets basic identity and security. Generating RSA keys with a domain name enables SSH; then VTY lines are restricted to SSH only.

Exam trap

Watch out for the difference between 'enable password' and 'enable secret' – only 'enable secret' encrypts the password. Also, remember that SSH requires a domain name and RSA keys generated before configuring VTY lines. Do not add unnecessary commands like creating a local username unless explicitly required.

Why the other options are wrong

B

The specific factual error: 'enable password' does not encrypt the password; 'login' without 'local' allows any password to work if set, but does not use local user database.

C

The specific factual error: 'login local' requires a local username database, but no username is configured; the VTY password is unnecessary and misleading.

D

The specific factual error: The question does not require creating a local username; adding one is extraneous and could be considered incorrect in a PBQ where only the specified steps are needed.

78
Matchingmedium

Drag and drop the cable types on the left to the correct maximum distance or connector type on the right. PAIRS: Cat5e → 100 meters (max distance) Cat6a → 100 meters (max distance) Single-mode fiber → LC connector Multimode fiber (OM3) → 300 meters (max distance at 10 Gbps) Coaxial cable (RG-6) → F-type connector

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

100 meters (max distance)

100 meters (max distance)

LC connector

550 meters (max distance at 10 Gbps)

F-type connector

Why these pairings

These pairings correctly match cable types to their typical maximum distances or connector types. OM3 multimode fiber supports 300 meters at 10 Gbps, not 550 meters (OM4 supports 550 meters). Single-mode fiber typically uses LC connectors, and RG-6 coaxial cable uses F-type connectors.

Exam trap

Be careful not to confuse the distance limits of single-mode and multi-mode fiber. Single-mode fiber supports much longer distances (kilometers) than multi-mode fiber (hundreds of meters). Also, remember that coaxial cables use BNC connectors, not RJ-45.

79
PBQhard

You are connected to R1. Configure the G0/0 interface to match the speed (100 Mbps) and duplex (full) of the connected switch port, then diagnose and fix an auto-negotiation failure that has caused excessive CRC errors. Finally, select and replace the SFP module on G0/0 with one that supports a 5 km fiber link, using the correct cable type.

Hints

  • Check the current SFP status with 'show interfaces gigabitethernet 0/0 transceiver'.
  • The switch port is configured with speed 100 and duplex full; mismatch causes protocol down.
  • For 5 km, you need a single-mode SFP (1000BASE-LX) and single-mode fiber (SMF).
A.Set speed 100, duplex full; replace SFP with 1000BASE-LX; use single-mode fiber (SMF).
B.Set speed 100, duplex half; replace SFP with 1000BASE-SX; use multimode fiber (MMF).
C.Set speed 1000, duplex full; replace SFP with 1000BASE-LX; use single-mode fiber (SMF).
D.Set no speed, no duplex (auto); replace SFP with 1000BASE-LX; use single-mode fiber (SMF).
AnswerA
solution
! R1
configure terminal
interface gigabitethernet 0/0
speed 100
duplex full
no shutdown
end
copy running-config startup-config

Why this answer

The interface is up but line protocol is down, indicating a layer 1 issue. The switch port is manually set to 100 Mbps/full duplex, but R1 is using auto-negotiation, causing a mismatch. First, set the speed to 100 and duplex to full on G0/0.

The CRC errors may appear later if cabling is faulty; for a 5 km fiber link, you need a 1000BASE-LX SFP (single-mode) and single-mode fiber (SMF). Verify the SFP is recognized and the link comes up.

Exam trap

A common trap is to assume auto-negotiation will work when one side is manually configured, or to confuse SFP types (SX vs LX) and fiber types (MMF vs SMF). Always verify that speed and duplex match on both ends, and choose the SFP based on distance and fiber type.

Why the other options are wrong

B

The specific factual error: Duplex must match the switch (full), and 1000BASE-SX cannot reach 5 km.

C

The specific factual error: Speed must match the switch port's configured speed (100 Mbps), not auto-negotiate to 1000 Mbps.

D

The specific factual error: Auto-negotiation cannot match a manually configured port; both sides must be manually set or both use auto-negotiation.

80
PBQhard

You are connected to the WLC via its management IP 192.168.10.10. A new corporate SSID 'SecureCorp' must be configured for WPA3-Personal with PSK 'Cisco123' on the 5 GHz radio only. The SSID should be broadcast. The WLAN must be mapped to interface 'corp_vlan' (VLAN 100). After configuration, a wireless client reports it cannot see or connect to the SSID. Troubleshoot and resolve the client's association failure.

Network Topology
192.168.10.50192.168.10.50APWLCClient

Hints

  • The client cannot see the SSID in its Wi-Fi list — check broadcast setting.
  • All other WLAN parameters are correct; only one setting prevents discovery.
  • Use the 'broadcast-ssid' command under the WLAN configuration.
A.Enable SSID broadcast for the SecureCorp WLAN.
B.Change the security mode to WPA2-Personal with the same PSK.
C.Reconfigure the WLAN to use interface 'management' instead of 'corp_vlan'.
D.Disable the 5 GHz radio and enable the 2.4 GHz radio for the SecureCorp WLAN.
AnswerA
solution
! WLC
config wlan 1
broadcast-ssid
end

Why this answer

The client cannot see the SSID because SSID broadcast is disabled. The SSID is configured to be broadcast, but the actual setting is off. To resolve, enable SSID broadcast on the WLAN.

The security and VLAN settings are correct. Enabling broadcast allows the client to discover the network without manual entry.

Exam trap

Do not confuse SSID visibility issues with security or VLAN misconfigurations. A hidden SSID prevents discovery; the client must either manually configure the SSID or the administrator must enable broadcast. Always check the broadcast setting first when a client cannot see a WLAN.

Why the other options are wrong

B

The specific factual error is that the security mode does not affect SSID visibility; the problem is the broadcast setting.

C

The specific factual error is that interface mapping controls VLAN assignment for traffic, not SSID broadcast.

D

The specific factual error is that radio band selection does not affect SSID broadcast; the hidden SSID prevents discovery on any band.

81
MCQhard

A network engineer notices that users in VLAN 10 report intermittent connectivity and slow file transfers to a server on the same switch. The engineer issues the show interfaces fa0/1 command on the switch port connected to the server and observes a high number of runts, input errors, and CRC errors, while output errors are minimal. The interface configuration shows speed 100 and duplex full.

A.The server NIC is set to 10 Mbps half-duplex, causing a speed mismatch.
B.The server NIC is auto-negotiating to 100 Mbps half-duplex, resulting in a duplex mismatch.
C.The cable connecting the server to the switch is faulty, introducing excessive noise.
D.The switch port is configured with an incorrect native VLAN, causing duplex negotiation issues.
AnswerB

With the switch forced to full-duplex and the server using auto-negotiation, the server defaults to half-duplex. The duplex mismatch leads to collisions on the half-duplex side, generating runts, CRC errors, and input errors on the switch port.

Why this answer

Option B is correct because the symptoms—high runts, input errors, and CRC errors with minimal output errors—are classic indicators of a duplex mismatch. When the switch port is hardcoded to 100 Mbps full-duplex and the server NIC auto-negotiates to 100 Mbps half-duplex (a common fallback when one side is manually set), collisions occur on the full-duplex side, corrupting frames and causing input errors. The speed matches (both 100 Mbps), so the issue is purely duplex-related.

Exam trap

Cisco often tests the misconception that speed and duplex mismatches always occur together; the trap here is that a duplex mismatch can exist even when speed matches, and the error pattern (high input errors, low output errors) specifically points to duplex, not cabling or VLAN issues.

Why the other options are wrong

A

Misconception that speed mismatch produces specific error counters; in reality, incompatible speeds cause link failure, not runts and CRC errors.

C

Misconception that CRC errors alone point to a bad cable; duplex mismatch is one of the most common causes of runts and CRC errors on forced-full interfaces.

D

Misconception that a VLAN mismatch can trigger interface errors; these errors are purely physical/data-link layer phenomena unrelated to VLAN settings.

82
Multi-Selecthard

Which two statements accurately compare IPv4 private addresses and public addresses?

Select 2 answers
A.Private IPv4 addresses are not directly Internet-routable.
B.Public IPv4 addresses are intended to be globally unique and routable.
C.Private IPv4 addresses always require OSPF to function inside a LAN.
D.Public IPv4 addresses cannot exist on Internet-facing devices.
E.Private and public IPv4 addresses are both automatically translated by ARP.
AnswersA, B

This is correct because RFC 1918 private ranges are intended for internal use and are not routed on the public Internet.

Why this answer

Private IPv4 addresses are intended for internal use and are not directly routable on the public Internet. In plain language, they are designed for use inside organizations, homes, and other local environments without consuming globally unique public space. Public addresses, by contrast, are intended to be unique and routable across the Internet. This is one of the main reasons NAT became so common in IPv4 environments.

CCNA questions often test this distinction because learners sometimes confuse “valid inside a LAN” with “routable everywhere.” Private addressing is extremely useful, but it does not eliminate the need for translation or public addressing when reaching the Internet. The two correct statements are the ones that preserve that basic separation between internal-use ranges and globally routable address space.

Exam trap

Be careful not to confuse the routability of private addresses with their validity within a LAN. Private addresses need NAT for Internet access.

Why the other options are wrong

C

Private IPv4 addresses do not require OSPF or any specific routing protocol to function inside a LAN; they can operate with static routes or any dynamic routing protocol. OSPF is just one option and is not mandatory.

D

Public IPv4 addresses are specifically used on Internet-facing devices to enable global reachability. Without public addresses, devices would not be directly accessible from the Internet.

E

ARP (Address Resolution Protocol) resolves IP addresses to MAC addresses on a local network segment and does not perform any translation between private and public addresses. NAT (Network Address Translation) handles that translation.

83
PBQmedium

You are connected to the console of R1. The network uses IPv6 with EUI-64. R1's GigabitEthernet0/0 has MAC address 0011.2233.4455. You need to configure an IPv6 address on this interface using the prefix 2001:db8:1:1::/64 with EUI-64, and ensure the interface is operational.

Network Topology
G0/0LANR1Hosts

Hints

  • The command uses 'ipv6 address' with the 'eui-64' keyword.
  • EUI-64 automatically generates the interface ID from the MAC address.
  • Verify the full IPv6 address with the link-local and global addresses.
A.ipv6 address 2001:db8:1:1:0011:22ff:fe33:4455/64 eui-64
B.ipv6 address 2001:db8:1:1::/64 eui-64
C.ipv6 address 2001:db8:1:1:0211:22ff:fe33:4455/64
D.ipv6 address 2001:db8:1:1::/64 eui-64 0011.2233.4455
AnswerB
solution
! R1
interface GigabitEthernet0/0
ipv6 address 2001:db8:1:1::/64 eui-64

Why this answer

Option B uses the correct syntax 'ipv6 address 2001:db8:1:1::/64 eui-64', which configures the prefix and derives the interface ID automatically from the MAC address via EUI-64. Option A is invalid because specifying the full 128-bit address with the eui-64 keyword is not allowed; the eui-64 keyword requires only a prefix. Option C omits the eui-64 keyword, so it configures a static address without using EUI-64, which would not match the requirement to use EUI-64.

Option D appends the MAC address after the eui-64 keyword, which is invalid syntax; the eui-64 keyword does not accept an explicit MAC address.

Exam trap

Remember that the 'ipv6 address ... eui-64' command automatically derives the interface ID from the MAC address. Do not manually calculate the EUI-64 address or include the MAC address in the command. Also, ensure you include the 'eui-64' keyword; without it, the command expects a full 128-bit address.

Why the other options are wrong

A

Invalid syntax: the eui-64 keyword cannot be used with a full 128-bit address; it requires only a prefix.

C

Missing the eui-64 keyword, so the interface would be configured with a static address rather than deriving the interface ID from the MAC.

D

Invalid syntax: the eui-64 keyword does not accept an explicit MAC address as an argument.

84
Multi-Selectmedium

Which TWO statements are correct regarding Protocol Data Units (PDUs) and data encapsulation in the OSI model?

Select 2 answers
A.The PDU at the Transport layer is called a frame.
B.Data is encapsulated with a TCP header at the Transport layer to form a segment.
C.The Network layer PDU is the packet, which includes the IP header.
D.The Data Link layer adds a header and trailer to create a bit.
E.Encapsulation occurs as data moves up the OSI layers from Physical to Application.
AnswersB, C

The Transport layer adds a TCP header (or UDP header) to the data from upper layers, creating a segment (or datagram). This is a correct description of encapsulation.

Why this answer

Option B is correct because at the Transport layer, the TCP protocol adds a TCP header to the payload data, forming a segment. This encapsulation process is fundamental to reliable data delivery, as the TCP header includes source and destination ports, sequence numbers, and acknowledgment numbers for connection-oriented communication.

Exam trap

Cisco often tests the direction of encapsulation (down the stack) versus de-encapsulation (up the stack), and the specific PDU names at each layer, to catch candidates who confuse these fundamental concepts.

Why the other options are wrong

A

This statement incorrectly identifies the Transport layer PDU; it is actually a segment or datagram, while a frame is at Layer 2.

D

Bits are created at the Physical layer, not the Data Link layer; the Data Link layer creates frames.

E

This describes decapsulation, not encapsulation. Encapsulation occurs when moving down the OSI model stack.

85
Multi-Selectmedium

Which TWO statements accurately describe the responsibilities of the OSI model's Transport layer?

Select 2 answers
A.It provides logical addressing and routing to determine the best path for data.
B.It segments data from the upper layers and manages end-to-end flow control.
C.It converts data into electrical signals for transmission over the physical medium.
D.It provides reliable or unreliable delivery of data between applications on different hosts.
E.It encapsulates data into frames and adds source and destination MAC addresses.
AnswersB, D

The Transport layer segments data into smaller units and can use flow control mechanisms (e.g., TCP's windowing) to prevent overwhelming the receiver.

Why this answer

Option B is correct because the Transport layer (Layer 4) segments data from upper layers and manages end-to-end flow control using mechanisms like TCP's sliding window to prevent overwhelming a slow receiver. Option D is correct because the Transport layer provides either reliable delivery (TCP) or unreliable delivery (UDP) between applications on different hosts, ensuring data reaches the appropriate application via port numbers. Option A is incorrect because logical addressing and routing are functions of the Network layer (Layer 3).

Option C is incorrect because converting data into electrical signals is the responsibility of the Physical layer (Layer 1). Option E is incorrect because encapsulating data into frames with MAC addresses is a function of the Data Link layer (Layer 2).

Exam trap

Cisco often tests the distinction between Transport layer flow control (end-to-end) and Network layer congestion control (path-based), leading candidates to confuse Layer 4 segmentation with Layer 3 routing functions.

Why the other options are wrong

A

Logical addressing and routing are Network layer (Layer 3) functions, not Transport layer responsibilities.

C

Converting data into electrical signals is the Physical layer (Layer 1) function, not Transport layer.

E

Encapsulation into frames with MAC addresses is a Data Link layer (Layer 2) function, not Transport layer.

86
MCQmedium

A network engineer is troubleshooting a connectivity issue between two hosts on different subnets. The sending host has constructed a packet with a destination IP address of 192.168.2.10. As the packet travels down the OSI model layers on the sending host, which Protocol Data Unit (PDU) name is assigned to the data at the Transport layer after TCP segments are created, and at which layer does the IP address get encapsulated?

A.PDU is a frame; IP address is added at the Data Link layer.
B.PDU is a segment; IP address is added at the Network layer.
C.PDU is a packet; IP address is added at the Transport layer.
D.PDU is a datagram; IP address is added at the Transport layer.
AnswerB

TCP segments are formed at the Transport layer, and the IP address is encapsulated at the Network layer when creating the packet.

Why this answer

At the Transport layer, TCP divides data into segments, so the PDU is called a segment, making B correct. The destination IP address (192.168.2.10) is added at the Network layer, where the IP header encapsulates the segment into a packet. Option A is wrong because a frame is a Data Link layer PDU, and IP addresses are not added at that layer.

Option C is wrong because the PDU at the Transport layer is a segment, not a packet, and IP addresses are added at the Network layer, not the Transport layer. Option D is wrong because 'datagram' typically refers to UDP’s Transport layer PDU (not TCP), and IP addresses are not added at the Transport layer.

Exam trap

Cisco often tests the precise PDU naming per layer (segment for TCP at Transport, packet for IP at Network) and the layer where IP addresses are added, tricking candidates who confuse 'packet' with 'segment' or think IP addresses are added at the Transport layer.

Why the other options are wrong

A

The PDU at the Transport layer is a segment, not a frame. Frames are the PDU at the Data Link layer (Layer 2). Additionally, IP addresses are added at the Network layer (Layer 3), not the Data Link layer.

C

A packet is the PDU at the Network layer (Layer 3), not the Transport layer. The IP address is added at the Network layer, not the Transport layer. The Transport layer PDU is a segment (for TCP) or a datagram (for UDP).

D

A datagram is the PDU for UDP at the Transport layer, but the question specifies TCP segments. Even if it were UDP, the IP address is still added at the Network layer, not the Transport layer.

87
Multi-Selectmedium

Which TWO statements accurately describe cabling and SFP transceiver diagnostics?

Select 2 answers
A.Copper SFP modules require Cat6a cabling to achieve a 100-meter reach.
B.Fiber SFP modules are typically identified by the 'GLC-T' or 'SFP-GE-T' product IDs.
C.The 'show interfaces transceiver' command displays optical power levels for both Tx and Rx on fiber SFPs.
D.The 'show cable-diagnostics tdr interface' command can measure the distance to a break in a fiber optic cable.
E.A multimode fiber SFP with LC connectors is commonly used for short-reach connections up to 550 meters.
AnswersC, E

This command provides real-time transceiver diagnostics, including transmit power, receive power, temperature, voltage, and bias current. It is valid for fiber SFP modules that support digital optical monitoring (DOM).

Why this answer

Option C is correct because the 'show interfaces transceiver' command on Cisco IOS devices displays detailed operational data for SFP modules, including optical power levels for both transmit (Tx) and receive (Rx) on fiber SFPs. This output is critical for verifying that the optical signal is within the specified thresholds to ensure proper link operation.

Exam trap

Cisco often tests the distinction between copper and fiber SFP product IDs (e.g., 'GLC-T' is copper, not fiber) and the correct diagnostic commands for each media type, leading candidates to confuse TDR (copper) with fiber optical power monitoring.

Why the other options are wrong

A

The statement incorrectly mandates Cat6a cabling, whereas Cat5e and Cat6 also support the full 100-meter distance for 1000BASE-T.

B

This mixes up part number naming conventions; GLC-T and SFP-GE-T always indicate copper transceivers, not fiber.

D

TDR relies on electrical signals and impedance changes; it cannot function on fiber optics.

88
PBQhard

You are connected to R1. The network administrator has partially configured IPv4 and IPv6 on the interfaces. However, PC1 (connected to R1's G0/1) cannot reach PC2 (connected to R2's G0/1). Configure R1 and R2 so that PC1 can ping PC2. Fix any addressing errors. Use IPv4 subnet 192.0.2.0/30 for the link between R1 and R2, and 198.51.100.0/24 for the PC LANs. For IPv6, use 2001:db8:1::/64 on R1's G0/1 and 2001:db8:2::/64 on R2's G0/1, with R1's G0/1 using EUI-64 and R2's G0/1 using a static address 2001:db8:2::1/64.

Hints

  • Check the subnet mask on the link between R1 and R2.
  • IPv6 EUI-64 requires the interface to be up and unicast-routing enabled.
  • Ensure both routers have routes to each other's LANs.
A.On R1, change the subnet mask on G0/0 from /24 to /30. On R1 G0/1, issue 'ipv6 address 2001:db8:1::/64 eui-64' and 'no shutdown'. Enable 'ipv6 unicast-routing' globally on both routers.
B.On R1, change the subnet mask on G0/0 from /24 to /30. On R1 G0/1, issue 'ipv6 address 2001:db8:1::/64 eui-64' and 'no shutdown'. No need to enable IPv6 unicast-routing because it is on by default.
C.On R1, change the subnet mask on G0/0 from /24 to /30. On R1 G0/1, issue 'ipv6 address 2001:db8:1::/64' (without eui-64) and 'no shutdown'. Enable 'ipv6 unicast-routing' globally on both routers.
D.On R1, change the subnet mask on G0/0 from /24 to /30. On R1 G0/1, issue 'ipv6 address 2001:db8:1::/64 eui-64' and 'no shutdown'. Enable 'ipv6 unicast-routing' globally on both routers. Also, change the default gateway on PC1 to 2001:db8:1::1.
AnswerA
solution
! R1
interface GigabitEthernet0/0
ip address 192.0.2.1 255.255.255.252
exit
interface GigabitEthernet0/1
ipv6 address 2001:db8:1::/64 eui-64
no shutdown
exit
ipv6 unicast-routing

! R2

Why this answer

The issue is a subnet mask mismatch on the link between R1 and R2: R1 uses /24 (255.255.255.0) while R2 uses /30 (255.255.255.252). This prevents R1 from having a route to R2's LAN. Fix R1's G0/0 mask to /30.

Additionally, R1's G0/1 IPv6 EUI-64 command is missing the interface identifier; the correct command is 'ipv6 address 2001:db8:1::/64 eui-64' but the interface must be enabled with 'no shutdown'. Also ensure IPv6 unicast-routing is enabled. The PCs have correct gateways.

Exam trap

Watch for subnet mask mismatches on point-to-point links; they break routing. Also, remember that IPv6 unicast-routing is disabled by default and must be enabled. EUI-64 requires the 'eui-64' keyword and generates an address based on MAC, not a static ::1.

Why the other options are wrong

B

The specific factual error is that IPv6 unicast-routing is disabled by default on Cisco routers.

C

The specific factual error is that the command without 'eui-64' assigns a static address, not an EUI-64 address.

D

The specific factual error is assuming the EUI-64 address ends with ::1, which is not guaranteed.

89
Drag & Dropmedium

Drag and drop the following steps into the correct order to isolate and resolve interface CRC errors, duplex mismatches, and flapping on a Cisco IOS-XE switch.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4

Why this order

Start with checking statistics to identify issues, then verify duplex and cable, replace hardware if needed, and finally confirm resolution.

Exam trap

Candidates often jump to hardware replacement or configuration changes without first gathering data. Always start with 'show interface' statistics to pinpoint the issue before taking corrective action.

90
MCQhard

A network technician is troubleshooting a link between two Cisco switches, SW1 and SW2, connected via a single-mode fiber optic cable. The interface on SW1 is up/up, but the interface on SW2 remains down/down. The technician has verified that the fiber cable is not damaged and that the SFP modules are correctly seated. Which configuration change should the technician make to resolve the issue?

A.Configure the interface on SW2 to use the same speed and duplex settings as SW1.
B.Replace the 1000BaseSX SFP on SW2 with a 1000BaseLX SFP.
C.Enable MDIX on both interfaces to allow automatic crossover detection.
D.Change the VLAN assignment on SW2's interface to match that of SW1.
AnswerB

The SFP types do not match—SW1 is LX (single-mode) and SW2 is SX (multimode). Using a consistent LX SFP on both ends ensures proper communication over single-mode fiber.

Why this answer

The issue is that SW1 is up/up but SW2 is down/down, indicating a unidirectional link. Since the fiber cable and SFP seating are verified, the most likely cause is an SFP wavelength mismatch. SW1 likely has a 1000BaseLX SFP (long-wavelength, single-mode), while SW2 has a 1000BaseSX SFP (short-wavelength, multimode).

Single-mode fiber requires LX optics; SX optics are designed for multimode fiber and will not produce a signal that can be received correctly over single-mode fiber, causing the remote interface to remain down. Replacing the 1000BaseSX SFP on SW2 with a 1000BaseLX SFP resolves the wavelength incompatibility.

Exam trap

Cisco often tests the misconception that fiber link issues are always due to physical damage or seating, when in fact the most common exam trap is an SFP type mismatch (SX vs. LX) on single-mode fiber, causing a unidirectional link.

Why the other options are wrong

A

On fiber optic links, speed and duplex are typically fixed (e.g., 1000 Mbps full duplex) and do not require manual configuration; auto-negotiation is standard for Gigabit Ethernet over fiber. Since the interface on SW1 is up/up, the settings are already compatible, so this change would not resolve the down/down state on SW2.

C

MDIX (Medium Dependent Interface Crossover) is a feature for copper Ethernet cables to automatically correct for straight-through vs. crossover cable issues. Fiber optic connections do not use MDIX because they use separate transmit and receive fibers, so enabling MDIX has no effect on fiber links.

D

A VLAN mismatch would cause the interface to be up/up but not forward traffic (Layer 2 issue), not the down/down state observed. The down/down state indicates a Layer 1 problem, such as a physical or optical incompatibility.

91
MCQhard

A subnet must support at least 62 usable hosts. Which prefix will create the smallest subnet that meets the requirement?

A./27
B./26
C./25
D./24
AnswerB

This is correct because a /26 provides 64 total addresses and 62 usable hosts.

Why this answer

To support at least 62 usable hosts, the subnet needs 64 total addresses, because two of those will be reserved for the network and broadcast addresses. In plain language, the target is not 62 total addresses; it is 62 usable ones after the two reserved values are taken away. A /26 provides exactly 64 total addresses and therefore 62 usable host addresses.

This is a classic minimum-prefix question because it checks whether you can convert a host requirement into the correct power-of-two subnet size without over-allocating unnecessarily. A /27 would be too small, while /25 would work but would waste more addresses than needed. The smallest valid prefix is /26.

Exam trap

Ensure you calculate usable hosts, not total addresses. Remember that network and broadcast addresses are not usable.

Why the other options are wrong

A

A /27 prefix provides only 32 total addresses (2^(32-27)=32), with 30 usable hosts after subtracting network and broadcast addresses. This is insufficient for the requirement of at least 62 usable hosts.

C

A /25 prefix provides 128 total addresses and 126 usable hosts, which is more than required. While it meets the requirement, it is not the smallest prefix, leading to wasted IP addresses in a subnet.

D

A /24 prefix provides 256 total addresses and 254 usable hosts, far exceeding the requirement of 62 usable hosts. This is not the smallest prefix and results in significant waste of IP address space.

92
Matchingmedium

Match each IPv6 concept to its most accurate description.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

IPv6 addressing used for wider routed communication

IPv6 addressing used only on the local segment

Host self-configuration using router advertisements

OSPF version used for IPv6 routing operation

Why these pairings

These pairings accurately define key IPv6 concepts.

Exam trap

Be careful not to confuse the scope of IPv6 address types. Link-local addresses are not routable, unique local addresses are private, and anycast is one-to-nearest, not one-to-many. Remember that 'local' in link-local means the link, not the site.

93
Multi-Selectmedium

Which TWO statements accurately describe the encapsulation process and PDU naming across the OSI and TCP/IP models?

Select 2 answers
A.At the Transport layer, the TCP/IP model uses segments, while the OSI model uses packets.
B.In the OSI model, the Network layer encapsulates data into packets, while in the TCP/IP model the Internet layer performs the same function.
C.The term 'frame' is used at the Data Link layer in both the OSI and TCP/IP models, and it contains the Layer 2 header and trailer.
D.Encapsulation adds headers and trailers at each layer, so the PDU size decreases as data moves down the stack.
E.The OSI model's Session layer is responsible for end-to-end flow control using TCP segments, while the TCP/IP model combines this into the Application layer.
AnswersB, C

Both the OSI Network layer (Layer 3) and TCP/IP Internet layer produce packets (IP packets/datagrams) by adding a Layer 3 header.

Why this answer

Option B is correct because the OSI Network layer and the TCP/IP Internet layer both encapsulate transport layer segments or datagrams into packets by adding a Layer 3 header (e.g., IP header). This is the fundamental encapsulation step where logical addressing is applied, and the resulting PDU is called a packet in both models. The function is identical despite the different layer names.

Exam trap

Cisco often tests the precise PDU naming per layer (segment, packet, frame) and the fact that encapsulation increases PDU size, not decreases it, to catch candidates who confuse the direction of encapsulation or mix up OSI and TCP/IP layer terminology.

Why the other options are wrong

A

Misattributes the 'packet' PDU to the Transport layer – packets are created at the Network layer (Layer 3).

D

Reverses encapsulation logic: each layer adds its own overhead, increasing the size.

E

Incorrectly assigns flow control to the Session layer and misrepresents its placement in the TCP/IP model.

94
PBQmedium

You are connected to the console of SW1. The network administrator reports that SW1 cannot discover neighbouring devices using CDP. SW1 is connected to R1 via GigabitEthernet0/1. CDP is globally enabled, but still no neighbours are shown.

Network Topology
G0/1G0/0SW1R1

Hints

  • CDP is enabled globally but may be disabled per interface.
  • Check the CDP status on the specific interface.
  • Enable CDP on the interface with the 'cdp enable' command.
A.Enable CDP on interface GigabitEthernet0/1 with the command 'cdp enable'.
B.Enable CDP globally with the command 'cdp run'.
C.Use the command 'lldp run' to enable LLDP as an alternative.
D.Check the physical cable and interface status on GigabitEthernet0/1.
AnswerA
solution
! SW1
interface GigabitEthernet0/1
cdp enable

Why this answer

CDP was globally enabled but the interface GigabitEthernet0/1 had CDP disabled by default (or was explicitly disabled). Enabling CDP on the interface allowed neighbour discovery.

Exam trap

The trap is that candidates often think CDP is either globally enabled or disabled, forgetting that CDP must be enabled on each interface individually. Always check interface-level CDP configuration when global CDP is enabled but no neighbors are discovered.

Why the other options are wrong

B

The specific factual error is that 'cdp run' enables CDP globally, but global CDP is already enabled.

C

The specific factual error is that LLDP is a different protocol and does not affect CDP operation.

D

The specific factual error is that physical issues would likely cause the interface to be down, but the question does not indicate any physical problem.

95
Multi-Selectmedium

Which two statements accurately describe ARP in an IPv4 Ethernet network?

Select 2 answers
A.ARP resolves a known IPv4 address to a MAC address on the local segment.
B.ARP is used to choose the best Layer 3 path across multiple routers.
C.ARP requests are typically sent as broadcasts on the local LAN.
D.ARP can normally resolve the MAC address of a host located across a routed network.
E.ARP replaces the need for a default gateway.
AnswersA, C

This is correct because ARP is used to discover the Layer 2 MAC address associated with a known IPv4 address on the local network.

Why this answer

ARP is the mechanism used to map a known IPv4 address to a Layer 2 MAC address on the local network segment. In plain language, if a device knows the IP address it wants to reach on the same LAN, ARP helps it discover the correct Ethernet destination MAC address to use in the frame. That is why ARP is so important for local delivery in IPv4 Ethernet environments. Without it, devices would know where they want to send traffic logically, but not how to address the actual frame on the local link.

ARP does not cross routers in the usual way, and it is not a routing protocol. It does not determine best paths to remote networks. It simply helps with local resolution of IPv4-to-MAC information. This distinction matters a lot on CCNA questions because many wrong answers try to blur the line between local neighbor resolution and routing behavior.

Exam trap

Do not confuse ARP with routing protocols or assume it functions across routers. Remember, ARP is strictly for local address resolution.

Why the other options are wrong

B

ARP operates at Layer 2 and is only concerned with resolving IP addresses to MAC addresses on the local link. Path selection between routers is performed by routing protocols (e.g., OSPF, EIGRP) and the routing table, which operate at Layer 3.

D

ARP requests are broadcast only within the local subnet and are not forwarded by routers. To reach a host on a different subnet, the source host must send the packet to its default gateway, which then uses its own ARP process to resolve the next-hop MAC.

E

ARP does not replace the default gateway; it only resolves the MAC address of the gateway or other local hosts. The default gateway is still required for routing traffic to other subnets, as ARP cannot provide Layer 3 forwarding.

96
PBQhard

You are connected to the console of R1. The network uses IPv6 and you need to configure an IPv6 address on interface G0/0 using the EUI-64 format. The subnet is 2001:db8:acad:1::/64. The interface MAC address is 0011.2233.4455. After configuration, verify that the full IPv6 address is correct.

Hints

  • EUI-64 automatically generates the interface ID from the MAC address.
  • The subnet prefix is /64, so the interface ID is 64 bits.
  • The MAC address 0011.2233.4455 will become 0211.22FF.FE33.4455.
A.ipv6 address 2001:db8:acad:1:0211:22ff:fe33:4455/64
B.ipv6 address 2001:db8:acad:1:0011:22ff:fe33:4455/64
C.ipv6 address 2001:db8:acad:1:0011:2233:4455/64
D.ipv6 address 2001:db8:acad:1:0211:2233:4455/64
AnswerA
solution
! R1
interface GigabitEthernet0/0
no shutdown
ipv6 address 2001:db8:acad:1::/64 eui-64

Why this answer

The EUI-64 method inserts FFFE in the middle of the MAC and flips the U/L bit. With the given MAC, the resulting interface ID is 0211:22FF:FE33:4455, forming the full IPv6 address.

Exam trap

Remember that EUI-64 requires both inserting FFFE and flipping the U/L bit. A common mistake is to do only one of these steps or to use the MAC address directly. Always verify the seventh bit of the first byte is flipped (0x00 becomes 0x02, 0x01 becomes 0x03, etc.).

Why the other options are wrong

B

The U/L bit was not flipped; the interface ID starts with 0011 instead of 0211.

C

The FFFE insertion is missing; the interface ID is just the MAC address written in IPv6 format.

D

FFFE is missing; only the U/L bit flip was applied.

97
Multi-Selectmedium

Which three of the following are functions of the Dynamic Host Configuration Protocol (DHCP) in a network? (Choose three.)

Select 3 answers
.Assigning IP addresses to hosts automatically from a defined pool.
.Providing the default gateway and DNS server information to clients.
.Leasing IP addresses for a configurable period of time.
.Resolving domain names to IP addresses for client devices.
.Authenticating users before granting network access.
.Translating private IP addresses to public IP addresses for internet access.

Why this answer

DHCP automates IP address assignment from a defined pool, eliminating manual configuration. It also provides essential network parameters like the default gateway and DNS server via DHCP options (e.g., Option 3 for router, Option 6 for DNS). Additionally, DHCP leases IP addresses for a configurable period, after which the client must renew the lease to continue using the address.

Exam trap

Cisco often tests the distinction between DHCP providing DNS server information (correct) and DHCP performing DNS resolution (incorrect), as candidates confuse the roles of DHCP and DNS.

98
PBQmedium

You are connected to the console of R1. R1 is a new router that needs to be configured for remote management. The network administrator wants to enable SSH for secure access with a local user 'admin' and password 'cisco123'. The router already has an IP address 192.168.1.1/24 on GigabitEthernet0/0 and the interface is up.

Network Topology
G0/0192.168.1.1/24192.168.1.100/24linkR1Management host

Hints

  • SSH requires a hostname and domain name.
  • RSA key pairs must be generated for encryption.
  • The VTY lines must be configured to accept SSH connections.
A.Enable SSH by configuring a hostname, domain name, generating RSA keys, creating local user 'admin' with password 'cisco123', and configuring VTY lines for SSH transport.
B.Enable SSH by configuring a hostname, generating RSA keys, creating local user 'admin' with password 'cisco123', and configuring VTY lines for SSH transport. No domain name is needed.
C.Enable SSH by configuring a hostname, domain name, generating RSA keys, creating local user 'admin' with password 'cisco123', and configuring VTY lines for Telnet transport.
D.Enable SSH by configuring a hostname, domain name, generating RSA keys, creating local user 'admin' with password 'cisco123', and configuring VTY lines with 'login local' and 'transport input ssh'. No further configuration is needed.
AnswerD
solution
! R1
ip domain-name example.com
crypto key generate rsa
username admin secret cisco123
line vty 0 4
transport input ssh

Why this answer

To enable SSH with local authentication, the router requires a unique hostname, an IP domain name, RSA keys, a local username/password, and VTY lines configured with both 'transport input ssh' and 'login local'. Option D correctly includes all these elements, while the others omit critical steps like 'login local' or the domain name, or use Telnet instead of SSH.

Exam trap

Trap: Candidates often forget the domain name requirement or confuse 'transport input ssh' with 'login local'. Remember: both are needed on VTY lines for SSH with local authentication.

Why the other options are wrong

A

Missing the 'login local' command on VTY lines, so local authentication will not work.

B

Lacks an IP domain name, which is necessary to generate RSA keys for SSH.

C

Configures VTY lines for Telnet ('transport input telnet'), not SSH, failing the remote management requirement.

99
MCQhard

A technician is troubleshooting a dual-stack network where an IPv6-only host cannot reach an IPv4 resource. The technician issues the show ipv6 interface brief command on the local router and notices the interface facing the host has a link-local address but no global unicast address. The technician then checks the running configuration and finds that the command ipv6 unicast-routing is missing. What is the most likely cause?

A.An IPv6 access list on the router is blocking Router Advertisement messages.
B.IPv6 unicast routing has not been enabled on the router.
C.The IPv4 resource is not configured for NAT64 translation.
D.The host has an incorrect default gateway for IPv6.
AnswerB

The ipv6 unicast-routing command is required to enable IPv6 forwarding on Cisco routers. Without it, the router does not participate in IPv6 routing, does not generate Router Advertisements, and interfaces will not obtain global unicast addresses through SLAAC or DHCPv6 relay. The show ipv6 interface output displaying only a link-local address, combined with the absence of ipv6 unicast-routing in the configuration, confirms this root cause.

Why this answer

The missing `ipv6 unicast-routing` command means the router is not acting as an IPv6 router, so it does not send Router Advertisement (RA) messages. Without RAs, the host cannot autoconfigure a global unicast address or learn a default gateway, breaking IPv6 connectivity to any IPv4 resource even if NAT64 is present.

Exam trap

Cisco often tests the misconception that configuring an IPv6 address on an interface is sufficient for IPv6 routing, when in fact the global `ipv6 unicast-routing` command is required to enable the router to forward IPv6 packets and send Router Advertisements.

Why the other options are wrong

A

This option focuses on a filtering issue, not the disabled routing engine, and would not cause the router’s own interface to lack a global unicast address.

C

NAT64 configuration would affect translation, but the root cause visible in the output is the lack of IPv6 routing capability on the router.

D

This shifts the blame to the host, but the router-side evidence (missing command and missing global unicast) clearly indicates a router configuration problem.

100
Multi-Selectmedium

Which TWO commands or tools would a network engineer use to verify if a client has a duplicate IP address conflict on the local subnet?

Select 1 answer
A.ipconfig /all
B.arp -a
C.nslookup
D.ping
E.tracert
AnswersB

This command displays the ARP cache, which maps IP addresses to MAC addresses. If a duplicate IP exists, the ARP cache may show two different MAC addresses for the same IP address, indicating a conflict.

Why this answer

The `arp -a` command displays the local ARP cache, which maps IP addresses to MAC addresses. If a duplicate IP exists on the subnet, the ARP cache may show inconsistent or rapidly changing MAC-to-IP mappings, and the local host may receive duplicate address detection messages, indicating a conflict. Other commands like `ipconfig`, `ping`, `nslookup`, and `tracert` do not directly reveal ARP-level conflicts.

Exam trap

Cisco often tests the misconception that `ipconfig /all` can detect duplicate IPs, but it only shows local configuration, not network-level conflicts, while `arp -a` is the correct tool to inspect the ARP table for anomalies.

Why the other options are wrong

A

`ipconfig /all` shows only the local IP configuration, not whether the same IP is assigned to another host.

C

`nslookup` resolves domain names to IP addresses and is unrelated to local IP conflicts.

D

`ping` tests connectivity but cannot identify duplicate IPs, as a reply does not guarantee the IP is unique.

E

`tracert` traces the path to a remote host, irrelevant for detecting local subnet duplicate IPs.

101
MCQeasy

Which medium is the most common choice for a 10G uplink between wiring closets on different floors of the same building?

A.Rollover cable
B.Fiber optic cable
C.Coaxial cable
D.Console cable
AnswerB

Correct. Fiber is the standard uplink choice here.

Why this answer

Fiber is commonly used for building uplinks because it supports higher bandwidth and longer distances than typical copper for this use case.

Exam trap

Don't confuse the capabilities of multimode fiber with single-mode fiber for long-distance, high-speed connections.

Why the other options are wrong

A

A rollover cable is a specialized Cisco console cable used for out-of-band management access to a device's console port, not for network data traffic. It cannot carry 10G Ethernet signals and is physically incompatible with Ethernet interfaces.

C

Coaxial cable (e.g., RG-6) is primarily used for cable TV, broadband internet (DOCSIS), or legacy Ethernet (10BASE2/10BASE5), but it does not support 10G Ethernet speeds over the distances required between floors in a modern enterprise network. Fiber or twisted-pair copper (Cat6a/Cat7) are the standard 10G media.

D

A console cable (typically a rollover or USB-to-serial cable) is used for initial device configuration and management access, not for carrying network traffic. It cannot support 10G data rates and is not designed for switch-to-switch uplinks.

102
MCQhard

A switch unexpectedly blocks a link toward the distribution layer. Gi1/0/24 shows a path cost of 4 while Gi1/0/23 shows a path cost of 19. Why did interface Gi1/0/24 become the root port instead of Gi1/0/23?

A.Gi1/0/24 has a lower port number, so STP always prefers it first.
B.STP prefers interfaces with the highest path cost to reduce loops.
C.Gi1/0/23 is blocked because alternate ports are always chosen over root ports.
D.has a lower root path cost to the root bridge
AnswerD

Correct. The root path cost is the primary determinant for root port selection; lower cost wins, which is why Gi1/0/24 (cost 4) is preferred over Gi1/0/23 (cost 19).

Why this answer

Spanning Tree chooses a root port by looking for the best path toward the root bridge. In this case, Gi1/0/24 shows a cost of 4, while Gi1/0/23 shows a cost of 19. Lower cost is better, so Gi1/0/24 is selected as the root port and moves into forwarding.

Gi1/0/23 becomes an alternate port and is placed into a blocking state to prevent a loop. STP compares root path cost first; only if the cost is tied does it move on to tie-breakers like sender bridge ID and port ID. The lower cost on Gi1/0/24 explains why that port won the root-port election.

Exam trap

Remember that STP prioritizes root path cost over other factors like port numbers or bridge IDs unless there's a tie.

Why the other options are wrong

A

STP does not use port number as the primary criterion; it is only a tie-breaker when path cost, bridge ID, and sender bridge ID are all equal. Here, the path costs differ, so port number is irrelevant.

B

STP is designed to select the path with the lowest total cost to the root bridge, not the highest. Choosing a higher-cost path would increase latency and waste bandwidth.

C

The root port is the forwarding port toward the root bridge, while the alternate port is a blocked backup. The alternate port is not chosen over the root port; it only becomes active if the root port fails.

103
MCQmedium

A network administrator is configuring a new Windows workstation on a small office network that uses IPv4 addressing. The workstation must be able to communicate with devices on other subnets and resolve hostnames via a company DNS server at 10.10.10.5. The administrator has already set the IP address to 10.10.10.10 and the subnet mask to 255.255.255.0. Which additional parameter must be configured to meet both requirements?

A.Configure a default gateway of 10.10.10.1 and a DNS server of 10.10.10.5.
B.Configure only a DNS server of 10.10.10.5.
C.Change the subnet mask to 255.255.0.0 to allow communication across subnets.
D.Configure a default gateway of 10.10.20.1 and a DNS server of 10.10.10.5.
AnswerA

This provides both the default gateway for routing to other subnets and the DNS server for name resolution.

Why this answer

To communicate with devices on other subnets, the workstation needs a default gateway (router) to forward traffic beyond its local subnet. The IP address 10.10.10.10 with subnet mask 255.255.255.0 places it in the 10.10.10.0/24 network, so a default gateway (e.g., 10.10.10.1) is required for inter-subnet routing. Additionally, to resolve hostnames, the DNS server address must be explicitly configured; the company DNS server is at 10.10.10.5.

Option A correctly provides both parameters.

Exam trap

Cisco often tests the requirement that a default gateway must be on the same subnet as the host; the trap here is that candidates may think a DNS server alone suffices for inter-subnet communication, or they may incorrectly assume changing the subnet mask can replace a router, or they may choose a gateway on a different subnet without realizing it is unreachable.

Why the other options are wrong

B

Without a default gateway, the workstation cannot send packets to destinations outside its own subnet (10.10.10.0/24). The DNS server alone only provides name resolution, not routing to other subnets.

C

Changing the subnet mask to 255.255.0.0 would expand the broadcast domain and could cause routing problems, but it does not provide a path to other subnets. The workstation still needs a default gateway to communicate with devices outside its local network.

D

The default gateway 10.10.20.1 is not on the same subnet as the workstation (10.10.10.0/24). For a host to reach its default gateway, the gateway must be directly reachable on the local subnet. Since 10.10.20.1 is on a different subnet, the workstation cannot send traffic to it.

104
Multi-Selectmedium

Drag and drop the following steps into the correct order to describe the TCP three-way handshake between a client and a server.

Select 3 answers
A.Client sends SYN to server
B.Server sends SYN-ACK to client
C.Client sends ACK to server
D.Server sends ACK to client
AnswersA, B, C

This is the first step of the TCP three-way handshake. The client initiates the connection by sending a SYN (synchronize) segment to the server, indicating its initial sequence number and requesting a connection.

Why this answer

The TCP three-way handshake starts with the client initiating the connection by sending a SYN, followed by the server acknowledging with SYN-ACK, and finally the client confirming with an ACK. This sequence establishes a reliable connection before data transfer.

Exam trap

Do not confuse the order of the handshake. The server never sends a standalone ACK; its ACK is always combined with its SYN. Also, remember that the client sends the first SYN, not the server.

Why the other options are wrong

D

The server's acknowledgment is already included in the SYN-ACK segment; sending a separate ACK would be an extra step not defined in the TCP specification.

105
MCQeasy

At which OSI layer do routers make forwarding decisions based on logical addressing?

A.Layer 1
B.Layer 2
C.Layer 3
D.Layer 4
AnswerC

Correct. Layer 3 is the network layer.

Why this answer

Routers operate at the network layer when making forwarding decisions based on logical Layer 3 addresses such as IPv4 or IPv6 destination addresses.

Exam trap

Don't confuse the roles of routers and switches. Remember that routers use logical addressing (IP addresses) at Layer 3, while switches use physical addressing (MAC addresses) at Layer 2.

Why the other options are wrong

A

Layer 1 (Physical layer) deals with the physical transmission of bits over media, such as cables or radio frequencies. Routers do not make forwarding decisions at this layer; they only handle electrical or optical signals.

B

Layer 2 (Data Link layer) uses MAC addresses for switching within the same network segment. Routers, however, forward packets based on Layer 3 logical addresses, not MAC addresses, which are only used for next-hop delivery.

D

Layer 4 (Transport layer) handles end-to-end communication, segmentation, and flow control using protocols like TCP and UDP. Routers do not use Layer 4 information for forwarding decisions; they only examine Layer 3 headers.

106
Drag & Dropmedium

Drag and drop the following troubleshooting steps into the correct order to isolate CRC errors, duplex mismatches, and flapping on a Cisco IOS-XE interface.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4

Why this order

First, gather data with show commands to identify the errors (CRC, duplex, flapping). Then apply configuration changes to resolve the issue. Next, clear interface counters to reset statistics and create a clean baseline.

Finally, monitor interface statistics to verify that the errors are no longer occurring.

Exam trap

Do not confuse the order of clearing counters and verifying. Clear counters after applying the fix, not before, to get a clean baseline for verification. Also, always gather data before making changes.

107
MCQhard

A subnet uses the prefix /22. How many usable host addresses are available?

A.254
B.510
C.1022
D.2046
AnswerC

This is correct because a /22 has 1024 total addresses and 1022 usable hosts.

Why this answer

A /22 leaves 10 host bits available. In plain language, that means each subnet contains 2^10, or 1024, total addresses. Two of those are reserved for the network and broadcast addresses in normal IPv4 subnetting, leaving 1022 usable host addresses.

This is a common subnet-capacity calculation. The safest method is to calculate the total address count from the number of host bits and then subtract the two reserved addresses. That leads directly to the correct usable-host value.

Exam trap

Remember to subtract the network and broadcast addresses from the total number of addresses to find the usable host count.

Why the other options are wrong

A

A /24 prefix provides 256 total addresses (2^(32-24)=256), with 254 usable host addresses after subtracting the network and broadcast addresses. This does not match the /22 prefix in the question.

B

A /23 prefix provides 512 total addresses (2^(32-23)=512), with 510 usable host addresses. This is half the total addresses of a /22, so it is incorrect for the given prefix.

D

A /21 prefix provides 2048 total addresses (2^(32-21)=2048), with 2046 usable host addresses. This is double the total addresses of a /22, so it is incorrect for the given prefix.

108
Matchingeasy

Match each IP service or protocol to its most accurate purpose.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Automatically provides IP configuration to clients

Resolves hostnames into IP information

Maps a local IPv4 address to a MAC address

Synchronizes device clocks

Why these pairings

DHCP automatically assigns IP addresses and other network parameters to clients. DNS translates domain names into IP addresses. ARP resolves a local IPv4 address to a MAC address on the same subnet.

NTP synchronizes device clocks over a network. These four protocols are correctly matched to their primary purposes.

Exam trap

Be careful not to confuse protocols that work together. For example, DNS is often used by HTTP and SMTP, but each protocol has a distinct primary function. Focus on the core purpose of each protocol as defined in the OSI model.

109
MCQhard

A network administrator is troubleshooting slow file transfers between two servers in different access-layer switches. The administrator runs the 'show interface' command on the uplink connecting the two switches and notices a high number of CRC errors on both ends, but a high number of late collisions on only one interface; the other interface reports no late collisions.

A.Duplex mismatch: the interface with late collisions is half-duplex while the other end is full-duplex. Configure both ends to auto-negotiate speed and duplex.
B.Speed mismatch: one interface is set to 100 Mbps, the other to 1 Gbps. This causes frequent link flaps, resulting in CRC errors. Use the 'speed' command to match the rates.
C.Faulty Ethernet cable causing signal degradation, which leads to CRC errors. The late collisions are a result of the switch misdetecting collisions due to the degraded signal. Replace the cable.
D.A broadcast storm caused by a loop is flooding the uplink with frames, leading to CRC errors and late collisions as the switch discards excess traffic. Enable Spanning Tree Protocol to block the redundant path.
AnswerA

Late collisions only occur on half-duplex Ethernet when multiple stations attempt to transmit simultaneously. When one end is full-duplex, the half-duplex end perceives any overlapping transmission as a collision, producing late collisions and CRC errors. Auto-negotiation correctly sets both ends to full-duplex when supported, fixing the problem.

Why this answer

A is correct because a duplex mismatch causes one interface to operate in half-duplex (detecting late collisions due to CSMA/CD) while the other operates in full-duplex (no collisions). The half-duplex interface waits for the carrier sense before transmitting, but the full-duplex interface transmits immediately, causing the half-duplex side to detect collisions after the transmission window (late collisions). CRC errors occur on both ends because frames are corrupted when collisions happen.

Configuring both ends to auto-negotiate ensures matching duplex and speed, resolving the issue.

Exam trap

Cisco often tests the distinction between CRC errors (which can have multiple causes like cable faults or duplex mismatch) and late collisions (which are a definitive indicator of a duplex mismatch), leading candidates to incorrectly attribute CRC errors alone to a cable issue.

Why the other options are wrong

B

Confuses speed mismatch (which prevents link establishment) with duplex mismatch (which allows the link to come up but causes errors and late collisions).

C

Assumes all interface errors are cable-related and overlooks the characteristic late-collision signature of duplex mismatch.

D

Misinterprets high utilization as a source of physical-layer errors and ignores the diagnostic value of asymmetric late collisions.

110
Drag & Dropmedium

Drag and drop the following steps into the correct order to describe the data encapsulation process as it flows down the OSI model from the source host.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

Encapsulation proceeds from the top OSI layers to the bottom. First, the application generates data (Step 1). The Transport layer then adds a header (TCP or UDP) to create a segment (Step 2) because this is the first step in preparing data for reliable delivery.

The Network layer adds an IP header to form a packet (Step 3), which provides logical addressing and routing information. The Data Link layer adds a frame header and trailer to create a frame (Step 4), enabling physical addressing (MAC) and error detection. Finally, the Physical layer converts the frame to bits for transmission (Step 5), as it is the layer that ultimately puts signals on the wire.

111
Multi-Selectmedium

Which two statements accurately describe IPv6 link-local addresses?

Select 2 answers
A.They are used for communication on the local segment only.
B.They are globally routable across the Internet.
C.They are commonly involved in local IPv6 neighbor interactions.
D.They exist only when DHCPv6 fails.
E.They replace the need for any default gateway logic.
AnswersA, C

This is correct because link-local addresses are intended for local-link communication.

Why this answer

IPv6 link-local addresses are designed for communication on the local segment only. In plain language, they allow devices to talk to nearby neighbors without needing globally routable addresses. They play an important role in IPv6 functions such as Neighbor Discovery and are commonly used when hosts communicate with the default gateway on the same link. These addresses are normal and expected in IPv6 environments.

They are not globally Internet-routable, and they are not just emergency fallbacks for DHCPv6 failure. The two correct answers are the ones that preserve their local-link purpose and their importance in standard IPv6 behavior rather than treating them as optional or globally reachable.

Exam trap

Remember that link-local addresses are not routable and are not a fallback for DHCPv6. They are essential for local communications.

Why the other options are wrong

B

Link-local addresses have a scope of link-local (fe80::/10) and are not forwarded by routers, making them non-routable across the Internet. They are intended only for communication on a single network segment.

D

Link-local addresses are automatically generated on all IPv6 interfaces regardless of DHCPv6. They are a mandatory part of IPv6 operation, not a fallback mechanism.

E

For off-link communication, IPv6 hosts still require a default gateway (usually a router's link-local address) to forward packets beyond the local segment. Link-local addresses do not eliminate the need for routing logic.

112
MCQeasy

Which field in an IPv4 packet is primarily used to prevent packets from looping forever in the network?

A.Version
B.Header checksum
C.Time to Live
D.Protocol
AnswerC

TTL is the loop-prevention field.

Why this answer

Each router decrements the TTL field by one. When TTL reaches zero, the packet is discarded. That mechanism prevents indefinite looping.

Exam trap

Remember that TTL is about lifespan and loop prevention, not error checking or addressing.

Why the other options are wrong

A

The Version field (4 bits) indicates the IP version (e.g., IPv4 or IPv6) and has no role in loop prevention. It is used by routers to interpret the packet header correctly.

B

The Header Checksum field detects errors in the IPv4 header only; it does not limit packet forwarding or prevent loops. If corrupted, the packet is discarded, but this does not stop looping.

D

The Protocol field identifies the next-level protocol (e.g., TCP, UDP, ICMP) carried in the payload. It has no impact on packet forwarding or loop prevention.

113
Multi-Selectmedium

Which two statements accurately describe the relationship between a network address and a broadcast address in IPv4 subnetting?

Select 2 answers
A.The network address is the first address in the subnet block.
B.The broadcast address is the last address in the subnet block.
C.Both addresses are normal host addresses that can be assigned to users.
D.The broadcast address always becomes the default gateway.
E.These concepts exist only in IPv6 and not IPv4.
AnswersA, B

This is correct because the network address marks the beginning of the subnet.

Why this answer

The network address identifies the beginning of the subnet block, and the broadcast address identifies the final address in that block. In practical terms, both are reserved and are not assigned to ordinary hosts. The usable host range falls between them.

This is a very basic subnetting truth, but it is foundational for every other addressing calculation.

Exam trap

Be cautious not to confuse the roles of network and broadcast addresses with usable host addresses.

Why the other options are wrong

C

Both the network address and broadcast address are reserved addresses within a subnet and cannot be assigned to hosts. The network address identifies the subnet itself, and the broadcast address is used for one-to-all communication. Assigning them to hosts would cause conflicts.

D

The default gateway is typically the IP address of a router interface on the subnet, which is a normal host address within the usable range. The broadcast address is the last address in the subnet and is reserved for broadcasting; it cannot be used as a gateway.

E

Network and broadcast addresses are fundamental to IPv4 subnetting and are defined in IPv4 standards. IPv6 does not use broadcast addresses; instead, it uses multicast and anycast. Therefore, stating these concepts exist only in IPv6 is factually incorrect.

114
Multi-Selectmedium

Which TWO commands can a network technician use on a modern Linux host to verify the IP address configuration and test reachability to a remote server?

Select 2 answers
A.ip addr
B.ifconfig
C.tracert
D.ping
E.nslookup
AnswersA, D

The `ip addr` command is the modern Linux utility to display all network interfaces and their assigned IP addresses, MAC addresses, and status.

Why this answer

The `ip addr` command (option A) is the modern Linux utility for displaying IP address configuration, replacing the deprecated `ifconfig`. The `ping` command (option D) uses ICMP Echo Request/Reply messages to test Layer 3 reachability to a remote server. `ifconfig` (option B) is deprecated and not expected for current certification exams; `tracert` (option C) is a Windows command; `nslookup` (option E) performs DNS lookups but does not verify IP configuration or connectivity.

Exam trap

Cisco often tests the distinction between Windows and Linux commands, so the trap here is that candidates may mistakenly select `tracert` (a Windows command) instead of recognizing that the Linux equivalent is `traceroute`, or they may choose `ifconfig` without knowing it is deprecated in favor of `ip addr`.

Why the other options are wrong

B

Although `ifconfig` can still display IP settings, it is a deprecated legacy command and the question expects the modern `ip addr` from the iproute2 suite.

C

`tracert` is the Windows traceroute utility; the Linux command is `traceroute`.

E

`nslookup` is a DNS troubleshooting tool and cannot verify interface IP configuration or test basic reachability like `ping`.

115
MCQmedium

Which command enables IPv6 routing on a Cisco router?

A.ipv6 unicast-routing
B.ipv6 enable
C.ip routing ipv6
D.ipv6 route enable
AnswerA

Correct. This is the required global command.

Why this answer

The global configuration command 'ipv6 unicast-routing' enables IPv6 forwarding on a Cisco router. 'ipv6 enable' is an interface-level command used to enable IPv6 on a specific interface, not globally. 'ip routing ipv6' and 'ipv6 route enable' are syntactically invalid commands that do not exist in Cisco IOS.

Exam trap

Be careful not to confuse interface-specific commands with global routing commands. Remember that enabling IPv6 globally requires a specific command.

Why the other options are wrong

B

'ipv6 enable' is an interface command, not a global command to enable IPv6 routing.

C

'ip routing ipv6' is not a valid Cisco IOS command.

D

'ipv6 route enable' is not a valid Cisco IOS command.

116
MCQeasy

A host sends traffic to a web server on another subnet. Which address is used as the destination MAC address in the first Ethernet frame sent by the host?

A.The MAC address of the remote web server
B.The MAC address of the local default gateway
C.The MAC address of the DNS server
D.The broadcast MAC address
AnswerB

Correct. The default gateway is the Layer 2 next hop for remote destinations.

Why this answer

When a host wants to communicate with a device on a different subnet, it cannot reach that device directly. The host must send the frame to its default gateway, which is the router that connects to other subnets. Therefore, the destination MAC address in the first Ethernet frame is the MAC address of the local default gateway, not the remote web server (A).

The DNS server (C) is used for name resolution, not for forwarding traffic. The broadcast MAC address (D) would send the frame to all devices on the local subnet, which is not appropriate for unicast communication to a remote destination.

Exam trap

Remember that the destination MAC address for remote communication is the default gateway's, not the remote host's.

Why the other options are wrong

A

The MAC address of the remote web server is not used because the remote host is on a different subnet and cannot be reached directly at Layer 2.

C

The DNS server is used for domain name resolution, not for forwarding data frames to remote subnets.

D

The broadcast MAC address would send the frame to all devices on the local subnet, which is incorrect for unicast traffic to a remote destination.

117
Multi-Selectmedium

Which TWO interface issues can be identified by analyzing the output of the 'show interfaces' command?

Select 2 answers
A.Duplex mismatch
B.Routing protocol misconfiguration
C.Speed mismatch
D.VLAN mismatch
E.STP topology change
AnswersA, C

The 'show interfaces' output shows late collisions, CRC errors, or input errors that are often caused by a duplex mismatch between two connected devices.

Why this answer

The 'show interfaces' command displays interface statistics and operational status, including duplex and speed settings. A duplex mismatch occurs when one end of a link is set to full-duplex and the other to half-duplex, leading to collisions and CRC errors visible in the output. Speed mismatch is also detectable because the interface will show the negotiated speed or errors like 'input errors' if the speeds do not match.

Exam trap

Cisco often tests that 'show interfaces' reveals physical-layer issues like duplex and speed mismatches, but candidates mistakenly think it also shows Layer 2 or Layer 3 problems such as VLAN or routing misconfigurations.

Why the other options are wrong

B

Routing protocol misconfiguration is a Layer 3 issue that does not manifest in the 'show interfaces' output, which focuses on Layer 1 and Layer 2 interface statistics. To diagnose routing issues, you would use commands like 'show ip route' or 'show ip protocols'.

D

A VLAN mismatch is a Layer 2 issue that does not appear in the 'show interfaces' output; it is diagnosed using 'show vlan' or 'show interfaces trunk'. The 'show interfaces' command shows physical and data link layer statistics, not VLAN membership.

E

STP topology changes are not directly visible in 'show interfaces'; they are monitored using 'show spanning-tree' or 'debug spanning-tree events'. The 'show interfaces' command does not provide information about spanning-tree state changes.

118
PBQhard

You are connected via the console to R1, a new Cisco ISR 4321 router. The network team requires that all routers be reachable via SSH for management. R1's management interface is GigabitEthernet0/0 with IP 192.168.1.1/24. You need to configure SSH on R1, including a hostname, domain name, RSA key pair of 1024 bits, local user 'admin' with secret 'cisco123', and enable SSH version 2. Additionally, configure the vty lines to accept only SSH connections and use local authentication.

Network Topology
G0/0192.168.1.1/24linkR1Management Network

Hints

  • You need to set hostname and domain name before generating RSA keys.
  • Use 'crypto key generate rsa modulus 1024' to create the key pair.
  • Configure vty lines to only allow SSH and use local authentication.
A.R1(config)# hostname R1 R1(config)# ip domain-name example.com R1(config)# crypto key generate rsa modulus 1024 R1(config)# username admin secret cisco123 R1(config)# ip ssh version 2 R1(config)# line vty 0 4 R1(config-line)# transport input ssh R1(config-line)# login local
B.R1(config)# hostname R1 R1(config)# ip domain-name example.com R1(config)# crypto key generate rsa general-keys modulus 1024 R1(config)# username admin password cisco123 R1(config)# ip ssh version 2 R1(config)# line vty 0 4 R1(config-line)# transport input ssh telnet R1(config-line)# login local
C.R1(config)# hostname R1 R1(config)# ip domain-name example.com R1(config)# crypto key generate rsa modulus 1024 R1(config)# username admin secret cisco123 R1(config)# ip ssh version 2 R1(config)# line vty 0 4 R1(config-line)# transport input all R1(config-line)# login local
D.R1(config)# hostname R1 R1(config)# ip domain-name example.com R1(config)# crypto key generate rsa modulus 1024 R1(config)# username admin secret cisco123 R1(config)# ip ssh version 2 R1(config)# line vty 0 4 R1(config-line)# transport input ssh R1(config-line)# password cisco123 R1(config-line)# login
AnswerA
solution
! R1
hostname R1
ip domain-name example.com
crypto key generate rsa modulus 1024
username admin secret cisco123
line vty 0 4
transport input ssh
login local

Why this answer

SSH configuration requires a hostname, domain name, RSA key pair, local username, and vty line settings. The command sequence ensures SSH version 2 is used and only SSH connections are accepted on the vty lines.

Exam trap

Watch for subtle differences: 'username secret' vs 'username password', 'transport input ssh' vs 'transport input all' or 'transport input ssh telnet', and 'login local' vs 'login'. Also ensure the hostname and domain name are set before generating RSA keys.

Why the other options are wrong

B

Using 'password' instead of 'secret' stores the password in plaintext; allowing Telnet alongside SSH does not restrict to SSH only.

C

'transport input all' permits Telnet and other protocols, which is not restrictive enough.

D

Using 'password' and 'login' on vty lines enables password-only authentication, not local user authentication.

119
Matchingeasy

Match the data format to its most accurate characteristic.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Lightweight format commonly used by REST APIs

Markup-style format that uses opening and closing tags

Human-friendly format that relies heavily on indentation

Simple tabular format with comma-separated values

Why these pairings

JSON is lightweight and key-value based, XML uses tags and attributes, YAML relies on indentation, CSV is for tabular data, Protobuf is a binary schema-driven format, and HTML is for web page structure.

Exam trap

Avoid confusing the characteristics of different data formats. Remember that JSON uses key-value pairs, XML uses tags, YAML uses indentation, CSV is tabular, Protobuf is binary, and HTML is for web structure.

120
Drag & Dropmedium

Drag and drop the steps into the correct order to generate an IPv6 EUI-64 address from a MAC address.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4

Why this order

Start by obtaining the MAC address and splitting it into two 24‑bit halves (OUI and NIC portions). Insert FFFE in the middle to create a 64‑bit interface identifier. Flip the U/L bit (7th bit) of the first byte, then combine the identifier with the IPv6 prefix (e.g., FE80::/10 for link‑local) to form the complete address.

Exam trap

Students often forget to flip the U/L bit or perform the steps in the wrong order. Remember: MAC → split → insert FFFE → flip U/L bit → combine with prefix.

121
Matchingmedium

Drag and drop the wireless LAN terms on the left to the correct descriptions on the right.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Operates only in 5 GHz band; uses 80/160 MHz channels

Introduces OFDMA and works in both 2.4 and 5 GHz bands

Uses SAE for stronger authentication than WPA2

Network name broadcast by access points

Primary concern in 2.4 GHz band; channels 1, 6, 11 are non-overlapping

Typically via HTTPS, SSH, or console for configuration

Why these pairings

802.11ac (Wi-Fi 5) operates exclusively in the 5 GHz band and uses wide channels (80/160 MHz) for high throughput. 802.11ax (Wi-Fi 6) introduces OFDMA for efficiency and supports both 2.4 GHz and 5 GHz. WPA3 enhances security with Simultaneous Authentication of Equals (SAE), replacing WPA2's Pre-Shared Key (PSK) to resist brute-force attacks. The SSID is the human-readable network name broadcast by access points.

Channel overlap is a critical issue in the 2.4 GHz band because only three channels (1, 6, 11) are non-overlapping. WLC management interfaces commonly use HTTPS, SSH, or console for secure configuration.

Exam trap

Do not assume 802.11ax operates only in 5 GHz; it works in both bands, unlike 802.11ac which is 5 GHz only.

122
MCQhard

A wireless client associates to an AP and successfully authenticates to the correct SSID, but it does not obtain an IP address. The WLC is running in local mode. What should the technician do next?

A.Check the DHCP server to ensure it has available leases.
B.Verify the AP’s operating channel for interference.
C.Verify the VLAN mapping on the WLC for the client’s WLAN.
D.Verify the WPA3 PSK on the client.
AnswerC

In local mode, the WLC bridges client traffic to a specified VLAN. An incorrect or missing VLAN ID prevents the DHCP discovery from reaching the DHCP server. This step directly confirms whether the client’s traffic is placed on the correct subnet.

Why this answer

Option C is correct because when a wireless client authenticates to the SSID but fails to obtain an IP address, the most likely cause is a VLAN mapping mismatch on the WLC. In local mode, the WLC maps the WLAN to a specific VLAN (via the interface or VLAN tag), and if that VLAN does not have a DHCP relay or is not trunked to the correct switch, the client's DHCP requests will never reach the DHCP server. This is a common Layer 2 connectivity issue that prevents IP address assignment even though authentication succeeds.

Exam trap

Cisco often tests the misconception that DHCP issues are always server-side (Option A), when in reality the WLC's VLAN-to-interface mapping is a critical Layer 2 configuration that must be verified first in a wireless context.

Why the other options are wrong

A

Troubleshooting at Layer 3 (IP) before verifying Layer 2 (VLAN) connectivity skips a fundamental step in the OSI model.

B

Confuses a Layer 1 problem with a Layer 2/3 problem. The client’s association proves the RF link is functional.

D

This investigates a condition that has already been ruled out (authentication succeeded) and does not address the IP assignment failure.

123
PBQhard

You are connected to R1. The connection between R1 and R2 is experiencing intermittent failures. Troubleshoot the interface G0/0 on R1 to identify and resolve the issue so that the link becomes stable and operational.

Network Topology
G0/010.0.0.1/30G0/010.0.0.2/30linkR1R2

Hints

  • Look at the line protocol status for any unusual keywords.
  • Check the running-config for any interface-specific commands related to testing.
  • The loopback command creates a loop condition; it must be removed.
A.Enter interface configuration mode for G0/0 and issue the 'no loopback' command.
B.Enter interface configuration mode for G0/0 and issue the 'no shutdown' command.
C.Enter interface configuration mode for G0/0 and issue the 'speed 100' command to force 100 Mbps.
D.Enter interface configuration mode for G0/0 and issue the 'no keepalive' command.
AnswerA
solution
! R1
interface gigabitEthernet 0/0
no loopback

Why this answer

The interface shows '(looped)' in the line status, indicating a layer 1 loop (likely a cable loopback) or a misconfigured loopback test. The interface is physically up and line protocol is up, but the loop condition prevents normal data flow. To fix this, you must remove the loopback test with 'no loopback' on the interface, then verify the interface recovers to 'up, line protocol is up' without the loop indication.

Exam trap

Watch for the '(looped)' keyword in the interface status. It is a specific indicator of a loopback test, not a general loop or cable issue. Do not confuse it with other interface problems like speed/duplex mismatch or administrative shutdown.

Why the other options are wrong

B

The interface is not administratively down; 'no shutdown' would have no effect on a loop condition.

C

The problem is a loopback test, not a speed/duplex mismatch. Changing speed may cause additional problems.

D

Keepalives are used to detect link failures; disabling them would not resolve a loopback test and could mask real issues.

124
MCQhard

A branch office needs four subnets from the 192.168.50.0/24 network, with each subnet supporting up to 50 hosts. Which prefix length should be used for each subnet?

A./25
B./26
C./27
D./28
AnswerB

Correct. /26 gives four equal subnets and 62 usable addresses each.

Why this answer

Each subnet must support at least 50 hosts, so /26 is the smallest suitable prefix because it provides 62 usable addresses. A /24 can be split into exactly four /26 subnets.

Exam trap

A frequent exam trap is selecting a subnet mask that provides enough hosts but not enough subnets, or vice versa. For instance, choosing /25 seems tempting because it supports 126 hosts, which exceeds the 50-host requirement. However, /25 only creates two subnets from a /24, which fails the requirement for four subnets.

Another trap is picking /27, which creates enough subnets but only supports 30 hosts, insufficient for 50 hosts per subnet. Candidates must carefully balance subnet count and host capacity to avoid these pitfalls.

Why the other options are wrong

A

/25 provides 126 usable hosts per subnet, which is more than enough for 50 hosts, but it only creates two subnets from a /24 network. Since four subnets are required, /25 is insufficient for subnet count.

C

/27 creates eight subnets from a /24, which is enough subnets, but each subnet only supports 30 usable hosts. This is less than the required 50 hosts, so /27 is not suitable.

D

/28 creates sixteen subnets but only supports 14 usable hosts per subnet, which is far below the 50-host requirement. Therefore, /28 is not a valid option.

125
Multi-Selectmedium

Which TWO of the following are valid interpretations of errors seen in the output of the 'show interface' command?

Select 2 answers
A.CRC errors indicate that frames were received with an invalid checksum, often due to cabling issues.
B.Runts are frames that are larger than the maximum allowed size.
C.Giants are frames that are smaller than 64 bytes.
D.Input errors include runts, giants, CRC errors, and frame errors.
E.Flaps indicate that the interface is physically disconnected.
AnswersA, D

CRC errors occur when the cyclic redundancy check fails, indicating data corruption. This is commonly caused by faulty or noisy cabling.

Why this answer

CRC errors (option A) indicate frames with an invalid checksum, often due to cabling issues, which is correct. Option D is also correct: 'Input errors' is a cumulative counter that includes runts, giants, CRC errors, and frame errors. Option B is wrong because runts are frames smaller than 64 bytes, not larger.

Option C is wrong because giants are frames larger than the maximum allowed size (typically 1518 bytes), not smaller than 64 bytes. Option E is wrong because 'flaps' refer to an interface going up and down repeatedly, not necessarily physically disconnected; it could be due to duplex mismatch or other reasons.

Exam trap

Cisco often tests the exact byte thresholds for runts (less than 64 bytes) and giants (greater than 1518 bytes), and candidates frequently reverse these values or confuse them with other error types.

Why the other options are wrong

B

Runts are frames smaller than 64 bytes, not larger than the maximum size.

C

Giants are frames larger than the maximum allowed size (typically 1518 bytes), not smaller than 64 bytes.

E

Flaps indicate an interface repeatedly transitioning between up and down states, not necessarily a physical disconnection.

126
Matchingmedium

Match each basic IPv4 concept to its most accurate role.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Defines network versus host portions of the address

Next hop used for off-subnet traffic

Address used to reach all hosts in the local broadcast domain

Address identifying an individual device in the subnet

Why these pairings

The subnet mask is a 32-bit value that distinguishes the network portion from the host portion of an IPv4 address, enabling devices to determine their subnet membership. The default gateway is the IP address of the local router, which serves as the next hop for traffic destined to subnets outside the local network. The broadcast address, typically the highest address in a subnet, is used to send a single packet to all hosts within the same broadcast domain.

A host address is a unique IP assigned to a single device's interface within a subnet, allowing it to be identified individually.

Exam trap

Do not confuse classful addressing with CIDR or VLSM. Classful addressing is defined by fixed boundaries per class, while classless methods allow variable-length subnet masks. NAT is a separate concept for address translation.

127
Matchingmedium

Match each IPv6 address type or concept to its most accurate description.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

IPv6 address type used for wider routed communication

IPv6 address type used only on the local segment

Address used by a device to refer to itself

Method for deriving an interface identifier from a MAC address

Why these pairings

Each IPv6 address type has a distinct purpose: Global Unicast for public routing, Link-Local for local segment, Unique Local for private site, Multicast for group communication, Anycast for nearest device, and SLAAC for stateless address assignment.

Exam trap

The most common trap is confusing the scope of Link-Local and Unique Local addresses. Remember: Link-Local is only for the local link, while Unique Local is for private site-wide use but not internet-routable. Also, don't confuse multicast with unicast.

128
PBQhard

You are troubleshooting a PC connected to switch SW1. The PC cannot access the internet. SW1 is connected to router R1 via port G0/1. R1 provides default gateway and DHCP services. Analyze the provided show output and fix the connectivity issue so that the PC can ping 8.8.8.8. === Show output from R1 === <pre> R1# show ip interface brief Interface IP-Address OK? Method Status Protocol GigabitEthernet0/0 unassigned YES manual administratively down down GigabitEthernet0/1 10.0.0.1 YES NVRAM up up </pre> === Show output from PC === <pre> C:\> ipconfig Ethernet adapter Ethernet0: Connection-specific DNS Suffix . : IPv4 Address. . . . . . . . . . : 169.254.123.45 Subnet Mask . . . . . . . . . . : 255.255.0.0 Default Gateway . . . . . . . . : </pre> === Show output from SW1 === <pre> SW1# show vlan brief VLAN Name Status Ports ---- -------------------------------- --------- ------------------------------- 1 default active Gi0/1, Gi0/2, Gi0/3 </pre>

Network Topology
G0/1G0/2G0/1G0/0SW1PC1R1

Hints

  • Check if R1's interface connected to SW1 has an IP address.
  • The DHCP pool expects the default gateway to be on the same subnet as the clients.
  • APIPA address means the PC did not receive a DHCP offer.
A.Configure R1's interface G0/0 with IP address 192.168.1.1/24 and ensure the interface is not administratively down.
B.Change the VLAN on SW1's port G0/2 to VLAN 10 and configure R1's subinterface G0/0.10 with IP 192.168.1.1/24.
C.Enable DHCP snooping on SW1 and configure the port G0/2 as a trusted port.
D.Configure a static IP address of 192.168.1.10/24 on the PC with default gateway 192.168.1.1.
AnswerA
solution
! R1
interface gigabitethernet0/0
ip address 192.168.1.1 255.255.255.0
no shutdown

Why this answer

The PC's APIPA address (169.254.x.x) indicates DHCP failure. The router's DHCP pool is correctly configured and has a lease, but the show output reveals that R1's interface G0/0 is administratively down and has no IP address. Without a working IP on G0/0, the router cannot serve DHCP or route traffic for VLAN 1, even though both the PC and the router are in the same VLAN.

Option A fixes the root cause by assigning the correct subnet IP and bringing the interface up. Option B is incorrect because moving the PC to a different VLAN or creating subinterfaces does nothing to enable the router's physical interface where DHCP and routing must run. Option C is wrong because DHCP snooping or trust configurations are irrelevant when the router's own interface is down/unaddressed.

Option D is a workaround that only masks the problem; the scenario requires a working DHCP service, and a static IP would not restore the intended design.

Exam trap

This question tests your ability to identify that a router interface must have an IP address in the client subnet for DHCP to work, even if the DHCP pool is correctly configured. Many candidates focus on VLANs or DHCP server settings but overlook the basic requirement of an IP address on the router interface.

Why the other options are wrong

B

Changing VLANs or using subinterfaces does not solve the problem because the router's physical interface must be up and have an IP address to serve the VLAN.

C

Enabling DHCP snooping or trust settings on the switch cannot fix a router interface that is administratively down and unassigned.

D

Assigning a static IP to the PC circumvents but does not resolve the root issue of the router's interface being down, and the scenario requires DHCP.

129
Multi-Selectmedium

Which three options correctly describe how a router processes a packet destined for a remote network? (Choose three.)

Select 3 answers
.It decrements the Time-to-Live (TTL) field in the IP header.
.It performs a lookup in the routing table for the destination IP address.
.It rewrites the source and destination MAC addresses for the next hop.
.It replaces the source IP address with its own outgoing interface IP.
.It sends an ARP request for every destination IP address in the packet.
.It encapsulates the entire packet in a new Layer 2 frame with the original MAC addresses.

Why this answer

When a router forwards a packet to a remote network, it first decrements the Time-to-Live (TTL) field in the IP header to prevent infinite loops. It then performs a routing table lookup for the destination IP address to determine the next-hop interface and IP. Finally, it rewrites the source and destination MAC addresses for the next hop, because MAC addresses are only relevant on the local link and must be updated at each Layer 3 hop.

Exam trap

Cisco often tests the distinction between Layer 2 (MAC) and Layer 3 (IP) header changes, so the trap here is that candidates mistakenly think the source IP address is rewritten at each hop, confusing routing with NAT or PAT.

130
Matchingeasy

Match each common network device or concept to its primary role.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Forwards traffic between networks

Forwards local traffic inside a LAN

Applies permit/deny policy to traffic

Provides wireless connectivity

Why these pairings

Router routes between networks; switch forwards within LAN; hub repeats signals; firewall filters traffic; AP provides Wi-Fi; modem converts digital to analog for WAN.

Exam trap

Be careful not to confuse the functions of routers and switches, as both forward traffic but at different layers. Also, remember that a home 'router' often includes a switch, AP, and modem, but the primary role of a router is routing between networks.

131
MCQhard

A host sends an IPv4 packet larger than the outgoing interface MTU, and the DF bit is not set. What will a router normally do?

A.Drop the packet without notification
B.Fragment the packet before forwarding
C.Convert the packet into UDP
D.Forward it unchanged and let the switch fragment it
AnswerB

Correct. The router fragments the packet when DF is not set.

Why this answer

If fragmentation is allowed, an IPv4 router can fragment a packet to fit the outgoing interface MTU. If DF were set, the router would instead drop the packet and typically send an ICMP message back to the source.

Exam trap

Be careful not to confuse the behavior when the DF bit is set with when it is not set. Remember, fragmentation is allowed when DF is not set.

Why the other options are wrong

A

A router does not drop the packet without notification when the DF bit is not set; instead, it fragments the packet. Dropping without notification only occurs when the DF bit is set and the packet exceeds the MTU, in which case the router sends an ICMP Fragmentation Needed message.

C

Routers operate at Layer 3 (IP) and do not modify the transport layer protocol (e.g., UDP or TCP) to handle MTU issues. Converting a packet to UDP would change the protocol and is not a function of IP fragmentation or any standard routing behavior.

D

Switches operate at Layer 2 and do not perform IP fragmentation. Fragmentation is a Layer 3 function handled by routers or the source host. The router must fragment the packet before forwarding it to the switch.

132
MCQhard

A host is configured with IP address 192.168.70.18/30. Which addresses belong to the same subnet block?

A.192.168.70.16 through 192.168.70.19
B.192.168.70.18 through 192.168.70.21
C.192.168.70.12 through 192.168.70.15
D.192.168.70.20 through 192.168.70.23
AnswerA

This is correct because .18 belongs to the /30 block that runs from .16 to .19.

Why this answer

A /30 subnet has a block size of 4. In practical terms, the relevant blocks in the last octet are 0–3, 4–7, 8–11, 12–15, 16–19, and so on. Because 18 falls inside the 16–19 block, the subnet includes network address .16, usable hosts .17 and .18, and broadcast .19.

This question checks whether you can identify the correct /30 block and understand all addresses that fall inside it.

Exam trap

Be careful not to confuse adjacent subnet blocks or miscalculate the block size of a /30 subnet.

Why the other options are wrong

B

A /30 subnet always has a block size of 4 addresses, starting at multiples of 4. The block starting at .18 would be 192.168.70.16–.19, not .18–.21. The range .18–.21 crosses a subnet boundary and includes addresses from two different subnets.

C

The block 192.168.70.12–.15 is a different /30 subnet (network .12, broadcast .15). The host .18 belongs to the subnet .16–.19, not .12–.15.

D

The block 192.168.70.20–.23 is the next /30 subnet (network .20, broadcast .23). The host .18 is not in this range; it is in the .16–.19 subnet.

133
MCQhard

A host address is 10.55.8.117/29. Which address is the network address of the subnet?

A.10.55.8.112
B.10.55.8.119
C.10.55.8.120
D.10.55.8.116
AnswerA

This is correct because .117 belongs to the 112-119 /29 block.

Why this answer

A /29 subnet has a block size of 8. In practical terms, the relevant last-octet blocks are 112-119 for this host. That means the network address is 10.55.8.112. Once you identify the correct block, the first address in the block is the network address.

This is a useful addressing-boundary question because it checks careful block calculation, not memorized guesses.

Exam trap

Be careful not to confuse the network address with the first usable host or the broadcast address.

Why the other options are wrong

B

10.55.8.119 is the broadcast address for the subnet 10.55.8.112/29, not the network address. The broadcast address is the last address in the block (112+8-1=119) and is used to send traffic to all hosts in the subnet.

C

10.55.8.120 is the network address of the next /29 subnet (120-127), not the current one. The current subnet ends at 119, so 120 belongs to a different subnet.

D

10.55.8.116 is a valid host address within the subnet 10.55.8.112/29 (usable range: 113-118). It is not the network address, which must be the first address (112).

134
Multi-Selectmedium

Which three of the following correctly describe the behavior of EtherChannel? (Choose three.)

Select 3 answers
.It aggregates multiple physical links into a single logical link.
.It provides load balancing across the member links based on a hash algorithm.
.It requires that all member ports have the same speed and duplex settings.
.It requires that member ports be on different switches to form a single channel.
.It increases the total number of STP instances in the network.
.It allows multiple VLANs on the same link only if configured as an access port.

Why this answer

EtherChannel aggregates multiple physical links into a single logical link, increasing bandwidth and providing redundancy. It uses a hash algorithm (based on source/destination MAC, IP, or TCP/UDP ports) to distribute traffic across member links. All member ports must have identical speed and duplex settings and be on the same switch (or stack).

The statement that EtherChannel allows multiple VLANs only if configured as an access port is false because EtherChannel links can operate as trunks to carry multiple VLANs.

Exam trap

Cisco often tests the misconception that EtherChannel can be formed across different standalone switches (without stacking) or that it increases STP instances, when in fact it reduces them by treating the bundle as a single logical port.

135
MCQhard

In a network running STP, SW2 became the root bridge for VLAN 10. Both SW1 and SW2 have the same bridge priority. Why did SW2 become the root?

A.Because SW2 has the lower bridge ID due to the lower MAC address.
B.Because SW2 has the higher VLAN number configured.
C.Because SW2 has more trunk ports than SW1.
D.Because SW2 has the highest bridge priority.
AnswerA

This is correct because the priorities are equal, so the lower MAC address wins the root election.

Why this answer

SW2 became the root bridge because its bridge ID is lower. In practical terms, spanning tree elects the root bridge by comparing bridge IDs, which are based on priority plus MAC address. The device with the lowest bridge ID wins. In the exhibit, both switches use the same priority, so the tie is broken by the lower MAC address.

This is a classic STP interpretation question. Many learners focus only on priority, but if priorities match, the MAC address becomes decisive.

Exam trap

Remember, in STP, lower values are preferred. If priorities match, the MAC address decides the root bridge.

Why the other options are wrong

B

The VLAN number is not a factor in the STP root bridge election. The election is based solely on bridge ID, which consists of bridge priority and MAC address.

C

The number of trunk ports does not affect the root bridge election. STP uses bridge ID (priority and MAC address) to determine the root bridge, not port count or type.

D

The root bridge is elected based on the lowest bridge ID, not the highest. A higher bridge priority (numerically larger) makes a switch less likely to become root.

136
Multi-Selecteasy

A support engineer is explaining why a host uses ARP before sending a frame on an Ethernet LAN. Which two statements are correct?

Select 2 answers
A.ARP resolves an IPv4 address to a MAC address
B.A host may ARP for its default gateway when sending to a remote network
C.ARP is used to discover the remote router's OSPF router ID
D.ARP replaces DNS for hostname resolution
AnswersA, B

The host needs the destination MAC for local Layer 2 forwarding.

Why this answer

On Ethernet, the sender needs a destination MAC address. For remote destinations, that usually means ARPing for the default gateway's MAC.

Exam trap

A frequent exam trap is selecting options that confuse ARP with DNS or routing protocol functions. For example, some may incorrectly believe ARP resolves hostnames like DNS or discovers OSPF router IDs. These misunderstandings arise because ARP and DNS both involve address resolution, but ARP only maps IPv4 addresses to MAC addresses on the local LAN, while DNS maps hostnames to IP addresses.

Similarly, ARP does not interact with routing protocols like OSPF. Misinterpreting ARP’s role leads to incorrect answers and can cost points on the CCNA exam.

Why the other options are wrong

C

Incorrect because ARP does not discover routing protocol identifiers like OSPF router IDs; these are unrelated to Layer 2 address resolution.

D

Incorrect because ARP does not replace DNS; DNS resolves hostnames to IP addresses, whereas ARP resolves IP addresses to MAC addresses.

137
Multi-Selectmedium

Which three of the following are characteristics of Layer 2 Ethernet switches that improve network performance? (Choose three.)

Select 3 answers
.They create separate collision domains per port.
.They forward frames based on the destination MAC address.
.They reduce the number of broadcast domains.
.They can perform cut-through switching to reduce latency.
.They use IP addresses to make forwarding decisions.
.They automatically block all unknown unicast frames.

Why this answer

Layer 2 Ethernet switches improve network performance by creating separate collision domains per port, eliminating collisions between devices on different ports. They forward frames based on the destination MAC address, enabling efficient hardware-based switching. Cut-through switching reduces latency by starting to forward as soon as the destination MAC address is read.

The other options are incorrect: switches do not reduce broadcast domains (broadcasts are forwarded to all ports in the same VLAN unless a router or VLAN segmentation is used); switches operate at Layer 2 using MAC addresses, not IP addresses; and unknown unicast frames are flooded out all ports except the incoming port, not automatically blocked, to ensure connectivity if the destination is unknown.

Exam trap

Cisco often tests the distinction between collision domains and broadcast domains, where candidates mistakenly think switches reduce broadcast domains, but switches only segment collision domains while broadcast domains are controlled by VLANs or routers.

138
PBQhard

You are connected to R1 via console. PC1 is connected to R1's GigabitEthernet0/1 interface and is configured with a static IP address. PC1 cannot reach the internet (203.0.113.1). Identify and resolve the connectivity issue. Configure R1 to restore full connectivity for PC1.

Network Topology
203.0.113.1/30PC1Internet

Hints

  • The problem is not with IP addressing or routing; R1 can reach the internet.
  • PC1 uses a private IP address (RFC 1918), which must be translated before leaving R1.
  • Check if NAT is configured on R1.
A.Configure NAT overload on R1: define ACL 1 to permit 192.168.1.0 0.0.0.255, set GigabitEthernet0/0 as outside and GigabitEthernet0/1 as inside, and apply ip nat inside source list 1 interface GigabitEthernet0/0 overload.
B.Configure a static route on R1: ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 203.0.113.1.
C.Change PC1's default gateway to 203.0.113.1.
D.Enable IP routing on R1 and configure OSPF.
AnswerA
solution
! R1
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface GigabitEthernet0/0 overload
interface GigabitEthernet0/1
ip nat inside
interface GigabitEthernet0/0
ip nat outside

Why this answer

PC1 has a default gateway of 192.168.1.1, which is correct, but R1 is not performing NAT. R1 can reach the internet (203.0.113.1) but PC1 cannot because R1 drops packets from PC1 destined to the internet without source NAT. The fix is to configure NAT overload (PAT) on R1: define an ACL to match PC1's subnet, configure the inside and outside interfaces, and enable NAT on the outside interface.

This will translate PC1's private IP to R1's public IP.

Exam trap

The trap is that candidates may focus on routing (default route, routing protocols) or IP addressing (default gateway) when the real issue is NAT. Always verify if private IPs are being translated when hosts cannot reach the internet, even if the router itself has connectivity.

Why the other options are wrong

B

The specific factual error is that a default route is already in place and working; adding another does not solve the NAT problem.

C

The specific factual error is that a host's default gateway must be on the same subnet; 203.0.113.1 is not reachable directly from PC1.

D

The specific factual error is that OSPF does not solve the private-to-public address translation problem; it only exchanges routes between routers.

139
PBQhard

You are troubleshooting a PC (PC-A) connected to switch SW1, which is connected to router R1. PC-A has an APIPA address (169.254.23.45) and cannot reach the internet (203.0.113.1). You confirm that R1 has a correctly configured DHCP pool for the 192.168.10.0/24 subnet, but the DHCP service is not enabled. The network uses VLAN 10 with subnet 192.168.10.0/24. Verify and correct the configuration on PC-A, SW1, and R1 to restore full connectivity.

Network Topology
G0/0/0192.168.10.1/24G0/0/0192.168.10.1/24203.0.113.1PC-ASW1R1Internet

Hints

  • Check if the DHCP server process is running on R1.
  • APIPA addresses (169.254.x.x) indicate DHCP failure.
  • The DHCP pool is configured but not yet active.
A.Enable the DHCP service on R1 with the 'service dhcp' command.
B.Configure a default gateway on PC-A with the IP address 192.168.10.1.
C.Change the VLAN on SW1's interface connected to PC-A from VLAN 10 to VLAN 1.
D.Add the 'ip helper-address' command on R1's interface connected to SW1.
AnswerA
solution
! R1
service dhcp

! SW1


! PC-A

Why this answer

The APIPA address (169.254.x.x) indicates that PC-A failed to obtain a DHCP lease. The correct solution is to enable the DHCP service on R1 with 'service dhcp', which is not running despite the configured pool. Option B is incorrect because setting a default gateway on PC-A with a static IP would still require a valid address in the subnet; the APIPA address cannot communicate with 192.168.10.1.

Option C is wrong because the PC-A interface on SW1 is correctly assigned to VLAN 10. Option D is unnecessary since R1 is directly connected to the same subnet, so 'ip helper-address' is only used to forward DHCP broadcasts across router boundaries.

Exam trap

Do not assume that configuring a DHCP pool is sufficient; the DHCP service must be explicitly enabled with 'service dhcp'. Also, remember that APIPA addresses indicate DHCP failure, not just a missing gateway.

Why the other options are wrong

B

The PC's APIPA address cannot reach the 192.168.10.1 gateway because it is not in the same subnet, so configuring a default gateway alone does not restore connectivity.

C

Changing the VLAN to VLAN 1 would isolate PC-A from the correct subnet (VLAN 10), breaking connectivity instead of fixing it.

D

The 'ip helper-address' command is used on interfaces that need to forward DHCP broadcasts to a remote DHCP server; here R1 itself is the DHCP server and is directly attached, so the command is not needed.

140
PBQhard

You are connected to R1 via the console. R1 and R2 are connected via a fiber link using SFPs. The link is not coming up. Configure the correct SFP type on R1's interface GigabitEthernet0/0 to support the required 2 km distance, and fix any auto-negotiation or speed/duplex misconfiguration so that the link becomes operational.

Network Topology
G0/010.0.0.1/30G0/010.0.0.2/302 km fiberR1R2

Hints

  • Check the transceiver details to see the current SFP's distance capability.
  • The link requires 2 km; the current SFP only supports 550 m.
  • Auto-negotiation is not used on fiber links; disable it with 'no negotiation auto'.
A.Replace SFP with 1000BASE-LX, configure 'no negotiation auto' on GigabitEthernet0/0, and remove 'speed 1000' and 'duplex full'.
B.Replace SFP with 1000BASE-SX, configure 'negotiation auto' on GigabitEthernet0/0, and keep 'speed 1000' and 'duplex full'.
C.Replace SFP with 1000BASE-LX, configure 'negotiation auto' on GigabitEthernet0/0, and keep 'speed 1000' and 'duplex full'.
D.Replace SFP with 1000BASE-LX, configure 'no negotiation auto' on GigabitEthernet0/0, and configure 'speed 100' and 'duplex full'.
AnswerA
solution
! R1
interface gigabitEthernet 0/0
no speed 1000
no duplex full
no negotiation auto
end

Why this answer

The current SFP is 1000BASE-SX (850 nm), rated for only 550 m, which is insufficient for a 2 km link. It must be replaced with a 1000BASE-LX SFP that supports up to 10 km. The interface currently has 'speed 1000', 'duplex full', and 'negotiation auto'.

On fiber SFPs, auto-negotiation is not supported and the speed and duplex are fixed at 1000 Mbps full duplex; therefore, 'no negotiation auto' is required, and any manually configured speed/duplex that violates the SFP's capabilities will prevent the link from coming up. Option A correctly uses 1000BASE-LX, disables auto-negotiation, and removes the redundant speed/duplex commands (the defaults are sufficient). Option D incorrectly sets 'speed 100', which is incompatible with the 1000BASE-LX SFP, causing the link to fail.

Option B uses the wrong SFP type (1000BASE-SX). Option C uses the correct SFP but leaves 'negotiation auto', which is unsupported on fiber SFPs and will keep the link down.

Exam trap

Do not assume auto-negotiation is always required; fiber SFPs use fixed parameters. Also, remember that 1000BASE-SX is for short distances (up to 550 m), while 1000BASE-LX supports longer distances (up to 10 km).

Why the other options are wrong

B

Uses 1000BASE-SX, which cannot support the required 2 km distance.

C

Retains 'negotiation auto', which is not supported on fiber SFPs and prevents the link from establishing.

D

Configures 'speed 100', a value incompatible with a 1000BASE-LX SFP, causing a link failure.

141
MCQhard

A host address is 192.168.90.33/28. Which address is the last usable host in the subnet?

A.192.168.90.46
B.192.168.90.47
C.192.168.90.33
D.192.168.90.48
AnswerA

This is correct because .46 is the last usable address before the .47 broadcast in the 32-47 block.

Why this answer

The /28 subnet mask (255.255.255.240) gives a block size of 16 addresses. The network address for 192.168.90.33 is 192.168.90.32, so the broadcast address is 192.168.90.47. The last usable host is the broadcast address minus one, which is 192.168.90.46.

Exam trap

Cisco often tests the distinction between the broadcast address and the last usable host, tricking candidates who forget to subtract one from the broadcast address.

Why the other options are wrong

B

192.168.90.47 is the broadcast address for the subnet 192.168.90.32/28. Broadcast addresses cannot be assigned to hosts; they are used to send traffic to all hosts in the subnet.

C

192.168.90.33 is the first usable host in the subnet (network address .32 + 1). The question asks for the last usable host, not the first.

D

192.168.90.48 is the network address of the next subnet (192.168.90.48/28). It is not part of the current subnet and cannot be used as a host address in the subnet containing .33.

142
MCQhard

A user reports they cannot access any network resources. A network administrator runs ipconfig on the user's Windows PC and sees an IPv4 address of 169.254.45.3/16. The administrator then pings the default gateway 10.0.0.1, which fails, and uses traceroute to 10.0.0.1, which shows only '1 * * * Request timed out.' What is the most likely cause of the problem?

A.The PC's DNS server address is incorrect.
B.The switch port is in an administratively down state.
C.The Ethernet cable is unplugged from the PC.
D.The DHCP server is unreachable.
AnswerD

The 169.254.x.x APIPA address indicates that the PC is configured for DHCP but did not receive a DHCP offer. Because the address is not in the same subnet as the default gateway, all connectivity beyond the local link fails.

Why this answer

The 169.254.45.3/16 address is an Automatic Private IP Addressing (APIPA) address, assigned by Windows when a DHCP discovery fails. The failed ping and traceroute to the default gateway confirm that the PC has no IP connectivity to the network. Since the PC is on the same subnet as the DHCP server (10.0.0.0/24), the most likely cause is that the DHCP server is unreachable, preventing the PC from obtaining a valid IP address.

Exam trap

Cisco often tests the distinction between a link-local APIPA address and a 'Media disconnected' state; the trap here is that candidates may assume a physical issue (unplugged cable or disabled port) when the presence of an APIPA address actually proves the physical and data link layers are operational.

Why the other options are wrong

A

DNS misconfiguration would not prevent direct IP connectivity to the gateway.

B

With the port down, the PC would not assign any IP address; APIPA assignment requires an active link.

C

Physical disconnection prevents link establishment, so no IP address is assigned.

143
MCQhard

A host with address 10.0.0.130/25 needs to identify its subnet. Which subnet is correct?

A.10.0.0.0/25
B.10.0.0.64/25
C.10.0.0.128/25
D.10.0.0.192/25
AnswerC

This is correct because 130 falls in the 128 through 255 range.

Why this answer

A /25 uses blocks of 128 addresses. In plain language, that means the fourth-octet ranges are 0–127 and 128–255. Since the host address ends in 130, it belongs to the upper block, which means the subnet is 10.0.0.128/25.

This kind of question is a staple of subnetting because it tests whether you can identify the correct subnet boundary from the prefix and host address. Once you recognize the /25 split, the answer becomes straightforward.

Exam trap

Be careful not to confuse the subnet mask with the number of addresses it covers. Always calculate the address range based on the subnet mask.

Why the other options are wrong

A

The subnet 10.0.0.0/25 covers addresses 10.0.0.0 through 10.0.0.127. Since 10.0.0.130 is outside this range, it cannot belong to this subnet. The host's address must be within the subnet's range.

B

The /25 prefix length has a subnet size of 128, so valid network addresses are multiples of 128 (0, 128, 256, etc.). 10.0.0.64 is not a multiple of 128, so it is not a valid /25 network address.

D

The /25 prefix length creates subnets with a block size of 128, starting at 0, 128, 256, etc. 10.0.0.192/25 would be a valid subnet if the network started at 192, but 192 is not a valid /25 boundary because 192 is not a multiple of 128.

144
PBQmedium

You are connected to the console of R1. The network administrator reports that R1 cannot discover neighboring devices via CDP. R1 is connected to SW1 via GigabitEthernet0/0. You suspect CDP is disabled globally or on the interface. Your task is to enable CDP and verify neighbor discovery.

Network Topology
G0/0G0/1R1SW1

Hints

  • CDP can be disabled globally or per interface.
  • Use the 'show cdp' command to check global status.
  • After enabling, wait a few seconds for neighbor discovery.
A.Enter global configuration mode, issue 'cdp run', then enter interface configuration mode for GigabitEthernet0/0 and issue 'cdp enable'.
B.Enter global configuration mode, issue 'cdp enable', then enter interface configuration mode for GigabitEthernet0/0 and issue 'cdp run'.
C.Enter global configuration mode, issue 'cdp run', then enter interface configuration mode for GigabitEthernet0/0 and issue 'no cdp disable'.
D.Enter global configuration mode, issue 'cdp enable', then enter interface configuration mode for GigabitEthernet0/0 and issue 'no cdp disable'.
AnswerA
solution
! R1
cdp run
interface GigabitEthernet0/0
cdp enable

Why this answer

CDP was disabled globally and on the interface. Enabling CDP globally and then on the interface allows R1 to discover directly connected Cisco devices.

Exam trap

Remember that CDP requires two separate commands: 'cdp run' globally and 'cdp enable' on each interface. Do not confuse the global and interface commands, and do not invent commands like 'no cdp disable'.

Why the other options are wrong

B

The specific factual error is that 'cdp enable' is used on interfaces, not globally. The global command to enable CDP is 'cdp run'.

C

The specific factual error is that 'no cdp disable' is not a valid Cisco IOS command. The proper command is 'cdp enable'.

D

The specific factual errors are: the global command should be 'cdp run', and the interface command should be 'cdp enable'.

145
Multi-Selectmedium

Which two statements about ARP on an IPv4 Ethernet network are correct? (Choose two.)

Select 2 answers
A.An ARP request is sent as a Layer 2 broadcast.
B.An ARP reply is normally sent as a unicast frame.
C.ARP is used to map IPv6 addresses to MAC addresses.
D.ARP is forwarded by routers across subnets by default.
AnswersA, B

Correct. The requester does not yet know the destination MAC.

Why this answer

ARP resolves an IPv4 address to a MAC address on the local segment. ARP requests are broadcast; ARP replies are typically unicast.

Exam trap

Be careful not to confuse ARP requests with replies, and remember that ARP operates only within a local segment.

Why the other options are wrong

C

ARP is specifically designed for IPv4 networks to map IPv4 addresses to MAC addresses. IPv6 uses Neighbor Discovery Protocol (NDP) with ICMPv6 messages to perform address resolution, not ARP.

D

ARP operates only within a single broadcast domain (subnet) and is not forwarded by routers. Routers separate broadcast domains and do not forward ARP requests or replies across subnets by default.

146
MCQhard

A host cannot communicate with its default gateway. The technician uses the show arp command on the host and sees that the ARP entry for the gateway IP is incomplete. The technician has already verified that the Ethernet cable is securely connected and the switch port is active. What should the technician do next?

A.Check the switch port’s VLAN configuration and ensure the host and router interface are in the same VLAN.
B.Replace the Ethernet cable between the host and the switch.
C.Clear the ARP cache on the host and attempt to ping the gateway again.
D.Check the router’s routing table for a route to the host’s subnet.
AnswerA

If the host and gateway are in different VLANs, the ARP request broadcast never reaches the gateway, so the entry stays incomplete. This step directly addresses the most probable Layer 2 fault after excluding physical issues.

Why this answer

An incomplete ARP entry for the default gateway indicates that the host sent an ARP request but never received a reply. Since the physical layer (cable and switch port) is verified as operational, the most likely cause is a Layer 2 mismatch: the host and the router interface are in different VLANs, preventing the ARP reply from reaching the host. Checking the switch port's VLAN configuration ensures both devices are in the same broadcast domain, which is required for ARP to function.

Exam trap

Cisco often tests the distinction between Layer 2 connectivity (ARP, VLANs) and Layer 3 connectivity (routing), leading candidates to incorrectly focus on routing tables or ARP cache clearing when the real issue is a VLAN mismatch.

Why the other options are wrong

B

Candidates may equate a physical link symptom with a faulty cable, but the port’s active status indicates a good L1 connection. This action skips necessary logical checks.

C

This is a common ‘quick fix’ mindset, but in a structured troubleshooting process, clearing the cache hides information without solving the root cause.

D

Candidates might confuse local ARP failure with reachability issues to a remote subnet, but the gateway is the router itself. Routing is irrelevant until the destination is off-segment.

147
MCQmedium

Which IPv6 address type is automatically created on an interface and used for communication on the local link only?

A.Global unicast
C.Unique local
D.Multicast
AnswerB

Correct. Link-local addresses exist per link and are not routed.

Why this answer

Every IPv6-enabled interface generates a link-local address, typically in the FE80::/10 range. It is used for neighbor discovery, local communication, and next-hop resolution on the same link.

Exam trap

A common exam trap is confusing link-local addresses with unique local or global unicast addresses. Link-local addresses are automatically generated and only valid on the local link, whereas unique local addresses resemble private IPv4 addresses but are routable within an organization. Multicast addresses are not assigned to interfaces for unicast communication, so selecting multicast is incorrect.

Understanding the scope and automatic generation of link-local addresses is critical.

Why the other options are wrong

A

Global unicast addresses are routable beyond the local link and are not automatically created for local link communication only.

C

Unique local addresses are similar to private IPv4 addresses and are routable within an organization, not limited to the local link.

D

Multicast addresses are used for group communication and are not assigned as interface addresses for unicast communication.

148
MCQhard

A network administrator is troubleshooting an IPv6 connectivity issue on a newly deployed router. The router's G0/0/0 interface is configured with an IPv6 address using EUI-64, but hosts on that subnet cannot reach the router's link-local address. The administrator runs 'show ipv6 interface g0/0/0' and sees that the interface is up/up but the IPv6 address is not in the expected format. What is the most likely cause of the problem?

A.The interface is administratively down.
B.The IPv6 address was not configured correctly; the 'ipv6 address' command was likely omitted or misconfigured.
C.The MAC address of the interface is invalid, preventing EUI-64 from generating a proper address.
D.The router is not sending Router Advertisements, so hosts cannot autoconfigure.
AnswerB

If the 'ipv6 address' command was omitted, IPv6 is not enabled, and no link-local address exists. If it was misconfigured (e.g., missing the `eui-64` keyword), the router would still have a link-local address, so the symptom of hosts unable to reach the link-local address would not occur. Therefore, omission is the most likely cause given the symptom.

Why this answer

The router's G0/0/0 interface is up/up, but the IPv6 address is not in the expected EUI-64 format. This indicates that the 'ipv6 address' command was likely omitted entirely, because if it were simply misconfigured (e.g., without the `eui-64` keyword), the router would still automatically generate a link-local address, and hosts would be able to reach it. Since hosts cannot reach the link-local address, IPv6 is not enabled on the interface at all.

The correct configuration requires the `ipv6 address` command with the appropriate prefix and the `eui-64` keyword.

Exam trap

Cisco often tests the distinction between interface status (up/up) and configuration correctness, leading candidates to assume that a working interface means the IPv6 address is properly configured, when in fact the address may be missing or misconfigured.

Why the other options are wrong

A

The 'show ipv6 interface' output shows 'up, line protocol is up', indicating the interface is not administratively down. An administratively down interface would show 'administratively down' in the output.

C

The link-local address (FE80::21A:2BFF:FE3C:4D5E) is correctly formed using EUI-64, which requires a valid MAC address. The presence of 'FF:FE' in the middle indicates EUI-64 is functioning properly, so the MAC address is valid.

D

The output shows 'ND router advertisements are sent every 200 seconds', confirming that Router Advertisements are enabled. The problem is about the router's own IPv6 address, not host autoconfiguration.

149
MCQmedium

A switch displays the following output: Interface Status VLAN Gi1/0/5 connected 20 Gi1/0/6 notconnect 1 Gi1/0/24 trunk trunk Which interface is operating as an access port in VLAN 20?

A.Gi1/0/5
B.Gi1/0/6
C.Gi1/0/24
D.None of the interfaces
AnswerA

Correct. It is connected and assigned to VLAN 20.

Why this answer

The output explicitly shows Gi1/0/5 in VLAN 20 and not operating as a trunk.

Exam trap

Be careful not to confuse trunk ports with access ports or assume interfaces not shown in the output are relevant.

Why the other options are wrong

B

Gi1/0/6 is an access port in VLAN 1 (the default VLAN), not VLAN 20. The question specifically asks for an interface operating as an access port in VLAN 20, so this option is incorrect.

C

Gi1/0/24 is configured as a trunk port, which carries traffic for multiple VLANs and is not an access port. Access ports belong to a single VLAN, so this option is incorrect.

D

Gi1/0/5 is clearly an access port in VLAN 20, so there is an interface that matches the description. Therefore, 'None of the interfaces' is incorrect.

150
Matchingmedium

Match each IPv4 addressing term to its most accurate meaning.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Address that identifies the subnet itself

Address assigned to an individual device in the subnet

Address used to reach all hosts in the subnet

Value that defines network versus host portions

Why these pairings

The network address is the first address in a subnet and identifies the subnet itself. The host address is any usable address assigned to a device within the subnet. The broadcast address is the last address in the subnet, used to send data to all hosts.

The subnet mask is a 32-bit value that separates the network and host portions of an IP address.

Exam trap

Do not confuse the host address with the network address or broadcast address. The host address is the usable IP for a device, while the network and broadcast addresses are reserved.

← PreviousPage 2 of 6 · 390 questions totalNext →

Ready to test yourself?

Try a timed practice session using only Network Infra Connectivity questions.