CCNA Network Services Security Questions

75 of 478 questions · Page 4/7 · Network Services Security topic · Answers revealed

226
Multi-Select · medium

Which two actions help protect access-layer switch ports from rogue DHCP servers?

Select 2 answers
A. Enable DHCP snooping globally and for the needed VLANs
B. Trust the uplink toward the legitimate DHCP server path
C. Enable PortFast on all trunks to block rogue servers
D. Disable ARP on access ports
E. Set every access port as trusted
Answers: A, B

Enabling the feature globally and per VLAN, then trusting only the uplink, are the two steps that make the switch drop DHCP server replies arriving on user ports.

Why this answer

DHCP snooping marks interfaces as trusted or untrusted and drops server-type DHCP messages (OFFER, ACK, NAK) that arrive on untrusted ports; it also builds the binding table that Dynamic ARP Inspection and IP Source Guard rely on. On Cisco IOS this is `ip dhcp snooping` globally, `ip dhcp snooping vlan <list>` for each VLAN that needs protection, and `ip dhcp snooping trust` only on the uplink toward the real DHCP server or relay, with every user-facing port left untrusted (the default). Option C is incorrect because PortFast does not filter DHCP messages; it only speeds up spanning tree convergence.

Option D is incorrect because disabling ARP breaks normal communication and does not block DHCP. Option E is incorrect because marking all access ports as trusted would permit rogue DHCP servers on those ports.

Exam trap

Do not confuse port security with DHCP snooping: port security limits which and how many MAC addresses may appear on a port, while DHCP snooping filters DHCP server messages. They address different security concerns and are usually deployed together.

Why the other options are wrong

C

PortFast is used to speed up the transition of a port to forwarding state in spanning tree, typically for end-user devices. It does not filter DHCP messages or prevent rogue DHCP servers; DHCP snooping is the correct mechanism.

D

ARP is essential for IP communication and disabling it would break network connectivity. DHCP snooping does not involve ARP; it operates at the DHCP protocol level to validate messages.

E

Setting every access port as trusted would allow any device connected to those ports to act as a DHCP server, defeating the purpose of DHCP snooping. Only ports connected to legitimate DHCP servers should be trusted.

227
MCQ · hard

A network engineer notices that clients in the 192.168.10.0/24 subnet are receiving the IP address 192.168.10.1 from the DHCP server, causing a duplicate IP conflict with the router’s own interface. What is the most likely cause?

A. The DHCP pool does not exclude the router’s own interface IP address.
B. The DHCP conflict logging feature is disabled on the router.
C. The DHCP lease time is set too low, causing frequent re-issuing of addresses.
D. The DHCP pool’s default-router address is misconfigured, so the client uses the router’s IP as its own.
Answer: A

When no excluded-address is configured for the router’s IP, the DHCP server treats it as available from the pool and can offer it to clients, creating a conflict. Adding 'ip dhcp excluded-address 192.168.10.1' prevents the server from offering that address.

Why this answer

The DHCP server is handing out 192.168.10.1, which is the router’s interface IP, because the pool includes the entire subnet without excluding that address. The correct fix is to configure 'ip dhcp excluded-address 192.168.10.1'. The other options describe features that do not control whether the server offers a specific address: conflict logging, lease time, and default-router settings do not prevent assignment of a duplicate address.

Exam trap

Candidates often assume that DHCP conflict detection will stop the server from handing out an address that is already in use. The IOS server does ping a candidate address before offering it (`ip dhcp ping packets`, on by default) and records detected conflicts (`ip dhcp conflict logging`), but that is a best-effort safety net: a device that does not answer ICMP is not detected, and a detected conflict is only logged and the address set aside. The reliable fix is the excluded-address statement, which keeps the router's own address out of the pool altogether.

Why the other options are wrong

B

Conflict logging records conflicts the server has already detected; it does not decide which addresses belong to the pool, so it is not a preventive control.

C

Candidates may associate short leases with instability, but the root cause is the missing exclusion, not the lease timer.

D

Beginners often conflate the default gateway with the assigned IP address, believing a mistake in the default-router setting could cause an address conflict.

228
MCQ · hard

A network administrator is troubleshooting an issue where internal hosts can ping the company's web server by IP address (192.0.2.10) but cannot access it using the fully qualified domain name www.example.com. The DNS server (192.0.2.5) is reachable and responds to queries. The administrator runs nslookup www.example.com from a host and receives the following output:

C:\> nslookup www.example.com
Server:  UnKnown
Address:  192.0.2.5

Name:    www.example.com
Address:  192.0.2.20

Based on the output, what is the most likely cause of the problem?

A. The host's DNS cache is corrupted; flush it using ipconfig /flushdns.
B. The DNS A record for www.example.com is incorrect; update it to point to 192.0.2.10.
C. The web server's firewall is blocking traffic from the host; add an allow rule.
D. The DNS server is not authoritative for the example.com zone; delegate the zone to a different server.
Answer: B

The nslookup output shows the DNS server returning 192.0.2.20, but the web server actually lives at 192.0.2.10. Correcting the A record resolves the mismatch.

Why this answer

The nslookup output shows that www.example.com resolves to 192.0.2.20, but the web server is at 192.0.2.10. This indicates the DNS A record is incorrect and must be updated to point to the correct IP. Pinging by IP works because it bypasses DNS, confirming network connectivity.

The host's DNS cache is not the issue because nslookup queries the server directly and still returns the wrong address. The firewall is not involved since pinging by IP succeeds, and the DNS server is authoritative (the response is received).

Exam trap

The trap here is that candidates may assume a DNS server that responds to queries is functioning correctly, overlooking that the response itself can contain an incorrect A record, which is the actual cause of the resolution failure.

Why the other options are wrong

A

The nslookup output shows the DNS server itself returning the wrong address (192.0.2.20) for www.example.com; this is not a stale entry in the host's cache. nslookup bypasses the local resolver cache and asks the server directly, so flushing the cache would not change the answer.

C

The host can ping the web server at 192.0.2.10, which shows that the path to the correct address works. The problem is that name resolution sends the host to the wrong address (192.0.2.20), not that the correct one is blocked. A firewall rule on the web server would only be worth checking if the host reached 192.0.2.10 by name and still failed.

D

The output contains no 'Non-authoritative answer:' line, which is how nslookup marks an answer served from a cache rather than from the zone's own server; its absence indicates that 192.0.2.5 answered authoritatively for example.com. 'Server: UnKnown' is unrelated to authority: it only means the host could not reverse-resolve 192.0.2.5 to a name (no PTR record). Delegating the zone elsewhere would not change the wrong A record.

229
MCQ · hard

Based on the exhibit, what is the most likely reason PAT is not working correctly?

A. The inside and outside NAT interface roles are reversed.
B. PAT requires OSPF to be enabled on the WAN link.
C. The ACL must be numbered 100 instead of 1.
D. The router must use GRE before PAT can overload.
Answer: A

This is correct because the private interface should be inside and the public interface should be outside.

Why this answer

PAT is not working correctly because the inside and outside NAT roles are reversed on the interfaces. In practical terms, the private LAN-facing interface should be marked as inside, and the public-facing WAN interface should be marked as outside. In the exhibit, the router has those roles backwards, so translation logic is applied in the wrong direction.

This is a very realistic NAT troubleshooting item because the configuration is close to correct and the failure comes from one directional mistake.

Exam trap

A common exam trap is confusing the NAT inside and outside interface roles. Candidates might overlook that reversing these roles causes PAT to fail silently, as translation direction depends on correct interface designation. Misunderstanding this can lead to incorrect troubleshooting steps, such as focusing on routing protocols or ACL numbering, which do not impact PAT functionality directly.

Why the other options are wrong

B

Incorrect because PAT does not depend on OSPF or any routing protocol to function; enabling OSPF on the WAN link is unrelated.

C

Incorrect because the ACL number does not have to be 100; standard ACLs like 1 are valid for NAT configurations.

D

Incorrect because GRE tunneling is not required for PAT; PAT operates independently of GRE.

230
MCQ · hard

A branch router is configured for NAT overload. The inside interface Gi0/0 is correctly marked ip nat inside, and the outside interface Gi0/1 is ip nat outside. The NAT statement uses access-list 1 permit 10.1.1.0 0.0.0.255 with ip nat inside source list 1 interface Gi0/1 overload. Inside hosts are in the 192.168.1.0/24 subnet and still reach the ISP with their private addresses. What is the most likely reason?

A. The ACL used for NAT does not match the inside client subnet.
B. GigabitEthernet0/0 should be configured as ip nat inside.
C. PAT cannot use an interface address as the translated source.
D. The router must run OSPF before NAT overload can function.
Answer: A

The overload statement references ACL 1, but ACL 1 permits 10.1.1.0/24 while the inside hosts are in 192.168.1.0/24, so their packets never match the list and leave untranslated.

Why this answer

The ACL matches the wrong inside subnet. NAT overload will only translate traffic that matches the source list or route map tied to the NAT statement. The interfaces are marked inside and outside correctly, so the bad match criteria is the most likely failure point.

Exam trap

A frequent exam trap is assuming that NAT overload requires routing protocols such as OSPF to function or that the outside interface cannot be used as the source address for translation. Some candidates also mistakenly believe that misconfigured interface NAT designations cause the problem when the real issue is the ACL mismatch. The trap lies in overlooking the ACL's role in defining which inside addresses are translated.

If the ACL does not include the correct inside subnet, NAT will not translate those packets, causing inside hosts to leak private IPs to the ISP. This subtle misconfiguration is often missed under exam pressure.

Why the other options are wrong

B

GigabitEthernet0/0 is already configured as ip nat inside, and the ISP-facing Gi0/1 as ip nat outside, so this option describes the existing state rather than a change. The problem is not the interface NAT designation but the ACL mismatch; touching the interface roles would not make the 192.168.1.0/24 traffic match list 1.

C

This option is incorrect because NAT overload commonly uses the IP address of the outside interface as the translated source address. This is standard Cisco NAT behavior and not a cause of failure in this scenario.

D

This option is incorrect because NAT does not depend on routing protocols like OSPF to function. NAT translation is independent of routing protocols, so running OSPF is not required for NAT overload to work.
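Added example (written for this page; not Cisco's or any vendor's tool): a small Python auditor that parses IOS-style running-config text and flags the three misconfigurations behind questions 226, 227 and 230 above: an access port wrongly trusted for DHCP snooping (or an uplink left untrusted), a router interface address that sits inside a DHCP pool without an excluded-address entry, and a NAT overload source list that does not cover the inside subnet. The two configs and the uplink set are constructed and trimmed for the demonstration; the parser understands only the handful of commands the checks need (standard numbered ACLs with a wildcard, one `network` per pool, `ip address A.B.C.D mask`, a comma-separated snooping VLAN list).

```python
import ipaddress
import re
# Constructed, trimmed sample configs (not the page's exhibits); each carries the mistake its question describes.
SWITCH_CFG = """\
ip dhcp snooping
ip dhcp snooping vlan 10
interface GigabitEthernet1/0/1
 switchport access vlan 10
 ip dhcp snooping trust
interface GigabitEthernet1/0/24
"""
ROUTER_CFG = """\
ip dhcp pool LAN
 network 192.168.10.0 255.255.255.0
interface GigabitEthernet0/0
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
access-list 1 permit 10.1.1.0 0.0.0.255
ip nat inside source list 1 interface GigabitEthernet0/1 overload
"""

def parse_blocks(cfg):
    """IOS config text -> [(top-level line, [indented child lines])]; '!' lines are skipped."""
    blocks = []
    for line in cfg.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks

def interfaces(blocks):
    """{name: (IPv4Interface or None, child lines)} for every interface block."""
    out = {}
    for head, body in blocks:
        if head.startswith("interface "):
            m = next((re.match(r"ip address (\S+) (\S+)$", l) for l in body if l.startswith("ip address ")), None)
            out[head.split()[1]] = (ipaddress.ip_interface(f"{m[1]}/{m[2]}") if m else None, body)
    return out

def wildcard_to_network(ip, wildcard):
    """Cisco wildcard (0.0.0.255) -> IPv4Network; non-contiguous wildcards are rejected."""
    wild = int(ipaddress.IPv4Address(wildcard))
    prefixlen = 32 - wild.bit_length()
    if wild != (1 << (32 - prefixlen)) - 1:
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)

def audit_dhcp_snooping(cfg, uplinks):
    """Q226: snooping on globally and for each access VLAN; trust only the uplinks."""
    blocks, findings, snooped = parse_blocks(cfg), [], set()
    heads = [h for h, _ in blocks]
    if "ip dhcp snooping" not in heads:
        findings.append("DHCP snooping is not enabled globally")
    for h in heads:
        if h.startswith("ip dhcp snooping vlan "):       # comma list only, e.g. "10,20"
            snooped.update(int(v) for v in h.split()[4].split(","))
    for name, (_, body) in interfaces(blocks).items():
        vlan = next((int(l.split()[-1]) for l in body if l.startswith("switchport access vlan ")), None)
        trusted = "ip dhcp snooping trust" in body
        if vlan is not None and vlan not in snooped:
            findings.append(f"{name}: access VLAN {vlan} is not covered by DHCP snooping")
        if trusted and name not in uplinks:
            findings.append(f"{name}: trusted but not an uplink; a rogue DHCP server here is accepted")
        if name in uplinks and not trusted:
            findings.append(f"{name}: uplink is untrusted; OFFER/ACK from the real server are dropped")
    return findings

def audit_dhcp_pools(cfg):
    """Q227: an interface address that falls inside a pool network must be excluded."""
    blocks, findings, excluded = parse_blocks(cfg), [], []
    for h, _ in blocks:
        if m := re.match(r"ip dhcp excluded-address (\S+)(?: (\S+))?$", h):
            excluded.append((ipaddress.IPv4Address(m[1]), ipaddress.IPv4Address(m[2] or m[1])))
    for h, body in blocks:
        if h.startswith("ip dhcp pool "):
            for l in body:
                if l.startswith("network "):
                    net = ipaddress.ip_network("/".join(l.split()[1:3]), strict=False)
                    for name, (addr, _) in interfaces(blocks).items():
                        if addr and addr.ip in net and not any(lo <= addr.ip <= hi for lo, hi in excluded):
                            findings.append(f"pool {h.split()[-1]}: {name} address {addr.ip} is in {net} and not excluded")
    return findings

def audit_nat_overload(cfg):
    """Q230: the NAT source list must match every subnet behind an 'ip nat inside' interface."""
    blocks, findings, acls = parse_blocks(cfg), [], {}
    for h, _ in blocks:
        if m := re.match(r"access-list (\d+) permit (\S+) (\S+)$", h):
            acls.setdefault(m[1], []).append(wildcard_to_network(m[2], m[3]))
    for h, _ in blocks:
        if m := re.match(r"ip nat inside source list (\d+) interface \S+ overload$", h):
            for name, (addr, body) in interfaces(blocks).items():
                if addr and "ip nat inside" in body and not any(addr.network.subnet_of(n) for n in acls.get(m[1], [])):
                    findings.append(f"NAT list {m[1]}: inside subnet {addr.network} on {name} is not matched; hosts leak private addresses")
    return findings
```

Run `audit_dhcp_snooping(SWITCH_CFG, {"GigabitEthernet1/0/24"})`, `audit_dhcp_pools(ROUTER_CFG)` and `audit_nat_overload(ROUTER_CFG)` and each returns exactly one finding per planted mistake; adding `ip dhcp excluded-address 192.168.10.1` or changing list 1 to `192.168.10.0 0.0.0.255` empties the corresponding list. The wildcard helper rejects non-contiguous masks on purpose: an ACL written with one usually matches something other than what its author meant.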

231
Multi-Select · medium

Which THREE statements correctly describe the configuration of AAA with RADIUS or TACACS+ on Cisco IOS-XE?

Select 3 answers
A. RADIUS encrypts the entire packet payload, including all attributes.
B. TACACS+ encrypts the entire body of the packet but leaves the standard TCP header unencrypted.
C. TACACS+ uses UDP as its transport protocol, while RADIUS uses TCP.
D. TACACS+ separates authentication, authorization, and accounting into three distinct functions, allowing independent server configuration for each.
E. RADIUS combines authentication and authorization into a single process, meaning an access-accept packet includes both authentication success and authorization attributes.
F. When configuring 802.1X on IOS-XE, the switch acts as the authentication server and validates client credentials locally.
Answers: B, D, E

TACACS+ obfuscates the entire body of the packet with an MD5-derived pseudo-pad keyed by the shared secret, so every attribute (usernames, commands, authorization results) is hidden from a sniffer; only the IP/TCP headers and the 12-byte TACACS+ header travel in clear. RFC 8907 deliberately calls this obfuscation rather than encryption, because MD5 chaining with a static shared secret is not a modern cipher, but it still covers far more than RADIUS, which hides only the password.

Why this answer

Option B is correct: TACACS+ encrypts the entire body of the packet (including all attributes) but leaves the TCP header unencrypted. Option D is correct: TACACS+ separates authentication, authorization, and accounting into three distinct functions, allowing independent server configuration for each. Option E is correct: RADIUS combines authentication and authorization into a single process, so an access-accept packet includes both authentication success and authorization attributes.

Option A is wrong: RADIUS hides only the User-Password attribute (XORed against an MD5 keystream derived from the shared secret and the Request Authenticator); every other attribute, including User-Name and the authorization attributes in the reply, is sent in clear text. Option C is wrong: TACACS+ uses TCP port 49, while RADIUS uses UDP (1812 for authentication and 1813 for accounting, with 1645/1646 as legacy ports). Option F is wrong: in 802.1X on IOS-XE the switch is the authenticator, not the authentication server; it relays EAP between the supplicant and an external RADIUS server that validates the credentials.

Exam trap

Cisco often tests the confusion between RADIUS and TACACS+ encryption scope and transport protocols, where candidates mistakenly think RADIUS encrypts the entire payload or that TACACS+ uses UDP, when in fact RADIUS only encrypts the password and uses UDP, while TACACS+ encrypts the full body and uses TCP.

Why the other options are wrong

A

RADIUS only hides the User-Password attribute in the Access-Request; the rest of the packet, including the username and the authorization attributes returned in the Access-Accept, is sent in clear text. This is a key security limitation of RADIUS compared to TACACS+. Where that matters, RADIUS can be carried over TLS (RadSec, RFC 6614), or TACACS+ can be used for device administration.

C

TACACS+ uses TCP (port 49) as its transport protocol, while RADIUS uses UDP (ports 1812/1813). This is a fundamental difference: TCP provides reliable, connection-oriented delivery, whereas UDP is connectionless and faster but less reliable.

F

In 802.1X, the switch acts as an authenticator (passing EAP messages between the client and the authentication server), not as the authentication server itself. The authentication server is typically a RADIUS server that validates client credentials.
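To make the scope difference concrete, here is an added Python example (written for this page; not Cisco's or any vendor's code) that implements the two mechanisms the options describe: RFC 2865 User-Password hiding, which is the only protection RADIUS applies, and the RFC 8907 TACACS+ body pseudo-pad. The shared secrets, Request Authenticator, session id and attribute values are constructed for the demonstration. Parsing the RADIUS attributes back without the secret shows that User-Name is readable on the wire while User-Password is not.

```python
import hashlib
import struct


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def radius_hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: the only RADIUS attribute that is hidden.
    The password is NUL-padded to a multiple of 16; keystream block i is
    MD5(secret || previous ciphertext block), seeded with the Request Authenticator."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def radius_unhide_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """What the RADIUS server does; trailing NUL bytes are padding, not password."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out, prev = out + _xor(block, hashlib.md5(secret + prev).digest()), block
    return out.rstrip(b"\x00")


def radius_attributes(username: bytes, hidden_password: bytes) -> bytes:
    """Type-Length-Value encoding of User-Name (type 1) and User-Password (type 2)."""
    return (bytes([1, 2 + len(username)]) + username
            + bytes([2, 2 + len(hidden_password)]) + hidden_password)


def parse_radius_attributes(data: bytes) -> dict:
    """What an on-path observer can read with no knowledge of the secret."""
    attrs, i = {}, 0
    while i < len(data):
        attr_type, length = data[i], data[i + 1]
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def tacacs_plus_obfuscate(body: bytes, key: bytes, session_id: int, version: int, seq_no: int) -> bytes:
    """RFC 8907 section 4.5: body XOR an MD5-chained pseudo-pad. Applying it twice
    restores the body. session_id, version and seq_no come from the clear-text header."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(seed + prev).digest()   # MD5_n = MD5(seed || MD5_n-1)
        pad += prev
    return _xor(body, pad)                         # zip() truncates the pad to the body
```

Both constructions are MD5 keystreams keyed by a static shared secret: an attacker who captures one Access-Request can brute-force the secret offline against the hidden password, which is why RadSec or a dedicated management network is the practical mitigation. The example only shows what each protocol covers; it is not a recommendation to rely on either as transport protection.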

232
PBQ · hard

You are connected to R1 via the console. The network has a DNS server at 203.0.113.10 that should resolve www.example.com to 203.0.113.100. However, when you ping www.example.com, it fails. Diagnose and resolve the DNS resolution issue. The DNS server is reachable via ping, but nslookup from R1 returns a server failure. Configure R1 so that it can successfully resolve www.example.com. Additionally, verify that the DNS server is correctly configured for forward and reverse lookups.

Network Topology

R1 G0/0 (10.0.0.1/30) ---- G0/0 (10.0.0.2/30) R2 G0/1 (203.0.113.2/24) ---- DNS Server (203.0.113.10/24)

Hints

  • Check the configured name-server IP address in the running-config.
  • The DNS server is reachable, but the router is querying the wrong server.
  • After fixing the name-server, ensure the DNS server has the correct A record for the domain.
A. Configure 'ip name-server 203.0.113.10' under global configuration and ensure the DNS server has an A record for www.example.com pointing to 203.0.113.100.
B. Configure 'ip domain-lookup' and 'ip name-server 10.0.0.2' under global configuration, then verify with ping www.example.com.
C. Configure 'ip domain-lookup' and 'ip host www.example.com 203.0.113.100' under global configuration, then verify with ping www.example.com.
D. Configure 'ip dns server' under global configuration to make R1 act as a DNS server, then add an A record for www.example.com.
Answer: A

Solution
! R1
configure terminal
! 10.0.0.2 is R2's interface, not the DNS server: replace it
no ip name-server 10.0.0.2
ip name-server 203.0.113.10
! name resolution is on by default; re-enable it if 'no ip domain lookup' is present
ip domain lookup
end
write memory
! verify
ping www.example.com
show hosts

Why this answer

The name-server configured on R1 points at 10.0.0.2, which is R2's interface and not a DNS server, instead of the actual DNS server at 203.0.113.10. The fix is to replace that entry with the real server address. The task also asks you to verify the server side: a 'server failure' (SERVFAIL) can equally come from a resolver that has no usable zone data, so confirm that the A record for www.example.com exists and points to 203.0.113.100 before treating the problem as solved.

After correcting the name-server, `ping www.example.com` from R1 should resolve to 203.0.113.100, and `show hosts` lists the cached entry. For reverse lookup, a PTR record for 203.0.113.100 (100.113.0.203.in-addr.arpa) pointing to www.example.com must exist on the DNS server.

Exam trap

The exam trap is that candidates may confuse the 'ip name-server' command with 'ip host' or 'ip dns server'. They might also overlook the need to verify the DNS server's records. Always check the configured name-server IP first when DNS resolution fails.

Why the other options are wrong

B

The name-server address must match the actual DNS server; 10.0.0.2 is R2's G0/0 interface, which runs no DNS service, so queries sent there cannot resolve the hostname.

C

The specific factual error: The 'ip host' command creates a static mapping, not a DNS resolution. The question requires DNS resolution to work, not a static override.

D

The specific factual error: The 'ip dns server' command enables DNS server services on the router, but the router is not meant to be a DNS server in this scenario. The fix is to point to the existing DNS server.

233
MCQ · easy

Why is SSH preferred over Telnet for device management?

A. SSH uses UDP and is therefore faster
B. SSH encrypts the session traffic
C. SSH works only on Layer 2 networks
D. SSH does not require user authentication
Answer: B

That is the main security advantage.

Why this answer

SSH encrypts the management session, including usernames, passwords, and commands. Telnet sends traffic in clear text, which makes it unsafe on modern networks.

Exam trap

A frequent exam trap is the misconception that SSH uses UDP or does not require user authentication. Some candidates mistakenly believe SSH is faster because it uses UDP, but SSH actually uses TCP to ensure reliable, ordered delivery of encrypted data. Another trap is thinking SSH works only on Layer 2 networks, whereas it operates over IP and can be used across routed networks.

Additionally, assuming SSH does not require authentication is incorrect; SSH mandates authentication to establish a secure session. Recognizing these facts helps avoid selecting incorrect options related to SSH’s protocol and security features.

Why the other options are wrong

A

Option A incorrectly states that SSH uses UDP and is therefore faster. SSH runs over TCP (port 22): reliability comes from TCP, while confidentiality and integrity come from SSH's own encryption and message authentication, so the option is false on both counts.

C

Option C incorrectly claims SSH works only on Layer 2 networks. SSH operates over IP (Layer 3) and can be used across routed networks, so this option is false.

D

Option D falsely asserts that SSH does not require user authentication. SSH requires authentication to establish a secure session, making this option incorrect.

234
MCQ · hard

Users in 10.10.10.0/24 must be prevented from reaching the web server at 172.16.1.10 over HTTP, but all other traffic should be allowed. Which ACL entry best matches the requirement?

A. deny tcp 10.10.10.0 0.0.0.255 host 172.16.1.10 eq 80
B. deny ip 10.10.10.0 0.0.0.255 host 172.16.1.10
C. deny udp 10.10.10.0 0.0.0.255 host 172.16.1.10 eq 80
D. permit tcp 10.10.10.0 0.0.0.255 host 172.16.1.10 eq 80
Answer: A

This is correct because it blocks only TCP port 80 traffic from the source subnet to the web server.

Why this answer

The correct ACL entry is an extended ACL deny statement that matches TCP from the source subnet to the destination host on port 80. The requirement is narrow: block HTTP only, from one source network to one server, while allowing everything else, so `deny tcp` with the right source, destination and port is more accurate than a broad `deny ip`. Two things the single line does not show: every ACL ends in an implicit deny, so this entry must be followed by `permit ip any any` or the ACL blocks all traffic; and as an extended ACL it belongs inbound on the interface closest to the 10.10.10.0/24 source. Note also that port 80 covers plain HTTP only; if the server also listens on 443, HTTPS remains allowed by this entry.

This is a classic ACL precision question. The exam is testing whether you can match the requirement exactly rather than overblocking.

Exam trap

A common exam trap is selecting a deny statement that blocks all IP traffic (option B) instead of just HTTP traffic. This overblocking disrupts legitimate services beyond HTTP, violating the requirement to allow all other traffic. Another trap is denying UDP port 80 (option C), which is ineffective because HTTP uses TCP, not UDP.

Additionally, mistakenly permitting TCP port 80 traffic (option D) contradicts the goal of blocking HTTP access. Understanding the difference between protocol types and the impact of broad versus specific ACL entries is essential to avoid these pitfalls.

Why the other options are wrong

B

Option B denies all IP traffic from the source subnet to the destination host, which is too broad and blocks all services, not just HTTP, violating the requirement to allow other traffic.

C

Option C denies UDP traffic on port 80, but HTTP uses TCP, so this entry would not block HTTP traffic and fails to meet the requirement.

D

Option D permits TCP traffic on port 80, which contradicts the requirement to block HTTP traffic from the source subnet to the web server.
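As an added example (not from the page), the following Python evaluates Cisco-style extended ACL entries against sample packets so the four options can be compared on actual traffic. The packets and ACL lists are constructed for the demonstration; each candidate entry is followed by `permit ip any any`, because without that line the implicit deny at the end of the ACL blocks everything, which the last check shows. The parser covers the `any`, `host` and wildcard address forms and a single `eq` port.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str                   # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None  # destination port for tcp/udp


@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # from "eq <port>", tcp/udp only


def _parse_addr(toks, i):
    """Cisco address spec at toks[i]: any | host A.B.C.D | A.B.C.D wildcard."""
    if toks[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if toks[i] == "host":
        return ipaddress.ip_network(toks[i + 1] + "/32"), i + 2
    ip, wild = toks[i], toks[i + 1]
    # ipaddress accepts a hostmask, but 0.0.0.0 and 255.255.255.255 would be read as netmasks
    if wild == "0.0.0.0":
        return ipaddress.ip_network(ip + "/32"), i + 2
    if wild == "255.255.255.255":
        return ipaddress.ip_network("0.0.0.0/0"), i + 2
    return ipaddress.ip_network(f"{ip}/{wild}", strict=False), i + 2   # non-contiguous wildcard raises


def parse_ace(line: str) -> Ace:
    toks = line.split()
    src, i = _parse_addr(toks, 2)
    dst, i = _parse_addr(toks, i)
    dport = int(toks[i + 1]) if i < len(toks) and toks[i] == "eq" else None
    return Ace(toks[0], toks[1], src, dst, dport)


def matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ace.src or ipaddress.ip_address(pkt.dst) not in ace.dst:
        return False
    return ace.dport is None or ace.dport == pkt.dport


def evaluate(acl, pkt: Packet) -> str:
    """First matching entry decides; no match falls into the implicit deny."""
    for ace in acl:
        if matches(ace, pkt):
            return ace.action
    return "deny"


def verdicts(acl_lines, packets):
    """{packet name: 'permit' | 'deny'} for an ACL written as Cisco CLI lines."""
    acl = [parse_ace(line) for line in acl_lines]
    return {name: evaluate(acl, pkt) for name, pkt in packets.items()}


# Constructed traffic from a user host to the web server, plus one flow to another server.
PACKETS = {
    "http": Packet("tcp", "10.10.10.25", "172.16.1.10", 80),
    "https": Packet("tcp", "10.10.10.25", "172.16.1.10", 443),
    "dns": Packet("udp", "10.10.10.25", "172.16.1.10", 53),
    "icmp": Packet("icmp", "10.10.10.25", "172.16.1.10"),
    "http_other_server": Packet("tcp", "10.10.10.25", "172.16.1.20", 80),
}
PERMIT_REST = "permit ip any any"   # without it the implicit deny blocks everything else
OPTION_A = ["deny tcp 10.10.10.0 0.0.0.255 host 172.16.1.10 eq 80", PERMIT_REST]
OPTION_B = ["deny ip 10.10.10.0 0.0.0.255 host 172.16.1.10", PERMIT_REST]
OPTION_C = ["deny udp 10.10.10.0 0.0.0.255 host 172.16.1.10 eq 80", PERMIT_REST]
OPTION_D = ["permit tcp 10.10.10.0 0.0.0.255 host 172.16.1.10 eq 80", PERMIT_REST]
```

`verdicts(OPTION_A, PACKETS)` denies only the HTTP flow; option B denies every flow to the server; options C and D deny nothing; and `verdicts(OPTION_A[:1], PACKETS)` denies everything, which is what happens on a real interface when the `permit ip any any` line is forgotten.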

235
Drag & Drop · medium

Drag and drop the following steps into the correct order to trace the DNS resolution process from a client query to receiving an A-record response.

Steps in the correct order
1. The client sends the query to its configured recursive resolver.
2. The resolver queries a root name server and is referred to the TLD server for the domain's top-level domain.
3. The resolver queries the TLD server and is referred to the domain's authoritative name server.
4. The resolver queries the authoritative server, receives the A record, caches it and returns it to the client.

Why this order

The client first sends its query to a recursive resolver (often provided by the ISP or a public DNS service). The resolver then queries a root name server to find the TLD server for the domain's top-level domain (e.g., .com). Next, the resolver queries the TLD server to learn the authoritative name server for the specific domain.

Finally, the resolver queries that authoritative server, which responds with the A record containing the IP address. Each step depends on the previous one because higher-level servers only delegate to lower levels, not store final records. The resolver then caches the response and returns it to the client, completing the process.

nslookup and dig are diagnostic tools: they send a query to a resolver (or, when told to, to a specific server) and show you the answer, which is how you verify the process when records are missing or wrong. They are not steps in the resolution itself.

Exam trap

Do not confuse the order of root and TLD queries. The root server is always queried first to find the TLD server. Also, remember that the recursive resolver caches responses, so not every query goes through the full hierarchy.
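An added Python simulation (not from the page) of the four steps above: a stub client hands the name to a recursive resolver, which walks root, TLD and authoritative servers by following referrals and caches the final answer, so a repeated lookup never leaves the resolver. The server table, names and addresses are constructed for the example; real servers return NS and glue records rather than the string labels used here.

```python
from typing import NamedTuple


class Reply(NamedTuple):
    kind: str   # "answer", "referral" or "nxdomain"
    data: str   # IPv4 address for an answer, next server to ask for a referral


# Constructed zone data. Each server knows only its own records and the
# delegations it hands out; no server above the authoritative one holds the A record.
SERVERS = {
    "root": {"records": {}, "delegations": {"com.": "tld-com"}},
    "tld-com": {"records": {}, "delegations": {"example.com.": "auth-example"}},
    "auth-example": {"records": {"www.example.com.": "203.0.113.100"}, "delegations": {}},
}


def ask(server: str, qname: str) -> Reply:
    """One iterative query to one server: answer if it owns the record, else refer downward."""
    s = SERVERS[server]
    if qname in s["records"]:
        return Reply("answer", s["records"][qname])
    for zone, child in s["delegations"].items():
        if qname == zone or qname.endswith("." + zone):
            return Reply("referral", child)
    return Reply("nxdomain", "")


class RecursiveResolver:
    def __init__(self) -> None:
        self.cache: dict = {}
        self.trace: list = []      # servers consulted for the most recent query

    def resolve(self, qname: str):
        self.trace = []
        if qname in self.cache:    # cached answers short-circuit the whole hierarchy
            self.trace.append("cache")
            return self.cache[qname]
        server = "root"            # step 2: the walk always starts at the root
        while True:
            self.trace.append(server)
            reply = ask(server, qname)
            if reply.kind == "referral":
                server = reply.data   # steps 3 and 4: follow the delegation one level down
            elif reply.kind == "answer":
                self.cache[qname] = reply.data
                return reply.data
            else:
                return None


def client_lookup(resolver: RecursiveResolver, name: str):
    """Step 1: the stub client sends everything to its recursive resolver."""
    qname = name if name.endswith(".") else name + "."
    return resolver.resolve(qname)
```

The first `client_lookup` for www.example.com records the trace `["root", "tld-com", "auth-example"]`; the second records `["cache"]`, which is the behaviour the exam trap above refers to.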

236
MCQ · hard

Based on the exhibit, why are clients in VLAN 70 failing to resolve hostnames even though they can reach remote IP addresses?

A. The clients are missing valid DNS server information.
B. The default gateway must be removed from the DHCP scope.
C. The clients must use PPP before DNS works.
D. The VLAN must be converted to the native VLAN on all trunks.
Answer: A

This is correct because hostname-based access fails while direct IP access works, and the scope shown does not provide a DNS server option.

Why this answer

The strongest explanation is that the clients are missing valid DNS server information. In practical terms, successful reachability to remote IP addresses proves that Layer 3 forwarding is working. The failure occurs only when a hostname is used, which points to a naming service problem rather than a general connectivity problem. The DHCP scope shown provides an address and default gateway, but no DNS server option is defined.

This is a very realistic IP-services troubleshooting pattern because the network path works while application usability still fails.

Exam trap

A frequent exam trap is to mistake the inability to resolve hostnames as a routing or VLAN trunking problem. Candidates might incorrectly believe that removing the default gateway or converting the VLAN to the native VLAN on trunks will resolve the issue. However, these options do not address DNS resolution, which is an application-layer service independent of Layer 3 forwarding.

The trap arises because clients can reach remote IP addresses, misleading candidates to focus on routing or VLAN configuration rather than missing DNS server information in the DHCP scope.

Why the other options are wrong

B

Removing the default gateway from the DHCP scope is incorrect because the default gateway is essential for routing traffic outside the local VLAN. Its presence does not cause hostname resolution failures.

C

The suggestion that clients must use PPP before DNS works is incorrect because PPP is unrelated to DNS resolution in a typical VLAN and DHCP environment. DNS operates independently of PPP.

D

Converting the VLAN to the native VLAN on all trunks does not affect DNS resolution. This option addresses Layer 2 trunking issues, which are unrelated to the hostname resolution problem described.

237
Matching · medium

Drag and drop the DNS record types on the left to their correct descriptions or purposes on the right.

Pairings

A record → Maps a hostname to an IPv4 address

AAAA record → Maps a hostname to an IPv6 address

CNAME record → Creates an alias from one domain name to another

MX record → Specifies the mail server responsible for accepting email on behalf of a domain

NS record → Identifies the authoritative name servers for a DNS zone

PTR record → Used for reverse DNS lookup, mapping an IP address to a hostname

Why these pairings

These pairings correctly match each DNS record type to its function: A maps hostnames to IPv4, AAAA to IPv6, CNAME creates an alias, MX specifies mail servers, NS identifies authoritative name servers, and PTR enables reverse DNS lookup.

Exam trap

Be careful not to confuse A and AAAA records based on address family, or to mix up CNAME and MX records. Always associate the record type with its specific function.

238
Matching · medium

Match each service or visibility technology to the most appropriate use case.

Pairings

Syslog → Collecting device events and messages centrally

SNMP → Reading interface status and counters from devices

NetFlow → Finding which hosts are using the most bandwidth

NTP → Keeping event timelines consistent across systems

Why these pairings

Syslog collects device events and messages centrally, providing a centralized log repository. SNMP reads interface status and counters from devices, offering real-time device monitoring. NetFlow analyzes network traffic to identify bandwidth usage by host, making it ideal for finding top talkers.

NTP synchronizes clocks across systems to maintain consistent event timelines. Each technology is matched to its primary use case.

Exam trap

The trap here is that many technologies have overlapping capabilities (e.g., SNMP can also monitor interface traffic, but it is not a traffic analysis tool like NetFlow). Candidates must focus on the primary, most specific use case for each technology as defined in Cisco documentation.

239
MCQ · hard

An internal server must always be reachable from outside using the same public IP address. Which translation approach is most appropriate?

A. Static NAT
B. PAT overload
C. No NAT
D. DHCP relay
Answer: A

This is correct because static NAT creates a fixed public-to-private mapping for the server.

Why this answer

A static NAT mapping is the most appropriate approach. In plain language, the outside world needs a stable public address that always represents the same internal server. Static NAT provides that fixed one-to-one relationship, which makes the service reachable predictably. Because the mapping is permanent and works in both directions, every port on the server becomes reachable from outside; pair the static NAT with an inbound ACL on the outside interface that allows only the intended service ports.

PAT is better suited for many outbound users sharing one public address, not for presenting one inside server with a consistent external identity. The correct answer is the one that provides a permanent mapping.

Exam trap

A common exam trap is selecting PAT overload instead of static NAT for a server that must be reachable from outside using the same public IP. PAT overload is designed for many internal hosts sharing a single public IP for outbound connections, not for providing a fixed public IP for inbound access. This misunderstanding leads to incorrect assumptions about how inbound traffic is handled.

The exam tests your ability to distinguish between dynamic port-based translation and static one-to-one mappings, so confusing these concepts can cause you to choose the wrong NAT approach.

Why the other options are wrong

B

PAT overload is incorrect because it allows multiple internal hosts to share a single public IP for outbound traffic but does not provide a stable public IP for inbound connections to a specific server.

C

No NAT is incorrect because private IP addresses are not routable on the Internet, so the internal server would not be reachable from outside without address translation.

D

DHCP relay is unrelated to NAT or external reachability; it only forwards DHCP requests between clients and servers across subnets and does not affect how the server is accessed externally.

240
MCQ · medium

R1 has these static routes configured. When the primary WAN path is up, which route will be installed in the routing table for traffic to 172.16.50.0/24?

A. The route via 10.1.1.2
B. The route via 10.2.2.2
C. The default route via 10.3.3.2
D. Both routes load-balance automatically because the prefix is identical.
Answer: A

It has the lowest AD for that exact prefix.

Why this answer

The route with the lowest administrative distance wins when multiple routes to the same prefix exist. The route via 10.1.1.2 has AD 1, so it is preferred over the floating static route with AD 5. The default route is less specific and does not beat an exact /24 match.

Exam trap

A frequent exam trap is believing that both static routes to the same prefix will load-balance traffic simply because they share the same destination network. This misconception ignores the role of administrative distance, which Cisco uses to select a single best route. Since the two static routes have different AD values (1 and 5), the router will not load-balance but will prefer the route with AD 1 exclusively.

Misreading the floating static route as an active equal-cost path can lead to incorrect answers and misunderstandings about route failover behavior.

Why the other options are wrong

B

This option is incorrect because the route via 10.2.2.2 has a higher administrative distance (AD 5), making it a floating static route that only becomes active if the primary route fails.

C

This option is incorrect because the default route via 10.3.3.2 is less specific than the /24 static routes and will not be installed when a more specific route exists.

D

This option is incorrect because load balancing requires routes to have equal administrative distances and metrics. Since the static routes have different ADs, the router does not load-balance between them.
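An added Python example (not from the page) of the selection the question describes: per prefix, only the candidates with the lowest administrative distance (and then metric) are installed, so the AD 5 floating static stays out of the table until the AD 1 route is withdrawn; packet lookup then uses the longest matching prefix, so the /24 beats the default route. The routes and destinations are constructed to match the question.

```python
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str
    admin_distance: int
    metric: int = 0
    usable: bool = True        # exit interface up / next hop resolvable


def static(prefix: str, next_hop: str, ad: int = 1, usable: bool = True) -> Route:
    return Route(ipaddress.ip_network(prefix), next_hop, ad, 0, usable)


def routing_table(candidates):
    """For each prefix keep only the routes with the lowest (AD, metric);
    routes that tie are all installed and share traffic (ECMP)."""
    best = {}
    for r in candidates:
        if not r.usable:
            continue
        key = (r.admin_distance, r.metric)
        if r.prefix not in best or key < best[r.prefix][0]:
            best[r.prefix] = (key, [r])
        elif key == best[r.prefix][0]:
            best[r.prefix][1].append(r)
    return [r for _, routes in best.values() for r in routes]


def lookup(table, dst: str):
    """Longest prefix match over the installed routes; returns the next hop(s)."""
    ip = ipaddress.ip_address(dst)
    matching = [r for r in table if ip in r.prefix]
    if not matching:
        return []
    longest = max(r.prefix.prefixlen for r in matching)
    return [r.next_hop for r in matching if r.prefix.prefixlen == longest]


# Constructed to mirror the question: primary static, floating backup, default route.
CANDIDATES = [
    static("172.16.50.0/24", "10.1.1.2", ad=1),
    static("172.16.50.0/24", "10.2.2.2", ad=5),
    static("0.0.0.0/0", "10.3.3.2", ad=1),
]


def next_hops(dst: str, primary_up: bool = True):
    """Next hop(s) for dst with the primary path up, or withdrawn when primary_up is False."""
    routes = [replace(r, usable=primary_up) if r.next_hop == "10.1.1.2" else r for r in CANDIDATES]
    return lookup(routing_table(routes), dst)
```

`next_hops("172.16.50.7")` returns only 10.1.1.2, `next_hops("172.16.50.7", primary_up=False)` returns 10.2.2.2, and an address outside the /24 falls through to 10.3.3.2 either way. Note what "withdrawn" means for a static route: IOS removes it only when its exit interface goes down or its next hop stops being reachable. A failure further upstream leaves the primary installed and the backup idle, which is why floating statics are usually paired with an IP SLA track on the primary.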

241
MCQ · hard

A host receives a correct IP address and subnet mask from DHCP but still cannot reach remote networks. Local subnet communication works. Which missing DHCP option is the strongest suspect?

A. Default gateway information
B. An STP root bridge ID
C. A voice VLAN value
D. A router ID
Answer: A

This is correct because the host needs a default gateway for off-subnet traffic.

Why this answer

The strongest suspect is the default gateway option. In practical terms, the host can already identify local destinations because the subnet mask is present. That is why local communication still works. What it does not have is the next hop needed for off-subnet traffic. Without a default gateway, remote communication usually fails.

This is a very common host-troubleshooting scenario. It separates basic local addressing from the additional information required for off-subnet reachability.

Exam trap

A common exam trap is selecting options like STP root bridge ID or voice VLAN as the cause of remote connectivity failure. These options relate to Layer 2 switching or voice VLAN segmentation and do not affect IP routing or host reachability to remote networks. Candidates might confuse DHCP options that influence Layer 2 behavior with those critical for Layer 3 routing.

The key mistake is overlooking the default gateway option, which is essential for off-subnet traffic forwarding. This trap tests the candidate’s understanding of DHCP’s role in providing routing information, not just IP addressing.

Why the other options are wrong

B

An STP root bridge ID is irrelevant to host IP reachability because it pertains to Layer 2 spanning tree topology and does not affect IP routing or DHCP configuration for hosts.

C

A voice VLAN value is specific to voice traffic segmentation on switches and does not influence a host’s ability to route IP packets to remote networks, making it unrelated to the connectivity issue.

D

A router ID is a concept used in routing protocols like OSPF and does not apply to DHCP or host IP configuration, so it cannot cause the described connectivity problem.

242
MCQ · medium

A network team wants routers and switches to have consistent timestamps in logs so event correlation is accurate during an outage. Which service should they verify first?

A. DNS
B. NTP
C. SNMP
D. CDP
Answer: B

Correct choice.

Why this answer

Consistent timestamps depend on synchronized clocks. NTP is the service used to keep network devices aligned to the same time reference, which makes syslog analysis and troubleshooting much more reliable.

Exam trap

Don't confuse protocols with similar acronyms or those related to network management. Focus on the specific function of time synchronization.

Why the other options are wrong

A

DNS (Domain Name System) resolves hostnames to IP addresses and has no role in time synchronization. DNS does not provide timestamp information or clock setting capabilities. Verifying DNS would not help ensure consistent timestamps in logs.

C

SNMP (Simple Network Management Protocol) is used for monitoring and managing network devices, not for time synchronization. While SNMP can retrieve device uptime or timestamps from MIBs, it does not set or synchronize clocks. Relying on SNMP for time consistency would not correct clock drift.

D

CDP (Cisco Discovery Protocol) is a Layer 2 protocol used to discover neighboring Cisco devices and their capabilities. It does not provide time synchronization or affect timestamps in logs. CDP is irrelevant for ensuring consistent timestamps.

243
Matching · medium

Match each security term to its most accurate meaning.


Verification of identity

Determination of permitted actions after identity is verified

Recording of activity or usage information

Protection against unauthorized modification

Why these pairings

These are common security threats. Phishing, ransomware, DDoS, man-in-the-middle, zero-day, and social engineering each have distinct meanings as described.

Exam trap

The exam often tests your ability to differentiate between attack types that share common delivery methods (e.g., email) but have different objectives and mechanisms. Focus on the primary goal of each attack: phishing aims to steal credentials, ransomware aims to extort money, DDoS aims to disrupt availability, and MitM aims to intercept data.

244
MCQ · hard

A router is configured with a static NAT mapping for an internal server. What is the main operational advantage of this design for outside clients?

A. The server is represented by a fixed public address that outside clients can reach predictably
B. The server automatically shares its public address with all inside users through overload
C. The server no longer needs an IP address on the internal network
D. The mapping removes the need for routing to the server
Answer: A

This is correct because static NAT creates a stable one-to-one mapping.

Why this answer

The main operational advantage is predictability. In plain language, outside clients always know which public IP address represents the internal server. That stable one-to-one mapping makes the server easier to reach consistently from external networks. This is exactly why static NAT is commonly used for inside services that need outside reachability.

This differs from PAT, which is optimized for many outbound user sessions sharing fewer public addresses. Static NAT is valuable when a specific device or service must have a stable external identity.

Exam trap

A frequent exam trap is confusing static NAT with PAT (Port Address Translation). While PAT allows many internal devices to share one public IP by using different port numbers, static NAT assigns a fixed public IP to a single internal device. Selecting an answer that suggests the server shares its public address with all inside users (like option B) is incorrect because static NAT does not perform address overload.

Another trap is assuming static NAT removes the need for routing; however, routing is still required to forward packets to the internal server. Misunderstanding these differences can lead to incorrect answers about NAT behavior and design advantages.

Why the other options are wrong

B

This option is incorrect because it describes PAT behavior, where multiple inside users share a public IP via port overload. Static NAT does not share the public address among users.

C

This option is incorrect because the internal server still requires a valid IP address on the internal network for routing and communication; static NAT does not remove this requirement.

D

This option is incorrect because NAT translates addresses but does not eliminate the need for routing. Proper routing is still necessary to deliver packets to the internal server.

245
MCQ · hard

Refer to the exhibit. A network engineer is troubleshooting DHCP issues on a branch office network. Several users report that new devices are unable to obtain IP addresses, even though the DHCP pool configured on R1 appears to have sufficient free addresses. The engineer executes the show ip dhcp conflict command and observes the output. Based on the output, what is the most likely cause of the problem?

A. The DHCP scope is misconfigured with an exclusion range that includes 192.168.1.50 to 192.168.1.59.
B. The ping timeout on the DHCP server is set too low, causing it to falsely detect conflicts.
C. Several hosts on the network are using static IP addresses from the DHCP pool range, causing the DHCP server to mark those addresses as conflicts and depleting the available pool.
D. The DHCP server is not properly releasing expired leases, causing the conflict table to fill up.
Answer: C

Each conflict entry with detection method 'Ping' indicates the server attempted to verify the address and received a reply, meaning a device is already using that IP statically or from another source. The server then marks it as a conflict and withdraws it from the pool, shrinking the pool until no addresses remain free.

Why this answer

The exhibit lists ten IP addresses (192.168.1.50 through .59) that have been detected as conflicts via Ping. This means the DHCP server sent ICMP echo requests to these addresses before offering them and received replies, confirming that hosts with those IPs already exist on the network—likely devices with static IP configurations. The server then marks them as conflicts and excludes them from the pool, reducing the number of available addresses.

With multiple static hosts consuming the address space, the DHCP pool becomes effectively exhausted, preventing new devices from obtaining IPs.

Exam trap

Candidates often mistakenly believe the ping timeout on the server is too short, causing false conflict detections. However, the output explicitly shows successful detection via Ping, meaning the server received a reply, so the conflicts are real and the addresses are genuinely in use.

Why the other options are wrong

A

Candidates may confuse administratively excluded addresses with dynamically detected conflicts.

B

The misconception is that aggressive ping settings create false conflicts, when in fact a conflict entry proves a reply was received.

D

Candidates might think that conflicts represent stale entries, but a conflict is a permanent record of a detected collision, not a lease state.

246
MCQ · hard

SW2 receives the following STP details for VLAN 10: The root bridge ID is 32768:0001.0001.0001 (SW1), and SW2's bridge ID is 32768:0002.0002.0002. Its interface Gi0/1 has a path cost of 4 to the root, while Gi0/2 has a path cost of 19. Based on this information, which statement is correct?

A. SW2 is the root bridge for VLAN 10.
B. Gi0/1 on SW2 is the root port.
C. All SW2 ports in VLAN 10 must be designated ports.
D. STP is disabled because the priorities are equal.
Answer: B

Gi0/1 has the lower root path cost (4, versus 19 on Gi0/2), so it is the port through which SW2 reaches the root and therefore its root port.

Why this answer

The root bridge has the lowest bridge ID. SW1 is the root because its bridge ID is lower than SW2's local bridge ID. On a non-root switch, the port with the best path toward the root becomes the root port, so Gi0/1 is the root port here.

Exam trap

A common exam trap is to incorrectly conclude that STP is disabled when bridge priorities are equal. Candidates may mistakenly believe that equal priorities cause STP to fail or not elect a root bridge. However, STP always elects a root bridge by comparing the MAC addresses as a tiebreaker when priorities match.

Another trap is assuming all ports on a non-root switch must be designated ports, ignoring the existence of a root port that leads toward the root bridge. Misreading the root port can lead to incorrect answers about port roles and network topology.

Why the other options are wrong

A

This option is incorrect because the root bridge ID shown in the STP details differs from SW2's local bridge ID, indicating SW2 is not the root bridge for VLAN 10.

C

This option is wrong since a non-root switch does not have all ports as designated ports; it must have one root port and may have other ports as designated or blocked.

D

This is incorrect because equal priorities do not disable STP; the protocol uses the MAC address portion of the bridge ID to break ties and continue operation.
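
The root bridge election and root-port choice described above, as an added Python example that is not part of the question bank: bridge IDs are compared on priority first and on the MAC address as the tiebreaker, and the root port is the interface with the lowest root path cost. The bridge IDs and port costs are the values given in the question; the `BridgeID` type and function names are this example's own.

```python
"""Root bridge election and root-port selection (STP), as in question 246.

Added example, not code from the quiz page. Bridge IDs and port costs
are the values stated in the question; the types and function names
are constructed for this illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BridgeID:
    priority: int
    mac: str  # dotted-hex form such as "0001.0001.0001"

    def key(self):
        # STP compares the priority first; when priorities are equal the
        # lower MAC address wins, so STP never fails to elect a root.
        return (self.priority, int(self.mac.replace(".", ""), 16))


def elect_root(bridges):
    """Return the name of the bridge whose bridge ID is lowest."""
    return min(bridges, key=lambda name: bridges[name].key())


def root_port(local, root, port_costs):
    """Return the root port of a non-root switch, or None if it is the root.

    port_costs maps an interface name to the root path cost reached via it.
    """
    if local.key() == root.key():
        return None  # the root bridge has only designated ports
    return min(port_costs, key=port_costs.get)


# Values from the question: equal priorities, SW1 has the lower MAC.
BRIDGES = {
    "SW1": BridgeID(32768, "0001.0001.0001"),
    "SW2": BridgeID(32768, "0002.0002.0002"),
}
SW2_PORT_COSTS = {"Gi0/1": 4, "Gi0/2": 19}

if __name__ == "__main__":
    root = elect_root(BRIDGES)
    print("root bridge for VLAN 10:", root)
    print("SW2 root port:", root_port(BRIDGES["SW2"], BRIDGES[root], SW2_PORT_COSTS))
```

Running the block prints SW1 as the root and Gi0/1 as SW2's root port, which is the reasoning behind answer B and the rejection of option D.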

247
Multi-Select · medium

Which two statements accurately describe why NTP and Syslog are often configured together?

Select 2 answers
A. Syslog provides event visibility, while NTP helps keep timestamps consistent across devices.
B. Consistent time improves the usefulness of centralized logs and event correlation.
C. NTP replaces the need for any event logging.
D. Syslog automatically assigns the NTP server address to all devices.
E. Both services can be used only on routers, not switches.
Answers: A, B

This is correct because the two services complement each other operationally.

Why this answer

NTP and Syslog are often configured together because logs become much more useful when the device clocks are aligned. In practical terms, Syslog provides the event messages, while NTP helps ensure that the timestamps on those messages are consistent across the environment. That makes troubleshooting and incident analysis more reliable.

This is a very practical operations concept and comes up often in real troubleshooting workflows.

Exam trap

A common exam trap is selecting the option that NTP replaces the need for event logging or that Syslog automatically configures NTP server addresses. Candidates might confuse time synchronization with logging functionality, but NTP only provides accurate time, not event data. Similarly, Syslog collects logs but does not manage NTP settings.

Misunderstanding these roles can lead to incorrect answers, as the two services complement each other but serve distinct purposes in network management.

Why the other options are wrong

C

This option is incorrect because NTP only synchronizes time and does not replace the need for event logging, which is handled by Syslog or other logging mechanisms.

D

This option is incorrect because Syslog does not configure NTP server addresses or manage time synchronization; these are separate configuration tasks.

E

This option is incorrect because both NTP and Syslog are widely used on various network devices, including routers and switches, not limited to routers alone.

248
Matching · medium

Match each troubleshooting observation to the most likely primary area to investigate first.


DNS

DHCP

NTP

Syslog

Why these pairings

When users can reach servers by IP but not by hostname, DNS resolution is failing. Hosts not receiving addresses automatically indicate DHCP server or relay issues. Device logs with mismatched timestamps point to NTP misconfiguration.

If engineers cannot see centralized events, syslog forwarding or collector configuration is likely at fault.

Exam trap

Candidates may confuse DHCP and DNS symptoms, or mistakenly suspect routing when reachability by IP works but hostname fails.

249
MCQ · medium

Exhibit: PCs in VLAN 20 are not receiving addresses from a DHCP server in another subnet. The switch SVI for VLAN 20 is up, and routing is working. Which configuration is most likely missing on the gateway for VLAN 20?

A. ip default-gateway 10.20.20.1
B. ip helper-address 10.99.99.10
C. switchport trunk allowed vlan 20
D. spanning-tree portfast default
Answer: B

That forwards DHCP broadcasts to the remote server.

Why this answer

DHCP Discover messages are broadcasts and do not cross routers by default. An ip helper-address on the client gateway interface relays those requests to a remote DHCP server.

Exam trap

A frequent exam trap is selecting the ip default-gateway command as the solution for DHCP relay issues. This command only applies to Layer 2 switches for their own management traffic and does not forward DHCP broadcasts across routed interfaces. Candidates may also mistakenly focus on VLAN trunking or spanning-tree settings, which do not affect DHCP relay functionality.

The key is to recognize that DHCP broadcasts must be explicitly forwarded by the router or Layer 3 switch interface using ip helper-address to reach a DHCP server in another subnet.

Why the other options are wrong

A

The ip default-gateway command configures the default gateway for a Layer 2 switch’s management interface and does not forward DHCP broadcasts. Since the question involves DHCP relay across routed VLANs, this command is irrelevant.

C

The switchport trunk allowed vlan 20 command controls VLAN traffic allowed on a trunk link but does not influence DHCP relay or routing between VLANs. The issue is DHCP relay, not VLAN trunk configuration.

D

The spanning-tree portfast default command enables PortFast on switch ports to speed up STP convergence and does not affect DHCP relay or routing. It is unrelated to the problem of clients not receiving DHCP addresses.

250
MCQ · hard

Refer to the exhibit. An administrator is trying to access a web server in the DMZ at 192.168.1.10 using HTTPS, but the connection times out. The web server is confirmed to be running and listening on both port 80 and port 443. The administrator examines the access list configuration on the perimeter router. Based on the output of the show access-lists command, what is the most likely cause of the failure?

A. The access list does not include a permit statement for TCP port 443.
B. The access list is applied in the wrong direction on the interface.
C. The web server is not actually listening on TCP port 443, despite the configuration.
D. The 'deny ip any any log' statement at the end of the access list is blocking the HTTPS traffic, so it must be removed.
Answer: A

The only permit entry for the 192.168.1.0/24 network is for 'eq www' (TCP port 80). No entry exists for port 443, so HTTPS traffic is denied by the explicit or implicit deny.

Why this answer

Line 10 of ACL 100 explicitly permits only TCP traffic with destination port 80 ('eq www'). HTTPS relies on TCP port 443, which is not matched by any permit entry. Consequently, HTTPS traffic from any source to any host in 192.168.1.0/24 hits the explicit deny at line 20 (or the implicit deny) and is dropped.

The high match count on the deny statement (1356) confirms that traffic other than HTTP is being blocked, including HTTPS.

Exam trap

Many candidates incorrectly select option D because they see the explicit deny at the end of the ACL and think removing it will solve the problem. However, even without that explicit deny, the implicit deny-all at the end of any ACL would still drop the HTTPS traffic. The real fix is to add a permit statement for TCP port 443 before the deny.

Why the other options are wrong

B

Candidates may assume the ACL is not applied correctly, but without interface details this conclusion cannot be drawn from the given output.

C

Candidates might blame the server configuration rather than the network ACL, but the question stem provides the server state to rule this out.

D

This is a common misconception: the explicit deny is not the root cause; the missing permit is the real issue. Removing the deny without adding a permit for HTTPS would still result in the traffic being blocked by the implicit deny.

251
MCQ · hard

An administrator wants to prevent users from browsing to one specific web server while still allowing them to reach other web destinations. Which ACL design principle is most important here?

A. Use the narrowest possible match so only the intended traffic is denied.
B. Always deny all IP traffic to the destination subnet first.
C. Use a standard ACL because destination details never matter.
D. Place the ACL only where no routing exists.
Answer: A

This is correct because precise ACL design reduces unintended side effects.

Why this answer

The most important principle is to write the ACL as narrowly as possible so it matches only the unwanted traffic and does not overblock unrelated traffic. In practical terms, the rule should target the specific destination and service being denied rather than using a broader deny that unintentionally blocks other communication.

This is a precision-and-scope question. Good ACL design is as much about what you avoid blocking as what you intend to block.

Exam trap

Avoid using broad deny statements that block more than necessary. Focus on precision by targeting both IP and port.

Why the other options are wrong

B

This option is wrong because denying all IP traffic to the destination subnet would block all traffic to that subnet, not just the specific web server, which contradicts the requirement to allow access to other web destinations.

C

Using a standard ACL ignores the importance of destination details, which are crucial for selectively denying access to one specific web server while allowing others. This approach would lead to broader access restrictions than intended.

D

Placing the ACL only where no routing exists is incorrect because it does not address the requirement of selectively blocking traffic to a specific web server while allowing access to others. ACLs must be strategically placed to control traffic flow effectively based on routing paths.
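
The first-match, implicit-deny behaviour behind questions 250 and 251, as an added Python example that is not code from the question bank. It evaluates a packet against an ordered list of extended ACL entries and shows two things: for question 250, that removing the explicit deny does not help while adding a permit for TCP 443 before it does; for question 251, that a narrow deny of one host and port leaves other web destinations reachable while a subnet-wide deny overblocks. ACL 100 with sequence numbers 10 and 20 and the 192.168.1.0/24 DMZ come from question 250; the blocked server 203.0.113.10, the client addresses, and the `Entry`/`Packet` types are constructed for this illustration.

```python
"""Minimal model of Cisco-style extended ACL evaluation.

Added example, not code from the quiz page. It implements first-match
evaluation with an implicit deny at the end, which is what questions
250 and 251 rely on. Addresses other than those in question 250 are
constructed sample values.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Entry:
    seq: int
    action: str               # "permit" or "deny"
    proto: str                # "ip" matches any protocol; else "tcp"/"udp"/"icmp"
    src: str                  # "any" or a CIDR prefix
    dst: str                  # "any" or a CIDR prefix
    dst_port: Optional[int] = None   # None = any destination port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dst_port: Optional[int] = None


def _addr_matches(pattern: str, addr: str) -> bool:
    return pattern == "any" or ip_address(addr) in ip_network(pattern, strict=False)


def entry_matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if not (_addr_matches(e.src, p.src) and _addr_matches(e.dst, p.dst)):
        return False
    return e.dst_port is None or e.dst_port == p.dst_port


def evaluate(acl: List[Entry], p: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, seq) of the first matching entry.

    No match means the implicit deny applies, reported as ("deny", None).
    """
    for e in acl:
        if entry_matches(e, p):
            return e.action, e.seq
    return "deny", None


# Question 250: ACL 100 permits only HTTP (port 80) into the DMZ.
ACL_100_BROKEN = [
    Entry(10, "permit", "tcp", "any", "192.168.1.0/24", 80),
    Entry(20, "deny", "ip", "any", "any"),        # explicit deny (log keyword omitted)
]
# Option D's idea: drop the explicit deny. The implicit deny still drops HTTPS.
ACL_100_DENY_REMOVED = ACL_100_BROKEN[:1]
# The real fix: a permit for TCP 443 placed before the deny.
ACL_100_FIXED = [
    Entry(10, "permit", "tcp", "any", "192.168.1.0/24", 80),
    Entry(15, "permit", "tcp", "any", "192.168.1.0/24", 443),
    Entry(20, "deny", "ip", "any", "any"),
]

# Question 251: block one web server (constructed address 203.0.113.10, port 80)
# but keep other web destinations reachable.
ACL_NARROW = [
    Entry(10, "deny", "tcp", "any", "203.0.113.10/32", 80),
    Entry(20, "permit", "ip", "any", "any"),
]
ACL_TOO_BROAD = [
    Entry(10, "deny", "ip", "any", "203.0.113.0/24"),  # overblocks the whole subnet
    Entry(20, "permit", "ip", "any", "any"),
]

# Constructed sample traffic.
HTTPS_TO_DMZ = Packet("tcp", "198.51.100.7", "192.168.1.10", 443)
HTTP_TO_DMZ = Packet("tcp", "198.51.100.7", "192.168.1.10", 80)
WEB_BLOCKED = Packet("tcp", "10.1.1.5", "203.0.113.10", 80)
WEB_OTHER = Packet("tcp", "10.1.1.5", "203.0.113.20", 80)

if __name__ == "__main__":
    for name, acl in [("broken", ACL_100_BROKEN), ("deny removed", ACL_100_DENY_REMOVED),
                      ("fixed", ACL_100_FIXED)]:
        print(f"ACL 100 {name}: HTTPS -> {evaluate(acl, HTTPS_TO_DMZ)}")
    print("narrow deny, other server:", evaluate(ACL_NARROW, WEB_OTHER))
    print("broad deny, other server:", evaluate(ACL_TOO_BROAD, WEB_OTHER))
```

The model deliberately ignores wildcard masks, established/flag matching and reflexive entries; the point is only the ordering and the implicit deny, which is what determines the answers to both questions.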

252
Multi-Select · hard

An engineer wants all devices to send logs to 10.10.10.50 and also stamp those logs with consistent time from 10.10.10.60. Which two configurations are required on a Cisco device?

Select 2 answers
A. logging host 10.10.10.50
B. ntp server 10.10.10.60
C. ip helper-address 10.10.10.50
D. snmp-server host 10.10.10.60
E. service timestamps log localtime
Answers: A, B

This sends syslog messages to the collector.

Why this answer

One configuration points the device to the syslog collector, and the other points it to the NTP server. The requirement is about centralized logging and accurate timestamps, so both services must be configured. Option E, 'service timestamps log localtime', is a valid command but it only sets the timestamp format to local time; without an NTP server, timestamps will not be consistent across devices.

Exam trap

A common exam trap is selecting commands related to SNMP or DHCP relay, such as 'snmp-server host' or 'ip helper-address', mistakenly believing they configure logging or time synchronization. Candidates may also choose 'service timestamps log localtime' expecting it to standardize timestamps, but without NTP synchronization, timestamps remain inconsistent across devices. The trap lies in confusing the purpose of these commands with syslog and NTP functions.

The question specifically requires centralized logging and consistent timestamps, which only 'logging host' and 'ntp server' commands fulfill together.

Why the other options are wrong

C

'ip helper-address 10.10.10.50' is incorrect because it is used to relay broadcast traffic like DHCP requests, not for syslog or time synchronization.

D

'snmp-server host 10.10.10.60' is incorrect because SNMP manages network monitoring and traps, but does not synchronize device time or configure syslog destinations.

E

'service timestamps log localtime' is insufficient alone because it only controls how timestamps are added to log messages; it does not synchronize time across devices, so timestamps may remain inconsistent without NTP.

253
MCQ · hard

A user can authenticate successfully to a network device but is denied access to certain commands. Which statement best explains the situation?

A. Authentication succeeded, but authorization limits the user's command access.
B. The device lost all routing information after login.
C. The subnet mask on the user workstation is incorrect.
D. Syslog is blocking the commands for security reasons.
Answer: A

This is correct because permission scope after login is an authorization function.

Why this answer

The situation is best explained by authorization controls. In practical terms, authentication confirms who the user is, but authorization determines what that user can do after login. A successful login followed by restricted command access means the identity is valid but the permission set is limited.

This is one of the most important practical distinctions within AAA.

Exam trap

A common exam trap is assuming that successful authentication means unrestricted access to all device commands. Candidates often confuse authentication with authorization, thinking that if a user can log in, they should have full command privileges. This misunderstanding leads to incorrect answers suggesting routing issues or workstation configuration problems as causes for command denial.

However, Cisco devices distinctly separate authentication (identity verification) from authorization (permission enforcement). Authorization policies can restrict command access even after a successful login, which is the correct explanation in this scenario.

Why the other options are wrong

B

This option is incorrect because losing routing information after login does not selectively deny commands. Routing issues affect packet forwarding, not user command permissions, so it does not explain the selective command denial.

C

This option is invalid because an incorrect subnet mask on the user's workstation would affect network connectivity, not command access on the device after successful login. It does not relate to authorization or command restrictions.

D

This option is wrong since Syslog is a logging mechanism that records events but does not block or restrict user commands. It provides visibility but does not enforce command authorization or deny access.

254
Matching · medium

Match each AAA component or related term to its most accurate meaning.


Verification of identity

Determination of allowed actions

Recording of activity or usage details

Credential store on the device used for local checks

Why these pairings

In AAA, Authentication verifies identity (who you are), Authorization determines allowed actions (what you can do), Accounting records activity for auditing. A local database stores credentials on the device for local authentication checks. These definitions directly match the pairs in the question.

Exam trap

Learners often confuse the roles of Authentication (identity), Authorization (permissions), and Accounting (logging), or mix them with AAA protocols like RADIUS or TACACS+.

255
MCQ · hard

A network administrator wants to receive an immediate notification from a device when a significant event occurs, rather than polling the device repeatedly. Which SNMP feature is most associated with that requirement?

A. SNMP traps
B. Syslog severity 7
C. DHCP relay
D. NetFlow exporters
Answer: A

This is correct because traps are unsolicited event notifications sent by the device.

Why this answer

SNMP traps are the correct answer because they are an SNMP feature that sends unsolicited, event-driven notifications from the device to the management system when a significant event occurs, eliminating the need for polling. Option B (syslog severity 7) is incorrect because syslog is a separate protocol for logging; while syslog messages are also sent unsolicited, the question specifically asks for an SNMP feature. Options C (DHCP relay) and D (NetFlow exporters) are unrelated to immediate event notifications: DHCP relay forwards broadcast requests, and NetFlow exports traffic flow data for analysis.

Exam trap

A frequent exam trap is mistaking syslog messages or NetFlow exporters as the mechanism for immediate event notifications in SNMP. Syslog severity levels, such as severity 7, relate to logging detail but do not trigger unsolicited alerts to management stations. Similarly, NetFlow exporters focus on traffic flow analysis rather than event-driven notifications.

Candidates may also confuse DHCP relay, which is unrelated to SNMP, with notification features. The key is to remember that only SNMP traps send unsolicited, immediate notifications, distinguishing them from polling or other monitoring tools.

Why the other options are wrong

B

Syslog severity 7 refers to debug-level logging detail. Syslog is a separate logging protocol, not an SNMP feature, so it is not the SNMP event-driven notification mechanism the question asks about.

C

DHCP relay is a mechanism to forward DHCP requests across networks and has no role in SNMP or event-driven notifications, making it irrelevant to the question.

D

NetFlow exporters provide detailed traffic flow information for analysis but do not send immediate event notifications; they are unrelated to SNMP traps or polling mechanisms.

256
MCQ · hard

Exhibit: A standard ACL meant to block host 10.10.10.50 from reaching any remote network was applied inbound on the branch router's LAN interface, but users report that all local traffic from that host is now blocked. What is the better placement?

A. Leave it inbound on the LAN because standard ACLs belong near the source
B. Move it outbound on the WAN-facing interface closer to the destination
C. Convert it to a VTY access-class
D. Apply it inbound on all switch access ports
Answer: B

Correct choice.

Why this answer

A standard ACL matches only the source address. If it is placed near the source, it can block that host from reaching destinations you did not intend to affect. Standard ACLs are best placed close to the destination.

Exam trap

A frequent exam trap is believing that standard ACLs should always be applied inbound near the source to block unwanted traffic early. Since standard ACLs filter only by source IP, placing them inbound on a LAN interface can block all traffic from that host, including local communications within the LAN. This leads to unintended network outages and user complaints.

The trap is confusing the ACL placement rule for extended ACLs, which are placed near the source, with the rule for standard ACLs, which should be placed near the destination to avoid over-blocking.

Why the other options are wrong

A

Leaving the standard ACL inbound on the LAN interface is incorrect because standard ACLs filter only by source IP, which causes all traffic from that host, including local LAN traffic, to be blocked. This disrupts local communications and is not best practice.

C

Converting the ACL to a VTY access-class is irrelevant to the question because VTY access-classes control remote management access to the router, not general traffic filtering from a host to remote networks.

D

Applying the ACL inbound on all switch access ports is impractical and inefficient. It would block traffic at multiple points unnecessarily and does not address the specific need to filter traffic from the host to remote networks.

257
MCQ · hard

Why is the combination of strong authentication and centralized logging better than either control by itself?

A. Authentication improves prevention, while centralized logging improves visibility and investigation.
B. They are redundant because both perform exactly the same task.
C. Centralized logging makes authentication unnecessary.
D. Strong authentication removes the need for any event records.
Answer: A

This is correct because the two controls complement each other.

Why this answer

The combination is better because strong authentication helps prevent unauthorized access, while centralized logging helps detect, review, and investigate what happened across the environment. In practical terms, one control is stronger on prevention, and the other is stronger on visibility and accountability. Together they provide broader protection than either one alone.

This reflects a real security principle: mature security depends on layers of control, not one mechanism trying to do every job.

Exam trap

A common exam trap is believing that strong authentication alone is enough to secure a network, leading to the misconception that event logging is unnecessary. Candidates may also incorrectly assume that centralized logging can replace authentication by simply recording events without preventing unauthorized access. This misunderstanding overlooks the complementary roles these controls play: authentication stops unauthorized users upfront, while logging provides the visibility needed to detect and investigate incidents.

Ignoring either control weakens overall security and can cause candidates to select incorrect answers that underestimate the importance of layered defenses.

Why the other options are wrong

B

This option is incorrect because authentication and logging serve different purposes; authentication controls access, while logging records events. They are not redundant but complementary.

C

This option is wrong because centralized logging only records events and does not prevent unauthorized access, so it cannot replace strong authentication.

D

This option is incorrect because even with strong authentication, event records remain essential for auditing, troubleshooting, and investigating security incidents.

258
Multi-Select · medium

Which two statements accurately describe basic WLAN security at the CCNA level?

Select 2 answers
A. WPA2 is generally considered stronger than WEP for wireless security.
B. Open wireless access provides meaningful default encryption.
C. Open wireless access does not provide the same protection as a secured WLAN.
D. A longer SSID makes WEP cryptographically strong.
E. WPA2 relies on TKIP encryption
Answers: A, C

This is correct because WPA2 provides significantly better security than WEP.

Why this answer

WPA2 uses AES-CCMP encryption and is much stronger than WEP, which uses weak RC4. Open wireless networks (no security) provide no encryption, so they are less secure than a secured WLAN. Option B is false because open networks have no default encryption.

Option D is false because SSID length does not affect WEP's cryptographic strength; WEP is inherently weak regardless of SSID. Option E is false because WPA2 uses AES-CCMP encryption, not TKIP.

Exam trap

Avoid confusing open networks with secured ones and remember that WEP is outdated and insecure.

Why the other options are wrong

B

Open wireless access does not provide any default encryption, so it is not secure.

D

A longer SSID does not strengthen WEP; WEP's vulnerability is due to its use of static keys and weak RC4 algorithm, not SSID length.

E

WPA2 (Wi-Fi Protected Access 2) is a wireless security standard that uses AES-CCMP encryption rather than TKIP, so this statement does not describe WPA2.

259
Multi-Select · hard

Users can browse websites by IP address but not by hostname. The default gateway is reachable and general internet connectivity works. Which two causes are the most likely?

Select 2 answers
A.The clients are missing a valid DNS server setting
B.DNS queries may be blocked somewhere along the path
C.The routers are missing NTP configuration
D.The switch access ports should be changed to dynamic desirable
AnswersA, B

Name resolution will fail if clients do not know where to send DNS queries.

Why this answer

If IP connectivity works but hostnames fail, the problem is usually DNS configuration or DNS reachability, not general routing.

Exam trap

A frequent exam trap is to assume that if users cannot browse websites by hostname, the problem must be with routing or the default gateway. However, the question states the default gateway is reachable and general internet connectivity works, which rules out routing issues. Another trap is to confuse unrelated configurations like NTP or switch port settings as causes for DNS failures.

The key is to focus on DNS-specific causes: missing DNS server settings on clients or DNS traffic being blocked. Misinterpreting these symptoms leads to incorrect answers that do not address the root cause of hostname resolution failure.

Why the other options are wrong

C

Incorrect. NTP configuration affects time synchronization but does not impact DNS resolution or hostname-based browsing, so it is unrelated to this issue.

D

Incorrect. Changing switch access ports to dynamic desirable affects VLAN trunk negotiation (DTP) but does not influence DNS resolution or hostname connectivity.

260
Multi-Selectmedium

Which two statements accurately describe why DNS issues can look like general connectivity problems to users?

Select 2 answers
A.Users often access services by name, so failed name resolution can feel like total connectivity loss.
B.Testing by IP address versus hostname can help distinguish DNS issues from raw path issues.
C.DNS failure automatically means the default gateway is missing.
D.If DNS fails, DHCP and NTP must also fail immediately.
E.DNS replaces the need for routing between subnets.
AnswersA, B

This is correct because users usually experience services through names rather than raw IP addresses.

Why this answer

DNS issues can look like general connectivity problems because many users think in terms of names, not IP addresses. In practical terms, they may report that 'the network is down' when the actual routed path works but hostname resolution does not. That is why testing by IP versus name is such a useful troubleshooting step.

The distinction between transport reachability and naming is critical in user-facing support.

Exam trap

A common exam trap is assuming that DNS failure means the default gateway or other network infrastructure is missing or malfunctioning. Candidates might incorrectly link DNS issues to routing failures or DHCP and NTP outages, which are separate services. This misunderstanding leads to wasted troubleshooting effort on routing tables or gateway configurations when the real problem lies in DNS server availability or client resolver settings.

The exam tests your ability to isolate DNS as an application-layer service distinct from network-layer connectivity.

Why the other options are wrong

C

Incorrect because DNS failure does not imply the default gateway is missing. Routing and DNS are separate functions, and gateway issues are unrelated to DNS resolution.

D

Incorrect because DHCP and NTP are independent IP services. DNS failure does not cause these services to fail immediately or automatically.

E

Incorrect because DNS does not replace routing. DNS resolves names to IP addresses, while routing protocols determine packet forwarding between subnets.

261
Matchingmedium

Match each management or monitoring concept to its most accurate role.

Matches

Encrypted remote administration

Framework for authentication, authorization, and accounting

Centralized event and log reporting

Clock synchronization across devices

Why these pairings

SSH provides encrypted remote administration by encrypting the entire session, unlike unsecured protocols like Telnet. AAA is the foundational framework for network access control, covering who can authenticate, what operations they are authorized to perform, and what they did via accounting. Syslog enables centralized collection of event and log messages from multiple devices for monitoring and troubleshooting.

NTP synchronizes system clocks across network devices, ensuring consistent timestamps for logging and security functions.

Exam trap

Learners often confuse Syslog with SNMP; Syslog is for log collection only, not for device polling or real-time monitoring.

262
Multi-Selectmedium

Which three features are used to mitigate Layer 2 security threats on a Cisco switch? (Choose three.)

Select 3 answers
A.PortFast on all access ports to prevent STP convergence delays.
B.Dynamic ARP Inspection (DAI) to prevent ARP spoofing.
C.DHCP snooping to build a trusted binding database.
D.BPDU guard to shut down ports receiving BPDUs on access ports.
E.EtherChannel load balancing to increase bandwidth.
F.VLAN 1 as the native VLAN on trunk ports for management.
AnswersB, C, D

Why this answer

Dynamic ARP Inspection (DAI) mitigates ARP spoofing attacks by intercepting ARP packets on untrusted ports and validating them against the DHCP snooping binding database, ensuring that only legitimate ARP responses are forwarded. DHCP snooping builds a trusted binding database by monitoring DHCP messages and recording IP-to-MAC address mappings, which is used by DAI and IP Source Guard to prevent IP and MAC spoofing. BPDU guard protects against STP manipulation attacks by error-disabling an access port if it receives a BPDU, preventing unauthorized switches from participating in the spanning tree topology.

EtherChannel load balancing is a method for increasing bandwidth and redundancy, not a Layer 2 security mitigation. Using VLAN 1 as the native VLAN is a known security risk that can facilitate VLAN hopping attacks, so it is not a mitigation feature.

Exam trap

Cisco often tests the distinction between features that improve STP convergence (like PortFast) and features that provide security (like BPDU guard), causing candidates to mistakenly select PortFast as a security feature.

263
PBQhard

You are connected to R1, a multilayer switch acting as a DNS forwarder for two VLANs. Users on VLAN 10 report that they cannot resolve 'files.example.com' while VLAN 20 works fine. The DNS server 198.51.100.53 is reachable but returns SERVFAIL for queries from subnet 192.168.10.0/24, while server 203.0.113.53 responds correctly for both VLANs. Diagnose and fix the DNS resolution issue using nslookup and dig, then adjust the IOS-XE configuration to ensure proper name resolution. Choose the best fix that permanently resolves the problem.

Network Topology (recovered from the diagram): R1 connects through G0/0/0 (10.0.0.1/30) toward the DNS servers (198.51.100.53 is shown on the link); subinterface G0/0/1.10 (192.168.10.1/24) serves VLAN 10 and subinterface G0/0/1.20 (192.168.20.1/24) serves VLAN 20.

Hints

  • The first DNS server returns SERVFAIL for the A record query.
  • The second DNS server resolves the name correctly.
  • Use 'no ip name-server <ip>' to remove a faulty server.
A.Remove the faulty primary DNS server using 'no ip name-server 198.51.100.53' and keep the working secondary server 203.0.113.53.
B.Add a static DNS entry for 'files.example.com' using 'ip host files.example.com 10.0.0.1' on R1.
C.Change the DNS server order so that the working server is primary using 'ip name-server 203.0.113.53 198.51.100.53'.
D.Configure the router to use only the faulty server by removing the working server with 'no ip name-server 203.0.113.53'.
AnswerA
solution
! R1
configure terminal
no ip name-server 198.51.100.53
end

Why this answer

The faulty DNS server 198.51.100.53 returns SERVFAIL for the A record query, indicating a misconfiguration or missing record on that server. Although reordering (Option C) would allow resolution to work by querying the functional server first, it is not the optimal fix because the broken server remains in the list and could still be used if the primary times out or for future queries. The best practice is to completely remove the faulty server using 'no ip name-server 198.51.100.53'.

Option B adds a static entry that only helps one domain and does not address the root cause. Option D would make the router use only the broken server, worsening the problem.

Exam trap

Do not confuse a reachable DNS server with a functional one. SERVFAIL means the server is responding but cannot resolve the query. The solution is to remove the faulty server, not reorder or add static entries.

Why the other options are wrong

C

Reordering the name servers works around the issue temporarily but leaves the faulty server in the configuration, which is not a permanent solution and violates best practice of removing misconfigured DNS servers.

264
MCQeasy

A small office wants branch routers to automatically hand out IP addresses, default gateway values, and DNS servers to clients. Which service should be configured?

A.DNS
B.DHCP
C.NTP
D.TACACS+
AnswerB

DHCP supplies addressing parameters to clients.

Why this answer

DHCP is built for this exact job. It centrally provides addressing details so endpoints do not need to be configured by hand.

Exam trap

A common exam trap is confusing DHCP with other network services like DNS, NTP, or TACACS+. DNS only resolves domain names to IP addresses and does not assign IP addresses or default gateways. NTP synchronizes time across devices but does not handle IP addressing.

TACACS+ is an AAA protocol used for authentication and authorization, not for assigning IP addresses or network parameters. Selecting any of these instead of DHCP leads to incorrect answers because they do not fulfill the requirement of automatically handing out IP addresses and related network configuration to clients.

Why the other options are wrong

A

DNS resolves domain names to IP addresses but does not assign IP addresses, default gateways, or DNS server settings to clients. It is not responsible for automatic IP configuration, so it is incorrect for this question.

C

NTP synchronizes time across network devices and does not provide IP addressing or network configuration parameters to clients, making it irrelevant for this question.

D

TACACS+ is an AAA protocol used for authentication, authorization, and accounting. It does not handle IP address assignment or network parameter distribution, so it is not the correct service here.

265
PBQhard

You are connected to R1. The inside network 192.168.1.0/24 must be able to reach the internet via PAT (overload) using the public IP 203.0.113.1 on interface GigabitEthernet0/1. Additionally, a web server at 192.168.1.10 must be reachable from the internet via static NAT to 203.0.113.10. The current configuration is not working. Identify and fix all issues.

Hints

  • Check the ACL for the correct inside network.
  • The PAT command is missing a keyword to enable port address translation.
  • Ensure the 'overload' keyword is present in the ip nat inside source list command.
A.Change ACL 100 to permit 192.168.1.0 0.0.0.255, add 'overload' to the ip nat inside source list command, and verify with 'show ip nat translations'.
B.Change ACL 100 to permit 192.168.1.0 0.0.0.255 and add the 'overload' keyword to the ip nat inside source list command.
C.Add the 'overload' keyword to the ip nat inside source list command and verify with 'show ip nat translations'.
D.Change ACL 100 to permit 192.168.1.0 0.0.0.255 and verify with 'show ip nat translations'.
AnswerA
solution
! R1
conf t
no access-list 100
access-list 100 permit 192.168.1.0 0.0.0.255
ip nat inside source list 100 interface GigabitEthernet0/1 overload
end

Why this answer

The configuration has two issues: (1) ACL 100 permits 192.168.2.0/24 instead of 192.168.1.0/24, so the inside traffic is not matched for PAT. (2) The 'ip nat inside source list' command lacks the 'overload' keyword, preventing port address translation. The static NAT entry for the web server is correctly configured and does not depend on ACL 100, so it is unaffected by these changes. To resolve: change ACL 100 to permit 192.168.1.0 0.0.0.255, add 'overload' to the ip nat inside source list command, and verify with 'show ip nat translations'.

Exam trap

Candidates often overlook that the ACL must match the inside network exactly, and that 'overload' is required for PAT. Additionally, they may forget to verify with 'show ip nat translations' to confirm the configuration is working.

Why the other options are wrong

B

The answer fails to include the verification step, which is a critical part of troubleshooting and ensuring the configuration is applied correctly.

C

The ACL must match the correct inside network; without fixing it, PAT will not apply to the intended traffic.

D

The 'overload' keyword is essential for PAT; omitting it means the router will perform dynamic NAT without port translation, which is insufficient for multiple hosts.

266
Drag & Dropmedium

Drag and drop the following steps into the correct order to configure a DHCP server on a Cisco IOS-XE router and enable DHCP relay on a remote subnet, following Cisco's recommended configuration sequence.


Why this order

The recommended order is to first create the DHCP pool with network and default-router, then exclude addresses, and finally enable DHCP relay on the remote interface. While the 'ip dhcp excluded-address' command can technically be issued before or after the pool definition, Cisco documentation typically shows the pool created first. The critical requirement is that DHCP relay is configured last, after the DHCP server is fully configured.

Options B and D place relay first, which is incorrect.

Exam trap

A common mistake is to configure DHCP relay before the DHCP server, or to think the order of pool and exclusion is irrelevant for the exam. While both orders are technically valid, the question expects the standard order of pool first, then exclusion.

267
MCQhard

Refer to the exhibit. A network administrator is troubleshooting an NTP synchronization issue on R1. The router is configured with the command ntp server 10.1.1.100, but the clock remains unsynchronized. The administrator issues the show ntp status command. What is the most likely cause of the problem?

A.The NTP authentication key configured on R1 does not match the one on the server.
B.The system time on R1 is set to an epoch that is too far from the server's time, causing NTP to refuse to synchronize.
C.The NTP service is not enabled on R1; the 'ntp server' command only defines a server but does not start the NTP process.
D.The router cannot reach the NTP server 10.1.1.100 at UDP port 123 due to a routing issue or an access list.
AnswerD

The exhibit clearly shows 'no reference clock' and stratum 16, which indicates that R1 has not received any NTP packets from the configured server. This is a classic symptom of network unreachability—the router’s NTP requests are not making it to the server or responses are not coming back, often caused by a missing route or an ACL filtering UDP 123.

Why this answer

The output shows 'Clock is unsynchronized, stratum 16, no reference clock,' which means the router has not received any valid NTP updates from the configured server. This state is typical when the NTP server 10.1.1.100 is unreachable at the network layer—either because of a missing route or an ACL blocking UDP port 123. If the server were reachable but authentication failed, the output might still show a reference clock (but unsynchronized) or show reachability in the NTP associations table, which is absent here.

Exam trap

Many candidates mistakenly believe that any NTP unsynchronized state is caused by authentication mismatch. However, authentication failures allow packets to be received; they are dropped after auth check, so the router might still see the server as reachable (but not usable) in show ntp associations. The complete absence of a reference clock strongly suggests a reachability issue, not an authentication problem.

Why the other options are wrong

A

Candidates often confuse unsynchronized status with authentication issues, but authentication failures do not prevent reception of packets; they just discard them after arrival.

B

A common myth is that NTP cannot sync if the clocks are too far apart. While extreme offsets may delay sync, they do not prevent the router from hearing the server, so the reference clock field would still show the server’s IP or clock ID.

C

Some candidates mistakenly believe that a separate 'ntp enable' command is required. In IOS, configuring an ntp server automatically enables NTP, so the service is active.

268
MCQmedium

Which security concept gives a user only the permissions required to perform assigned tasks and nothing more?

A.Defense in depth
B.Least privilege
C.Segmentation
D.Availability
AnswerB

Correct. Users receive only the access they need.

Why this answer

Least privilege is the security principle that grants users only the specific permissions necessary to perform their job functions, minimizing potential damage from errors or malicious actions. Defense in depth is a layered security strategy using multiple controls, not a principle of limiting permissions. Segmentation divides a network into isolated segments to contain threats, but does not directly govern individual user permissions.

Availability ensures systems and data are accessible when needed, which is unrelated to restricting access rights.

Exam trap

Don't confuse access control methods like RBAC, DAC, or MAC with the principle of least privilege, which specifically minimizes permissions.

Why the other options are wrong

A

Defense in depth refers to a layered security approach that employs multiple security measures to protect information. It does not specifically address the principle of granting users only the necessary permissions for their tasks.

C

Segmentation refers to dividing a network into segments to enhance security and manageability, rather than limiting user permissions. It does not directly address the concept of granting only necessary permissions to users.

D

Availability refers to ensuring that systems and data are accessible when needed, which does not relate to limiting user permissions for task completion. This option does not address the principle of restricting access based on necessity.

269
Matchingmedium

Match each service to the symptom it most directly relates to when troubleshooting.

Matches

Users can reach resources by IP but not by hostname

Hosts are not receiving IP settings automatically

Logs from different devices do not line up in time

Operations team needs visibility into traffic conversations

Why these pairings

Each service is paired with a symptom directly related to its malfunction.

Exam trap

Be careful not to confuse symptoms that often occur together (like congestion causing both drops and latency) with direct cause-and-effect relationships. The question asks for the most direct symptom, not a correlated one.

270
MCQhard

R1 and R2 should form an OSPF adjacency on their shared GigabitEthernet link, but they remain stuck in EXSTART. What is the most likely cause?

A.The routers are using different OSPF areas.
B.The interface MTU values do not match.
C.One side is configured as passive-interface.
D.The subnet mask on the link is incorrect.
AnswerB

This is the classic cause of OSPF neighbors getting stuck in EXSTART or EXCHANGE.

Why this answer

The MTU values do not match. OSPF neighbors can discover each other and even move through earlier states, but an MTU mismatch commonly leaves them stuck in EXSTART or EXCHANGE because the routers do not agree on database description packet sizing. Area mismatch, network mismatch, and passive-interface issues usually prevent a much earlier stage of adjacency formation.

Exam trap

A common exam trap is selecting area mismatch or passive-interface as the cause of OSPF adjacency stuck in ExStart. While area mismatch prevents neighbor formation entirely, and passive-interface stops hello packets, these issues cause earlier failures, not ExStart stalls. The ExStart state specifically involves negotiating database description packets, which requires matching MTU values.

Candidates often overlook MTU mismatches because neighbors appear in the topology, misleading them to suspect other configuration errors. Understanding that MTU mismatch allows neighbor discovery but blocks database synchronization is key to avoiding this trap.

Why the other options are wrong

A

Both routers are configured in area 0, so area mismatch is not the cause. Area mismatches prevent neighbor discovery, which would stop adjacency formation before ExStart.

C

If one interface is passive, OSPF hello packets are not sent, preventing neighbor formation altogether. This would stop adjacency formation earlier than ExStart.

D

The subnet mask is consistent on both sides, allowing neighbor discovery. Incorrect subnet masks would prevent neighbors from recognizing each other, blocking adjacency before ExStart.

271
Multi-Selectmedium

Which two statements about NTP are correct? (Choose two.)

Select 2 answers
A.Accurate time helps correlate log messages across multiple devices.
B.NTP replaces the need for DNS in enterprise networks.
C.NTP synchronizes clocks between network devices and time sources.
D.NTP is used to negotiate EtherChannel parameters.
AnswersA, C

Correct. Synchronized timestamps improve troubleshooting.

Why this answer

NTP synchronizes time across devices, which is important for logging, certificates, and event correlation.

Exam trap

A common exam trap is mistaking NTP for a service that replaces DNS or manages link aggregation like EtherChannel. Some candidates incorrectly believe NTP handles domain name resolution or negotiates EtherChannel parameters because these are also fundamental network services. However, NTP’s sole purpose is to synchronize time across devices.

Selecting options that confuse NTP with DNS or EtherChannel leads to incorrect answers. Understanding that NTP only manages time synchronization helps avoid this trap and ensures accurate selection of correct options related to time correlation and clock synchronization.

Why the other options are wrong

B

This option is incorrect because NTP does not replace DNS. DNS resolves domain names to IP addresses, while NTP only synchronizes time across devices.

D

This option is incorrect because NTP does not negotiate EtherChannel parameters. EtherChannel negotiation is handled by protocols like PAgP or LACP, unrelated to time synchronization.

272
Multi-Selectmedium

Which two statements about standard and extended IPv4 ACLs are correct?

Select 2 answers
A.A standard ACL matches only the source IPv4 address.
B.An extended ACL can match protocol information and Layer 4 ports.
C.A standard ACL is normally placed as close to the source as possible.
D.An extended ACL cannot filter ICMP traffic.
E.Both ACL types require named ACL syntax to match traffic.
AnswersA, B

That is the key limitation of a standard ACL.

Why this answer

Standard ACLs match only the source IPv4 address, while extended ACLs can match protocol and source and destination details including ports. Because standard ACLs are less granular, they are usually placed closer to the destination. Extended ACLs are usually placed closer to the source.

Exam trap

A frequent exam trap is assuming that standard ACLs can filter traffic based on protocol types or Layer 4 ports, which they cannot. This misconception leads to incorrect placement decisions, such as placing standard ACLs near the source, which risks blocking legitimate traffic from other sources. Another trap is believing extended ACLs cannot filter ICMP traffic, but extended ACLs do support ICMP filtering.

Misunderstanding these facts can cause confusion in both exam scenarios and real-world network design, resulting in incorrect ACL configurations and ineffective traffic control.

Why the other options are wrong

C

This option is incorrect because standard ACLs are usually placed closer to the destination, not the source, to avoid blocking legitimate traffic from other sources.

D

This option is incorrect since extended ACLs can filter ICMP traffic by specifying the ICMP protocol in the ACL configuration.

E

This option is incorrect because both numbered and named ACLs are valid for standard and extended ACLs; named ACL syntax is not required.

273
Multi-Selectmedium

Which two statements accurately describe why source restriction and logging are often used together for administrative access?

Select 2 answers
A.Source restriction narrows the allowed origin space for administrative sessions.
B.Logging improves visibility and accountability for what happened during administrative access.
C.Logging removes the need for authentication.
D.Source restriction works only when Syslog is disabled.
E.Both controls exist only for guest wireless networks.
AnswersA, B

This is correct because source filtering reduces where management traffic is permitted from.

Why this answer

Source restriction and logging are often used together because they help answer two different security questions. In practical terms, source restriction limits where administrative sessions may originate, while logging helps show what happened once access was attempted or granted. This combination improves both exposure reduction and post-event visibility.

This is a strong layered-security reasoning item because it focuses on complementary controls rather than one-control thinking.

Exam trap

A frequent exam trap is to believe that logging can replace source restriction or that source restriction only works if logging is disabled. Candidates may incorrectly think that visibility through logs is enough to secure administrative access, ignoring the importance of limiting where management sessions can originate. Another mistake is to assume these controls are only relevant for guest wireless networks, which is false because they apply broadly to all management-plane security.

Understanding that source restriction and logging serve distinct but complementary roles is critical to avoid this trap.

Why the other options are wrong

C

Logging provides visibility but does not replace authentication; authentication is still required for access.

D

Source restriction operates independently of Syslog; it does not require Syslog to be disabled or enabled.

E

Source restriction and logging apply to all administrative access, not just guest wireless networks, which is too narrow of a context.

274
Drag & Drophard

Drag and drop the following steps into the correct order to configure a Cisco IOS-XE router as a DHCP relay agent and verify the DHCP DORA process for a client on a remote subnet.


Why this order

The relay agent must be configured first by setting the ip helper-address on the client-facing interface, then verifying connectivity to the DHCP server. The DORA process should be observed using a relay-specific debug command such as debug ip dhcp relay; the originally listed debug ip dhcp server packet would show no output on a pure relay agent, making it incorrect for verification.

Exam trap

A common trap is placing the ip helper-address on the wrong interface or using the wrong debug command. Always place the helper address on the client-facing interface, and verify relay operation with debug ip dhcp relay, not debug ip dhcp server packet.

275
MCQmedium

Which field is modified by each router hop in an IPv4 packet to prevent endless forwarding loops?

A.Source port
B.TTL
C.Sequence number
D.CRC in the Ethernet trailer
AnswerB

Correct. TTL is reduced each time the packet crosses a router.

Why this answer

The Time to Live field is decremented at each hop.

Exam trap

A frequent exam trap is selecting transport-layer fields like source port or sequence number as the field modified by each router hop. These fields are part of TCP or UDP headers and remain unchanged by routers during forwarding. Another common mistake is confusing the Ethernet frame CRC with the TTL; while the CRC is recalculated on each link to verify frame integrity, it does not control packet lifetime or prevent routing loops.

Misunderstanding these distinctions can lead to incorrect answers about how routers manage packet forwarding and loop prevention.

Why the other options are wrong

A

Source port is a transport-layer field used by TCP/UDP to identify application endpoints and is not modified by routers during forwarding, so it cannot prevent forwarding loops.

C

Sequence number is part of the transport layer used for ordering segments in TCP and is not altered by routers, so it does not affect packet forwarding or loop prevention.

D

CRC in the Ethernet trailer is recalculated on each link to verify frame integrity but does not influence IP packet forwarding decisions or prevent routing loops.

276
MCQhard

The SVI for VLAN 20 has `ip nat outside` and the WAN interface has `ip nat inside`. Hosts in VLAN 20 must reach the internet through PAT, but users report no external connectivity. Which configuration issue best explains the problem?

A.The ACL should deny 192.168.20.0/24 instead of permit it
B.The interfaces are marked with inside and outside in the wrong places
C.PAT cannot be used with a /30 WAN link
D.NAT overload requires a route-map instead of an ACL
AnswerB

Reversed NAT roles stop the expected translations.

Why this answer

NAT overload works only when the inside and outside interfaces are identified correctly. Here the roles are reversed, so translations are not built in the right direction.

Exam trap

A frequent exam trap is assuming that the ACL or the subnet mask is the cause of NAT failure when the real issue is reversed inside and outside interface roles. Candidates often overlook the importance of interface designation commands (ip nat inside and ip nat outside), which are crucial for NAT operation. Without correct interface roles, the router cannot translate addresses properly, causing hosts to lose external connectivity even if ACLs and routing are correct.

This trap is tempting because ACLs and subnetting are more familiar concepts, but interface roles are equally critical for NAT to function.

Why the other options are wrong

A

Option A is incorrect because the ACL used for NAT must permit the inside local subnet (192.168.20.0/24) to allow translation. Denying this subnet would block NAT translation, but the question states the ACL permits it, so this is not the cause.

C

Option C is incorrect because a /30 WAN link is commonly used in point-to-point connections and does not prevent PAT from functioning. PAT works independently of the WAN subnet size.

D

Option D is incorrect because NAT overload can be configured using a standard ACL; a route-map is optional and not required. The absence of a route-map does not cause the connectivity issue described.

277
Drag & Dropmedium

Drag and drop the following steps into the correct order to sequence the DNS resolution process from a client query to receiving an A-record response, followed by the nslookup and dig diagnostic workflow for troubleshooting missing or wrong DNS records.


Why this order

The DNS resolution process starts with the client query, server response, and client use. Troubleshooting follows with nslookup for basic queries and dig for detailed diagnostics.

Exam trap

Do not confuse the order of DNS resolution with the troubleshooting workflow. The client uses the IP address immediately after receiving the response; troubleshooting tools are used only when there is a problem.

278
MCQ · hard

After hardening SSH by disabling password authentication and restricting access to an ACL permitting only the management subnet 10.1.10.0/24, configuring RADIUS AAA authentication, enabling port security with a maximum of two MAC addresses on all access ports, and implementing DHCP snooping and DAI on VLAN 10, the administrator finds that users in VLAN 10 obtain DHCP addresses and access the network normally, but SSH from the management workstation (10.1.10.20) to the switch fails with timeouts.

A. The SSH ACL is misconfigured and denies port 22 from the management subnet.
B. The management workstation’s IP-to-MAC binding is missing from the DHCP snooping binding table, causing DAI to drop its ARP traffic.
C. Port security on the switch interface connected to the management workstation has learned two MAC addresses and shut down the port.
D. RADIUS AAA authentication is missing the shared secret on the switch, causing SSH login timeouts.
Answer: B

DAI relies on DHCP snooping bindings to validate ARP packets. The static IP of the workstation means no binding was learned, so DAI considers the ARP reply invalid and drops it, breaking L2 reachability.

Why this answer

The management workstation (10.1.10.20) is on the same VLAN 10 where DHCP snooping and DAI are enabled. DAI validates ARP packets against the DHCP snooping binding table. Since the workstation uses a static IP address, its IP-to-MAC binding is not automatically added to the DHCP snooping database.

DAI will drop the workstation's ARP replies, preventing the switch from learning its MAC address and causing SSH timeouts.

Exam trap

Cisco often tests the interaction between security features like DAI and static IP hosts, where candidates overlook that DAI requires explicit static bindings for non-DHCP clients, leading to connectivity failures that appear as timeouts rather than explicit denials.

Why the other options are wrong

A

This option misunderstands ACL processing: it assumes a simple subnet permit ACL would block port 22 by default, but the ACL entry permits all traffic from the subnet, not just specific ports.

C

This option assumes port security is the first cause of connectivity failure whenever MAC limits are configured, but the symptom does not indicate a port security violation; the port would have to go into the err-disabled state, which is not mentioned.

D

AAA failures manifest as authentication errors or prompts that time out after attempting RADIUS, but they typically affect all attempts, not a single source, unless combined with ACLs that permit other hosts but block this one.

279
Multi-Select · medium

Which TWO statements correctly describe the differences between RADIUS and TACACS+ when configuring AAA on IOS-XE?

Select 2 answers
A. RADIUS encrypts the entire packet body, while TACACS+ encrypts only the password.
B. TACACS+ uses TCP port 49, while RADIUS uses UDP ports 1812 and 1813.
C. RADIUS supports command-level authorization, whereas TACACS+ does not.
D. TACACS+ separates authentication, authorization, and accounting into distinct processes, while RADIUS combines authentication and authorization.
E. Both RADIUS and TACACS+ can be used for 802.1X port-based authentication on IOS-XE.
Answers: B, D

TACACS+ uses TCP for reliable transport on port 49, while RADIUS uses UDP (port 1812 for authentication/authorization, 1813 for accounting).

Why this answer

Options B and D are correct. TACACS+ uses TCP port 49, while RADIUS uses UDP ports 1812 (authentication) and 1813 (accounting). TACACS+ separates authentication, authorization, and accounting into three distinct processes, whereas RADIUS combines authentication and authorization.

Option A is incorrect because TACACS+ encrypts the entire packet body, while RADIUS encrypts only the password. Option C is incorrect because TACACS+ supports command-level authorization, while RADIUS does not. Option E is incorrect because 802.1X port-based authentication uses RADIUS, not TACACS+.

Exam trap

Cisco often tests the encryption behavior (Option A) as a trap, because candidates confuse which protocol encrypts the entire packet versus just the password, and they also test the authorization granularity (Option C) to see if you know that TACACS+ supports command-level authorization while RADIUS does not.

Why the other options are wrong

A

TACACS+ encrypts the entire packet, while RADIUS encrypts only the password – the opposite of what this option states.

C

TACACS+ supports command-level authorization, whereas RADIUS does not – this option reverses the capabilities.

E

802.1X port-based authentication uses RADIUS, not TACACS+, as specified by the IEEE 802.1X standard.

280
PBQ · hard

You are connected to R1. The network has two routers (R1 and R2) connected via a serial link (S0/0/0). R1's GigabitEthernet0/0 connects to the 192.168.1.0/24 LAN. An extended ACL must be configured on R1 to permit only HTTPS traffic (TCP port 443) from host 192.168.1.10 to server 203.0.113.5 (reachable via R2), and deny all other traffic from the LAN to the server. Currently, the ACL is applied inbound on G0/0 but valid HTTPS traffic is being blocked. Troubleshoot and fix the configuration.

Hints

  • The current ACL uses 'any' source, but the requirement is to restrict to a specific host.
  • The order of ACL entries matters; the first match is applied.
  • The implicit deny at the end blocks all traffic that does not match a permit statement.
A. The ACL is missing an explicit permit statement for HTTPS traffic from host 192.168.1.10 to server 203.0.113.5, and the current permit ip any any allows all traffic, including HTTP, which violates the requirement to deny HTTP.
B. The ACL is applied inbound on G0/0, but it should be applied outbound on G0/0 to filter traffic leaving the LAN.
C. The ACL should be applied to the serial interface S0/0/0 instead of G0/0 to filter traffic going to R2.
D. The ACL is missing a deny statement for all other traffic from the LAN to the server, and the permit ip any any allows everything, including unwanted traffic.
Answer: A
Solution
! R1
configure terminal
no ip access-list extended BLOCK_SERVER
ip access-list extended BLOCK_SERVER
permit tcp host 192.168.1.10 host 203.0.113.5 eq 443
deny tcp host 192.168.1.10 host 203.0.113.5 eq 80
deny ip any host 203.0.113.5
permit ip any any
end

Why this answer

The ACL BLOCK_SERVER is intended to block HTTP (port 80) to the server but permit HTTPS (port 443). As written, it denies TCP traffic to port 80 from any source, and its permit ip any any statement then permits all remaining IP traffic, including HTTPS. The implicit deny at the end would block HTTPS only if that permit were removed.

The ACL is applied inbound on G0/0, which is the correct direction, but the source address for traffic from the LAN is host 192.168.1.10 (not any), and the destination port that must be permitted is 443 (not 80). Because the current ACL permits all traffic, including HTTPS, the problem is either that the ACL is too permissive (allowing HTTP) or that the implicit deny is blocking HTTPS because of a misordering. Here the ACL is actually permitting everything (including HTTP) because of permit ip any any.

To fix this, the ACL should explicitly permit HTTPS from host 192.168.1.10, deny HTTP from that host, and deny all other traffic to the server, leaving permit ip any any only for other destinations. The correct sequence is: permit tcp host 192.168.1.10 host 203.0.113.5 eq 443, deny tcp host 192.168.1.10 host 203.0.113.5 eq 80, permit ip any any.

Exam trap

Be careful not to assume that an ACL with a permit ip any any will automatically block specific traffic; it actually permits everything. The implicit deny only applies if there is no matching permit statement. Also, pay attention to the specific requirements: the ACL must deny HTTP but permit HTTPS from the host.

Why the other options are wrong

B

The direction of ACL application is correct; inbound on the interface where traffic enters the router is standard for filtering traffic from the LAN.

C

ACLs should be applied as close to the source as possible to deny traffic early. Applying on the serial interface would still work but is less efficient and not the best practice.

D

The permit ip any any allows all traffic, so HTTPS should be allowed. The problem says HTTPS is blocked, so the issue must be something else, like a missing explicit permit or a misordering.

281
PBQ · hard

You are connected to R1. The network uses DNS to resolve hostnames for remote device management. Currently, R1 cannot resolve the hostname 'ServerA' via DNS. Using the nslookup and dig commands, you have gathered the following outputs:

nslookup ServerA
Server:  203.0.113.1
Address: 203.0.113.1#53
Name:    ServerA.example.com
Address: 203.0.113.10

dig ServerA
...
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: ...
...

The show running-config command shows that 'ip domain-lookup' is enabled, the name-server is 203.0.113.1, and no static host entries are configured. Diagnose and fix the DNS resolution failure. Ensure that R1 can successfully resolve 'ServerA' to its intended IP address 198.51.100.10.

Hints

  • Check the output of 'nslookup' and 'dig' carefully; nslookup may show a different IP than expected.
  • The DNS server returns a response but with an incorrect record — consider using a static host entry or a different DNS server.
  • Verify that the DNS server's A record for ServerA actually points to 198.51.100.10, not 203.0.113.10.
A. Add a static host entry: 'ip host ServerA 198.51.100.10'
B. Change the DNS server to 8.8.8.8 using 'ip name-server 8.8.8.8'
C. Enable 'ip domain lookup' with 'ip domain-lookup' command
D. Configure the correct domain name using 'ip domain-name example.com'
Answer: A
Solution
! R1
! Remove the incorrect static host entry if present (optional, but to force DNS resolution)
no ip host ServerA
! Alternatively, correct the DNS server or add a correct static entry:
ip host ServerA 198.51.100.10
! Or configure a different DNS server that has the correct A record:
ip name-server 198.51.100.1

Why this answer

The nslookup output misleadingly shows a response with IP 203.0.113.10, but the dig output reveals NXDOMAIN, indicating the DNS server has no valid A record for ServerA. The returned address is a default domain record that does not point to the correct device. Since the external DNS server cannot be modified, the quickest and valid fix is to add a static host entry on R1 using 'ip host ServerA 198.51.100.10', which overrides DNS and ensures correct resolution.

Option B is incorrect because changing to 8.8.8.8 would still depend on a remote server having the correct record, which is not guaranteed. Option C is wrong because 'ip domain-lookup' is already enabled, so disabling/enabling it has no effect. Option D is wrong because modifying the domain name only affects how FQDN is built but does not fix the missing A record or wrong IP issue.

Exam trap

Do not assume that a DNS server that responds is correctly configured. Always verify the actual record returned. The nslookup output may show a response, but the IP could be wrong.

Use 'dig' to see the exact answer section. Also, remember that static host entries override DNS and are useful for troubleshooting.

Why the other options are wrong

B

The DNS server is reachable and responds, but with incorrect data. Simply changing the server may not fix the issue if the new server also lacks the correct record.

C

The command 'ip domain-lookup' enables DNS resolution, but it is enabled by default. The problem is the incorrect DNS record, not the feature being disabled.

D

The domain name is already being used in the query (ServerA.example.com). Configuring a different domain name would change the query but not fix the incorrect record for ServerA.

282
MCQ · hard

Clients on a network can browse the internet by IP address but fail when using hostnames. What is the most likely problem?

A. The default gateway on the PC is incorrect.
B. The client is using the wrong DNS server address.
C. NAT overload is failing on the edge router.
D. The switchport must be converted to a routed port.
Answer: B

That is the direct cause of hostname resolution failure here.

Why this answer

The client can browse by IP address but not by hostname, which indicates that IP connectivity and routing are functional, but name resolution is failing. Since DNS translates hostnames to IP addresses, the most likely fault is that the client is configured with an incorrect DNS server address, preventing it from resolving domain names.

Exam trap

Cisco often tests the distinction between IP connectivity issues and name resolution issues, and the trap here is that candidates may incorrectly blame the default gateway or NAT when the symptom clearly isolates the problem to DNS.

Why the other options are wrong

A

This option is wrong because if the default gateway on the PC were incorrect, the client would not be able to reach any external IP addresses, not just hostnames. The issue specifically pertains to DNS resolution, not routing.

C

NAT overload failing on the edge router would typically affect the ability to connect to the internet entirely, not just when using hostnames. Since clients can browse by IP, this indicates NAT is functioning correctly.

D

This option is wrong because the issue described pertains to DNS resolution, not layer 2 switching or routing. The problem is related to hostname resolution failures, which are not affected by the switchport type.

283
MCQ · medium

On a router performing NAT, where should ip nat inside be applied?

A. On the interface facing the internal private network
B. On the interface facing the ISP only
C. On every routed interface on the router
D. Only on loopback interfaces
Answer: A

That is the inside side of the translation boundary.

Why this answer

The inside designation belongs on the interface facing the private internal network. The outside designation belongs on the interface facing the public or external network.

Exam trap

A frequent exam trap is misapplying the ip nat inside command to the interface facing the ISP or external network. This mistake reverses the NAT boundary, causing translation to fail because the router expects private addresses on the inside interface only. Another trap is assuming all interfaces require NAT configuration, leading to unnecessary or incorrect commands on unrelated interfaces.

Additionally, some candidates incorrectly think loopback interfaces should be marked inside or outside, but NAT operates on interfaces connected to actual networks. Recognizing that ip nat inside must be on the internal private network interface prevents these common errors.

Why the other options are wrong

B

Incorrect. The interface facing the ISP is typically marked with ip nat outside, not ip nat inside, because it represents the public or external side of the NAT boundary.

C

Incorrect. Not every routed interface requires NAT configuration. Only interfaces that participate in NAT translation should be marked as inside or outside to define the translation boundaries.

D

Incorrect. NAT is not limited to loopback interfaces, and loopbacks are generally not used for NAT inside or outside designation since NAT operates on interfaces connected to real networks.

284
MCQ · medium

Users in 10.10.10.0/24 must be prevented from reaching the web server at 172.16.1.10 over HTTP, but all other traffic should be allowed. Which ACL entry should appear first in the ACL?

A. permit tcp 10.10.10.0 0.0.0.255 host 172.16.1.10 eq 80
B. deny ip 10.10.10.0 0.0.0.255 host 172.16.1.10
C. deny tcp 10.10.10.0 0.0.0.255 host 172.16.1.10 eq 80
D. deny udp 10.10.10.0 0.0.0.255 host 172.16.1.10 eq 80
Answer: C

This is correct because HTTP uses TCP port 80, and the requirement is narrowly focused on blocking that traffic from one subnet to one host.

Why this answer

The requirement is specific: block HTTP traffic from one source subnet to one server, but allow everything else. In plain terms, you do not want to shut off all communication to the server or all communication from the users. You only want to stop normal web traffic that uses TCP port 80. That means the ACL should start with a deny statement that matches TCP from 10.10.10.0/24 to host 172.16.1.10 on destination port 80.

Using `deny ip` would block every IP-based protocol to that host, which is broader than the requirement. Using UDP port 80 does not match normal HTTP. And a permit statement would do the opposite of what is needed.

Exam trap

A frequent exam trap is selecting a deny ip statement to block HTTP traffic, which seems simpler but actually blocks all IP traffic from the source subnet to the destination host. This overbroad denial disrupts legitimate communications such as DNS, SSH, or other TCP/UDP services, violating the requirement to allow all other traffic. Another trap is denying UDP port 80, which is incorrect because HTTP uses TCP, not UDP.

Candidates may also mistakenly place a permit statement first, which would allow the HTTP traffic instead of blocking it. Recognizing the correct protocol and port and placing the deny statement first is critical to avoid these pitfalls.

Why the other options are wrong

A

This option permits TCP traffic from 10.10.10.0/24 to the web server on port 80, which is the exact traffic that must be blocked. Therefore, it contradicts the requirement and is incorrect.

B

This option denies all IP traffic from the source subnet to the destination host, which is too broad. It blocks all protocols and ports, not just HTTP, violating the requirement to allow other traffic.

D

This option denies UDP traffic on port 80, but HTTP uses TCP port 80. Denying UDP port 80 does not block HTTP traffic and therefore does not meet the requirement.

285
Drag & Drop · medium

Drag and drop the following steps into the correct order to configure AAA with a RADIUS server and enable 802.1X port authentication on a Cisco IOS-XE switch.


Why this order

The correct order begins by entering global configuration mode, then configuring the RADIUS server host and key before enabling AAA globally. Although AAA can be enabled without a RADIUS server, Cisco recommends defining the server before creating the authentication method list that references it to avoid configuration errors. After enabling AAA, define the authentication method list for 802.1X, then enter interface configuration mode, enable 802.1X port authentication, apply the method list to the interface, and finally verify the configuration.

Exam trap

A common mistake is defining the authentication method list before configuring the RADIUS server, which causes a reference error; the server must be defined before the method list that uses it, even though AAA itself can be enabled earlier.

286
PBQ · hard

You are connected to R1. Configure AAA with a RADIUS server at 10.0.0.2 using key 'cisco123' for authentication. Then troubleshoot why 802.1X on interface GigabitEthernet0/1 remains in unauthorized state. Ensure that the default login authentication uses RADIUS first, then local fallback, and fix any configuration issues that prevent 802.1X from working.

Network Topology
R1 G0/0 (10.0.0.1/30) --link-- RADIUS Server (10.0.0.2/30); R1 G0/1 --link-- Client PC

Hints

  • Check the AAA authentication method for dot1x — it currently uses 'local' but no local users exist.
  • The default login authentication also uses 'local' — you need to add RADIUS as primary method.
  • Ensure the RADIUS server's IP and key are correct — but the issue is the authentication method list, not connectivity.
A. Configure 'aaa authentication dot1x default group radius' and 'aaa authentication login default group radius local' and ensure the RADIUS server is reachable with the correct key.
B. Configure 'aaa authentication dot1x default local' and 'aaa authentication login default local' and create a local user with the same credentials as the RADIUS server.
C. Configure 'aaa authentication dot1x default group radius' and 'aaa authentication login default local' and ensure the RADIUS server key is 'cisco123'.
D. Configure 'aaa authentication dot1x default group radius' and 'aaa authentication login default group radius local' and change the RADIUS server key to 'cisco'.
Answer: A
Solution
! R1
configure terminal
aaa authentication login default group radius local
aaa authentication dot1x default group radius
end
write memory

Why this answer

The 802.1X port is stuck in UNAUTHORIZED because AAA authentication for dot1x is set to 'local' but there is no local user database configured. Additionally, the RADIUS server is configured but not used for dot1x or login. The fix is to change 'aaa authentication dot1x default' to use group radius, and 'aaa authentication login default' to group radius local for fallback.

Also ensure the RADIUS server is reachable and the key matches the server.

Exam trap

Candidates often forget that 802.1X requires a RADIUS server for authentication, not local, and that the login authentication method list must also be configured correctly. They may also overlook the need for the RADIUS key to match exactly.

Why the other options are wrong

B

The specific factual error is that 802.1X should use RADIUS for authentication, not local, and the login default should have RADIUS as the primary method.

C

The specific factual error is that the login default should be 'group radius local' to meet the requirement of RADIUS first then local fallback.

D

The specific factual error is that the key must match exactly; changing it to 'cisco' would break communication with the RADIUS server.

287
MCQ · medium

A host can reach other devices on its local subnet, but it cannot reach remote networks. The host has a valid IP address and subnet mask. Which missing item is the strongest suspect?

A. Default gateway information
B. STP priority information
C. A voice VLAN setting
D. An OSPF process ID
Answer: A

This is correct because the host needs a next hop for off-subnet traffic.

Why this answer

The strongest suspect is a missing default gateway. In practical terms, the host can still identify and reach local addresses because it has its own IP and subnet mask. But without a default gateway, it has no next hop for destinations outside the local subnet. That is why local communication works while remote communication fails.

This is one of the most common host-configuration troubleshooting patterns on the exam and in real networks.

Exam trap

A common exam trap is selecting options related to routing protocols like OSPF or Layer 2 technologies such as STP or VLANs when the issue is actually a missing default gateway. Candidates might incorrectly assume that the host needs an OSPF process ID or STP priority to reach remote networks. However, hosts do not run routing protocols and do not participate in STP decisions.

The real problem is the absence of default gateway information, which prevents the host from forwarding packets beyond its local subnet. Misunderstanding this leads to incorrect answers that focus on advanced protocols rather than basic IP configuration.

Why the other options are wrong

B

Incorrect because STP priority is a Layer 2 switch parameter that does not affect host IP routing or the ability to reach remote networks. Hosts do not participate in STP decisions.

C

Incorrect because voice VLAN settings relate to Layer 2 segmentation for voice traffic and do not impact the host’s IP routing or default gateway configuration needed for remote communication.

D

Incorrect because hosts do not run routing protocols like OSPF and do not require an OSPF process ID. Routing protocols are configured on routers, not end hosts.

288
MCQ · hard

After enabling Dynamic ARP Inspection on VLAN 20, a network engineer notices that some hosts lose connectivity. The affected hosts have correct IP addresses and MAC addresses, but they cannot ping the default gateway. All other hosts on the same VLAN work fine. Further investigation reveals that the non-functioning hosts are using static IP configurations, while the working hosts are DHCP clients. What is the most likely cause?

A. The DHCP snooping binding table is exhausted and cannot accept new bindings for the static hosts.
B. IP Source Guard is also enabled on VLAN 20 and is blocking traffic from hosts that have no DHCP snooping binding.
C. DAI is dropping ARP packets from the static hosts because they do not have a corresponding entry in the DHCP snooping binding table.
D. The switch is detecting ARP spoofing from the static hosts and has shut down their switchport interfaces for security.
Answer: C

When DAI is enabled, it checks every ARP packet on untrusted ports against the DHCP snooping binding table. Since the static hosts have no DHCP lease, no binding exists, and DAI drops their ARP packets, preventing them from learning the gateway MAC address and causing loss of connectivity.

Why this answer

Dynamic ARP Inspection (DAI) uses the DHCP snooping binding table to validate ARP packets. Hosts with statically assigned IP addresses have no DHCP binding entry, so DAI considers their ARP packets invalid and drops them, preventing these hosts from resolving MAC addresses and thus causing loss of connectivity.

Exam trap

Option B (IP Source Guard) is tempting because both features rely on the DHCP snooping binding table, but IP Source Guard filters IP data traffic, not ARP packets. The specific symptom of failed ARP resolution after enabling DAI points directly to DAI's ARP validation, not IP traffic filtering.

Why the other options are wrong

A

Candidates may think that a large number of untrusted hosts could overwhelm the binding table, but static hosts do not interact with DHCP and would not fill the table or be rejected.

B

Candidates often confuse DAI and IP Source Guard since both use DHCP snooping; however, DAI specifically validates ARP packets, which matches the symptom of connectivity loss due to ARP resolution failure.

D

Some candidates might associate ARP security features with port shutdown, but standard DAI operation does not disable ports, and the symptom does not indicate interface down events.

289
Matching · medium

Match each user or host symptom to the service most directly suggested first.


Concepts

  • DNS
  • DHCP
  • NTP
  • Syslog

Why these pairings

DNS translates domain names to IP addresses; when a device reaches sites by IP but not by name, the most direct cause is DNS failure. DHCP automatically assigns IP configurations; a host not receiving an IP configuration automatically points directly to a DHCP issue. NTP synchronizes clocks across devices; event timelines from multiple devices not aligning indicates an NTP problem.

Syslog centralizes device logs; administrators cannot see centralized events suggests Syslog is misconfigured or unreachable.

Exam trap

The trap is to associate 'host does not receive IP configuration' with DNS or NTP, but the most direct service is DHCP.

290
PBQ · hard

You are connected to R1. Configure an extended ACL on R1 to permit HTTP traffic from the 192.168.1.0/24 network to the 10.0.0.0/30 network, and deny all other IP traffic. Apply the ACL inbound on the interface facing the 192.168.1.0/24 network. The current configuration has an ACL that is too permissive; you must explicitly remove the existing ACL before applying the new one. Correct the configuration.

Network Topology
Hosts (192.168.1.0/24) -- R1 G0/0 (192.168.1.1/24); R1 G0/1 (10.0.0.1/30) -- 10.0.0.0/30 -- R2

Hints

  • The existing ACL allows all IP traffic; you need to restrict it to HTTP only.
  • Use a wildcard mask of 0.0.0.255 for the source network and 0.0.0.3 for the destination /30 network.
  • Apply the ACL inbound on the interface that receives traffic from the 192.168.1.0/24 network.
A.
  ip access-list extended HTTP_ONLY
   permit tcp 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.3 eq 80
  interface gigabitEthernet0/0
   no ip access-group PERMIT_ALL in
   ip access-group HTTP_ONLY in
B.
  ip access-list extended HTTP_ONLY
   permit tcp 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.3 eq 80
   deny ip any any
  interface gigabitEthernet0/0
   no ip access-group PERMIT_ALL in
   ip access-group HTTP_ONLY in
C.
  ip access-list extended HTTP_ONLY
   permit tcp 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.3 eq 80
  interface gigabitEthernet0/0
   ip access-group HTTP_ONLY in
D.
  ip access-list extended HTTP_ONLY
   permit tcp 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.3 eq 80
   permit ip any any
  interface gigabitEthernet0/0
   no ip access-group PERMIT_ALL in
   ip access-group HTTP_ONLY in
Answer: A
Solution
! R1
configure terminal
ip access-list extended HTTP_ONLY
permit tcp 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.3 eq 80
exit
interface gigabitEthernet0/0
no ip access-group PERMIT_ALL in
ip access-group HTTP_ONLY in
end

Why this answer

The existing ACL PERMIT_ALL allows all IP traffic, which must be replaced by a new ACL that permits only TCP port 80 (HTTP) from 192.168.1.0/24 to 10.0.0.0/30 and denies everything else. Because the requirement specifies explicit removal of the old ACL, you must first issue 'no ip access-group PERMIT_ALL in' under the interface before applying the new ACL. The extended ACL has an implicit deny at the end, so no separate deny statement is needed.

Therefore, the correct sequence is: create the ACL HTTP_ONLY with the permit statement, enter the interface, remove the old ACL, and apply the new one inbound.

Exam trap

Many learners forget that an explicit 'no ip access-group' command is required if the task demands explicit removal. Simply applying a new ACL over an existing one replaces it, but that does not fulfill a requirement to explicitly remove the old ACL.

Why the other options are wrong

C

Option C applies the new ACL without explicitly removing the old one, which violates the explicit removal requirement.

291
PBQ · medium

You are connected to R1 via the console. R1 is a router that connects to the internet via GigabitEthernet0/0 (198.51.100.1/30) and to the internal network via GigabitEthernet0/1 (10.1.1.1/24). You need to implement a security policy that permits HTTP traffic (port 80) from the internal network to a web server at 10.1.1.100, and denies all other traffic from internal hosts to the internet. The ACL should be named 'INTERNET-FILTER' and applied inbound on GigabitEthernet0/1.

Network Topology
Internal network / Web Server -- R1 G0/1 (10.1.1.1/24); R1 G0/0 (198.51.100.1/30) -- ISP -- Internet

Hints

  • The ACL should be applied to the interface facing the internal network.
  • The permit statement must be before the deny statement.
  • Use the 'eq' keyword to specify port 80.
A.
  ip access-list extended INTERNET-FILTER
   permit tcp 10.1.1.0 0.0.0.255 host 10.1.1.100 eq 80
   deny ip 10.1.1.0 0.0.0.255 any
  !
  interface GigabitEthernet0/1
   ip access-group INTERNET-FILTER in
B.
  ip access-list standard INTERNET-FILTER
   permit 10.1.1.0 0.0.0.255
  !
  interface GigabitEthernet0/1
   ip access-group INTERNET-FILTER in
C.
  ip access-list extended INTERNET-FILTER
   permit tcp host 10.1.1.100 10.1.1.0 0.0.0.255 eq 80
   deny ip any any
  !
  interface GigabitEthernet0/1
   ip access-group INTERNET-FILTER in
D.
  ip access-list extended INTERNET-FILTER
   permit tcp 10.1.1.0 0.0.0.255 host 10.1.1.100 eq 80
   deny ip any any
  !
  interface GigabitEthernet0/0
   ip access-group INTERNET-FILTER in
Answer: A
Solution
! R1
ip access-list extended INTERNET-FILTER
permit tcp 10.1.1.0 0.0.0.255 host 10.1.1.100 eq 80
deny ip 10.1.1.0 0.0.0.255 any
interface GigabitEthernet0/1
ip access-group INTERNET-FILTER in

Why this answer

The named extended ACL matches on source, destination, protocol and port, which a standard ACL cannot do. The permit entry allows TCP/80 from 10.1.1.0/24 to the web server. The deny entry then drops every other packet sourced from 10.1.1.0/24 as it enters G0/1, whatever the destination, so internet-bound traffic is blocked; writing the deny explicitly also gives it a hit counter in 'show access-lists', which the implicit deny does not have.

Applying it inbound on G0/1 filters traffic as it enters the router from the LAN. Two practical caveats: an inbound ACL also filters packets addressed to R1 itself (management sessions to 10.1.1.1 from the LAN are dropped unless permitted), and because 10.1.1.100 sits in the same /24 as the clients, client-to-server HTTP on that LAN is switched locally and never crosses G0/1. The permit only takes effect for HTTP that is actually routed through R1 toward 10.1.1.100.

Exam trap

Watch out for the direction of the ACL application: inbound on the internal interface filters traffic entering the router from the internal network. Also, remember that extended ACLs are needed when filtering by destination or port.

Why the other options are wrong

B

Standard ACLs cannot match destination IP addresses or port numbers; they only match source IP addresses.

C

The ACL entry incorrectly specifies the web server as the source and the internal network as the destination, which is the opposite of the required direction.

D

Applying the ACL inbound on the external interface filters traffic entering from the internet, not traffic from the internal network. The correct placement is inbound on the internal interface.
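The following Python model is an added example, not IOS code and not part of the original page. It reproduces the two rules an extended ACL lives by, Cisco wildcard-mask matching and top-down first-match evaluation that ends in an implicit deny, and runs the ACLs from options A and C against constructed sample packets entering G0/1. The 203.0.113.0/24 addresses stand in for "the internet"; the Packet and Ace classes are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Added illustration of IOS extended-ACL matching; not IOS code and not from
# the original page. It models the two things the question turns on: Cisco
# wildcard masks and top-down first-match evaluation ending in an implicit deny.


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    """One access control entry, in the order the IOS line is written."""
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol
    src: str                    # "A.B.C.D W.X.Y.Z", "host A.B.C.D" or "any"
    dst: str
    dport: Optional[int] = None  # the "eq <port>" qualifier on the destination


def wildcard_match(spec: str, addr: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the mask must match, a 1 bit is ignored."""
    if spec == "any":
        return True
    a = int(ipaddress.IPv4Address(addr))
    if spec.startswith("host "):
        return a == int(ipaddress.IPv4Address(spec[5:]))
    base, wild = spec.split()
    care = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF
    return (a & care) == (int(ipaddress.IPv4Address(base)) & care)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ace.dport is not None and pkt.dport != ace.dport:
        return False
    return wildcard_match(ace.src, pkt.src) and wildcard_match(ace.dst, pkt.dst)


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """First matching entry wins; anything that falls off the end hits the implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


# Option A from the question, applied inbound on G0/1.
INTERNET_FILTER_A = [
    Ace("permit", "tcp", "10.1.1.0 0.0.0.255", "host 10.1.1.100", 80),
    Ace("deny", "ip", "10.1.1.0 0.0.0.255", "any"),
]

# Option C: source and destination swapped, so client-to-server HTTP never
# reaches the permit and falls through to the deny.
INTERNET_FILTER_C = [
    Ace("permit", "tcp", "host 10.1.1.100", "10.1.1.0 0.0.0.255", 80),
    Ace("deny", "ip", "any", "any"),
]

# Constructed sample traffic entering G0/1 (the question's addresses plus
# 203.0.113.0/24, a documentation range standing in for "the internet").
HTTP_TO_SERVER = Packet("10.1.1.50", "10.1.1.100", "tcp", 80)
HTTPS_TO_SERVER = Packet("10.1.1.50", "10.1.1.100", "tcp", 443)
HTTP_TO_INTERNET = Packet("10.1.1.50", "203.0.113.10", "tcp", 80)
DNS_TO_INTERNET = Packet("10.1.1.50", "203.0.113.53", "udp", 53)


if __name__ == "__main__":
    for label, acl in (("option A", INTERNET_FILTER_A), ("option C", INTERNET_FILTER_C)):
        for pkt in (HTTP_TO_SERVER, HTTPS_TO_SERVER, HTTP_TO_INTERNET, DNS_TO_INTERNET):
            print(f"{label}: {pkt.src} -> {pkt.dst} {pkt.proto}/{pkt.dport}: {evaluate(acl, pkt)}")
    # Swapping the two lines of option A shows why the hint insists on order.
    print("option A reversed:", evaluate(list(reversed(INTERNET_FILTER_A)), HTTP_TO_SERVER))
```

Running it shows option A permitting only TCP/80 to 10.1.1.100 and denying HTTPS to the same server, web and DNS traffic to the internet; option C denies the client-to-server HTTP because its permit line names the server as the source; and putting the deny above the permit makes the permit unreachable, which is the same mistake as the ordering hint warns about.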

292
MCQmedium

Exhibit: After PAT is configured, inside users can browse the internet, but the engineer wants to verify that translations are actually being created. Which command is the best choice?

A.show access-lists
B.show ip nat translations
C.show ip route
D.debug ip packet detail
AnswerB

This directly displays the current NAT entries.

Why this answer

The NAT translation table lists each entry's protocol, inside global and inside local addresses (plus the outside addresses for PAT entries), so an inside host's session appearing there confirms that translations are being built. 'show ip nat statistics' complements it with hit and miss counters and the interfaces marked inside and outside.

Exam trap

A common exam trap is picking 'show access-lists' or 'show ip route' to verify NAT. The ACL and the routing table are prerequisites for NAT (the ACL selects which inside addresses are translated), but neither displays active translation entries. 'debug ip packet detail' is also tempting; it prints every packet the CPU handles, floods the console and can degrade a production router, so it is the wrong tool for a simple check.

'show ip nat translations' reads the current NAT table directly and confirms whether PAT entries are being created and maintained.

Why the other options are wrong

A

'show access-lists' displays the configured ACLs and their hit counts but does not show active NAT translation entries. It cannot confirm whether PAT translations are being created or maintained.

C

'show ip route' shows the routing table with network paths and next hops but does not provide any information about NAT translation sessions or port mappings, making it unsuitable for verifying PAT.

D

'debug ip packet detail' provides detailed packet-level debugging information, which is more intrusive and verbose than necessary for basic NAT verification, and can impact device performance.

293
Matchingmedium

Match each NAT or address-related term to its most accurate description.

Concepts: Inside local, Inside global, Static NAT, PAT

Matches
Inside local: The private address used by the host on the internal network
Inside global: The address representing the internal host to outside networks
Static NAT: A fixed one-to-one address mapping
PAT: A many-to-one translation approach using ports

Why these pairings

Inside local is the private IP address assigned to a host inside the internal network. Inside global is the public IP address that represents that internal host to external networks. Static NAT creates a permanent one-to-one mapping between an inside local and an inside global address.

PAT (Port Address Translation) extends NAT by using port numbers to map multiple inside local addresses to a single inside global address.

Exam trap

The trap is that all options involve IP address translation or special addresses, but only static NAT is a one-to-one manual mapping. Candidates often confuse static NAT with PAT or dynamic NAT, or mistakenly think loopback is a NAT term.

294
Drag & Dropmedium

Drag and drop the following steps into the correct order to plan, configure, and apply an extended ACL that permits web traffic from the 10.1.1.0/24 network to the server 192.168.2.10 while blocking all other traffic inbound on GigabitEthernet0/1.


Why this order

A workable order is: plan the entries (source 10.1.1.0 0.0.0.255, destination host 192.168.2.10, TCP port 80, with the permit listed before the deny), create the named extended ACL with those statements, apply it with 'ip access-group <name> in' on GigabitEthernet0/1, and verify with 'show access-lists' for hit counts and 'show ip interface GigabitEthernet0/1' to confirm the ACL is bound inbound.

Exam trap

A common trap is to think that you can apply an ACL to an interface before defining it, or that verification should be done before application. Always remember: define, apply, then verify.

295
Multi-Selectmedium

Which TWO DHCP snooping trust states are valid on a Cisco switch? (Choose two.)

Select 2 answers
A.Trusted
B.Untrusted
C.Secure
D.Authorized
E.Relay
AnswersA, B

A trusted port is configured using 'ip dhcp snooping trust' and is allowed to forward all DHCP messages, including server responses. This is typically applied to ports connecting to DHCP servers or upstream relay agents.

Why this answer

DHCP snooping is a switch feature that inspects DHCP messages and classifies every port as either trusted or untrusted; those are the only two states. Once 'ip dhcp snooping' and 'ip dhcp snooping vlan <id>' are configured, every port is untrusted by default, and only interfaces configured with 'ip dhcp snooping trust' (uplinks toward the legitimate server or relay) may forward server-originated messages such as OFFER, ACK and NAK. On untrusted, user-facing ports client messages are forwarded and server messages are dropped.

Exam trap

Cisco often tests the exact terminology of DHCP snooping trust states, and the trap here is that candidates confuse 'trusted' and 'untrusted' with other security terms like 'secure' or 'authorized' from different features (e.g., port security or 802.1X).

Why the other options are wrong

C

This is a distractor term that does not exist in the DHCP snooping configuration. The correct states are trusted and untrusted.

D

This term is borrowed from other security contexts and is not applicable to DHCP snooping trust states.

E

This confuses the DHCP relay agent feature with DHCP snooping trust states. They are different mechanisms.
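The following Python model is an added example, not switch code and not part of the original page. It applies the trusted/untrusted logic from this question and the rogue-server question earlier on the page to a constructed DHCP exchange: server-type messages (OFFER, ACK, NAK) are dropped on untrusted ports and forwarded on the trusted uplink, and an ACK seen on the trusted port completes a binding-table entry for the client that asked on an access port. The message-type codes are the DHCP option 53 values from RFC 2132; port names, MACs and addresses are constructed, and the source-MAC versus chaddr check stands in for the switch's MAC verification on untrusted ports.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Added model of DHCP snooping's trusted/untrusted logic; it is not switch code
# and not from the original page. Message-type values are the DHCP option 53
# codes from RFC 2132; port names and addresses below are constructed.

DISCOVER, OFFER, REQUEST, DECLINE, ACK, NAK, RELEASE = 1, 2, 3, 4, 5, 6, 7
SERVER_MESSAGES = {OFFER, ACK, NAK}     # only a DHCP server legitimately sends these


@dataclass(frozen=True)
class DhcpMessage:
    ingress_port: str
    vlan: int
    msg_type: int
    src_mac: str                  # Ethernet source address of the frame
    chaddr: str                   # client hardware address inside the DHCP payload
    yiaddr: Optional[str] = None  # address a server offers/acknowledges


@dataclass
class DhcpSnooping:
    enabled_vlans: Set[int]
    trusted_ports: Set[str] = field(default_factory=set)   # every port starts untrusted
    verify_mac: bool = True       # models "ip dhcp snooping verify mac-address" (on by default)
    # (vlan, client mac) -> access port the client's REQUEST arrived on
    pending: Dict[Tuple[int, str], str] = field(default_factory=dict)
    # binding table: (vlan, client mac) -> (leased ip, client's access port)
    bindings: Dict[Tuple[int, str], Tuple[str, str]] = field(default_factory=dict)

    def trust(self, port: str) -> None:
        """Equivalent of 'ip dhcp snooping trust' on an uplink toward the real server."""
        self.trusted_ports.add(port)

    def process(self, msg: DhcpMessage) -> str:
        """Return 'forward' or 'drop' for one DHCP message seen by the switch."""
        if msg.vlan not in self.enabled_vlans:
            return "forward"      # snooping is off for this VLAN: nothing is inspected
        key = (msg.vlan, msg.chaddr)
        if msg.ingress_port in self.trusted_ports:
            # Server replies are accepted here; an ACK completes a binding for the
            # client that earlier asked on an untrusted port.
            if msg.msg_type == ACK and msg.yiaddr and key in self.pending:
                self.bindings[key] = (msg.yiaddr, self.pending.pop(key))
            return "forward"
        # Untrusted (user-facing) port from here on.
        if msg.msg_type in SERVER_MESSAGES:
            return "drop"         # a rogue server answering on an access port
        if self.verify_mac and msg.src_mac.lower() != msg.chaddr.lower():
            return "drop"         # spoofed client: frame source != chaddr
        if msg.msg_type == REQUEST:
            self.pending[key] = msg.ingress_port
        elif msg.msg_type == RELEASE:
            self.bindings.pop(key, None)
        return "forward"


def build_demo() -> DhcpSnooping:
    """Access switch with snooping on VLAN 10 and the uplink Gi1/0/24 trusted."""
    snoop = DhcpSnooping(enabled_vlans={10})
    snoop.trust("Gi1/0/24")
    return snoop


if __name__ == "__main__":
    s = build_demo()
    mac = "00:11:22:33:44:55"
    print(s.process(DhcpMessage("Gi1/0/5", 10, DISCOVER, mac, mac)))
    print(s.process(DhcpMessage("Gi1/0/7", 10, OFFER, "de:ad:be:ef:00:01", mac, "10.10.10.99")))
    print(s.process(DhcpMessage("Gi1/0/24", 10, OFFER, "aa:bb:cc:dd:ee:ff", mac, "10.10.10.50")))
    print(s.process(DhcpMessage("Gi1/0/5", 10, REQUEST, mac, mac)))
    print(s.process(DhcpMessage("Gi1/0/24", 10, ACK, "aa:bb:cc:dd:ee:ff", mac, "10.10.10.50")))
    print(s.bindings)
```

The rogue OFFER arriving on Gi1/0/7 is dropped while the identical message on the trusted uplink is forwarded, which is the whole of the trust-state decision; the binding table that results is what features such as Dynamic ARP Inspection and IP Source Guard consult later, so the trusted port choice decides which leases the switch believes.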

296
Matchingmedium

Match each service with the best operational purpose.

Concepts: DNS, DHCP, Syslog, SNMP

Matches
DNS: Translates hostnames into IP addresses
DHCP: Automatically assigns host addressing information
Syslog: Sends event and logging messages to a collector
SNMP: Monitors and manages devices using managed objects

Why these pairings

DNS resolves hostnames to IP addresses, DHCP automatically assigns IP addressing information, Syslog forwards event and log messages to a central collector, and SNMP monitors and manages network devices using managed objects. Each matching pair reflects the primary function of the service without introducing unrelated protocols.

Exam trap

Avoid confusing DNS with DHCP or other services. DNS resolves names; DHCP assigns IPs. Remember that each service has a unique primary purpose.

297
MCQhard

Exhibit: A client can ping 8.8.8.8 but cannot browse to www.example.com. Which service is most likely failing?

A.NTP
B.DNS
C.DHCP snooping
D.HSRP
AnswerB

DNS is the service that turns www.example.com into an address; a ping to 8.8.8.8 by IP never exercises it.

Why this answer

The client has IP connectivity because it can reach 8.8.8.8 directly. The problem appears only when using a hostname, which points to a DNS resolution issue rather than a routing issue.

Exam trap

A frequent exam trap is assuming that successful ping to an IP address means all network services are functioning correctly. Candidates often overlook that ping uses numeric IP addresses and does not test DNS resolution. This leads to the incorrect conclusion that the network is fully operational, causing them to eliminate DNS as a problem.

The trap is reinforced by the presence of other options like DHCP snooping or HSRP, which are unrelated to hostname resolution but may seem plausible. Recognizing that DNS specifically enables hostname-to-IP translation is essential to avoid this mistake.

Why the other options are wrong

A

NTP (Network Time Protocol) synchronizes clocks across devices but does not affect the ability to resolve domain names or browse websites. Since the client can ping an IP address, time synchronization issues are unlikely to cause the browsing failure.

C

DHCP snooping is a security feature that prevents rogue DHCP servers but does not directly impact DNS resolution or hostname-based browsing. The client already has IP connectivity, so DHCP snooping is not the issue.

D

HSRP provides gateway redundancy and failover but does not influence DNS or hostname resolution. Since the client can reach an external IP, the default gateway is functioning, so HSRP failure is unlikely.

298
MCQhard

Based on the exhibit, what is the strongest explanation for why clients can browse by IP address but not by hostname?

A.Name resolution is failing even though IP connectivity works.
B.The client has the wrong default gateway.
C.The switch trunk native VLAN is wrong.
D.The server must run PPP before hostnames can work.
AnswerA

This is correct because the difference between IP success and hostname failure points to DNS.

Why this answer

The strongest explanation is a DNS failure or DNS configuration problem. In practical terms, successful browsing by IP address shows that the client can already reach the destination over the network path. When the same service fails only by hostname, the issue is much more likely in name resolution than in routing, switching, or raw connectivity.

This is one of the most useful support patterns because it quickly separates path problems from naming problems.

Exam trap

A frequent exam trap is assuming that if hostname resolution fails, the problem must be with routing or VLAN configurations such as the default gateway or switch trunk native VLAN. However, since clients can browse by IP address, these path elements are functioning correctly. Misattributing the failure to routing or VLAN issues wastes time and leads to incorrect answers.

The key mistake is not recognizing that DNS operates at a higher layer and that name resolution failures are distinct from IP connectivity problems.

Why the other options are wrong

B

Option B is incorrect because the client can already reach the server by IP address, proving the default gateway is functioning properly and not the cause of hostname resolution failure.

C

Option C is wrong since a switch trunk native VLAN mismatch would cause broader connectivity issues, not just hostname resolution failures. The symptom is specific to name-based access, not total path failure.

D

Option D is incorrect because PPP is unrelated to DNS or hostname resolution in this context. PPP is a WAN protocol and does not affect LAN-based DNS name resolution.

299
MCQmedium

A small office network uses a single public IP address on its router's WAN interface. The network administrator needs to allow all internal hosts to access the internet, but must also ensure that an internal web server with a private IP address is reachable from the internet. Which NAT configuration should the administrator implement to meet both requirements?

A.Configure dynamic NAT with a pool of public IPs and static NAT for the web server.
B.Configure PAT (overload) for internal hosts and static NAT for the web server.
C.Configure only PAT (overload) for all internal hosts including the web server.
D.Configure static NAT for the web server and use only the public IP for internal hosts.
AnswerB

PAT allows multiple internal hosts to share the single public IP for outbound traffic, while static NAT provides a permanent mapping for inbound traffic to the web server.

Why this answer

Option B is correct because PAT (Port Address Translation), also called NAT overload, lets many inside hosts share the single public address by giving each session its own source port, which covers outbound internet access for everyone. The web server is then exposed with a static entry. With only one public IP that entry has to be a port-level static translation (static PAT, for example 'ip nat inside source static tcp 10.0.0.10 80 203.0.113.1 80', with documentation addresses standing in for the real ones), because a whole-address static NAT would claim the only public IP that the overload also needs. The static entry exists regardless of traffic, so unsolicited inbound connections to TCP/80 on the public address are forwarded to the server, while everything else inbound still has no translation and is dropped.

Exam trap

Cisco often tests the misconception that PAT alone lets outside hosts reach an inside server. PAT builds translation entries only for sessions initiated from inside, so return traffic for those sessions is matched, but an unsolicited inbound SYN to the public address has no entry and is dropped unless a static entry for the server exists. That is why option C is the tempting wrong answer.

Why the other options are wrong

A

Dynamic NAT without overload maps one inside host to one pool address at a time; with a single public IP the pool could serve only one host at a time, and that address is also the one the web server's mapping needs.

C

Inbound access to the web server would not be possible without a static mapping.

D

Internal hosts keep private addresses that are not routable on the internet; without overload there is no translation for them, so their outbound traffic leaves with private source addresses and gets no usable return path.
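The following Python model is an added example, not IOS code and not part of the original page. It ties together the translation table of question 292, the inside local/inside global terms of question 293 and the PAT-plus-static design of this question: one public address, overload for inside-initiated sessions, a static TCP/80 entry for the web server, and a 'show ip nat translations'-style listing. Addresses are documentation ranges, the port allocator is a simplification (IOS tries to keep the original source port when it is free), and the NatRouter class and its methods are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Added model of PAT (overload) plus a static port mapping on a single public
# address; it is not IOS code and not from the original page. Addresses are
# documentation ranges and the port allocator is a simplification.

Endpoint = Tuple[str, int]   # (IP address, TCP port)


@dataclass
class NatRouter:
    inside_global: str                              # the one public IP on the WAN side
    # static entries: public port -> (inside local ip, inside local port),
    # i.e. "ip nat inside source static tcp <inside> 80 <public> 80"
    static: Dict[int, Endpoint] = field(default_factory=dict)
    next_port: int = 1024
    # dynamic PAT state learned from inside-initiated sessions
    pat_out: Dict[Endpoint, int] = field(default_factory=dict)   # inside local -> public port
    pat_in: Dict[int, Endpoint] = field(default_factory=dict)    # public port -> inside local

    def translate_outbound(self, src_ip: str, src_port: int) -> Endpoint:
        """Inside-to-outside: pick the source address/port the internet will see."""
        for pub_port, local in self.static.items():
            if local == (src_ip, src_port):
                return (self.inside_global, pub_port)   # static entry takes precedence
        key = (src_ip, src_port)
        if key not in self.pat_out:
            while self.next_port in self.pat_in or self.next_port in self.static:
                self.next_port += 1                   # never collide with an existing mapping
            self.pat_out[key] = self.next_port
            self.pat_in[self.next_port] = key
            self.next_port += 1
        return (self.inside_global, self.pat_out[key])

    def translate_inbound(self, dst_port: int) -> Optional[Endpoint]:
        """Outside-to-inside: None means no translation exists and the packet is dropped."""
        if dst_port in self.static:
            return self.static[dst_port]
        return self.pat_in.get(dst_port)

    def show_translations(self) -> List[str]:
        """Rows in the spirit of 'show ip nat translations': Pro, Inside global, Inside local."""
        rows = [f"tcp {self.inside_global}:{p} {ip}:{lp}" for p, (ip, lp) in sorted(self.static.items())]
        rows += [f"tcp {self.inside_global}:{p} {ip}:{lp}" for p, (ip, lp) in sorted(self.pat_in.items())]
        return rows


if __name__ == "__main__":
    # Option B: overload for everyone plus a static TCP/80 entry for the web server.
    r = NatRouter("203.0.113.1", static={80: ("10.0.0.10", 80)})
    print(r.translate_outbound("10.0.0.5", 50000))      # first inside session
    print(r.translate_outbound("10.0.0.6", 50000))      # same source port, distinct public port
    print(r.translate_inbound(1025))                    # reply to the second session
    print(r.translate_inbound(80))                      # static entry reaches the server
    print(r.translate_inbound(8080))                    # None: unsolicited, no entry
    print("\n".join(r.show_translations()))
    # Option C: overload only; nothing from outside can reach TCP/80.
    print(NatRouter("203.0.113.1").translate_inbound(80))
```

Two hosts using the same source port 50000 get distinct public ports, which is the "many-to-one using ports" definition from the matching question; a reply to one of those ports is mapped back, an unsolicited packet to any other port has no entry and is dropped, and only the static row in the listing exists before any traffic flows, which is why option C cannot expose the server.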

300
Matchingmedium

Match each infrastructure service to the operational problem it most directly addresses.

Concepts: DNS, DHCP, NTP, Syslog (with SNMP and NetFlow as distractors)

Matches
DNS: Hosts can reach services by IP but not by hostname
DHCP: Clients are not receiving IP settings automatically
NTP: Device time and log timestamps are inconsistent
Syslog: Administrators need one place to collect device events

Why these pairings

DNS resolves names; DHCP assigns IPs; NTP syncs time; SNMP monitors devices; Syslog centralizes logs; NetFlow analyzes traffic.

Exam trap

The trap is confusing the roles of DNS and DHCP. Both involve IP addresses, but DNS resolves names, while DHCP assigns addresses. Also, avoid associating DNS with time sync (NTP) or monitoring (SNMP).
