CCNA Network Services Security Questions

75 of 478 questions · Page 1/7 · Network Services Security topic · Answers revealed

1
PBQ · hard

You are connected to R1 via the console. An extended ACL named BLOCK_SMTP has been applied inbound on interface GigabitEthernet0/1, but users on the 192.168.10.0/24 network cannot send email to the SMTP server at 203.0.113.10. Additionally, the ACL is blocking all other traffic that should be permitted. Examine the running configuration and fix the ACL so that SMTP traffic (TCP port 25) from the 192.168.10.0/24 network to the SMTP server is permitted, and all other IP traffic is allowed.

Hints

  • The ACL is applied inbound on G0/1, so the source is the internal network.
  • The current ACL denies all SMTP traffic; you need to permit SMTP from the specific source network to the SMTP server before the deny.
  • Remember to remove the old ACL and create a new one with the correct order of entries.
A.
  permit tcp 192.168.10.0 0.0.0.255 host 203.0.113.10 eq 25
  deny tcp any any eq 25
  permit ip any any
B.
  permit tcp any any eq 25
  deny tcp 192.168.10.0 0.0.0.255 host 203.0.113.10 eq 25
  permit ip any any
C.
  deny tcp any any eq 25
  permit tcp 192.168.10.0 0.0.0.255 host 203.0.113.10 eq 25
  permit ip any any
D.
  permit tcp 192.168.10.0 0.0.0.255 host 203.0.113.10 eq 25
  permit ip any any
  deny tcp any any eq 25
Answer: A
Solution
! R1
configure terminal
no ip access-list extended BLOCK_SMTP
ip access-list extended BLOCK_SMTP
permit tcp 192.168.10.0 0.0.0.255 host 203.0.113.10 eq 25
deny tcp any any eq 25
permit ip any any
end

Why this answer

The correct answer is A. It permits SMTP from 192.168.10.0/24 to the SMTP server, then denies all other SMTP traffic, and finally permits all other IP traffic. Option B is wrong because it places a general permit for any SMTP before the specific deny, meaning all SMTP is permitted regardless of source/destination.

Option C is wrong because it denies all SMTP first, so the subsequent specific permit for the user network is never reached. Option D is wrong because the order permits the specific SMTP, then permits all IP traffic (including other SMTP), then denies SMTP—the permit ip any any before the deny makes the deny unreachable for all traffic, allowing all SMTP.

Exam trap

Remember that ACLs are processed sequentially; the first match wins. A common mistake is to place a general permit or deny before a specific statement, causing the specific statement to never be evaluated. Always order ACL entries from most specific to most general.

Why the other options are wrong

B

The order of ACL entries is crucial; the first match is applied. Here, the permit any any matches all SMTP before the deny can block the specific traffic.

C

The deny any any matches all SMTP, so the subsequent permit for the specific source/destination is never reached.

D

The permit ip any any matches all traffic, so the subsequent deny for SMTP is never applied.

2
Multi-Select · medium

A router is configured as a DHCP server for VLAN 20. Clients on the VLAN can reach the default gateway, but they do not receive leases. Which two configuration issues on the router would directly prevent successful address assignment?

Select 2 answers
A. The excluded-address range removes the entire usable subnet
B. The DHCP pool is missing a dns-server statement
C. The subinterface lacks an ip helper-address
D. There are no available addresses left in the defined pool
Answers: A, D

Excluding 10.20.20.1 through 10.20.20.254 leaves nothing assignable for clients.

Why this answer

The router can serve DHCP locally without an ip helper-address. The real problem is that the excluded-address range consumes every usable host address, leaving the pool with no assignable leases.

Exam trap

A common exam trap is to incorrectly assume that missing optional DHCP parameters, such as the dns-server statement, or the absence of an ip helper-address on the subinterface, will prevent clients from receiving leases. Candidates may also overlook the impact of the excluded-address command consuming the entire subnet range, mistakenly thinking the router’s DHCP service is functioning correctly because clients can ping the gateway. The real issue is that no IP addresses remain available to assign, which is a subtle but critical configuration error that directly causes DHCP lease failures.

Why the other options are wrong

B

Incorrect because the dns-server statement is optional; its absence does not prevent the DHCP server from assigning IP addresses to clients.

C

Incorrect because the ip helper-address command is only necessary when forwarding DHCP requests across subnets, not when the router itself is the DHCP server on the VLAN.

3
MCQ · hard

A switchport is configured with sticky MAC learning and a maximum secure MAC value of 2. What is the main benefit of sticky learning in this situation?

A. It allows secure MAC addresses to be learned dynamically and used by port security.
B. It removes the maximum secure MAC limit automatically.
C. It converts the port into a trunk after two MAC addresses are learned.
D. It disables port security after the first reboot.
Answer: A

This is correct because sticky learning records observed MACs as secure addresses.

Why this answer

Sticky MAC learning allows the switch to learn secure MAC addresses dynamically and treat them as port-security entries without the administrator typing them manually. In plain language, it combines some of the convenience of automatic learning with the control of port security. If the configuration is later saved, those learned entries can become persistent.

This is a common CCNA port-security concept because it shows how sticky learning works with, not instead of, port security. The correct answer is the one focused on dynamic secure learning and convenience, not on disabling the maximum limit or turning the port into a trunk.

Exam trap

A frequent exam trap is to assume that sticky MAC learning disables the maximum secure MAC address limit or automatically converts the port into a trunk. Some candidates mistakenly believe sticky learning removes the configured maximum or disables port security after reboot. However, sticky learning only dynamically learns and locks MAC addresses up to the configured maximum and requires saving the configuration to persist.

Misunderstanding this can lead to selecting incorrect answers that imply sticky learning changes port behavior beyond dynamic secure MAC address learning.

Why the other options are wrong

B

This option is incorrect because sticky learning does not remove or disable the configured maximum secure MAC address limit; the limit remains enforced regardless of sticky learning.

C

This option is incorrect because sticky learning does not change the port type or convert it into a trunk; port mode remains unchanged and unrelated to sticky MAC learning.

D

This option is incorrect because sticky MAC addresses can persist if the configuration is saved, so port security is not disabled after a reboot; sticky learning supports persistence, not disabling.

4
MCQ · hard

A switchport is configured for 802.1X authentication. What is the usual role of the RADIUS server in that design?

A. It provides Layer 2 trunk negotiation for the supplicant.
B. It validates authentication credentials for the supplicant.
C. It replaces the need for DHCP on the access layer.
D. It generates ARP replies on behalf of the default gateway.
Answer: B

Correct. The RADIUS server performs centralized AAA decisions.

Why this answer

The switch acts as the authenticator and forwards authentication requests to the RADIUS server, which validates the user or device credentials.

Exam trap

A common exam trap is assuming the RADIUS server handles functions beyond authentication, such as DHCP IP address assignment or ARP gateway replies. Candidates might mistakenly believe that RADIUS negotiates switchport trunking or manages Layer 2 connectivity, which it does not. This confusion often arises because RADIUS is involved in network access control but does not replace other network services.

Misunderstanding these roles can lead to selecting incorrect options that describe unrelated network functions, causing errors in the exam.

Why the other options are wrong

A

Option A is incorrect because the RADIUS server does not handle Layer 2 trunk negotiation. Trunking is managed by protocols such as DTP or manual switchport configuration, not by the authentication server.

C

Option C is incorrect because DHCP is responsible for IP address assignment, not the RADIUS server. RADIUS focuses solely on authentication, authorization, and accounting functions.

D

Option D is incorrect because the RADIUS server does not generate ARP replies or perform any gateway functions. These tasks are handled by routers or Layer 3 devices in the network.

5
PBQ · hard

You are connected to R1. The network has two routers (R1, R2) and a switch (SW1) in between. R1's G0/0 connects to SW1 (192.168.1.1/24), SW1 connects to R2's G0/0 (192.168.1.2/24). R2 has a loopback (Lo0: 203.0.113.1/32) used as a management address. Configure an extended ACL on R1 so that only SSH (TCP/22) traffic from the 10.0.0.0/24 network is permitted to reach R2's loopback; all other traffic to that loopback must be denied. Then apply the ACL in the correct direction on the correct interface.

Hints

  • The source network is 10.0.0.0/24; use the correct wildcard mask.
  • The destination is a single host IP; use the 'host' keyword.
  • The ACL must be applied to the interface where traffic from 10.0.0.0/24 enters R1.
A.
  access-list 100 permit tcp 10.0.0.0 0.0.0.255 host 203.0.113.1 eq 22
  access-list 100 deny ip any host 203.0.113.1
  interface GigabitEthernet0/1
  ip access-group 100 in
B.
  access-list 100 permit tcp 10.0.0.0 0.0.0.255 host 203.0.113.1 eq 22
  access-list 100 deny ip any host 203.0.113.1
  interface GigabitEthernet0/0
  ip access-group 100 out
C.
  access-list 100 permit tcp 10.0.0.0 0.0.0.255 host 203.0.113.1 eq 22
  interface GigabitEthernet0/1
  ip access-group 100 in
D.
  access-list 100 permit tcp 10.0.0.0 0.0.0.255 host 203.0.113.1 eq 22
  access-list 100 deny ip any any
  interface GigabitEthernet0/1
  ip access-group 100 in
Answer: A
Solution
! R1
configure terminal
access-list 100 permit tcp 10.0.0.0 0.0.0.255 host 203.0.113.1 eq 22
access-list 100 deny ip any host 203.0.113.1
access-list 100 permit ip any any
interface gigabitEthernet 0/1
 ip access-group 100 in
end

Why this answer

The current configuration has no ACL restricting traffic to R2's loopback. The candidate must create an extended ACL that permits TCP from 10.0.0.0/24 to host 203.0.113.1 eq 22, then deny all other IP traffic to that host. The ACL must be applied inbound on R1's G0/1 (facing the 10.0.0.0/24 network) to filter traffic before it enters R1.

Applying outbound on G0/0 would also work, but inbound on G0/1 is more efficient and typical. The implicit deny at the end of the ACL blocks all other traffic to the loopback.

Exam trap

Be careful with ACL placement: inbound on the source-facing interface is more efficient and standard. Also, remember that extended ACLs should be placed as close to the source as possible. Do not rely solely on the implicit deny; explicit denies are often required in exam answers.

Avoid using overly broad deny statements that affect more traffic than intended.

Why the other options are wrong

B

The ACL is applied outbound on G0/0 instead of inbound on G0/1. Although it may achieve the goal, it is not the most efficient placement and may not be the expected answer in a PBQ.

C

Missing the explicit deny statement. The implicit deny at the end of the ACL will block other traffic, but the question expects an explicit deny for clarity and completeness.

D

The deny statement is too broad; it denies all IP traffic, not just traffic to the loopback. The correct deny should be specific to the loopback host.

6
MCQ · medium

Port security is enabled with a maximum of 2 MAC addresses, but a third device connected through a small hub causes a violation. Which result is expected in restrict mode?

A. The port goes immediately to err-disabled state
B. Frames from the unknown MAC are dropped and the violation is counted
C. The switch learns the third MAC after 30 seconds automatically
D. STP blocks the port until the MAC table ages out
Answer: B

That is the purpose of restrict mode.

Why this answer

In restrict mode, the switch drops frames from unknown source MAC addresses and increments the violation counter, but the port stays up. That is less disruptive than shutdown mode.

Exam trap

Be careful not to confuse restrict mode with shutdown mode, which disables the port entirely.

Why the other options are wrong

A

In restrict mode, the port does not go to err-disabled state; that behavior is specific to shutdown mode. Shutdown mode disables the port upon a violation, whereas restrict mode only drops traffic from unknown MACs and increments the violation counter.

C

Port security does not automatically learn additional MAC addresses after a delay; it strictly enforces the configured maximum number of MAC addresses. If the maximum is set to 2, any new MAC address beyond that triggers a violation action (restrict, shutdown, or protect) immediately, not after 30 seconds.

D

STP (Spanning Tree Protocol) is used to prevent loops in redundant topologies and does not enforce port security. Port security violations are handled by the port security feature itself, independent of STP. STP blocking a port would be unrelated to MAC address limits.
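
The following Python model is an added illustration for questions 3 and 6 (it is not part of the original page and not Cisco code): a port with a maximum of 2 secure MAC addresses is driven with four constructed frames, once per violation mode, so the difference between protect, restrict and shutdown is visible in the return values and counters. The sticky part writes learned MACs into a mock running-config and shows that they survive a reload only if the configuration was saved first. The MAC addresses and the config line format are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List

# Constructed model of Cisco port security with a maximum of 2 secure MACs.
# It illustrates the violation modes and sticky learning; it is not IOS code.

@dataclass
class SecurePort:
    maximum: int = 2
    violation: str = "shutdown"          # "protect", "restrict" or "shutdown"
    sticky: bool = False
    secure_macs: List[str] = field(default_factory=list)
    running_config: List[str] = field(default_factory=list)
    startup_config: List[str] = field(default_factory=list)
    violation_count: int = 0
    err_disabled: bool = False

    def receive(self, src_mac: str) -> str:
        """Handle one ingress frame; returns 'forward', 'drop' or 'err-disabled'."""
        if self.err_disabled:
            return "err-disabled"
        if src_mac in self.secure_macs:
            return "forward"
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.append(src_mac)          # dynamically learned secure MAC
            if self.sticky:                           # sticky: also written into running-config
                self.running_config.append(
                    f"switchport port-security mac-address sticky {src_mac}")
            return "forward"
        # Maximum reached and the source MAC is not a secure address: a violation.
        if self.violation == "protect":
            return "drop"                             # dropped silently, nothing counted
        if self.violation == "restrict":
            self.violation_count += 1                 # dropped and counted, port stays up
            return "drop"
        self.violation_count += 1                     # shutdown: port goes err-disabled
        self.err_disabled = True
        return "err-disabled"

    def save(self) -> None:
        """Equivalent of 'copy running-config startup-config'."""
        self.startup_config = list(self.running_config)

    def reload(self) -> None:
        """Reboot: only entries present in startup-config come back as secure MACs."""
        self.running_config = list(self.startup_config)
        self.secure_macs = [line.split()[-1] for line in self.startup_config]
        self.violation_count, self.err_disabled = 0, False


# Constructed frames: two legitimate hosts, a third host behind the hub, then host 1 again.
FRAMES = ["0000.1111.aaaa", "0000.2222.bbbb", "0000.3333.cccc", "0000.1111.aaaa"]


def simulate(mode: str) -> tuple:
    """Run FRAMES through a max-2 port in the given violation mode."""
    port = SecurePort(maximum=2, violation=mode)
    return [port.receive(m) for m in FRAMES], port


def sticky_after_reload(save_config: bool) -> List[str]:
    """Secure MACs left after a reboot, with or without saving the configuration first."""
    port = SecurePort(maximum=2, violation="restrict", sticky=True)
    for mac in FRAMES[:2]:
        port.receive(mac)
    if save_config:
        port.save()
    port.reload()
    return port.secure_macs


if __name__ == "__main__":
    for mode in ("protect", "restrict", "shutdown"):
        results, port = simulate(mode)
        print(mode, results, "violations:", port.violation_count, "err-disabled:", port.err_disabled)
    print("sticky, saved:", sticky_after_reload(True))
    print("sticky, not saved:", sticky_after_reload(False))
```

In restrict mode the third frame is dropped and counted while the first host keeps forwarding; in shutdown mode the same frame err-disables the port and even the legitimate host is cut off afterwards. The sticky run shows the maximum still being enforced (only two entries are ever written) and persistence depending entirely on the save.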

7
MCQ · hard

Refer to the exhibit. A network administrator configures NAT overload on R1 to allow internal hosts in the 10.1.1.0/24 subnet to access the Internet. After the configuration, the administrator runs the show ip nat translations verbose command and notices that several internal sessions all appear to use the same inside global port 1024. The administrator is concerned that port conflicts will occur. Based on the output, which statement is correct?

A. The NAT configuration is missing the overload keyword, causing all internal hosts to share a single source port.
B. The static NAT entry mapping 203.0.113.5 to the entire 10.1.1.0/24 subnet forces all subordinate translations to use the same port 1024.
C. The dynamic NAT pool is exhausted, forcing the router to reuse port 1024 for all new sessions.
D. The translations are extended entries, so the combination of inside global IP, outside global IP, and port ensures each session is unique, even though the inside global port is the same.
Answer: D

Each table entry carries the 'extended' flag, which means the translation includes the destination address and port. This allows the same inside global port 1024 to be used simultaneously for different destinations (198.51.100.10:53, 203.0.113.100:443, 203.0.113.200:22). The five‑tuple still uniquely identifies the session, so port conflicts do not occur.

Why this answer

The exhibit shows four dynamic NAT translations, each marked with the 'extended' flag. In extended PAT, the translation table includes the destination IP address and port (the Outside global field). Even though all entries share the same inside global port 1024, each translation has a different Outside global pair (198.51.100.10:53 for UDP, 203.0.113.100:443 and 203.0.113.200:22 for TCP).

Therefore, the five‑tuple (protocol, inside global IP, inside global port, outside global IP, outside global port) remains unique for each session, and no port conflict exists. The 'extended' flag explicitly confirms that the router is using this extended matching logic to allow port reuse.

Exam trap

Option A is the most common trap because candidates often associate a single global port with a missing overload keyword. However, the presence of the 'extended' flag and the different outside destinations in the exhibit demonstrate that PAT overload is active and correctly implemented.

Why the other options are wrong

A

Candidates think that seeing the same global port means overload is not operating, but port reuse is normal in extended PAT.

B

Candidates may misinterpret the summary line as a static identity NAT rule that locks all translations to a single port.

C

Candidates confuse pool exhaustion (no free global addresses) with port reuse. Exhaustion typically manifests as translation failures, not as many entries sharing the same port.

8
Multi-Select · medium

Which three of the following are functions of Network Address Translation (NAT) overload (PAT)? (Choose three.)

Select 3 answers
A. It translates multiple private IP addresses to a single public IP address.
B. It uses unique source port numbers to differentiate between internal sessions.
C. It requires a pool of public IP addresses equal to the number of internal hosts.
D. It can be configured with the 'ip nat inside source list' command referencing a standard ACL.
E. It provides inbound-initiated connections to internal servers without static entries.
F. It performs a one-to-one mapping between inside local and inside global addresses.

Why this answer

PAT (Port Address Translation), also known as NAT overload, allows multiple internal hosts to share a single public IP address by translating each session's source port to a unique port number. This enables the router to differentiate between concurrent sessions from different internal hosts, even though they all appear to originate from the same public IP. The correct options highlight the core functions: translating many private IPs to one public IP and using unique source port numbers for session differentiation.

Exam trap

Cisco often tests the misconception that PAT requires a pool of public IPs equal to the number of internal hosts, when in fact PAT's defining feature is the ability to map many internal hosts to a single public IP using port multiplexing.
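
As an added example for questions 7 and 8 (not part of the original page and not Cisco code), the Python model below builds an extended PAT table keyed on the five-tuple the explanation names: protocol, inside global IP, inside global port, outside global IP and outside global port. Four hosts from 10.1.1.0/24 share one inside global address, 203.0.113.5 (the address option B mentions); the destinations are the three from the question 7 exhibit plus one deliberate repeat. The port allocation rule (lowest port from 1024 whose five-tuple is free) is a simplification chosen to reproduce the exhibit, not IOS's real allocator; the inside local hosts and source ports are constructed.

```python
from typing import Dict, NamedTuple, Set, Tuple

# Constructed model of extended PAT (NAT overload). The translation table is
# keyed on the full five-tuple, so the same inside global port can be reused
# for different destinations. Illustration only, not IOS code.

class Flow(NamedTuple):
    proto: str
    inside_local: str
    inside_local_port: int
    outside: str            # destination ("outside global") address
    outside_port: int

class Translation(NamedTuple):
    inside_global: str
    inside_global_port: int

# (proto, inside global IP, inside global port, outside global IP, outside global port)
FiveTuple = Tuple[str, str, int, str, int]

class PatTable:
    def __init__(self, inside_global: str, first_port: int = 1024):
        self.inside_global = inside_global      # the single public address every host shares
        self.first_port = first_port
        self.sessions: Dict[Flow, Translation] = {}
        self.in_use: Set[FiveTuple] = set()

    def _five_tuple(self, flow: Flow, port: int) -> FiveTuple:
        return (flow.proto, self.inside_global, port, flow.outside, flow.outside_port)

    def translate(self, flow: Flow) -> Translation:
        """Outbound packet: return the existing translation or allocate a new one."""
        if flow in self.sessions:
            return self.sessions[flow]
        port = self.first_port
        # Lowest port whose five-tuple is still free. Only a collision on the
        # whole tuple (same destination IP and port) forces a higher port.
        while self._five_tuple(flow, port) in self.in_use:
            port += 1
            if port > 65535:
                raise RuntimeError("no free port for this destination")
        tr = Translation(self.inside_global, port)
        self.sessions[flow] = tr
        self.in_use.add(self._five_tuple(flow, port))
        return tr

    def reverse(self, proto: str, ig_port: int, outside: str, outside_port: int) -> Flow:
        """Inbound reply: the five-tuple maps back to exactly one inside host."""
        for flow, tr in self.sessions.items():
            if (flow.proto, tr.inside_global_port, flow.outside, flow.outside_port) == \
                    (proto, ig_port, outside, outside_port):
                return flow
        raise KeyError("no matching translation")

    def show(self) -> list:
        """Rows in the spirit of 'show ip nat translations': inside global, inside local, outside global."""
        return [(f"{tr.inside_global}:{tr.inside_global_port}",
                 f"{f.inside_local}:{f.inside_local_port}",
                 f"{f.outside}:{f.outside_port}") for f, tr in self.sessions.items()]


# Constructed sessions from four hosts in 10.1.1.0/24. The first three go to the
# destinations named in the exhibit; the fourth repeats the second's destination.
FLOWS = [
    Flow("udp", "10.1.1.10", 53001, "198.51.100.10", 53),
    Flow("tcp", "10.1.1.11", 49152, "203.0.113.100", 443),
    Flow("tcp", "10.1.1.12", 49153, "203.0.113.200", 22),
    Flow("tcp", "10.1.1.13", 49154, "203.0.113.100", 443),
]

def build_table() -> Tuple[list, PatTable]:
    """Translate every flow through inside global 203.0.113.5; return the ports chosen and the table."""
    pat = PatTable("203.0.113.5")
    return [pat.translate(f).inside_global_port for f in FLOWS], pat


if __name__ == "__main__":
    ports, pat = build_table()
    for row in pat.show():
        print(*row, sep="  ")
    print("inside global ports:", ports)
```

The first three sessions all land on port 1024 because their five-tuples differ in the destination, which is exactly the exhibit's picture; only the fourth session, which shares a destination with the second, has to move to 1025. `reverse()` shows why there is no ambiguity for return traffic, and the single `inside_global` address is the point of question 8: PAT needs one public IP, not one per host.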

9
MCQ · hard

Based on the exhibit, why does the ACL still allow HTTPS traffic from the branch subnet to the server?

A. The ACL blocks TCP port 80 instead of TCP port 443.
B. HTTPS uses UDP port 443, so TCP matching can never work.
C. The ACL must deny all IP traffic to the server to stop HTTPS.
D. ACLs cannot filter by destination port when a host keyword is used.
Answer: A

This is correct because HTTPS normally uses TCP port 443, not port 80.

Why this answer

The ACL still allows the HTTPS traffic because the deny statement is matching TCP port 80, not TCP port 443. In practical terms, the entry blocks HTTP, not HTTPS. Since the requirement is specifically to block encrypted web traffic on TCP 443, the current line is aimed at the wrong service.

This is a good precision question because it tests whether the candidate pays attention to the exact destination port rather than just seeing a generic web-related deny.

Exam trap

A common exam trap is assuming that blocking TCP port 80 also blocks HTTPS traffic. Candidates may see a deny statement for port 80 and mistakenly conclude that all web traffic is blocked. However, HTTPS uses TCP port 443, so if the ACL does not explicitly deny port 443, HTTPS traffic will still be allowed.

This trap tests attention to detail and understanding of port assignments for common services. Overlooking the exact port number leads to incorrect conclusions about ACL effectiveness and network security.

Why the other options are wrong

B

Incorrect. HTTPS uses TCP, not UDP. Denying UDP port 443 would not block HTTPS traffic, so this option is factually wrong.

C

Incorrect. It is unnecessary to deny all IP traffic to block HTTPS. Targeting the specific TCP port 443 is sufficient and more secure practice.

D

Incorrect. ACLs can filter by destination port even when using the host keyword. Both host-based IP matching and port filtering are valid in extended ACLs.

10
MCQ · hard

Based on the exhibit, what is the strongest next troubleshooting focus?

A. DNS or name-resolution configuration for the host or service
B. STP root bridge priority on the access switch
C. PPP encapsulation on the WAN edge
D. EtherChannel member consistency on the distribution switches
Answer: A

This is correct because the difference between IP success and hostname failure points directly to DNS-related troubleshooting.

Why this answer

The strongest next troubleshooting focus is DNS. In practical terms, the host can already reach the destination by IP address, which means switching, routing, and general Layer 3 connectivity are working for that path. The failure occurs only when the hostname is used, so the most likely remaining fault domain is name resolution rather than the data path itself.

This is a classic 'what do you check next' support question and very close to real-world helpdesk and network triage logic.

Exam trap

A frequent exam trap is to select options related to Layer 2 or WAN link issues, such as STP root bridge priority or PPP encapsulation, because candidates associate connectivity problems with these technologies. However, the question states that IP connectivity works, which means switching and routing are operational. Choosing these options wastes time and misses the core issue, which is DNS or name-resolution failure.

Candidates must carefully distinguish between IP connectivity and hostname resolution failures to avoid this common pitfall.

Why the other options are wrong

B

STP root bridge priority is irrelevant here because the network path to the IP address is already functional, meaning Layer 2 switching and spanning-tree topology are stable and not causing the failure.

C

PPP encapsulation on the WAN edge is not the cause since the symptom is specific to hostname resolution failure, and IP connectivity over the WAN is already confirmed as working.

D

EtherChannel member consistency issues would affect link aggregation and potentially cause connectivity failures, but since the client can reach the service by IP, EtherChannel problems are not the root cause.

11
Multi-Select · medium

Which two statements accurately describe ACL behavior on Cisco devices?

Select 2 answers
A. ACL entries are processed from top to bottom until a match is found.
B. ACLs end with an implicit deny if unmatched traffic reaches the end.
C. ACLs always evaluate every line before deciding the action.
D. ACLs end with an implicit permit unless configured otherwise.
E. ACLs apply only to Layer 1 traffic and not IP packets.
Answers: A, B

This is correct because Cisco ACLs are evaluated sequentially and stop at the first match.

Why this answer

ACL questions often depend on understanding how Cisco devices process entries line by line. In plain language, ACL entries are evaluated from top to bottom, and the first matching statement decides the result. If traffic reaches the end without matching a permit, it is denied by the implicit deny. These two ideas explain many real ACL troubleshooting cases.

The wrong answers often sound plausible because they borrow language from other parts of networking. But ACLs do not normally evaluate all lines before choosing, and they do not end with an implicit permit. Once you remember “first match wins” and “implicit deny at the end,” many access-list questions become much easier.

Exam trap

A frequent exam trap is assuming that ACLs evaluate every line before deciding to permit or deny traffic. Candidates might think that if no explicit deny exists, traffic is allowed by default. However, Cisco ACLs stop processing at the first match, and if no match occurs, the implicit deny at the end blocks the traffic.

This misunderstanding can lead to incorrect answers about ACL behavior and cause misconfigurations in real networks. Remembering that ACLs use a “first match wins” approach and end with an implicit deny helps avoid this trap.

Why the other options are wrong

C

Incorrect because ACLs do not evaluate every line; they stop processing once a match is found, making this statement false.

D

Incorrect because Cisco ACLs do not end with an implicit permit; the default behavior is an implicit deny for unmatched traffic.

E

Incorrect because ACLs filter traffic at Layer 3 and Layer 4, not at Layer 1, so this statement is factually wrong.

12
Drag & Drop · medium

Drag and drop the following steps into the correct order to implement DHCP services for clients in VLAN 10 using a centralized DHCP server in VLAN 20 and to protect the network with DHCP snooping.


Why this order

The correct order requires the DHCP server to be configured first so it can respond to requests. Then the IP helper-address is configured on the default gateway interface for VLAN 10 to forward client broadcasts to the server. Next, DHCP snooping is enabled globally, followed by identifying the trusted port to the server (to allow DHCP replies), and then snooping is enabled on the client VLAN.

Finally, a client connection triggers a DHCP transaction that you can verify with the snooping binding table.

13
MCQ · hard

An engineer configures 802.1X port-based authentication on a Cisco IOS-XE switch for a voice VLAN deployment. After applying the configuration, IP phones on interface GigabitEthernet1/0/1 fail to receive a voice VLAN and remain in an unauthenticated state. The switchport is configured as an access port with voice VLAN 10. What is the most likely cause of the failure?

A. Re-authenticate the phone using 'dot1x reauthenticate interface Gi1/0/1'
B. Configure 'authentication host-mode multi-domain' on the interface
C. Add 'switchport voice vlan 10' under the interface
D. Change the port to 'authentication port-control force-authorized'
Answer: B

This command allows the switch to authorize both data and voice domains separately on the same port, enabling the phone to receive the voice VLAN.

Why this answer

The correct answer is B because in a voice VLAN deployment with 802.1X, the switchport must be configured with 'authentication host-mode multi-domain' to allow both a data device (phone) and a voice device (PC behind the phone) to authenticate separately. Without this mode, the port defaults to single-host mode, which prevents the phone from receiving the voice VLAN and keeps it in an unauthenticated state.

Exam trap

The trap here is that candidates often assume the issue is a missing voice VLAN command or an authentication failure, but Cisco specifically tests the requirement for multi-domain host mode when voice VLAN is used with 802.1X.

Why the other options are wrong

A

Re-authentication forces the phone to re-authenticate, but the port remains in single-host mode, which only allows one authenticated device. The phone's data and voice domains are not separated, so the voice VLAN assignment still fails.

C

The voice VLAN is already configured with 'switchport voice vlan 10' as stated in the scenario. The issue is not the VLAN definition but the authentication domain separation; the phone remains unauthenticated because the port cannot assign the voice VLAN without proper multi-domain support.

D

Setting 'authentication port-control force-authorized' bypasses 802.1X authentication entirely, which defeats the purpose of port-based security. It would allow the phone to connect without authentication, but the voice VLAN assignment still requires proper domain handling; moreover, this is not a secure solution.

14
Multi-Select · medium

Which two statements accurately describe Syslog in a Cisco network environment?

Select 2 answers
A. Syslog can send device event messages to a centralized logging server.
B. Syslog is primarily used to assign IP addresses to hosts.
C. Syslog messages become easier to correlate when device clocks are synchronized.
D. Syslog automatically prevents switching loops.
E. Syslog replaces the need for any monitoring system.
Answers: A, C

This is correct because centralized message collection is one of Syslog’s main purposes.

Why this answer

Syslog is used to centralize device event messages such as warnings, errors, and informational entries. In plain language, it gives administrators one place to review what devices are reporting rather than checking each device individually. This makes troubleshooting and incident review easier, especially in larger environments. Syslog does not replace time synchronization, but it becomes much more useful when paired with NTP so timestamps are consistent.

A common trap is to assume Syslog is a routing protocol or a DHCP-like service. It is neither. It is about event reporting and centralized logging.

Exam trap

A common exam trap is confusing Syslog with DHCP or STP functions. Some candidates mistakenly believe Syslog assigns IP addresses or prevents switching loops because these are common network management tasks. However, Syslog’s sole purpose is to report and log device events.

Misunderstanding this can lead to selecting incorrect answers that describe DHCP’s or STP’s roles. Another trap is overlooking the importance of synchronized clocks for meaningful log correlation, which can cause candidates to underestimate why consistent timestamps matter in Syslog environments.

Why the other options are wrong

B

This option is incorrect because Syslog does not assign IP addresses; DHCP is the protocol responsible for IP address allocation in Cisco networks.

D

This option is incorrect because Syslog does not prevent switching loops; this function is handled by Spanning Tree Protocol (STP).

E

This option is incorrect because Syslog complements but does not replace broader network monitoring systems that provide additional analysis and alerting capabilities.

15
MCQ · easy

Which OSPF neighbor state indicates that the routers have already exchanged full link-state databases?

A. 2-WAY
B. EXSTART
C. FULL
D. INIT
Answer: C

FULL indicates the neighbors are fully adjacent.

Why this answer

FULL means the adjacency is complete and database synchronization has finished. States such as INIT, 2-WAY, EXSTART, and EXCHANGE all occur earlier in the process.

Exam trap

A frequent exam trap is selecting the 2-WAY or EXSTART states as the answer because they represent important steps in OSPF neighbor formation. However, 2-WAY only confirms bidirectional hello packets without database exchange, and EXSTART is merely the negotiation phase for database synchronization. Choosing these states overlooks the fact that full link-state database exchange and adjacency completion only occur at the FULL state.

Misunderstanding this can lead to incorrect assumptions about OSPF neighbor readiness and routing stability.

Why the other options are wrong

A

The 2-WAY state confirms bidirectional communication between OSPF neighbors but does not indicate that the full link-state database has been exchanged. It is an intermediate step before full adjacency.

B

EXSTART is the initial phase of database exchange where routers negotiate master-slave roles and sequence numbers. It does not mean the databases are fully synchronized yet.

D

INIT state means a router has received a hello packet from a neighbor but has not confirmed bidirectional communication, so full database exchange has not started.

16
MCQ · hard

A router interface applies this ACL inbound:

10 deny tcp any any eq 80
20 permit ip any any

A user reports that web browsing to a server by IP address fails, but ping works. Which statement best explains the behavior?

A. The ACL blocks all traffic because the first entry is a deny
B. The ACL blocks HTTP but allows ICMP
C. The ACL permits HTTP because line 20 overrides line 10
D. The ACL blocks ping because ICMP is not explicitly permitted
Answer: B

Correct. HTTP matches the deny, while ping is permitted by the later broad permit.

Why this answer

ACLs are processed top down. Line 10 denies TCP destination port 80, which blocks HTTP. Line 20 then permits all remaining IP traffic, including ICMP echo packets used by ping.

Exam trap

Remember that ACLs are processed sequentially; the first match dictates the action, not subsequent lines.

Why the other options are wrong

A

The ACL does not block all traffic; it only denies TCP traffic destined for port 80 (HTTP). Other traffic, including ICMP, is permitted by the subsequent 'permit ip any any' statement.

C

Line 20 does not override line 10 because ACLs use first-match logic. Once a packet matches line 10 (TCP port 80), it is denied and no further processing occurs. Line 20 only applies to packets that do not match earlier entries.

D

ICMP is not explicitly blocked; it is permitted by the 'permit ip any any' statement on line 20, which covers all IP protocols including ICMP. The user's ping works, confirming this.

17
MCQmedium

Two switches are connected by an 802.1Q trunk. CDP reports a native VLAN mismatch. Which issue is most likely to appear because of this?

A.Untagged traffic may be placed into different VLANs on each switch.
B.All tagged traffic on the trunk is dropped immediately.
C.STP is disabled on the trunk link.
D.The trunk automatically converts to an access port.
AnswerA

That is the classic symptom of a native VLAN mismatch.

Why this answer

A native VLAN mismatch means untagged frames leave one switch in its native VLAN and are received into a different VLAN on the other switch. That produces confusing, often one-directional connectivity problems, and it also lets traffic cross a VLAN boundary without a tag, which is the basis of native-VLAN hopping attacks. It does not bring the trunk down.
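As an added example (not from the original question), the configuration that removes the mismatch on a Cisco switch, applied identically at both ends of the trunk. The interface number, the data VLAN IDs and the choice of VLAN 999 as an otherwise unused native VLAN are assumptions:

```cisco
! Added example: run on both switches so the native VLAN matches end to end
! Assumed: trunk interface Gi0/24, data VLANs 10,20,30, unused VLAN 999 as native
configure terminal
vlan 999
 name NATIVE_UNUSED
exit
interface GigabitEthernet0/24
 ! omit the encapsulation line on platforms that only support 802.1Q
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
 switchport nonegotiate
exit
! Hardening: tag the native VLAN as well, so nothing crosses the trunk untagged
vlan dot1q tag native
end
! CDP reports the problem as %CDP-4-NATIVE_VLAN_MISMATCH; both views must agree
show interfaces trunk
show cdp neighbors detail | include Native
```

Using an unused VLAN as the native VLAN means that even if a mismatch recurs, untagged frames land in a VLAN with no hosts in it. The vlan dot1q tag native command must be enabled on both switches; enabling it on one side only creates a new mismatch, because that side will tag frames the other side expects untagged.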

Exam trap

A common exam trap is to believe that a native VLAN mismatch causes the trunk link to shut down or block all traffic. In reality, only untagged traffic is affected, and tagged VLAN traffic continues to pass normally if allowed VLANs match. Another mistake is thinking the trunk automatically converts to an access port, which Cisco switches do not do.

Candidates may also overlook that STP remains enabled despite the mismatch. In practice, Cisco PVST+ does detect the mismatch from the BPDUs it receives and places the affected VLANs on that port into a PVID-inconsistent blocking state until the native VLAN is corrected; that is a symptom of the mismatch, not STP being disabled. Focusing only on trunk status without considering untagged traffic behavior leads to incorrect answers.

Why the other options are wrong

B

This is incorrect because tagged traffic on the trunk is not dropped due to a native VLAN mismatch; tagged frames continue to be forwarded normally if VLANs are allowed on both sides.

C

This option is wrong since a native VLAN mismatch does not disable Spanning Tree Protocol; STP continues to operate normally on the trunk link.

D

This is incorrect because Cisco switches do not automatically convert a trunk port to an access port due to a native VLAN mismatch; the trunk remains active.

18
Drag & Dropmedium

Drag and drop the following steps into the correct order to sequence the DNS resolution process from a client query to receiving an A-record response, including the use of nslookup and dig for diagnosis.


Why this order

DNS resolution starts with the client query, then recursive server lookups, authoritative response, caching and reply, and finally diagnostic tools like nslookup or dig to verify.

Exam trap

Do not confuse the order of DNS resolution steps. The client query always comes first, followed by recursive server queries, then authoritative response, then caching and reply, and finally diagnostic tools. Watch out for options that place diagnostic tools or authoritative responses before the client query.

19
Drag & Drophard

Drag and drop the following steps into the correct order to configure a Cisco IOS-XE router as a DHCP server for a client VLAN and then enable a DHCP relay agent on a different interface to forward client requests to a remote server.


Why this order

The correct order is to first exclude addresses to prevent the DHCP server from leasing reserved or gateway IPs, then create and configure the DHCP pool (network, default gateway), next enable DHCP relay on the required interface, and finally verify. Option D follows this Cisco best practice. Option A risks assigning excluded addresses because the pool is created before exclusions.

Options B and C place relay setup before the pool is fully configured, which is incorrect.

Exam trap

Candidates often mistakenly create the DHCP pool before excluding addresses, which can lead to the server leasing addresses intended to be reserved. Always configure exclusions first, then the pool, then relay, then verify.
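The four-step procedure above as an added, complete IOS configuration (example code, not from the original question). The VLAN numbering, the addresses, the lease time and the remote DHCP server address are assumptions:

```cisco
! Added example: IOS DHCP server for the VLAN 10 clients, relay for the VLAN 20 clients
! Assumed: VLAN 10 gateway 10.10.10.1/24, VLAN 20 gateway 10.20.20.1/24, remote server 10.99.0.5
configure terminal
!
! 1. Exclusions first, so the pool can never hand out the gateway or reserved addresses
ip dhcp excluded-address 10.10.10.1 10.10.10.20
!
! 2. Pool: scope, gateway, DNS, 8-hour lease (lease days hours)
ip dhcp pool VLAN10_CLIENTS
 network 10.10.10.0 255.255.255.0
 default-router 10.10.10.1
 dns-server 10.10.10.5
 lease 0 8
exit
!
! 3. Relay: DHCPDISCOVER broadcasts arriving on Gi0/2 are forwarded as unicast
!    to the remote server, with the relay's 10.20.20.1 as giaddr so the server
!    picks the matching scope
interface GigabitEthernet0/2
 ip address 10.20.20.1 255.255.255.0
 ip helper-address 10.99.0.5
exit
end
!
! 4. Verify: pool usage, leases handed out, and request/offer counters
show ip dhcp pool VLAN10_CLIENTS
show ip dhcp binding
show ip dhcp server statistics
```

One caveat a practitioner will want: ip helper-address relays not only DHCP but several other UDP broadcasts by default (TFTP, DNS, time, NetBIOS name and datagram, TACACS). Trim the list with no ip forward-protocol udp followed by the port so that the relay only carries what the remote server is meant to receive.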

20
PBQhard

You are connected to R1 in a small office network. Configure PAT (NAT overload) so that hosts on the 192.168.1.0/24 LAN can access the Internet via the public IP 203.0.113.1 (the IP assigned to interface G0/0). Also configure a static NAT for the internal web server at 192.168.1.10 to the public IP 203.0.113.6. The current configuration has errors: the inside/outside interface assignments are swapped, the ACL for PAT does not match the inside subnet, and the PAT rule points to the wrong ACL. Fix all issues so that both PAT and static NAT work correctly.

Network Topology
Internet (ISP) <-> R1 G0/0 (203.0.113.1/29); R1 G0/1 <-> Switch <-> LAN (192.168.1.0/24)

Hints

  • Check which interface is public and which is private — they are reversed.
  • The ACL used in the PAT command must match the inside subnet exactly.
  • The PAT command should reference the correct outside interface and the correct ACL.
A.Configure G0/0 as outside, G0/1 as inside; modify ACL 1 to permit 192.168.1.0 0.0.0.255; apply ip nat inside source list 1 interface G0/0 overload; keep ip nat inside source static 192.168.1.10 203.0.113.6
B.Configure G0/0 as inside, G0/1 as outside; modify ACL 1 to permit 192.168.1.0 0.0.0.255; apply ip nat inside source list 1 interface G0/1 overload; keep ip nat inside source static 192.168.1.10 203.0.113.6
C.Configure G0/0 as outside, G0/1 as inside; modify ACL 1 to permit 192.168.2.0 0.0.0.255; apply ip nat inside source list 1 interface G0/0 overload; keep ip nat inside source static 192.168.1.10 203.0.113.6
D.Configure G0/0 as outside, G0/1 as inside; modify ACL 1 to permit 192.168.1.0 0.0.0.255; apply ip nat inside source list 2 interface G0/0 overload; keep ip nat inside source static 192.168.1.10 203.0.113.6
AnswerA
solution
! R1
configure terminal
interface GigabitEthernet0/0
no ip nat inside
ip nat outside
exit
interface GigabitEthernet0/1
no ip nat outside
ip nat inside
exit
no access-list 1
access-list 1 permit 192.168.1.0 0.0.0.255
no ip nat inside source list 1 interface GigabitEthernet0/1 overload
no ip nat inside source list 2 interface GigabitEthernet0/0 overload
ip nat inside source list 1 interface GigabitEthernet0/0 overload
end
! drop any translations built under the old rules, then confirm the new ones
clear ip nat translation *
show ip nat translations

Why this answer

The main issues: (1) The interface roles were swapped: G0/0 (public) was marked inside and G0/1 (private) outside. They must be reversed: G0/0 outside, G0/1 inside. (2) ACL 1, the list the PAT rule should reference, permitted 192.168.2.0/24 instead of 192.168.1.0/24. (3) The PAT statements referenced the wrong ACL and the wrong interface: one used ACL 1 on G0/1 and another used ACL 2 on G0/0. Both are removed and replaced by a single statement that uses ACL 1 (now matching the inside subnet) on the outside interface G0/0.

The static NAT statement itself was correct, but it only takes effect once G0/1 is marked as the inside interface. Interface overload translates inside hosts to the primary address of the outside interface, so after the fix inside hosts appear on the Internet as 203.0.113.1, not 203.0.113.5 or any other address in the /29.

Exam trap

Common traps include confusing inside/outside interface roles, mismatching ACL subnets, and referencing the wrong ACL number in the PAT command. Always verify interface assignments, ACL content, and command syntax step by step.

Why the other options are wrong

B

The specific factual error: The inside/outside interface roles are reversed; PAT is applied to the wrong interface.

C

The specific factual error: The ACL does not match the inside network, so PAT will not be applied to LAN traffic.

D

The specific factual error: The PAT command uses the wrong ACL number; it should use ACL 1, not ACL 2.

21
MCQhard

A network administrator has configured dynamic NAT on a Cisco router to allow internal hosts to access the Internet. Internal hosts can ping external servers, but external hosts cannot initiate connections to any internal host. The administrator checks the NAT translations. What is the most likely cause of this behavior?

A.The NAT pool is exhausted because it contains only 21 addresses, and more than 21 internal hosts are trying to access the Internet simultaneously.
B.The router is configured for dynamic NAT without overload (PAT), so it assigns one public IP per inside host and does not allow inbound connections without a static mapping.
C.The inside local addresses are not in the same subnet as the inside interface, causing asymmetric routing.
D.The outside global addresses are not routable on the Internet, so external hosts cannot send return traffic.
AnswerB

The translation table shows addresses only, with no protocol or port columns populated, which indicates one-to-one dynamic NAT without overload. That explains why inside hosts can initiate outbound connections (each receives a pool address on demand) but outside hosts cannot initiate inbound ones: no mapping exists until an inside host creates it, and nothing tells the router which inside host an unsolicited inbound packet is for.

Why this answer

Option B is correct because dynamic NAT without overload maps each inside host to a unique public IP from the pool, but it does not allow external hosts to initiate connections because there is no static mapping or port forwarding to direct inbound traffic. The described behavior—internal hosts reaching the Internet while external hosts cannot initiate connections—is typical of dynamic NAT without PAT. With PAT (overload), many internal hosts share a single public IP and inbound connections would still require explicit port forwarding; without overload, the router simply does not know how to translate incoming requests back to the correct inside host.

Exam trap

Candidates often confuse dynamic NAT with Port Address Translation (PAT). The trap is assuming that any dynamic NAT configuration automatically allows inbound connections, but without overload, external hosts cannot reach internal hosts unless static NAT or port forwarding is configured.

Why the other options are wrong

A

The symptom described is that external hosts cannot initiate connections to internal hosts. Even if the NAT pool were exhausted, internal hosts would still be able to initiate outbound connections (using PAT if configured), and external hosts would still be unable to initiate inbound connections unless static NAT or port forwarding is configured. Pool exhaustion would cause outbound failures, not specifically inbound failures.

C

The inside local addresses (192.168.1.x) are private IPs that are typically configured on the inside interface. The NAT translations show them mapping to public IPs, indicating that the router is correctly performing NAT. Asymmetric routing would cause connectivity issues in both directions, not just inbound, and is not indicated by the given symptoms.

D

The question states that internal hosts can ping external servers, which means return traffic is reaching the internal hosts. If the outside global addresses were not routable, the ping would fail because the external server would not be able to send a reply. Therefore, the addresses must be routable in this scenario.

22
MCQhard

A security policy requires that only one management subnet be able to initiate SSH to a router. Which approach most directly supports that requirement?

A.Use an ACL to permit SSH access only from the approved management subnet.
B.Enable PortFast on the router interfaces.
C.Disable all logging on the router.
D.Replace SSH with Telnet for easier filtering.
AnswerA

This is correct because the policy is specifically about restricting management access by source subnet.

Why this answer

The most direct approach is to use an ACL that restricts which source subnet is permitted to reach SSH management access on the router. In practical terms, SSH can remain enabled as the secure protocol, but access to it should still be limited to trusted management sources. That is a classic example of combining secure protocol choice with source restriction.

Options B and C are incorrect because PortFast is a spanning-tree feature unrelated to access control, and disabling logging does not restrict who can initiate SSH. Option D is wrong because Telnet does not filter by subnet and is less secure than SSH.
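The approach in option A as an added IOS configuration (example code, not part of the original question). The management subnet 10.50.0.0/24, the domain name, the username and password, and the interface names are assumptions:

```cisco
! Added example: SSH-only management, accepted only from 10.50.0.0/24 (assumed management subnet)
configure terminal
hostname R1
ip domain-name example.com
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
! assumed local account; use a real strong secret
username netops privilege 15 secret StrongLocalPassw0rd
!
! Source restriction: one permit, then an explicit logged deny so refused
! attempts show up in syslog with their source address
ip access-list standard MGMT_SSH
 permit 10.50.0.0 0.0.0.255
 deny any log
exit
!
! access-class binds the list to the VTY lines, where SSH terminates;
! it applies regardless of which interface the packet arrived on and
! is not affected by transit traffic the way an interface ACL would be
line vty 0 4
 transport input ssh
 login local
 exec-timeout 10 0
 access-class MGMT_SSH in
exit
end
show ip ssh
show access-lists MGMT_SSH
```

Check show line for the full VTY range on the platform: many switches have lines 0 to 15, and an access-class applied to 0 through 4 only leaves 5 through 15 reachable from anywhere. The access-class on the VTY lines is the control the policy asks for; an inbound interface ACL can do the same job, but it then has to account for every other flow crossing that interface.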

Exam trap

Don't confuse securing the protocol (SSH) with controlling access by source subnet. They are complementary but distinct actions.

Why the other options are wrong

B

PortFast is a spanning-tree optimization that speeds up the transition of an access port to forwarding; it does not control which sources can initiate SSH.

C

Disabling logging prevents the router from recording events, but it does not prevent unauthorized subnets from attempting SSH access.

D

Replacing SSH with Telnet does not add source filtering and actually reduces security; Telnet transmits credentials in clear text.

23
MCQmedium

A host receives its IP address automatically but cannot resolve hostnames. Which additional service information is most likely missing from its configuration?

A.A DNS server address
B.A new MAC address
AnswerA

This is correct because DNS service information is needed for hostname resolution.

Why this answer

If the host receives an IP address but cannot resolve hostnames, the most likely missing information is a DNS server setting. In plain language, the device has enough configuration to join the network but not enough to ask where hostnames map in IP terms. DHCP can provide this DNS server information automatically, and if it is missing, the host may still communicate by IP while failing on names.

This is a common service-troubleshooting pattern because it separates address configuration from name resolution. The correct answer is the missing DNS-related setting rather than the IP address itself or the subnet mask.

Exam trap

A frequent exam trap is assuming that if a host receives an IP address via DHCP, it automatically has all necessary network information, including DNS server addresses. This mistake overlooks that DHCP can provide IP address and subnet mask without DNS settings. Candidates might incorrectly select options related to MAC address changes, VLAN configurations, or routing protocols like OSPF, which do not affect hostname resolution.

The trap is confusing IP connectivity with name resolution, leading to wrong answers that ignore the essential role of DNS in translating hostnames to IP addresses.

Why the other options are wrong

B

Incorrect because changing the MAC address does not affect DNS or hostname resolution. MAC addresses operate at Layer 2 and are unrelated to IP services like DNS.

C

Incorrect because a trunk native VLAN setting relates to VLAN tagging on switches and does not impact a host’s ability to resolve hostnames or DNS functionality.

D

Incorrect because OSPF router ID is a routing protocol parameter used by routers and does not influence DNS or hostname resolution on end hosts.

24
Matchingmedium

Drag and drop the ACL commands and concepts on the left to their correct descriptions on the right.


Concepts
Matches

Extended ACL that permits HTTP traffic

Standard ACL that permits a subnet

Wildcard mask that matches only the last octet

Applies ACL 10 inbound on an interface

Creates a named extended ACL

Wildcard mask that matches all IP addresses

Why these pairings

Standard ACLs filter only by source IP. Extended ACLs offer more granular filtering. Named ACLs use names for identification.

Implicit deny is the default deny-all at the end. Inbound ACLs process traffic before routing, outbound after routing.

Exam trap

Do not confuse the filtering criteria of standard vs. extended ACLs. Standard ACLs only use source IP; extended ACLs use source/destination IP, protocol, and port. Also, remember that named ACLs are just a naming method, not a different filtering type.

25
Multi-Selectmedium

Which THREE statements correctly describe the configuration and verification of NAT, PAT, and static NAT?

Select 3 answers
A.To configure static NAT, use the command 'ip nat inside source static <inside-local> <inside-global>'.
B.PAT uses the command 'ip nat inside source list <acl> interface <interface> overload' to translate multiple inside addresses to the interface's IP using different port numbers.
C.The command 'show ip nat statistics' displays the current active translations including inside and outside addresses.
D.When configuring dynamic NAT, you must define a NAT pool using the command 'ip nat pool <name> <start-ip> <end-ip> netmask <mask>' and then use an ACL to match inside traffic.
E.To verify that static NAT is working, you should check the output of 'show ip interface brief' and look for the translated IP.
AnswersA, B, D

This command creates a one-to-one mapping between a private (inside local) and a public (inside global) IP address.

Why this answer

Option A is correct because the 'ip nat inside source static' command creates a one-to-one permanent NAT mapping. Option B is correct because PAT is configured by adding the 'overload' keyword to a dynamic NAT statement that references an ACL and an interface, allowing many private addresses to share a single public IP with different port numbers. Option D is correct: dynamic NAT requires a NAT pool defined with 'ip nat pool' and an access list to identify the inside traffic to be translated.

Option C is incorrect because 'show ip nat statistics' only displays counters and summary information, not the active translation entries; those are shown with 'show ip nat translations'. Option E is incorrect because 'show ip interface brief' does not show NAT translation mappings; verification of static NAT requires 'show ip nat translations'.
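As an added example (not from the original question), the three NAT forms from options A, B and D in one IOS configuration, with the two verification commands the explanation contrasts; it also produces the address-only translation table that question 21 relies on. The interface roles, the pool range and the server address are assumptions:

```cisco
! Added example: dynamic NAT from a pool, static NAT for a server, and how to verify
! Assumed: inside Gi0/1 (192.168.1.0/24), outside Gi0/0, pool 203.0.113.17-30/28
configure terminal
interface GigabitEthernet0/1
 ip nat inside
exit
interface GigabitEthernet0/0
 ip nat outside
exit
! ACL selects which inside sources are translated
access-list 10 permit 192.168.1.0 0.0.0.255
!
! Dynamic one-to-one NAT: each inside host holds a whole pool address while its entry lives;
! the table then shows addresses only, with no protocol or port (question 21's symptom)
ip nat pool PUBLIC_POOL 203.0.113.17 203.0.113.30 netmask 255.255.255.240
ip nat inside source list 10 pool PUBLIC_POOL
! Same statement with 'overload' turns it into PAT sharing the pool addresses by port:
! ip nat inside source list 10 pool PUBLIC_POOL overload
!
! Static NAT: a permanent entry that is present in the table even with no traffic
ip nat inside source static 192.168.1.10 203.0.113.6
end
!
! Active entries: the static line is always listed; dynamic lines appear as hosts send traffic
show ip nat translations
! Counters, interface roles and configured mappings, but no per-host entries
show ip nat statistics
! After changing NAT rules, clear dynamic entries (static ones are untouched)
clear ip nat translation *
```

A pool of 14 addresses without overload means the fifteenth inside host gets no translation until an earlier entry times out, which is the pool-exhaustion failure option A of question 21 describes; adding overload removes that limit at the cost of the address-only entries you see here.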

Exam trap

Cisco often tests the distinction between 'show ip nat statistics' (counters and summary) and 'show ip nat translations' (active mappings), leading candidates to mistakenly believe that statistics shows the actual translation entries.

Why the other options are wrong

C

The command 'show ip nat statistics' provides summary statistics such as total translations, hits, misses, and expired translations, but it does not list the actual translation entries. To view active translations, you must use 'show ip nat translations'.

E

The command 'show ip interface brief' displays the status and IP addresses of interfaces, but it does not show NAT translations. To verify static NAT, use 'show ip nat translations': a static mapping appears there permanently, even before any traffic crosses the router, whereas dynamic entries appear only once an inside host sends traffic. 'show ip nat statistics' confirms which interfaces and mappings are configured and how many translations exist, but it does not list the entries themselves.

26
MCQmedium

An access switch port shuts down as soon as a user connects a small unmanaged switch under the desk. Which feature caused that behavior?

D.Storm control
AnswerB

BPDU Guard shuts an edge port down if it receives a BPDU.

Why this answer

BPDU Guard is meant to protect access ports by shutting them down if BPDUs are received. That usually means someone connected another switch where only an endpoint should exist.

Exam trap

A frequent exam trap is mistaking BPDU Guard for Root Guard or Loop Guard. Candidates often confuse Root Guard’s role in blocking superior BPDUs with BPDU Guard’s immediate port shutdown on any BPDU reception. Similarly, Loop Guard protects against missing BPDUs but does not err-disable ports.

This confusion leads to selecting incorrect answers that do not cause the port to shut down when a small unmanaged switch is connected. Remember, only BPDU Guard err-disables the port upon receiving BPDUs on an access port, which is the exact behavior described in the question.

Why the other options are wrong

A

Root Guard prevents a port from becoming a root port by blocking superior BPDUs but does not err-disable or shut down the port upon receiving BPDUs. It is designed to maintain root bridge stability rather than protect edge ports from unauthorized switches.

C

Loop Guard protects against loops caused by unidirectional link failures by preventing ports from transitioning to forwarding state when BPDUs are missing. It does not err-disable ports upon receiving BPDUs and therefore does not cause the port shutdown described.

D

Storm Control monitors traffic levels to prevent broadcast, multicast, or unicast storms by blocking traffic when thresholds are exceeded. It does not react to BPDUs or cause ports to shut down upon BPDU reception, so it is unrelated to the described behavior.

27
MCQmedium

Exhibit: A collector is receiving traffic metadata from a router, including source IP, destination IP, protocol, and byte counts. Which feature is being used?

B.SNMP trap
C.NetFlow
D.NTP
AnswerC

NetFlow describes traffic flows and counters.

Why this answer

NetFlow exports flow records that summarize traffic conversations. It does not carry full packet payloads, but it does provide useful metadata for analysis and capacity planning.
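Flexible NetFlow on IOS/IOS-XE as an added example (not from the original question), collecting exactly the fields the collector in the question receives. The collector address and port, the source interface and the monitored interface are assumptions:

```cisco
! Added example: export source/destination IP, protocol and byte counts per flow
! Assumed: collector 10.50.0.10 on UDP 2055, export from Loopback0, monitor Gi0/0
configure terminal
! What makes a flow (match) and what is counted for it (collect)
flow record FLOW_REC
 match ipv4 source address
 match ipv4 destination address
 match ipv4 protocol
 match transport source-port
 match transport destination-port
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
exit
! Where the records go
flow exporter FLOW_EXP
 destination 10.50.0.10
 source Loopback0
 transport udp 2055
 export-protocol netflow-v9
exit
! Ties record and exporter together and sets how long a flow sits in the cache
flow monitor FLOW_MON
 record FLOW_REC
 exporter FLOW_EXP
 cache timeout active 60
 cache timeout inactive 15
exit
interface GigabitEthernet0/0
 ip flow monitor FLOW_MON input
 ip flow monitor FLOW_MON output
exit
end
! Current flows as the router sees them, and whether exports are actually leaving
show flow monitor FLOW_MON cache
show flow exporter FLOW_EXP statistics
```

NetFlow export is plain UDP with no authentication or encryption, so the collector should sit on the management network and the exporter's source address should be the one the collector is configured to trust. The active timeout of 60 seconds is what makes long-lived flows (a large transfer, a persistent tunnel) visible before they finish.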

Exam trap

A frequent exam trap is mistaking Syslog or SNMP traps for the feature that exports traffic metadata. Syslog messages only report system events and errors, not detailed flow data. SNMP traps notify about specific device events or threshold breaches but do not provide conversation-level traffic summaries.

Another trap is confusing NTP, which only synchronizes device clocks, with traffic monitoring features. Candidates must recognize that only NetFlow exports detailed flow records including source IP, destination IP, protocol, and byte counts, which are essential for traffic analysis and capacity planning.

Why the other options are wrong

A

Syslog is designed to send event messages and system logs, not detailed traffic flow summaries. It cannot provide source and destination IP addresses with byte counts, so it is incorrect for this question.

B

SNMP traps are notifications about specific device events or threshold conditions, not detailed records of traffic conversations. They do not include flow metadata like source/destination IP and byte counts, making this option incorrect.

D

NTP is used solely for synchronizing time across network devices and does not provide any traffic metadata or flow information, so it is not the correct feature in this context.

28
PBQhard

You are connected to R1. Configure AAA with RADIUS authentication so that SSH users are authenticated first against the RADIUS server (198.51.100.10) and fall back to the local user database if the server is unreachable. Additionally, troubleshoot why an 802.1X-enabled interface (GigabitEthernet0/1) remains in the unauthorized state. The RADIUS server shares a key of 'cisco123' and uses UDP port 1812. The local user 'admin' with secret 'adminpass' must be available as a fallback.

Hints

  • The dot1x authentication list is missing a fallback method.
  • Use the 'aaa authentication dot1x default' command to add 'local' after 'group radius'.
  • After fixing, the port may need to re-authenticate; you can test by shutting/no shutting the interface.
A.The RADIUS server is unreachable, but the 802.1X port remains unauthorized because the AAA authentication list for dot1x is configured to use only RADIUS without local fallback. The fix is to modify the dot1x authentication list to include 'local' as a fallback method.
B.The RADIUS server is unreachable because the shared key 'cisco123' is incorrect, causing the port to stay unauthorized.
C.The 802.1X port remains unauthorized because the RADIUS server uses UDP port 1812, but the switch expects port 1645.
D.The SSH authentication fails because the local user 'admin' is not configured with the correct privilege level, so fallback does not work.
AnswerA
solution
! R1
configure terminal
aaa authentication dot1x default group radius local
end
write memory

Why this answer

The RADIUS server is unreachable, but the 802.1X port stays unauthorized because the dot1x authentication list uses only RADIUS with no local fallback. When the server times out there is no second method to try, so the port never moves to the authorized state. The fix is to add 'local' as a fallback method on the dot1x list.

With the fallback in place the switch can authenticate the supplicant against the local database when the RADIUS server is unreachable. The task also asks for the SSH side, which is a separate list: 'aaa authentication login default group radius local' gives the VTY logins the same RADIUS-then-local order.
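The full configuration the task describes, as an added example (not the page's solution block): RADIUS first and local fallback for both the login list and the dot1x list, using the server address, key and local account from the question. The server name ISE1, VLAN 50 and the interface-level commands are assumptions, and the device is treated as a Catalyst switch, which is what an 802.1X authenticator port implies even though the question calls it R1:

```cisco
! Added example: RADIUS with local fallback for SSH logins and for 802.1X
! Assumed: server name ISE1, critical VLAN 50; 198.51.100.10 / cisco123 / admin from the question
configure terminal
! Define the local account BEFORE aaa new-model: once enabled, the default login
! list applies to every line including the console, so keep a console session open
username admin secret adminpass
aaa new-model
radius server ISE1
 address ipv4 198.51.100.10 auth-port 1812 acct-port 1813
 key cisco123
exit
!
! SSH/VTY and console logins use the 'login' list: try RADIUS, then local if no answer
aaa authentication login default group radius local
! 802.1X ports use the 'dot1x' list; same order, same fallback
aaa authentication dot1x default group radius local
dot1x system-auth-control
!
interface GigabitEthernet0/1
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
 ! Alternative used in production when the server is dead: authorize the port into a
 ! critical VLAN and re-initialize when the server comes back, instead of relying on 'local'
 authentication event server dead action authorize vlan 50
 authentication event server alive action reinitialize
exit
end
!
! Prove the server answers with the shared key, then check the port's state;
! shutdown / no shutdown on the interface forces a fresh authentication
test aaa group radius admin adminpass new-code
show dot1x interface GigabitEthernet0/1 details
show authentication sessions interface GigabitEthernet0/1
```

The test aaa command is the quickest way to tell a dead server from a wrong shared secret: a timeout means no reply at all, while a rejection means the server received the request and refused it. If the test succeeds but the port still stays unauthorized, the problem is in the dot1x list or the supplicant, not in reachability.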

Exam trap

Do not confuse authentication list configuration for different services (login vs dot1x). SSH uses 'login' list, while 802.1X uses 'dot1x' list. Also, ensure fallback methods are included for network access authentication to avoid permanent unauthorized state.

Why the other options are wrong

B

The specific factual error: the shared secret does not encrypt RADIUS traffic; it authenticates the request/response exchange and only obfuscates the User-Password attribute. A wrong secret makes the server discard or reject the request, which shows up as an authentication failure or a silent timeout for that server. It is not what keeps the port unauthorized here: the port stays unauthorized because no second method exists when RADIUS does not answer.

C

The specific factual error: The question states the server uses UDP port 1812, which is correct. The switch would need explicit configuration to use 1645; default is 1812.

D

The specific factual error: Privilege level is not required for authentication; it affects authorization. The local user exists and can authenticate, so SSH fallback is fine.

29
MCQhard

A switch has DHCP snooping enabled, but users still experience IP-to-MAC spoofing attacks. Which additional feature should be considered to help address that specific problem?

AnswerB

Correct. DAI directly targets ARP spoofing.

Why this answer

Dynamic ARP Inspection (DAI) validates ARP packets against trusted binding information learned through DHCP snooping, directly preventing IP-to-MAC spoofing. PortFast is used to speed up STP convergence and does not provide ARP security. EtherChannel aggregates multiple links for bandwidth and redundancy but does not inspect ARP traffic.

NetFlow is a traffic accounting and monitoring tool, not a security control for ARP spoofing. Therefore, DAI is the correct additional feature to address IP-to-MAC spoofing.
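DHCP snooping feeding Dynamic ARP Inspection, as an added IOS configuration (not from the original question). The same snooping table is also what stops the rogue DHCP servers question 32 discusses, because DHCP OFFER and ACK messages arriving on untrusted ports are dropped. The VLAN, the interface numbers and the rate-limit values are assumptions:

```cisco
! Added example: DHCP snooping binding table feeding DAI (and IP Source Guard)
! Assumed: client VLAN 10, uplink toward the DHCP server on Gi0/24, access ports Gi0/1-20
configure terminal
ip dhcp snooping
ip dhcp snooping vlan 10
! Option 82 insertion is off here; a DHCP server that is not relay-aware drops tagged requests
no ip dhcp snooping information option
!
! Only the uplink may source server messages and unvalidated ARP
interface GigabitEthernet0/24
 ip dhcp snooping trust
 ip arp inspection trust
exit
!
! Enable DAI on the VLAN: ARP on untrusted ports must match an IP-to-MAC binding
! that snooping learned from the real server's DHCPACK
ip arp inspection vlan 10
!
! Access ports stay untrusted; rate limits stop a host from flooding the CPU,
! and IP Source Guard drops IP packets whose source does not match the binding
interface range GigabitEthernet0/1 - 20
 ip dhcp snooping limit rate 10
 ip arp inspection limit rate 15
 ip verify source
exit
end
!
! Bindings learned, DAI status per VLAN, and dropped/forwarded ARP counters
show ip dhcp snooping binding
show ip arp inspection vlan 10
show ip arp inspection statistics vlan 10
```

Hosts with static addresses never appear in the snooping table, so DAI would drop their ARP replies; give them entries with an arp access-list applied through ip arp inspection filter, or they will lose connectivity the moment DAI is enabled. A port that exceeds its ARP rate limit is err-disabled, so pair the limits with errdisable recovery cause arp-inspection if that is not the intended outcome.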

Exam trap

Don't confuse general security features with those specifically designed to prevent ARP spoofing.

Why the other options are wrong

A

PortFast is a Spanning Tree Protocol feature that immediately transitions a port to forwarding state, bypassing listening and learning states. It does not perform any validation of ARP packets or prevent IP-to-MAC spoofing attacks.

C

EtherChannel is a link aggregation technology that combines multiple physical links into a single logical link to increase bandwidth and provide redundancy. It does not inspect or validate ARP packets, so it cannot prevent IP-to-MAC spoofing.

D

NetFlow is a network monitoring protocol that collects IP traffic statistics for analysis and troubleshooting. It provides visibility into traffic patterns but does not actively block or validate ARP packets, so it cannot prevent spoofing attacks.

30
MCQhard

A switch port is configured with port security using these commands:

switchport port-security
switchport port-security maximum 1
switchport port-security violation restrict
switchport port-security mac-address sticky

A user unplugs a company laptop and connects a different unauthorized device. The interface stays up/up, but the new device has no connectivity. Which statement best explains what happened?

A.The port shut down because restrict mode always causes err-disable
B.Traffic from the unauthorized MAC address is being dropped while the interface remains up
C.The switch learned the new MAC address automatically and replaced the old sticky entry
D.Port security affects only management traffic, not user traffic
AnswerB

Correct. Restrict mode drops frames from the unauthorized MAC address and counts the violation, but it does not take the interface down, which is why the user sees a live port with no connectivity for the replacement device.

Why this answer

With a maximum of 1 secure MAC address, the switch learns only the company laptop's MAC via sticky learning. When the unauthorized device is plugged in, it attempts to send traffic with a new source MAC address. Since the maximum is already reached, this triggers a port security violation.

In restrict mode, the switch drops frames from the violating source but leaves the interface operational, matching the observed behavior: the interface stays up/up while the unauthorized device cannot pass traffic.
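The question's port-security settings as an added example (not from the original question), together with the verification commands and the shutdown-mode variant with automatic recovery. The interface and VLAN numbers are assumptions:

```cisco
! Added example: port security in restrict mode, plus what to check after a violation
! Assumed: access port Gi0/5 in VLAN 10
configure terminal
interface GigabitEthernet0/5
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 switchport port-security
 switchport port-security maximum 1
 ! restrict: drop offending frames, count the violation, log/trap, port stays up
 ! protect:  drop silently, no counter (hard to troubleshoot)
 ! shutdown: err-disable the whole port (the default)
 switchport port-security violation restrict
 switchport port-security mac-address sticky
exit
!
! Only relevant if you choose shutdown mode: bring err-disabled ports back after 5 minutes
! instead of requiring a manual shutdown / no shutdown
errdisable recovery cause psecure-violation
errdisable recovery interval 300
end
!
! Port Status, Violation Mode, Security Violation Count and Last Source Address:Vlan
! identify the offending MAC without guessing
show port-security interface GigabitEthernet0/5
show port-security address
! Sticky addresses are written into running-config; save them or they are lost on reload
write memory
```

In restrict mode the Security Violation Count keeps climbing while the unauthorized device is attached, and Last Source Address shows which MAC is being refused; that is the evidence that distinguishes a port-security drop from a cabling or VLAN fault when the interface reports up/up.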

Exam trap

A common exam trap is assuming that any port security violation immediately disables the port. Candidates often confuse 'restrict' mode with 'shutdown' mode. In 'shutdown' mode, the port goes into an error-disabled state and the interface status changes to down, but in 'restrict' mode, the port remains up and only blocks unauthorized traffic.

This subtle difference can mislead test takers into selecting answers that describe the port shutting down, which contradicts the scenario where the interface stays up/up. Recognizing the behavior of each violation mode is crucial to avoid this mistake.

Why the other options are wrong

A

Option A incorrectly states that restrict mode always causes the port to shut down. In reality, restrict mode blocks unauthorized traffic but keeps the interface up. Shutdown mode is the one that disables the port and causes an error-disabled state, which contradicts the scenario where the port remains up/up.

C

Option C is incorrect because sticky MAC addresses are not automatically replaced when a new device connects. Instead, the switch enforces the violation action when an unauthorized MAC address appears, rather than overwriting the existing sticky entries.

D

Option D is false because port security controls all user data traffic on access ports by filtering frames based on source MAC addresses. It is not limited to management traffic, so this option misrepresents the scope of port security.

31
MCQmedium

A host can reach remote websites by IP address but fails when using their hostnames. Which missing configuration item is the strongest suspect?

A.A DNS server address
B.A new MAC address
AnswerA

This is correct because the host needs DNS information to resolve hostnames.

Why this answer

When a host can reach remote websites by IP address but not by hostname, the issue is that the host cannot resolve the hostname to an IP address. DNS (Domain Name System) is responsible for this resolution, and if the DNS server address is missing or misconfigured on the host, name resolution fails. This is the strongest suspect because all other network connectivity (routing, switching) is functional, as proven by successful IP-based access.

Exam trap

Cisco often tests the distinction between Layer 3 connectivity (IP reachability) and application-layer services (DNS), so the trap here is that candidates might suspect a routing or switching issue (like a missing default gateway or VLAN mismatch) when the symptom clearly isolates the problem to name resolution.

Why the other options are wrong

B

A MAC address is a hardware identifier used for local network communication at Layer 2, and it has no role in hostname resolution. Changing the MAC address would not affect the ability to resolve hostnames to IP addresses.

C

A trunk native VLAN is a configuration for switch ports that carry multiple VLANs, and it is unrelated to hostname resolution. The symptom described is a DNS issue, not a VLAN or trunking problem.

D

OSPF router IDs are used by routers in OSPF routing protocol operations, not by end hosts. End hosts do not participate in OSPF and do not require a router ID for any function, including name resolution.

32
MCQhard

A client PC is receiving an APIPA address (169.254.x.x) instead of a valid IP from the DHCP server. The DHCP server is on the same subnet as the client. The technician runs the command 'show ip dhcp binding' and confirms that the correct scope is configured. The command 'show ip dhcp pool' shows that there are plenty of addresses remaining in the pool. The client's NIC status shows 'connected'. What should the technician do next?

A.Check the DHCP snooping configuration on the access switch.
B.Verify that no firewall is blocking UDP ports 67 and 68 on the local network.
C.Run the ipconfig /release and /renew commands on the client.
D.Check for a rogue DHCP server on the network.
AnswerD

Given that the legitimate DHCP server is reachable, has a correct scope, and addresses are available, the most probable reason for persistent APIPA assignment is interference from an unauthorized DHCP server. A rogue server could be responding to DHCP Discover messages, preventing the client from obtaining a proper lease. The technician should use tools like packet captures or DHCP logs to detect any other DHCP Offer messages.

Why this answer

When a client on the same subnet as the DHCP server still receives an APIPA address, the problem is often that the client's DHCP Discover broadcasts are not reaching the legitimate DHCP server or the server's offers are not reaching the client. Since the technician has already verified the DHCP server configuration (scope exists, addresses available) and the client's physical connectivity (NIC connected), the most logical next step is to check for a rogue DHCP server. A rogue server can intercept DHCP Discover messages and respond with invalid or malicious offers, causing the client to disregard legitimate offers, or it might respond with offers that conflict and confuse the client.

This addresses the DHCP application layer (Layer 7) and ensures that only the authorized server is responding. Identifying a rogue server can be done via packet capture or by inspecting DHCP lease database inconsistencies.

Exam trap

Many candidates choose to run 'ipconfig /release' and 'ipconfig /renew' (Option C) as a first step, but doing so does not identify the root cause and can waste time if a rogue server is present. The APIPA assignment is a symptom, not a lease renewal issue, and the DHCP server has already been confirmed operational.

Why the other options are wrong

A

Candidates often jump to switch security features when they see DHCP issues, but without evidence of a switch misconfiguration, it is not the most direct next action.

B

Test-takers often consider firewalls as universal blockers, forgetting that in a flat Layer 2 domain, broadcast traffic such as DHCP Discover is not filtered by a firewall.

C

Candidates prefer simple client-side fixes, but CCNA troubleshooting emphasises identifying root causes before applying band-aid solutions.

33
Drag & Dropmedium

Drag and drop the following steps into the correct order to configure AAA with a RADIUS server and 802.1X port authentication on a Cisco IOS-XE switch.


Why this order

The correct order for AAA with RADIUS and 802.1X is: global config, enable AAA, configure RADIUS server, define authentication method list, then enable 802.1X on the interface.

Exam trap

Candidates often confuse the order of AAA configuration steps, especially whether to configure the RADIUS server before or after defining the method list. Remember: AAA must be enabled first, then the server, then the method list, then interface configuration.

34
Matchingmedium

Match each security concept to its most accurate role.

Matches

Protection against unauthorized disclosure

Protection against unauthorized modification

Ensuring systems and data remain accessible when needed

Verification of identity

Why these pairings

Confidentiality, integrity, and availability are the CIA triad. Authentication verifies identity, authorization grants permissions, and accounting logs actions.

Exam trap

Be careful not to confuse the three components of the CIA triad. Each has a distinct role: confidentiality (secrecy), integrity (accuracy), availability (uptime). Also, authentication is not part of the CIA triad but is a related security function.

35
Matchingmedium

Match each REST API method to the action it most closely represents in a typical network automation workflow.

Matches

Retrieve a resource

Create a new resource

Update or replace a resource

Remove a resource

Why these pairings

GET retrieves data, POST creates new resources, PUT updates/replaces, PATCH partially updates, DELETE removes, and OPTIONS queries available methods. These correspond to common network automation workflows.

Exam trap

Be careful not to confuse PUT and PATCH: PUT replaces the entire resource, while PATCH applies a partial update. Also, remember that POST is for creating new resources, not for updating. These are common traps in CCNA automation questions.

36
Drag & Dropmedium

Drag and drop the following steps into the correct order to configure AAA with a RADIUS server and enable 802.1X port authentication on an IOS-XE switch.


Why this order

First enter global config, then define RADIUS server, then configure AAA authentication, then enable 802.1X globally, then apply per-interface 802.1X settings.

Exam trap

The exam trap is that candidates often confuse the dependency order: AAA authentication must reference an already-defined RADIUS server, and 802.1X globally requires AAA to be configured first. Always think about what each step depends on.

37
MCQhard

An administrator wants to allow HTTPS traffic from a source subnet to a server but deny all Telnet traffic from that same subnet to the same server. Which ACL capability is required to express that policy accurately?

A.An extended ACL that can match protocol and destination port information
B.A standard ACL because source matching is enough
C.A wildcard mask with all zeros only
D.A wireless SSID ACL
AnswerA

This is correct because the requirement depends on protocol/port-level filtering.

Why this answer

The policy requires extended ACL capability because it must distinguish traffic by protocol and destination port, not just by source address. In practical terms, the rule needs to treat TCP port 443 differently from TCP port 23 even though the source and destination networks are the same. A standard ACL is too limited for that.

This question is about matching precision. When the policy depends on protocol and port, extended ACLs are the right tool.

Exam trap

A frequent exam trap is selecting a standard ACL to enforce policies that require filtering by protocol or port number. Standard ACLs only filter by source IP address and cannot distinguish between different types of traffic like HTTPS and Telnet. This leads to incorrect assumptions that standard ACLs can block Telnet while allowing HTTPS from the same subnet.

The trap lies in overlooking the need for protocol and port-level filtering, which only extended ACLs provide. Candidates must remember that without extended ACLs, the router cannot differentiate traffic based on application-layer details, causing the policy to fail.

Why the other options are wrong

B

Incorrect because standard ACLs filter only by source IP address and cannot distinguish between different protocols or ports, making them insufficient for the requirement to allow HTTPS but deny Telnet.

C

Incorrect because a wildcard mask controls which bits of an IP address are matched but does not provide any capability to filter traffic based on protocol or port information, which is essential here.

D

Incorrect because wireless SSID ACLs relate to WLAN access control and do not filter IP traffic based on protocol or port, making them irrelevant to the question about IP traffic filtering.

38
MCQmedium

Users in 10.20.30.0/24 should be allowed to browse the web but should not be able to open Telnet sessions to any remote device. Which access list entry best meets the requirement?

A.deny tcp 10.20.30.0 0.0.0.255 any eq 23
B.deny udp 10.20.30.0 0.0.0.255 any eq 23
C.deny tcp any 10.20.30.0 0.0.0.255 eq 23
D.permit tcp 10.20.30.0 0.0.0.255 any eq 80
AnswerA

This blocks Telnet from that subnet to any destination.

Why this answer

To block Telnet while still allowing web traffic, the ACL should deny TCP destination port 23 from that source subnet and then permit the rest of the needed traffic. Telnet uses TCP port 23, not UDP and not source port 23.

Exam trap

A frequent exam trap is selecting an ACL entry that denies UDP traffic on port 23 or denies traffic with the source port set to 23. Telnet exclusively uses TCP as its transport protocol and communicates over destination port 23, so denying UDP or source port 23 traffic will not block Telnet sessions. Another common mistake is denying inbound Telnet traffic to the subnet rather than outbound traffic from the subnet, which does not prevent users inside the subnet from initiating Telnet connections.

Misunderstanding these protocol and port details leads to ineffective ACLs that fail to meet the requirement.

Why the other options are wrong

B

This option denies UDP traffic on port 23, but Telnet uses TCP, not UDP. Therefore, this ACL entry will not block Telnet sessions and is incorrect.

C

This option denies TCP traffic destined to the 10.20.30.0/24 subnet on port 23, which blocks inbound Telnet sessions to the subnet but does not prevent users inside the subnet from initiating outbound Telnet sessions.

D

This option permits TCP traffic from the subnet to any destination on port 80 (HTTP), allowing web browsing but does not block Telnet traffic, so it does not meet the requirement.

39
MCQhard

Refer to the exhibit. A network administrator is reviewing the NAT translations on router R1 and notices that the internal host 192.168.1.10 appears in both a static NAT entry (for ports 80 and 443) using global address 203.0.113.10, and a dynamic PAT entry (port 49152) using global address 203.0.113.1. The administrator is concerned this might indicate a misconfiguration. Based on the output, which statement is correct?

A.The translations are functioning correctly; the static entries allow inbound web traffic to the host, while the dynamic PAT entry supports an outbound client connection.
B.The static NAT rule is being overridden by the dynamic PAT rule, causing inbound web traffic to the server to fail.
C.The dynamic PAT entry indicates a duplicate session that will cause asymmetric routing and packet drops.
D.The router is incorrectly performing both static and dynamic NAT for the same inside address, which violates the configured NAT order.
AnswerA

The static mappings for ports 80 and 443 (global 203.0.113.10 → 192.168.1.10) are not overridden because the dynamic PAT entry uses a different global address (203.0.113.1) and a different source port (49152). This separation enables both inbound server traffic and outbound client traffic for the same inside host, which is a valid design.

Why this answer

The output shows static NAT entries mapping TCP ports 80 and 443 from global 203.0.113.10 to inside host 192.168.1.10. Simultaneously, a dynamic PAT entry maps a high ephemeral port 49152 to the same inside host for an outbound connection to 198.51.100.5:80. Because the static entries use a different global IP (203.0.113.10) and different port numbers than the dynamic PAT entry (203.0.113.1:49152), both can coexist correctly — static NAT handles inbound web requests, dynamic PAT handles outbound client traffic.

This is a normal operational state, not a misconfiguration.

Exam trap

Candidates often incorrectly assume that a single inside host cannot have both a static NAT entry and a dynamic PAT entry, leading them to choose option B (that the static rule is overridden). However, these entries serve different traffic directions and port ranges, so they coexist without conflict.

Why the other options are wrong

B

A common misconception is that any dynamic NAT entry for the same inside local address takes precedence or conflicts with static entries. In reality, the more specific static mapping takes priority for matching traffic, and the dynamic entry handles unrelated flows.

C

Candidates may misinterpret the presence of the same inside local IP in two entries as a duplicate session. Asymmetric routing would require inconsistent state in both directions, but here the NAT table correctly tracks distinct flows.

D

Some candidates believe that a single inside address can only participate in one type of NAT at a time. In fact, multiple NAT rules can coexist, and the router will use the most specific match (static port mapping) before falling back to dynamic PAT for unmapped ports.

40
Drag & Dropmedium

Drag and drop the following steps into the correct order to plan, configure, and apply an extended ACL that permits only HTTP traffic from the 192.168.1.0/24 network to the server 10.0.0.10, applied inbound on interface GigabitEthernet0/1.


Why this order

After entering config mode, create the ACL to allow HTTP from the specified network to the server. Apply it inbound on the correct interface. Then exit and verify.

Exam trap

A common trap is applying the ACL to an interface before creating it, or verifying before applying. Remember: create first, then apply, then verify. Also, ensure the ACL is applied in the correct direction (inbound) on the correct interface.

41
Multi-Selectmedium

Which four of the following are best practices for securing network services and devices? (Choose four.)

Select 4 answers
A.Disable unused ports and services on routers and switches.
B.Use Telnet for remote management because it is simpler to configure than SSH.
C.Implement role-based access control (RBAC) to limit user privileges.
D.Place all network devices on the same VLAN to simplify security policy enforcement.
E.Enable logging and monitor logs for suspicious activity.
F.Keep device firmware and operating systems up to date with security patches.

Why this answer

Disabling unused ports, implementing role-based access control (RBAC), enabling logging, and keeping firmware updated are all critical security best practices: they reduce the attack surface, limit user permissions, detect threats, and patch known vulnerabilities. Using Telnet is insecure because it transmits data in cleartext, unlike SSH. Placing all devices on the same VLAN undermines network segmentation and allows lateral movement by attackers.

Exam trap

Cisco often tests the misconception that Telnet is acceptable for management in a secure environment because it is easier to configure, but the exam expects you to recognize that SSH is the mandatory secure alternative.

42
MCQhard

Why is an extended ACL usually placed close to the source of the traffic being filtered?

A.Because standard ACLs cannot be applied near the destination
B.To stop unwanted traffic earlier and conserve bandwidth
C.To make NAT translation easier on inside interfaces
D.Because extended ACLs only work inbound on access interfaces
AnswerB

Correct. Filtering near the source is the classic design guidance for extended ACLs.

Why this answer

Extended ACLs can filter by source, destination, and protocol. Placing them near the source drops unwanted traffic before it crosses more of the network.

Exam trap

Remember that ACLs are processed by network devices, not end devices, and their placement affects traffic flow, not the ACL's complexity or dynamic capabilities.

Why the other options are wrong

A

Standard ACLs can be applied near the destination or source, but the placement guidance for extended ACLs is based on their ability to filter on source and destination IP addresses and ports, not on limitations of standard ACLs. The reason for placing extended ACLs near the source is to filter traffic early, not because standard ACLs cannot be applied near the destination.

C

NAT translation is typically performed on routers or firewalls at network boundaries, and ACL placement for filtering is independent of NAT configuration. Placing an extended ACL near the source does not directly affect NAT translation; NAT uses its own rules and is not a factor in ACL placement decisions.

D

Extended ACLs can be applied inbound or outbound on any interface, not just inbound on access interfaces. The statement is factually incorrect; extended ACLs are versatile and can be placed in various locations depending on the filtering requirements.

43
MCQmedium

What is a key difference between SNMPv3 and earlier SNMP versions?

A.SNMPv3 supports IPv4 only
B.SNMPv3 adds authentication and encryption features
C.SNMPv3 cannot be used for monitoring interface counters
D.SNMPv3 replaces syslog completely
AnswerB

Correct. Stronger security is the primary differentiator.

Why this answer

SNMPv3 improves security by adding authentication, message integrity, and privacy features. Earlier versions, especially SNMPv1 and v2c, rely on community strings and provide much weaker protection.

Exam trap

A common exam trap is to mistakenly believe that SNMPv3 restricts network monitoring capabilities or IP protocol support. Some candidates incorrectly think SNMPv3 supports only IPv4 or that it replaces syslog entirely. These misconceptions arise because the question emphasizes SNMPv3’s differences without clarifying what remains unchanged.

The trap is to focus on unrelated protocol features rather than the core improvement: security. Selecting options that mention monitoring limitations or protocol replacement leads to incorrect answers. Understanding that SNMPv3’s main advancement is adding authentication and encryption prevents falling into this trap.

Why the other options are wrong

A

Option A is incorrect because SNMPv3 supports both IPv4 and IPv6 networks. It is not limited to IPv4 only, so this option misrepresents SNMPv3’s capabilities.

C

Option C is incorrect since SNMPv3 continues to support monitoring functions such as interface counters. It does not remove or restrict these capabilities.

D

Option D is incorrect because SNMPv3 does not replace syslog. Both protocols coexist and serve different roles in network management and logging.

44
MCQmedium

In AAA, what does the second A stand for?

A.Application
B.Accounting
C.Authorization
D.Auditing
AnswerC

Correct. The second A is Authorization.

Why this answer

AAA stands for Authentication, Authorization, and Accounting. Authorization determines what an authenticated user is allowed to do.

Exam trap

A frequent exam trap is mistaking the second A in AAA for Accounting or Auditing. Many candidates confuse Authorization with Accounting because both start with 'A' and relate to user management. However, Authorization specifically controls what an authenticated user is allowed to do, while Accounting tracks user activities for logging and auditing purposes.

Selecting Accounting as the second A overlooks the sequential process where permissions are granted immediately after authentication, before any activity is logged. This confusion can lead to incorrect answers and misunderstanding of Cisco AAA implementation.

Why the other options are wrong

A

Application is not part of the AAA acronym and does not relate to the core security functions of Authentication, Authorization, or Accounting, making it an incorrect choice.

B

Accounting is the third A in AAA and focuses on logging user activities, not the second A which controls user permissions after authentication.

D

Auditing, while related to security, is not part of the AAA acronym and does not represent the second A in the AAA framework.

45
PBQhard

You are connected to R1. Configure PAT (NAT overload) so that hosts on the 192.168.1.0/24 inside network can reach the Internet through the outside interface GigabitEthernet0/1 using the IP address 203.0.113.1. Additionally, configure static NAT to map internal server 192.168.1.10 to public IP 203.0.113.5. The current configuration has several errors. Identify and correct them.

Hints

  • Check the NAT direction on the interfaces.
  • Is the overload keyword present?
  • Does the ACL match the correct inside subnet?
A.Correct the NAT interface directions: G0/0 as inside, G0/1 as outside. Add 'overload' to the PAT command. Change ACL 100 to permit 192.168.1.0 0.0.0.255.
B.Change the NAT interface directions: G0/0 as outside, G0/1 as inside. Add 'overload' to the PAT command. Change ACL 100 to permit 192.168.1.0 0.0.0.255.
C.Correct the NAT interface directions: G0/0 as inside, G0/1 as outside. Add 'overload' to the PAT command. Keep ACL 100 as is because it already permits the correct subnet.
D.Change the NAT interface directions: G0/0 as outside, G0/1 as inside. Add 'overload' to the PAT command. Change ACL 100 to permit 192.168.1.0 0.0.0.255.
AnswerA
solution
! R1
configure terminal
interface GigabitEthernet0/0
ip nat inside
exit
interface GigabitEthernet0/1
ip nat outside
exit
ip nat inside source list 100 interface GigabitEthernet0/1 overload
no access-list 100
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
! static NAT for the internal server, as required by the task
ip nat inside source static 192.168.1.10 203.0.113.5
end
write memory

Why this answer

The configuration had three issues: (1) Inside and outside interfaces were swapped — G0/0 (inside) was marked 'ip nat outside' and G0/1 (outside) was 'ip nat inside'. (2) The PAT command was missing the 'overload' keyword. (3) ACL 100 matched the wrong subnet (192.168.2.0 instead of 192.168.1.0). To fix: correct interface NAT directions, add 'overload', and update ACL to permit 192.168.1.0/24.

Exam trap

Watch for three common NAT configuration errors: interface direction misassignment, missing 'overload' keyword for PAT, and incorrect ACL subnet matching. Always verify each component separately.

Why the other options are wrong

B

The specific factual error is that the inside and outside interfaces are swapped; G0/0 is the internal interface and must be 'ip nat inside'.

C

The specific factual error is that the ACL permits the wrong subnet (192.168.2.0 instead of 192.168.1.0).

D

The specific factual error is that both the interface directions are swapped and the ACL is changed, but the interface directions must be correct for NAT to work.

46
PBQhard

You are connected to R1, a router that serves as the DNS resolver for the local network 192.168.10.0/24. Users report that they cannot resolve the hostname 'webserver.internal' to its IP address (192.168.10.50), and reverse DNS lookups for that IP return a different name. Additionally, some queries to an external domain 'example.com' time out. Diagnose and fix the DNS configuration on R1 using nslookup and dig commands where applicable, ensuring proper forward and reverse resolution for internal hosts and reachability to external DNS servers.

Hints

  • Check which DNS servers are reachable with 'ping' or 'show ip dns'.
  • The missing A record can be added as a static host entry on R1.
  • The PTR record can be overridden with an 'ip host' command for the reverse lookup zone.
A.Remove the unreachable DNS server 192.0.2.53, add an A record for webserver.internal (192.168.10.50), and correct the PTR record for 192.168.10.50 to point to webserver.internal.
B.Add an A record for webserver.internal (192.168.10.50) and correct the PTR record for 192.168.10.50 to point to webserver.internal, but leave the unreachable DNS server 192.0.2.53 in the configuration.
C.Remove the unreachable DNS server 192.0.2.53 and add an A record for webserver.internal (192.168.10.50), but do not correct the PTR record for 192.168.10.50.
D.Replace the unreachable DNS server 192.0.2.53 with a reachable one, and correct the PTR record for 192.168.10.50 to point to webserver.internal, but do not add an A record for webserver.internal.
AnswerA
solution
! R1
configure terminal
no ip name-server 192.0.2.53
ip name-server 8.8.8.8
ip host webserver.internal 192.168.10.50
ip host 50.10.168.192.in-addr.arpa webserver.internal
end

Why this answer

The DNS server 192.0.2.53 is unreachable, causing timeouts for external queries. The primary DNS server 203.0.113.53 returns NXDOMAIN for 'webserver.internal' because no A record exists for that hostname in the internal zone. Additionally, the PTR record for 192.168.10.50 incorrectly points to 'mail.internal' instead of 'webserver.internal'.

To fix, first remove the unreachable DNS server with 'no ip name-server 192.0.2.53' or replace it with a reachable one. Then, on the DNS server (or via static host entries on R1), add an A record for webserver.internal (192.168.10.50) and correct the PTR record to point to webserver.internal. Optionally, configure 'ip host webserver.internal 192.168.10.50' on R1 for local resolution.

Exam trap

Watch out for questions that present multiple DNS issues simultaneously. Candidates often focus on one problem (e.g., missing A record) and forget to check reverse DNS or external server reachability. Always verify all symptoms before concluding the fix.

Why the other options are wrong

B

The specific factual error is that an unreachable DNS server must be removed or replaced to resolve external queries; simply fixing internal records does not address the timeout issue.

C

The specific factual error is that reverse DNS must match the forward record for consistency; an incorrect PTR record is a problem even if forward resolution works.

D

The specific factual error is that forward and reverse DNS are independent; adding a PTR record does not create an A record. The A record must exist for forward queries to succeed.

47
Multi-Selectmedium

A switch port is configured with port-security violation mode restrict. Which two statements are true when an unauthorized MAC address appears?

Select 2 answers
A.Frames from the unauthorized MAC are dropped
B.The port remains up
C.The interface immediately goes into err-disabled state
D.The switch converts the port to a trunk automatically
E.The violation mode changes itself to shutdown after three attempts
AnswersA, B

Restrict does not allow the violating traffic through.

Why this answer

Restrict drops frames from violating MAC addresses and can increment the violation counter while keeping the port up. Shutdown would err-disable the port instead.

Exam trap

Do not confuse restrict with shutdown mode; restrict does not disable the port.

Why the other options are wrong

C

The err-disabled state is characteristic of the shutdown violation mode, not restrict. In restrict mode, the port remains up and only drops violating traffic while logging the event.

D

Port security does not change the port's operational mode; it only controls MAC address access. Converting a port to a trunk is unrelated to port security and requires explicit configuration.

E

Port security violation modes do not automatically change. The mode is statically configured and remains the same regardless of the number of violations. There is no automatic escalation from restrict to shutdown.

48
Matchingmedium

Match each route source to its default administrative distance on a Cisco router.

Matches

0

1

20

110

Why these pairings

Default administrative distances on Cisco routers: connected=0, static=1, EIGRP summary=5, eBGP=20, OSPF=110, IS-IS=115, RIP=120. A lower value indicates a more preferred route source.

Exam trap

The exam trap is that candidates often confuse the administrative distances for different routing protocols, especially EIGRP summary (5) vs. internal EIGRP (90), and OSPF (110) vs. IGRP (100). Remember that EIGRP summary routes are more preferred than internal EIGRP routes.

49
Drag & Drophard

Drag and drop the following steps into the correct order to configure PAT (Port Address Translation) on a Cisco IOS-XE router for outbound traffic, including ACL creation, NAT statement, interface marking, and the translation process for an outbound packet.


Why this order

The correct sequence is: enter global configuration mode, mark the inside and outside interfaces with 'ip nat inside' and 'ip nat outside', then create an ACL to match internal traffic, and finally apply the NAT overload statement using the outside interface. This order ensures the NAT process knows which interfaces are designated as inside/outside before matching and translating traffic. Option B follows this standard recommended order.

Exam trap

Many candidates mistakenly think the ACL must be created before marking interfaces, but interface designation should come first to define the NAT domains before defining the traffic to translate.

50
PBQmedium

You are connected to R1 via console. R1 is a router that needs to provide DHCP services to hosts on VLAN 10 (192.168.10.0/24) and VLAN 20 (192.168.20.0/24). The router has two subinterfaces on GigabitEthernet0/0: G0/0.10 (192.168.10.1/24) and G0/0.20 (192.168.20.1/24) with 802.1Q encapsulation. Configure R1 as a DHCP server for both VLANs, excluding addresses 192.168.10.1-10 and 192.168.20.1-10, with a lease of 1 day. Ensure DNS server 8.8.8.8 is provided.

Network Topology: R1 subinterface G0/0.10 (192.168.10.1/24) connects over an 802.1Q trunk to SW1.

Hints

  • Use 'ip dhcp excluded-address' to reserve addresses.
  • Create DHCP pools with 'network', 'default-router', and 'dns-server'.
  • Lease time is in days; use 'lease 1' for 1 day.
A.ip dhcp excluded-address 192.168.10.1 192.168.10.10 ip dhcp excluded-address 192.168.20.1 192.168.20.10 ip dhcp pool VLAN10 network 192.168.10.0 255.255.255.0 default-router 192.168.10.1 dns-server 8.8.8.8 lease 1 ip dhcp pool VLAN20 network 192.168.20.0 255.255.255.0 default-router 192.168.20.1 dns-server 8.8.8.8 lease 1
B.ip dhcp excluded-address 192.168.10.1 192.168.10.10 ip dhcp excluded-address 192.168.20.1 192.168.20.10 ip dhcp pool VLAN10 network 192.168.10.0 /24 default-router 192.168.10.1 dns-server 8.8.8.8 lease 1 0 0 ip dhcp pool VLAN20 network 192.168.20.0 /24 default-router 192.168.20.1 dns-server 8.8.8.8 lease 1 0 0
C.ip dhcp excluded-address 192.168.10.1 192.168.10.10 ip dhcp excluded-address 192.168.20.1 192.168.20.10 ip dhcp pool VLAN10 network 192.168.10.0 255.255.255.0 default-router 192.168.10.1 dns-server 8.8.8.8 lease 24 ip dhcp pool VLAN20 network 192.168.20.0 255.255.255.0 default-router 192.168.20.1 dns-server 8.8.8.8 lease 24
D.ip dhcp excluded-address 192.168.10.1 192.168.10.10 ip dhcp excluded-address 192.168.20.1 192.168.20.10 ip dhcp pool VLAN10 network 192.168.10.0 255.255.255.0 default-router 192.168.10.1 dns-server 8.8.8.8 lease 24 ip dhcp pool VLAN20 network 192.168.20.0 255.255.255.0 default-router 192.168.20.1 dns-server 8.8.8.8 lease 24
AnswerA
solution
! R1
ip dhcp excluded-address 192.168.10.1 192.168.10.10
ip dhcp excluded-address 192.168.20.1 192.168.20.10
ip dhcp pool VLAN10
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
dns-server 8.8.8.8
lease 1
ip dhcp pool VLAN20
network 192.168.20.0 255.255.255.0
default-router 192.168.20.1
dns-server 8.8.8.8
lease 1

Why this answer

Option A correctly uses `lease 1` for a 1-day lease, dotted decimal subnet masks, and proper DHCP pool settings. Option B incorrectly uses CIDR notation `/24` in the network command, which IOS does not accept. Option C uses `lease 24`, which is interpreted as 24 days, not 1 day.

Option D also incorrectly uses `lease 24`, resulting in a 24-day lease instead of the required 1-day lease.

Exam trap

Be careful with the lease command: the default unit is days, not hours. Also, remember that the network command in DHCP pool configuration requires a subnet mask in dotted decimal format, not CIDR prefix length. Excluded addresses are configured globally, not within the pool.

Why the other options are wrong

B

The network command in DHCP pool configuration requires a subnet mask in dotted decimal format, not CIDR notation like /24.

C

The lease command uses days as its unit; `lease 24` sets a 24-day lease, not the required 1 day.

D

The lease command sets duration in days, so `lease 24` gives a 24-day lease instead of a 1-day lease.

51
MCQmedium

A client on VLAN 20 must obtain an IPv4 lease from a DHCP server located on VLAN 100. Which feature is required on the Layer 3 interface for VLAN 20?

A.NAT overload
B.DHCP relay
C.Port security
D.Private VLAN
AnswerB

Correct. The SVI or routed interface needs DHCP relay.

Why this answer

A DHCP relay agent forwards client broadcasts as unicast to the remote server, typically using ip helper-address.

Exam trap

A common exam trap is selecting NAT overload or port security as the required feature for DHCP communication across VLANs. NAT overload is used for IP address translation and does not forward DHCP broadcasts, while port security restricts MAC addresses on switch ports but does not relay DHCP messages. Another trap is confusing private VLANs with DHCP relay; private VLANs isolate Layer 2 domains but do not forward DHCP requests between VLANs.

The key is understanding that DHCP relay is the only feature that forwards DHCP broadcasts as unicast messages across Layer 3 boundaries, enabling clients on VLAN 20 to obtain leases from a DHCP server on VLAN 100.

Why the other options are wrong

A

NAT overload translates private IP addresses to a public IP for outbound traffic but does not forward DHCP broadcasts between VLANs. It is unrelated to DHCP relay functionality required for inter-VLAN DHCP communication.

C

Port security restricts which MAC addresses can connect to a switch port but does not forward DHCP broadcasts or relay DHCP messages between VLANs, so it cannot enable DHCP communication across VLANs.

D

Private VLANs isolate devices within a VLAN for security purposes but do not provide DHCP relay capabilities or forward DHCP requests between VLANs, making this option incorrect.

52
MCQmedium

Exhibit: An engineer applies an ACL inbound on the VTY lines to permit SSH only from 10.5.5.0/24. Users from that subnet still cannot connect. What is the most likely reason?

A.The device may not have SSH fully enabled with keys and a valid login method
B.The ACL must be applied outbound on the VTY lines
C.SSH requires UDP port 22
D.VTY access-class can only be used with Telnet
AnswerA

The ACL allows the subnet, but SSH still needs its base configuration.

Why this answer

Restricting the VTY lines is not enough if SSH itself has not been enabled correctly. A missing local username, domain name, RSA keys, or transport input ssh setting can stop access even when the ACL is correct.

Exam trap

A frequent exam trap is believing that simply applying an ACL to permit SSH traffic on the VTY lines guarantees remote access. Candidates often overlook that SSH requires full configuration, including RSA key generation, domain name setting, and valid login credentials. Without these, the device will refuse SSH connections regardless of ACL permissions.

Another pitfall is misapplying the ACL outbound instead of inbound on VTY lines, which does not control incoming management sessions. Also, confusing SSH’s use of TCP port 22 with UDP can lead to incorrect ACL configurations. Recognizing these nuances prevents misinterpretation of the question and ensures correct troubleshooting.

Why the other options are wrong

B

Incorrect. Applying the ACL outbound on VTY lines does not control incoming management traffic. The correct direction for access control on VTY lines is inbound.

C

Incorrect. SSH uses TCP port 22, not UDP. Configuring ACLs to permit UDP port 22 will not allow SSH connections, making this option invalid.

D

Incorrect. The 'access-class' command works with both Telnet and SSH to restrict access based on IP addresses. It is not limited to Telnet only.

53
MCQhard

PCs in VLAN 40 are not receiving addresses from the centralized DHCP server at 172.16.1.10. What should be configured on the VLAN 40 default gateway interface?

A.ip dhcp excluded-address 10.40.40.1 10.40.40.10
B.ip helper-address 172.16.1.10
C.service dhcp
D.ip default-gateway 172.16.1.10
AnswerB

Correct choice.

Why this answer

When DHCP clients and the DHCP server are on different subnets, the router interface serving the client subnet must relay broadcasts to the server with the ip helper-address command.

Exam trap

Ensure you understand the difference between DHCP relay and DHCP security features like snooping, as well as local DHCP server configuration.

Why the other options are wrong

A

The 'ip dhcp excluded-address' command is used on a DHCP server to prevent certain addresses from being assigned, not on a router interface to forward DHCP requests. This command would not help clients in VLAN 40 reach the centralized DHCP server.

C

The 'service dhcp' command globally enables the DHCP server or relay agent on a Cisco device, but it does not specify where to forward requests. Without the 'ip helper-address' command, DHCP broadcasts will not be forwarded to the server.

D

The 'ip default-gateway' command is used on a switch to set a default gateway for management purposes, not to forward DHCP broadcasts. It does not provide DHCP relay functionality.

54
MCQmedium

Which ACL type can filter using source and destination IP addresses as well as TCP or UDP port numbers?

A.Standard IPv4 ACL
B.Extended IPv4 ACL
C.Prefix list
D.Native VLAN ACL
AnswerB

Correct. Extended ACLs support the granularity described.

Why this answer

Extended ACLs provide more granular matching, including source, destination, protocol, and Layer 4 port information.

Exam trap

A frequent exam trap is assuming that standard IPv4 ACLs can filter traffic based on destination IP addresses or TCP/UDP port numbers. Standard ACLs only match the source IP address, so relying on them for detailed filtering leads to incorrect answers. Another pitfall is confusing prefix lists or native VLAN ACLs with extended ACLs; prefix lists are for route filtering, and native VLAN ACLs do not provide the same level of granularity.

This misunderstanding can cause candidates to select incorrect options that seem plausible but do not meet the question’s requirements for filtering by source, destination, and port numbers.

Why the other options are wrong

A

Standard IPv4 ACLs only filter traffic based on the source IP address and cannot filter by destination IP or TCP/UDP port numbers, making this option incorrect for the question's requirements.

C

Prefix lists are used primarily for route filtering in routing protocols and do not filter traffic based on Layer 4 port numbers or destination IP addresses, so this option is incorrect.

D

Native VLAN ACLs apply to traffic within a VLAN but do not provide the granular filtering capabilities involving source/destination IP and port numbers, so this option is not correct.

55
PBQhard

You are connected to R1. The network uses 192.168.1.0/24 for internal hosts and 203.0.113.0/29 for the public IP pool (203.0.113.2 is the outside interface). Configure PAT so that inside hosts can reach the Internet using the pool address 203.0.113.2. Also configure static NAT to map internal server 192.168.1.10 to 203.0.113.3. The initial config has errors; identify and fix them.

Hints

  • Check the ACL used by the PAT command — does it match the inside subnet?
  • The inside hosts are on 192.168.1.0/24, not 10.0.0.0/8.
  • Only the ACL needs correction; the static NAT and interface NAT designations are correct.
A.Change ACL 10 to permit 192.168.1.0 0.0.0.255 and ensure the NAT pool and PAT are correctly configured.
B.Change the NAT pool to use a different public IP address and update the static NAT mapping.
C.Remove the static NAT and use PAT for the server as well.
D.Change the inside interface IP address to match the ACL.
AnswerA
solution
! R1
configure terminal
no access-list 10
access-list 10 permit 192.168.1.0 0.0.0.255
end

Why this answer

The ACL 10 permits 10.0.0.0/8, but inside hosts are on 192.168.1.0/24 — this ACL does not match the inside subnet, so PAT fails. The static NAT is correct. To fix: change ACL 10 to permit 192.168.1.0 0.0.0.255.

Also ensure the PAT references the correct ACL; currently it uses list 10, so after fixing the ACL, PAT will work. No other changes needed.

Exam trap

Candidates often overlook the ACL used in NAT and assume the NAT configuration is complete. Always verify that the ACL matches the inside network exactly. Also, remember that static NAT and PAT can coexist; do not remove static NAT if it is required.

Why the other options are wrong

B

The pool address 203.0.113.2 and the static mapping to 203.0.113.3 are both valid and do not need changing; the only fault is in ACL 10.

C

PAT does not allow connections initiated from the outside to reach the server; static NAT is required for that purpose, so removing it would break inbound access.

D

The inside interface IP is already part of the 192.168.1.0/24 network and should not be changed; the ACL must be adjusted to match the inside subnet instead.

56
MCQmedium

A router is configured for NAT overload, but translations never appear when inside users browse the internet. Which issue is most likely?

A.The outside interface is missing the ip nat outside command
B.The ACL used by NAT must deny inside addresses
C.PAT requires DHCP on the inside interface
D.NAT overload works only with OSPF-learned routes
AnswerA

Without inside and outside roles, overload translations will not build correctly.

Why this answer

NAT needs the inside and outside interfaces marked correctly. If those roles are missing or reversed, the router has no context for translating traffic and the NAT table stays empty.

Exam trap

Ensure inside and outside interfaces are correctly set for NAT; misconfigurations here are a common oversight.

Why the other options are wrong

B

The ACL used by NAT should match the inside local addresses that need to be translated, typically using a permit statement. If the ACL denies inside addresses, no traffic will be matched for translation, causing NAT to fail. The correct ACL should permit the inside network.

C

PAT (Port Address Translation) does not require DHCP on any interface. PAT translates multiple private IP addresses to a single public IP using different port numbers, and it works independently of how IP addresses are assigned. DHCP is only needed if the interface needs to obtain an IP address dynamically.

D

NAT overload (PAT) is independent of the routing protocol used. It works with static routes, OSPF, EIGRP, or any other routing protocol. The routing protocol only affects how packets are forwarded, not how NAT translates addresses.

57
MCQhard

A switch has DHCP snooping enabled and Dynamic ARP Inspection enabled on VLAN 30. A printer with a static IP on VLAN 30 cannot communicate because its ARP packets are being dropped. What is the best fix?

A.Disable DAI on all VLANs globally.
B.Configure a static ARP inspection entry or ARP ACL for the printer.
C.Trust the user-facing printer access port for DHCP snooping and DAI.
D.Change the printer to use a larger MTU.
AnswerB

Correct. Static devices need a trusted binding source.

Why this answer

DAI relies on trusted bindings. Static-IP devices that are not learned through DHCP often require a static ARP ACL or equivalent trusted binding mechanism.

Exam trap

A common exam trap is to disable Dynamic ARP Inspection entirely or trust the user-facing access port to fix ARP packet drops from static IP devices. Disabling DAI weakens the network’s ARP spoofing protection, which is against best practices and exam expectations. Trusting access ports is too broad and can allow malicious ARP traffic, defeating the purpose of DAI.

The trap is that these options seem easier but compromise security, whereas the correct approach is to configure static ARP inspection entries or ARP ACLs for static IP devices to maintain security and functionality.

Why the other options are wrong

A

Disabling DAI on all VLANs globally removes ARP spoofing protection network-wide, which is excessive and reduces security unnecessarily. The question requires a targeted fix, so this option is incorrect.

C

Trusting the user-facing printer access port for DHCP snooping and DAI is too permissive and can allow malicious ARP packets, weakening security. It is not recommended as a best practice or exam answer.

D

Changing the printer to use a larger MTU does not affect ARP packet validation or DAI behavior. MTU size is unrelated to ARP inspection, so this option is irrelevant and incorrect.

58
MCQhard

Refer to the exhibit. An administrator has configured NAT on router R1 to allow hosts on the 192.168.1.0/24 LAN to access the Internet. However, users report that they cannot reach external websites. The administrator runs the show ip nat translations command. What is the most likely reason for the problem?

A.The access list used for dynamic NAT does not match the LAN subnet.
B.The ip nat outside command is missing from the WAN interface.
C.The ip nat inside source static commands have incorrect IP addresses.
D.The ip nat inside command is missing from the LAN-facing interface.
AnswerD

The output reveals that only static NAT translations are active; no dynamic entries exist. For the router to process packets from the LAN under NAT, the interface connected to the LAN must be configured with ip nat inside. Its absence stops all dynamic address translation, leaving only the manually configured static entries.

Why this answer

The output shows only static NAT entries (protocol column "---") with no dynamic translations. The presence of static entries does not depend on the dynamic NAT configuration. For dynamic NAT (like PAT overloading) to create translations for outbound traffic, the interface that receives packets from the inside hosts must have the ip nat inside command.

Because the LAN-facing interface is missing this command, no packets from 192.168.1.0/24 are evaluated for NAT, resulting in an empty dynamic translation table and connectivity failure.

Exam trap

Candidates often attribute the lack of dynamic translations to a misconfigured access list, but even a perfectly matched ACL cannot trigger NAT if the inside interface is not enabled with ip nat inside. The missing interface command is a more fundamental cause, as no translation can occur on packets entering that interface without it.

Why the other options are wrong

A

An access-list mismatch would also leave the dynamic table empty, but it is not the most likely cause here: even a perfectly matched ACL cannot trigger NAT unless the inside interface is configured with ip nat inside, so the missing interface command is the more fundamental prerequisite.

B

The presence of static NAT translations in the output indicates that the ip nat outside command is already applied on the WAN interface.

C

Candidates may focus on the static entries, but the symptom is missing dynamic translations; bad static mappings would not prevent dynamic translations from appearing.

59
Multi-Selectmedium

Which three of the following are characteristics of DHCP snooping? (Choose three.)

Select 3 answers

  • It filters untrusted DHCP messages on trusted ports.
  • It builds and maintains a DHCP snooping binding database.
  • It prevents DHCP starvation attacks by rate-limiting DHCP messages.
  • It allows DHCP server messages from untrusted ports if the source MAC matches.
  • It can validate DHCP client MAC addresses against the source MAC in the Ethernet frame.
  • It automatically enables IP source guard when configured globally.

Why this answer

DHCP snooping is a security feature that filters untrusted DHCP messages and builds a DHCP snooping binding database to track valid IP-to-MAC address assignments. It prevents DHCP starvation attacks by rate-limiting DHCP messages on untrusted ports, and it validates DHCP client MAC addresses against the source MAC in the Ethernet frame to prevent MAC spoofing. These three functions directly correspond to the correct answer options.

Exam trap

Cisco often tests the distinction between trusted and untrusted ports, leading candidates to incorrectly assume that DHCP snooping filters messages on trusted ports or allows server messages from untrusted ports under certain conditions.

60
MCQhard

A network administrator configured dynamic NAT on a Cisco router to allow internal hosts to access the internet. After the configuration, users report that they can access some websites but not others. The administrator checks the router and discovers that the NAT translation table is full, and new connection attempts are being dropped. What is the most likely cause of this issue?

A.The inside local addresses are not properly defined in the access list.
B.The NAT pool is exhausted; configure PAT to allow multiple hosts to share a single public IP.
C.The outside interface is not configured with the ip nat outside command.
D.The inside interface is not configured with the ip nat inside command.
AnswerB

The pool has only 10 addresses, and once all are used, new translations fail. PAT allows many internal hosts to share a single public IP by using unique port numbers.

Why this answer

When the NAT pool is exhausted, no new translations can be created, so only hosts that already have established translations can continue to communicate, causing intermittent connectivity. A full NAT table means the pool of public IP addresses is completely allocated, preventing new sessions. Implementing PAT allows multiple inside hosts to share a single public IP by multiplexing port numbers, resolving the pool exhaustion.

Exam trap

Cisco often tests the distinction between dynamic NAT (one-to-one pool) and PAT (many-to-one), leading candidates to overlook pool exhaustion when symptoms show partial connectivity rather than total failure.

Why the other options are wrong

A

The access list is used to define which inside local addresses are eligible for NAT. If the access list were misconfigured, the router would not create translations for those hosts. However, the scenario states that translations are present, indicating that the access list is correctly matching the internal hosts.

C

If the outside interface were missing the 'ip nat outside' command, the router would not perform NAT on outbound traffic at all, resulting in no translations being created. Since translations are present, this command is correctly configured.

D

Similar to option C, if the inside interface were missing the 'ip nat inside' command, no translations would be created. The presence of translations indicates that the inside interface is correctly configured.

61
PBQhard

You are connected to R1. Configure AAA with RADIUS server at 192.0.2.10 (key = Cisco123) so that console login uses local authentication as fallback. Then troubleshoot why a host connected to R1's GigabitEthernet0/1 (802.1X enabled) remains in unauthorized state. The RADIUS server is reachable. Fix the issue so the port authorizes successfully.

Hints

  • The RADIUS server is configured, but the AAA group 'radius' is not defined.
  • Check the 'aaa authentication login default' command — it references a group that doesn't exist.
  • Use 'aaa group server radius' to create a group and associate the RADIUS server.
A.The RADIUS server is not defined in a AAA group; create 'aaa group server radius RAD_GROUP' and 'server name RADIUS_SERVER', then update the login default to reference the group.
B.The RADIUS server key is incorrect; change the key to match the server's configuration.
C.The 802.1X port is not enabled; enable 'dot1x port-control auto' on GigabitEthernet0/1.
D.The RADIUS server is not reachable; check IP connectivity and firewall rules.
AnswerA
solution
! R1
configure terminal
aaa group server radius RAD_GROUP
server name RADIUS_SERVER
exit
aaa authentication login default group RAD_GROUP local
end

Why this answer

The RADIUS server is reachable but not properly referenced in a AAA group. The 'aaa authentication login default group radius local' command uses the default group 'radius', which must be explicitly defined with 'aaa group server radius' and associated with the RADIUS server. Without this group, the router cannot send authentication requests to the server, keeping the port unauthorized.

The fix is to create a AAA group for RADIUS, add the server to it, and update the login default to reference that group.

Exam trap

Trap: Candidates assume that 'group radius' in the authentication command automatically works without defining the group. Remember that 'radius' is a default group name that must be explicitly created with the 'aaa group server radius' command. Also, do not confuse reachability with configuration; the server may be reachable but not properly referenced.

Why the other options are wrong

B

The key is already correct according to the scenario; the problem is the missing AAA group definition, not a key mismatch.

C

The port already has 802.1X enabled, so re-enabling it does not fix the authentication failure.

D

The scenario states that the server is reachable, so connectivity is not the problem.

62
PBQhard

You are connected to R1. The network consists of three routers: R1, R2, and R3. R1's G0/0 connects to R2 (10.0.0.0/30), and R1's G0/1 connects to R3 (10.0.1.0/30). A server at 203.0.113.100 on R2's LAN must be reachable from R3's LAN (203.0.113.0/24) via ICMP, but all other traffic from R3 to R2 must be blocked. The current ACL on R1 is too permissive, allowing all traffic. Configure and apply a standard ACL to permit only ICMP echo requests from R3 to the server, with the implicit deny blocking everything else.

Network Topology
(Diagram) R3 (10.0.1.2/30) -- 10.0.1.0/30 -- R1 (G0/1 10.0.1.1/30, G0/0 10.0.0.1/30) -- 10.0.0.0/30 -- R2 (G0/0 10.0.0.2/30) -- Server

Hints

  • Standard ACLs cannot filter by protocol; use an extended ACL number (100-199 or 2000-2699).
  • Apply the ACL inbound on the interface closest to the source (R3) to filter traffic early.
  • The current ACL is applied inbound on G0/0, which faces R2; it should be removed and replaced with a new ACL on G0/1.
A.Remove ACL 10 from G0/0, delete ACL 10, then configure extended ACL 100 with 'permit icmp 203.0.113.0 0.0.0.255 host 203.0.113.100 echo' and apply it inbound on G0/1.
B.Remove ACL 10 from G0/0, delete ACL 10, then configure standard ACL 10 with 'permit 203.0.113.0 0.0.0.255' and apply it inbound on G0/1.
C.Remove ACL 10 from G0/0, delete ACL 10, then configure extended ACL 100 with 'permit icmp host 203.0.113.100 203.0.113.0 0.0.0.255 echo' and apply it inbound on G0/0.
D.Keep the existing ACL 10 applied inbound on G0/0, but add an extended ACL 100 with 'permit icmp 203.0.113.0 0.0.0.255 host 203.0.113.100 echo' applied inbound on G0/1.
AnswerA
solution
! R1
configure terminal
interface GigabitEthernet0/0
no ip access-group 10 in
exit
no access-list 10
access-list 100 permit icmp 203.0.113.0 0.0.0.255 host 203.0.113.100 echo
interface GigabitEthernet0/1
ip access-group 100 in

Why this answer

The current ACL 10 permits all traffic inbound on G0/0, which is too permissive. The requirement is to allow only ICMP echo requests from R3's LAN (source 203.0.113.0/24) to the server at 203.0.113.100. A standard ACL matches on source IP only, so it cannot express this.

First, remove the existing ACL from the interface with 'no ip access-group 10 in' on G0/0. Then delete ACL 10 with 'no access-list 10'. Although the question asks for a standard ACL, standard ACLs cannot filter by protocol, so an extended ACL is required to permit ICMP echo requests.

Configure an extended ACL (e.g., 100) with 'permit icmp 203.0.113.0 0.0.0.255 host 203.0.113.100 echo' and apply it inbound on G0/1 (the interface facing R3) so that traffic is filtered as it enters R1. The implicit deny at the end of the ACL blocks all other traffic from R3 to R2.

Exam trap

The key trap is that standard ACLs cannot filter by protocol; you must use an extended ACL for ICMP. Also, remember that ACLs are applied per interface and direction; removing the old permissive ACL is essential. Applying the ACL on the wrong interface or with reversed source/destination are common mistakes.

Why the other options are wrong

B

Standard ACLs cannot filter by protocol (ICMP); they match only on source IP addresses, so this ACL would permit all traffic from R3's LAN.

C

The ACL statement has the source and destination swapped, and it is applied on the wrong interface (G0/0 instead of G0/1).

D

The existing ACL 10 is too permissive and is applied on the wrong interface (G0/0 inbound) to filter traffic from R3 to R2. It must be removed for the new restrictions to take effect.

63
PBQmedium

You are connected to R1 via the console. R1 connects two networks: GigabitEthernet0/0 (192.168.1.1/24) and GigabitEthernet0/1 (192.168.2.1/24). Create an extended ACL named BLOCK_HTTP that denies HTTP traffic (tcp port 80) from the 192.168.1.0/24 network to the 192.168.2.0/24 network, but permits all other IP traffic. Apply this ACL inbound on GigabitEthernet0/0.

Network Topology
(Diagram) Hosts (LAN A) -- G0/0 192.168.1.1/24 -- R1 -- G0/1 192.168.2.1/24 -- LAN B (Web servers)

Hints

  • Use the 'ip access-list extended' command to create a named ACL.
  • The deny statement must specify source, destination, and protocol.
  • Apply the ACL to the interface where traffic enters.
A.ip access-list extended BLOCK_HTTP deny tcp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 eq 80 permit ip any any interface GigabitEthernet0/0 ip access-group BLOCK_HTTP in
B.ip access-list extended BLOCK_HTTP deny tcp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 eq 80 permit ip any any interface GigabitEthernet0/1 ip access-group BLOCK_HTTP in
C.ip access-list extended BLOCK_HTTP deny tcp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 eq 80 permit ip any any interface GigabitEthernet0/0 ip access-group BLOCK_HTTP out
D.ip access-list extended BLOCK_HTTP deny tcp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 eq 80 permit ip any any interface GigabitEthernet0/0 ip access-group BLOCK_HTTP in interface GigabitEthernet0/1 ip access-group BLOCK_HTTP in
AnswerA
solution
! R1
ip access-list extended BLOCK_HTTP
deny tcp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 eq 80
permit ip any any
interface GigabitEthernet0/0
ip access-group BLOCK_HTTP in

Why this answer

The named extended ACL BLOCK_HTTP denies TCP port 80 from 192.168.1.0/24 to 192.168.2.0/24, then permits all other traffic. Applying it inbound on G0/0 filters traffic from LAN A before routing.

Exam trap

Pay close attention to the interface and direction specified in the question. Inbound ACLs filter traffic entering the interface, while outbound ACLs filter traffic leaving. Also, ensure the ACL is applied only on the required interface.

Why the other options are wrong

B

The ACL is applied on the wrong interface; it should be applied inbound on G0/0, not G0/1.

C

The ACL is applied in the wrong direction; it should be inbound, not outbound.

D

The ACL is applied on an extra interface (G0/1) that is not required, which may block legitimate traffic.

64
MCQhard

R1 has the following routes installed:

O 10.10.10.0/24 via 192.0.2.2
S 10.10.10.128/25 via 198.51.100.2
S* 0.0.0.0/0 via 203.0.113.1

A packet destined for 10.10.10.200 arrives at R1. Which route is used?

A.The OSPF route to 10.10.10.0/24 via 192.0.2.2
B.The static route to 10.10.10.128/25 via 198.51.100.2
C.The default route via 203.0.113.1
D.The packet is dropped because OSPF routes cannot overlap with static routes.
AnswerB

Longest prefix match makes the /25 win.

Why this answer

Routers forward using longest prefix match first. Even though the OSPF /24 exists, the static /25 is more specific and covers 10.10.10.200, so the packet is sent via 198.51.100.2. The default route is used only when nothing more specific matches.

Exam trap

A common exam trap is assuming that the router will always prefer OSPF routes over static routes because OSPF is a dynamic routing protocol. Candidates may also mistakenly believe that overlapping routes are invalid or cause routing conflicts. In reality, Cisco routers allow overlapping routes and use the longest prefix match rule first, regardless of the routing protocol or administrative distance.

This leads to confusion when a static route with a longer prefix exists alongside an OSPF route with a shorter prefix. Misunderstanding this can cause incorrect answers about which route will be used for forwarding packets.

Why the other options are wrong

A

The OSPF route to 10.10.10.0/24 matches the destination IP but has a shorter prefix length (/24) than the static route (/25). Since longest prefix match is the primary rule, this route is not used.

C

The default route 0.0.0.0/0 is the least specific and is only used when no other route matches the destination IP. Since more specific routes exist, the default route is not selected.

D

It is incorrect that packets are dropped due to overlapping routes. Cisco routers allow overlapping static and OSPF routes and forward packets based on the most specific prefix match, so the packet is not dropped.

65
MCQhard

A security team wants device administrators to log in with individual named accounts instead of sharing one generic admin account. Which security objective does that most directly improve?

A.Accountability for administrative actions
B.Automatic VLAN assignment for management traffic
C.Route summarization efficiency
D.Wireless roaming performance
AnswerA

This is correct because individual accounts make it easier to tie actions to specific administrators.

Why this answer

It most directly improves accountability. In practical terms, when each administrator has an individual account, the organization can tie actions to specific people rather than to one shared identity. That makes investigation, auditing, and operational review much more meaningful.

This also supports better access-control hygiene overall, but the clearest direct benefit is being able to identify who actually performed an administrative action.

Exam trap

A frequent exam trap is selecting options unrelated to user identity and accountability, such as VLAN assignment or routing efficiency, because they sound like valid network improvements. However, these options do not address the core security goal of tracking who performed administrative actions. Candidates might also confuse accountability with performance or configuration optimization objectives, which are important but distinct.

The key is to focus on the security principle that individual named accounts enable precise attribution of actions, which shared accounts cannot provide. This distinction is critical for Cisco’s security fundamentals domain and the CCNA exam.

Why the other options are wrong

B

Incorrect because automatic VLAN assignment for management traffic is unrelated to user identity or accountability; it concerns network segmentation, not administrative tracking.

C

Incorrect because route summarization efficiency deals with optimizing routing tables and has no connection to user account management or security accountability.

D

Incorrect because wireless roaming performance relates to client mobility and access point behavior, which does not involve administrative account design or accountability.

66
MCQmedium

An administrator wants an access-layer interface to shut down immediately if another switch is connected accidentally. Which feature best meets that requirement?

A.Root Guard
B.PortFast
C.BPDU Guard
D.Loop Guard
AnswerC

Correct choice.

Why this answer

BPDU Guard is designed for edge ports. If the port receives a BPDU, the switch treats that as a sign that another switch has been connected and places the interface into an err-disabled state to protect the spanning-tree topology.

Exam trap

A frequent exam trap is selecting Root Guard or Loop Guard instead of BPDU Guard. Root Guard only blocks a port from becoming a root port but does not disable the port immediately upon receiving BPDUs. Loop Guard protects against unidirectional link failures by preventing a port from transitioning to forwarding when BPDUs are lost but does not shut down the port.

Candidates may also confuse PortFast as it is related to edge ports but it only speeds up STP convergence and does not disable ports. Understanding that BPDU Guard uniquely disables the port immediately upon receiving BPDUs on an edge port is essential to avoid this trap.
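The configuration below is an added example, not part of the question bank: it enables BPDU Guard on access ports in both the global and per-interface form and shows the err-disable recovery caveat a practitioner usually wants alongside it. The interface range and recovery timer are assumed values.

```cisco
! Added example (not from the question bank). Interface range and the 300 s
! recovery interval are assumptions for illustration.
configure terminal
 ! Global form: every PortFast-enabled edge port gets BPDU Guard automatically
 spanning-tree portfast default
 spanning-tree portfast bpduguard default
 !
 ! Per-interface form, explicit on a range of access ports
 interface range GigabitEthernet1/0/1 - 24
  switchport mode access
  spanning-tree portfast
  spanning-tree bpduguard enable
 !
 ! Optional: recover err-disabled ports automatically after 300 s instead of
 ! requiring a manual "shutdown" / "no shutdown". Leave this out if the port
 ! should stay down until someone checks why a switch appeared on an edge port.
 errdisable recovery cause bpduguard
 errdisable recovery interval 300
 end
!
! Verification (output not shown here):
!   show spanning-tree summary           -> BPDU Guard default state
!   show interfaces status err-disabled  -> ports disabled, reason "bpduguard"
!   show errdisable recovery             -> recovery causes and timer
```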

Why the other options are wrong

A

Root Guard prevents a port from becoming a root port by blocking superior BPDUs but does not shut down the port immediately. It is designed to maintain the root bridge position, not to disable ports upon accidental switch connections.

B

PortFast allows a port to transition quickly to the forwarding state, reducing STP convergence time. However, it does not disable the port if a BPDU is received, so it does not meet the requirement to shut down the port immediately.

D

Loop Guard prevents a port from transitioning to forwarding if BPDUs are lost, protecting against unidirectional link failures. It does not disable the port upon receiving BPDUs and therefore does not meet the requirement.

67
MCQ easy

A user types www.example.com into a browser. Which service is used first to resolve that name into an IP address?

A. DHCP
B. DNS
C. NTP
D. Syslog
Answer: B

DNS resolves the hostname to an IP address.

Why this answer

DNS maps hostnames to IP addresses, which is the first step when a user enters a URL. DHCP assigns IP addresses, NTP synchronizes time, and Syslog handles logging—none of these services resolve domain names to IP addresses. The web session itself uses HTTP or HTTPS later, but name resolution happens first.

Exam trap

Don't confuse the role of DNS with HTTP, ARP, or DHCP. Remember, DNS is specifically for domain name resolution.

Why the other options are wrong

A

DHCP (Dynamic Host Configuration Protocol) assigns IP addresses, subnet masks, default gateways, and other network configuration parameters to clients. It does not perform name resolution; DNS is required for that.

C

NTP (Network Time Protocol) is used to synchronize clocks between network devices, not to resolve hostnames to IP addresses. It operates on UDP port 123 and has no role in DNS resolution.

D

Syslog is a protocol for logging system messages and events from network devices. It has no function in name resolution; it is used for monitoring and troubleshooting.

68
MCQ hard

After securing a switch by running 'ip ssh version 2' and generating RSA keys with 'crypto key generate rsa modulus 1024', remote SSH connections fail with a 'key exchange error'. A check of the SSH client’s documentation reveals it requires a minimum 2048-bit RSA key for SSH version 2. What should the technician do next?

A.Verify IP connectivity between the client and the switch by issuing a ping from the client to the switch.
B.Check the SSH client configuration on the host to ensure it accepts 1024-bit keys.
C.Regenerate the RSA key pair on the switch with a 2048-bit modulus using the command 'crypto key generate rsa modulus 2048'.
D.Disable SSH version 2 on the switch and revert to SSH version 1, which does not enforce key length restrictions.
Answer: C

Regenerating the key pair with a higher modulus directly resolves the key-strength mismatch. The switch will then present a 2048-bit key during the SSH handshake, fixing the key exchange error. The existing 'ip ssh version 2' setting remains active after rekeying.

Why this answer

The 'key exchange error' occurs because the 1024-bit RSA key does not meet the client’s 2048-bit minimum requirement for SSH version 2. The immediate corrective step is to regenerate the RSA keys with a 2048-bit modulus using the 'crypto key generate rsa modulus 2048' command, which will produce a larger key pair while preserving the existing SSH version 2 configuration. This addresses the Layer 7 application misconfiguration directly.

Exam trap

Many candidates select verifying Layer 3 connectivity or testing the SSH client, but the error message and known client requirement clearly point to a key-strength mismatch, not a network reachability problem.

Why the other options are wrong

A

This option assumes that a connection failure always starts at Layer 1 or Layer 3 and ignores the specific error message, which points to an application-layer mismatch.

B

This is misplaced troubleshooting: it attempts to relax security on the client instead of fixing the server's key size to meet the documented standard.

D

This is a drastic and insecure step that misdiagnoses the root cause; the issue is key size, not protocol version.

69
MCQ hard

A router allows SSH management from anywhere on the internal network. A new policy requires that only the management subnet 10.50.50.0/24 be allowed to initiate SSH to the device. Which approach best enforces that requirement?

A.Restrict SSH access so only the 10.50.50.0/24 management subnet is permitted
B.Replace SSH with Telnet so the traffic is easier to identify
C.Enable PortFast on all access switches
D.Raise the Syslog severity threshold
Answer: A

This is correct because the policy is specifically about limiting management access by source.

Why this answer

The best approach is to use an access control mechanism that limits SSH access to the approved source subnet. In practical terms, SSH is the correct secure protocol, but protocol choice alone is not enough. The device should also restrict who is allowed to reach that management service. That usually means applying an ACL or equivalent source restriction focused on the management subnet.

This is a common management-plane security pattern: use a secure protocol, then limit the set of trusted sources that are allowed to use it.
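The following is an added example that is not part of the question bank; it ties question 68 (regenerating a 2048-bit RSA key while keeping SSH version 2) and question 69 (restricting SSH to the 10.50.50.0/24 management subnet) together on one device. The hostname, domain name, ACL name MGMT_SSH and the local username are assumptions.

```cisco
! Added example (not from the question bank). Hostname, domain name, the ACL
! name MGMT_SSH and the local account are assumptions; 10.50.50.0/24 is the
! management subnet from question 69.
configure terminal
 hostname R1
 ip domain-name example.com          ! RSA key generation needs a domain name
 !
 ! Q68: replace the 1024-bit key with a 2048-bit pair. IOS asks whether to
 ! replace an existing key pair; "ip ssh version 2" stays configured afterwards.
 crypto key generate rsa modulus 2048
 ip ssh version 2
 !
 ! Q69: allow only the management subnet as an SSH source. A standard ACL is
 ! sufficient because the VTY restriction is made on source address alone; the
 ! implicit deny at the end drops every other source.
 ip access-list standard MGMT_SSH
  permit 10.50.50.0 0.0.0.255
  deny   any log                     ! explicit deny so rejected attempts are logged
 !
 username admin privilege 15 secret PLACEHOLDER-CHANGE-ME
 line vty 0 4
  transport input ssh                ! SSH only; Telnet is not accepted
  access-class MGMT_SSH in           ! applies the ACL to inbound VTY sessions
  login local
 end
!
! Verification (output not shown here):
!   show ip ssh                     -> SSH version 2, 2048-bit key
!   show ip access-lists MGMT_SSH   -> hit counts on the permit/deny lines
!   show running-config | section line vty
```

Keep an existing session open while regenerating the key and testing the ACL, so a mistake in either step does not lock you out of the device.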

Exam trap

A frequent exam trap is selecting an option that changes the management protocol, such as replacing SSH with Telnet, because it seems to simplify access control. However, Telnet is insecure as it transmits data in clear text, exposing credentials to interception. Another trap is choosing unrelated features like PortFast or syslog severity thresholds, which do not control access to management services.

Candidates may also overlook the need to apply an ACL to restrict source IPs, mistakenly believing that enabling SSH alone enforces the policy. This misunderstanding leads to incomplete security configurations that fail the requirement to limit SSH access to the management subnet.

Why the other options are wrong

B

Incorrect because replacing SSH with Telnet reduces security by transmitting data unencrypted, exposing credentials and management traffic to interception, which violates best practices and the policy’s intent to secure management access.

C

Incorrect because enabling PortFast affects Spanning Tree Protocol port states to speed up network convergence and does not provide any control over router management access or SSH session initiation.

D

Incorrect because raising the syslog severity threshold only changes the level of logged messages and does not restrict or control which hosts can initiate SSH connections to the router.

70
Matching medium

Match each security concept to its most accurate meaning.

Concept: Match

Confidentiality: Protection against unauthorized disclosure

Integrity: Protection against unauthorized modification

Availability: Ensuring systems and data can be accessed when needed

Least privilege: Limiting access to only what is necessary

Why these pairings

Confidentiality ensures data is not disclosed to unauthorized parties; integrity prevents unauthorized modification of data; availability guarantees systems and data are accessible when needed; least privilege limits access rights to the minimum necessary. The correct matches reflect these core security principles.

Exam trap

A common mistake is confusing confidentiality with integrity or assuming availability means data is always accessible without considering authorized access.

71
MCQ hard

A host receives an IP address, subnet mask, default gateway, and DNS server automatically when it joins the network. Which service is most directly responsible for delivering that bundle of settings?

A. DHCP
B. Syslog
C. NTP
D. GRE
Answer: A

This is correct because DHCP provides automatic host IP configuration information.

Why this answer

DHCP is most directly responsible because it is designed to provide hosts with IP configuration parameters automatically. In practical terms, this often includes the address, mask, gateway, and DNS server information needed for ordinary operation. That is exactly why DHCP is such a central end-host service.

This is one of the most foundational services in enterprise client connectivity.

Exam trap

Be careful not to confuse services that involve IP addresses with those that assign them. DHCP assigns IP settings, while others like DNS, NAT, and ARP have different roles.

Why the other options are wrong

B

Syslog is a protocol used for logging and monitoring system events, not for delivering network configuration parameters. It collects and forwards log messages from network devices to a central server for analysis, but does not assign IP settings.

C

NTP (Network Time Protocol) is designed to synchronize clocks between devices over a network, ensuring accurate timekeeping. It does not provide IP address, subnet mask, default gateway, or DNS server information to hosts.

D

GRE (Generic Routing Encapsulation) is a tunneling protocol used to encapsulate packets of one protocol within another, typically for creating VPNs or connecting remote networks. It does not provide host configuration parameters like IP addresses or DNS servers.

72
MCQ medium

A branch router has only one WAN link connected to an Ethernet handoff from the provider. Which static default route is generally the better choice?

A.ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
B.ip route 0.0.0.0 0.0.0.0 198.51.100.1
C.ip route 255.255.255.255 255.255.255.255 198.51.100.1
D.No static default route should ever be used on Ethernet.
Answer: B

A next-hop address is generally preferred on Ethernet provider handoffs.

Why this answer

On multiaccess Ethernet, pointing the default route to a next-hop IP address is usually cleaner because the router can resolve the next hop with ARP. Using only the exit interface on Ethernet can make the router treat many destinations as directly connected and trigger unnecessary ARP behavior.

Exam trap

A common exam trap is selecting a static default route that specifies only the exit Ethernet interface without a next-hop IP address. While this configuration can work, it causes the router to treat all unknown destinations as directly connected on the Ethernet segment. This behavior triggers excessive ARP requests for every unknown IP address, leading to network inefficiency and potential delays.

Candidates might incorrectly assume that specifying the interface alone is sufficient, but on multiaccess Ethernet links, this is suboptimal and can cause routing issues.

Why the other options are wrong

A

Configuring 'ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0' specifies only the exit interface. On multiaccess Ethernet, this causes the router to ARP for every unknown destination, which is inefficient and not the recommended form.

C

Configuring 'ip route 255.255.255.255 255.255.255.255 198.51.100.1' creates a host route, which matches only one IP address, not all unknown destinations. Therefore, it is not a valid default route.

D

The statement that no static default route should ever be used on Ethernet is incorrect. Static default routes are valid and commonly used on Ethernet interfaces, especially for WAN links.

73
MCQ hard

A named standard ACL is configured to permit only the 192.168.30.0/24 subnet, but users from 192.168.31.0/24 are still passing traffic. What is the most likely reason?

A.Standard ACLs cannot match source addresses
B.The ACL is probably applied in the wrong place or direction for the traffic flow
C.Named ACLs ignore wildcard masks
D.The deny any line must appear before the permit
Answer: B

ACL placement matters a lot with standard ACLs.

Why this answer

Standard ACLs filter traffic based solely on the source IP address. If users from 192.168.31.0/24 are still passing traffic despite the ACL permitting only 192.168.30.0/24, the most likely reason is that the ACL is applied in the wrong place or direction. For example, if the ACL is applied inbound on an interface where traffic from 192.168.31.0/24 does not enter, or outbound on an interface where the traffic does not exit, the filter will not affect the intended flow.

The implicit deny statement denies all unmatched traffic, so if the ACL were correctly placed, traffic from 192.168.31.0/24 would be denied.
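An added example, not part of the question bank, that reproduces the misplacement described above and then corrects it. The topology is assumed: R1's Gi0/0 faces the user LANs 192.168.30.0/24 and 192.168.31.0/24, Gi0/1 faces the protected segment, and the ACL name ALLOW_30 is made up.

```cisco
! Added example (not from the question bank). Assumed topology: Gi0/0 faces the
! user LANs, Gi0/1 faces the protected segment. ACL name ALLOW_30 is assumed.
ip access-list standard ALLOW_30
 permit 192.168.30.0 0.0.0.255
 ! the implicit "deny any" follows; made explicit so hit counts are visible
 deny   any
!
! Misplacement that produces the symptom: "in" on Gi0/1 only evaluates packets
! arriving FROM the protected segment. User traffic enters on Gi0/0 and leaves
! on Gi0/1, so it is never checked and 192.168.31.0/24 passes.
interface GigabitEthernet0/1
 ip access-group ALLOW_30 in
!
! Fix: remove the misplaced binding and filter where the flow actually passes.
interface GigabitEthernet0/1
 no ip access-group ALLOW_30 in
 ! outbound toward the protected segment: the usual placement for a standard
 ! ACL (close to the destination), so 192.168.30.0/24 users keep reaching
 ! other destinations through the router
 ip access-group ALLOW_30 out
!
! Alternative: "ip access-group ALLOW_30 in" on Gi0/0 also catches the flow,
! but then 192.168.31.0/24 is dropped for every destination, not just this one.
!
! Verify binding and direction, then watch counters while a 192.168.31.0/24
! host generates traffic:
!   show ip interface GigabitEthernet0/1 | include access list
!   show ip access-lists ALLOW_30
```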

Exam trap

Remember that ACLs must be applied in the correct direction to affect traffic flow as intended.

Why the other options are wrong

A

Standard ACLs are specifically designed to match source IP addresses, so this statement is factually incorrect. They can match source addresses using wildcard masks.

C

Named ACLs use wildcard masks just like numbered ACLs; the naming does not affect the functionality of wildcard masks. The statement is technically incorrect.

D

The 'deny any' line at the end of an ACL is implicit, so placing it before the permit would block all traffic, including the intended 192.168.30.0/24 subnet. The order of entries matters, but the issue here is not about the order of deny any.

74
Multi-Select hard

R1 learns the route 192.0.2.0/24 via OSPF, RIP, and a static route configured with an administrative distance of 130. Based on this information, which two statements are correct?

Select 2 answers
A.The OSPF route is installed because its administrative distance is lower than RIP and the floating static route.
B.The static route will be preferred because static routes always beat dynamic routes.
C.The static route acts as a backup and can be installed if the OSPF route disappears.
D.RIP wins because its metric is lower than OSPF cost.
E.All three routes should load-balance because the prefix length is the same.
Answers: A, C

For the same /24 prefix, OSPF AD 110 beats RIP 120 and static 130.

Why this answer

The router installs the OSPF route because it has the lowest administrative distance among the routes shown. The static route with AD 130 is intentionally floating, and the RIP route has a higher AD than OSPF. Route selection first prefers longest match, then lower AD among routes to the same prefix length.

Exam trap

A frequent exam trap is assuming that static routes always take precedence over dynamic routes regardless of administrative distance. Many candidates incorrectly believe that static routes inherently override OSPF or RIP routes. However, Cisco routers use administrative distance first to select the best route when multiple protocols provide the same prefix.

If a static route has a higher AD (like 130 for a floating static), it will not be installed unless the primary route disappears. Another common mistake is to think RIP wins because it has a lower metric than OSPF cost, but metrics are only compared within the same routing protocol, not across different protocols. This misunderstanding leads to incorrect route selection assumptions.

Why the other options are wrong

B

This option is incorrect because static routes do not always beat dynamic routes; the static route must have a lower administrative distance to be preferred, which is not the case here due to the floating static’s higher AD.

D

This option is incorrect because routing protocols are compared first by administrative distance, not by their internal metrics; RIP’s metric does not override OSPF’s lower AD.

E

This option is incorrect because equal prefix length alone does not guarantee load balancing; the routes must be learned from the same routing source (equal administrative distance) and have equal metrics for equal-cost multipath (ECMP) to occur.

75
MCQ hard

A company wants to reduce the chance that unused switch ports can be exploited. Which action best aligns with that goal?

A.Administratively shut down unused switch ports
B.Convert all unused ports into trunk ports
C.Enable Telnet on all unused ports
D.Advertise every unused port into OSPF
Answer: A

This is correct because disabling unused ports reduces exposure and is a common hardening practice.

Why this answer

The best action is to administratively disable unused ports and apply hardening where appropriate. In plain language, an unused port is still a possible entry point if it remains active and unmonitored. Shutting it down reduces exposure and aligns with the broader principle of minimizing unnecessary attack surface. This is a simple but effective part of switch hardening.

Leaving unused ports active may feel convenient, but it creates opportunities for unauthorized connections. The correct answer is the one focused on disabling resources that are not needed rather than on unrelated technologies.

Exam trap

A frequent exam trap is selecting options that involve enabling protocols or configurations unrelated to physical port security, such as enabling Telnet or advertising ports in OSPF. These options may seem to increase control or visibility but do not reduce the risk of unauthorized access through unused switch ports. Another trap is converting unused ports into trunk ports, which actually increases exposure by allowing multiple VLANs to traverse ports that should be inactive.

The key mistake is confusing Layer 2 port hardening with Layer 3 routing or management protocol configurations, which do not address the fundamental risk of an active but unused physical port.

Why the other options are wrong

B

Converting unused ports into trunk ports is incorrect because it increases network exposure by allowing multiple VLANs on ports that should remain inactive, thereby expanding potential attack vectors.

C

Enabling Telnet on all unused ports is wrong as Telnet is an insecure management protocol that does not address physical port security and can expose the network to interception and unauthorized access.

D

Advertising every unused port into OSPF is irrelevant because OSPF is a Layer 3 routing protocol that does not manage or secure Layer 2 switch ports, so it does not reduce exploitation risk.
