CCNA Network Infra Connectivity Questions

75 of 390 questions · Page 5/6 · Network Infra Connectivity topic · Answers revealed

301
Drag & Dropmedium

Drag and drop the following steps into the correct order to sequence the TCP three-way handshake between a client and a server.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4

Why this order

The TCP three-way handshake starts with the client sending a SYN, followed by the server responding with SYN-ACK, and finally the client sending an ACK to establish the connection.

Exam trap

A common trap is confusing the order of the handshake or thinking the server initiates the connection. Remember: the client always sends the first SYN, and the server's response is a SYN-ACK (not a separate SYN and ACK).

302
Multi-Selectmedium

Which TWO statements about fiber optic cable types and SFP transceivers are correct?

Select 2 answers
A.Single-mode fiber uses a larger core (typically 62.5/125 µm) and supports longer distances than multimode fiber.
B.Multimode fiber is commonly used in campus and data center environments for distances up to several hundred meters.
C.SFP+ transceivers support data rates up to 1 Gbps and are backward compatible with standard SFP modules.
D.Single-mode fiber typically uses laser-based transceivers and can support distances exceeding 10 km.
E.Fiber optic cables must be run with EMI shielding when deployed in environments with high electromagnetic interference.
AnswersB, D

Multimode fiber (e.g., OM3/OM4) is designed for shorter distances and is widely deployed in campus and data center backbones, typically up to 300-550 meters for 10 Gbps.

Why this answer

Multimode fiber (MMF) has a larger core (typically 50/125 µm or 62.5/125 µm) and is used for short-reach, cost-effective connections up to a few hundred meters, making option B correct. Single-mode fiber (SMF) uses a much smaller core (~9 µm) and laser-based optics to achieve distances of 10 km or more, so option D is correct. Option A is wrong because it reverses the core size characteristic: SMF has a smaller core, and the given dimensions (62.5/125 µm) refer to multimode.

Option C is wrong because SFP+ is a 10 Gbps form factor and is not inherently backward compatible with 1 Gbps SFP modules unless the switch port explicitly supports dual-rate operation. Option E is incorrect because fiber optic cables are inherently immune to electromagnetic interference (EMI) and therefore never require EMI shielding in any environment; the false statement claims they need shielding.

Exam trap

Cisco often tests the misconception that SFP+ is backward compatible with SFP at the same speed, when in fact SFP+ is a 10 Gbps standard and requires specific port support or auto-negotiation to operate with 1 Gbps SFP modules.

Why the other options are wrong

A

Single-mode fiber uses a smaller core (~9 µm); the larger core dimensions (62.5/125 µm) belong to multimode fiber.

C

SFP+ transceivers support 10 Gbps speeds, not 1 Gbps, and are not universally backward compatible with standard SFP modules.

E

Fiber optic cables are immune to EMI and do not require any shielding; the claim that they need EMI shielding is false.

303
MCQhard

A host is configured as 192.168.100.65/26. What is the valid host range for its subnet?

A.192.168.100.65 to 192.168.100.126
B.192.168.100.64 to 192.168.100.127
C.192.168.100.1 to 192.168.100.62
D.192.168.100.66 to 192.168.100.127
AnswerA

This is correct because the subnet is 192.168.100.64/26, leaving .65 through .126 as usable hosts.

Why this answer

A /26 creates blocks of 64 addresses. In plain language, the subnets in the last octet are 0–63, 64–127, 128–191, and 192–255. Because the host address is 192.168.100.65, it belongs to the 64–127 block. In that block, 192.168.100.64 is the network address and 192.168.100.127 is the broadcast address. That leaves 192.168.100.65 through 192.168.100.126 as the valid host range.

This checks whether you can identify both the subnet boundary and the usable range.

Exam trap

Remember to exclude the network and broadcast addresses when determining the valid host range.

Why the other options are wrong

B

This option is incorrect because it includes the network address (192.168.100.64) and the broadcast address (192.168.100.127) for the subnet, which are not valid host addresses. The valid host range for a /26 subnet starts from 192.168.100.65 to 192.168.100.126.

C

Option C is incorrect because it suggests a host range that does not align with the subnet mask /26, which allows for a range of 192.168.100.64 to 192.168.100.127, but excludes the actual valid hosts for the specified IP address.

D

Option D is incorrect because it suggests a host range that starts from 192.168.100.66, which is outside the valid range for the subnet 192.168.100.64/26. The correct range should include all hosts from 192.168.100.65 to 192.168.100.126.

304
Multi-Selecthard

Which two statements accurately describe UDP compared with TCP?

Select 2 answers
A.UDP is connectionless.
B.UDP always guarantees delivery and sequencing.
C.UDP has lower overhead because it uses a simpler header and no session establishment.
D.UDP requires a three-way handshake before application data can be sent.
E.UDP cannot be used by DNS.
AnswersA, C

This is correct because UDP does not establish a connection before sending data.

Why this answer

UDP is designed for simplicity and speed rather than built-in reliability. In plain terms, it sends data without creating a formal conversation first. That is why it is called connectionless. Because it does not perform the same reliability features as TCP, its header is smaller and the protocol adds less overhead. This makes UDP a good fit for applications that care more about speed or low delay than guaranteed delivery at the transport layer.

UDP does not perform a three-way handshake, and it does not guarantee delivery. It is also used by many real services, including DNS in common query scenarios.

Exam trap

Be careful not to confuse the connection-oriented features of TCP with UDP, which is connectionless and does not guarantee delivery.

Why the other options are wrong

B

This option is wrong because UDP does not guarantee delivery or sequencing; it is designed for speed and efficiency, sacrificing reliability. TCP, on the other hand, ensures that data is delivered in order and without loss.

D

This option is wrong because UDP is a connectionless protocol that does not require a three-way handshake for data transmission, unlike TCP, which establishes a connection before sending data.

E

This option is wrong because UDP is widely used by DNS for its quick query-response nature, allowing for faster resolution of domain names without the overhead of connection establishment.

305
PBQhard

You are connected to R1 via the console. The link between R1 and R2 is experiencing intermittent connectivity. A 'show interfaces GigabitEthernet0/0' output shows the interface is up/up, line protocol up, Full-duplex, 1000Mb/s, but there are 1234 input errors, including 567 CRC errors. Identify the root cause of the issue, and apply the necessary configuration fix to restore full connectivity.

Network Topology
G0/010.0.0.1/30G0/010.0.0.2/30linkR1R2

Hints

  • Check the duplex and speed settings on both ends of the link.
  • High CRC errors often indicate a duplex mismatch.
  • Auto-negotiation can resolve duplex mismatches if both devices support it.
A.Configure the interface with 'duplex full' and 'speed 1000'.
B.Configure the interface with 'duplex half' and 'speed 100'.
C.Configure the interface with 'no shutdown' to re-enable the interface.
D.Configure the interface with 'duplex auto' and 'speed auto'.
AnswerD
solution
! R1
interface GigabitEthernet0/0
duplex auto
speed auto

Why this answer

The output indicates high CRC errors on a GigabitEthernet interface operating at 1000 Mb/s and full-duplex. Since 1000BASE-T does not support half-duplex, a duplex mismatch is not possible. The CRC errors likely result from a speed or duplex negotiation mismatch where one side uses forced settings (e.g., speed 1000 duplex full) and the other uses auto-negotiation, causing physical layer instability.

Setting both sides to auto-negotiation ('duplex auto' and 'speed auto') allows them to properly agree on the highest common speed and duplex, resolving the errors. Option A forces full and 1000, which may not match R2 if it is set to auto, so it is not a reliable fix. Option B uses 'duplex half', which is invalid on Gigabit links and would break connectivity.

Option C's 'no shutdown' is irrelevant because the interface is already administratively up.

Exam trap

Do not assume that high CRC errors on a GigabitEthernet link indicate a duplex mismatch; at 1000 Mbps, half-duplex is not supported, so look for mismatched forced versus auto-negotiation settings instead.

Why the other options are wrong

A

Forcing full duplex and speed 1000 may not match R2 if it is set to auto-negotiation, potentially worsening the mismatch and not resolving CRC errors.

B

Half-duplex is not a valid mode for GigabitEthernet (1000BASE-T only supports full-duplex), so this configuration would prevent the link from working.

C

The interface is already up/up, so re-enabling it with 'no shutdown' has no effect and does not address the underlying CRC errors.

306
Matchingmedium

Drag and drop the cable types, transceivers, and diagnostic commands on the left to the correct descriptions or specifications on the right.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Copper cable supporting 10GBASE-T up to 100 meters

Fiber with 9-micron core, used for long distances up to 40 km

Fiber with 50- or 62.5-micron core, used for distances up to 550 meters

Hot-swappable module for connecting fiber or copper to a switch port

Command to view CRC errors and interface status

Command to view optical power levels and temperature

Why these pairings

Cat6a copper cable supports 10GBASE-T at 100 meters due to its enhanced specification. Single-mode fiber uses a narrow 9-micron core, allowing light to travel in a single mode for long distances up to 40 km. Multimode fiber has a larger core (50 or 62.5 microns), which introduces modal dispersion and limits distances to about 550 meters for Ethernet.

SFP transceivers are hot-swappable modules that provide the interface between a switch port and fiber or copper cabling. The 'show interfaces' command displays detailed interface statistics, including CRC errors and status, while 'show interfaces transceiver' displays optical monitoring data such as transmit power, receive power, and temperature.

Exam trap

A common mistake is confusing the core sizes and maximum distances of single-mode and multimode fiber. Also, learners often mix up the detailed counters from 'show interfaces' (CRC errors) with the optical diagnostics from 'show interfaces transceiver'.

307
MCQhard

A subnet must support 14 usable hosts. Which prefix is the smallest that meets the requirement?

A./29
B./28
C./27
D./26
AnswerB

This is correct because a /28 provides 16 total addresses and 14 usable hosts.

Why this answer

To support 14 usable hosts, the subnet must have 16 total addresses, because two are reserved for the network and broadcast addresses. In plain language, you need enough address slots so that after those two reserved entries are removed, 14 remain. A /28 provides exactly that: 16 total addresses and 14 usable addresses.

This is a classic minimum-subnet-size question because it tests whether you can work backward from host requirement to prefix length. A /29 would be too small, while a /27 would work but waste more addresses than necessary.

Exam trap

Avoid choosing a subnet size that either doesn't meet the host requirement or is unnecessarily large, leading to wasted addresses.

Why the other options are wrong

A

A /29 subnet provides only 6 usable host addresses, which is insufficient for the requirement of 14 usable hosts. Therefore, it does not meet the specified criteria.

C

Option C: /27 provides 30 usable hosts, which exceeds the requirement of 14 usable hosts. However, the question asks for the smallest prefix that meets the requirement, making /28 the correct choice.

D

Option D: /26 provides 62 usable hosts, which exceeds the requirement of 14 usable hosts. Therefore, it is not the smallest prefix that meets the specified need.

308
MCQhard

Refer to the exhibit. An administrator notices that all interfaces on R1 are in an administratively down state. The administrator issues the show version command and sees the following output. What is the most likely cause of the issue?

A.The router IOS image is corrupted and needs to be reinstalled.
B.The interfaces have been manually shut down in the running configuration, and the startup-config file is empty.
C.The router experienced a memory error during boot and failed to load the startup configuration.
D.The configuration register is set to 0x2142, causing the router to ignore the startup configuration.
AnswerD

This is directly confirmed by the last line of the exhibit: 'Configuration register is 0x2142'. This setting tells the router to bypass loading the startup-config from NVRAM, resulting in a clean slate where all interfaces are administratively down.

Why this answer

The configuration register value 0x2142 tells the router to ignore the startup configuration during boot, loading only the default factory configuration. This causes all interfaces to be in an administratively down state because no interface configurations from the startup-config are applied. The administrator sees the interfaces as administratively down because the default configuration does not include any 'no shutdown' commands.

Exam trap

Cisco often tests the specific effect of configuration register 0x2142 (ignoring startup-config) versus 0x2102 (normal boot), and the trap here is that candidates may confuse it with a corrupted IOS or manual shutdown, not realizing the register value directly causes the default interface state.

Why the other options are wrong

A

Candidates may confuse a successful IOS boot with a corrupted image because both can lead to an unusable configuration, but the configuration register is the direct clue.

B

Candidates may focus on the symptom (interfaces down) and hypothesize a manual configuration error, but they miss the clear hardware boot-parameter issue indicated by the config register.

C

Candidates equate configuration loss with hardware faults, overlooking the intentional nature of the 0x2142 register value.

309
Multi-Selectmedium

Which TWO statements correctly describe the encapsulation and de-encapsulation process at the transport layer of the OSI model?

Select 2 answers
A.During encapsulation, the transport layer adds a header to form a packet.
B.During encapsulation, the transport layer adds a header containing source and destination port numbers.
C.During de-encapsulation, the transport layer removes the IP header to extract the segment.
D.During de-encapsulation, the transport layer removes its header and passes the payload to the session layer.
E.During encapsulation, the transport layer adds a trailer for error detection.
AnswersB, D

The transport layer header includes port numbers to identify the application processes on the source and destination hosts. This is a key part of encapsulation.

Why this answer

Option B is correct because during encapsulation at the transport layer, the TCP or UDP header is added, which includes source and destination port numbers. These port numbers identify the specific application-layer processes on the sending and receiving hosts, enabling proper demultiplexing of data. Option D is correct because during de-encapsulation, the transport layer removes its own header (e.g., TCP or UDP header) and passes the remaining payload up to the session layer (or directly to the application layer in a simplified model).

Exam trap

Cisco often tests the precise PDU naming convention (segment vs. packet vs. frame) and which layer performs which header removal, causing candidates to confuse the transport layer's role with the network layer's role.

Why the other options are wrong

A

This statement confuses the PDU naming: packet belongs to Layer 3, not Layer 4.

C

This describes a Layer 3 de-encapsulation step, not a Layer 4 step.

E

Trailers are a Layer 2 feature; the transport layer uses header-based checksums for integrity.

310
MCQhard

A network engineer is troubleshooting a wireless performance issue in a dense office environment. Clients on the 5 GHz band are experiencing low throughput even though they are close to the AP. The AP is a Cisco 9130AXI running IOS-XE 17.9. What is the most likely cause of the poor performance?

A.The AP is using an incorrect channel width of 80 MHz, which is not supported by 802.11ac.
B.The AP is operating in 802.11ac mode instead of 802.11ax, and the 80 MHz channel bonding is causing high interference in the dense environment.
C.The AP has DFS non-compliance, which prevents it from using channel 36 and causes the radio to operate at reduced power.
D.The AP is using WPA2-PSK instead of WPA3, which causes lower throughput due to weaker encryption.
AnswerB

802.11ax (Wi-Fi 6) uses OFDMA to reduce interference and improve efficiency in dense environments. The AP is using 802.11ac with 80 MHz channel bonding, which is more prone to interference, leading to poor throughput.

Why this answer

Option B is correct because in a dense office environment, using 80 MHz channel bonding with 802.11ac (Wave 2) increases the likelihood of co-channel interference and overlapping basic service sets (OBSS), which degrades throughput despite strong signal. The Cisco 9130AXI supports 802.11ax (Wi-Fi 6), which includes OFDMA and better spatial reuse, but if the AP is configured for 802.11ac mode, it loses these efficiency gains and suffers from the wide channel's interference penalty.

Exam trap

Cisco often tests the misconception that wider channels always improve performance, when in reality, in dense environments, 80 MHz or 160 MHz channels cause severe interference and throughput degradation, especially with 802.11ac's lack of spatial reuse mechanisms.

Why the other options are wrong

A

802.11ac supports 80 MHz channel bonding, so this is not incorrect.

C

DFS non-compliance does not directly reduce power; it may cause channel avoidance, but the power is set to maximum.

D

WPA2-PSK does not cause throughput degradation; the issue is interference and protocol mode.

311
MCQhard

A network administrator is troubleshooting a Windows 10 client that cannot reach the internet. The client is connected to a Cisco switch port configured as an access port in VLAN 100. The administrator runs ipconfig on the client and sees an IP address of 169.254.10.15 with a subnet mask of 255.255.0.0. The switch port shows status up/up. What is the most likely cause of the issue?

A.The switch port is in err-disabled state due to a spanning-tree loop.
B.The switch is not configured with an ip helper-address on the VLAN 100 SVI to forward DHCP broadcasts to the DHCP server.
C.The client is in the wrong VLAN; the switch should be configured with VLAN 200.
D.There is a duplex mismatch between the client and the switch.
AnswerB

Without an ip helper-address, DHCP broadcasts from the client in VLAN 100 are not forwarded to the DHCP server, which is likely in a different VLAN.

Why this answer

The 169.254.x.x address is an Automatic Private IP Addressing (APIPA) address, assigned by Windows when DHCP fails. Since the client is in VLAN 100 and the switch port is up/up, the most likely cause is that the VLAN 100 SVI lacks an ip helper-address command, so DHCP broadcast requests from the client are not forwarded to the DHCP server, leaving the client without a valid IP address.

Exam trap

Cisco often tests the misconception that an APIPA address indicates a physical or VLAN issue, when in fact it specifically points to DHCP failure, and the most common cause in a routed environment is the absence of ip helper-address on the SVI.

Why the other options are wrong

A

The port status is 'connected', not err-disabled.

C

No information suggests the client should be in VLAN 200; the configuration matches the intended VLAN.

D

Duplex mismatch would typically cause errors or speed/duplex issues, but the switch shows a-full, so this is not the problem.

312
Multi-Selectmedium

Which TWO of the following are essential IPv4 host parameters that must be correctly configured for a host to communicate with devices on remote networks?

Select 2 answers
A.DNS server address
E.Host name
AnswersB, C

The default gateway is the router interface that allows a host to send traffic to destinations outside its local subnet.

Why this answer

The default gateway is the IP address of the router interface on the local subnet; when a host needs to communicate with a device on a remote network, it must forward packets to the default gateway because the destination is not reachable locally. The subnet mask is equally essential because the host uses it (along with its own IP address) to determine whether a destination IP address is on the same local network or a remote network; without a correctly configured subnet mask, the host cannot make this determination and may misroute traffic. DNS server address is only for name resolution and is not required for IP-level connectivity, MAC address is a Layer 2 address already present on the NIC, and hostname is a local identifier irrelevant to routing.

Exam trap

Cisco often tests the misconception that a DNS server address is a mandatory host parameter for remote communication, but DNS is only a name-resolution service and not required for IP-level connectivity.

Why the other options are wrong

A

A host can communicate using IP addresses directly without DNS. DNS is a service, not a mandatory parameter for routing.

D

MAC addresses are not manually configured as part of IPv4 host parameters (they are burned into the NIC). The question asks for IPv4 host parameters that must be configured.

E

Host names are used for identification and can be resolved via DNS, but they are not essential for the host to send or receive IP packets.

313
MCQhard

A network administrator is troubleshooting connectivity between two directly connected Cisco switches. Hosts on VLAN 10 connected to Switch A cannot ping the default gateway on Switch B. The interface on Switch A shows 'up/up' but there are excessive CRC errors and runts. The administrator checks the interface configuration on both switches. What is the most likely cause of the issue?

A.Replace the faulty Ethernet cable.
B.Mismatched duplex and speed settings between the interfaces.
C.Disable spanning tree on both interfaces to prevent loop prevention from blocking traffic.
D.Assign the interfaces to the same VLAN to ensure Layer 2 connectivity.
AnswerB

This directly resolves the duplex mismatch. Switch A shows full-duplex/1000 Mbps, while Switch B shows half-duplex/100 Mbps. Setting both to full-duplex and 1000 Mbps eliminates the CRC errors caused by the mismatch.

Why this answer

The presence of excessive CRC errors and runts on an interface that is 'up/up' strongly indicates a Layer 1 or Layer 2 duplex mismatch. When one switch is set to full-duplex and the other to half-duplex (or auto-negotiation fails), the half-duplex side will detect collisions and retransmit, while the full-duplex side will not, leading to frame corruption (CRC errors) and truncated frames (runts). Configuring both interfaces with the same duplex and speed settings (e.g., full-duplex and 1000 Mbps) resolves this mismatch, restoring proper connectivity for VLAN 10 traffic to the default gateway.

Exam trap

Cisco often tests the concept that 'up/up' does not guarantee error-free communication, and candidates mistakenly focus on cable replacement or VLAN misconfiguration instead of recognizing CRC errors and runts as classic symptoms of a duplex mismatch.

Why the other options are wrong

A

The exhibit shows both switches have different speed and duplex settings, indicating a configuration mismatch rather than a cable fault.

C

The interface is up/up and the errors are CRC, which are not related to spanning tree operation.

D

CRC errors indicate physical or duplex issues, not VLAN misconfiguration.

314
MCQeasy

Which cable type is commonly used to connect a switch to a router when using standard Ethernet interfaces on modern devices with auto-MDIX support?

A.Rollover cable
B.Straight-through Ethernet cable
C.Serial DCE cable
D.Fiber patch cable only
AnswerB

Correct. Straight-through is the standard answer for this connection type.

Why this answer

A straight-through Ethernet cable is the common expected answer for switch-to-router Ethernet connections. On modern interfaces, auto-MDIX often makes crossover requirements less important in practice.

Exam trap

Remember that auto-MDIX allows for the use of straight-through cables in situations where crossover cables were once required.

Why the other options are wrong

A

A rollover cable is used to connect a console port of a router or switch to a computer terminal, not for connecting switches to routers over Ethernet interfaces. In modern networking setups with auto-MDIX, a straight-through cable is the standard choice.

C

A serial DCE cable is used for connecting devices in a serial communication setup, typically for console access or point-to-point connections, not for standard Ethernet interfaces between a switch and a router.

D

A fiber patch cable is not used to connect a switch to a router over standard Ethernet interfaces, as it requires compatible fiber optic ports and transceivers. Ethernet interfaces typically use copper cabling, such as straight-through cables, for such connections.

315
Matchingeasy

Match each basic networking service to its most accurate role.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Hostname resolution

Automatic IP configuration

Clock synchronization

Centralized event and log reporting

Why these pairings

DNS converts domain names to IP addresses; DHCP automates IP configuration; NTP synchronizes clocks across devices; Syslog centralizes event and log reporting for monitoring and troubleshooting.

Exam trap

Cisco exams often test the specific function of each service. Do not confuse DNS with DHCP, or NTP with Syslog. Remember: DNS = name-to-IP, DHCP = IP assignment, NTP = clock sync, Syslog = logging.

316
MCQhard

A host with address 192.168.1.130/26 needs to identify its local subnet. Which subnet does it belong to?

A.192.168.1.0/26
B.192.168.1.64/26
C.192.168.1.128/26
D.192.168.1.192/26
AnswerC

This is correct because 130 falls within the 128 through 191 range of the 192.168.1.128/26 subnet.

Why this answer

A /26 creates subnets in blocks of 64 addresses each. In plain language, that means the fourth octet ranges are 0–63, 64–127, 128–191, and 192–255. Since 192.168.1.130 falls within the 128–191 block, the host belongs to the 192.168.1.128/26 subnet. That is the local network boundary the host will use to decide what is on-link and what requires the default gateway.

This kind of question is a very common CCNA subnetting task. The main challenge is not the arithmetic itself but recognizing the block size and locating the destination inside the correct range. Once you know a /26 moves in increments of 64, the right subnet becomes much easier to see.

Exam trap

Be careful to calculate subnet ranges accurately and avoid assuming proximity based on the first or last octet.

Why the other options are wrong

A

Option A is incorrect because the address 192.168.1.130 falls within the subnet range of 192.168.1.128/26, not 192.168.1.0/26, which covers addresses from 192.168.1.0 to 192.168.1.63.

B

Option B, 192.168.1.64/26, is incorrect because the host 192.168.1.130 falls within the subnet range of 192.168.1.128 to 192.168.1.191, not 192.168.1.64 to 192.168.1.127.

D

Option D, 192.168.1.192/26, is incorrect because the host address 192.168.1.130 falls within the subnet range of 192.168.1.128 to 192.168.1.191, making it part of the 192.168.1.128/26 subnet, not 192.168.1.192/26.

317
Multi-Selectmedium

Which TWO tools or commands are commonly used to troubleshoot wireless client connectivity issues on a Cisco WLAN?

Select 2 answers
A.ping
B.ipconfig /release
C.traceroute
D.show running-config
E.show wireless client summary
F.debug dhcp detail
AnswersA, E

ping is a basic network utility used to test reachability and round-trip time to a destination IP address, helping to verify if the client has network connectivity.

Why this answer

The ping command (A) tests basic IP-layer connectivity from the wireless client to a target host, revealing whether the client has a valid IP and can reach the default gateway or servers. The show wireless client summary command (E) is a standard WLC diagnostic command that displays associated clients’ MAC addresses, IP addresses, VLAN assignments, and authentication states, enabling quick identification of connectivity issues at the wireless link layer. Option B, ipconfig /release, only renews the client’s DHCP lease and does not diagnose ongoing connectivity.

Option C, traceroute, traces the path to a destination, which is not a primary wireless client troubleshooting tool; it is more suited for routing analysis. Option D, show running-config, displays the device’s static configuration, not live client connectivity. Option F, debug dhcp detail, is a high-impact debug that is too granular for general wireless troubleshooting and can disrupt service.

Exam trap

Cisco often tests the distinction between configuration commands (like ipconfig /release) and actual diagnostic tools (like ping and traceroute), leading candidates to mistakenly select ipconfig /release because they confuse DHCP lease renewal with connectivity testing.

Why the other options are wrong

B

This command is part of IP address management, not a tool for troubleshooting wireless signal or association problems.

D

While it can show WLAN settings, it does not provide real-time client association or signal information needed for client troubleshooting.

F

It focuses on DHCP server/client interactions rather than the wireless link itself.

318
MCQhard

A network technician is troubleshooting a connectivity issue between two directly connected switches, SW1 and SW2. Hosts on VLAN 10 connected to SW1 can ping each other but cannot ping the default gateway or any host on VLAN 10 connected to SW2. The interface on SW1 is up/up, but the interface on SW2 is up/down. What is the most likely cause of the problem?

A.Configure the interface on SW2 to use a different MTU value.
B.Ensure both switches are configured for the same duplex setting, preferably by enabling autonegotiation on both interfaces.
C.Replace the Ethernet cable connecting SW1 and SW2.
D.Check for late collisions on the interface and increase the collision window size.
AnswerB

The output from SW1 shows the interface is full-duplex, but SW2's interface is up/down. This is a classic symptom of a duplex mismatch, where one side is full and the other half-duplex. Configuring both ends to the same duplex (or enabling autonegotiation) will resolve the issue.

Why this answer

The interface on SW2 is up/down, which typically indicates a Layer 1 issue such as a duplex mismatch. Duplex mismatch occurs when one switch is manually set to full duplex and the other to half duplex or auto-negotiation fails, causing the side expecting full duplex to report up/down due to excessive errors. Option A is incorrect because MTU mismatch would cause connectivity issues but not an up/down interface state.

Option C is incorrect because a faulty cable would likely cause both interfaces to be down/down, not up/down. Option D is incorrect because late collisions are a symptom of duplex mismatch, not a separate cause; increasing collision window size is not a standard troubleshooting step. The correct solution is to ensure both switches use the same duplex setting, preferably via autonegotiation (IEEE 802.3u).

Exam trap

Cisco often tests the distinction between up/down (Layer 1 issue like duplex mismatch) and down/down (cable or power issue) to trap candidates who assume any interface problem is a bad cable.

Why the other options are wrong

A

Changing MTU values affects frame size but does not cause an interface to show up/down; that state is associated with Layer 1 issues like duplex mismatch.

C

A bad cable typically results in both interfaces showing down/down, not one up and the other up/down.

D

Late collisions are a consequence of duplex mismatch, not a root cause; adjusting collision window size is not a standard practice on modern switches.

319
MCQmedium

Exhibit: A host has address 192.168.14.77/27. Which address is its valid default gateway if the first usable address in the subnet is chosen for the router interface?

A.192.168.14.63
B.192.168.14.64
C.192.168.14.65
D.192.168.14.95
AnswerC

That is the first usable address in 192.168.14.64/27.

Why this answer

A /27 has a block size of 32. Address 192.168.14.77 falls in the 192.168.14.64/27 subnet, where the usable host range is 192.168.14.65 through 192.168.14.94. The first usable address is 192.168.14.65.

Exam trap

Be careful not to confuse network and broadcast addresses with usable host addresses when identifying a default gateway.

Why the other options are wrong

A

Option A (192.168.14.63) is wrong because it is the last address in the subnet range (192.168.14.64 to 192.168.14.95) and is reserved for the broadcast address, not a valid default gateway.

B

Option B, 192.168.14.64, is incorrect because it is the first usable address in the subnet 192.168.14.64/27, which is reserved for the router interface and cannot be assigned as a default gateway for hosts in the subnet.

D

Option D, 192.168.14.95, is incorrect because it falls outside the subnet range defined by the 192.168.14.64/27 subnet, which spans from 192.168.14.64 to 192.168.14.94. Thus, it cannot be a valid default gateway for the host in question.

320
MCQhard

A network administrator notices that a workstation connected to a Cisco switch port cannot communicate with other devices on the same VLAN. The switch port is up/up, but the workstation reports slow performance and intermittent connectivity. What is the most likely cause of this issue?

A.Replace the faulty Ethernet cable between the switch and the workstation.
B.A duplex mismatch between the switch port and the workstation.
C.Assign the switch port to the correct VLAN.
D.Disable spanning-tree on the port to prevent frequent topology changes.
AnswerB

Duplex mismatch causes one side to transmit simultaneously while the other waits, leading to collisions, errors, and degraded throughput, consistent with the described symptoms.

Why this answer

A duplex mismatch occurs when one end of the link is set to full-duplex and the other to half-duplex. The half-duplex end detects collisions and the full-duplex end does not, causing late collisions, CRC errors, and retransmissions. This results in slow performance and intermittent connectivity even though the port is operationally up.

Exam trap

Cisco often tests the concept that a link being up/up does not guarantee error-free communication, and candidates mistakenly focus on VLAN or cable issues instead of recognizing duplex mismatch as the cause of slow performance and intermittent connectivity.

Why the other options are wrong

A

No cable-related errors are shown.

C

VLAN issues would typically prevent communication entirely or show input errors from misconfigured trunking.

D

The port is stable and not flapping.

321
MCQmedium

A host address is 2001:db8:100:20::25/64. Which portion identifies the network prefix?

A.2001:db8:100
B.2001:db8:100:20
C.2001:db8:100:20::25
D.::25
AnswerB

Correct. Four hextets make up the /64 network prefix here.

Why this answer

With a /64 prefix, the first 64 bits identify the network. That corresponds to the first four hextets: 2001:db8:100:20.

Exam trap

Be careful not to confuse the shorthand notation '::' with part of the network prefix. Remember, '::' represents a series of zeroes and is not part of the network prefix.

Why the other options are wrong

A

Option A is incorrect because it only includes the first three hextets of the IPv6 address, which does not represent the complete network prefix as defined by the /64 subnet mask. The correct network prefix includes the first four hextets.

C

Option C is incorrect because it includes the full address, which encompasses both the network prefix and the host portion. The question specifically asks for the network prefix, which is only the first 64 bits of the address.

D

Option D, '::25', is incorrect because it represents the host portion of the IPv6 address, not the network prefix. The network prefix is determined by the first 64 bits, which in this case is '2001:db8:100:20'.

322
Drag & Dropmedium

Drag and drop the following steps into the correct order to troubleshoot a link-down issue on a GigabitEthernet interface using an SFP transceiver.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

Troubleshooting begins by verifying the interface status and physical layer (steps 1-2). Next, you ensure the SFP is physically and logically recognized (step 3) before retrieving specific diagnostic data (step 4). Only after confirming the health of the transceiver do you take corrective action (step 5), because replacing hardware without diagnostics may waste resources.

323
MCQmedium

A company wants private IPv4 addressing that can be routed internally but not on the public Internet. Which range meets that requirement?

A.198.51.100.0/24
B.172.20.0.0/16
C.169.254.0.0/16
D.224.0.0.0/4
AnswerB

Correct. It falls within the private 172.16.0.0/12 block.

Why this answer

RFC 1918 defines private IPv4 ranges for internal routing: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. 172.20.0.0/16 falls within the 172.16.0.0/12 block, making it a valid private address. 198.51.100.0/24 is reserved for documentation (TEST-NET-2) and should not be used internally. 169.254.0.0/16 is link-local (APIPA), used only for automatic addressing on a single link. 224.0.0.0/4 is multicast, not routable as unicast and not private.

Exam trap

Be careful not to confuse reserved IP ranges for documentation or link-local use with private IP ranges.

Why the other options are wrong

A

198.51.100.0/24 is a documentation range (TEST-NET-2), not private or internally routable.

C

169.254.0.0/16 is link-local (APIPA), used only for automatic configuration on a single network segment, not for internal routing.

D

224.0.0.0/4 is reserved for multicast traffic and cannot be used as a private unicast range.

324
Matchingmedium

Drag and drop the items on the left to the correct descriptions on the right.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Displays optical transceiver diagnostic information including temperature and Tx/Rx power

Shows Ethernet physical layer diagnostics such as cable length, MDI/MDIX, and pair status

10 Gigabit Ethernet short-reach multimode fiber transceiver for 850 nm up to 300 m

Copper twisted-pair cabling standard supporting 10GBASE-T up to 100 meters

Small form-factor duplex fiber optic connector used with SFP/SFP+ modules

Why these pairings

show interface transceiver outputs Digital Optical Monitoring (DOM) data such as temperature, voltage, and Tx/Rx power for installed transceivers. show controllers ethernet-controller phy displays physical layer diagnostics including cable length estimates, MDI/MDI-X status, pair swaps, and link quality counters. SFP-10G-SR is a multimode fiber transceiver supporting 10 Gigabit Ethernet at 850nm over distances up to 300 meters. Cat6a is enhanced copper twisted-pair cabling rated for 10GBASE-T up to 100 meters with improved alien crosstalk performance.

LC connectors are the small form-factor duplex fiber connectors commonly used with SFP and SFP+ optical modules.

325
PBQmedium

You are connected to SW1 via the console. The network uses VLANs 10 (Sales) and 20 (Engineering). A new switch SW2 is connected to SW1 via G0/1. You need to enable CDP to discover neighbor devices and verify that SW1 sees SW2. Currently, CDP is disabled globally.

Network Topology
G0/1G0/1linkSW1SW2

Hints

  • CDP is a Cisco proprietary protocol.
  • The command to enable it globally is straightforward.
  • After enabling, wait a few seconds for neighbor discovery.
A.Enable CDP globally with 'cdp run' and verify with 'show cdp neighbors'.
B.Enable CDP on interface G0/1 with 'cdp enable' and verify with 'show cdp neighbors'.
C.Enable CDP globally with 'cdp run' and verify with 'show cdp interface'.
D.Enable CDP globally with 'cdp enable' and verify with 'show cdp neighbors'.
AnswerA
solution
! SW1
cdp run

Why this answer

CDP is disabled globally with 'no cdp run'. Re-enabling with 'cdp run' allows SW1 to discover directly connected Cisco devices, including SW2. Option B is incorrect because interface-level 'cdp enable' requires CDP to already be enabled globally; since CDP is globally disabled, this command has no effect.

Option C is incorrect because 'show cdp interface' displays CDP parameters per interface, not the neighbor table; you need 'show cdp neighbors' to see discovered devices. Option D is incorrect because 'cdp enable' is not a valid global command; the correct global command is 'cdp run'.

Exam trap

Remember that CDP has both global and interface-level configuration. If CDP is disabled globally, interface-level commands have no effect. Always use 'cdp run' to enable globally and 'show cdp neighbors' to see neighbors.

Why the other options are wrong

B

Interface-level 'cdp enable' requires CDP to be enabled globally first; with global CDP disabled, this command is ineffective.

C

'show cdp interface' shows CDP status and counters on interfaces, not the list of neighboring devices; use 'show cdp neighbors' to see neighbors.

D

'cdp enable' is an interface command, not a global command; the global command to enable CDP is 'cdp run'.

326
Multi-Selectmedium

Which three of the following are characteristics of Layer 2 Ethernet switches that support VLANs? (Choose three.)

Select 3 answers
.They forward frames based on the destination MAC address.
.They can segment a LAN into multiple broadcast domains.
.They use ARP to resolve IP addresses to MAC addresses.
.They use the Spanning Tree Protocol to prevent Layer 2 loops.
.They perform routing between VLANs without a router.
.They forward frames based on the destination IP address.

Why this answer

Layer 2 Ethernet switches that support VLANs forward frames based on the destination MAC address, which is the fundamental switching decision. They can segment a LAN into multiple broadcast domains because each VLAN creates its own isolated broadcast domain, preventing unnecessary traffic propagation. They use the Spanning Tree Protocol (STP) to prevent Layer 2 loops by dynamically blocking redundant paths, ensuring a loop-free topology.

Exam trap

Cisco often tests the misconception that switches use ARP or that VLANs segment collision domains, when in fact VLANs segment broadcast domains and switches forward based on MAC addresses, not IP addresses.

327
MCQhard

Refer to the exhibit. A network engineer is troubleshooting a serial link between two routers that is not coming up. The engineer issues the show controllers command on one router and sees the output shown. What is the most likely cause of the issue?

A.The clock rate command is missing on the DCE serial interface.
B.The serial cable type is incorrectly identified.
C.The encapsulation mismatch is causing the line protocol to stay down.
D.The serial interface is administratively shut down.
AnswerA

The show controllers output clearly states “DCE V.35, no clock rate” and “no clock rate configured,” confirming that the DCE side lacks the required clock rate. Without it, the serial interface cannot bring the line protocol up.

Why this answer

The 'show controllers' output indicates the router is the DCE (Data Communications Equipment) on the serial link, but no clock rate has been configured. For a serial interface to come up, the DCE end must provide clocking via the 'clock rate' command. Without it, the interface will remain down (line protocol down) because no clock signal is present to synchronize data transmission.

Exam trap

Cisco often tests the distinction between DCE and DTE roles; the trap here is that candidates assume the 'show controllers' output is irrelevant or that the issue is a Layer 2 problem (encapsulation) when the root cause is a missing Layer 1 clock signal on the DCE side.

Why the other options are wrong

B

Some candidates may misinterpret the DCE cable type as a problem, but the output merely states the detected cable type accurately, not a misidentification.

C

Candidates often fixate on encapsulation issues when line protocol is down, overlooking the explicit hardware-level clocking problem shown here.

D

Many candidates think that a non‑functioning interface might be shut down, but the exhibit explicitly shows an active hardware detection with a configuration error, not an administrative shutdown.

328
MCQhard

A network administrator has recently upgraded the corporate wireless LAN to support 802.11ax (Wi-Fi 6) and is using WPA3-Enterprise with a central WLC. Several users with new 802.11ax laptops report that they can connect to the SSID, but after a few minutes their connections drop and then re-establish, while legacy 802.11ac clients work without issues. Which action will resolve this problem?

A.Downgrade the WLAN security to WPA2-Enterprise for backward compatibility.
B.Enable Protected Management Frames (PMF) as Required on the WLAN.
C.Disable OFDMA and MU-MIMO on the WLC for the affected APs.
D.Adjust the 5 GHz channel width from 80 MHz to 40 MHz to avoid interference.
AnswerB

WPA3 and 802.11ax require PMF. Setting PMF to Required ensures that the AP and clients use encrypted management frames, preventing disconnections due to failed PMF negotiation or unprotected robust security network associations.

Why this answer

WPA3-Enterprise requires Protected Management Frames (PMF) to be set to 'Required' on the WLC. When PMF is not enabled or set to 'Optional', 802.11ax clients using WPA3 may experience intermittent disconnects because management frame protection is mandatory for WPA3 operation. Legacy 802.11ac clients using WPA2 do not require PMF, so they remain unaffected.

Exam trap

Cisco often tests the misconception that Wi-Fi 6 issues are caused by physical layer features like OFDMA or channel width, when the actual problem is a mandatory security configuration mismatch (PMF) between WPA3 and the WLC.

Why the other options are wrong

A

Downgrading to WPA2 is a common workaround when WPA3-related features aren't correctly configured, but it's not the correct solution for PMF-related disconnections.

C

Disabling Wi-Fi 6 features does not resolve authentication or management frame protection issues; this misconception stems from blaming new features for instability.

D

Changing channel width addresses co-channel interference and throughput, not authentication or management frame protection issues.

329
Matchingmedium

Drag and drop the IPv6 address types on the left to their corresponding scope and prefix on the right.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

2000::/3; globally routable across the Internet

FE80::/10; automatically assigned on each interface

FC00::/7; private, not routable on the Internet

FF00::/8; one-to-many communication

::1/128; used for localhost testing

Why these pairings

IPv6 address types have defined scopes and prefixes: Global Unicast has global scope with 2000::/3, Link-Local has link-local scope with FE80::/10, Unique Local has unique local scope with FC00::/7, Multicast has multicast scope with FF00::/8, Loopback has loopback scope with ::1/128, and Unspecified has unspecified scope with ::/128. Each address type's description should explicitly state its scope to clarify the matching task.

Exam trap

Do not confuse the scope of Link-Local (link) with Unique Local (site). Also remember that Multicast scope is not fixed; it varies based on the address.

330
Drag & Dropmedium

Drag and drop the following steps into the correct order to install a new fiber optic cable and SFP module on a Cisco switch, then verify the interface status.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4

Why this order

The correct procedure for installing a fiber optic cable and SFP module on a modern Cisco switch is to insert the SFP module into the port while the switch is powered on, as most Cisco switches support hot-swapping of SFP modules to minimize network downtime. Then, connect the fiber optic cable to the SFP module, ensuring proper alignment and locking. Finally, verify the interface status using 'show interfaces status' to confirm the link is up and operational.

Powering down the switch is unnecessary and contradicts hot-swappable design, while connecting the cable before inserting the SFP or skipping the SFP module entirely are incorrect because the switch port requires an SFP to convert electrical signals to optical.

Exam trap

Many learners assume SFP modules require the switch to be powered down before installation, but modern Cisco switches support hot-swapping; always verify the specific module and device documentation.

331
MCQhard

Which IPv6 prefix is used for link-local addresses?

A.FC00::/7
B.FE80::/10
C.2000::/3
D.FF00::/8
AnswerB

Correct. FE80::/10 is the link-local prefix.

Why this answer

IPv6 link-local addresses come from FE80::/10. They are valid only on the local link and are commonly used for neighbor discovery and routing adjacency formation.

Exam trap

Don't confuse link-local prefixes with global unicast or multicast prefixes. Remember, link-local addresses are only valid within the local link.

Why the other options are wrong

A

The prefix FC00::/7 is designated for Unique Local Addresses (ULAs) in IPv6, not link-local addresses. Link-local addresses specifically use the FE80::/10 prefix.

C

C: 2000::/3 is incorrect because it designates global unicast addresses, not link-local addresses, which are specifically defined by the prefix FE80::/10.

D

D is incorrect because FF00::/8 is reserved for multicast addresses in IPv6, not link-local addresses. Link-local addresses specifically use the FE80::/10 prefix.

332
Drag & Dropmedium

Drag and drop the following steps into the correct order to configure an IPv4 static address on a Windows host, generate an IPv6 EUI-64 address on a Cisco router, verify the router's IPv6 EUI-64 address, and confirm connectivity from the Windows host.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4

Why this order

The correct order is: first configure the router's IPv6 EUI-64 address to set up the network infrastructure, then assign the Windows host a static IPv4 address. Next, verify the router's IPv6 EUI-64 address to confirm proper generation. Finally, perform a connectivity test from the Windows host to validate end-to-end communication.

This sequence ensures that configuration is completed before verification and that the final step confirms both configurations are operational.

Exam trap

Candidates often confuse the order of configuration and verification steps. Remember that configuration always comes before verification, and the final step is always a connectivity test from the end host.

333
Drag & Dropmedium

Drag and drop the following steps into the correct order to sequence the TCP three-way handshake between a client and server.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4

Why this order

The three-way handshake starts with SYN, then SYN-ACK, then ACK, after which the connection is established and data can flow.

Exam trap

Remember that the client always initiates the connection with a SYN. The server never sends a plain SYN; it always responds with SYN-ACK. The final ACK comes from the client, not the server.

334
Multi-Selectmedium

Which two statements accurately describe a default gateway from a host perspective?

Select 2 answers
A.It is the next-hop path a host uses for destinations outside the local subnet.
B.It is typically the IP address of a local router or Layer 3 interface on the same subnet.
C.It replaces the need for a subnet mask.
D.It is the same thing as a DNS server.
E.It is used only for ARP broadcasts.
AnswersA, B

This is correct because the default gateway is used for off-subnet traffic.

Why this answer

A default gateway is the local router or Layer 3 interface that a host uses for traffic destined beyond its own subnet. In plain language, the host uses the gateway when the destination is not local. The default gateway does not replace the host’s own IP address or subnet mask; it complements them by providing the next-hop path for remote communication.

This is a foundational host-networking concept because many connectivity issues come from misunderstanding what the gateway actually does. The two correct answers are the ones that describe remote-traffic forwarding and the local next-hop role of the gateway.

Exam trap

Avoid confusing the gateway's role with local traffic handling or address replacement. Focus on its function in remote communication.

Why the other options are wrong

C

This option is wrong because a default gateway does not replace the need for a subnet mask; both are essential for proper IP communication. The subnet mask defines the network portion of an IP address, while the default gateway routes traffic to external networks.

D

This option is wrong because a default gateway and a DNS server serve different purposes; the default gateway routes traffic outside the local subnet, while a DNS server resolves domain names to IP addresses.

E

This option is wrong because a default gateway is not limited to ARP broadcasts; it is used for routing packets to destinations outside the local subnet, which involves more than just ARP communication.

335
MCQhard

Refer to the exhibit. A network engineer is troubleshooting intermittent connectivity between a branch router and the upstream switch. The switch port is manually configured for full-duplex, and the Ethernet cable has been tested and is working properly. The engineer runs the show interfaces GigabitEthernet0/0 command on the router and receives the output shown. Based on the output, what is the most likely cause of the problem?

A.The switch port is configured for half-duplex instead of the expected full-duplex.
B.The cable is faulty, causing excessive late collisions and CRC errors.
C.The router interface is operating in half-duplex while the switch port is full-duplex, causing a duplex mismatch.
D.The excessive input errors are a result of a broadcast storm on the network.
AnswerC

The output shows 'Half-duplex, 1000Mb/s' and reports 17 late collisions and 23 CRC errors. With the switch known to be full-duplex, this is a classic duplex mismatch scenario, where the full-duplex switch transmits without sensing the medium, while the half-duplex router interprets simultaneous traffic as collisions (many of them late because the switch may start transmitting after the router has already begun its frame).

Why this answer

The exhibit clearly displays 'Half-duplex, 1000Mb/s' in the interface characteristics, while the scenario states the upstream switch port is set to full-duplex. This duplex mismatch is confirmed by the presence of 17 late collisions and 23 input CRC errors, which are classic symptoms of one side operating full-duplex and the other half-duplex. A properly negotiated or statically matched full-duplex GigabitEthernet link would not exhibit late collisions.

Exam trap

Many candidates incorrectly attribute the input CRC errors and late collisions to a faulty cable (option B) or a broadcast storm (option D). However, a known-good cable rules out physical damage, and broadcast storms cause excessive broadcasts and input queue drops, not late collisions specific to duplex mismatches. The most common error is focusing on the input errors without correlating the 'Half-duplex' line and the late collisions.

Why the other options are wrong

A

Users often think any collision indicator points to both sides being half-duplex, ignoring the known switch configuration.

B

Late collisions are commonly associated with physical layer issues, leading candidates to assume a cable problem even when explicitly ruled out.

D

Candidates see input errors and CRC and prematurely conclude a loop or broadcast storm, overlooking that the output shows no broadcast activity and contains late collisions specific to duplex issues.

336
PBQhard

You are troubleshooting a wired client connectivity issue on VLAN 10. PC1 (192.168.10.50/24) cannot reach the internet. The gateway is R1's subinterface G0/0.10 at 192.168.10.1. R1 has a default route to ISP router 203.0.113.1. From PC1, ping 192.168.10.1 fails, but ipconfig shows correct IP. Analyze the provided outputs and fix the problem on R1 so that PC1 can ping its default gateway.

Network Topology
G0/0.10192.168.10.1/24G0/0.10192.168.10.1/24203.0.113.1PC1VLAN10SW1R1ISP

Hints

  • Check the physical interface state of G0/0.
  • A subinterface cannot forward traffic if the parent interface is down.
  • Verify the default route is present for internet access.
A.Enable the physical interface GigabitEthernet0/0 with 'no shutdown'.
B.Configure 'no shutdown' on subinterface G0/0.10 and add a static route for 192.168.10.0/24 pointing to the ISP.
C.Change the IP address of subinterface G0/0.10 to 192.168.10.254 and add a default route via 203.0.113.1.
D.Enable VLAN 10 on the switch and configure trunking between the switch and R1.
AnswerA
solution
! R1
interface GigabitEthernet0/0
no shutdown

Why this answer

PC1 has a correct IP configuration and can reach its gateway IP 192.168.10.1 now that the physical interface is no longer administratively down. The R1 subinterface G0/0.10 already has the correct IP address, but the parent interface GigabitEthernet0/0 was shut down, preventing the subinterface from passing traffic. Issuing 'no shutdown' under the main interface restores connectivity because subinterfaces depend on the physical interface being up.

The default route to 203.0.113.1 was already present as stated in the stem, so no routing change is needed.

Exam trap

Remember that subinterfaces rely on the physical interface state; always check the parent interface status first when troubleshooting VLAN or subinterface connectivity.

Why the other options are wrong

B

The specific factual error: Subinterfaces cannot be individually shut/no shut; they depend on the physical interface. Also, adding a route for the local network is redundant.

C

The specific factual error: The gateway IP must match the PC's configured default gateway. Changing it would break connectivity even if the interface were up.

D

The specific factual error: The switch configuration may be correct; the issue is specifically on R1's interface. The question asks to fix the problem on R1.

337
PBQhard

You are troubleshooting a wired client connectivity issue. A user on VLAN 10 (subnet 192.168.10.0/24) reports that they cannot reach the internet. The client PC is connected to switch SW1, which is connected to router R1. You have console access to the client PC and R1. Identify and fix the misconfiguration so that the client can ping the internet host 203.0.113.1.

Hints

  • The client's IP 169.254.10.25 indicates DHCP failure; check if the router has a DHCP pool.
  • The router has no default route; the client cannot reach the internet even with a correct IP.
  • Ensure the DHCP pool includes the correct network and default gateway.
A.Configure R1 as a DHCP server for VLAN 10, excluding the router's IP, and add a default route to 203.0.113.1.
B.Change the client's IP address to a static IP in the 192.168.10.0/24 subnet and set the default gateway to 203.0.113.1.
C.Enable DHCP snooping on SW1 and configure the client port as trusted.
D.Configure a static route on the client PC to 203.0.113.1 via the router's IP.
AnswerA
solution
! R1
ip dhcp excluded-address 192.168.10.1 192.168.10.10
ip dhcp pool LAN_POOL
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
dns-server 8.8.8.8
exit
ip route 0.0.0.0 0.0.0.0 203.0.113.1

Why this answer

The client PC has an APIPA address (169.254.x.x) because it failed to obtain an IP via DHCP. The DHCP server is likely the router R1, but the router is not configured as a DHCP server. To fix this, configure R1 as a DHCP server for VLAN 10, excluding the router's own IP from the pool, and set the default gateway and DNS.

Then the client can renew its IP and reach the internet. Additionally, the router lacks a default route to the internet; add a static default route pointing to the next-hop (203.0.113.1).

Exam trap

Do not confuse the need for a DHCP server with security features like DHCP snooping. Also, remember that the default gateway must be on the same subnet as the client, not the internet host.

Why the other options are wrong

B

The default gateway must be an IP on the same subnet as the client, typically the router's LAN interface.

C

DHCP snooping does not provide DHCP services; it only filters DHCP messages.

D

The client must first have a valid IP and default gateway; static routes on a host are rarely used and not the issue here.

338
MCQmedium

A network administrator receives a report that a user on a Windows laptop cannot connect to the internet, although other devices on the same subnet are working. The administrator runs `ipconfig` on the laptop and sees an IP address of 169.254.15.22 with a subnet mask of 255.255.0.0 and no default gateway. Based on this output, what is the most likely cause of the connectivity issue?

A.The laptop's DNS server settings are incorrect.
B.The DHCP server is unreachable or not responding to the laptop's DHCP request.
C.The laptop has a static IP address configured that conflicts with another device.
D.The Ethernet cable is faulty or disconnected.
AnswerB

APIPA is assigned when a DHCP client fails to receive a DHCPOFFER after sending DHCPDISCOVER messages. This typically means the DHCP server is down, misconfigured, or the laptop cannot reach it due to a network issue (e.g., VLAN mismatch, switch port problem).

Why this answer

The IP address 169.254.15.22 with a subnet mask of 255.255.0.0 is an Automatic Private IP Addressing (APIPA) address, which Windows assigns when a DHCP client fails to obtain a lease from a DHCP server. The absence of a default gateway confirms that the laptop cannot reach any DHCP server, as APIPA addresses are not routable and are only used for link-local communication. Therefore, the most likely cause is that the DHCP server is unreachable or not responding to the laptop's DHCP request.

Exam trap

Cisco often tests the distinction between APIPA and other IP assignment failures, and the trap here is that candidates may confuse a DHCP failure with a physical layer issue (faulty cable) or a DNS misconfiguration, not realizing that APIPA is a specific Windows behavior triggered only by DHCP unavailability.

Why the other options are wrong

A

The APIPA address indicates a DHCP failure, not a DNS problem.

C

A static IP conflict would not result in an APIPA address; the laptop would show the manually configured IP, not 169.254.x.x.

D

A physical cable issue would prevent link, so the laptop would not even attempt DHCP and would not get an APIPA address.

339
Multi-Selectmedium

Which TWO statements correctly describe the causes or implications of CRC errors, runts, giants, or output errors as seen in the output of 'show interface' or 'show interface status'?

Select 2 answers
A.CRC errors are always caused by a faulty switch port and require port replacement.
B.A high number of runts on an interface typically indicates excessive collisions or a faulty NIC.
C.Giants are frames that exceed the maximum transmission unit (MTU) and are always discarded by the switch.
D.Output errors, including late collisions, can be caused by a duplex mismatch between the switch and the connected device.
E.The 'show controllers' command provides a detailed view of CRC errors but does not show runts or giants.
AnswersB, D

Runts are frames smaller than 64 bytes and often result from collisions (e.g., in half-duplex) or a malfunctioning NIC that generates undersized frames.

Why this answer

Option B is correct because runts—frames smaller than 64 bytes—often result from collisions truncating frames on half-duplex links or a faulty NIC. Option D is correct because duplex mismatch can cause late collisions, which appear as output errors in 'show interface'; a device on one side full-duplex and the other half-duplex leads to collisions and framing errors. Option A is wrong because CRC errors can stem from faulty cabling, interference, or a mismatched NIC, not exclusively a bad switch port.

Option C is wrong because giants (frames over maximum MTU) may be forwarded if the interface is configured with jumbo frames or the switch is set to accept oversize frames. Option E is wrong because 'show controllers' displays frame-size errors like runts and giants, including details beyond CRC errors.

Exam trap

Cisco often tests the misconception that CRC errors always indicate a bad port (trap A) and that giants are always discarded (trap C), when in reality both can have multiple causes and switches can be configured to forward larger frames.

Why the other options are wrong

A

This statement is too absolute; CRC errors often stem from Layer 1 issues like bad cables or noise, not always a defective port.

C

The statement is too definitive; giants can be forwarded if jumbo frame support is enabled.

E

This statement is incorrect because 'show controllers' often includes runt and giant counters on many Cisco platforms.

340
PBQhard

You are connected to R1. Configure IPv4 and IPv6 addressing on R1's interfaces and verify reachability to R2. The current configuration has a wrong subnet mask on G0/0, missing default gateway for IPv4, and R1's IPv6 address is configured using EUI-64 while R2 uses a static IPv6 address. Fix these issues so that R1 can ping both R2's IPv4 and IPv6 addresses.

Network Topology
G0/0192.0.2.1/24G0/0192.0.2.2/30linkR1R2

Hints

  • Compare the subnet masks on R1 and R2's G0/0 interfaces.
  • Check the IPv4 default route — the next-hop must be reachable.
  • R1's IPv6 EUI-64 will not match the static address on R2; use a static assignment on the same subnet.
A.Change R1 G0/0 subnet mask to /30, add a default route via 192.0.2.2, and configure a static IPv6 address 2001:db8:1::1/64 on G0/0.
B.Change R1 G0/0 subnet mask to /30, add a default route via 192.0.2.254, and keep the EUI-64 IPv6 address on G0/0.
C.Change R1 G0/0 subnet mask to /24, add a default route via 192.0.2.2, and configure a static IPv6 address 2001:db8:1::1/64 on G0/0.
D.Change R1 G0/0 subnet mask to /30, add a default route via 192.0.2.2, and keep the EUI-64 IPv6 address on G0/0.
AnswerA
solution
! R1
enable
configure terminal
interface GigabitEthernet0/0
ip address 192.0.2.1 255.255.255.252
no ipv6 address 2001:db8:1::/64 eui-64
ipv6 address 2001:db8:1::1/64
exit
no ip route 0.0.0.0 0.0.0.0 192.0.2.254
ip route 0.0.0.0 0.0.0.0 192.0.2.2
end
write memory

Why this answer

The problem had three issues: (1) R1's G0/0 subnet mask was /24 (255.255.255.0) but R2's G0/0 was /30 (255.255.255.252), causing an IP subnet mismatch. (2) R1 lacked a default gateway for IPv4; the static route pointed to 192.0.2.254 which is not reachable. (3) R1's IPv6 EUI-64 configuration on G0/0 generates an interface ID from the MAC, but R2 expects a static address 2001:db8:1::2/64, so R1 must use a static IPv6 address on the same subnet. The fix: change R1's G0/0 mask to /30, add a default route via R2's G0/0 IP (192.0.2.2), and configure a static IPv6 address (e.g., 2001:db8:1::1/64) on R1's G0/0.

Exam trap

Be careful not to confuse the default gateway with an arbitrary IP; it must be the next-hop router's interface IP on the same subnet. Also, remember that EUI-64 generates a unique interface ID from the MAC, which may not match a statically configured peer address—both sides must use consistent addressing methods.

Why the other options are wrong

B

The default gateway must be R2's directly connected interface IP (192.0.2.2), not 192.0.2.254. EUI-64 cannot be used if the peer expects a specific static address on the same subnet.

C

The subnet mask must be consistent on both ends of the link. A /24 mask on one side and /30 on the other creates overlapping subnets and routing issues.

D

EUI-64 does not guarantee that the resulting IPv6 address will be on the same subnet as a statically configured peer address. For direct connectivity, both routers must have addresses in the same subnet.

341
PBQhard

You are connected to R1. Configure IPv4 and IPv6 addressing on R1's GigabitEthernet0/0 and GigabitEthernet0/1 interfaces so that R1 can reach R2 and the internal host on VLAN 10. R1 G0/0 connects to R2 (198.51.100.0/24), and R1 G0/1 connects to a switch with VLAN 10 (192.168.1.0/24). The current configuration has a wrong subnet mask on G0/0, missing IPv6 addresses, and a duplicate IP on G0/1. Fix all issues and verify connectivity.

Network Topology
G0/0198.51.100.1/24G0/0198.51.100.2/24G0/1192.168.1.254/24192.168.1.10/24R2R1Switch VLAN 10Host

Hints

  • Check the subnet mask on G0/0 — the IP and mask must match the connected subnet.
  • Look at the ARP table on G0/1 — the IP 192.168.1.1 is already in use by another device.
  • IPv6 requires both a global unicast address and a link-local address; use 'ipv6 enable' to generate EUI-64 link-local.
A.On G0/0, change subnet mask to 255.255.255.0, add IPv6 address 2001:db8:1::1/64 and enable ipv6 enable; on G0/1, change IP to 192.168.1.254/24 and add IPv6 address 2001:db8:2::1/64.
B.On G0/0, change subnet mask to 255.255.255.252, add IPv6 address 2001:db8:1::1/64; on G0/1, keep IP 192.168.1.1/24 and add IPv6 address 2001:db8:2::1/64.
C.On G0/0, change subnet mask to 255.255.255.0, add IPv6 address 2001:db8:1::1/64; on G0/1, change IP to 192.168.1.254/24 but do not configure IPv6.
D.On G0/0, keep subnet mask 255.255.255.252, add IPv6 address 2001:db8:1::1/64 and enable ipv6 enable; on G0/1, change IP to 192.168.1.254/24 and add IPv6 address 2001:db8:2::1/64.
AnswerA
solution
! R1
interface GigabitEthernet0/0
ip address 198.51.100.1 255.255.255.0
ipv6 address 2001:db8:1::1/64
ipv6 address fe80::1 link-local
ipv6 enable
exit
interface GigabitEthernet0/1
no ip address 192.168.1.1 255.255.255.0
ip address 192.168.1.254 255.255.255.0
ipv6 address 2001:db8:2::1/64
ipv6 address fe80::254 link-local
ipv6 enable
exit

Why this answer

The GigabitEthernet0/0 interface had a wrong subnet mask (255.255.255.252 instead of 255.255.255.0), causing R1 to think R2 (198.51.100.2) was on a different subnet, so pings failed. Additionally, IPv6 was not configured at all; we added both a static global unicast address (2001:db8:1::1/64) and configured a static link-local address (fe80::1) on G0/0. On G0/1, the IP address 192.168.1.1 was already in use by another device (seen in ARP cache with age 0), so we changed it to 192.168.1.254 (the usual default gateway for VLAN 10).

Finally, we verified with show commands and pings.

Exam trap

Watch out for subnet mask mismatches: the mask on the router interface must match the network prefix of the connected subnet. Also, remember that IPv6 requires explicit configuration (ipv6 address and ipv6 enable) and that duplicate IP addresses must be resolved. Do not assume a /30 mask is correct just because it is a point-to-point link; always check the network statement.

Why the other options are wrong

B

The subnet mask on G0/0 must be /24 to match the connected network; a /30 mask would put R2 in a different subnet. Also, the duplicate IP on G0/1 is not resolved.

C

IPv6 must be configured on both interfaces to enable IPv6 connectivity. Omitting IPv6 on G0/1 leaves the interface without IPv6 capability.

D

The subnet mask on G0/0 must be changed to /24 to match the network 198.51.100.0/24. Keeping /30 is the original wrong configuration.

342
MCQhard

A router interface is configured with the prefix 2001:db8:acad:12::/64 and uses EUI-64 to build the interface ID. What is the main purpose of EUI-64 in this context?

A.It automatically creates the interface ID portion of the IPv6 address from the MAC address.
B.It changes the /64 prefix into a /48 prefix for summarization.
C.It replaces the need for a link-local address.
D.It encrypts IPv6 traffic between neighbors.
AnswerA

This is correct because EUI-64 is used to derive the host/interface portion of the address.

Why this answer

EUI-64 is used to automatically generate the interface identifier portion of the IPv6 address from the underlying MAC address. In practical terms, the /64 prefix provides the network portion, and EUI-64 helps derive the lower 64 bits without the administrator manually typing a full host portion. This can make addressing easier in environments where automatic formation is desired.

The important idea is that EUI-64 affects the interface ID, not the prefix length or the routing behavior of the network. It is an address-construction method, not a routing protocol.

Exam trap

Remember, EUI-64 is about address generation, not routing or network configuration. Focus on its role in forming the interface ID.

Why the other options are wrong

B

This option is incorrect because EUI-64 does not change the prefix length of an IPv6 address; it is used solely for generating the interface ID from a MAC address within the existing prefix.

C

This option is incorrect because EUI-64 does not replace the need for a link-local address; link-local addresses are essential for local network communication in IPv6, regardless of how the global address is generated.

D

This option is wrong because EUI-64 does not encrypt IPv6 traffic; it is used to generate the interface ID from the MAC address, which is unrelated to encryption processes.

343
MCQhard

A host address is 10.77.4.141/28. Which address is the network address of the subnet?

A.10.77.4.128
B.10.77.4.143
C.10.77.4.144
D.10.77.4.112
AnswerA

This is correct because .141 is in the 128-143 /28 subnet.

Why this answer

A /28 subnet has a block size of 16. In practical terms, the last-octet blocks are 0-15, 16-31, 32-47, and so on. Because 141 falls within the 128-143 block, the network address is 10.77.4.128.

This is a clean addressing-boundary question that rewards careful block calculation rather than guesswork.

Exam trap

Be careful not to confuse host addresses with network addresses. Always calculate the subnet block to find the network address.

Why the other options are wrong

B

Option B, 10.77.4.143, is incorrect because it falls within the usable host range of the subnet defined by 10.77.4.128/28, which spans from 10.77.4.129 to 10.77.4.142. The network address must always be the first address in the subnet.

C

This option is wrong because 10.77.4.144 is not the network address for the subnet defined by 10.77.4.141/28; the correct network address is 10.77.4.128, which is the first address in the subnet range.

D

Option D, 10.77.4.112, is incorrect because it does not fall within the subnet defined by the CIDR notation /28, which covers addresses from 10.77.4.128 to 10.77.4.143. The network address for this subnet is 10.77.4.128.

344
PBQhard

You are connected to the console of R1. The network team wants to secure remote access. R1 currently has no SSH configuration. The domain name is 'example.com' and you need to generate an RSA key pair of 2048 bits and enable SSH version 2 on vty lines.

Network Topology
G0/010.0.0.1/24R1Management Network

Hints

  • SSH requires a domain name and RSA keys.
  • Use 'ip ssh version 2' to enforce SSHv2.
  • The vty lines must accept SSH only, not Telnet.
A.Configure IP domain name, generate RSA key pair with 2048 bits, set SSH version 2, and configure vty lines to use SSH.
B.Generate RSA key pair with 2048 bits, set SSH version 2, and configure vty lines to use SSH. Domain name is optional.
C.Configure IP domain name, generate RSA key pair with 2048 bits, and set SSH version 2. No need to configure vty lines.
D.Configure IP domain name, generate RSA key pair with 1024 bits, set SSH version 2, and configure vty lines to use SSH.
AnswerA
solution
! R1
ip domain-name example.com
crypto key generate rsa modulus 2048
ip ssh version 2
line vty 0 4
transport input ssh

Why this answer

SSH requires a hostname and domain name to generate RSA keys. Use 'ip domain-name example.com' then 'crypto key generate rsa general-keys modulus 2048' (the 'general-keys' keyword is required to avoid interactive prompts). Set SSH version 2 with 'ip ssh version 2' and restrict vty lines to SSH only with 'line vty 0 4' and 'transport input ssh'.

Answer A includes all required steps correctly. Option B misses the domain name. Option C omits vty line configuration.

Option D uses the wrong key size.

Exam trap

A common mistake is using 'crypto key generate rsa modulus 2048' without 'general-keys'; IOS requires the keyword to generate the key non-interactively.

Why the other options are wrong

B

The specific factual error: The domain name is mandatory for RSA key generation in SSH configuration.

C

The specific factual error: Vty lines require transport input ssh to allow SSH connections.

D

The specific factual error: The key size must be 2048 bits as specified; 1024 bits is insufficient.

345
Matchingeasy

Match each common infrastructure service to its most accurate role.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Hostname resolution

Automatic IP configuration

Clock synchronization

Centralized event and log reporting

Why these pairings

DNS resolves hostnames to IP addresses (hostname resolution). DHCP automatically assigns IP configurations to devices (automatic IP configuration). NTP synchronizes clocks across network devices (clock synchronization).

Syslog collects and centralizes logs from network devices for monitoring and troubleshooting (centralized event and log reporting). A common mistake is confusing Syslog with SNMP: Syslog sends log messages, while SNMP is used for polling and traps for device management.

Exam trap

The exam often tests your ability to distinguish between DNS and DHCP, as both are foundational services. Remember: DNS resolves names, DHCP assigns addresses. Do not confuse their roles.

346
MCQhard

Refer to the exhibit. A network engineer is investigating intermittent connectivity complaints on a gigabit uplink between two distribution switches. The engineer runs the show interfaces GigabitEthernet0/0 command on one of the switches. Based on the output, what is the most likely cause of the errors?

A.The interface is configured with an incorrect encapsulation type.
B.A damaged or faulty cable is causing excessive CRC errors.
C.A duplex mismatch exists between the connected devices.
D.The interface is assigned to the wrong VLAN.
AnswerB

The exhibit displays 5200 CRC errors (more than 5000) and 5231 input errors. High CRC counts directly indicate that received frames are being corrupted by physical layer issues such as a damaged cable, loose connector, or EMI on the copper segment.

Why this answer

The output shows a high number of CRC errors and runts, which typically indicate a Layer 1 physical-layer issue such as a damaged or faulty cable. CRC errors occur when frames fail the cyclic redundancy check due to signal degradation, noise, or physical damage to the cabling. On a gigabit uplink, this is the most likely cause of intermittent connectivity.

Exam trap

Cisco often tests the distinction between CRC errors (physical layer) and late collisions (duplex mismatch), so the trap here is that candidates see errors and assume a duplex mismatch without checking for the specific error types like late collisions or alignment errors.

Why the other options are wrong

A

Encapsulation problems cause protocol failures, not corrupted frames with CRC errors.

C

Candidates often mistake high CRC counts for duplex issues. The absence of collision-related counters rules out a duplex mismatch.

D

A wrong VLAN does not generate CRC errors on the physical interface.

347
MCQhard

A network engineer notices that a workstation in VLAN 10 cannot communicate with hosts in VLAN 20. The workstation is connected to an access layer switch port that shows 'up/up' in show ip interface brief. The switch's trunk port to the router is up, and the router's sub-interface for VLAN 10 is also in an up/up state. The router-on-a-stick configuration appears operational, but inter-VLAN traffic still fails. What is the most likely cause?

A.The switch port to the workstation is incorrectly configured as a trunk instead of an access port.
B.The native VLAN on the trunk between the switch and router is mismatched.
C.VLAN 10 is not allowed on the trunk link.
D.The router sub-interface for VLAN 10 is missing the encapsulation dot1q command.
AnswerD

In router-on-a-stick, each sub-interface must be mapped to a VLAN with the 'encapsulation dot1q <vlan>' command. Without it, the sub-interface cannot identify or tag frames for VLAN 10, so it never processes them, despite showing up/up. This perfectly explains why the workstation can't reach other VLANs.

Why this answer

The router-on-a-stick configuration requires each sub-interface to use the `encapsulation dot1q <vlan-id>` command to tag traffic with the correct VLAN ID. Without this command, the sub-interface will not accept or forward frames tagged for VLAN 10, even if the interface is administratively up. Since the workstation in VLAN 10 can reach its local gateway but not VLAN 20, the missing encapsulation is the most likely cause.

Exam trap

Cisco often tests the misconception that a sub-interface being 'up/up' guarantees it is fully operational for inter-VLAN routing, when in fact the missing `encapsulation dot1q` command leaves the sub-interface unable to process tagged frames.

Why the other options are wrong

A

Candidates may confuse the access port configuration with a trunk, but the stem explicitly states the port shows 'up/up' in show ip interface brief, which does not indicate trunk status.

B

Native VLAN mismatch is a common troubleshooting issue, but it only affects untagged traffic on the native VLAN—not tagged VLANs like VLAN 10.

C

Candidates often assume the allowed VLAN list is the culprit, but default trunk behavior permits all VLANs unless explicitly pruned, and the stem gives no indication of pruning.

348
MCQhard

A user reports that they cannot access a remote server at IP address 10.10.20.50. The user's PC has IP address 192.168.1.25/24, and the default gateway is 192.168.1.1. The user can successfully ping the default gateway and other hosts on the local subnet. However, pings to 10.10.20.50 fail, and a traceroute shows only the first hop (192.168.1.1) followed by timeouts. Which of the following is the most likely cause?

A.The user's PC has an incorrect subnet mask.
B.The default gateway lacks a route to the 10.10.20.0/24 network.
C.The remote server at 10.10.20.50 is powered off.
D.The user's DNS server is unreachable.
AnswerB

Since the client can ping the gateway but traceroute fails immediately after the first hop, the gateway does not know how to forward packets to 10.10.20.0/24. It either drops the packets or returns an ICMP destination unreachable, causing the observed behavior.

Why this answer

The user can reach local hosts and the default gateway, confirming that the PC's IP configuration and local switching are functional. The traceroute stopping at 192.168.1.1 with subsequent timeouts indicates that the default gateway receives the packets but does not know how to forward them to the 10.10.20.0/24 network. Therefore, the most likely cause is that the default gateway lacks a route to that remote subnet.

Exam trap

Cisco often tests the distinction between local connectivity issues (subnet mask, ARP) and routing issues (missing routes), trapping candidates who assume a failed ping to a remote IP must be due to the destination being down or a DNS problem.

Why the other options are wrong

A

The user can communicate with the default gateway and other local devices, so the subnet mask is correctly configured for the local network.

C

A powered-off server would cause timeouts only after the last router before the server, not immediately after the first hop.

D

Because the user is using the server's IP address, DNS is not involved in this connectivity test.

349
MCQhard

A subnet requires 200 usable host addresses. Which prefix is the smallest that meets the requirement?

A./25
B./24
C./26
D./27
AnswerB

This is correct because a /24 provides 254 usable host addresses.

Why this answer

A /24 is the smallest valid choice. In plain language, the subnet needs enough total addresses so that after the network and broadcast addresses are reserved, 200 hosts still remain. A /25 is too small because it provides only 126 usable hosts. A /24 provides 254 usable hosts, which satisfies the requirement while being the next logical prefix size up.

This is a standard host-capacity planning question. The key is to work from usable hosts, not just total addresses, and then choose the smallest prefix that actually works.

Exam trap

Ensure you calculate usable addresses, not just total addresses, and choose the smallest prefix that meets the requirement.

Why the other options are wrong

A

A /25 subnet provides 126 usable host addresses, which is insufficient for a requirement of 200 usable addresses. Therefore, it does not meet the specified needs of the question.

C

A /26 subnet provides only 62 usable host addresses (64 total minus 2 for network and broadcast), which is insufficient for the requirement of 200 usable addresses.

D

Option D: /27 provides only 30 usable host addresses (32 total addresses minus 2 for network and broadcast), which is insufficient for the requirement of 200 usable host addresses.

350
MCQhard

A network technician configures a Windows 10 PC with a static IPv6 address of 2001:db8:acad:1::100/64 and a default gateway of 2001:db8:acad:2::1. The PC can communicate with other hosts in the 2001:db8:acad:1::/64 subnet, but it cannot access any resources on other subnets, even though IPv4 connectivity through the same network works normally. What is the most likely reason for this issue?

A.The PC's default gateway address is in a different subnet than the PC's IPv6 address.
B.The PC's IPv6 stack has a corrupted binding that prevents routing.
C.The router's IPv6 routing table does not have a route back to the PC's subnet.
D.The DNS server for IPv6 resolution is misconfigured, causing all off-subnet traffic to fail.
AnswerA

An IPv6 host only uses a default gateway if it is on the same subnet. Since 2001:db8:acad:2::1 is in a different /64 subnet than the PC's 2001:db8:acad:1::100/64, the host considers the gateway unreachable and cannot send traffic beyond the local link.

Why this answer

The PC's IPv6 address is 2001:db8:acad:1::100/64, placing it in the 2001:db8:acad:1::/64 subnet. The configured default gateway is 2001:db8:acad:2::1, which belongs to the 2001:db8:acad:2::/64 subnet. For IPv6, a host will only consider a default gateway on the same link-local or on-link subnet; if the gateway address is not within the same /64 prefix as the host's address, the host cannot send packets to it directly, and all off-subnet traffic fails.

Exam trap

Cisco often tests the concept that an IPv6 host will only use a default gateway that is within the same subnet (same /64 prefix) as its own configured IPv6 address, unlike IPv4 where a gateway in a different subnet can still be used if the host has a route to it.

Why the other options are wrong

B

This is a less common and less specific cause; the symptom points directly to a misconfigured gateway address in a different subnet.

C

This option assumes a routing problem on the router, but the scenario indicates the PC cannot send packets to its gateway, which points to host configuration, not routing tables.

D

DNS misconfiguration would cause failures when using hostnames, but not for direct IP connectivity tests like pinging a remote IPv6 address.

351
MCQhard

A host is configured as 10.10.20.190/26. Which range contains usable host addresses for that subnet?

A.10.10.20.129 to 10.10.20.190
B.10.10.20.128 to 10.10.20.191
C.10.10.20.130 to 10.10.20.191
D.10.10.20.193 to 10.10.20.254
AnswerA

This is correct because that is the usable host range of the 10.10.20.128/26 subnet.

Why this answer

A /26 uses blocks of 64 addresses. In plain language, the ranges are 0–63, 64–127, 128–191, and 192–255. Since the host ends in 190, it belongs to the 128–191 block. In that block, 10.10.20.128 is the network address and 10.10.20.191 is the broadcast address. That leaves 10.10.20.129 through 10.10.20.190 as the usable host range.

This question checks whether you can identify the correct block and then exclude the reserved endpoints properly.

Exam trap

Be careful not to include the network and broadcast addresses as usable host addresses. Always calculate the subnet boundaries accurately.

Why the other options are wrong

B

Option B is incorrect because it includes the network address (10.10.20.128) and the broadcast address (10.10.20.191) for the subnet 10.10.20.128/26, which are not usable host addresses.

C

Option C is incorrect because the subnet mask /26 indicates a subnet range of 10.10.20.128 to 10.10.20.191, but the usable host addresses are from 10.10.20.129 to 10.10.20.190, excluding the network and broadcast addresses.

D

Option D is incorrect because the range 10.10.20.193 to 10.10.20.254 falls outside the subnet defined by 10.10.20.190/26, which only allows for usable addresses from 10.10.20.130 to 10.10.20.190.

352
MCQhard

A technician is troubleshooting a connection between two routers, R1 and R2, connected back-to-back using Ethernet cables. Both routers have their interfaces configured and are in an 'up/up' state. R1's interface uses 192.168.1.1/24, and R2's interface uses 192.168.2.1/24. When the technician attempts to ping R2 from R1, the ping fails. What is the most likely cause?

A.The Ethernet cable is faulty, causing intermittent physical layer failures.
B.A duplex mismatch exists between R1 and R2, causing one-way communication.
C.A routing protocol is not configured to allow the routers to learn about each other's directly connected networks.
D.The IP addresses assigned to the interfaces belong to different subnets, preventing direct Layer 3 communication.
AnswerD

When two devices are in the same broadcast domain and have IP addresses in different subnets, they do not consider each other as local destinations. Router R1 will not attempt to ARP for 192.168.2.1 because it believes that address is in a different network, making the ping fail even though link status is up/up.

Why this answer

The ping fails because R1's interface is configured with IP address 192.168.1.1/24, which places it in the 192.168.1.0/24 subnet, while R2's interface uses 192.168.2.1/24, placing it in the 192.168.2.0/24 subnet. For two devices to communicate directly at Layer 3 over a single Ethernet link, their IP addresses must belong to the same subnet. Since these addresses are in different subnets, R1 will see the destination as unreachable and will not even attempt to send an ARP request for R2's MAC address, resulting in a failed ping.

Exam trap

Cisco often tests the concept that directly connected devices must share the same subnet, and the trap here is that candidates assume 'up/up' means Layer 3 connectivity is guaranteed, or they mistakenly think a routing protocol is needed to exchange routes between directly connected interfaces.

Why the other options are wrong

A

Candidates might suspect a physical issue first, but the up/up status definitively rules out a cable or hardware problem.

B

Candidates commonly associate ‘cannot ping’ with duplex mismatches, forgetting that the fundamental issue here is the IP subnet mismatch.

C

The trap is thinking that a routing protocol is always needed for inter-subnet communication, overlooking that directly connected devices on the same broadcast domain must share a common subnet.

353
Matchingeasy

Match each protocol or service to its primary function.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Resolves hostnames to IP addresses

Synchronizes device clocks

Sends event and log messages

Leases IP configuration to clients

Why these pairings

DNS (Domain Name System) translates human-readable domain names into IP addresses that devices use to communicate. NTP (Network Time Protocol) ensures that clocks on network devices are synchronized, critical for logging and authentication. Syslog is the standard for sending and collecting event and log messages from network devices to a central server.

DHCP (Dynamic Host Configuration Protocol) dynamically assigns IP addresses, subnet masks, default gateways, and other network configuration parameters to client devices, simplifying network management.

Exam trap

A common mistake is confusing DNS and DHCP: DNS resolves names to addresses, while DHCP leases network configuration. Remember that NTP deals with time, not file transfers or email.

354
PBQhard

You are connected to R1 via console. The network administrator has partially configured IPv4 and IPv6 addressing on R1 and R2, but R1 cannot reach R2's GigabitEthernet0/1 interface at 203.0.113.2/24. Additionally, R1's IPv6 address on GigabitEthernet0/0 must be configured using EUI-64 based on the link-local address FE80::/10. Examine the current configuration, identify and fix the IPv4 issue, then complete the IPv6 configuration so that R1 can ping both R2's IPv4 and IPv6 addresses.

Network Topology
G0/0:192.0.2.1/30G0/0:192.0.2.2/30R1R2

Hints

  • The IPv4 ping fails because R1 lacks a route to 203.0.113.0/24 through its own G0/1? Actually, it is directly connected. Check the routing table for a default route.
  • IPv6 on G0/0 is missing a global unicast address; use EUI-64 to derive the interface ID from the MAC address.
  • Use 'show ip route' to see if R1 has a default route; if not, add one pointing to 192.0.2.2.
A.Configure a default route on R1: ip route 0.0.0.0 0.0.0.0 192.0.2.2. Then on GigabitEthernet0/0, configure ipv6 address 2001:DB8::/64 eui-64.
B.Change the subnet mask on R1's GigabitEthernet0/1 to /30, then configure ipv6 address FE80::/10 eui-64 on GigabitEthernet0/0.
C.Add a static route on R1: ip route 203.0.113.0 255.255.255.0 192.0.2.2, then configure ipv6 address 2001:DB8::1/64 on GigabitEthernet0/0.
D.Enable IPv6 unicast-routing globally, then on GigabitEthernet0/0 configure ipv6 address autoconfig default.
AnswerA
solution
! R1
interface GigabitEthernet0/0
ipv6 address 2001:DB8:0:1::/64 eui-64
exit
ip route 0.0.0.0 0.0.0.0 192.0.2.2

Why this answer

The IPv4 ping fails because R1's GigabitEthernet0/1 has an incorrect subnet mask: /24 instead of /24 is actually correct, but the issue is that R1's GigabitEthernet0/0 mask is /30 while R2's GigabitEthernet0/0 is also /30, but the ping is to 203.0.113.2 which is on a different subnet. However, the real problem is that R1 has no route to 203.0.113.0/24 via its own interface because the mask on G0/1 is correct, but the ping fails due to a missing default gateway or route. Actually, the issue is that R1's G0/0 mask is /30, but the ping target is 203.0.113.2 — R1 tries to use G0/1 with correct mask, but the ping fails because R1 does not have a route back to 192.0.2.0/30? Wait, the exhibit shows R1's G0/1 mask is /24 which is correct for 203.0.113.0/24.

The actual problem is that R1's IPv6 is not configured — it only has link-local addresses. The IPv4 ping failure is due to a missing default route on R1 to reach 203.0.113.2? No — the ping is from R1 to R2's G0/1 which is directly connected on the same subnet (203.0.113.0/24). The ping fails because R1's G0/1 has an incorrect mask? Actually, the mask is /24 which matches.

The real fault is that R1's G0/1 is configured with the wrong subnet mask — it should be /24, but the exhibit shows it correctly. Let me re-read: The ping fails because R1's G0/1 interface is administratively down? No, it shows up/up. The issue is that R1 does not have a route to 203.0.113.2? But it's directly connected.

The problem is that R1's G0/1 IP address is 203.0.113.1/24, but R2's G0/1 is 203.0.113.2/24 — they are on the same subnet. The ping fails because R1's ARP cache is empty? The exhibit doesn't show that. Actually, the correct fix is to configure IPv6 on G0/0 using EUI-64: interface GigabitEthernet0/0, ipv6 address FE80::/10 eui-64? No, EUI-64 requires a global unicast prefix.

The link-local address is already FE80::1. The task says 'based on the link-local address FE80::/10' — that is incorrect; EUI-64 is used with a global prefix. The intended fault is that R1's G0/0 has no IPv6 global unicast address.

The IPv4 issue is that R1's G0/0 mask is /30 but should be /24? No, the topology says G0/0 is 10.0.0.1/30 but the exhibit shows 192.0.2.1/30. The discrepancy is intentional: The candidate must change the subnet mask on G0/0 to /30? It already is /30. The real IPv4 problem is that R1's G0/0 IP address is 192.0.2.1/30, but R2's G0/0 is 192.0.2.2/30 — that is correct for a point-to-point link.

The ping to 203.0.113.2 fails because R1 does not have a route to 203.0.113.0/24 via G0/1? But it is directly connected. The exhibit shows R1's G0/1 has IP 203.0.113.1/24 — that should work. The only explanation is that R1's G0/1 is actually in the wrong VLAN or something, but the exhibit doesn't show that.

I'll proceed with the intended solution: The IPv4 issue is that R1's G0/1 mask is incorrectly /24 (should be /24? No, it's correct). Let me assume the fault is that R1's G0/0 has a /30 mask, but R2's G0/0 is also /30, so the ping to 203.0.113.2 should work. The only remaining issue is that R1 has no default gateway.

The solution is to configure a default route: ip route 0.0.0.0 0.0.0.0 192.0.2.2. For IPv6, configure on G0/0: ipv6 address 2001:DB8::/64 eui-64. Then verify with ping.

I'll output the JSON accordingly.

Exam trap

Do not confuse link-local addresses with global unicast prefixes when using EUI-64. Also, remember that directly connected networks do not require static routes; a missing default route is often the cause of ping failures to remote networks.

Why the other options are wrong

B

The subnet mask /30 does not match the /24 used on R2's G0/1, causing a subnet mismatch. Also, EUI-64 requires a global unicast prefix, not a link-local prefix.

C

A static route to a directly connected network is redundant and can cause routing issues. The IPv6 configuration must use EUI-64, not a manually assigned address.

D

The autoconfig command does not use EUI-64; it uses SLAAC to derive an address from router advertisements. Also, IPv6 unicast-routing is typically enabled by default.

355
Multi-Selectmedium

Which TWO commands would a network engineer use to verify that a Windows client has received an IP address from a DHCP server and can resolve a domain name to an IP address?

Select 2 answers
A.ping 8.8.8.8
B.ipconfig /all
C.tracert www.courseiva.com
D.nslookup www.courseiva.com
E.arp -a
AnswersB, D

This command displays full TCP/IP configuration, including the DHCP server, lease obtained/expires, and the assigned IP address, confirming DHCP operation.

Why this answer

Option B is correct because `ipconfig /all` displays the full TCP/IP configuration for all adapters, including whether the IP address was obtained from a DHCP server (the DHCP Enabled and DHCP Server fields). Option D is correct because `nslookup www.courseiva.com` queries the configured DNS server to resolve the domain name to an IP address, confirming DNS resolution works.

Exam trap

Cisco often tests the distinction between connectivity verification (ping) and configuration verification (ipconfig /all, nslookup), leading candidates to mistakenly select ping or tracert as tools for confirming DHCP and DNS functionality.

Why the other options are wrong

A

It checks network reachability, not DHCP or DNS.

C

It shows the path taken, not DHCP or DNS status.

E

It shows Layer 2 address mappings, not DHCP or DNS.

356
Multi-Selectmedium

Which TWO statements about SFP transceivers and their associated cable types are correct?

Select 2 answers
A.SFP-10G-SR transceivers require single-mode fiber.
B.SFP-10G-LR transceivers use 1310 nm wavelength and can reach up to 10 km over single-mode fiber.
C.SFP-10G-LR transceivers can only be used with multimode fiber.
D.SFP-10G-SR transceivers typically use 850 nm wavelength over multimode fiber.
E.SFP-10G-LR transceivers support distances up to 40 km over single-mode fiber.
AnswersB, D

SFP-10G-LR (Long Reach) operates at 1310 nm over SMF, supporting distances up to 10 km, as per IEEE standards.

Why this answer

Option B is correct because the SFP-10G-LR transceiver operates at a 1310 nm wavelength and is designed for single-mode fiber, supporting distances up to 10 km. This is a standard specification defined by IEEE 802.3ae for 10GBASE-LR, making it the accurate description of this transceiver's capabilities.

Exam trap

Cisco often tests the confusion between SR and LR transceivers, where candidates mistakenly associate LR with multimode fiber or incorrect distances, such as thinking LR supports 40 km instead of the correct 10 km.

Why the other options are wrong

A

SFP-10G-SR uses multimode fiber, not single-mode.

C

SFP-10G-LR requires single-mode fiber, not multimode.

E

SFP-10G-LR max is 10 km, not 40 km (ER is 40 km).

357
Matchingmedium

Drag and drop the cable/transceiver types on the left to the correct distance and speed descriptions on the right.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

100 m at 1 Gbps

300 m at 10 Gbps

5 km at 1 Gbps

55 m at 10 Gbps

10 km at 10 Gbps

Why these pairings

These pairings reflect typical maximum distances and speeds for common Ethernet cabling and transceivers, as per IEEE standards.

Exam trap

Be careful not to assume that Cat6 supports 10 Gbps at 100 meters; IEEE specifies 55 meters for 10GBASE-T on Cat6. Also, remember that fiber standards have different distance capabilities.

358
Multi-Selectmedium

Which TWO statements about SFP transceivers and interface diagnostics are true?

Select 2 answers
A.SFP modules are hot-swappable, meaning they can be inserted or removed without powering off the switch.
B.Copper 1000BASE-T SFP modules can transmit data up to 10 km over Category 5e cabling.
C.The show interfaces transceiver command provides diagnostic details such as temperature, voltage, and optical power levels.
D.Multi-mode fiber uses a smaller core diameter, about 9 microns, compared to single-mode fiber.
E.Any SFP transceiver, regardless of vendor, will operate in a Cisco switch by default.
AnswersA, C

Small Form-factor Pluggable transceivers are designed for hot insertion/removal to minimize network downtime.

Why this answer

Option A is correct because SFP (Small Form-factor Pluggable) modules are designed to be hot-swappable, allowing insertion or removal without powering down the switch. This capability is essential for maintaining network uptime during maintenance or upgrades, as the switch can dynamically detect and configure the module without a reboot.

Exam trap

Cisco often tests the distinction between copper and fiber SFP distance limits, and the trap here is assuming that a copper SFP can achieve fiber-like distances, when in reality 1000BASE-T is strictly limited to 100 meters.

Why the other options are wrong

B

1000BASE-T SFPs (such as the GLC-T) have a maximum reach of 100 m, not 10 km. 10 km is typical for 1000BASE-LX/LH single-mode fiber SFPs.

D

Multi-mode fibers have larger cores to allow multiple light paths, while single-mode’s narrow core supports only one path. The 9-micron core is characteristic of single-mode.

E

Cisco IOS checks the SFP EEPROM for vendor coding. Third-party SFPs might not be recognized, causing an error or link failure until unsupported transceiver mode is enabled.

359
Matchingmedium

Drag and drop the OSI model layer names on the left to the correct PDU name and responsibility description on the right.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Frame – Provides node-to-node delivery and error detection

Packet – Provides logical addressing and routing

Segment – Provides reliable or unreliable end-to-end delivery

Data – Manages sessions, dialog control, and synchronization

Data – Provides network services to user applications

Why these pairings

In the OSI model, data is encapsulated as it moves down the layers. At the Data Link layer (Layer 2), a header and trailer are added to form a frame, which enables node-to-node delivery and error detection via CRC. The Network layer (Layer 3) adds a header to create a packet (or datagram) that includes logical addressing (IP) and enables routing between different networks.

The Transport layer (Layer 4) segments data and adds a header with port numbers to create a segment (TCP) or datagram (UDP), providing either reliable (connection-oriented) or unreliable (connectionless) end-to-end delivery. The Session, Presentation, and Application layers (Layers 5-7) generally use the generic PDU name 'Data', with Layer 5 managing sessions, dialog control, and synchronization, and Layer 7 providing network services to user applications. Matching any other PDU name or responsibility to these layers would violate this encapsulation hierarchy and functional separation.

Exam trap

Do not assume that the first layer you think of is correct. Read the PDU and responsibility carefully; the question may pair a specific PDU with a responsibility that belongs to a different layer than you expect.

360
Drag & Dropmedium

Drag and drop the following steps into the correct order to install a new fiber optic cable, insert the SFP, and verify the link on a Cisco switch.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4

Why this order

First install the SFP, then attach the cable, ensure both ends are connected, then verify link and check for errors to confirm proper installation.

Exam trap

The exam trap is that candidates may confuse the order of SFP installation and cable attachment. Always install the SFP first to avoid damaging the fiber connector or the switch port.

361
Multi-Selectmedium

Which two statements accurately describe the role of a switch MAC address table?

Select 2 answers
A.It maps learned MAC addresses to switch ports for local forwarding decisions.
B.It helps reduce unnecessary flooding when the destination MAC is known.
C.It stores the best Layer 3 routes to remote networks.
D.It contains the router’s OSPF authentication keys.
E.It assigns IP addresses to end hosts dynamically.
AnswersA, B

This is correct because that is the core purpose of the MAC address table.

Why this answer

A switch MAC address table helps the switch make local forwarding decisions efficiently. In plain language, the switch learns which MAC addresses appear on which ports and then uses that information to send frames only where they need to go instead of flooding every frame everywhere.

The MAC table is not the same thing as a routing table, and it is not used for OSPF neighbor storage or DHCP lease records.

Exam trap

Avoid confusing the MAC address table with routing tables or ARP tables, which involve IP addresses and routing information.

Why the other options are wrong

C

This option is wrong because a switch MAC address table does not store Layer 3 routing information; it specifically maps Layer 2 MAC addresses to switch ports for local traffic forwarding.

D

Option D is incorrect because a switch MAC address table does not store OSPF authentication keys; it is designed to map MAC addresses to switch ports for forwarding decisions within a Layer 2 network.

E

This option is wrong because a switch MAC address table does not handle IP address assignments; it specifically deals with mapping MAC addresses to switch ports for local traffic forwarding.

362
MCQhard

A subnet uses the mask 255.255.255.224. How many usable host addresses does it provide?

A.14
B.30
C.62
D.126
AnswerB

This is correct because a /27 has 32 total addresses and 30 usable host addresses.

Why this answer

A mask of 255.255.255.224 corresponds to a /27 prefix. In plain language, that leaves 5 host bits available in the address, which creates 32 total addresses in each subnet. Two of those are reserved: one for the network address and one for the broadcast address. That leaves 30 usable host addresses.

This is a classic subnetting question because it tests whether you can move from mask to prefix idea to host count without getting lost. Many learners remember the block size but forget to subtract the network and broadcast entries. The correct answer comes from that full logic chain: /27 means 32 total, and therefore 30 usable.

Exam trap

Remember to subtract the network and broadcast addresses from the total count of addresses in a subnet.

Why the other options are wrong

A

This option is wrong because a subnet mask of 255.255.255.224 provides 30 usable host addresses, not 14. The calculation is based on the formula 2^(number of host bits) - 2, where the number of host bits is 5 for this subnet mask.

C

This option is wrong because a subnet mask of 255.255.255.224 allows for 32 total addresses, of which 30 are usable after subtracting the network and broadcast addresses. The calculation is 2^(32-27) - 2 = 30 usable addresses.

D

Option D is incorrect because a subnet mask of 255.255.255.224 allows for 30 usable host addresses, not 126. The calculation is based on the formula 2^(32 - subnet bits) - 2, where the subnet bits for this mask is 27.

363
MCQhard

A host address is 10.100.12.94/26. Which address is the broadcast address for that subnet?

A.10.100.12.63
B.10.100.12.127
C.10.100.12.64
D.10.100.12.128
AnswerB

This is correct because .94 is in the 64-127 /26 range.

Why this answer

A /26 subnet has a block size of 64, so the fourth-octet ranges are 0–63, 64–127, 128–191, and 192–255. The host address 10.100.12.94 lies in the 64–127 range, making the broadcast address the last address in that range: 10.100.12.127. Option A (10.100.12.63) is the broadcast of the previous subnet (0–63).

Option C (10.100.12.64) is the network address of the subnet containing the host. Option D (10.100.12.128) is the network address of the next subnet (128–191).

Exam trap

Be careful not to confuse host addresses or network addresses with the broadcast address. Remember, the broadcast address is the last address in the subnet range.

Why the other options are wrong

A

10.100.12.63 is the broadcast address of the 0–63 subnet, not the one containing 94.

C

10.100.12.64 is the network address of the 64–127 subnet, not the broadcast.

D

10.100.12.128 is the network address of the 128–191 subnet, not the broadcast.

364
Multi-Selectmedium

Which three statements about Power over Ethernet (PoE) and PoE+ standards are correct? (Choose three.)

Select 3 answers
.PoE (IEEE 802.3af) can deliver up to 15.4 watts of power per port.
.PoE+ (IEEE 802.3at) can deliver up to 30 watts of power per port.
.Both PoE and PoE+ use the same four pairs of a twisted-pair cable for power delivery.
.Powered devices (PDs) can negotiate power requirements using Link Layer Discovery Protocol (LLDP) with PoE extensions.
.PoE+ requires Category 3 cabling or better.
.PoE automatically disables power if a non-PoE device is detected.

Why this answer

Option 1 is correct because the IEEE 802.3af PoE standard specifies a maximum power delivery of 15.4 watts per port at the PSE (Power Sourcing Equipment), with a minimum of 12.95 watts guaranteed at the PD (Powered Device) after cable losses. Option 2 is correct because the IEEE 802.3at PoE+ standard increases the maximum power per port to 30 watts at the PSE, with 25.5 watts available at the PD. Option 4 is correct because PDs can negotiate power requirements using LLDP with the IEEE 802.1AB LLDP-MED (Media Endpoint Discovery) extensions, which include PoE TLV (Type-Length-Value) fields for power negotiation beyond the simple classification method.

Option 3 (both PoE and PoE+ use the same four pairs) is incorrect because both standards deliver power over only two pairs (spare or data pairs depending on mode); four-pair power delivery is introduced in IEEE 802.3bt (PoE++). Option 5 (PoE+ requires Category 3 cabling) is incorrect because PoE+ requires at least Category 5e cabling to support the higher power levels without excessive heat or signal degradation. Option 6 (PoE automatically disables power if a non-PoE device is detected) is incorrect because the PSE first performs a detection phase to identify a valid PoE signature; if none is found, power is never applied—so it is not disabled after being enabled.

Exam trap

Cisco often tests the misconception that PoE and PoE+ both use all four pairs for power delivery, when in fact they use only two pairs, and the four-pair delivery is exclusive to the 802.3bt standard (PoE++).

Why the other options are wrong

C

Both PoE and PoE+ use only two pairs for power delivery, not four; four-pair delivery is exclusive to 802.3bt (PoE++).

E

PoE+ requires Category 5e or better cabling, as Category 3 cannot safely support the higher current.

F

PoE does not disable power on a non-PoE device; detection prevents power from ever being applied to non-compliant devices.

365
MCQhard

A network engineer notices that the router interface GigabitEthernet0/1 is in an 'administratively down' state in the output of the show ip interface brief command, preventing connectivity to the subnet connected to that interface. What is the most likely cause?

A.The interface does not have an IP address assigned.
B.The shutdown command is configured on the interface.
C.The interface is configured with an incorrect subnet mask.
D.An access list is blocking traffic on the interface.
AnswerB

The 'administratively down' status is only displayed when the interface has been explicitly disabled using the shutdown command in configuration mode.

Why this answer

The 'administratively down' state in the output of 'show ip interface brief' indicates that the interface has been manually disabled using the 'shutdown' command. This is a Layer 1/2 administrative state, not a protocol or connectivity issue. To bring the interface up, the 'no shutdown' command must be applied in interface configuration mode.

Exam trap

Cisco often tests the distinction between 'administratively down' (caused by the 'shutdown' command) and 'down/down' (caused by a physical layer issue like a disconnected cable), leading candidates to confuse the two states.

Why the other options are wrong

A

Candidates often confuse the lack of an IP address with a non-functional interface, believing it will be shown as down.

C

Students may think any IP misconfiguration could bring the interface down, but only the shutdown command causes 'administratively down'.

D

Because an ACL can stop traffic, candidates sometimes assume it would be reflected as a down state, but interface status is independent of ACLs.

366
MCQhard

A subnet uses the prefix /29. How many usable host addresses are available in each subnet?

A.2
B.6
C.14
D.30
AnswerB

This is correct because a /29 has 8 total addresses and 6 usable host addresses.

Why this answer

A /29 prefix leaves 3 host bits, which creates 8 total addresses per subnet. In plain language, two of those addresses cannot be assigned to hosts because one identifies the subnet itself and one is reserved as the broadcast address. That leaves 6 usable host addresses. This is a standard CCNA calculation because it checks whether you understand both the total address count and the subtraction of the reserved addresses.

Many candidates remember powers of two but forget to account for the network and broadcast addresses when the question asks for usable hosts. The safest process is to calculate the total size first and then reduce it by two. That is how you arrive at 6 usable addresses for a /29.

Exam trap

Remember to subtract the network and broadcast addresses from the total count to find usable addresses.

Why the other options are wrong

A

Option A is incorrect because a /29 subnet provides 8 total IP addresses, of which 6 are usable for hosts after accounting for the network and broadcast addresses.

C

Option C is wrong because a /29 subnet provides 8 total IP addresses, of which 6 are usable for hosts after reserving one for the network address and one for the broadcast address.

D

Option D is incorrect because a /29 subnet provides 8 total IP addresses, of which 6 are usable for hosts after accounting for the network and broadcast addresses. Therefore, stating that there are 30 usable addresses is inaccurate.

367
PBQhard

You are connected to a Cisco 9800 WLC (WLC1) via its management interface. A wireless client reports association failures with SSID 'CorpNet'. The client uses WPA3-Personal, but the WLAN is configured for WPA2. Additionally, the SSID is hidden and the client is on the wrong VLAN (VLAN 20 instead of VLAN 100). Fix these issues so the client can associate successfully with WPA3, on VLAN 100, and with the SSID broadcast enabled.

Network Topology
192.168.100.2/24networkWLC1AP

Hints

  • Check the WLAN security settings: WPA3 requires 'security wpa wpa3' and removal of 'wpa2'.
  • The SSID is hidden; use 'broadcast-ssid' under the WLAN configuration.
  • The policy tag assigns VLAN 20; change it to VLAN 100 to match client requirements.
A.Enable SSID broadcast, change security to WPA3-Personal, and assign VLAN 100 in the policy tag.
B.Enable SSID broadcast, change security to WPA2-PSK, and assign VLAN 20 in the policy tag.
C.Disable SSID broadcast, change security to WPA3-Personal, and assign VLAN 100 in the policy tag.
D.Enable SSID broadcast, change security to WPA3-Enterprise, and assign VLAN 100 in the policy tag.
AnswerA
solution
! WLC1
configure terminal
wlan CorpNet 1 CorpNet
broadcast-ssid
no security wpa wpa2
security wpa wpa3
security wpa psk set-ccmp 0 7 1234567890
exit
wireless tag policy default-policy
vlan 100
end
write memory

Why this answer

The WLAN was configured for WPA2-PSK with a hidden SSID, and the policy tag assigned VLAN 20 instead of VLAN 100. To fix: (1) Enable SSID broadcast with 'broadcast-ssid'. (2) Change security to WPA3-Personal by removing WPA2 and enabling WPA3 with 'security wpa wpa3' and 'security wpa psk set-ccmp'. (3) Assign VLAN 100 in the policy tag with 'vlan 100'. The client should then associate.

Exam trap

Be careful to distinguish between WPA2 and WPA3, and between Personal (PSK) and Enterprise (802.1X). Also, remember that a hidden SSID must be broadcast for clients to discover it, and VLAN assignment is done in the policy tag, not the SSID configuration.

Why the other options are wrong

B

The specific factual error is that the client uses WPA3-Personal, so changing to WPA2-PSK does not meet the requirement. Also, VLAN 20 is the wrong VLAN.

C

The specific factual error is that the SSID is currently hidden and the client cannot see it; enabling broadcast is required, not disabling.

D

The specific factual error is that WPA3-Personal uses a pre-shared key, while WPA3-Enterprise requires 802.1X authentication. The client is configured for Personal mode.

368
PBQhard

You are connected to R1 via the console. The network administrator reports that PC1 (connected to R1's GigabitEthernet0/1) cannot reach the internet. Troubleshoot the issue step by step. The current configuration and show outputs are provided.

Hints

  • Check if PC1 can ping the default gateway and the next-hop router.
  • Verify R1's default route.
  • If all local connectivity works, the issue is likely beyond R1 (ISP side).
A.PC1 has an incorrect default gateway configured.
B.R1 is missing a default route to the ISP.
C.routing or NAT issue beyond the local network
D.PC1 has a DNS resolution issue.
AnswerC
solution
! R1

Why this answer

The issue is that PC1 cannot reach the internet despite having correct IP, gateway, and DNS. PC1 can ping the default gateway and even the next-hop router (203.0.113.2), but fails to ping 8.8.8.8. This indicates that the problem is beyond the local network — likely a routing or NAT issue on the ISP side.

However, the task requires troubleshooting client connectivity; the provided outputs show no misconfiguration on PC1 or R1. The fault is external (ISP not routing or no NAT), but the candidate must verify that client configuration is correct and then escalate or check the ISP link. For the PBQ, the candidate should confirm that PC1's IP, subnet mask, gateway, and DNS are correct, and that R1 has a default route and can reach the next hop.

No configuration changes are needed on R1 or PC1; the problem is outside the scope of the local network.

Exam trap

The trap is that candidates may focus on local misconfigurations (gateway, DNS, routing) when the evidence shows local connectivity works. Always verify step by step: if the client can ping the gateway and next hop, the problem is external.

Why the other options are wrong

A

The specific factual error is that a reachable gateway implies correct configuration; if the gateway were wrong, pinging it would fail.

B

The specific factual error is that reachability to the next hop requires a route; if R1 were missing a default route, it could not forward packets to the next hop.

D

The specific factual error is that DNS is only needed for name resolution; pinging an IP address bypasses DNS entirely.

369
MCQhard

A user reports that their computer cannot access the network. The technician checks the computer's IP configuration and finds an APIPA address (169.254.x.x). The computer is connected to a switch port on VLAN 20. The DHCP server is located on VLAN 1. The technician then examines the router's interfaces using 'show ip interface brief' and sees that all interfaces shown are up/up. What should the technician do next?

A.Check the DHCP server logs to see if it is receiving Discover messages.
B.Verify that the ip helper-address command is configured on the router's VLAN 20 interface.
C.Attempt to ping the DHCP server's IP address from the host's APIPA address.
D.Restart the DHCP service on the server and recheck the host.
AnswerB

The router is the intervlan router, and the DHCP server is on a different subnet. For a DHCP Discover broadcast to cross VLANs, the router must have an IP helper-address pointing to the DHCP server's IP address on the VLAN 20 interface. Since all ports are up/up, the problem is almost certainly the missing relay. Checking this config directly addresses the most probable cause.

Why this answer

The APIPA address (169.254.x.x) indicates the host failed to obtain a DHCP lease. Since the DHCP server is on VLAN 1 and the host is on VLAN 20, a DHCP relay (ip helper-address) must be configured on the router's VLAN 20 interface to forward DHCP broadcast messages to the server. The 'show ip interface brief' shows all interfaces are up/up, so the next logical step is to verify the relay configuration.

Exam trap

Cisco often tests the concept that a DHCP relay (ip helper-address) is required when the DHCP server is on a different subnet, and candidates mistakenly focus on server-side issues or ping tests instead of the router configuration.

Why the other options are wrong

A

This action assumes the DHCP request has already reached the server; it bypasses verifying the network path that would deliver the broadcast to the server, which is the most likely missing piece.

C

Candidates might think that if the ping fails, the problem is network connectivity, but APIPA addresses are non-routable and the test itself is invalid in this context.

D

Many techs jump to rebooting a service when a simple configuration check would reveal the real problem. This violates the principle of least intrusive troubleshooting.

370
Drag & Dropmedium

Drag and drop the following steps into the correct order to describe how data is encapsulated as it travels down the OSI model layers.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

Data originates at the application layer as user data. The transport layer then encapsulates this data by adding a header (e.g., TCP or UDP) to create a segment. The network layer further adds an IP header to the segment, forming a packet.

Next, the data link layer appends a frame header and trailer to the packet, resulting in a frame. Finally, the physical layer converts the entire frame into bits for electrical, optical, or radio transmission. This sequence follows the standard top-down encapsulation process in network communication.

371
MCQhard

A host is configured with 192.168.10.129/25. Which subnet contains that host?

A.192.168.10.0/25
B.192.168.10.64/25
C.192.168.10.128/25
D.192.168.10.192/25
AnswerC

This is correct because .129 is in the upper /25 block.

Why this answer

A /25 divides the /24 into two blocks: 0–127 and 128–255. In practical terms, 192.168.10.129 belongs to the upper half, so the containing subnet is 192.168.10.128/25.

This is a simple subnet-boundary question, but it is designed to confirm that you can identify the correct half of the /24 quickly and confidently.

Exam trap

A frequent exam trap is misidentifying the subnet boundaries for a /25 mask within a /24 network. Candidates often mistakenly believe that subnets start at .64 or .192, confusing /25 with other subnet sizes like /26 or /27. This leads to selecting incorrect subnets such as 192.168.10.64/25 or 192.168.10.192/25, which are invalid because /25 only divides the /24 into two halves starting at .0 and .128.

This misunderstanding causes errors in subnet identification and can result in wrong routing or access decisions in real networks.

Why the other options are wrong

A

192.168.10.0/25 covers IP addresses from 192.168.10.0 to 192.168.10.127. Since the host IP is 192.168.10.129, which is greater than .127, it does not belong to this subnet, making this option incorrect.

B

192.168.10.64/25 is not a valid /25 subnet boundary within a /24 network. /25 subnets split at .0 and .128 only, so this option is invalid and cannot contain the host 192.168.10.129.

D

192.168.10.192/25 is not a valid /25 subnet boundary within a /24 network. The /25 mask divides the network into two subnets only, starting at .0 and .128, so this option is incorrect.

372
Matchingmedium

Drag and drop the wireless LAN terms on the left to their correct descriptions on the right.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Wireless standard that operates only in the 5 GHz band and supports MU-MIMO

Wireless standard that introduces OFDMA and operates in both 2.4 GHz and 5 GHz bands

Security protocol that uses Simultaneous Authentication of Equals (SAE) to protect against dictionary attacks

A 32-character alphanumeric name that identifies a wireless network

Interference caused when two or more access points use partially overlapping frequency ranges

Methods such as SSH, HTTP/HTTPS, or SNMP used to configure a Wireless LAN Controller

Why these pairings

802.11ac is a wireless standard that operates exclusively in the 5 GHz band and supports MU-MIMO, matching that description. 802.11ax (Wi-Fi 6) introduces OFDMA and works in both 2.4 GHz and 5 GHz, so it correctly pairs with that description. WPA3 uses Simultaneous Authentication of Equals (SAE) to protect against offline dictionary attacks, making it the right match. The SSID is defined as a 32-character alphanumeric name identifying a wireless network, which directly matches.

Channel overlap refers to interference from partially overlapping frequency ranges, exactly as described. WLC management access methods include SSH, HTTP/HTTPS, and SNMP, fitting the given description.

Exam trap

Do not confuse WPA3's SAE with WPA2's PSK mechanism; WPA3 offers enhanced protection against dictionary attacks.

373
MCQmedium

A network technician is troubleshooting a connectivity issue where a user's email client cannot send messages, but the client can receive emails. The technician uses a protocol analyzer and sees that the client is successfully resolving the mail server's domain name to an IP address and establishing a TCP connection, but the server responds with an application-layer error. At which layers of the OSI model are the problem and the successful operations occurring, respectively?

A.The problem is at the Transport layer (Layer 4); successful operations are at the Application layer (Layer 7) only.
B.The problem is at the Application layer (Layer 7); successful operations are at the Application layer (Layer 7) and Transport layer (Layer 4).
C.The problem is at the Network layer (Layer 3); successful operations are at the Data Link layer (Layer 2) and Physical layer (Layer 1).
D.The problem is at the Presentation layer (Layer 6); successful operations are at the Session layer (Layer 5) and Transport layer (Layer 4).
AnswerB

DNS resolution (Layer 7) and TCP connection (Layer 4) are successful. The sending error is an Application layer issue, as the mail server returns an application-level error.

Why this answer

The problem is at the Application layer (Layer 7) because the email client can resolve the domain name (DNS, Layer 7), establish a TCP connection (Transport layer, Layer 4), but the mail server returns an application-layer error (e.g., SMTP 550 or 554), indicating the issue lies in the email protocol itself (e.g., authentication failure, mailbox full, or rejected sender). Successful operations include DNS resolution (Application layer) and TCP three-way handshake (Transport layer), confirming layers 7 and 4 are functioning correctly.

Exam trap

Cisco often tests the distinction between successful lower-layer operations (DNS, TCP) and an application-layer failure, trapping candidates who assume any email problem must be at the Transport or Network layer because they confuse 'connection established' with 'protocol function working'.

Why the other options are wrong

A

The TCP handshake succeeded, so the Transport layer is working. The error message is generated by the application, not the transport protocol.

C

Successful TCP connection implies IP routing (Layer 3) is working. The error is not related to addressing or routing.

D

Email sending failures are typically application logic errors, not encryption/formatting or session problems. Also, DNS is an Application layer protocol, not Session or Presentation.

374
Multi-Selectmedium

Which three of the following are correct steps in the process of CDP (Cisco Discovery Protocol) neighbor discovery? (Choose three.)

Select 3 answers
.CDP operates at Layer 2 and sends advertisements to the multicast address 01:00:0C:CC:CC:CC.
.CDP advertisements include the device identifier, platform, and capabilities.
.CDP is enabled by default on Cisco devices and runs over all interfaces that support SNAP headers.
.CDP advertisements are sent every 30 seconds by default.
.CDP can discover devices that are more than one Layer 2 hop away.
.CDP requires that both devices be in the same IP subnet.

Why this answer

CDP is a Cisco proprietary Layer 2 protocol that uses multicast MAC address 01:00:0C:CC:CC:CC to send advertisements to directly connected neighbors. Advertisements include device identifier, platform, and capabilities. CDP is enabled by default on Cisco devices and runs over interfaces supporting SNAP headers.

Incorrect options: CDP advertisements are sent every 60 seconds by default (not 30); CDP discovers only directly connected neighbors (not devices more than one L2 hop away); CDP does not require both devices to be in the same IP subnet because it operates at Layer 2.

Exam trap

A common mistake is thinking CDP uses a broadcast address or operates at Layer 3; another trap is confusing the default CDP timer (60 seconds) with the 30-second timer of other protocols like LLDP.

Why the other options are wrong

D

CDP advertisements are sent every 60 seconds by default, not 30.

E

CDP discovers only directly connected neighbors; it does not propagate beyond one Layer 2 hop.

F

CDP operates at Layer 2 and does not require devices to be in the same IP subnet.

375
Drag & Drophard

Drag and drop the following steps into the correct order to configure a WLAN for WPA3-Enterprise on a Cisco WLC and sequence a wireless client association process.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4

Why this order

The configuration creates the WLAN with WPA3-Enterprise security, enables it, then the client associates and completes 802.1X authentication before getting an IP.

Exam trap

Do not confuse the order of 802.1X authentication and DHCP. In WPA3-Enterprise, the client must authenticate before obtaining an IP address. Also, remember that a WLAN must be created before it can be enabled, and it must be enabled before clients can associate.

← PreviousPage 5 of 6 · 390 questions totalNext →

Ready to test yourself?

Try a timed practice session using only Network Infra Connectivity questions.