CCNA Network Services Security Questions

75 of 478 questions · Page 2/7 · Network Services Security topic

76 (MCQ, medium)

Which wireless security method is considered strongest among these choices for modern enterprise WLAN deployments?

A. WEP
B. WPA
C. WPA2 with AES
D. Open authentication

Answer: C

Correct. WPA2 with AES is the strongest listed option.

Why this answer

WPA2 with AES provides substantially stronger security than WEP, legacy WPA, or open authentication. In current enterprise environments, WPA2 and WPA3 are the expected baseline approaches depending on platform support.

Exam trap

A frequent exam trap is selecting WPA instead of WPA2 with AES because WPA sounds like a newer or stronger protocol than WEP. However, WPA uses TKIP, which is less secure and considered legacy. Another trap is underestimating the insecurity of open authentication, which provides no encryption and leaves WLAN traffic exposed.

Candidates might also mistakenly think WEP is acceptable due to its historical use, but it is deprecated and easily cracked. The key mistake is not recognizing that WPA2 with AES is the current minimum security standard for enterprise wireless networks, making it the strongest choice among the options.

Why the other options are wrong

A

WEP is deprecated and insecure because it uses weak RC4 encryption with static keys, which attackers can easily crack, making it unsuitable for modern enterprise WLANs.

B

WPA improves on WEP by introducing TKIP but still uses weaker encryption than WPA2 with AES, so it is not the strongest choice for enterprise wireless security.

D

Open authentication provides no encryption or authentication, leaving wireless traffic exposed to interception and unauthorized access, so it is not a secure method.

77 (PBQ, hard)

You are connected to R1. The network currently permits all HTTP traffic from hosts on the 192.168.1.0/24 LAN to reach the web server at 203.0.113.10, but SSH traffic (TCP port 22) from the same LAN is being blocked. Additionally, you must ensure that no other traffic from the LAN reaches the server. Configure an extended ACL on R1 to allow only HTTP and SSH from the LAN to the server, and apply it inbound on the correct interface. Verify your solution.

Network Topology
LAN hosts connect to R1 G0/0 (192.168.1.1/24); R1 G0/1 (203.0.113.1/30) connects to the WAN, behind which sits the server.

Hints

  • The current ACL is blocking SSH but allowing everything else; you need to reverse the logic.
  • Apply the new ACL inbound on the interface facing the LAN (GigabitEthernet0/0).
  • Remember that an implicit deny all exists at the end of every ACL; do not add a permit ip any any.
A. Remove the existing ACL from the interface, delete the ACL, create a new extended ACL that permits tcp from 192.168.1.0/24 to host 203.0.113.10 for ports 80 and 22, and apply it inbound on GigabitEthernet0/0.
B. Modify the existing ACL BLOCK_SSH by adding a permit statement for HTTP and changing the deny SSH to permit SSH, then reapply it inbound on GigabitEthernet0/0.
C. Create a new extended ACL that permits tcp from 192.168.1.0/24 to host 203.0.113.10 for ports 80 and 22, and apply it inbound on GigabitEthernet0/1 (the WAN interface).
D. Create a new extended ACL that permits tcp from 192.168.1.0/24 to host 203.0.113.10 for ports 80 and 22, and apply it outbound on GigabitEthernet0/0.

Answer: A

Solution:
! R1
interface GigabitEthernet0/0
no ip access-group BLOCK_SSH in
exit
no ip access-list extended BLOCK_SSH
ip access-list extended LAN_TO_SERVER
permit tcp 192.168.1.0 0.0.0.255 host 203.0.113.10 eq 80
permit tcp 192.168.1.0 0.0.0.255 host 203.0.113.10 eq 22
exit
interface GigabitEthernet0/0
ip access-group LAN_TO_SERVER in
end

Why this answer

The existing ACL BLOCK_SSH is applied inbound on GigabitEthernet0/0 and explicitly denies SSH from the LAN to the server, but permits all other IP traffic (including HTTP). The requirement is to allow only HTTP and SSH, blocking everything else. The solution is to remove the current ACL from the interface, delete the ACL, create a new extended ACL that permits tcp from the LAN to the server for ports 80 (HTTP) and 22 (SSH), and implicitly deny all other traffic, then reapply it inbound on GigabitEthernet0/0.

Exam trap

The trap is that candidates may try to modify the existing ACL without realizing it contains a permit ip any any statement that would still allow all traffic. Also, they may apply the ACL on the wrong interface or in the wrong direction. Always check the existing ACL entries and apply ACLs inbound on the interface closest to the source.

Why the other options are wrong

B

The specific factual error is that the existing ACL contains a permit ip any any statement that would override any specific denies, allowing all traffic.

C

The specific factual error is that ACLs should be applied inbound on the interface where the traffic enters the router, not on the outbound interface towards the destination.

D

The specific factual error is that outbound ACLs filter traffic exiting the interface, but the traffic from LAN to server enters the router via GigabitEthernet0/0 and exits via another interface (e.g., WAN). An outbound ACL on GigabitEthernet0/0 would not affect traffic going to the server.

78 (MCQ, hard)

A host reaches websites by IP address but fails when using hostnames. Which service is the strongest suspect?

Answer: A

This is correct because hostname resolution is the missing function in this scenario.

Why this answer

The strongest suspect is DNS. In plain language, the host can already reach the remote system when given the numeric address directly, which suggests the underlying IP connectivity works. The missing piece is the translation of hostnames into IP-related information, and that is exactly the role of DNS.

This is one of the most common real troubleshooting patterns because it cleanly separates connectivity problems from name-resolution problems. If IP works but names fail, DNS becomes the most likely area to investigate.

Exam trap

A frequent exam trap is selecting NAT or PAT as the cause of hostname resolution failure because these services involve IP address translation. However, NAT and PAT affect IP connectivity and address translation between private and public networks, not the translation of hostnames to IP addresses. Another trap is choosing STP, which is unrelated to IP services and only manages Layer 2 loop prevention.

Candidates might also confuse port security with DNS, but port security controls switch port access and does not resolve hostnames. The key mistake is overlooking that DNS is the sole service responsible for converting hostnames into IP addresses, which is why it is the strongest suspect when name-based access fails but IP-based access succeeds.

Why the other options are wrong

B

STP (Spanning Tree Protocol) is unrelated to hostname resolution. It prevents Layer 2 switching loops and does not affect IP connectivity or DNS services, so it cannot cause hostname resolution failures.

C

PAT (Port Address Translation) manages IP address translation for outbound traffic but does not handle hostname-to-IP translation. If PAT were failing, IP connectivity itself would be affected, not just hostname resolution.

D

Port security controls access to switch ports by limiting which MAC addresses can connect. It does not perform or affect hostname resolution or IP address translation, so it is not related to the problem.

79 (Matching, easy)

Match each network service to its primary function.

Descriptions to match:

  • Resolves hostnames to IP addresses
  • Assigns IP configuration to clients
  • Synchronizes device time
  • Collects and stores log messages

Why these pairings

Each network service has a distinct primary function: DNS translates names to IPs, DHCP automates IP assignment, NTP synchronizes time, SNMP manages devices, FTP transfers files, and HTTP serves web content.

Exam trap

A common trap is confusing DNS with DHCP because both involve IP addresses. Remember: DNS resolves names to IPs, while DHCP assigns IPs. Also, avoid mixing up DNS with other services like NTP or SNMP.

80 (MCQ, medium)

An engineer configures NAT overload on a router for inside users. Which resource is primarily used to let many internal hosts share one public IPv4 address?

A. IPv6 extension headers
B. TCP and UDP port numbers
C. Different source MAC addresses on the WAN
D. Separate routing tables per client

Answer: B

Correct choice.

Why this answer

PAT distinguishes sessions by using Layer 4 port numbers. That is what allows many inside devices to use the same outside IP address at the same time without conflicting with each other.

Exam trap

Don't confuse static or dynamic NAT with PAT; only PAT allows multiple hosts to share a single IP using port numbers.

Why the other options are wrong

A

IPv6 extension headers are used for additional functionality in IPv6 packets, such as fragmentation or security, and are not involved in NAT overload (PAT) which operates at Layer 4 using port numbers.

C

Source MAC addresses are used for Layer 2 forwarding within a local network and are not preserved across a router's WAN interface; NAT operates at Layer 3 and above, not using MAC addresses for translation.

D

Routers do not maintain separate routing tables per client; routing tables are based on destination networks, not individual hosts. NAT overload uses a single routing table and relies on port numbers for translation.

81 (MCQ, medium)

A router is configured with an access list intended to block Telnet from 192.168.10.0/24 to 10.1.1.10, but Telnet still works. What is the most likely reason?

A. The ACL must use wildcard mask 255.255.255.0 instead of 0.0.0.255
B. The ACL is applied in the wrong place or direction
C. Standard ACLs should always be used for Telnet filtering
D. The router must run PAT before ACLs can filter Telnet

Answer: B

The configuration logic points to an attachment problem rather than a syntax problem.

Why this answer

Option B is correct because the most common reason an ACL fails to block traffic is incorrect application—either it is applied to the wrong interface or in the wrong direction. For Telnet traffic from 192.168.10.0/24 to 10.1.1.10, the ACL must be applied inbound on the interface closest to the source or outbound on the interface closest to the destination. Option A is incorrect because the wildcard mask 0.0.0.255 is correct for matching the 192.168.10.0/24 network; 255.255.255.0 is a subnet mask, not a wildcard mask.

Option C is false—standard ACLs can only filter by source IP and cannot match the destination port (Telnet), so an extended ACL is actually required. Option D is unrelated; PAT (Port Address Translation) has no bearing on whether an ACL can filter Telnet traffic.

Exam trap

Cisco often tests the concept that an ACL's effectiveness depends on its placement and direction, not just its content, and the trap here is that candidates focus on the wildcard mask or ACL type while overlooking the fundamental requirement of correct application.

Why the other options are wrong

A

The wildcard mask 255.255.255.0 would match only the exact host 192.168.10.0, not the entire /24 subnet. Cisco ACLs use wildcard masks where 0 means match and 1 means ignore; for a /24, the correct mask is 0.0.0.255.

C

Standard ACLs can only filter based on source IP address and cannot match specific protocols like Telnet (TCP port 23) or destination addresses. Extended ACLs are required to filter Telnet traffic from a specific source to a specific destination.

D

PAT (Port Address Translation) is unrelated to ACL filtering. ACLs operate independently of NAT/PAT; they filter traffic based on Layer 3 and Layer 4 information regardless of whether translation is configured.

82 (MCQ, hard)

A host sends a packet larger than the outgoing interface MTU, and the IPv4 header has the Don't Fragment bit set. What will a router do with the packet?

A. Fragment it anyway and forward the pieces
B. Drop it and typically return an ICMP message indicating fragmentation is needed
C. Translate it to IPv6 and forward it
D. Broadcast it so another router can handle fragmentation

Answer: B

Correct. When a packet is too large for the outgoing MTU and fragmentation is not allowed, the router drops the packet and usually informs the sender that fragmentation would be required.

Why this answer

The router drops the packet because the packet is too large for the next link and the sender has explicitly said the packet must not be fragmented. In IPv4, the Don't Fragment bit tells routers not to break the packet into smaller pieces. If the outgoing interface MTU is smaller than the packet size, the router cannot legally forward it as-is and cannot fragment it, so the normal result is to drop the packet and usually send back an ICMP unreachable message indicating that fragmentation is needed.

In plain terms, the router is telling the sender, 'This packet is too big for the path you chose, and you told me I am not allowed to split it.' This behavior is central to path MTU discovery.

Exam trap

A common exam trap is to assume that routers will fragment any oversized IPv4 packet regardless of the Don't Fragment bit. Candidates might select the option that routers fragment the packet anyway, ignoring the DF bit. This is incorrect because the DF bit explicitly prevents fragmentation.

Another tempting mistake is to think that routers might broadcast the packet to other routers or convert it to IPv6 to solve the problem, which does not happen. Understanding that the router must drop the packet and send an ICMP message is critical to avoid this trap.

Why the other options are wrong

A

Fragmenting the packet despite the DF bit being set violates the sender's explicit instruction to avoid fragmentation. Routers must respect the DF bit and cannot fragment in this case.

C

Routers do not convert IPv4 packets to IPv6 to handle MTU or fragmentation issues. These are different protocols, and such conversion is not a standard router behavior.

D

Routers do not broadcast oversized packets to other routers for fragmentation. The forwarding decision and fragmentation handling are local to the router, so the packet is dropped if it cannot be forwarded.

83 (Matching, easy)

Match each DHCPv4 message in the DORA process to its role.

Descriptions to match:

  • Client looks for DHCP servers
  • Server proposes an address and lease details
  • Client asks to use the offered address
  • Server confirms the lease

Why these pairings

The DORA process includes Discover (client broadcast), Offer (server response), Request (client accepts), and Ack (server confirms). Additional messages like NAK and Decline handle errors.

Exam trap

Do not confuse the order or roles of DHCP messages. Remember that the client initiates with Discover, then the server Offers, the client Requests, and the server Acknowledges. The mnemonic DORA helps: Discover, Offer, Request, Ack.

84 (MCQ, hard)

A network administrator has configured a DHCP server on VLAN 100 with an IP address of 192.168.100.10/24. Clients on VLAN 200 (192.168.200.0/24) report that they cannot obtain an IP address via DHCP. The router is configured with a DHCP relay on the VLAN 200 interface. The administrator checks the router configuration and verifies that the relay is in place, but clients still fail to get an address. The switch that the router and clients connect to has DHCP snooping enabled. What is the most likely cause of this issue?

A. The DHCP server is on a different subnet and the relay address is incorrect.
B. DHCP snooping is blocking the relay agent because the relay interface is not trusted.
C. The DHCP server is unreachable from the router.
D. The ip helper-address command is missing from the VLAN 200 interface.

Answer: B

The 'show ip dhcp relay information trusted' output shows 'Not configured', which means the relay agent is not trusting the DHCP server's responses. This causes the switch to drop DHCP server responses when DHCP snooping is enabled. The fix is to configure 'ip dhcp relay information trusted' on the interface facing the DHCP server.

Why this answer

The scenario states that DHCP snooping is enabled on the switch. When DHCP snooping is active, it discards DHCP messages received on untrusted ports. The router's VLAN 200 interface, which is configured as a DHCP relay agent, must be configured as a trusted port for DHCP snooping; otherwise, the relayed messages are silently dropped.

Option A is incorrect because the relay address is correctly pointing to the DHCP server's subnet. Option C is too generic and unlikely since the router and switch are directly connected. Option D is incorrect because the relay is verified to be in place.

Therefore, the most likely cause is DHCP snooping blocking the relay agent due to the relay interface not being trusted.

Exam trap

Cisco often tests the misconception that a correctly configured DHCP relay alone guarantees DHCP operation, ignoring that DHCP snooping can silently drop relayed messages if the relay interface is not trusted.

Why the other options are wrong

A

The relay address 192.168.100.10 is correctly configured to point to the DHCP server on VLAN 100. The issue is not with the relay address being incorrect.

C

The DHCP server is on the same router (VLAN 100 interface) and is reachable; the relay configuration is correct. The server is not unreachable.

D

The exhibit shows 'ip helper-address 192.168.100.10' is configured on GigabitEthernet0/1, which is the VLAN 200 interface. The command is present.

85 (Multi-Select, easy)

A company wants all routers and switches to use a common time source so log timestamps line up during incident review. Which two statements about NTP are correct?

Select 2 answers
A. It helps synchronize device clocks
B. Consistent time improves correlation of syslog and other event data
C. It advertises Layer 3 reachability between routers
D. It encrypts data traffic between endpoints by default

Answers: A, B

NTP is used to align time across systems.

Why this answer

NTP (Network Time Protocol) is used to synchronize device clocks (option A) so that event timestamps are consistent across network devices, which improves correlation of syslog and other event data (option B). Option C is incorrect because NTP does not advertise Layer 3 reachability; that is a function of routing protocols like OSPF or EIGRP. Option D is incorrect because NTP does not encrypt data traffic by default; it only synchronizes time and does not provide encryption.

Exam trap

A common exam trap is mistaking NTP for a routing or security protocol. Some candidates incorrectly believe NTP advertises Layer 3 reachability like routing protocols (e.g., OSPF or EIGRP) or that it encrypts data traffic by default. This confusion arises because NTP is often mentioned alongside other network services, but its sole purpose is to synchronize device clocks.

Selecting options related to routing or encryption when the question focuses on time synchronization leads to incorrect answers. Understanding that NTP only aligns time across devices helps avoid this trap.

Why the other options are wrong

C

This option is incorrect because advertising Layer 3 reachability is the role of routing protocols like OSPF or EIGRP, not NTP, which only synchronizes time.

D

This option is incorrect as NTP does not encrypt data traffic by default; it is a time synchronization protocol and does not provide encryption services.

86 (MCQ, medium)

A router is configured for PAT overload. What does the inside global address represent for an internal PC?

A. The private IP address assigned to the internal PC
B. The public address that represents the internal PC to external networks
C. The remote server address as seen from the inside host
D. The MAC address of the outside interface

Answer: B

That is the inside global address.

Why this answer

With NAT overload, the inside local address is the private address on the internal host. The inside global is the translated public address that represents that inside host to the outside network.

Exam trap

A frequent exam trap is mistaking the inside global address for the inside local address. Candidates often confuse the private IP assigned to the internal PC (inside local) with the public IP address used externally (inside global). Another pitfall is mixing up inside global with outside local or outside global addresses, which relate to remote hosts rather than internal devices.

This confusion can lead to incorrect NAT configuration interpretations or troubleshooting errors. Remember, the inside global address is the public IP visible to external networks representing the internal PC, not the private IP assigned inside the LAN.

Why the other options are wrong

A

Option A incorrectly identifies the inside global address as the private IP address assigned to the internal PC. This is actually the inside local address, which is the private IP used within the internal network and not visible externally.

C

Option C confuses the inside global address with outside local or outside global addresses, which refer to remote servers or external hosts from the internal perspective. The inside global address specifically represents the internal PC externally.

D

Option D incorrectly associates the inside global address with the MAC address of the outside interface. NAT translation deals with IP addresses and ports, not MAC addresses, so this option is invalid.

87 (Drag & Drop, medium)

Drag and drop the following steps into the correct order to configure PAT (NAT overload) on a Cisco IOS-XE router so that internal hosts can share a single public IP when accessing the internet. Note: The NAT overload command is applied globally, not on the interface.


Why this order

First, enter global configuration mode. Then configure the inside and outside interfaces with 'ip nat inside' and 'ip nat outside'. Next, create an ACL to identify internal traffic that should be translated.

Finally, apply the NAT overload configuration globally using 'ip nat inside source list <ACL> interface <outside-interface> overload'. The correct order is global config, interfaces, ACL, then global NAT command.

Exam trap

A common mistake is placing the ACL creation before configuring the interfaces or thinking that the NAT overload command is applied directly on the outside interface instead of globally.

88 (MCQ, hard)

An administrator wants to permit SSH management access but block Telnet access to a device. Which statement best reflects that design goal?

A. SSH is preferred because it provides encrypted remote administration, unlike Telnet
B. Telnet is preferred because it provides stronger confidentiality than SSH
C. SSH can be used only on Layer 2 switches and not routers
D. Blocking Telnet automatically disables all AAA functions

Answer: A

This is correct because SSH protects management traffic with encryption, while Telnet sends it in clear text.

Why this answer

Permitting SSH while blocking Telnet is a hardening decision because SSH encrypts management traffic and Telnet does not. The administrator wants remote access to remain available with credentials and session data protected. Option A is correct: SSH provides encrypted remote administration.

Option B is wrong: Telnet offers no confidentiality. Option C is wrong: SSH works on routers and Layer 3 switches, not only Layer 2 switches. Option D is wrong: blocking Telnet does not disable AAA; AAA can still function over SSH or local authentication.

Exam trap

Avoid assuming that enabling both protocols or disabling both achieves security goals. Focus on encryption as the key factor.

Why the other options are wrong

B

Telnet transmits credentials and data in plaintext, so it lacks confidentiality and is less secure than SSH.

C

SSH can be configured on routers, Layer 3 switches, and any device that supports IP connectivity, not just Layer 2 switches.

D

Blocking Telnet only disables unencrypted remote access; AAA functions (e.g., authentication, authorization, accounting) remain operational via SSH or other methods.

89 (Matching, medium)

Match each service to the issue it most directly addresses.

Descriptions to match:

  • Names fail but direct IP access still works
  • Clients do not receive addressing automatically
  • Device times and timestamps do not align
  • Administrators want centralized event collection

Why these pairings

Each service directly addresses a specific network issue: DNS resolves names, DHCP assigns IPs, NTP syncs time, SNMP manages devices, Syslog collects logs, and NetFlow analyzes traffic.

Exam trap

The trap is confusing services that have overlapping or complementary roles, such as DHCP providing NTP server options or SNMP and NetFlow both being monitoring tools. Focus on the primary function of each service, not secondary capabilities.

90 (Matching, easy)

Match each remote-management concept to its most accurate description.

Descriptions to match:

  • Encrypted remote administration
  • Unencrypted remote terminal access
  • Framework for authentication, authorization, and accounting
  • Centralized event and log reporting

Why these pairings

Remote management methods vary in security and functionality: Telnet is unencrypted, SSH is encrypted, RDP is for Windows desktops, VNC is platform-independent, console provides direct access, and serial is a physical connection method.

Exam trap

Do not confuse Telnet with SSH; both provide remote CLI but only SSH encrypts. Also, distinguish between in-band (Telnet/SSH) and out-of-band (console) management.

91 (Drag & Drop, medium)

Drag and drop the following steps into the correct order to configure NTP with authentication on a Cisco router.


Why this order

First, define the NTP authentication key using the ntp authentication-key command to create the key that will be used. Second, enable NTP authentication globally with ntp authenticate so that the router requires keys for NTP associations. Third, specify which keys are trusted with ntp trusted-key so the router accepts those keys.

Fourth, associate the NTP server with the key using the ntp server command with the key option, linking the server to the trusted key. Finally, verify the authenticated association using show ntp associations to confirm the configuration is working. This order is required because the key must exist before it can be trusted, authentication must be enabled before keys are checked, and the server must be configured with the key only after it is trusted.

92 (PBQ, medium)

You are connected to R1 via the console. R1 is a router that needs to provide DHCP services for hosts on VLAN 10 (192.168.10.0/24) and VLAN 20 (192.168.20.0/24). The DHCP server is located on VLAN 10 at 192.168.10.100, but hosts on VLAN 20 cannot reach it directly. Configure R1 to forward DHCP broadcasts from VLAN 20 to the DHCP server.

Network Topology
The DHCP server on VLAN 10 connects to R1 subinterface G0/0.10 (192.168.10.1/24); the VLAN 20 hosts connect to R1 subinterface G0/0.20 (192.168.20.1/24).

Hints

  • The helper address should be placed on the interface that receives the DHCP broadcast.
  • The helper address is the server's IP address.
  • Only one command is needed.
A. interface GigabitEthernet0/0.20 ; encapsulation dot1Q 20 ; ip helper-address 192.168.10.100
B. interface GigabitEthernet0/0.10 ; encapsulation dot1Q 10 ; ip helper-address 192.168.10.100
C. interface GigabitEthernet0/0.20 ; encapsulation dot1Q 20 ; ip dhcp relay information option
D. ip dhcp pool VLAN20 ; network 192.168.20.0 255.255.255.0 ; default-router 192.168.20.1

Answer: A

Solution:
! R1
interface GigabitEthernet0/0.20
ip helper-address 192.168.10.100

Why this answer

The ip helper-address command enables the router to forward UDP broadcasts (including DHCP) to a specific server. Placing it on the VLAN 20 subinterface ensures that DHCP requests from VLAN 20 are unicast to the server on VLAN 10.

Exam trap

The key trap is placing the ip helper-address on the wrong interface. Remember: the helper-address must be on the interface that receives the client's broadcast, not on the server's interface. Also, do not confuse ip helper-address with DHCP server configuration or relay option commands.

Why the other options are wrong

B

The ip helper-address must be configured on the interface that receives the client broadcasts (VLAN 20), not the server's VLAN.

C

This command enables relay agent information insertion, not the actual forwarding of DHCP packets to a server.

D

The question states the DHCP server is at 192.168.10.100, so R1 should relay, not serve.

93 (Matching, easy)

Match each IP service to its primary function.

Descriptions to match:

  • Automatic assignment of IP configuration information to clients
  • Resolution of hostnames into IP information
  • Synchronization of device clocks
  • Centralized collection of event and log messages

Why these pairings

DHCP automatically assigns IP configuration (IP address, subnet mask, default gateway) to clients. DNS resolves human-readable hostnames (e.g., www.example.com) into IP addresses. NTP synchronizes device clocks over a network to ensure accurate time-stamping.

Syslog provides a centralized collection of event and log messages from network devices.

Exam trap

Be careful not to confuse DHCP (automatic IP assignment) with DNS (name resolution).

94 (MCQ, medium)

Users receive addresses from the correct subnet and can reach destinations by IP address, but they cannot browse by hostname.

A. Default-router option
B. DNS server option
C. Lease time option
D. TFTP server option

Answer: B

The DNS server option tells clients where to send name-resolution queries.

Why this answer

If clients get an IP address and default gateway but cannot resolve names, the usual problem is the DNS server information handed out by DHCP. Without that, hostname lookups fail even though IP connectivity may still exist.

Exam trap

Don't confuse general network connectivity options with DNS-specific configurations. Focus on what each DHCP option actually configures.

Why the other options are wrong

A

The default-router option (option 3) provides the gateway for off-subnet traffic. While a missing gateway would prevent access to external networks, the scenario states users receive correct subnet addresses and can likely reach local resources. The inability to browse by hostname points to a DNS issue, not a routing problem.

C

The lease time option (option 51) determines how long a client can use an assigned IP address before renewing. It does not affect DNS resolution or hostname browsing. A missing or incorrect lease time would cause IP address expiration issues, not name resolution failures.

D

The TFTP server option (option 66) is used for booting devices like IP phones or diskless workstations to download configuration files or operating systems. It is not involved in hostname resolution. A missing TFTP server would not affect DNS lookups.

95 (MCQ, medium)

An engineer successfully authenticates to a controller and receives a token. What is the usual reason for including that token in later API requests?

A. To identify and authorize the client without resending full login credentials each time
B. To convert HTTP requests into SNMP traps
C. To elect the active controller in the cluster
D. To compress JSON payloads before transport

Answer: A

That is the practical purpose of token-based API access.

Why this answer

The token proves the client has already authenticated and is authorized to continue interacting with the API for the lifetime of that token or session. It is commonly sent in an HTTP header such as Authorization. It does not replace the need for IP routing or DNS resolution.

Exam trap

Remember that tokens are specific to API authentication and should not be confused with other network security or configuration mechanisms.

Why the other options are wrong

B

Tokens are used for authentication and authorization in API requests, not for converting HTTP requests into SNMP traps. SNMP traps are asynchronous notifications sent by network devices, and token-based APIs operate at a different layer and protocol.

C

Token-based authentication is unrelated to controller cluster election. Cluster election typically uses protocols like VRRP, HSRP, or proprietary mechanisms to determine an active controller, not API tokens.

D

Token inclusion in API requests serves authentication and authorization, not data compression. JSON payload compression is typically handled by content-encoding headers (e.g., gzip) and is independent of token usage.

96
Drag & Drop · medium

Drag and drop the following steps into the correct order to plan, configure, and apply an extended ACL that blocks Telnet traffic from the 192.168.1.0/24 network to the 10.0.0.0/24 network, applied inbound on the interface facing the source.


Why this order

First enter global configuration mode, then create the ACL with the deny statement before the permit statement (order matters because entries are evaluated top-down), then enter the source-facing interface and apply the ACL inbound; applying an ACL before creating it would fail.

Exam trap

Watch out for the order of ACL statements: deny must come before permit. Also, remember that ACLs must be created before they can be applied to an interface. Do not forget the implicit deny at the end of every ACL.

97
Drag & Drop · medium

Drag and drop the following steps into the correct order to configure a secure Cisco switch, from enabling secure management access to implementing advanced dynamic ARP inspection.


Why this order

1. Hostname and IP domain name: required to generate RSA keys for SSH in the next step.
2. RSA key generation: SSH cannot function without cryptographic keys.
3. SSH v2 enabled and Telnet disabled: ensures secure remote access before any authentication method is applied.
4. AAA authentication with RADIUS/TACACS+ on vty lines: controls who can access the switch after SSH transport is established.
5. Port security on access ports: protects the data plane by restricting MAC addresses once the management plane is secured.
6. DHCP snooping: builds a binding database used to validate traffic; must be active before DAI can work.
7. Dynamic ARP Inspection: relies on the DHCP snooping database to filter ARP packets and prevent man-in-the-middle attacks, so it must be configured last.

98
Multi-Select · medium

Which TWO statements correctly describe the behavior of standard ACLs and their placement on interfaces?

Select 2 answers
A. Standard ACLs filter traffic based on source IP address only.
B. Standard ACLs should be placed as close to the source as possible.
C. Standard ACLs can filter traffic based on destination IP address.
D. Standard ACLs should be placed as close to the destination as possible.
E. Standard ACLs can filter traffic based on TCP or UDP port numbers.
Answers: A, D

Standard ACLs use only the source IP address (or a wildcard mask) to match packets; they do not consider destination, protocol, or port.

Why this answer

Standard ACLs filter traffic based solely on the source IP address, using numbers 1–99 or 1300–1999 in classic Cisco IOS. They do not consider destination IP, protocol, or port numbers. Because they lack granularity, placing them close to the destination (option D) prevents them from inadvertently blocking traffic that should be permitted, as they cannot distinguish between traffic destined for different services on the same destination host.

Exam trap

Cisco often tests the misconception that standard ACLs should be placed close to the source (like extended ACLs), when in fact standard ACLs lack the granularity to do so safely and must be placed near the destination.

Why the other options are wrong

B

Standard ACLs filter only on source IP, so placing them close to the source can block traffic destined to other networks that should be allowed. The correct placement is close to the destination to minimize unintended filtering.

C

Standard ACLs do not examine destination IP addresses; they only match on source IP addresses. Filtering by destination requires an extended ACL.

E

Standard ACLs operate at Layer 3 and cannot examine Layer 4 information such as TCP or UDP port numbers. Port-based filtering requires an extended ACL.

99
MCQ · hard

A network technician has configured static NAT with the command ip nat inside source static 192.168.1.10 203.0.113.10. The web server at 192.168.1.10 is accessible from the internet on TCP port 80 but not on TCP port 443. The ACL applied to the outside interface permits all IP traffic. What is the most appropriate next step to troubleshoot this issue?

A. Check if the web server is running HTTPS service on port 443.
B. Verify that the ACL applied to the outside interface explicitly permits TCP port 443.
C. Examine the NAT translation table for any conflicting dynamic entries.
D. Confirm the inside global IP address mapped to the server is correct.
Answer: A

This step targets the application layer, where the symptom most likely resides. The ACL permits all IP traffic and the static NAT is successfully translating port 80, ruling out misconfigurations there.

Why this answer

Since the ACL already permits all IP traffic and the static NAT translation works for port 80, the problem is not at Layer 3/4 filtering or NAT. The most likely cause is an application-layer issue: the web server is not listening on port 443. Checking the server's HTTPS service directly addresses that.

Exam trap

Verifying the ACL — many candidates miss that an ACL 'permit ip any any' already allows all ports, so adding a port 443 rule is unnecessary and distracts from the real problem.

Why the other options are wrong

B

The already-configured ACL permits all IP traffic, so explicitly allowing port 443 would not resolve a server not listening on that port. This step wastes time on a verified configuration.

C

Static NAT does not use dynamic overload entries. There are no conflicting entries because NAT overload is not configured, making this check irrelevant.

D

The fact that port 80 works shows the inside global IP is correct. Re-verifying it would not explain the port-specific failure, as the issue is not with the translation.

100
PBQ · hard

You are connected to R1. The internal network 192.168.1.0/24 must be able to access the Internet via PAT (NAT overload) using the outside interface G0/1 with IP 203.0.113.1. Additionally, a web server at 192.168.1.100 must be reachable from the Internet via static NAT to the same outside interface. The current configuration has errors. Correct the NAT configuration so that inside hosts can browse the web and the server is reachable from outside.

Hints

  • Check which interfaces are marked as inside and outside — both were inside.
  • The dynamic NAT rule is missing a keyword to enable port address translation.
  • Verify the ACL used in the NAT rule matches the correct inside subnet.
A. Change interface G0/1 to 'ip nat outside', add 'overload' to the dynamic NAT rule, and correct ACL 100 to permit 192.168.1.0 0.0.0.255
B. Change interface G0/1 to 'ip nat outside', add 'overload' to the dynamic NAT rule, and change ACL 100 to permit 192.168.2.0 0.0.0.255
C. Change interface G0/1 to 'ip nat outside', remove the 'overload' keyword from the dynamic NAT rule, and correct ACL 100 to permit 192.168.1.0 0.0.0.255
D. Change interface G0/1 to 'ip nat inside', add 'overload' to the dynamic NAT rule, and correct ACL 100 to permit 192.168.1.0 0.0.0.255
Answer: A

Solution
! R1
interface GigabitEthernet0/1
no ip nat inside
ip nat outside
exit
ip nat inside source list 100 interface GigabitEthernet0/1 overload
no access-list 100
access-list 100 permit ip 192.168.1.0 0.0.0.255 any

Why this answer

The configuration had three issues: (1) Interface G0/1 was incorrectly configured as 'ip nat inside' instead of 'ip nat outside' — this prevents translation as both interfaces are inside. (2) The NAT overload keyword was missing on the dynamic PAT rule — without 'overload', only one-to-one translation occurs. (3) ACL 100 was matching 192.168.2.0/24 instead of the actual inside subnet 192.168.1.0/24, so traffic from the correct subnet was not translated. Correcting these allows inside hosts to PAT to the outside IP and the static NAT to function properly.

Exam trap

Watch for three common mistakes in NAT configuration: (1) misplacing the 'inside' and 'outside' interface designations, (2) forgetting the 'overload' keyword for PAT, and (3) using an incorrect ACL that does not match the actual inside network. Always verify the ACL matches the source subnet of traffic needing translation.

Why the other options are wrong

B

The ACL must match the source subnet of the inside hosts that need translation; using 192.168.2.0/24 does not match 192.168.1.0/24.

C

The 'overload' keyword is essential for PAT; omitting it means only one inside host can use the outside IP at a time.

D

NAT requires one interface to be 'inside' and the other 'outside'; having both as 'inside' prevents translation of outbound traffic.

101
Multi-Select · medium

Which TWO statements are true regarding the configuration and placement of standard and extended ACLs on a router?

Select 2 answers
A. Standard ACLs are typically placed closest to the source of the traffic.
B. Extended ACLs are typically placed closest to the source of the traffic.
C. A wildcard mask of 0.0.0.0 in an ACL matches all bits of the IP address.
D. A wildcard mask of 255.255.255.255 in an ACL matches all bits of the IP address.
E. Extended ACLs should be placed on the interface closest to the destination to filter traffic before it reaches the final segment.
Answers: B, C

Extended ACLs can filter on source and destination IP addresses, ports, and protocols, so placing them near the source allows early filtering and conserves bandwidth.

Why this answer

Option B is correct because extended ACLs evaluate multiple criteria (source/destination IP, port, protocol), so placing them closest to the source prevents unwanted traffic from consuming bandwidth across the network. Option C is correct because a wildcard mask of 0.0.0.0 means all 32 bits must match, matching a single host. Option A is incorrect—standard ACLs are placed closest to the destination, not the source.

Option D is incorrect—a wildcard mask of 255.255.255.255 matches any address (ignores all bits), not all bits. Option E is incorrect—extended ACLs placed near the destination would not conserve bandwidth; they should be near the source.

Exam trap

Cisco often tests the misconception that standard ACLs should be placed close to the source, when in fact extended ACLs are placed close to the source and standard ACLs close to the destination.

Why the other options are wrong

A

Standard ACLs filter only on source IP address, so placing them close to the source can block traffic that should be allowed to other destinations, causing unnecessary denial of service.

D

A wildcard mask of 255.255.255.255 means 'ignore all bits,' so it matches any IP address, equivalent to the 'any' keyword. It does not match all bits.

E

Extended ACLs are more effective when placed near the source to filter unwanted traffic early, not near the destination. Placing them near the destination allows unwanted traffic to traverse the network unnecessarily.

102
Matching · medium

Match each symptom to the first service area most likely involved.


DNS

DHCP

NTP

Syslog

Why these pairings

Works by IP but not by hostname indicates that name resolution is failing, pointing to DNS. No automatic address on the host means DHCP is not providing an IP, so DHCP is the likely problem. Logs that do not line up in time suggest inconsistent clocks, which is a symptom of NTP failure.

No centralized device event view means log messages are not being aggregated, which is the role of Syslog.

Exam trap

Students often confuse DNS with DHCP: if a host can reach a destination by IP but not by hostname, DNS is the issue, not DHCP.

103
Multi-Select · medium

Users complain that log timestamps from several routers do not line up with one another. Which two actions are most appropriate?

Select 2 answers
A. Configure NTP on the network devices
B. Verify timezone and timestamp settings
C. Increase the syslog severity threshold to debugging
D. Disable console logging
E. Clear the logging buffer on all devices
Answers: A, B

NTP keeps time synchronized.

Why this answer

When timestamps disagree, the first fix is time synchronization. NTP should be configured consistently, and devices should have correct timezone or clock settings so syslog messages can be correlated across the network.

Exam trap

Don't confuse log display settings or buffer configurations with time synchronization settings.

Why the other options are wrong

C

Increasing the syslog severity threshold to debugging generates more log messages but does not address the root cause of time discrepancies. It can overwhelm storage and analysis without fixing the time synchronization issue.

D

Disabling console logging reduces output to the console but does not affect the timestamps on logs stored elsewhere. The underlying time synchronization issue remains unresolved.

E

Clearing the logging buffer removes existing log entries but does not prevent future timestamps from being incorrect. The time drift persists, so new logs will still have mismatched timestamps.

104
Multi-Select · medium

Which TWO statements correctly describe the operation of the ip helper-address command in a DHCP relay agent configuration?

Select 2 answers
A. It forwards DHCPDISCOVER broadcasts from a client to a DHCP server on a different subnet.
B. It is configured on the DHCP server interface to allow replies to reach clients on remote subnets.
C. It automatically forwards all UDP broadcasts by default.
D. It sets the gateway IP address (giaddr) field in the DHCP packet to the relay agent's IP address.
E. It prevents DHCP spoofing by validating the source MAC address of DHCP packets.
Answers: A, D

The relay agent listens for DHCP broadcasts on one interface and forwards them as unicasts to the configured server IP.

Why this answer

Option A is correct because the `ip helper-address` command is configured on the router interface facing the client, and it converts the client's DHCPDISCOVER broadcast into a unicast directed to the specified DHCP server, allowing the client to obtain an IP address from a server on a different subnet. Option D is also correct because the relay agent sets the giaddr (gateway IP address) field in the DHCP packet to its own interface IP address. This is how the DHCP server knows which subnet the client is on and can assign an appropriate IP address and return the reply.

Option B is incorrect because the command is configured on the interface facing the DHCP clients, not on the server-facing interface. Option C is incorrect because `ip helper-address` does not forward all UDP broadcasts; it only forwards broadcasts for specific UDP ports (DHCP, DNS, TFTP, etc.) by default, and this list can be modified. Option E is incorrect because the command does not perform any MAC address validation or spoofing protection; it simply relays DHCP messages.

Exam trap

Cisco often tests the misconception that `ip helper-address` forwards all UDP broadcasts, when in reality it only forwards specific UDP ports (default: 67, 68, 53, 69, 37, 137, 138, 161, 162) and can be customized with the `ip forward-protocol` command.

Why the other options are wrong

B

The `ip helper-address` command is configured on the client-facing interface, not the server-facing interface.

C

The command does not forward all UDP broadcasts; it only forwards specific UDP ports (DHCP, DNS, TFTP, etc.) by default.

E

The command does not validate source MAC addresses or prevent DHCP spoofing; it only relays DHCP messages.

105
MCQ · medium

Which traffic type is typically most sensitive to delay and jitter and is commonly prioritized with QoS?

A. Voice traffic
B. Bulk backup traffic
C. Email attachments
D. Operating system updates
Answer: A

Correct. Voice is the classic latency-sensitive traffic class.

Why this answer

Voice traffic is highly sensitive to delay, jitter, and packet loss, so it is commonly prioritized in QoS policies.

Exam trap

A common exam trap is assuming that all traffic types require equal QoS prioritization. Candidates might incorrectly select bulk backup traffic or email attachments because they involve large data transfers, but these are not sensitive to delay or jitter. The trap lies in confusing throughput sensitivity with latency sensitivity.

Voice traffic demands low latency and minimal jitter to maintain call quality, which is why it is prioritized. Misunderstanding this distinction can lead to choosing incorrect answers that focus on volume rather than real-time sensitivity.

Why the other options are wrong

B

Bulk backup traffic is throughput-sensitive but not delay-sensitive. It can tolerate delays and jitter without impacting the backup process, so it is not typically prioritized by QoS in Cisco networks.

C

Email attachments are not time-sensitive and can tolerate delays and jitter. They do not require prioritization in QoS policies, making this option incorrect for delay-sensitive traffic.

D

Operating system updates involve large data transfers that are throughput-sensitive but not sensitive to delay or jitter. They are usually scheduled during off-peak times and are not prioritized by QoS.

106
Drag & Drop · hard

Drag and drop the following steps into the correct order to configure AAA with a RADIUS server and 802.1X port authentication on an IOS-XE switch.


Why this order

First configure the RADIUS server, then enable AAA, create an authentication list for 802.1X, and finally apply 802.1X to the port.

Exam trap

Do not confuse the order of enabling AAA and creating authentication lists. AAA must be enabled globally before you can create authentication lists. Also, remember that the RADIUS server configuration comes first, as AAA needs to know which server to use.

107
MCQ · hard

An ACL is intended to block Telnet from 10.1.1.0/24 to router VTY access while still allowing SSH from the same subnet. Which statement best explains why an extended ACL is appropriate here?

A. Because the ACL must distinguish traffic by protocol or destination port, not just by source address.
B. Because standard ACLs can match destination TCP ports just as well.
C. Because extended ACLs are required for every router login policy regardless of criteria.
D. Because SSH and Telnet always use the same port number.
Answer: A

This is correct because Telnet-versus-SSH filtering requires extended matching capability.

Why this answer

An extended ACL is appropriate because the requirement is based not only on source address but also on the specific protocol and application port involved. In practical terms, the policy must distinguish Telnet from SSH even though both originate from the same source subnet. A standard ACL would be too limited because it mainly matches only on source address.

This is the kind of requirement that shows why extended ACLs exist. They allow more granular traffic control by matching protocol and destination details, not just who sent the packet.

Exam trap

Do not confuse the ability to filter by protocol and port with filtering by IP address alone; extended ACLs are required for the former.

Why the other options are wrong

B

Standard ACLs can only filter based on source IP address, not destination ports or protocols. They lack the granularity to distinguish between Telnet and SSH traffic.

C

Extended ACLs are not required for every router login policy; they are only needed when filtering must consider protocol or port information. Simple source-based filtering can use standard ACLs.

D

SSH uses TCP port 22, while Telnet uses TCP port 23. They are distinct ports, so an ACL can differentiate them based on destination port.

108
Drag & Drop · medium

Drag and drop the following steps into the correct order to configure AAA with a RADIUS server and enable 802.1X port authentication on a Cisco IOS-XE switch.


Why this order

First, enter global config and enable AAA. Then define the RADIUS server, configure AAA authentication to use RADIUS for 802.1X, and finally enable 802.1X on the interface.

Exam trap

The key trap is the order of operations: AAA must be enabled first, then the RADIUS server defined, then authentication configured, and finally applied to the interface. Many candidates mistakenly configure the interface first or define the server after authentication.

109
Drag & Drop · medium

Drag and drop the following steps into the correct order to configure a Cisco IOS-XE router as a DHCP relay agent and verify the DHCP DORA process for a client on a different subnet.


Why this order

First configure the ip helper-address on the client-facing interface (A). Then enable 'debug ip dhcp relay' (D) so forwarded packets are captured. Next trigger the DORA process by releasing/renewing the client IP address (C).

Finally verify with passive show commands (B). Debug must be active before the DORA exchange; enabling it afterward misses the output.

Exam trap

Candidates often enable debugging after triggering the DORA process, causing the debug output to show nothing. Always enable debug before the client action.

110
Matching · medium

Match each security term to the question it most directly answers.


Who are you?

What are you allowed to do?

What happened during the session?

Can the system or service be accessed when needed?

Why these pairings

Each security term is paired with the question it most directly answers. Authentication, Authorization, and Accounting form the AAA framework: Authentication verifies identity (Who are you?), Authorization determines permissions (What are you allowed to do?), and Accounting tracks user activity (What happened during the session?). Availability is part of the CIA triad (Confidentiality, Integrity, Availability) and addresses whether a system or service is accessible when needed (Can the system or service be accessed when needed?).

Exam trap

Learners may confuse Authorization with Authentication. Remember: Authentication confirms identity, while Authorization defines permissions after identity is verified.

111
Matching · medium

Match each security concept to its most accurate purpose.


Verifies identity before access is granted

Determines permitted actions after identity is verified

Records activity or session information

Protects information from unauthorized disclosure

Why these pairings

These pairings correctly define core security concepts (CIA triad plus authentication and authorization).

Exam trap

Be careful not to confuse the terms within the CIA triad or between CIA and AAA. Remember: Confidentiality = privacy, Integrity = no unauthorized changes, Availability = uptime/access. AAA: Authentication = who you are, Authorization = what you can do, Accounting = what you did.

112
PBQ · hard

You are connected to R1. Configure PAT (NAT overload) so that hosts on the 192.168.1.0/24 LAN can access the Internet via the outside interface GigabitEthernet 0/1 with IP 203.0.113.2/29. The current configuration has an incorrect inside/outside interface assignment and a missing overload keyword. Fix all issues.

Network Topology

Hosts (LAN) -- G0/0 192.168.1.1/24 -- R1 -- G0/1 203.0.113.2/29 -- ISP -- Internet

Hints

  • Check which interfaces are marked 'inside' and 'outside'.
  • The PAT command must include the 'overload' keyword.
  • The ACL must match the correct source subnet (192.168.1.0/24).
A. Configure 'ip nat inside' on GigabitEthernet0/0, 'ip nat outside' on GigabitEthernet0/1, correct ACL 10 to permit 192.168.1.0 0.0.0.255, and add 'overload' to the PAT command.
B. Configure 'ip nat outside' on GigabitEthernet0/0, 'ip nat inside' on GigabitEthernet0/1, keep ACL 10 as is, and add 'overload' to the PAT command.
C. Configure 'ip nat inside' on GigabitEthernet0/1, 'ip nat outside' on GigabitEthernet0/0, correct ACL 10 to permit 192.168.1.0 0.0.0.255, and add 'overload' to the PAT command.
D. Configure 'ip nat inside' on GigabitEthernet0/0, 'ip nat outside' on GigabitEthernet0/1, correct ACL 10 to permit 192.168.1.0 0.0.0.255, but do not add 'overload' to the PAT command.
Answer: A

Solution
! R1
interface GigabitEthernet0/0
ip nat inside
interface GigabitEthernet0/1
ip nat outside
ip nat inside source list 10 interface GigabitEthernet0/1 overload
access-list 10 permit 192.168.1.0 0.0.0.255

Why this answer

Three issues exist: (1) The inside and outside interfaces are swapped — GigabitEthernet0/0 (LAN) should be 'ip nat inside' and GigabitEthernet0/1 (WAN) should be 'ip nat outside'. (2) The PAT command lacks the 'overload' keyword. (3) ACL 10 permits 10.0.0.0/8 but the inside subnet is 192.168.1.0/24; ACL must be corrected. Fix with 'interface GigabitEthernet0/0', 'ip nat inside', 'interface GigabitEthernet0/1', 'ip nat outside', 'ip nat inside source list 10 interface GigabitEthernet0/1 overload', and 'access-list 10 permit 192.168.1.0 0.0.0.255'.

Exam trap

A common trap is confusing which interface should be inside and which should be outside. Remember: inside is the private LAN side, outside is the public WAN side. Also, do not forget the 'overload' keyword for PAT, and ensure the ACL matches the correct source subnet.

Why the other options are wrong

B

Option B reverses the inside/outside interface assignment and keeps ACL 10 permitting 10.0.0.0/8 instead of 192.168.1.0/24.

C

Option C reverses the inside/outside interface assignment; the WAN interface should be outside, not inside.

D

Option D omits the 'overload' keyword, which is required for PAT to enable many-to-one translation.

113
Multi-Select · medium

Which two statements accurately describe why least privilege and source restriction work well together for administrative access?

Select 2 answers
A. Least privilege reduces the scope of actions an authenticated user can perform.
B. Source restriction reduces the network locations from which administrative access is permitted.
C. Either one by itself removes the need for logging.
D. Both exist only for wireless guest access policies.
E. They require all administrative traffic to use PPP encapsulation.
Answers: A, B

This is correct because least privilege limits authorization scope.

Why this answer

Least privilege and source restriction work well together because they reduce risk in different ways. In practical terms, least privilege limits what a user can do after access is granted, while source restriction reduces where an administrative session is even allowed to originate. Together they reduce both exposure and potential impact.

This is a layered management-security concept and a strong exam-style reasoning item.

Exam trap

A common exam trap is believing that either least privilege or source restriction alone fully secures administrative access. Candidates may incorrectly think that limiting user permissions removes the need to restrict source IPs, or vice versa. This mistake overlooks that least privilege controls what actions a user can perform after access, but does not prevent unauthorized access attempts from untrusted locations.

Similarly, source restriction limits where access can originate but does not limit what an authenticated user can do. The exam tests understanding that both controls are necessary and complementary for robust administrative security.

Why the other options are wrong

C

This option is incorrect because neither least privilege nor source restriction eliminates the need for logging; visibility and accountability remain critical for security auditing.

D

This option is incorrect because least privilege and source restriction are broad security principles applicable to all administrative access, not limited to wireless guest access policies.

E

This option is incorrect because PPP encapsulation is unrelated to administrative access controls like least privilege and source restriction; it does not affect management access security.

114
Drag & Drop · medium

Drag and drop the configuration steps into the correct order to configure Port Address Translation (PAT) on a Cisco router.


Why this order

The correct sequence is: first define the addresses to translate with an access list; next mark the inside interface with 'ip nat inside'; then mark the outside interface with 'ip nat outside'; finally, enable PAT globally with the 'ip nat inside source list ... overload' command. The overload command is not applied to an interface—it references the outside interface to translate source addresses to that interface’s IP.

Exam trap

The exam trap is that candidates often confuse the order of steps, thinking that applying the overload command or marking interfaces comes before defining the ACL. Remember: ACL first, then inside interface, then outside interface, then overload command.

115
MCQ · medium

Why might voice traffic be placed in a priority queue on a WAN link?

A. To increase the TTL value of voice packets
B. To reduce delay and jitter for time-sensitive traffic
C. To change RTP into TCP for reliability
D. To avoid assigning IP addresses to phones
Answer: B

Correct. Priority queuing is used to protect time-sensitive traffic such as voice.

Why this answer

Voice traffic is delay-sensitive. Prioritization helps reduce queuing delay and jitter so real-time audio remains intelligible.

Exam trap

A common exam trap is selecting answers that confuse QoS prioritization with unrelated network functions such as increasing the TTL value of voice packets or converting RTP traffic into TCP. These options are incorrect because QoS focuses on managing packet scheduling and queuing rather than altering packet headers or transport protocols. Another trap is thinking that IP address assignment relates to QoS, which it does not.

Recognizing that priority queuing specifically targets delay-sensitive traffic like voice helps avoid these misleading options.

Why the other options are wrong

A

Increasing the TTL value of voice packets is unrelated to QoS or priority queuing. TTL controls packet lifetime and does not affect delay or jitter, so this option is incorrect.

C

QoS does not convert RTP (used for voice) into TCP. RTP is typically carried over UDP for real-time performance, so this option is incorrect.

D

Assigning IP addresses to phones is handled by DHCP or static configuration, not by QoS or priority queuing. This option is unrelated to voice traffic prioritization.

116
Multi-Select · medium

Which TWO actions does DHCP snooping perform by default on a Cisco switch?

Select 2 answers
A. It blocks DHCP server messages received on untrusted ports.
B. It generates a Cisco Discovery Protocol packet for each DHCP request.
C. It builds a DHCP binding table.
D. It relays DHCP requests across VLANs.
E. It converts DHCP broadcasts into unicasts.
Answers: A, C

DHCP snooping classifies ports as trusted or untrusted. Untrusted ports are not permitted to send DHCP server-side messages (e.g., DHCPOFFER, DHCPACK), thereby preventing rogue DHCP servers.

Why this answer

DHCP snooping is a Layer 2 security feature that filters DHCP messages and builds a binding table. By default, it blocks DHCP server messages on untrusted ports and dynamically creates a binding table mapping IP addresses to MAC addresses. It does not relay requests across VLANs or convert broadcasts to unicasts (those are relay agent functions).

Why the other options are wrong

B

This statement incorrectly associates two separate features; DHCP snooping operates at Layer 2 for DHCP security, not for CDP.

D

This function belongs to the relay agent, not to DHCP snooping, which operates within a single VLAN to enforce security policies.

E

This is a relay agent feature; DHCP snooping does not alter the broadcast nature of DHCP packets, it only filters them.

117
PBQ · hard

You are troubleshooting PAT and static NAT on R1. The inside network 192.168.10.0/24 must be translated to the public IP 203.0.113.1 (interface G0/1) using port address translation. Additionally, the server at 192.168.10.100 must be reachable from the outside via static NAT to 203.0.113.5. The current configuration is not working. Identify and correct the errors in the running config on R1.

Hints

  • Check which subnet the ACL is matching — it might not be your inside network.
  • Look at the PAT command: is there an 'overload' keyword? Without it, only one translation is allowed.
  • Verify the static NAT mapping: the inside server IP should match the actual server.
A. The ACL in the NAT configuration incorrectly permits network 192.168.20.0/24 instead of 192.168.10.0/24, and the PAT command is missing the 'overload' keyword.
B. The static NAT entry uses the wrong inside address; it should be 192.168.10.100 but is configured with 192.168.10.1.
C. The PAT command is missing the 'overload' keyword, and the static NAT entry maps to the wrong public IP; it should use 203.0.113.1 instead of 203.0.113.5.
D. The static NAT entry maps the server to the wrong public IP, 203.0.113.1 instead of 203.0.113.5, and the ACL incorrectly permits network 192.168.20.0/24.
Answer: A
Solution
! R1
configure terminal
no access-list 100
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
ip nat inside source list 100 interface GigabitEthernet0/1 overload
end
write memory

Why this answer

The running configuration has two errors. First, access-list 100 incorrectly permits the 192.168.20.0/24 network instead of the inside network 192.168.10.0/24, so PAT will not translate any internal hosts. Second, the PAT command is missing the 'overload' keyword, which means only a single translation is possible, breaking connectivity for multiple devices.

The static NAT entry for the server is correctly mapping 192.168.10.100 to 203.0.113.5 and does not need correction.

Exam trap

Watch out for ACLs that match the wrong subnet in NAT configurations. Also, remember that PAT requires the 'overload' keyword; without it, only one translation is allowed. Static NAT often uses a different public IP than the PAT pool to avoid conflicts.

Why the other options are wrong

B

The static NAT entry is correct; the inside address 192.168.10.100 is properly mapped to 203.0.113.5.

C

Static NAT requires a separate public IP to avoid overlapping with PAT translations. The public IP 203.0.113.5 is appropriate.

D

The static NAT entry is correctly configured with 192.168.10.100 and 203.0.113.5; the error is solely in the ACL and missing overload keyword.

118
Multi-Select · medium

Which two statements accurately describe DNS in everyday network use?

Select 2 answers
A. DNS helps resolve hostnames into IP-related information.
B. DNS makes services easier to use by allowing names instead of raw IP addresses.
C. DNS automatically assigns IP addresses to hosts.
D. DNS replaces the need for subnet masks.
E. DNS elects the STP root bridge.
Answers: A, B

This is correct because name resolution is DNS’s core function.

Why this answer

DNS translates human-friendly hostnames into IP-related information, making network services more accessible by name rather than numeric addresses. Option A is correct because DNS resolves names to IP addresses. Option B is correct because using names improves usability and allows underlying IP changes without user disruption.

Option C is incorrect because IP address assignment is a DHCP function, not DNS. Option D is incorrect because subnet masks are part of IP addressing and routing, unrelated to DNS name resolution. Option E is incorrect because STP (Spanning Tree Protocol) elects a root bridge for loop-free topology, which is unrelated to DNS.

Exam trap

A frequent exam trap is mistaking DNS for DHCP or other network functions. Some candidates incorrectly believe DNS assigns IP addresses to hosts, but that role belongs to DHCP. Others confuse DNS with protocols like STP, which manages network topology but is unrelated to name resolution.

This confusion arises because both DNS and DHCP are IP services, but they serve distinct purposes. Misunderstanding these roles can lead to incorrect answers and misconfiguration in real networks. Remember, DNS only resolves hostnames into IP-related information and does not handle IP address assignment or network path selection.

Why the other options are wrong

C

Option C is incorrect because DNS does not assign IP addresses; that task belongs to DHCP, which dynamically provides IP configuration to hosts on a network.

D

Option D is incorrect because DNS does not replace subnet masks; subnet masks are used to define network and host portions of an IP address and control routing and addressing scope.

E

Option E is incorrect because DNS has no role in Spanning Tree Protocol (STP) operations, such as electing the root bridge; these functions are unrelated to DNS.

119
Multi-Select · medium

Which three of the following are considered best practices for securing device access in a Cisco network? (Choose three.)

Select 3 answers
A. Use SSH instead of Telnet for remote management.
B. Configure role-based access control (RBAC) using privilege levels or AAA.
C. Implement a login banner to display a warning against unauthorized access.
D. Disable password encryption using the 'service password-encryption' command.
E. Allow SNMPv1 read-write community strings for ease of management.
F. Use the same simple password for all devices to simplify administration.

Why this answer

SSH encrypts all traffic, including authentication credentials, protecting against eavesdropping and man-in-the-middle attacks, whereas Telnet sends everything in plaintext. Role-based access control (RBAC) via privilege levels or AAA limits users to only the commands necessary for their job, reducing the risk of accidental or malicious misconfiguration. A login banner provides legal notice that unauthorized access is prohibited, which is essential for prosecution and deters casual intruders.

Exam trap

Cisco often tests the misconception that 'service password-encryption' is a strong security measure, when in fact it only provides weak obfuscation (Type 7) that can be easily reversed, and the real best practice is to use secret passwords with Type 8/9 hashing.

120
MCQ · hard

Refer to the exhibit. A network engineer is troubleshooting a DHCP issue where DHCP clients on the LAN subnet are sending DHCPDISCOVER messages but the DHCP server does not receive them. The output of the show ip dhcp binding command on R1 is shown. What is the most likely cause of the problem?

A. DHCP service is disabled on R1.
B. The ip helper-address command is configured on the WAN interface instead of the LAN interface facing the DHCP clients.
C. The DHCP pool is configured with a network address that does not match the client subnet.
D. The default-router option is missing from the DHCP pool configuration.
Answer: B

The show ip dhcp binding output shows zero bindings because the router is not relaying DHCP broadcasts. For a DHCP relay agent to work, the ip helper-address must be placed on the interface that receives client broadcasts (the LAN interface). Configuring it on the WAN interface sends relay messages toward the server in the wrong direction, so client DISCOVERs never reach the DHCP server.

Why this answer

The show ip dhcp binding output explicitly displays 'Total number of bindings = 0', confirming that no DHCP leases have been issued. Because the router is acting as a DHCP relay agent, this indicates it is not receiving any DHCPDISCOVER broadcasts from the clients. The most plausible reason is that the ip helper-address command is mistakenly placed on the WAN interface, which faces away from the client subnet, rather than on the LAN interface where the clients reside.

Without the helper address on the correct interface, broadcast DHCP messages are not forwarded to the DHCP server, resulting in zero bindings.

Exam trap

Many candidates select option C (incorrect network statement in the DHCP pool) because they assume a pool configuration error prevents any IP address assignment. However, even with a mismatched network statement, if the DHCP server received the DISCOVER messages it would still attempt to offer an address (and the binding table would show some activity or error). The true issue here is that the server never sees the requests because the relay agent is misconfigured.

Why the other options are wrong

A

Candidates may think that an empty binding table means the service is off, but the command itself would fail or show a service status if DHCP were truly disabled.

C

Candidates often associate 'no addresses assigned' with a pool misconfiguration, but a pool mismatch would not prevent the server from seeing DISCOVER messages and possibly creating failed or erroneous bindings.

D

Candidates may confuse a missing option with a complete failure of DHCP operation, but IP address leasing is independent of options like default-router.

121
Matching · medium

Match each management or monitoring technology to its primary purpose.

Concepts: Syslog, NTP, NetFlow, SNMP traps

Descriptions
  • Exports event and log messages
  • Synchronizes device time
  • Summarizes traffic flows
  • Sends unsolicited alerts to a manager

Why these pairings

Syslog is designed to export event and log messages from network devices. NTP synchronizes device clocks across the network. NetFlow collects and summarizes traffic flows for analysis.

SNMP traps are unsolicited alerts sent from an agent to a management station to notify of events.

Exam trap

Be careful not to confuse the purposes of SNMP, Syslog, NetFlow, and CDP/LLDP. SNMP is for management and monitoring; Syslog is for logging; NetFlow is for traffic analysis; CDP/LLDP are for neighbor discovery. Each has a distinct role.

122
PBQ · hard

You are connected to R1. The network has a web server at 203.0.113.10 and a DNS server at 203.0.113.20. Hosts in the 192.168.1.0/24 subnet should be able to access HTTP to the web server and DNS queries to the DNS server, but all other traffic from that subnet to the servers must be blocked. Configure an extended ACL on R1 to achieve this, and apply it inbound on the correct interface. The current configuration is shown below.

Hints

  • The ACL must filter traffic as it enters R1 from the 192.168.1.0/24 hosts.
  • Use an extended named or numbered ACL; the order of permit statements matters.
  • Remember that the implicit deny will block all other traffic, but adding an explicit deny ip any any can help with troubleshooting.
A.
  access-list 100 permit tcp 192.168.1.0 0.0.0.255 host 203.0.113.10 eq 80
  access-list 100 permit udp 192.168.1.0 0.0.0.255 host 203.0.113.20 eq 53
  access-list 100 deny ip 192.168.1.0 0.0.0.255 203.0.113.0 0.0.0.255
  interface GigabitEthernet0/0
  ip access-group 100 in
B.
  access-list 100 permit tcp 192.168.1.0 0.0.0.255 host 203.0.113.10 eq 80
  access-list 100 permit udp 192.168.1.0 0.0.0.255 host 203.0.113.20 eq 53
  access-list 100 deny ip any any
  interface GigabitEthernet0/1
  ip access-group 100 in
C.
  access-list 100 permit tcp 192.168.1.0 0.0.0.255 host 203.0.113.10 eq 80
  access-list 100 permit udp 192.168.1.0 0.0.0.255 host 203.0.113.20 eq 53
  access-list 100 deny ip 192.168.1.0 0.0.0.255 203.0.113.0 0.0.0.255
  interface GigabitEthernet0/0
  ip access-group 100 out
D.
  access-list 100 permit tcp 192.168.1.0 0.0.0.255 host 203.0.113.10 eq 80
  access-list 100 permit udp 192.168.1.0 0.0.0.255 host 203.0.113.20 eq 53
  access-list 100 deny ip 192.168.1.0 0.0.0.255 203.0.113.0 0.0.0.255
  interface GigabitEthernet0/1
  ip access-group 100 in
Answer: A
Solution
! R1
access-list 100 permit tcp 192.168.1.0 0.0.0.255 host 203.0.113.10 eq 80
access-list 100 permit udp 192.168.1.0 0.0.0.255 host 203.0.113.20 eq 53
access-list 100 deny ip 192.168.1.0 0.0.0.255 any
interface GigabitEthernet0/0
ip access-group 100 in

Why this answer

The required ACL must permit HTTP (tcp dst eq 80) and DNS (udp dst eq 53) from 192.168.1.0/24 to the servers, then deny all other IP traffic from that subnet. The ACL is applied inbound on GigabitEthernet0/0 to filter traffic as it enters R1 from the 192.168.1.0/24 subnet. The command sequence creates the ACL with the correct permit statements and an explicit deny ip any any (optional but shown for clarity), then applies it to the interface.

Exam trap

The key trap is that candidates often apply ACLs on the wrong interface or in the wrong direction. Remember: inbound ACLs filter traffic entering the interface, outbound ACLs filter traffic leaving the interface. Place the ACL as close to the source as possible.

Also, the implicit deny any at the end of an ACL means you do not need an explicit deny ip any any unless you want to log or override a previous permit.

Why the other options are wrong

B

The deny ip any any statement overrides the permit statements because ACLs are processed sequentially; any packet matching the deny is dropped. Also, applying the ACL inbound on the server-facing interface would filter traffic coming from the servers, not from the 192.168.1.0/24 subnet.

C

The ACL should be applied inbound on the interface receiving traffic from the 192.168.1.0/24 subnet (GigabitEthernet0/0) to filter before routing. Applying it outbound on the same interface would only filter traffic leaving that interface, which is not the traffic path from the subnet to the servers.

D

The ACL must be applied on the interface closest to the source of the traffic to be filtered. Since the traffic originates from the 192.168.1.0/24 subnet, the ACL should be applied inbound on GigabitEthernet0/0, not on the server-facing interface.

123
Multi-Select · medium

Which two statements accurately describe why logs and accounting records both matter in secure operations?

Select 2 answers
A. They improve visibility into events and activity after access occurs.
B. They help with accountability and incident review.
C. They replace the need for authentication entirely.
D. They are useful only on wireless guest networks.
E. They automatically create access policies for administrators.
Answers: A, B

This is correct because both support post-event understanding and investigation.

Why this answer

Logs and accounting records both matter because security is not only about preventing access, but also about understanding what happened. In practical terms, logs can provide event visibility and system context, while accounting records can add traceability for user activity and access sessions. Together they improve incident review and operational accountability.

This is a visibility-and-traceability question, not a pure prevention question.

Exam trap

Don't confuse logs and accounting records with access control measures; they are about visibility and traceability, not prevention.

Why the other options are wrong

C

Logs and accounting records do not replace authentication; they complement it by recording who accessed what and when. Authentication is still required to verify identity before access is granted, and logs only capture activity after authentication occurs.

D

Logging and accounting are essential across all network segments, including wired, wireless, VPN, and data center environments. Limiting them to wireless guest networks would leave other critical areas unmonitored, creating security gaps.

E

Logs and accounting records are passive records of events; they do not automatically create or modify access policies. Policy creation requires administrative action based on analysis of logs, not the logs themselves.

124
MCQ · medium

Which feature helps prevent a rogue DHCP server from handing out addresses on a campus switch network?

A. PortFast
B. DHCP snooping
C. HSRP
D. LLDP
Answer: B

Correct. DHCP snooping is designed for this threat.

Why this answer

DHCP snooping classifies interfaces as trusted or untrusted and can block unauthorized DHCP server replies arriving on untrusted ports.

Exam trap

Avoid confusing PortFast (which skips STP convergence) with DHCP-specific features like DHCP Snooping.

Why the other options are wrong

A

PortFast is a Spanning Tree Protocol feature that immediately transitions an access port to the forwarding state, bypassing the listening and learning states. It does not inspect or validate DHCP messages, so it cannot prevent a rogue DHCP server from handing out addresses.

C

HSRP (Hot Standby Router Protocol) provides first-hop redundancy by allowing multiple routers to share a virtual IP address, ensuring gateway availability. It does not inspect DHCP traffic or provide any mechanism to block unauthorized DHCP servers.

D

LLDP (Link Layer Discovery Protocol) is a vendor-neutral protocol used for discovering neighboring devices and their capabilities by exchanging information such as device type, management addresses, and VLAN IDs. It has no role in DHCP security or filtering DHCP messages.

125
MCQ · hard

Refer to the exhibit. A network administrator is troubleshooting connectivity issues. Hosts on the 192.168.10.0/24 network cannot reach servers on the 192.168.20.0/24 network, but they can successfully reach other networks, including the Internet. The administrator runs the show ip access-lists command on the router (output shown). What is the most likely cause?

A. The ACL is applied in the wrong direction on the interface.
B. The ACL is missing a permit statement for the 192.168.20.0/24 destination.
C. The order of the ACL entries causes the deny statement to match first.
D. The implicit deny at the end is blocking the traffic to 192.168.20.0/24.
Answer: C

Extended IP access list 110 processes entries sequentially. Entry 10 denies traffic from 192.168.10.0/24 to 192.168.20.0/24, and entry 20 permits the same source to any destination. Because the deny is listed first, it is matched before the permit, causing the traffic to be dropped.

Why this answer

The exhibit shows Extended IP access list 110 with a deny statement for traffic from 192.168.10.0/24 to 192.168.20.0/24 (entry 10) placed before a permit ip any statement (entry 20). Because ACLs are processed in sequential order, the first matching entry is used. Traffic from 192.168.10.0/24 to 192.168.20.0/24 matches the deny statement and is dropped, even though a subsequent permit entry would allow it.

The counters (145 matches for deny, 95 matches for permit) confirm that the deny is being hit first.

Exam trap

Candidates often choose option B, thinking the ACL lacks a permit statement for the 192.168.20.0/24 destination, but the permit ip any statement (entry 20) would allow that traffic if the deny were not placed before it. They overlook the critical fact that order of ACL entries determines processing.

Why the other options are wrong

A

Candidates may assume any ACL misbehavior is due to wrong interface direction, ignoring that the specific symptom (only 192.168.20.0 is unreachable) points to the deny rule itself.

B

Candidates often focus on what an ACL ‘lacks’ rather than the sequence, missing that the existing permit any covers the destination but is shadowed by the earlier deny.

D

Candidates might recall that all ACLs have an implicit deny, but they fail to realize that a packet matching an earlier deny is already discarded, and the implicit deny only applies to unmatched traffic.

126
Drag & Drop · medium

Drag and drop the following steps into the correct order to configure AAA with a RADIUS server and 802.1X port authentication on a Cisco IOS-XE switch.


Why this order

Start by entering global configuration mode and enabling AAA with 'aaa new-model' to allow AAA commands. Then, configure the RADIUS server parameters using 'radius-server host' and 'radius-server key' so the switch knows where to send authentication requests. Next, create an authentication method list with 'aaa authentication dot1x default group radius' to define the authentication method.

After the method list, the global command 'dot1x system-auth-control' must be issued to enable 802.1X globally; without it, the interface-level commands will not function. Finally, apply 802.1X port authentication on the interface using 'authentication port-control auto'. This order ensures each prerequisite is met before the next step.

Exam trap

A common mistake is omitting the global 'dot1x system-auth-control' command, which is required to enable 802.1X system-wide before configuring interface-level authentication.

127
Multi-Select · medium

Which TWO statements accurately describe Network Address Translation (NAT) types?

Select 2 answers
A. Static NAT creates a fixed one-to-one mapping between a local and global address and is typically used to allow external connectivity to internal servers.
B. Dynamic NAT assigns a public IP from a pool for the duration of a translation, but it does not modify Layer 4 port numbers.
C. PAT only translates TCP packets because it uses port numbers, leaving UDP translation unsupported.
D. Static NAT entries are automatically removed after periods of inactivity to free up public addresses.
E. With PAT, if the public IP address pool is exhausted, new translations fail because PAT requires unique public IPs for each private host.
Answers: A, B

Static NAT permanently maps a private IP to a public IP, enabling inbound access to internal resources like web servers.

Why this answer

Static NAT creates a permanent, one-to-one mapping between an inside local (private) IP address and an inside global (public) IP address. This fixed mapping is typically used to make internal servers, such as a web or email server, reachable from the internet using a consistent public address.

Exam trap

Cisco often tests the misconception that PAT only works with TCP, but in reality PAT supports both TCP and UDP, and the trap here is that candidates confuse PAT's use of port numbers with a protocol limitation.

Why the other options are wrong

C

PAT works with any transport protocol that has port fields—TCP, UDP, and even ICMP through the identifier field.

D

Only dynamic translations (from dynamic NAT or PAT) have idle timeouts; static mappings are permanent.

E

This statement describes dynamic NAT pool exhaustion, not PAT, which uses port multiplexing.

128
MCQ · medium

Why is disabling unused services on network devices considered a sound security practice?

A. Because it reduces unnecessary attack surface and exposure on the device.
B. Because it automatically improves routing convergence.
C. Because it guarantees the device cannot be misconfigured.
D. Because it converts the device into a controller.
Answer: A

This is correct because disabling unneeded services removes avoidable risk.

Why this answer

It is considered sound because every enabled service is a potential attack surface or management exposure point. In practical terms, if a service is not needed, leaving it enabled creates unnecessary risk without business value. Reducing what is listening or available on a device helps limit opportunities for misuse or exploitation.

Option B is incorrect because disabling unused services does not affect routing protocol convergence; that is a routing protocol function. Option C is wrong because no single security practice can guarantee the device cannot be misconfigured; misconfiguration remains possible through other means. Option D is nonsensical because disabling services does not turn the device into a controller.

Exam trap

Don't confuse the primary goal of security practices with secondary benefits like performance or compliance.

Why the other options are wrong

B

Disabling unused services does not affect routing convergence, which depends on routing protocols and network topology. Service hardening and routing optimization are separate concerns.

C

Disabling services reduces risk but does not guarantee prevention of misconfiguration; human error can still occur in other settings. Security hardening is a layered approach, not a silver bullet.

D

Disabling services does not change a device's role; a router remains a router, and a switch remains a switch. Converting a device to a controller requires specific software and configuration changes.

129
Multi-Select · medium

Which two statements accurately describe why SSH is preferred over Telnet for device administration?

Select 2 answers
A. SSH is generally considered the more secure choice for remote CLI administration.
B. Telnet is generally considered less secure for remote device administration.
C. SSH eliminates the need for authentication and authorization policy.
D. Telnet is required before SSH can operate.
E. SSH is used only on wireless controllers and nowhere else.
Answers: A, B

This is correct because SSH is the preferred secure remote-management option.

Why this answer

SSH is preferred because it encrypts all traffic, including authentication credentials, making it secure for remote CLI administration, whereas Telnet transmits data in plaintext and is considered less secure. Option C is incorrect because SSH does not eliminate authentication; it requires authentication and often enforces stronger policies. Option D is false because SSH and Telnet are independent protocols; Telnet is not required for SSH to operate.

Option E is wrong because SSH is used on routers, switches, firewalls, and many other devices, not only wireless controllers.

Exam trap

Don't confuse protocol security features with ease of configuration or performance. Focus on security benefits.

Why the other options are wrong

C

SSH does not eliminate the need for authentication and authorization policies; it only provides a secure transport layer. Network devices still require AAA (Authentication, Authorization, and Accounting) or local username/password configurations to control access.

D

Telnet is not a prerequisite for SSH; they are independent protocols. SSH can be configured and used on a device without Telnet ever being enabled. In fact, many devices have SSH enabled by default while Telnet is disabled for security reasons.

E

SSH is not limited to wireless controllers; it is widely used on routers, switches, firewalls, servers, and many other network devices. It is a universal protocol for secure remote administration across all types of infrastructure.

130
MCQ · medium

Which ACL statement permits only SSH from host 10.10.10.50 to server 192.168.1.10?

A. permit tcp host 10.10.10.50 host 192.168.1.10 eq 22
B. permit udp host 10.10.10.50 host 192.168.1.10 eq 22
C. permit tcp any host 192.168.1.10 eq 22
D. permit ip host 10.10.10.50 host 192.168.1.10
Answer: A

This matches the correct protocol, source, destination, and destination port.

Why this answer

SSH uses TCP destination port 22. The source is the single host 10.10.10.50 and the destination is the single host 192.168.1.10.

Exam trap

A common exam trap is selecting an ACL statement that permits UDP traffic on port 22 or permits all IP traffic from the source host. Since SSH exclusively uses TCP on port 22, permitting UDP or all IP protocols can either block SSH access or allow unintended traffic. Another trap is using 'any' as the source, which opens access to all hosts instead of restricting it to the specific host 10.10.10.50.

These mistakes lead to either overly permissive or overly restrictive ACLs, failing the security objective and the exam requirement.

Why the other options are wrong

B

Option B incorrectly permits UDP traffic on port 22, but SSH uses TCP, not UDP, so this rule would not allow SSH connections and is therefore invalid.

C

Option C permits TCP traffic from any source to the destination host on port 22, which is too broad because it does not restrict access to the specific source host 10.10.10.50 as required.

D

Option D permits all IP traffic from the source host to the destination host without restricting to TCP or port 22, allowing all protocols and ports, which is not limited to SSH and is too permissive.

131
PBQ · hard

You are connected to R1. Configure static NAT for a public web server (198.51.100.10 to 192.168.1.10) and PAT for the 192.168.1.0/24 LAN to use interface GigabitEthernet0/1 with overload. The current configuration has misconfigured NAT that prevents both types from working. Identify and fix the issues so that internal hosts can access the internet and external hosts can reach the internal web server.

Network Topology (diagram): Internal hosts (LAN) -- G0/0 192.168.1.1/24 -- R1 -- G0/1 203.0.113.1/30 -- ISP (Internet)

Hints

  • Check the NAT direction on each interface: which one faces the internal LAN and which faces the internet?
  • Look at the ACL in the PAT command — does it match the correct subnet?
  • The PAT command is missing a keyword that enables port multiplexing.
A. Change interface GigabitEthernet0/1 to 'ip nat outside', add 'overload' to the PAT command, and correct ACL 1 to permit 192.168.1.0 0.0.0.255.
B. Change interface GigabitEthernet0/1 to 'ip nat outside', add 'overload' to the PAT command, and change ACL 1 to permit 192.168.2.0 0.0.0.255.
C. Change interface GigabitEthernet0/1 to 'ip nat inside', add 'overload' to the PAT command, and correct ACL 1 to permit 192.168.1.0 0.0.0.255.
D. Change interface GigabitEthernet0/1 to 'ip nat outside', remove the 'overload' keyword from the PAT command, and correct ACL 1 to permit 192.168.1.0 0.0.0.255.
Answer: A
Solution
! R1
configure terminal
interface GigabitEthernet0/1
no ip nat inside
ip nat outside
exit
no ip nat inside source list 1 interface GigabitEthernet0/1
ip nat inside source list 1 interface GigabitEthernet0/1 overload
no access-list 1
access-list 1 permit 192.168.1.0 0.0.0.255
end

Why this answer

Three issues exist: (1) GigabitEthernet0/1 is the outside interface but is configured as 'ip nat inside' — it should be 'ip nat outside'. (2) The PAT command lacks the 'overload' keyword, so it does one-to-one translation instead of port address translation. (3) ACL 1 permits 192.168.2.0/24, but the inside LAN is 192.168.1.0/24 — the ACL must match the correct subnet. Correcting these allows PAT for the LAN and static NAT for the web server.

Exam trap

Watch out for three common traps: (1) Misidentifying inside vs. outside interfaces—the interface facing the public network is always outside. (2) Forgetting the 'overload' keyword for PAT—without it, you get dynamic NAT, not PAT. (3) Using the wrong ACL—the ACL must match the inside network exactly.

Why the other options are wrong

B

The ACL must match the inside network; permitting a different subnet will not translate traffic from the correct LAN.

C

The NAT inside/outside designation is based on the direction of traffic; the interface facing the public network must be outside.

D

Without 'overload', the router will not use port numbers to multiplex multiple inside hosts to a single public IP.

132
MCQmedium

Exhibit: A user can ping 8.8.8.8 successfully but cannot browse to www.example.com by name. Which service is the most likely failing component?

A.NTP
B.DNS
C.Syslog
D.CDP
AnswerB

Name resolution failure fits the symptoms exactly.

Why this answer

If connectivity to an IP address works but name-based access fails, the path is up and the problem is usually name resolution. DNS is the service that translates hostnames into IP addresses.

Exam trap

A common exam trap is assuming that because a user can ping an IP address like 8.8.8.8, all network services are functioning correctly. This leads to mistakenly blaming routing or connectivity issues rather than DNS. Candidates may also confuse NTP or Syslog as affecting web access, but these services do not resolve domain names.

Misunderstanding the role of CDP as a discovery protocol rather than a name resolution service can also cause confusion. The key trap is not recognizing that ping tests IP connectivity but DNS is required for translating domain names to IP addresses.

Why the other options are wrong

A

NTP (Network Time Protocol) synchronizes clocks across network devices but does not impact the ability to resolve domain names or browse websites. Time synchronization issues rarely cause name resolution failures, so NTP is not the failing component here.

C

Syslog collects and stores system logs for monitoring and troubleshooting but does not affect DNS resolution or web browsing. A syslog failure would not prevent browsing by hostname, so it is not the cause.

D

CDP (Cisco Discovery Protocol) is used for discovering directly connected Cisco devices and does not play any role in DNS or web name resolution. CDP failure would not cause inability to browse websites by name.

133
PBQmedium

You are connected to R1 via console. R1's GigabitEthernet0/0 (10.0.0.1/30) connects to an ISP, and GigabitEthernet0/1 (192.168.1.1/24) connects to the internal LAN. The network administrator needs to monitor R1's system messages. Configure R1 to send syslog messages with severity level 5 (notifications) and above to the syslog server at 10.0.0.2. Also, ensure that logging is enabled and that messages include the timestamp and source interface.

Hints

  • Use 'logging host' to specify the syslog server.
  • Set the severity with 'logging trap' using the severity name or number.
  • Configure the source interface with 'logging source-interface'.
A.logging on logging trap notifications logging source-interface GigabitEthernet0/0 logging host 10.0.0.2 service timestamps log datetime
B.logging on logging trap informational logging source-interface GigabitEthernet0/1 logging host 10.0.0.2 service timestamps log datetime
C.logging on logging trap 5 logging source-interface GigabitEthernet0/0 logging 10.0.0.2 service timestamps
D.logging on logging trap notifications logging source-interface GigabitEthernet0/1 logging host 10.0.0.2 service timestamps debug datetime
AnswerA
solution
! R1
logging host 10.0.0.2
logging trap notifications
logging source-interface GigabitEthernet0/0
logging on
service timestamps log datetime msec

Why this answer

The logging commands enable syslog output. 'logging trap notifications' sets severity to 5 (notifications). 'logging source-interface' ensures syslog messages originate from a consistent IP. 'service timestamps' adds time information to log entries for easier troubleshooting.

Exam trap

Pay close attention to the exact syntax of commands: 'logging host' vs 'logging', 'service timestamps log' vs 'service timestamps debug'. Also, remember that the source interface should be the one closest to the syslog server, not necessarily the LAN interface. Severity levels: emergencies (0) to debugging (7); notifications is level 5.

Why the other options are wrong

B

The trap level is set to informational instead of the required notifications, and the source interface is incorrect.

C

The logging host command is missing the 'host' keyword, and the timestamps command is incomplete.

D

The timestamps command applies to debug messages instead of log messages, and the source interface is wrong.

134
Matchingeasy

Match each network service to its primary purpose.

Concepts and their matching descriptions (the pairings given under "Why these pairings"):

  • DNS: Resolves hostnames to IP addresses
  • DHCP: Assigns IP addressing parameters to clients
  • NTP: Synchronizes device time
  • Syslog: Sends event messages to a logging server

Why these pairings

DNS resolves human-readable hostnames to IP addresses, enabling users to access websites by name. DHCP automatically assigns IP addresses, subnet masks, default gateways, and other parameters to clients, simplifying network configuration. NTP synchronizes clocks across network devices to ensure consistent timestamps for logs and transactions.

Syslog sends event messages from network devices to a central logging server for monitoring and troubleshooting.

Exam trap

Learners often confuse the purpose of Syslog with SNMP, but Syslog is specifically for sending event messages to a logging server, not for gathering statistics or management.

135
Multi-Selecthard

A switch interface connected to a Cisco IP phone with a PC behind it must carry voice and data correctly. Which two switchport commands are appropriate on that access port?

Select 2 answers
A.switchport mode trunk
B.switchport access vlan 10
C.switchport voice vlan 20
D.channel-group 1 mode active
E.spanning-tree cost 1
AnswersB, C

That assigns the PC data VLAN.

Why this answer

The access VLAN carries the workstation data traffic, and the voice VLAN carries tagged voice traffic for the IP phone. That is the standard campus switchport design for a phone with a PC behind it. The port itself remains an access port, but the two most directly relevant commands here are the access VLAN and voice VLAN assignments.

Exam trap

Don't confuse trunk mode with the need for VLAN tagging; access ports can handle both data and voice VLANs without being trunks.

Why the other options are wrong

A

Configuring an access port as a trunk would cause the switch to expect 802.1Q tagging on all frames, but the PC behind the phone typically sends untagged frames. This would break connectivity for the PC unless the phone is configured to tag PC traffic, which is not standard.

D

The channel-group command is used to create an EtherChannel, which bundles multiple physical links into a single logical link. This is not relevant for a single access port connecting to an IP phone and PC, as there is only one physical link.

E

The spanning-tree cost command manually sets the STP path cost for a port, which is used for loop prevention. It does not affect VLAN assignment or voice/data separation, so it does not address the requirement of carrying voice and data correctly.

136
PBQhard

You are connected to R1 via the console. R1's GigabitEthernet0/0 (10.0.0.1/30) connects to an ISP router at 10.0.0.2/30. The internal network has a web server at 192.168.1.10 and a mail server at 192.168.1.20. You need to configure NAT so that internal hosts can access the internet (PAT overload) and external users can reach the web server via public IP 203.0.113.10 and the mail server via public IP 203.0.113.11. The inside interface is GigabitEthernet0/1 (192.168.1.1/24) and the outside interface is GigabitEthernet0/0.

Network Topology
R1 G0/1 192.168.1.1/24 (PCs, internal network); R1 G0/0 10.0.0.1/30 to ISP router R2 10.0.0.2/30

Hints

  • Define an ACL to match internal traffic.
  • Apply NAT inside/outside on the correct interfaces.
  • Use 'overload' for PAT.
A.ip access-list standard PERMIT_INTERNAL permit 192.168.1.0 0.0.0.255 interface GigabitEthernet0/1 ip nat inside interface GigabitEthernet0/0 ip nat outside ip nat inside source list PERMIT_INTERNAL interface GigabitEthernet0/0 overload ip nat inside source static tcp 192.168.1.10 80 203.0.113.10 80 extendable ip nat inside source static tcp 192.168.1.20 25 203.0.113.11 25 extendable
B.ip access-list standard PERMIT_INTERNAL permit 192.168.1.0 0.0.0.255 interface GigabitEthernet0/1 ip nat outside interface GigabitEthernet0/0 ip nat inside ip nat inside source list PERMIT_INTERNAL interface GigabitEthernet0/0 overload ip nat inside source static tcp 192.168.1.10 80 203.0.113.10 80 ip nat inside source static tcp 192.168.1.20 25 203.0.113.11 25
C.ip access-list standard PERMIT_INTERNAL permit 192.168.1.0 0.0.0.255 interface GigabitEthernet0/1 ip nat inside interface GigabitEthernet0/0 ip nat outside ip nat inside source list PERMIT_INTERNAL interface GigabitEthernet0/0 overload ip nat inside source static 192.168.1.10 203.0.113.10 ip nat inside source static 192.168.1.20 203.0.113.11
D.ip access-list standard PERMIT_INTERNAL permit 192.168.1.0 0.0.0.255 interface GigabitEthernet0/1 ip nat inside interface GigabitEthernet0/0 ip nat outside ip nat inside source list PERMIT_INTERNAL interface GigabitEthernet0/0 overload ip nat outside source static tcp 203.0.113.10 80 192.168.1.10 80 ip nat outside source static tcp 203.0.113.11 25 192.168.1.20 25
AnswerA
solution
! R1
ip nat inside source list 100 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 192.168.1.10 80 203.0.113.10 80
ip nat inside source static tcp 192.168.1.20 25 203.0.113.11 25
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
interface GigabitEthernet0/1
ip nat inside
interface GigabitEthernet0/0
ip nat outside

Why this answer

The named standard ACL PERMIT_INTERNAL permits all internal hosts in 192.168.1.0/24. The 'ip nat inside source list PERMIT_INTERNAL interface GigabitEthernet0/0 overload' command enables PAT, translating internal addresses to the outside interface's IP. Static NAT entries map web and mail servers to public IPs with the 'extendable' keyword to allow both PAT and static NAT.

Proper interface NAT direction (inside/outside) is crucial.

Exam trap

Watch out for interface NAT direction: the inside interface is the one facing your internal network, and the outside interface faces the ISP. Also, remember that static NAT for servers must specify protocol and port to avoid mapping the entire IP. The 'extendable' keyword is often needed when combining PAT and static NAT.

Why the other options are wrong

B

The NAT interface directions are reversed; the internal-facing interface must be 'ip nat inside' and the external-facing interface must be 'ip nat outside'.

C

Static NAT for services must include the protocol (tcp/udp) and port number to map specific services; otherwise, it maps the entire IP address, which is not desired here.

D

The 'ip nat outside source static' command is used for translating the source address of inbound packets (e.g., for load balancing), not for mapping a public IP to an internal server. For inbound access to servers, 'ip nat inside source static' is required.

137
PBQhard

You are connected to R1. The network administrator wants to permit only HTTPS traffic (TCP port 443) from the 192.0.2.0/24 network to the 203.0.113.0/24 network, while denying all other IP traffic. Currently, an ACL applied inbound on G0/1 is blocking all traffic, including HTTPS. Identify the issue and correct the ACL configuration so that only HTTPS traffic is permitted.

Network Topology
R1 G0/1 192.0.2.1/24; link to R2 G0/1 203.0.113.1/24 (Internet)

Hints

  • The ACL is currently blocking all traffic because of the deny any any entry.
  • You need to remove the existing ACL and recreate it with a permit statement for HTTPS.
  • Remember the implicit deny at the end of every ACL; you don't need an explicit deny statement.
A.Remove the existing ACL, then create an extended ACL with a permit statement for tcp 192.0.2.0 0.0.0.255 203.0.113.0 0.0.0.255 eq 443, and apply it inbound on G0/1.
B.Add a permit statement for tcp 192.0.2.0 0.0.0.255 203.0.113.0 0.0.0.255 eq 443 before the existing deny ip any any entry in the ACL.
C.Remove the existing ACL and create a standard ACL with permit 192.0.2.0 0.0.0.255, then apply it inbound on G0/1.
D.Remove the existing ACL and create an extended ACL with a permit statement for tcp any any eq 443, then apply it inbound on G0/1.
AnswerA
solution
! R1
configure terminal
no ip access-list extended BLOCK_IN
ip access-list extended BLOCK_IN
permit tcp 192.0.2.0 0.0.0.255 203.0.113.0 0.0.0.255 eq 443
end
write memory

Why this answer

The ACL BLOCK_IN currently has a single deny ip any any entry, which blocks all traffic inbound on G0/1. The correct solution is to first remove the existing ACL, then create a new extended ACL that permits TCP 443 from source network 192.0.2.0/24 to destination network 203.0.113.0/24, and apply it inbound on G0/1. The implicit deny at the end of the ACL will then block all other traffic, achieving the desired policy.

Exam trap

The exam trap is that candidates may think adding a permit statement before the deny will work, but if they add a new entry without specifying a sequence number, it is inserted after the existing deny ip any any, so the deny remains first and blocks all traffic.

Why the other options are wrong

B

Entry order matters: a permit added without a sequence number is appended after the existing deny ip any any, so the deny is still evaluated first and blocks all traffic.

C

Standard ACLs cannot filter by protocol or port; an extended ACL is required for that granularity.

D

The permit statement uses 'any' for both source and destination, which is far more permissive than the specified networks.
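Worked example (added here; not code from the question bank): a small Python model of first-match extended-ACL evaluation that reproduces the trap behind option B. The ACL name BLOCK_IN and the addresses come from the question; the Packet and Ace classes, the contiguous-wildcard assumption, and the modelled sequence-number behaviour (append after the last entry when none is given) are this example's own.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example, not part of the question bank: a first-match model of a
# Cisco extended ACL. Only contiguous wildcard masks (0.0.0.255 style) are
# handled; IOS also accepts non-contiguous ones. The ACL name BLOCK_IN and the
# addresses come from question 137; Packet and Ace are this example's own.


@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass
class Ace:
    seq: int
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    eq: Optional[int] = None    # destination port, if 'eq' was given

    def matches(self, p: Packet) -> bool:
        return ((self.proto == "ip" or self.proto == p.proto)
                and ipaddress.ip_address(p.src) in self.src
                and ipaddress.ip_address(p.dst) in self.dst
                and (self.eq is None or p.dport == self.eq))


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """'192.0.2.0 0.0.0.255' -> 192.0.2.0/24 (the wildcard is the inverted mask)."""
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.ip_network(f"{addr}/{ipaddress.IPv4Address(mask)}", strict=False)


def _parse_addr(tok: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return wildcard_to_network(tok[i], tok[i + 1]), i + 2


def parse_ace(seq: int, line: str) -> Ace:
    """Parse one entry such as 'permit tcp 192.0.2.0 0.0.0.255 203.0.113.0 0.0.0.255 eq 443'."""
    tok = line.split()
    action, proto = tok[0], tok[1]
    src, i = _parse_addr(tok, 2)
    dst, i = _parse_addr(tok, i)
    eq = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
    return Ace(seq, action, proto, src, dst, eq)


class ExtendedAcl:
    def __init__(self, name: str):
        self.name = name
        self.entries: List[Ace] = []

    def add(self, line: str, seq: Optional[int] = None) -> None:
        """Without a sequence number the entry is appended after the last one
        (next multiple of 10), which is exactly the trap in option B."""
        if seq is None:
            seq = self.entries[-1].seq + 10 if self.entries else 10
        self.entries.append(parse_ace(seq, line))
        self.entries.sort(key=lambda e: e.seq)

    def evaluate(self, p: Packet) -> str:
        for e in self.entries:          # first match wins
            if e.matches(p):
                return e.action
        return "deny"                   # implicit deny at the end


HTTPS = Packet("tcp", "192.0.2.10", "203.0.113.5", 443)
HTTP = Packet("tcp", "192.0.2.10", "203.0.113.5", 80)
PERMIT_HTTPS = "permit tcp 192.0.2.0 0.0.0.255 203.0.113.0 0.0.0.255 eq 443"


def _verdicts(acl: ExtendedAcl) -> dict:
    return {"https": acl.evaluate(HTTPS), "http": acl.evaluate(HTTP)}


def option_b_append() -> dict:
    """Option B typed without a sequence number: the permit lands after deny ip any any."""
    acl = ExtendedAcl("BLOCK_IN")
    acl.add("deny ip any any")
    acl.add(PERMIT_HTTPS)
    return _verdicts(acl)               # {'https': 'deny', 'http': 'deny'}


def option_a_recreate() -> dict:
    """Option A: recreate the ACL with the permit only; the implicit deny does the rest."""
    acl = ExtendedAcl("BLOCK_IN")
    acl.add(PERMIT_HTTPS)
    return _verdicts(acl)               # {'https': 'permit', 'http': 'deny'}


def sequenced_insert() -> dict:
    """Beyond the options: an explicit lower sequence number also sorts the permit first."""
    acl = ExtendedAcl("BLOCK_IN")
    acl.add("deny ip any any")
    acl.add(PERMIT_HTTPS, seq=5)
    return _verdicts(acl)               # {'https': 'permit', 'http': 'deny'}
```

option_b_append() denies both HTTPS and HTTP, option_a_recreate() permits only HTTPS, and sequenced_insert() shows that an explicit lower sequence number (not offered among the options) would also have placed the permit ahead of the deny.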

138
MCQmedium

Why is NTP especially valuable when a network uses centralized Syslog servers?

A.Because synchronized clocks make log timestamps easier to correlate across devices
B.Because NTP converts Syslog into a routing protocol
C.Because NTP automatically creates DHCP pools
D.Because NTP eliminates the need for a Syslog server
AnswerA

This is correct because NTP improves the usefulness of centralized logs by aligning time.

Why this answer

NTP is especially valuable because centralized logs are much easier to interpret when device clocks are synchronized. In plain language, if multiple routers and switches send messages to one logging server but each device believes a different time, the event sequence becomes confusing. NTP helps align those clocks so the timestamps in the logs are consistent and the team can reconstruct incidents more accurately.

This is a practical operations concept rather than a syntax question. Syslog solves the collection problem, and NTP solves the time-correlation problem. Together they make logs more useful than either one alone. That is why the best answer focuses on timestamp consistency rather than on routing, VLAN, or NAT behavior.

Exam trap

A common exam trap is selecting an answer that incorrectly attributes routing or DHCP functions to NTP, such as thinking NTP converts Syslog into a routing protocol or automatically creates DHCP pools. These options confuse NTP’s fundamental role in time synchronization with unrelated network services. Another trap is assuming NTP eliminates the need for a Syslog server, which is false because NTP only provides accurate timestamps; it does not collect or store logs.

Understanding that NTP’s value lies in timestamp consistency, not in changing or replacing other protocols, is critical to avoid these mistakes.

Why the other options are wrong

B

Incorrect because NTP does not convert Syslog into a routing protocol; NTP’s function is strictly time synchronization, unrelated to routing protocols.

C

Incorrect because NTP does not create DHCP pools; DHCP pool creation is unrelated to time synchronization and is managed by DHCP services.

D

Incorrect because NTP does not eliminate the need for a Syslog server; it complements Syslog by providing accurate timestamps but does not replace log collection.

139
MCQhard

A switch is configured with DHCP snooping and Dynamic ARP Inspection. Hosts suddenly lose connectivity after changing IP settings manually. Which explanation is strongest?

A.DAI is rejecting ARP traffic because the manual IP change does not match trusted snooping bindings.
B.STP is blocking the host because its MAC address changed.
C.OSPF authentication failed on the access port.
D.The switch requires PPP authentication before allowing ARP traffic.
AnswerA

This is correct because DAI validates ARP against trusted information, often sourced from DHCP snooping.

Why this answer

The correct answer is A because DAI validates ARP messages against the DHCP snooping binding table; a manual IP change no longer matches the host's binding, so DAI drops its ARP traffic. Option B is incorrect because STP prevents loops and does not block based on MAC address changes. Option C is incorrect because OSPF authentication is a routing protocol feature irrelevant on an access port.

Option D is incorrect because PPP authentication applies to serial links, not Ethernet ARP.

Exam trap

Be cautious not to confuse DHCP snooping's role with DHCP server functionality or ARP cache operations.

Why the other options are wrong

B

STP (Spanning Tree Protocol) prevents loops in redundant topologies and does not block hosts based on IP or MAC address changes. It operates at Layer 2 and is unrelated to IP address configuration.

C

OSPF is a Layer 3 routing protocol used between routers, not on access ports connecting hosts. OSPF authentication is configured on router interfaces and does not apply to host ARP traffic on a switch.

D

PPP (Point-to-Point Protocol) authentication is used on serial links or PPPoE connections, not on Ethernet switch ports. It is unrelated to ARP inspection or DHCP snooping in a switched network.
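Worked example (added here; not code from the question bank): a Python model of the check DAI performs on untrusted ports, using a binding table populated by DHCP snooping. The MAC addresses, IP addresses and port names are constructed. The static allow-list models an ARP ACL applied with 'ip arp inspection filter', which is how a host that legitimately uses a static address is accommodated without disabling inspection.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Added example, not part of the question bank: how Dynamic ARP Inspection
# consults the DHCP snooping binding table on untrusted ports. MACs,
# addresses and port names are constructed. The arp_acl set models an ARP ACL
# applied with 'ip arp inspection filter' for hosts with static addresses.


@dataclass(frozen=True)
class ArpPacket:
    sender_mac: str
    sender_ip: str
    vlan: int
    ingress_port: str


class DaiSwitch:
    def __init__(self, trusted_ports: Set[str]):
        self.trusted = set(trusted_ports)
        # (mac, vlan) -> (ip, port), learned by DHCP snooping from the DHCPACK
        self.bindings: Dict[Tuple[str, int], Tuple[str, str]] = {}
        # (mac, ip, vlan) entries from an ARP ACL
        self.arp_acl: Set[Tuple[str, str, int]] = set()
        self.dropped: List[ArpPacket] = []

    def dhcp_lease(self, mac: str, ip: str, vlan: int, port: str) -> None:
        self.bindings[(mac.lower(), vlan)] = (ip, port)

    def static_allow(self, mac: str, ip: str, vlan: int) -> None:
        self.arp_acl.add((mac.lower(), ip, vlan))

    def inspect_arp(self, pkt: ArpPacket) -> str:
        if pkt.ingress_port in self.trusted:
            return "forward"            # trusted ports bypass inspection
        mac = pkt.sender_mac.lower()
        if (mac, pkt.sender_ip, pkt.vlan) in self.arp_acl:
            return "forward"            # ARP ACL match
        bound = self.bindings.get((mac, pkt.vlan))
        if bound is None or bound != (pkt.sender_ip, pkt.ingress_port):
            self.dropped.append(pkt)    # no binding, or IP/port disagree: drop and log
            return "drop"
        return "forward"


def scenario() -> dict:
    sw = DaiSwitch(trusted_ports={"Gi1/0/24"})      # uplink toward the DHCP server
    host = "00aa.bb11.2233"
    sw.dhcp_lease(host, "192.168.10.50", 10, "Gi1/0/5")
    results = {
        # ARP that agrees with the DHCP lease is forwarded
        "dhcp_addressed": sw.inspect_arp(ArpPacket(host, "192.168.10.50", 10, "Gi1/0/5")),
        # the same host after a manual IP change: no matching binding, dropped
        "manual_change": sw.inspect_arp(ArpPacket(host, "192.168.10.99", 10, "Gi1/0/5")),
        # an untrusted port claiming the gateway's address is dropped the same way
        "spoofed_gateway": sw.inspect_arp(ArpPacket(host, "192.168.10.1", 10, "Gi1/0/5")),
        # traffic on the trusted uplink is not inspected
        "trusted_uplink": sw.inspect_arp(ArpPacket("0011.2233.4455", "192.168.10.1", 10, "Gi1/0/24")),
    }
    # remedy for a host that is meant to be statically addressed
    sw.static_allow(host, "192.168.10.99", 10)
    results["after_arp_acl"] = sw.inspect_arp(ArpPacket(host, "192.168.10.99", 10, "Gi1/0/5"))
    results["drops_logged"] = len(sw.dropped)
    return results
```

scenario() returns "forward" for the DHCP-addressed host, "drop" after the manual change, "drop" for the spoofed gateway claim, "forward" on the trusted uplink, and "forward" again once the ARP ACL entry exists; two drops are recorded, which is what the DAI log would show.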

140
Drag & Dropmedium

Drag and drop the following steps into the correct order to configure PAT (overload) on a Cisco router using a single public IP address on the outside interface.

Steps in the correct order (as given under "Why this order"):

  1. Enter global configuration mode.
  2. Define the access list that matches inside traffic.
  3. Mark the inside and outside interfaces with `ip nat inside` and `ip nat outside`.
  4. Enable PAT with `ip nat inside source list <acl> interface <outside-if> overload`.

Why this order

The correct sequence is: first enter global configuration mode, then define the access list that matches inside traffic. Next, mark the inside and outside interfaces with `ip nat inside` and `ip nat outside` respectively. Finally, enable PAT with overload using `ip nat inside source list <acl> interface <outside-if> overload`.

This order ensures the router knows which interfaces are internal and external, which traffic to translate, and how to perform the translation.

Exam trap

Learners often forget to assign the 'ip nat inside' and 'ip nat outside' interface commands, or they configure them in the wrong order relative to the source NAT statement.

141
MCQhard

A branch router uses PAT for Internet access. Users can browse out, but the administrator wants a specific internal web server to be reachable from outside on a consistent public address. Which design fits that requirement best?

A.Use static NAT for the server and PAT for general user outbound traffic.
B.Use only PAT for everything, including predictable outside server reachability.
C.Disable NAT entirely because private IPv4 addresses are Internet-routable.
D.Use DHCP relay to publish the server externally.
AnswerA

This is correct because static NAT gives the server a fixed public identity while PAT supports many internal users.

Why this answer

The best design is to use static NAT for the internal web server while continuing to use PAT for general user outbound access. In plain language, PAT is ideal for many inside users sharing one public address for ordinary outbound traffic, but a server that must be reachable predictably from the outside needs a fixed public identity. Static NAT provides that one-to-one mapping.

This is a practical mixed-design scenario. The network can use PAT for user convenience and address conservation while still reserving a stable translation for a server that external clients need to find reliably. The correct answer recognizes that different NAT methods can serve different purposes in the same environment.

Exam trap

A common exam trap is selecting PAT alone to provide external access to an internal server. While PAT efficiently supports many users sharing one public IP for outbound traffic, it does not assign a fixed public IP to any internal host. This means the server’s public identity changes dynamically, preventing reliable inbound connections.

Candidates often confuse PAT’s port translation with static IP mapping, overlooking that servers need static NAT for consistent external reachability. Misunderstanding this distinction leads to incorrect answers and design flaws in real networks.

Why the other options are wrong

B

Incorrect because PAT alone cannot provide a stable public IP for inbound connections to a server, making it unsuitable for predictable external access to internal services.

C

Incorrect because private IPv4 addresses are not routable on the Internet, so disabling NAT would prevent internal hosts from accessing external networks and external clients from reaching internal servers.

D

Incorrect because DHCP relay is used to forward DHCP requests across networks and does not influence NAT or the public accessibility of internal servers.
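Worked example (added here; not code from the question bank): a toy Python model of IOS inside-source NAT that ties together questions 131, 136 and 141. It shows why dynamic NAT without 'overload' strands the second inside host, how static per-port entries give the web and mail servers a fixed public identity, and why PAT alone cannot accept an unsolicited inbound connection. Addresses are taken from those questions; the PAT port pool start (1024) and the host source ports are constructed, and the model ignores protocol timers and the destination side of each translation.

```python
import ipaddress
from typing import Dict, Optional, Tuple

# Added example, not part of the question bank: a toy model of IOS inside-source
# NAT. Addresses come from questions 131/136/141; the PAT port pool start
# (1024) and the host ports are constructed.

Endpoint = Tuple[str, int]              # (ip, port)


class NatRouter:
    def __init__(self, outside_ip: str, inside_net: str, overload: bool):
        self.outside_ip = outside_ip
        self.inside_net = ipaddress.ip_network(inside_net)   # the NAT ACL
        self.overload = overload
        self.static_out: Dict[Tuple[str, str, int], Endpoint] = {}  # (proto, inside ip, port) -> public
        self.static_in: Dict[Tuple[str, str, int], Endpoint] = {}   # (proto, public ip, port) -> inside
        self.dynamic: Dict[Tuple[str, str, int], Endpoint] = {}     # (proto, outside ip, port) -> inside
        self.next_port = 1024
        self.one_to_one: Optional[str] = None   # inside IP holding the single address without overload

    def static_map(self, proto: str, inside_ip: str, inside_port: int,
                   public_ip: str, public_port: int) -> None:
        """ip nat inside source static <proto> <inside> <port> <public> <port>"""
        self.static_out[(proto, inside_ip, inside_port)] = (public_ip, public_port)
        self.static_in[(proto, public_ip, public_port)] = (inside_ip, inside_port)

    def outbound(self, proto: str, src_ip: str, src_port: int) -> Optional[Endpoint]:
        """Translate the source of a packet going inside -> outside."""
        key = (proto, src_ip, src_port)
        if key in self.static_out:
            return self.static_out[key]
        if ipaddress.ip_address(src_ip) not in self.inside_net:
            return (src_ip, src_port)   # ACL miss: forwarded untranslated (the wrong-subnet trap)
        if not self.overload:
            # dynamic NAT with a one-address pool: only one inside host at a time
            if self.one_to_one is None:
                self.one_to_one = src_ip
            return (self.outside_ip, src_port) if self.one_to_one == src_ip else None
        for (p, oip, oport), inside in self.dynamic.items():
            if (p, *inside) == key:
                return (oip, oport)     # reuse the existing PAT entry
        port, self.next_port = self.next_port, self.next_port + 1
        self.dynamic[(proto, self.outside_ip, port)] = (src_ip, src_port)
        return (self.outside_ip, port)

    def inbound(self, proto: str, dst_ip: str, dst_port: int) -> Optional[Endpoint]:
        """Translate the destination of a packet arriving outside -> inside.
        None means no translation exists, so nothing is delivered inside."""
        key = (proto, dst_ip, dst_port)
        if key in self.static_in:
            return self.static_in[key]
        if not self.overload and dst_ip == self.outside_ip and self.one_to_one:
            return (self.one_to_one, dst_port)
        return self.dynamic.get(key)


def without_overload() -> list:
    """Question 131: the PAT command lacking 'overload' behaves as one-to-one NAT."""
    r = NatRouter("10.0.0.1", "192.168.1.0/24", overload=False)
    return [r.outbound("tcp", "192.168.1.11", 40000),   # ('10.0.0.1', 40000)
            r.outbound("tcp", "192.168.1.12", 40001)]   # None: the single address is taken


def pat_plus_static_servers() -> dict:
    """Questions 136 and 141: PAT for users, static per-port entries for servers."""
    r = NatRouter("10.0.0.1", "192.168.1.0/24", overload=True)
    r.static_map("tcp", "192.168.1.10", 80, "203.0.113.10", 80)    # web server
    r.static_map("tcp", "192.168.1.20", 25, "203.0.113.11", 25)    # mail server
    return {
        "user_a": r.outbound("tcp", "192.168.1.11", 40000),        # ('10.0.0.1', 1024)
        "user_b": r.outbound("tcp", "192.168.1.12", 40001),        # ('10.0.0.1', 1025)
        "acl_miss": r.outbound("tcp", "172.16.0.5", 40002),        # untranslated
        "reply_to_a": r.inbound("tcp", "10.0.0.1", 1024),          # ('192.168.1.11', 40000)
        "web_from_outside": r.inbound("tcp", "203.0.113.10", 80),  # ('192.168.1.10', 80)
        "mail_from_outside": r.inbound("tcp", "203.0.113.11", 25), # ('192.168.1.20', 25)
        "unsolicited_to_pat_ip": r.inbound("tcp", "10.0.0.1", 8080),  # None: PAT has no entry
    }
```

without_overload() returns a translation for the first host and None for the second; pat_plus_static_servers() shows replies to PAT users finding their way back, the servers reachable on their fixed public addresses and ports, and an unsolicited connection to the PAT address going nowhere, which is the reason option A in question 141 combines static NAT with PAT.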

142
Multi-Selecthard

Exhibit: A company wants to export traffic statistics from routers to a collector for visibility into top talkers and application usage. Which two statements are accurate?

Select 2 answers
A.NetFlow can export flow data to a collector
B.NetFlow helps identify traffic patterns and top talkers
C.Syslog and NetFlow are the same feature with different names
D.NetFlow replaces routing protocols for path selection
E.NetFlow only works on Layer 2 switches and never on routers
AnswersA, B

That is exactly what it is for.

Why this answer

NetFlow exports flow records to a collector and is useful for traffic analysis and accounting visibility, enabling identification of top talkers and application usage (options A and B are correct). Syslog reports events and messages, but does not replace flow records for conversation-level traffic statistics, so option C is incorrect. NetFlow does not replace routing protocols for path selection; it is a traffic monitoring tool, not a routing mechanism, so option D is incorrect.

NetFlow works on routers and Layer 3 switches, not only Layer 2 switches, so option E is incorrect.

Exam trap

Be cautious not to confuse general network monitoring tools like Syslog and SNMP with specialized traffic analysis tools like NetFlow.

Why the other options are wrong

D

NetFlow does not replace routing protocols; it is a monitoring tool that provides traffic statistics, not a path-selection mechanism.

E

NetFlow operates on routers and Layer 3 switches, not just Layer 2 switches, and is commonly used on routers for traffic analysis.
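Worked example (added here; not code from the question bank): constructed flow records in the shape a collector stores (one record per unidirectional flow, with source, destination, protocol, ports, packets and bytes), aggregated the way an analyzer reports top talkers and application usage. Every address and byte count is made up; the well-known-port table is a simplification of how collectors label applications.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Added example, not part of the question bank: constructed flow records and
# the aggregations a NetFlow analyzer performs on them. All values are made up.

Flow = Tuple[str, str, str, int, int, int, int]   # src, dst, proto, sport, dport, packets, bytes

FLOWS: List[Flow] = [
    ("192.168.1.11", "203.0.113.50", "tcp", 51000, 443, 120, 90000),
    ("192.168.1.12", "203.0.113.50", "tcp", 51001, 443, 40, 30000),
    ("192.168.1.11", "198.51.100.7", "udp", 51002, 53, 2, 300),
    ("192.168.1.13", "203.0.113.80", "tcp", 51003, 80, 800, 1200000),
    ("192.168.1.12", "203.0.113.22", "tcp", 51004, 22, 300, 250000),
    ("192.168.1.13", "203.0.113.80", "tcp", 51005, 80, 10, 8000),
]

WELL_KNOWN = {443: "https", 80: "http", 53: "dns", 22: "ssh", 25: "smtp"}


def top_talkers(flows: List[Flow], n: int = 3) -> List[Tuple[str, int]]:
    """Bytes sent per source address, largest first (ties broken by address)."""
    by_src: Dict[str, int] = defaultdict(int)
    for src, _dst, _proto, _sp, _dp, _pk, nbytes in flows:
        by_src[src] += nbytes
    return sorted(by_src.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def bytes_by_application(flows: List[Flow]) -> Dict[str, int]:
    """Classify each flow by its well-known port (destination first, then source)."""
    by_app: Dict[str, int] = defaultdict(int)
    for _src, _dst, proto, sp, dp, _pk, nbytes in flows:
        app = WELL_KNOWN.get(dp) or WELL_KNOWN.get(sp) or f"{proto}/{dp}"
        by_app[app] += nbytes
    return dict(by_app)


def unexpected_destinations(flows: List[Flow], allowed_dports: set) -> List[Tuple[str, str, str, int]]:
    """Flows to ports outside the expected set, the kind of visibility the
    question is about (here: an internal host talking SSH to the Internet)."""
    return [(src, dst, proto, dp)
            for src, dst, proto, _sp, dp, _pk, _b in flows
            if dp not in allowed_dports]
```

top_talkers(FLOWS) ranks 192.168.1.13 first on 1,208,000 bytes, bytes_by_application(FLOWS) attributes most of the volume to HTTP, and unexpected_destinations(FLOWS, {80, 443, 53}) surfaces the single outbound SSH flow. Syslog could not produce any of these views, since it carries events rather than per-conversation byte counts.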

143
PBQmedium

You are connected to R1 via the console. R1 is an NTP client that should synchronize its clock with NTP server 192.168.1.100. The timezone is UTC-5 (Eastern Standard Time). Configure NTP on R1 so that it becomes an NTP client. Additionally, configure the router to log NTP synchronization status messages to the console and buffer logging using the numeric severity level 6 (informational).

Network Topology
R1 G0/0 192.168.1.1/24 (LAN) to NTP server

Hints

  • Use ntp server command to point to the NTP server.
  • Logging level 6 corresponds to informational.
  • Buffered and console logging commands are separate.
A.ntp server 192.168.1.100 logging console informational logging buffered informational
B.ntp peer 192.168.1.100 logging console 6 logging buffered 6
C.ntp server 192.168.1.100 logging console 6 logging buffered 6
D.ntp server 192.168.1.100 logging console informational logging buffered 6
AnswerC
solution
! R1
ntp server 192.168.1.100
logging buffered 6
logging console 6

Why this answer

The correct NTP client command is 'ntp server 192.168.1.100', not 'ntp peer'. The logging commands must use the numeric level 6 to match the requirement. 'logging console 6' and 'logging buffered 6' achieve this; keyword 'informational' is technically valid but does not follow the explicit numeric specification. Mixing numeric and keyword is also incorrect under the given requirement.

Exam trap

Candidates often overlook the explicit requirement to use the numeric severity level and may choose options with the keyword 'informational', which are technically valid but do not meet the specified condition.

Why the other options are wrong

A

Uses the keyword 'informational' instead of the required numeric level 6.

B

Uses 'ntp peer' instead of 'ntp server'; the numeric logging levels are correct, but the NTP command itself is wrong.

D

Mixes numeric and keyword severity levels; must use numeric 6 for both console and buffer.
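Worked example (added here; not code from the question bank) covering the severity handling in questions 133 and 143: the IOS severity scale, the keyword-or-number argument that 'logging trap', 'logging console' and 'logging buffered' accept, and the rule that a destination set to level N receives every message of severity 0 through N. The sample messages are constructed in IOS format (facility-severity-mnemonic); their content is made up.

```python
import re
from typing import List

# Added example, not part of the question bank: IOS severity keywords and the
# 0..N filtering rule. Sample lines are constructed in IOS message format.

SEVERITY = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}

MSG_RE = re.compile(r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+):")

SAMPLE = [
    "*Mar  1 00:01:02.123: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.168.1.50)",
    "*Mar  1 00:01:05.456: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "*Mar  1 00:01:06.789: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down",
    "*Mar  1 00:02:10.001: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.9] [localport: 22]",
    "*Mar  1 00:02:11.002: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 10.0.0.2 port 514 started - CLI initiated",
    "*Mar  1 00:02:12.003: %SYS-7-USERLOG_DEBUG: Message from tty0(user id: admin): debug output",
]


def parse_level(arg: str) -> int:
    """'notifications' and '5' are the same setting; anything else is rejected."""
    if arg.isdigit() and 0 <= int(arg) <= 7:
        return int(arg)
    if arg in SEVERITY:
        return SEVERITY[arg]
    raise ValueError(f"invalid severity: {arg!r}")


def forwarded(lines: List[str], level_arg: str) -> List[str]:
    """Mnemonics of the messages a destination configured at level_arg receives.
    Lower numbers are MORE severe, so 'level 5 and above' in the question
    means severities 0..5; a message at 6 or 7 is not sent."""
    limit = parse_level(level_arg)
    out = []
    for line in lines:
        m = MSG_RE.search(line)
        if m and int(m.group("sev")) <= limit:
            out.append(m.group("mnemonic"))
    return out


def login_failures_reach_server(level_arg: str) -> bool:
    """Whether the level-4 failed-login message would reach the syslog server.
    A trap level of 'errors' (3) silently discards it; 'notifications' keeps it."""
    return "LOGIN_FAILED" in forwarded(SAMPLE, level_arg)
```

forwarded(SAMPLE, "notifications") and forwarded(SAMPLE, "5") return the same four mnemonics, "6" adds the informational message, and "7" adds the debug message. login_failures_reach_server("errors") is False, which is the practical reason not to set the trap level more restrictively than the events you expect to investigate.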

144
MCQmedium

An automation script needs to send a bearer token when calling a controller REST API over HTTPS. Where is that token most commonly included?

A.In the HTTP Authorization header
B.In the Ethernet trailer
C.In the DNS response section
D.In the TCP checksum field
AnswerA

That is the standard way bearer tokens are presented.

Why this answer

Bearer tokens are typically sent in the HTTP Authorization header. Query parameters or request bodies may carry credentials in some custom APIs, but the normal REST pattern is an Authorization header such as 'Authorization: Bearer <token>'.

Exam trap

Remember that bearer tokens are part of the request, not the response, and should be in the Authorization header, not in query parameters or the request body.

Why the other options are wrong

B

The Ethernet trailer contains a Frame Check Sequence (FCS) for error detection at Layer 2, not application-layer data like bearer tokens. Tokens are part of the HTTP application layer and are never placed in the Ethernet trailer.

C

DNS responses contain resource records like A, AAAA, or CNAME, which map domain names to IP addresses. They have no role in carrying authentication tokens for REST API calls, as DNS is a separate protocol for name resolution.

D

The TCP checksum field is used for error detection of the TCP segment header and payload at the transport layer. It is computed by the sender and verified by the receiver; it does not carry any application data such as bearer tokens.
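Worked example (added here; not code from the question bank): the client side builds the request with the Authorization header, and a minimal server-side check parses and validates that header. The controller URL and the tokens are placeholders, and nothing is sent over the network; the token syntax follows the token68 form from RFC 6750.

```python
import re
import secrets
import urllib.request
from typing import Iterable, Optional

# Added example, not part of the question bank. CONTROLLER_URL and the tokens
# are placeholders; no request is actually sent.

CONTROLLER_URL = "https://controller.example.invalid/api/v1/devices"   # placeholder

# RFC 6750 token68 syntax; the scheme name is matched case-insensitively
BEARER_RE = re.compile(r"^Bearer[ \t]+(?P<token>[A-Za-z0-9\-._~+/]+=*)$", re.IGNORECASE)


def build_request(url: str, token: str) -> urllib.request.Request:
    """Client side: the token goes in the Authorization header, not in the URL,
    so it does not end up in proxy and web-server access logs."""
    req = urllib.request.Request(url, method="GET")
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Accept", "application/json")
    return req


def extract_bearer(auth_header: Optional[str]) -> Optional[str]:
    """Server side: return the token, or None if the header is absent or not a Bearer credential."""
    if not auth_header:
        return None
    m = BEARER_RE.match(auth_header.strip())
    return m.group("token") if m else None


def is_authorized(auth_header: Optional[str], valid_tokens: Iterable[str]) -> bool:
    """Compare in constant time against each issued token."""
    token = extract_bearer(auth_header)
    if token is None:
        return False
    return any(secrets.compare_digest(token.encode(), v.encode()) for v in valid_tokens)
```

build_request(CONTROLLER_URL, "demo-token").get_header("Authorization") is "Bearer demo-token" while the URL stays free of the credential; on the receiving side a Basic credential or a missing header is rejected before any comparison takes place.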

145
PBQhard

You are connected to R1, a Cisco IOS-XE router that serves as the DNS resolver for the local network. The router can reach the DNS server at 198.51.100.53, but internal hosts cannot resolve the hostname 'fileserver.courseiva.com' (expected IP 203.0.113.10). Which configuration will resolve the issue?

Network Topology
R1 G0/0 192.168.1.1/24 to switch

Hints

  • The DNS server returns NXDOMAIN, meaning it has no record for that hostname or IP.
  • Use the 'ip host' command to create a static DNS entry on the router.
  • For reverse lookup, the PTR record must be configured; a single 'ip host' with the IP first automatically creates a PTR entry.
A.Add a static host entry: ip host fileserver.courseiva.com 203.0.113.10
B.Change the DNS server to 203.0.113.53 using the command 'ip name-server 203.0.113.53'
C.Add a static route to 198.51.100.53 via the next-hop interface
D.Configure the router to use the DNS server at 8.8.8.8 using 'ip name-server 8.8.8.8'
AnswerA
solution
! R1
ip host fileserver.courseiva.com 203.0.113.10
ip host 203.0.113.10 fileserver.courseiva.com

Why this answer

The DNS server is reachable but does not have an A record for fileserver.courseiva.com, so NXDOMAIN is returned. The router can resolve the name locally by adding a static host entry with `ip host`. This bypasses the external DNS and directly maps the hostname to the correct IP.

Changing the DNS server to another unknown IP does not guarantee resolution, and static routes or external public DNS are irrelevant for this internal name.

Exam trap

Candidates often attempt to change the DNS server IP or troubleshoot routing, but the core issue is the absence of a DNS record. The `ip host` command provides a simple, static solution without altering external DNS infrastructure.

Why the other options are wrong

B

The current DNS server is reachable but lacks the record; simply changing the DNS server to an arbitrary IP would not guarantee resolution unless that server is known to hold the correct record, and there is no indication that 203.0.113.53 is a valid DNS server.

C

DNS resolution failure is not due to routing: the router can already reach the DNS server. Adding a static route will not fix missing DNS records.

D

The Google public DNS server likely does not have an entry for the internal hostname fileserver.courseiva.com, so this will not enable resolution.

146
MCQhard

A network administrator has configured 802.1X port-based authentication on a Cisco IOS-XE switch for a new access port connected to a user workstation. The workstation is failing to gain network access. The switch port is in the 'authorized' state, but the workstation cannot ping the default gateway. The administrator checks the running configuration and the authentication session details. What is the most likely cause of the issue?

A.The RADIUS server has not been configured with the correct shared secret, causing authentication to fail silently.
B.The RADIUS server returned a VLAN ID that placed the port in a VLAN lacking connectivity to the default gateway, such as a VLAN without an SVI or incorrect subnet assignment.
C.The switch port is in 'err-disabled' state due to a port-security violation, preventing any traffic.
D.The workstation's supplicant is not configured with the correct EAP method, causing the authentication to use the guest VLAN instead.
AnswerB

After successful 802.1X authentication, the switch can dynamically assign the port to a VLAN specified in the RADIUS Access-Accept message. If that VLAN exists but is not the correct user VLAN—for example, a dead-end VLAN or a VLAN where the default gateway IP is not configured or reachable—the device will appear authorized but will be unable to reach the gateway, exactly matching the symptoms.

Why this answer

The switch port is in the 'authorized' state, indicating that 802.1X authentication succeeded and the RADIUS server sent an Access-Accept. However, the workstation cannot ping the default gateway, pointing to a connectivity issue after authentication. The most likely cause is that the RADIUS server returned a VLAN assignment (via the Tunnel-Private-Group-ID attribute) that placed the port in a VLAN that is not the intended one, such as a management VLAN without a gateway, or a VLAN missing a routed SVI, leaving the workstation isolated despite successful authentication.

Exam trap

Cisco often tests the distinction between authentication success (port state 'authorized') and network connectivity success (correct VLAN assignment), tricking candidates into focusing on authentication failures when the real issue is a post-authentication VLAN misconfiguration.

Why the other options are wrong

A

The show authentication sessions output indicates 'Authz Success', meaning authentication and authorization succeeded. A shared secret mismatch would cause authentication failure, not a successful authorization.

C

The show command output clearly shows the port status as 'AUTHORIZED' and 'Authz Success'. There is no indication of err-disable. Port-security violations would show a different status, such as 'err-disabled' or 'security-violation'.

D

The output shows 'authVlan = 100' and the session is authorized with 'method = dot1x' and 'status = AUTHORIZED'. This indicates the supplicant successfully authenticated and was placed in the auth VLAN, not the guest VLAN. If the supplicant had failed, the port would be in the guest VLAN.

147
MCQhard

An engineer is allowed to log in to a router but cannot enter configuration mode. Which AAA function most directly explains that outcome?

A.Authorization
B.Authentication
C.Accounting
D.DNS
AnswerA

This is correct because authorization determines what the authenticated user is permitted to do.

Why this answer

Authorization most directly explains the outcome. In practical terms, the user has already passed authentication because login succeeded, but the permissions assigned to that identity do not allow configuration-level actions. This is exactly the sort of role separation authorization is meant to enforce.

This is a good example of why authentication and authorization are not the same thing.
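
A minimal local-AAA configuration that produces exactly this outcome, added here as an illustration rather than taken from the question. The usernames, secrets and privilege levels are assumptions.

```ios
! Local AAA with two accounts that authenticate the same way but are
! authorized differently.
Router(config)# aaa new-model
Router(config)# username netops privilege 15 secret Adm1n-Example-Pw
Router(config)# username helpdesk privilege 1 secret View-Example-Pw
! Authentication (who are you?): check the local user database at login
Router(config)# aaa authentication login default local
! Authorization (what may you do?): start the EXEC session at the privilege
! level recorded on the account instead of the line default
Router(config)# aaa authorization exec default local
Router(config)# line vty 0 4
Router(config-line)# transport input ssh
Router(config-line)# end

! helpdesk authenticates successfully, but the authorized level is 1, so the
! configure command is simply not in that user's command set:
Router> show privilege
Current privilege level is 1
Router> configure terminal
          ^
% Invalid input detected at '^' marker.
```

With a TACACS+ server the same separation is enforced per command (`aaa authorization commands 15 default group tacacs+`) rather than per privilege level. Accounting (`aaa accounting commands 15 default start-stop group tacacs+`) would record the attempt but never block it, which is why option C cannot explain the outcome.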

Exam trap

A common exam trap is assuming that authentication alone controls all user permissions after login. Candidates often confuse authentication with authorization, thinking that successful login means full access. However, authentication only verifies identity, while authorization determines what commands or modes the user can access.

This confusion leads to incorrect answers, especially when a user can log in but cannot enter configuration mode. Remember, authorization is the AAA function that restricts user capabilities after authentication succeeds.

Why the other options are wrong

B

Authentication is incorrect because it only verifies the user's identity to allow login; it does not control what commands or modes the user can access after login.

C

Accounting is incorrect because it only records user activity and command usage for auditing purposes and does not influence login permissions or command access.

D

DNS is incorrect because it is related to name resolution and does not control user authentication, authorization, or command permissions on network devices.

148
Drag & Dropmedium

Drag and drop the following steps into the correct order to configure a Cisco IOS-XE router as a DHCP server for a VLAN 10 subnet and enable DHCP relay for a remote client on VLAN 20.

Why this order

The correct sequence is to exclude IP addresses first, using the global ip dhcp excluded-address command, so the server never hands out reserved addresses (a lease issued before the exclusion is added stays valid until it expires or is released). Then define the DHCP pool for VLAN 10 with its network parameters, enable DHCP relay with ip helper-address on the VLAN 20 interface so it forwards client broadcasts to the server as unicast, and finally verify that bindings are being created. Orderings that place relay before the pool, or exclusions after the pool, misorder these steps and deviate from recommended practice.
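
The four steps carried through as a complete configuration, added here as an illustration (the drag-and-drop items themselves are not reproduced on this page). The addressing (10.1.10.0/24 for VLAN 10, 10.1.20.0/24 for VLAN 20), the interface names and a second router R2 hosting the remote VLAN 20 are assumptions. The relayed requests also need a pool on R1 matching the VLAN 20 subnet, which the question's wording leaves implicit, so it is included here.

```ios
! ===== R1: DHCP server (IOS-XE) =====
! Step 1: exclusions are GLOBAL commands; enter them before the pool so no
!         lease from the reserved range is handed out in the meantime.
R1(config)# ip dhcp excluded-address 10.1.10.1 10.1.10.10
R1(config)# ip dhcp excluded-address 10.1.20.1 10.1.20.10

! Step 2: pool for the directly attached VLAN 10 subnet
R1(config)# ip dhcp pool VLAN10
R1(dhcp-config)# network 10.1.10.0 255.255.255.0
R1(dhcp-config)# default-router 10.1.10.1
R1(dhcp-config)# dns-server 10.1.10.5
R1(dhcp-config)# lease 0 8
R1(dhcp-config)# exit
! A relayed DISCOVER carries giaddr = the relay interface address (10.1.20.1)
! and the server selects a pool by that address, so VLAN 20 needs its own pool.
R1(config)# ip dhcp pool VLAN20
R1(dhcp-config)# network 10.1.20.0 255.255.255.0
R1(dhcp-config)# default-router 10.1.20.1
R1(dhcp-config)# dns-server 10.1.10.5
R1(dhcp-config)# exit
R1(config)# interface GigabitEthernet0/0/0.10
R1(config-subif)# encapsulation dot1Q 10
R1(config-subif)# ip address 10.1.10.1 255.255.255.0

! ===== R2: relay agent for the remote VLAN 20 clients =====
! Step 3: the helper address goes on the interface that RECEIVES the client
!         broadcasts and points at an address of the server that R2 can route to.
R2(config)# interface GigabitEthernet0/0/1.20
R2(config-subif)# encapsulation dot1Q 20
R2(config-subif)# ip address 10.1.20.1 255.255.255.0
R2(config-subif)# ip helper-address 10.1.10.1

! Step 4: verify on both ends
R1# show ip dhcp pool
R1# show ip dhcp binding
R1# show ip dhcp server statistics
R2# show ip interface GigabitEthernet0/0/1.20 | include Helper
R1# debug ip dhcp server packet
```

Security note on the relay: ip helper-address forwards several UDP broadcast types by default (TFTP, DNS, TIME, NetBIOS name/datagram, TACACS and BOOTP/DHCP), not only DHCP. On a relay interface facing untrusted hosts, trim the list with `no ip forward-protocol udp <port>` for everything except bootps so the router does not become a broadcast-to-unicast amplifier for other services.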

Exam trap

Many learners mistakenly think DHCP relay must be enabled before pool creation or that exclusions are a sub‑mode command inside the pool; in fact, exclusions are configured globally and should be defined before the pool to avoid accidental assignment of excluded IPs.

149
Drag & Dropmedium

Drag and drop the following IOS-XE CLI commands into the correct order to configure AAA with a RADIUS server and then enable 802.1X port authentication on an interface.

Why this order

AAA configuration must precede 802.1X. The order is global AAA setup (aaa new-model, the RADIUS server definition, and the dot1x authentication method list that points at it), then global 802.1X enablement with dot1x system-auth-control, followed by per-interface authentication configuration.
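
The ordering written out as working IOS-XE switch configuration, added as an illustration; it also includes the authorization line that dynamic VLAN assignment (question 146 above) depends on. The server address 10.1.2.10, the shared secret, the group name ISE-GROUP and the interface are assumptions.

```ios
! Step 1: enable AAA globally; every aaa authentication/authorization command
!         is rejected until this is present.
Switch(config)# aaa new-model

! Step 2: define the RADIUS server and a server group, then the method list
!         that 802.1X will use.
Switch(config)# radius server ISE1
Switch(config-radius-server)# address ipv4 10.1.2.10 auth-port 1812 acct-port 1813
Switch(config-radius-server)# key Sh4red-Example-Secret
Switch(config-radius-server)# exit
Switch(config)# aaa group server radius ISE-GROUP
Switch(config-sg-radius)# server name ISE1
Switch(config-sg-radius)# exit
Switch(config)# aaa authentication dot1x default group ISE-GROUP
! Without this line the switch ignores VLAN attributes in the Access-Accept.
Switch(config)# aaa authorization network default group ISE-GROUP

! Step 3: global 802.1X enablement; per-interface settings are accepted but do
!         nothing until this is on.
Switch(config)# dot1x system-auth-control

! Step 4: per-interface. The port must be a static access port; 802.1X is not
!         supported on ports left in DTP dynamic mode.
Switch(config)# interface GigabitEthernet1/0/5
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
Switch(config-if)# authentication port-control auto
Switch(config-if)# dot1x pae authenticator
Switch(config-if)# end

! Verify: reachability of the server, global/port 802.1X state, live sessions
Switch# test aaa group ISE-GROUP testuser testpass new-code
Switch# show dot1x all
Switch# show authentication sessions
```

The shared secret is the only thing protecting the RADIUS exchange on the wire (MD5-based request authenticators), so treat it like a password: long, random, unique per switch, and never the value from a lab guide. Newer IOS-XE releases also accept the `access-session port-control auto` form of the per-port command; the `authentication` form shown is the one CCNA material uses.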

Exam trap

Do not confuse the order of global AAA enablement and RADIUS server definition: aaa new-model comes first, because no aaa authentication or aaa authorization command is accepted until AAA is enabled, and the exam expects the server definition to come before the method list that uses it. Also remember that global 802.1X enablement (dot1x system-auth-control) comes before the interface-specific commands; per-port settings are accepted without it but have no effect.

150
MCQhard

A network engineer has enabled DHCP snooping on a Catalyst switch to prevent rogue DHCP servers. All access ports in VLAN 10 are untrusted. A router attached to a trunk port on the switch acts as the default gateway for VLAN 10 and is configured with the ip helper-address 10.1.2.5, which points to a remote DHCP server. After enabling DHCP snooping, hosts in VLAN 10 cannot obtain IP addresses; packet captures show DHCPDISCOVER messages are sent, but no DHCPOFFER is received. What is the most likely cause?

A.The router's ip helper-address command is pointing to an incorrect DHCP server IP address.
B.The switch port connecting to the router is not configured as a trusted port for DHCP snooping.
C.The DHCP server is on a different subnet, so the switch needs a switched virtual interface (SVI) in VLAN 10 with an IP address for Layer 3 connectivity.
D.DHCP snooping is dropping DHCPDISCOVER messages because the client access ports are untrusted.
AnswerB

DHCP snooping forwards DHCP server messages only from ports marked trusted. The router's relayed DHCPOFFER arrives on the trunk port; if that port is untrusted, the switch discards the offer, so clients keep sending DISCOVERs and never complete the exchange.

Why this answer

DHCP snooping treats all ports as untrusted by default. When a router acting as a DHCP relay is connected to an untrusted trunk port, the switch drops DHCPOFFER messages received from the router because they originate from an untrusted interface. Configuring the trunk port as trusted allows DHCP server responses (OFFER, ACK) to pass through to clients.
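
The fix for the scenario as switch configuration, added here as an illustration (not from the question). VLAN 10 and the relaying router are the question's; the interface numbers are assumptions. A second, closely related cause is included as a caveat: by default the switch inserts DHCP option 82 with giaddr 0.0.0.0, and a relaying router discards such packets unless told to trust them, which produces the same "DISCOVER sent, no OFFER" symptom.

```ios
Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan 10

! The port toward the relay/gateway is where OFFER/ACK/NAK arrive; it must be
! trusted or those server-side messages are dropped and DISCOVERs go unanswered.
Switch(config)# interface GigabitEthernet1/0/24
Switch(config-if)# switchport mode trunk
Switch(config-if)# ip dhcp snooping trust
Switch(config-if)# exit

! Access ports stay untrusted (the default): client DISCOVER/REQUEST still pass,
! while any OFFER/ACK from a rogue server on these ports is dropped. The rate
! limit also stops a DHCP-starvation flood from a single port.
Switch(config)# interface range GigabitEthernet1/0/1 - 23
Switch(config-if-range)# ip dhcp snooping limit rate 15
Switch(config-if-range)# exit

! Caveat, option 82: either stop inserting it on the switch ...
Switch(config)# no ip dhcp snooping information option
! ... or tell the relaying router to accept option 82 with giaddr 0.0.0.0:
Router(config)# ip dhcp relay information trust-all

! Verify: Gi1/0/24 must be listed with Trusted = yes; the binding table fills
! as clients obtain leases; the statistics show what was dropped and why.
Switch# show ip dhcp snooping
Switch# show ip dhcp snooping binding
Switch# show ip dhcp snooping statistics detail
```

Trust exactly the ports that lead to legitimate servers or relays (uplinks, the router port, server-facing ports) and nothing else; a trusted access port is a rogue-server hole. The binding table this builds is also the input for Dynamic ARP Inspection and IP Source Guard, so getting trust right here pays off twice.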

Exam trap

Cisco often tests the distinction that DHCP snooping blocks DHCP server messages (OFFER/ACK/NAK) on untrusted ports, not client messages (DISCOVER/REQUEST), leading candidates to incorrectly assume client messages are dropped.

Why the other options are wrong

A

This distractor exploits the common tendency to blame the helper address configuration first, overlooking the security feature that silently drops the returning DHCPOFFER.

C

This plays on the misconception that a switch requires an IP address on the client VLAN to facilitate DHCP, when in fact the router acting as the relay agent provides Layer 3 connectivity.

D

This misinterprets DHCP snooping behavior: it assumes all DHCP traffic is filtered on untrusted ports, overlooking the critical distinction that only server-side messages are blocked, not client requests.
