CCNA Network Services Security Questions

75 of 478 questions · Page 5/7 · Network Services Security topic

301
MCQ · easy

Which protocol is used to resolve a hostname such as www.example.com into an IP address?

Answer: A

DNS maps hostnames to IP addresses.

Why this answer

DNS resolves names to addresses. DHCP hands out addressing parameters, NTP synchronizes time, and SNMP is used for management and monitoring.

Exam trap

A frequent exam trap is mistaking DHCP for DNS because both protocols are essential IP services and often appear together in network configurations. Candidates may incorrectly select DHCP, thinking it resolves hostnames, but DHCP only assigns IP addresses and network parameters; it performs no name resolution. Another trap is confusing NTP or SNMP with DNS because of their roles in network operations; however, NTP synchronizes time and SNMP manages devices, and neither resolves hostnames.

Understanding that DNS specifically maps domain names to IP addresses prevents this common mistake.

Why the other options are wrong

B

DHCP is incorrect because it only leases IP addressing information and other network parameters to clients; it does not translate hostnames to IP addresses, which is the core function of DNS.

C

NTP is incorrect as it is used solely for synchronizing clocks across network devices and does not handle any form of hostname or IP address resolution.

D

SNMP is incorrect because it is a protocol for monitoring and managing network devices, not for resolving hostnames or IP addresses.

302
Multi-Select · medium

Which two statements accurately describe DNS in normal network operation?

Select 2 answers
A. DNS helps resolve hostnames into IP-related information.
B. DNS makes networks easier for humans to use by allowing names instead of raw IP addresses.
C. DNS dynamically assigns host IP addresses like DHCP.
D. DNS replaces the need for default gateways.
E. DNS is the spanning-tree protocol used on VLAN trunks.
Answers: A, B

This is correct because name resolution is the main purpose of DNS.

Why this answer

DNS helps translate human-friendly names into IP-related information. In plain language, it allows users and applications to work with names instead of memorizing numeric addresses. It also means that a network can change the underlying IP address of a service while keeping the public-facing name the same. DNS is therefore both a usability service and an important abstraction layer.

The wrong answers often confuse DNS with DHCP or routing protocols. The two correct answers are the ones that preserve its role in name resolution and human-friendly network use.

Exam trap

A frequent exam trap is mistaking DNS for DHCP or routing protocols. Some candidates incorrectly believe DNS dynamically assigns IP addresses like DHCP or that it replaces the need for default gateways. This confusion arises because both DNS and DHCP are IP services but serve fundamentally different roles.

DNS strictly resolves hostnames to IP addresses and does not handle IP address allocation or routing decisions. Misinterpreting DNS’s function can lead to selecting incorrect answers that describe DHCP’s role or routing concepts, which do not apply to DNS.

Why the other options are wrong

C

Option C is incorrect because DNS does not assign IP addresses; this is the role of DHCP. Confusing these two services is a common error, but they serve distinct purposes in IP networking.

D

Option D is wrong because DNS does not replace default gateways. Default gateways are necessary for routing traffic between different networks, a function unrelated to DNS name resolution.

E

Option E is incorrect as DNS is unrelated to the Spanning Tree Protocol (STP), which manages Layer 2 loop prevention on VLAN trunks. DNS operates at higher layers for name resolution.

303
MCQ · medium

What problem does DHCP snooping help prevent?

A. Unauthorized DHCP server responses from user-facing ports
B. Layer 3 route loops
C. Trunk encapsulation mismatch
D. Weak SSH ciphers
Answer: A

Correct. This is the main value of DHCP snooping.

Why this answer

DHCP snooping marks interfaces as trusted or untrusted and blocks rogue DHCP server messages arriving on untrusted ports.

Exam trap

A frequent exam trap is selecting options related to Layer 3 routing issues or encryption weaknesses, such as route loops or weak SSH ciphers, when asked about DHCP snooping. Candidates may mistakenly think DHCP snooping prevents routing problems or secures SSH sessions. However, DHCP snooping specifically targets unauthorized DHCP server messages at Layer 2 and does not affect routing protocols or encryption.

Misunderstanding this scope leads to incorrect answers. Remember, DHCP snooping’s primary function is to block rogue DHCP servers on untrusted ports, not to solve routing or encryption problems.

Why the other options are wrong

B

Incorrect. Layer 3 route loops are routing protocol issues and are not addressed by DHCP snooping, which operates at Layer 2 for DHCP message validation.

C

Incorrect. Trunk encapsulation mismatches relate to VLAN tagging and trunk negotiation, which DHCP snooping does not influence or prevent.

D

Incorrect. Weak SSH ciphers pertain to encryption security and have no connection to DHCP snooping, which focuses solely on DHCP message filtering.

304
MCQ · hard

Users on the inside network can browse the web, but the company now needs an internal web server at 192.168.10.50 to be reachable consistently from outside using one public IP address. Which design is most appropriate?

A. Use static NAT for the server and continue using PAT for user outbound access.
B. Use PAT only for everything, including the published server.
C. Disable NAT because private IPv4 addresses are Internet-routable.
D. Use DHCP relay for the server to make it reachable from outside.
Answer: A

This is correct because static NAT provides a stable public mapping for the server, while PAT still supports many outbound users.

Why this answer

The best design is static NAT for the server while continuing to use PAT for general user outbound traffic. In plain language, user browsing and server publishing are two different requirements. PAT is great for letting many inside users share one public address for outbound access. But a server that outside clients must find reliably needs a fixed one-to-one public identity. That is exactly what static NAT provides.

This is an important design distinction. PAT solves address conservation for many clients. Static NAT solves predictability for inbound access to a specific internal system. The strongest answer is the one that uses each NAT method for the job it fits best.

Exam trap

A common exam trap is selecting PAT for both outbound and inbound traffic, mistakenly believing PAT can provide a stable public IP for a server. PAT dynamically assigns ports for outbound sessions but does not guarantee a fixed public IP and port combination for inbound connections. This leads to unpredictable external access to the internal server, which fails the requirement for consistent reachability.

Another trap is disabling NAT entirely, which ignores that private IPv4 addresses are not routable on the public Internet, making the server unreachable externally. Misunderstanding DHCP relay as a solution for public reachability is also a frequent error, as DHCP relay only forwards DHCP requests and does not affect NAT or routing.

Why the other options are wrong

B

Option B is incorrect because using PAT alone cannot guarantee a fixed public IP and port for the internal server. PAT dynamically assigns ports for outbound sessions, which prevents predictable inbound access to the server from outside.

C

Option C is incorrect because private IPv4 addresses are not routable on the public Internet. Disabling NAT would make the internal server unreachable externally, violating the requirement for consistent outside access.

D

Option D is incorrect because DHCP relay only forwards DHCP requests between clients and servers and does not affect NAT or the server's public reachability. It does not solve the problem of making the internal web server accessible from outside.

305
MCQ · medium

A show ip nat translations command displays this entry:

Inside global   203.0.113.10:30001
Inside local    192.168.10.25:51514
Outside local   198.51.100.20:443
Outside global  198.51.100.20:443

Which statement is correct?

A. 192.168.10.25 is the inside local address of the host
B. 203.0.113.10 is the inside local address of the host
C. 198.51.100.20 is the translated private address of the internal client
D. The entry proves static NAT is being used without port translation
Answer: A

Correct. 192.168.10.25 is the real private address of the inside host.

Why this answer

Inside local is the actual address assigned to the inside host before translation. The inside global address is the public representation used after NAT, and the port values show PAT is in use.

Exam trap

Be careful not to confuse inside local with inside global addresses, and understand the difference between local and global in NAT terminology.

Why the other options are wrong

B

This option is wrong because 203.0.113.10 is the inside global address, not the inside local address. The inside local address is 192.168.10.25, which is correctly identified in option A.

C

This option is incorrect because 198.51.100.20 is the outside local address, not a translated private address. The inside local address is specifically 192.168.10.25, as indicated in the NAT translation entry.

D

This option is incorrect because the entry carries port numbers on both the inside global (203.0.113.10:30001) and inside local (192.168.10.25:51514) addresses, which shows that ports are being translated. That is PAT behavior, so the entry does not prove static NAT without port translation.

306
MCQ · hard

A DHCP client on VLAN 30 is not receiving an IP address from a DHCP server (10.99.99.20) on another subnet. The SVI for VLAN 30 is configured with an IP address and is up, but the DHCP relay command is missing. Which command should be added to the SVI configuration?

A. ip directed-broadcast
B. ip helper-address 10.99.99.20
C. service dhcp-server 10.99.99.20
D. default-router 10.99.99.20
Answer: B

The helper address forwards DHCP broadcasts as unicast to the server.

Why this answer

DHCP Discover messages are broadcasts and do not cross routers by default. On an SVI or routed interface facing the clients, an ip helper-address relays those broadcasts to the DHCP server on another subnet.

Exam trap

A frequent exam trap is selecting ip directed-broadcast or default-router as the solution for DHCP relay issues. ip directed-broadcast only enables forwarding of directed broadcasts but does not relay DHCP requests to servers on other subnets. default-router is a DHCP pool parameter that assigns a gateway to clients but does not affect how DHCP broadcasts are forwarded. Another trap is assuming service dhcp-server is an interface command for relay, which it is not. These distractors test your understanding of DHCP relay mechanisms and Cisco IOS command usage.

Why the other options are wrong

A

The ip directed-broadcast command enables forwarding of directed broadcasts but does not relay DHCP requests. It is unrelated to DHCP relay and will not solve the problem of clients not receiving addresses from a remote DHCP server.

C

service dhcp-server is not a valid Cisco IOS interface command for DHCP relay. It does not configure the router to forward DHCP broadcasts and thus will not resolve the issue.

D

default-router is a DHCP pool parameter used to assign the default gateway IP address to clients. It does not configure the interface to relay DHCP broadcasts and is not relevant to the relay configuration.

307
MCQ · hard

Users on the inside network can browse the Internet through PAT, but an internal web server must now be reachable from outside on a predictable public IP. Which change best fits the requirement?

A. Add static NAT for the server and continue using PAT for user browsing.
B. Replace PAT entirely with DHCP relay.
C. Disable NAT because the server already has a private address.
D. Move the server into the native VLAN.
Answer: A

This is correct because static NAT gives the server a stable public identity while PAT still serves outbound users.

Why this answer

The best change is to add a static NAT mapping for the internal web server while keeping PAT in place for ordinary users. In practical terms, PAT is excellent for many internal clients sharing one public address for outbound traffic, but it does not give an internal server the stable one-to-one public identity that outside clients expect for predictable inbound access.

This is a standard NAT design distinction. User browsing and published server access are different requirements, and the best design often uses PAT for one and static NAT for the other.

Exam trap

A frequent exam trap is selecting DHCP relay or VLAN changes as solutions for making an internal server reachable from outside. DHCP relay only forwards DHCP requests across subnets and does not provide any public IP mapping or NAT functionality. Similarly, moving a server into the native VLAN does not affect its public IP address or NAT translation.

Another common mistake is disabling NAT entirely, which breaks Internet connectivity because private IP addresses cannot be routed on the public Internet. Understanding that static NAT is required for predictable inbound access while PAT supports outbound user browsing is critical to avoid these traps.

Why the other options are wrong

B

Incorrect because DHCP relay only forwards DHCP requests and does not provide any mechanism for publishing an internal server to the Internet or managing NAT translations.

C

Incorrect because disabling NAT leaves the internal server with a private IP address that is not routable on the Internet, making it unreachable from outside networks.

D

Incorrect because moving the server into the native VLAN affects only Layer 2 segmentation and does not provide a public IP address or NAT translation necessary for Internet access.

308
PBQ · medium

You are connected to R1 via the console. R1's GigabitEthernet0/0 (10.0.0.1/30) connects to the ISP. GigabitEthernet0/1 (192.168.1.1/24) connects to the internal LAN. The network has an NTP server at 192.168.1.200. R1 must be configured as an NTP client to synchronize its time with the server. Additionally, R1 should serve as an NTP server for internal devices on the LAN with a stratum of 5 to maintain proper hierarchy. The time zone is UTC. No NTP configuration exists. Configure NTP on R1 as specified.

Network Topology
ISP (WAN) -- G0/0 10.0.0.1/30 -- R1 -- G0/1 192.168.1.1/24 -- LAN (NTP server 192.168.1.200)

Hints

  • The ntp server command configures the router as a client.
  • The ntp master command enables the router to act as a server for other devices.
  • Time zone should be set before NTP synchronization.
A.
  R1(config)# ntp server 192.168.1.200
  R1(config)# ntp master 5
  R1(config)# clock timezone UTC 0
B.
  R1(config)# ntp server 192.168.1.200
  R1(config)# ntp master
  R1(config)# clock timezone UTC 0
C.
  R1(config)# ntp server 192.168.1.200
  R1(config)# ntp master 5
  R1(config)# clock timezone EST 5
D.
  R1(config)# ntp server 10.0.0.2
  R1(config)# ntp master 5
  R1(config)# clock timezone UTC 0
Answer: A

Solution
! R1
ntp server 192.168.1.200
ntp master 5
clock timezone UTC 0

Why this answer

Option A correctly configures R1 as an NTP client pointing to the NTP server at 192.168.1.200, enables R1 to serve time to LAN devices using `ntp master 5`, which sets the required stratum to 5, and sets the correct UTC time zone. Option B fails because `ntp master` without a stratum number defaults to stratum 8, which does not satisfy the explicit stratum 5 requirement. Option C uses an incorrect time zone (EST) instead of the required UTC.

Option D points to an IP (10.0.0.2) that is not the NTP server; the correct server is at 192.168.1.200.

Exam trap

Watch for forgetting to specify the stratum number when the `ntp master` command is required; without it, the router defaults to stratum 8, which may not meet design requirements.

Why the other options are wrong

B

Uses `ntp master` without a stratum number, defaulting to stratum 8 instead of the required stratum 5.

C

Sets the wrong time zone (EST) instead of UTC.

D

Points to the ISP IP 10.0.0.2 instead of the actual NTP server at 192.168.1.200.

309
Multi-Select · medium

Which TWO statements about IPv4 and IPv6 ACLs are true?

Select 2 answers
A. Standard IPv4 ACLs use numbers in the range 100-199.
B. Extended IPv4 ACLs should be placed as close to the source as possible to minimize unnecessary traffic on the network.
C. IPv6 ACLs are always named and can filter traffic based on source and destination IPv6 addresses, as well as protocol types.
D. Standard IPv4 ACLs filter only the source IP address and are best placed close to the source to be most effective.
E. Numbered ACLs allow individual access control entries (ACEs) to be deleted without removing the entire ACL.
Answers: B, C

Extended ACLs can match traffic with great specificity (source, destination, protocol, ports). Placing them near the source drops unwanted packets early, saving bandwidth and processing on downstream devices.

Why this answer

Option B is correct because extended IPv4 ACLs filter on source and destination IP addresses, ports, and protocols, so placing them as close to the source as possible prevents unwanted traffic from traversing the network, reducing bandwidth waste and security risks. This is a best practice for extended ACLs, unlike standard ACLs which should be placed close to the destination.

Exam trap

Cisco often tests the placement rule reversal: candidates confuse standard ACL placement (close to destination) with extended ACL placement (close to source), or mix up the number ranges for standard vs. extended ACLs.

Why the other options are wrong

A

The number range 100–199 is used for extended ACLs, not standard ones.

D

The placement advice is reversed: standard ACLs belong near the destination, not the source.

E

This is a common misconception; the ability to delete individual ACEs is a feature of named ACLs, not numbered.

310
MCQ · hard

A company wants a server on the inside network to be reachable consistently from outside using one known public IP address. Which NAT approach best fits that goal?

A. Static NAT
B. PAT overload only
C. No NAT at all, because private IPv4 addresses are Internet-routable
D. DHCP relay
Answer: A

This is correct because static NAT provides a permanent one-to-one mapping suitable for a reachable internal server.

Why this answer

Static NAT best fits that goal because it creates a fixed, predictable one-to-one mapping between the internal server and a public address. In plain language, outside systems always know which public IP represents that server. This predictability is exactly what is needed when a service must be reachable consistently from the outside.

PAT is better suited for many outbound clients sharing one address, not for presenting one inside server with a permanent public identity. Dynamic NAT from a pool can also vary depending on design. The correct answer is the one that provides the most stable and direct one-to-one mapping.

Exam trap

A frequent exam trap is selecting PAT overload as the solution for making an internal server reachable from outside. PAT is designed for multiple internal clients to share a single public IP for outbound connections, not for providing a fixed public IP to a server. Another common mistake is thinking private IP addresses can be accessed directly from the Internet without NAT, which is incorrect because private IPs are non-routable externally.

Misunderstanding DHCP relay as related to NAT or public reachability is also a trap; DHCP relay only forwards DHCP requests and does not affect NAT mappings or external accessibility.

Why the other options are wrong

B

PAT overload is incorrect because it is designed for many internal clients sharing a single public IP for outbound traffic, not for providing a fixed public IP to a server.

C

No NAT is incorrect since private IPv4 addresses are not routable on the Internet and require NAT to be accessible externally.

D

DHCP relay is unrelated to NAT or public reachability; it only forwards DHCP requests and does not affect how internal servers are accessed from outside.

311
MCQ · hard

R1 learns three OSPF routes to different destinations:

O     10.10.10.0/24
O IA  10.20.20.0/24
O E2  10.30.30.0/24

Which statement is correct about these route types?

A. O IA is an external route redistributed from another routing protocol.
B. O E2 is an OSPF external type 2 route.
C. O means the route was learned through EIGRP.
D. All three routes were learned from the same OSPF area type.
Answer: B

That is exactly what the code means.

Why this answer

An O route is intra-area, O IA is interarea, and O E2 is an external type 2 route redistributed into OSPF. The codes describe route origin, not just preference. CCNA expects you to identify them quickly when reading the routing table.

Exam trap

A frequent exam trap is confusing the OSPF route codes, especially mistaking 'O IA' (inter-area) for an external route redistributed from another protocol. Candidates often incorrectly assume that 'O IA' means external, but it actually represents routes learned from a different OSPF area within the same autonomous system. Another common mistake is thinking the 'O' code indicates EIGRP routes, which it does not; EIGRP uses different codes such as 'D'.

This confusion can cause candidates to select incorrect answers about route origins or types. Carefully distinguishing between intra-area, inter-area, and external routes based on OSPF codes is essential to avoid this pitfall.

Why the other options are wrong

A

Option A incorrectly states that 'O IA' is an external route redistributed from another routing protocol. In reality, 'O IA' stands for inter-area routes within OSPF, not external routes. External routes use 'O E1' or 'O E2' codes.

C

Option C incorrectly claims that 'O' means the route was learned through EIGRP. The 'O' code is exclusive to OSPF intra-area routes. EIGRP routes use the code 'D' in Cisco routing tables.

D

Option D is incorrect because the three routes represent different OSPF route types: intra-area (O), inter-area (O IA), and external (O E2). They do not all come from the same OSPF area type.

312
MCQ · hard

A switch should disable an edge port immediately if a BPDU is received on it. Which feature is intended for that specific behavior?

Answer: A

This is correct because BPDU Guard disables the edge port when a BPDU is received.

Why this answer

The feature is BPDU Guard. In plain language, the administrator is treating the port as an end-device-only edge interface and wants the switch to react aggressively if it ever sees spanning-tree control traffic there. BPDU Guard does exactly that: if a BPDU appears on a protected edge port, the switch places the interface into an err-disabled state to help prevent accidental loops or rogue switch connections.

This is different from root guard and loop guard, which solve other spanning-tree control problems. BPDU Guard is the specific answer when the requirement is “if you ever hear a BPDU here, shut the port down quickly.”

Exam trap

A common exam trap is confusing BPDU Guard with Root Guard or Loop Guard. Candidates may incorrectly select Root Guard because it also deals with BPDUs, but Root Guard only blocks ports from becoming root ports and does not disable the port immediately. Loop Guard protects against unidirectional link failures and does not shut down ports upon BPDU receipt.

Another mistake is thinking UDLD handles BPDU protection; however, UDLD only detects unidirectional physical link failures and is unrelated to STP BPDU processing. Understanding that BPDU Guard uniquely disables edge ports upon BPDU detection is critical to avoid this trap.

Why the other options are wrong

B

Loop Guard is incorrect because it protects against unidirectional link failures by preventing a port from transitioning to forwarding when BPDUs stop, but it does not disable a port upon BPDU receipt.

C

Root Guard is incorrect because it prevents a port from becoming a root port by blocking superior BPDUs but does not disable the port immediately when a BPDU is received on an edge port.

D

UDLD is incorrect because it detects unidirectional physical link failures and does not interact with BPDU processing or disable ports based on BPDU reception.

313
MCQ · hard

A wireless site reports that users can connect to the SSID, but performance drops sharply around the conference area whenever the room fills up. Based on the exhibit, what is the most likely cause?

A. Adjacent-channel interference caused by overlapping 2.4 GHz channels
B. A DHCP exhaustion problem on the WLAN
C. An authentication mismatch between the APs and clients
D. A missing default route on the wireless controller
Answer: A

Channel 3 overlaps with both 1 and 6, which is a common performance problem.

Why this answer

The 2.4 GHz radios are using overlapping channels. In 2.4 GHz, the standard non-overlapping channels are 1, 6, and 11 in many regulatory domains. Using channels 1, 3, and 6 creates adjacent-channel interference, which hurts throughput especially in dense client areas.

Exam trap

A common exam trap is to confuse wireless performance issues caused by RF interference with DHCP or authentication problems. Because users can connect to the SSID, candidates might incorrectly suspect DHCP exhaustion or authentication mismatches. However, DHCP exhaustion prevents clients from obtaining IP addresses; it does not cause throughput drops for clients that are already connected.

Similarly, authentication mismatches prevent connection entirely. Another trap is to blame routing issues like a missing default route on the wireless controller, which affects network reachability but not local wireless signal quality. The key is to recognize that overlapping 2.4 GHz channels cause adjacent-channel interference, which degrades performance even when clients connect successfully.

Why the other options are wrong

B

Incorrect. DHCP exhaustion would prevent some clients from obtaining IP addresses, but it does not cause RF interference or a sharp drop in wireless throughput. Since users can connect, DHCP exhaustion is unlikely.

C

Incorrect. An authentication mismatch would prevent clients from connecting to the SSID. Since users can connect, authentication is working properly and is not the cause of performance degradation.

D

Incorrect. A missing default route on the wireless controller affects upstream network connectivity but does not cause local RF interference or throughput drops in the wireless environment.

314
MCQ · easy

Based on the JSON snippet below, which statement is correct?

{
  "device": {
    "hostname": "R1",
    "interfaces": [
      {"name": "Gig0/0", "status": "up"},
      {"name": "Gig0/1", "status": "down"}
    ]
  }
}

A. interfaces is a JSON array containing two objects.
B. device is a JSON array.
C. status is a JSON array with two strings.
D. hostname is a nested array under interfaces.
Answer: A

Square brackets indicate an array, and each entry inside is an object.

Why this answer

The value associated with interfaces is an array because it is enclosed in square brackets and contains multiple objects. The device element itself is an object, and each interface entry inside the array is also an object.

Exam trap

A frequent exam trap is misidentifying the JSON structure by assuming that "interfaces" is an object rather than an array. Since "interfaces" contains multiple entries, it must be an array, indicated by square brackets. Another pitfall is thinking "device" is an array because it contains multiple keys, but it is actually an object enclosed in curly braces.

Misreading "status" as an array of strings instead of a string value inside each interface object can also cause confusion. These mistakes stem from not carefully noting the JSON syntax, which is critical for understanding device data representation in Cisco automation and APIs.

Why the other options are wrong

B

Incorrect. The device key is enclosed in curly braces, making it a JSON object, not an array. It groups hostname and interfaces under one entity.

C

Incorrect. The status field is a string within each interface object, not an array. Each interface has its own status string indicating up or down.

D

Incorrect. The hostname is a string property directly inside the device object and is not nested inside the interfaces array or any other array.

315
MCQ · hard

A network administrator has configured a Cisco switch as a DHCP server for the 192.168.1.0/24 subnet. Hosts in VLAN 10 are unable to obtain IP addresses via DHCP. The switch's SVI for VLAN 10 is up/up. What is the most likely cause of the problem?

A. The VLAN 10 SVI is not configured with an IP address in the 192.168.1.0/24 subnet.
B. The DHCP server is including the network and broadcast addresses in the pool, causing conflicts. Use the 'ip dhcp excluded-address' command to exclude them.
C. DHCP snooping is blocking DHCP messages on the switch port connected to the hosts.
D. The DHCP pool is not bound to VLAN 10. Use the 'vlan' command under the pool configuration.
Answer: B

The conflict detection shows that addresses 192.168.1.1 (network) and 192.168.1.254 (broadcast) are in conflict. These should be excluded to prevent the DHCP server from leasing them.

Why this answer

Option B is correct. The most likely cause is that the DHCP server pool includes the network (192.168.1.0) and broadcast (192.168.1.255) addresses, which are reserved and cannot be leased. When a host requests an IP, the server may attempt to assign one of these addresses, causing a conflict and preventing successful DHCP lease completion.

Using the 'ip dhcp excluded-address' command to exclude these addresses from the pool resolves the issue. Option A is not the best answer because the SVI for VLAN 10 is up/up and must already have an IP address in the 192.168.1.0/24 subnet for the DHCP server to offer addresses to that subnet; if it were missing, DHCP would fail completely, but the symptom would likely be no offers at all, not address conflicts. The problem described is consistent with the pool including reserved addresses, which is a common misconfiguration.

Exam trap

Learners often overlook that the DHCP pool's range must exclude network and broadcast addresses; they may incorrectly suspect DHCP snooping, an SVI misconfiguration, or a missing VLAN binding instead.

Why the other options are wrong

A

The SVI must have an IP address for routing, but the DHCP server can serve addresses from any pool regardless of the SVI's subnet. The issue is with the pool itself.

C

If DHCP snooping were blocking messages, the 'Malformed messages' counter might increase, but the server would still receive some messages. The zero count indicates no messages are reaching the server.

D

There is no 'vlan' command under a DHCP pool. The pool serves all hosts in the subnet regardless of VLAN association.

316
MCQ · hard

Why is administratively shutting down unused switch ports considered a useful hardening practice?

A. Because it reduces attack surface by removing unused active connection points.
B. Because it forces all users to manage devices with SSH.
C. Because it converts remaining ports into trunks.
D. Because it replaces VLAN segmentation.
Answer: A

This is correct because unused enabled ports are avoidable exposure points.

Why this answer

Unused active ports create unnecessary exposure. In practical terms, if a port is not needed, leaving it active gives someone an opportunity to connect a device where no legitimate business need exists. Shutting the port down removes that access point and reduces attack surface.

This is a simple but effective hardening measure. It does not replace other controls, but it removes a risk that does not need to exist in the first place.

Exam trap

Do not confuse port shutdown with performance improvements or VLAN configuration changes; focus on security implications.

Why the other options are wrong

B

This option is incorrect because administratively shutting down unused switch ports does not enforce SSH for device management; it simply disables unused ports to enhance security.

C

This option is wrong because administratively shutting down unused switch ports does not convert remaining ports into trunk ports; it simply disables access ports to enhance security.

D

This option is wrong because administratively shutting down unused switch ports does not directly replace VLAN segmentation; rather, it focuses on reducing the number of active ports to mitigate security risks.

317
MCQ · medium

A user reports that websites can be opened by IP address but not by hostname. Which service is the strongest suspect?

Answer: A

This is correct because DNS is responsible for hostname resolution.

Why this answer

DNS is the strongest suspect because the network path clearly works at the IP layer. In practical terms, if the user can reach the site by numeric address, then routing and basic connectivity are functioning. The missing piece is name resolution, and that is exactly what DNS provides.

This is one of the clearest troubleshooting patterns in networking. If names fail but IP works, start with DNS.

Exam trap

A common exam trap is selecting PAT or port security as the cause of hostname resolution failure. PAT manages IP address translation for outbound connections but does not resolve hostnames, so it cannot cause DNS failures. Similarly, port security restricts switch port access based on MAC addresses and does not affect DNS or name resolution.

Another tempting but incorrect choice is STP, which operates at Layer 2 to prevent loops and has no role in IP name resolution. Candidates must avoid confusing these distinct network services and focus on DNS when hostname resolution fails but IP connectivity works.

Why the other options are wrong

B

STP (Spanning Tree Protocol) is incorrect because it operates at Layer 2 to prevent network loops and does not handle hostname resolution or IP services.

C

PAT (Port Address Translation) is incorrect because it translates private IP addresses to public IPs for outbound traffic but does not affect DNS or hostname resolution.

D

Port security is incorrect because it controls access to switch ports based on MAC addresses and does not provide or affect hostname resolution services.

318
MCQ · hard

Hosts on the inside network can reach the internet, but return traffic is failing after a new router was installed. The router's configuration shows that the LAN-facing interface has been configured with 'ip nat outside' and the WAN-facing interface with 'ip nat inside'. What configuration mistake is the most likely cause?

A. The NAT inside and outside interface roles are reversed.
B. The ACL must deny RFC1918 traffic before NAT can work.
C. PAT cannot use an interface address for overload.
D. The inside subnet must be configured as /24 on both interfaces.
Answer: A

That is the key problem shown.

Why this answer

NAT overload requires the LAN-facing interface to be marked as ip nat inside and the WAN-facing interface as ip nat outside. The exhibit shows those roles reversed, so translations will not occur correctly. The ACL itself is fine for matching the inside subnet.

Exam trap

A frequent exam trap is reversing the NAT inside and outside interface roles. Candidates may see that hosts can initiate traffic to the internet and mistakenly assume NAT is correctly configured. However, if the router’s interfaces are misassigned, return traffic from the internet will not be translated back to the inside hosts, causing connectivity failures.

This trap exploits the partial functionality of NAT where outbound packets appear to succeed but inbound packets fail, leading to confusion during troubleshooting and exam scenarios.

Why the other options are wrong

B

Incorrect. The ACL in NAT configurations is used to identify which inside addresses to translate, not to filter or deny traffic. Denying RFC1918 traffic in the ACL is unnecessary and unrelated to the NAT failure described.

C

Incorrect. Using the outside interface IP address for PAT overload is a standard and supported practice in Cisco NAT configurations. This option does not explain the return traffic failure.

D

Incorrect. The inside subnet should only be configured on the LAN interface. The WAN interface typically uses a different subnet and should not share the inside subnet.

This misconfiguration would cause routing issues but is not the primary cause of NAT return traffic failure here.

319
Multi-Select · hard

Which two statements about AAA on Cisco devices are correct? Choose two.

Select 2 answers
A. Authentication verifies identity
B. Authorization determines what an authenticated user is allowed to do
C. Accounting replaces the need for local usernames entirely
D. AAA can only be used with RADIUS and not TACACS+
Answers: A, B

Authentication answers who the user is.

Why this answer

AAA breaks access control into authentication, authorization, and accounting. TACACS+ is commonly preferred for device administration because it separates all three functions and encrypts the full payload.

Exam trap

A common exam trap is assuming that accounting replaces the need for local usernames or authentication sources. Accounting only logs user activities and does not authenticate or authorize users. Another frequent mistake is believing AAA supports only RADIUS and not TACACS+.

Cisco AAA supports both protocols, with TACACS+ often preferred for device administration due to its full payload encryption and separation of AAA functions. Misunderstanding these roles can lead to incorrect answer choices and confusion during the exam.

Why the other options are wrong

C

Option C is incorrect because accounting only logs user activities and does not replace the need for local usernames or authentication sources on Cisco devices.

D

Option D is incorrect as AAA supports both RADIUS and TACACS+ protocols; it is not limited to RADIUS, and TACACS+ is commonly used for device administration.

320
PBQ · hard

You are connected to R1, a router acting as a network access server for 802.1X authentication on interface GigabitEthernet0/1. Configure AAA with a RADIUS server at 192.0.2.10 (key 'cisco123') so that the default login authentication uses RADIUS first, then local fallback. Additionally, troubleshoot why a connected supplicant on G0/1 remains in the unauthorized state even though RADIUS is reachable and the supplicant credentials are correct.

Hints

  • Check if AAA is enabled globally.
  • The RADIUS server configuration must include the correct IP address and shared secret.
  • The default authentication list must specify RADIUS first, then local fallback.
A. Enable AAA with 'aaa new-model', configure RADIUS server 'RADIUS_SERVER' with key 'cisco123', and apply 'aaa authentication login default group radius local'.
B. Configure 'aaa authentication login default local' and add the RADIUS server with 'radius-server host 192.0.2.10 key cisco123'.
C. Enable AAA with 'aaa new-model' and configure 'aaa authentication login default group radius' without local fallback.
D. Configure 'aaa new-model', then apply 'dot1x system-auth-control' and 'aaa authentication dot1x default group radius'.
Answer: A

Solution:
! R1
configure terminal
aaa new-model
radius server RADIUS_SERVER
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key cisco123
aaa authentication login default group radius local
end
write memory

Why this answer

The problem is that AAA is not enabled (no aaa new-model) and no RADIUS server is configured; thus the 802.1X authentication fails because the router does not know how to communicate with the RADIUS server. The fix requires enabling AAA with 'aaa new-model', configuring the RADIUS server with 'radius server RADIUS_SERVER' and its key, then applying a default authentication list that uses RADIUS with local fallback via 'aaa authentication login default group radius local'. After these commands, the port should transition to authorized state for valid credentials.

Exam trap

The exam trap is confusing the different AAA authentication types: 'login' for management access (console, SSH, etc.) versus 'dot1x' for port-based network access control. Also, ensure that the RADIUS server is referenced in the authentication list; simply configuring the server does not make it active.

Why the other options are wrong

B

The specific factual error is that the authentication list must include 'group radius' to use RADIUS; 'local' alone bypasses RADIUS.

C

The specific factual error is omitting 'local' from the authentication list, which violates the requirement for fallback.

D

The specific factual error is confusing 'aaa authentication login' with 'aaa authentication dot1x'. They serve different purposes.

321
MCQ · hard

Dynamic ARP Inspection is most effective at preventing which attack?

A. SYN flood
B. ARP spoofing
C. Route summarization error
D. Rogue DHCP relay
Answer: B

Correct. DAI is designed to stop forged ARP information.

Why this answer

Dynamic ARP Inspection (DAI) validates ARP packets on a per-interface basis, dropping invalid ARP replies and thus preventing ARP spoofing and poisoning attacks. Option A (SYN flood) is a Layer 4 TCP attack mitigated by TCP flood protection or SYN cookies, not DAI. Option C (route summarization error) is a routing misconfiguration unrelated to ARP security.

Option D (rogue DHCP relay) is prevented by DHCP snooping, which works alongside DAI but DAI itself does not block rogue DHCP relays.

Exam trap

Be careful not to confuse ARP spoofing with other types of spoofing attacks like IP or DNS spoofing.

Why the other options are wrong

A

SYN flood is a Layer 4 TCP attack that is blocked by flood guards, not by DAI.

C

Route summarization error is a routing protocol misconfiguration and is unrelated to ARP packet validation.

D

Rogue DHCP relay is mitigated by DHCP snooping, not by Dynamic ARP Inspection.

322
MCQ · hard

A network technician applies an extended ACL outbound on the WAN interface Gi0/0 to block traffic from the 10.0.0.0/8 network to internet hosts. After applying the ACL, internal users report they cannot access any web pages because return traffic from internet hosts is being dropped. The technician verifies the ACL entries and finds only statements controlling outbound traffic. What is the most appropriate next action?

A. Add the established keyword to the ACL to permit return traffic for existing sessions.
B. Add a new access-list entry permitting all traffic from internet hosts to the 10.0.0.0/8 network.
C. Remove the outbound ACL and apply a new inbound ACL on the same interface.
D. Replace the ACL with a stateful firewall rule set.
Answer: A

The established keyword allows TCP return traffic that matches sessions originated from the internal network. It is the standard method to handle stateful return traffic with a stateless ACL.

Why this answer

Extended ACLs are stateless; they inspect each packet individually without tracking session state. When an outbound ACL permits outbound traffic from the inside network to the internet, the return traffic is not automatically allowed. The established keyword in a TCP access-list entry matches packets that have the ACK or RST bits set, indicating they belong to an established session.

Adding this keyword to a permit statement for return traffic allows the router to dynamically permit responses to internally initiated connections without opening the network to all inbound traffic. This addresses the transport layer (Layer 4) state required for bidirectional communication.

Exam trap

Many candidates choose to add a specific permit ACE for return traffic (e.g., permitting all traffic from any internet host to the 10.0.0.0/8 network). This option is a trap because it opens a blanket inbound rule that is administratively unscalable and insecure, whereas the established keyword granularly allows only return flows for sessions initiated from the trusted side.

Why the other options are wrong

B

Candidates assume that any missing traffic must be explicitly permitted, but this ignores the need for stateful inspection and leads to an overly permissive rule.

C

Candidates mistakenly think that moving the ACL to inbound direction will inherently permit return traffic because it inspects packets entering the interface, but the ACL still processes each packet individually without keeping state.

D

Candidates may think that only a stateful firewall can handle return traffic, overlooking the established keyword's capability to emulate stateful behavior for TCP traffic on an ACL.

323
MCQ · hard

A router has this command configured: `ip nat inside source static 192.168.1.50 203.0.113.50`. What is the main effect of this configuration?

A. It creates a permanent one-to-one translation between the inside host and a public address
B. It enables PAT overload for all internal users
C. It blocks inbound access to the inside host permanently
D. It changes the host subnet mask to a public prefix
Answer: A

This is correct because static NAT builds a fixed mapping from one inside local address to one inside global address.

Why this answer

This command creates a static NAT mapping between one inside local address and one inside global address. In plain language, the internal device at 192.168.1.50 will always appear as 203.0.113.50 to the outside world. That fixed relationship is useful when a particular internal host or service must be reachable consistently from outside networks.

This is different from PAT, which shares one public address across many sessions using ports. Static NAT is one-to-one and predictable. It does not dynamically pull from a pool in this syntax. The key idea is permanence: the same inside device is always mapped to the same outside address.

Exam trap

A common exam trap is mistaking static NAT for PAT or dynamic NAT. Candidates may incorrectly assume that the command enables PAT overload, allowing many internal users to share one public IP, but static NAT provides a fixed one-to-one mapping without port translation. Another trap is thinking static NAT blocks inbound traffic; in reality, it enables inbound access to the mapped inside host.

Misunderstanding these differences can lead to selecting incorrect answers about NAT behavior and configuration.

Why the other options are wrong

B

This option is incorrect because PAT overload uses a different command syntax involving 'overload' and allows many internal hosts to share one public IP, which is not the case here.

C

This option is wrong since static NAT does not inherently block inbound access; instead, it enables external hosts to reach the inside host via the mapped public IP.

D

This option is incorrect because NAT translation does not modify the subnet mask of the inside host; it only changes the IP address seen externally.

324
MCQ · medium

Which port-security violation mode drops frames from unauthorized MAC addresses but keeps the interface up and does not send an SNMP trap or syslog message?

A. protect
B. restrict
C. shutdown
D. shutdown vlan
Answer: A

Correct. Protect is the quietest enforcement mode.

Why this answer

Protect silently drops frames from unauthorized sources while leaving the interface up. Restrict also drops frames but increments the violation counter and can generate notifications.

Exam trap

Be careful not to confuse Protect with Restrict, as both drop frames but only Restrict sends notifications.

Why the other options are wrong

B

The 'restrict' mode drops frames from unauthorized MAC addresses but also sends SNMP traps and syslog messages, which contradicts the requirement of keeping the interface up without generating notifications.

C

The 'shutdown' mode disables the interface when a violation occurs, which is contrary to the requirement of keeping the interface up. It also does not align with the need to drop frames without sending SNMP traps or syslog messages.

D

The 'shutdown vlan' mode disables the entire VLAN when a violation occurs, which is not aligned with the requirement to keep the interface up. This option also typically sends SNMP traps or syslog messages, which contradicts the question's criteria.

325
Matching · medium

Match each management-plane security item to its most accurate purpose.

Encrypted remote administration

Framework for authentication, authorization, and accounting

Centralized event and message visibility

Traffic-filtering mechanism that can restrict management access sources

Why these pairings

SSH provides encrypted remote administration, ensuring confidentiality of management traffic. AAA is a framework that handles authentication, authorization, and accounting for user access. Syslog enables centralized logging and event visibility from network devices.

ACLs can filter traffic and be used to restrict which source IPs are allowed for management access. Each item directly maps to its described purpose without overlapping concepts.

Exam trap

Do not confuse encryption (SSH) with access control (AAA) or traffic filtering (ACLs). SSH is the only option that directly encrypts remote management traffic.

326
Matching · easy

Match each common IP service to its primary purpose.

Resolution of names into IP-related information

Automatic assignment of IP configuration to clients

Synchronization of time across devices

Centralized collection of event and log messages

Why these pairings

DNS maps domain names to IP addresses. DHCP automates IP configuration. NTP synchronizes clocks across network devices.

Syslog collects and stores event messages from network devices for monitoring and troubleshooting.

Exam trap

Be careful not to confuse SSH with Telnet (unencrypted), DNS with DHCP (IP address assignment), or AAA with encryption or logging. Also, remember that NTP is for time synchronization, not file transfer.

327
Multi-Select · medium

Which three options are true regarding the operation of Dynamic ARP Inspection (DAI) on a Cisco switch? (Choose three.)

Select 3 answers
A. DAI validates ARP packets based on the DHCP snooping binding database.
B. DAI can be configured to drop ARP packets with invalid MAC-to-IP address bindings.
C. DAI is typically enabled on untrusted ports that face end hosts.
D. DAI encrypts ARP replies to prevent eavesdropping.
E. DAI relies on the MAC address table to validate ARP requests.
F. DAI prevents rogue DHCP server attacks by inspecting DHCP offers.

Why this answer

Dynamic ARP Inspection (DAI) validates ARP packets by intercepting them on untrusted ports and checking the MAC-to-IP address binding against the DHCP snooping binding database. If the binding is invalid or missing, DAI drops the packet, preventing ARP spoofing attacks. This is why all three statements are correct: DAI relies on the DHCP snooping database, drops invalid bindings, and is enabled on untrusted ports facing end hosts.

Exam trap

Cisco often tests the misconception that DAI validates ARP packets using the MAC address table or ARP cache, when in fact it strictly relies on the DHCP snooping binding database.

328
Multi-Select · medium

Which TWO statements correctly describe the behavior of standard ACLs when applied to an interface?

Select 2 answers
A. Standard ACLs filter traffic based on source and destination IP addresses.
B. Standard ACLs should be placed as close to the destination as possible.
C. Standard ACLs can filter traffic based on protocol type (TCP, UDP, ICMP).
D. Standard ACLs use an implicit deny any statement at the end.
E. Standard ACLs are applied to interfaces in the inbound direction only.
Answers: B, D

Because standard ACLs only filter by source IP, placing them near the destination minimizes the risk of blocking legitimate traffic that should only be filtered near the target.

Why this answer

Standard ACLs filter traffic based solely on the source IP address, not the destination. Because they do not consider destination addresses, placing them as close to the destination as possible prevents them from inadvertently blocking traffic that should reach other parts of the network. This placement ensures that only the intended traffic is filtered at the final hop before the destination.

Exam trap

Cisco often tests the misconception that standard ACLs can filter on destination addresses or protocols, leading candidates to choose option A or C, when in fact standard ACLs only match source IP addresses and always end with an implicit deny any.

Why the other options are wrong

A

This describes the capability of extended ACLs, not standard ACLs.

C

Protocol filtering is a feature of extended ACLs, not standard ACLs.

E

Both inbound and outbound application are possible, though placement depends on the filtering strategy.

329
MCQ · hard

A technician is troubleshooting an issue where internal hosts can successfully ping internet addresses but cannot establish HTTP sessions. The router is configured with PAT (overload) and uses an access list to define the inside local addresses. Recently, the internal network was renumbered from 192.168.0.0/24 to 10.0.0.0/24. What is the most likely cause?

A. The router's HTTP inspection rule is blocking outbound TCP port 80.
B. The NAT access list still permits 192.168.0.0/24 and does not match the new 10.0.0.0/24 addresses.
C. The outside interface access list is blocking TCP packets from the new 10.0.0.0/24 subnet.
D. The default route has been changed to point to the wrong next-hop address, causing only HTTP packets to be dropped.
Answer: B

Because the ACL that defines inside local addresses for PAT was never updated after renumbering, no dynamic translations are created for HTTP sourced from 10.0.0.0/24.

Why this answer

PAT translates private addresses to a single public IP by matching the source against a NAT access list. The ACL permits only 192.168.0.0/24, so packets from the new 10.0.0.0/24 addresses are not translated. ICMP may still succeed due to an existing static NAT entry for ICMP echo or a separate rule, but HTTP requires new dynamic translations that the ACL blocks.

The other options are plausible but do not align as directly with the recent renumbering and the configured NAT ACL.

Exam trap

Option C (outside interface access list blocking TCP port 80) is tempting because many candidates first suspect ACL-based filtering when one protocol fails and another succeeds. However, the explicit mention of the renumbering and the PAT ACL mismatch makes B the more direct cause.

Why the other options are wrong

A

Candidates may confuse security inspection with NAT translation, assuming that a protocol-specific inspection is needed for HTTP.

C

Tempting because an ACL could selectively block TCP; however, the question provides context about the renumbering, which directly points to the NAT configuration.

D

Candidates may assume that different protocols might take different paths, but a single default route applies uniformly to all IP traffic.

330
Matching · medium

Match each operational symptom to the technology most likely associated with investigating it.

Syslog

SNMP

NetFlow

NTP

Why these pairings

Syslog is specifically designed to collect device-generated log messages, including warnings and interface state changes, making it the natural tool for reviewing such events. SNMP allows a management station to actively poll device data such as interface counters and operational status, providing real-time statistics and alerts. NetFlow exports flow-level records that detail source, destination, and application conversations, enabling identification of the specific flows consuming bandwidth.

NTP synchronizes the clocks of network devices, ensuring that timestamps in logs, alerts, and flow data are consistent across the network for accurate correlation and troubleshooting.

Exam trap

The trap is that many symptoms can be interrelated, but the question asks for the technology most likely associated with investigating the specific symptom. Focus on the direct cause rather than secondary effects.

331
MCQ · hard

Based on the exhibit, why is the ACL not meeting the requirement to block only HTTPS traffic to the server?

A. Because the ACL entry is too broad and blocks all IP traffic to the host.
B. Because HTTPS uses UDP, not TCP.
C. Because standard ACLs are required for HTTPS filtering.
D. Because the destination must always be a wildcarded subnet, not a host.
Answer: A

This is correct because `deny ip` blocks far more than only HTTPS.

Why this answer

The ACL fails because it uses 'deny ip' which blocks all IP traffic to the server, not just HTTPS. To block only HTTPS, the ACL should match TCP port 443 with 'deny tcp eq 443'. Option B is wrong because HTTPS uses TCP, not UDP.

Option C is wrong because extended ACLs (not standard) are required to filter by port. Option D is wrong because a host destination is perfectly valid in extended ACLs; a wildcard subnet is not required.

Exam trap

Ensure you understand the difference between blocking specific ports and blocking all traffic. Misconfiguring an ACL by using 'deny ip' instead of 'deny tcp eq 443' is a common mistake.

Why the other options are wrong

B

HTTPS uses TCP, not UDP.

C

Standard ACLs cannot filter by port; extended ACLs are required.

D

Extended ACLs support host destinations; a wildcard subnet is not required for a specific host.

332
Drag & Drop · medium

Drag and drop the following steps into the correct order to plan, configure, and apply an extended ACL that permits only HTTP traffic from the 192.168.1.0/24 network to the server at 10.0.0.100, and then verify the configuration.

Why this order

First, enter config mode. Then create the ACL allowing HTTP from the source network to the destination host. Apply it inbound on the appropriate interface.

Save and verify the configuration.

Exam trap

Remember that ACLs are created in global configuration mode, not interface mode. Also, apply ACLs inbound on the interface closest to the source for efficiency. Pay attention to whether the requirement is to permit or deny traffic.

333
MCQ · medium

Why is DHCP often preferred over manual addressing on larger user networks?

A. It automates host IP configuration and reduces manual effort and mistakes.
B. It replaces DNS completely.
C. It removes the need for default gateways.
D. It is required by all routing protocols.
Answer: A

This is correct because DHCP improves consistency and reduces administrative overhead.

Why this answer

DHCP is often preferred because it automates host configuration and reduces both manual work and configuration mistakes. In practical terms, it is far easier to let endpoints receive addresses, masks, gateways, and DNS settings automatically than to configure each device by hand.

This improves scale, consistency, and operational efficiency. That is why DHCP is such a common service in enterprise access networks.

Exam trap

A common exam trap is selecting options that confuse DHCP with DNS or routing protocols. Some candidates mistakenly believe DHCP replaces DNS or removes the need for default gateways. However, DHCP only automates IP configuration; it does not perform name resolution like DNS, nor does it eliminate the requirement for a default gateway.

Another trap is assuming routing protocols depend on DHCP, which is incorrect because routing protocols operate independently of IP address assignment methods. Understanding these distinctions is essential to avoid incorrect answers related to IP services in the CCNA exam.

Why the other options are wrong

B

This option is incorrect because DHCP does not replace DNS. DNS is a separate service responsible for name resolution, while DHCP only provides IP configuration parameters including DNS server addresses.

C

This option is wrong because DHCP does not remove the need for default gateways. Hosts still require gateway information to communicate outside their subnet, and DHCP typically provides this information during configuration.

D

This option is incorrect because routing protocols do not depend on DHCP. Routing protocols function independently of IP address assignment methods and do not require DHCP to operate on user networks.

334
Multi-Select · medium

Which TWO statements correctly describe the configuration and verification of AAA with RADIUS/TACACS+ and 802.1X port-based authentication on IOS-XE?

Select 2 answers
A. The switch port must be configured as an access port and the command 'authentication port-control auto' must be applied.
B. AAA authentication for 802.1X must be configured using TACACS+ as the protocol of choice.
C. The global command 'aaa new-model' is sufficient to enable 802.1X on all interfaces.
D. RADIUS is the recommended protocol for 802.1X authentication because it supports EAP and is widely used in network access control.
E. 802.1X can be configured on a trunk port to authenticate multiple VLANs simultaneously.
Answers: A, D

This is correct because 802.1X requires the port to be an access port and the 'auto' setting places the port in the unauthorized state initially, triggering the authentication process.

Why this answer

Option A is correct because 802.1X requires the switch port to be an access port (not trunk or dynamic) and the 'authentication port-control auto' command enables EAPoL-based authentication. Option D is correct because RADIUS is the recommended protocol for 802.1X; it natively supports EAP extensions and is widely used for network access control, whereas TACACS+ does not support EAP and is more suited for device administration. Option B is false because AAA authentication for 802.1X should use RADIUS, not TACACS+.

Option C is false because 'aaa new-model' only activates the AAA framework; 802.1X requires additional global commands like 'dot1x system-auth-control' and per-interface configuration. Option E is false because 802.1X is typically configured on access ports and cannot be used on trunk ports to authenticate multiple VLANs; the port must be in access mode.

Exam trap

Cisco often tests the misconception that 'aaa new-model' alone enables all AAA features, including 802.1X, when in fact it only activates the AAA framework and separate interface-level commands are required.

Why the other options are wrong

B

TACACS+ encrypts only the password and is designed for device administration, not for 802.1X authentication, which requires EAP support; RADIUS is the correct choice.

C

The global command 'aaa new-model' enables the AAA architecture but does not automatically enable 802.1X on interfaces; additional commands like 'dot1x system-auth-control' and per-interface 'authentication port-control auto' are needed.

E

802.1X requires the switch port to be in access mode, not trunk mode; trunk ports do not support 802.1X because multiple VLANs would conflict with the authentication process.

335
Drag & Drop · medium

Drag and drop the following steps into the correct order to configure PAT (Port Address Translation) on a Cisco IOS-XE router.

Why this order

The correct sequence is: enter global configuration mode, designate inside and outside interfaces, create the NAT pool, and then enable overload on the pool. Interfaces must be designated first so that NAT translation can identify which interfaces are inside/outside. The pool must exist before you apply overload to it; otherwise the overload command will refer to an undefined pool.

The other options incorrectly place the pool creation or overload instruction before interface designation or in an impossible order.

Exam trap

The exam trap is that candidates often confuse the order of NAT configuration steps. Remember: interfaces first (inside/outside), then pool, then overload. Do not create the pool before designating interfaces, and do not enable overload before the pool exists.

336
Matching · medium

Match each operational tool to the kind of question it most directly helps answer.


What events or messages occurred?

What are the counters or current status values?

Which conversations are using the bandwidth?

Are device clocks aligned for accurate timelines?

Why these pairings

Syslog collects and stores log messages from network devices, directly answering 'What events or messages occurred?' SNMP queries device MIBs for counters and status values, answering 'What are the counters or current status values?' NetFlow provides traffic flow records showing source/destination pairs, protocols, and bandwidth usage, answering 'Which conversations are using the bandwidth?' NTP synchronizes clocks across devices, answering 'Are device clocks aligned for accurate timelines?' The tools are standard network management protocols, not specific to any cloud platform.

Exam trap

The trap is confusing the purpose of NetFlow with other monitoring tools like SNMP or IP SLA. NetFlow is specifically for traffic flow data, not device metrics or performance testing.

337
MCQ · hard

A host has a valid IP address and subnet mask from DHCP but cannot reach remote networks because no gateway was provided. What is the best explanation?

A.The host has no next-hop gateway for traffic destined outside its local subnet.
B.The host cannot use ARP on the local network anymore.
C.The host automatically becomes part of every remote subnet.
D.The host must convert its access port into a trunk.
Answer: A

This is correct because a default gateway is needed for off-subnet traffic.

Why this answer

The best explanation is that the host has no next-hop path for off-subnet traffic. In plain language, the device knows what its own local network looks like, but it does not know where to send packets when the destination is outside that local range. Without a default gateway, remote communication usually fails even though local communication can still work.

This is a core host-configuration concept. The correct answer is the one focused on the absence of a next hop for remote destinations.

Exam trap

A common exam trap is assuming that a host without a default gateway cannot communicate at all. Many candidates mistakenly believe that missing a gateway disables all network communication, but in reality, the host can still communicate with devices on its local subnet using ARP. The trap lies in confusing local subnet communication with remote network access.

The question specifically tests understanding that the lack of a gateway prevents forwarding to remote networks, not local connectivity. Misreading this can lead to selecting incorrect options that focus on ARP or subnet expansion rather than the gateway role.

Why the other options are wrong

B

This option is incorrect because ARP is used for local subnet communication and does not depend on the presence of a default gateway. The host can still use ARP to communicate locally.

C

This option is wrong because a host does not automatically become part of every remote subnet without a gateway. The subnet mask defines the local subnet boundaries, and gateway absence does not change this.

D

This option is unrelated to the problem. Converting an access port to a trunk port affects VLAN tagging on switches but does not impact a host’s ability to have or use a default gateway.

338
MCQ · easy

An ACL on R1 contains only these entries:

access-list 101 permit tcp 10.10.10.0 0.0.0.255 any eq 443
access-list 101 permit icmp any any

What happens to an HTTP packet sourced from 10.10.10.25 and destined for 198.51.100.10 if ACL 101 is applied in the traffic path?

A.It is permitted because the source subnet is allowed.
B.It is denied by the implicit deny.
C.It is translated by NAT before the ACL is checked.
D.It is converted to HTTPS automatically.
Answer: B

The packet does not match either permit entry, so the implicit deny drops it.

Why this answer

HTTP uses TCP port 80, not 443. Because the ACL does not include a permit for that traffic, it is dropped by the implicit deny at the end of the ACL. The ICMP entry is irrelevant because the packet is TCP.

Exam trap

Be careful not to confuse TCP with ICMP or overlook the specific port numbers in ACL entries.

Why the other options are wrong

A

This option is wrong because the ACL only permits TCP traffic on port 443 and ICMP traffic, so an HTTP packet (port 80) from the specified source would be denied by the implicit deny rule at the end of the ACL.

C

This option is wrong because NAT does not occur before ACL evaluation; the ACL is applied directly to the packet as it arrives at the interface. Therefore, the HTTP packet is evaluated against the ACL without any translation taking place.

D

This option is wrong because the ACL does not automatically convert HTTP traffic to HTTPS; it only permits or denies traffic based on the defined rules. The packet from 10.10.10.25 is not permitted by the ACL since it is not targeting port 443.
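The top-down ACL evaluation described in this question, as an added Python example that is not part of the question bank: it parses the two ACEs from the question (and, more generally, `any`, `host` and `address wildcard` forms), applies first-match-wins semantics with the implicit deny at the end, and reports which entry matched. The HTTP packet is the one from the question; the HTTPS and ICMP packets and the ephemeral source ports are constructed for illustration.

```python
"""Top-down evaluation of a Cisco IOS numbered extended ACL (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The two ACEs from the question, as 'show running-config' would print them.
ACL_101_TEXT = """
access-list 101 permit tcp 10.10.10.0 0.0.0.255 any eq 443
access-list 101 permit icmp any any
"""


@dataclass
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip", "tcp", "udp" or "icmp"
    src_net: ipaddress.IPv4Network
    dst_net: ipaddress.IPv4Network
    src_port: Optional[int]          # only set when the ACE carries 'eq <port>'
    dst_port: Optional[int]
    text: str                        # original line, kept for reporting


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


def _wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert IOS 'address wildcard' notation to a network.

    A 1 bit in a wildcard mask means 'don't care', so the netmask is its
    inverse: 0.0.0.0 is a single host and 255.255.255.255 is any address
    (the opposite of how ipaddress would read a dotted mask by itself).
    """
    addr_int = int(ipaddress.IPv4Address(addr))
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    # Only contiguous masks map to a prefix length; reject anything else.
    if ((mask | (mask - 1)) & 0xFFFFFFFF) != 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported")
    return ipaddress.IPv4Network((addr_int & mask, bin(mask).count("1")))


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return _wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def _parse_port(tokens: List[str], i: int) -> Tuple[Optional[int], int]:
    """Parse an optional 'eq <port>' qualifier at tokens[i]."""
    if i < len(tokens) and tokens[i] == "eq":
        return int(tokens[i + 1]), i + 2
    return None, i


def parse_acl(text: str) -> List[Ace]:
    """Parse 'access-list <n> permit|deny <proto> <src> [eq p] <dst> [eq p]' lines."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list":
            continue  # blank or unrelated line
        action, proto = t[2], t[3]
        src_net, i = _parse_addr(t, 4)
        src_port, i = _parse_port(t, i)
        dst_net, i = _parse_addr(t, i)
        dst_port, i = _parse_port(t, i)
        aces.append(Ace(action, proto, src_net, dst_net, src_port, dst_port, line))
    return aces


def evaluate(aces: List[Ace], pkt: Packet) -> Tuple[str, Optional[Ace]]:
    """Return (action, matching ACE). First match wins; no match is the implicit deny."""
    src, dst = ipaddress.IPv4Address(pkt.src), ipaddress.IPv4Address(pkt.dst)
    for ace in aces:
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if src not in ace.src_net or dst not in ace.dst_net:
            continue
        if ace.src_port is not None and ace.src_port != pkt.src_port:
            continue
        if ace.dst_port is not None and ace.dst_port != pkt.dst_port:
            continue
        return ace.action, ace
    return "deny", None  # implicit 'deny ip any any' at the end of every ACL


ACL_101 = parse_acl(ACL_101_TEXT)

# The packet from the question: HTTP (TCP/80) from 10.10.10.25 to 198.51.100.10.
HTTP_PACKET = Packet("tcp", "10.10.10.25", "198.51.100.10", src_port=51000, dst_port=80)


def decide(pkt: Packet) -> str:
    """Human-readable verdict naming the ACE (or the implicit deny) that fired."""
    action, ace = evaluate(ACL_101, pkt)
    where = ace.text.strip() if ace else "implicit deny"
    return f"{action} ({where})"


if __name__ == "__main__":
    print(decide(HTTP_PACKET))  # deny (implicit deny)
    print(decide(Packet("tcp", "10.10.10.25", "198.51.100.10", 51000, 443)))
    print(decide(Packet("icmp", "192.0.2.7", "10.10.10.25")))
```

The zero hit count you would see on both ACEs in `show access-lists 101` for the HTTP packet is the same outcome: neither entry is consulted successfully, so the packet falls through to the implicit deny.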

339
Drag & Drop · medium

Drag and drop the following steps into the correct order to configure a Cisco switch as a DHCP relay agent with DHCP snooping, where the DHCP server is located on a remote router.


Why this order

First, the DHCP server must be properly configured on the router. Next, DHCP snooping is enabled globally on the switch to protect against rogue servers. Then, the specific client VLANs must be added to the snooping database.

After that, the uplink interface to the DHCP server must be trusted to allow legitimate server responses. Finally, the ip helper-address command is placed on the client's SVI to forward DHCP broadcasts to the remote server.

340
PBQ · hard

You are connected to R1 via console. R1 connects two networks: GigabitEthernet0/0 (10.0.0.1/30) to the ISP, and GigabitEthernet0/1 (172.16.1.1/24) to an internal network. The internal hosts (172.16.1.0/24) need to communicate with a server at 10.0.0.2 (ISP side) using a static NAT mapping. Configure static NAT so that internal host 172.16.1.100 is mapped to public IP 10.0.0.3 (which is not assigned to any interface; assume ISP routes 10.0.0.3 to R1). Also configure a static route to reach 10.0.0.3 via the ISP router (next-hop 10.0.0.2).

Network Topology

Host 172.16.1.100 on the LAN connects to R1 G0/1 (172.16.1.1/24); R1 G0/0 (10.0.0.1/30) connects to the ISP and the Server (10.0.0.2).

Hints

  • Static NAT uses 'ip nat inside source static' mapping private to public.
  • Designate inside and outside interfaces correctly.
  • A static route is needed for the public IP because it is not directly connected.
A.ip nat inside source static 172.16.1.100 10.0.0.3 ; interface GigabitEthernet0/0 ; ip nat outside ; interface GigabitEthernet0/1 ; ip nat inside ; ip route 10.0.0.3 255.255.255.255 10.0.0.2
B.ip nat inside source static 10.0.0.3 172.16.1.100 ; interface GigabitEthernet0/0 ; ip nat inside ; interface GigabitEthernet0/1 ; ip nat outside ; ip route 10.0.0.3 255.255.255.255 10.0.0.2
C.ip nat inside source static 172.16.1.100 10.0.0.3 ; interface GigabitEthernet0/0 ; ip nat inside ; interface GigabitEthernet0/1 ; ip nat outside ; ip route 10.0.0.3 255.255.255.255 10.0.0.2
D.ip nat outside source static 172.16.1.100 10.0.0.3 ; interface GigabitEthernet0/0 ; ip nat outside ; interface GigabitEthernet0/1 ; ip nat inside ; ip route 10.0.0.3 255.255.255.255 10.0.0.2
Answer: A
Solution
! R1
ip nat inside source static 172.16.1.100 10.0.0.3
interface GigabitEthernet0/1
ip nat inside
interface GigabitEthernet0/0
ip nat outside
ip route 10.0.0.3 255.255.255.255 10.0.0.2

Why this answer

Static NAT provides a one-to-one mapping between a private and public IP. The inside/outside interface designations are critical for NAT to function. The static route ensures that return traffic to 10.0.0.3 is routed via the ISP.

Exam trap

Be careful with the order of addresses in the static NAT command: inside local (private) first, then inside global (public). Also, remember that the inside interface is the one facing your internal network, and the outside interface faces the external network. The static route is needed for the public IP that is not directly connected.

Why the other options are wrong

B

The static NAT command syntax is 'ip nat inside source static [inside-local] [inside-global]'. Here, the inside local (private) should be 172.16.1.100 and inside global (public) should be 10.0.0.3. Also, the inside interface is the one facing the internal network (G0/1) and outside is facing the ISP (G0/0).

C

NAT requires that the interface facing the internal network be marked as 'ip nat inside' and the interface facing the external network be marked as 'ip nat outside'. Here, G0/0 connects to the ISP (outside) and G0/1 connects to the internal network (inside).

D

The command 'ip nat outside source static' translates the source address of packets arriving on the outside interface. For translating internal host addresses to a public IP, 'ip nat inside source static' must be used.

341
MCQ · hard

Refer to the exhibit. An administrator has configured PAT for internal hosts to access the internet, but users report that they cannot reach external websites. The administrator suspects a NAT issue and runs the show ip nat statistics command. What is the most likely cause of the problem?

A.The NAT overload pool is incorrectly configured with the inside interface Gi0/1 instead of the outside interface Gi0/0.
B.The access-list 1 used in the NAT statement is not matching any traffic.
C.CEF switching is disabled, causing all packets to be punted to the process level and NAT to fail.
D.The maximum number of NAT translations has been reached, causing new translations to be denied.
Answer: A

The dynamic mapping line explicitly shows 'interface GigabitEthernet0/1', which is an inside interface according to the output. Overload must be tied to the outside interface.

Why this answer

The Dynamic mappings section reveals an inside source overload entry bound to interface GigabitEthernet0/1, which is listed under Inside interfaces. For PAT to work, the overload rule must use an outside (WAN) interface (here GigabitEthernet0/0), not an inside interface. This misconfiguration causes all translation attempts to fail, reflected in Hits: 0 and Misses: 15042.

Exam trap

Many candidates will suspect a misconfigured access list because Hits are 0 and Misses are high; however, the exhibit directly indicates the wrong interface binding in the dynamic mapping.

Why the other options are wrong

B

Candidates may focus on Hits: 0 and Misses: 15042 as typical of an ACL issue, but the explicit interface binding in the dynamic mapping is the direct evidence of misconfiguration.

C

The high CEF Punted count mirrors the misses, leading some to believe CEF is the problem, but the exhibit does not indicate CEF is disabled.

D

Candidates might assume that a high miss count reflects a full translation table, but the total active translations show 0.

342
Multi-Select · medium

Which three of the following are characteristics of IP Source Guard on a Cisco switch? (Choose three.)

Select 3 answers
A.It filters IP traffic based on the source IP address and the DHCP snooping binding.
B.It can be configured with a static IP source binding for hosts with fixed addresses.
C.It is typically applied on untrusted access ports to prevent IP spoofing.
D.It inspects the destination IP address of all incoming packets.
E.It dynamically updates the MAC address table for each detected host.
F.It replaces the routing table to enforce security policies.

Why this answer

IP Source Guard (IPSG) filters IP traffic on a per-port basis by validating the source IP address of incoming packets against the DHCP snooping binding database or a manually configured static IP source binding. This prevents IP spoofing attacks by dropping any packet whose source IP does not match a legitimate binding for that port. It is typically enabled on untrusted access ports where DHCP snooping is also active, ensuring that only assigned IP addresses are allowed.

Exam trap

Cisco often tests the distinction between what IP Source Guard inspects (source IP) versus what Dynamic ARP Inspection inspects (ARP packets), leading candidates to confuse the two or think IPSG checks destination addresses.

343
MCQ · hard

Users can reach an internal server by IP address but not by hostname. What is the most likely cause?

A.Name resolution is failing even though IP connectivity to the server works.
B.The server must be in the wrong VLAN because IP works.
C.The default gateway is missing on the client.
D.A GRE tunnel is required for hostname access.
Answer: A

This is correct because the symptom points directly to a DNS-related problem.

Why this answer

The strongest explanation is a DNS problem rather than a raw IP connectivity problem. In practical terms, successful access by IP address shows that Layer 3 reachability to the server exists. Failure only when using the hostname strongly suggests name resolution is missing, incorrect, or unavailable.

This is a classic symptom-based troubleshooting question. The network path works, but the naming service does not.

Exam trap

A common exam trap is to confuse IP connectivity problems with DNS resolution issues. Candidates often select options related to VLAN misconfigurations or missing default gateways because they assume network path problems cause hostname failures. However, if users can reach the server by IP address, Layer 3 routing and VLAN membership are correct.

The trap is ignoring the DNS layer, which is responsible for translating hostnames. Misinterpreting this leads to incorrect troubleshooting steps and wrong exam answers.

Why the other options are wrong

B

Incorrect because if the server were in the wrong VLAN, users would not be able to reach it by IP address. Successful IP access proves VLAN membership is correct.

C

Incorrect because a missing default gateway would prevent IP connectivity to the server if it were on a different subnet. Since IP access works, the default gateway is present and functional.

D

Incorrect because GRE tunnels are unrelated to hostname resolution. Hostname access depends on DNS, not tunneling protocols like GRE.

344
MCQ · hard

A packet is larger than the outgoing interface MTU and the DF bit is set in the IPv4 header. What should the router do?

A.Fragment the packet anyway and forward all fragments.
B.Drop the packet and send an ICMP message indicating fragmentation was needed.
C.Clear the DF bit and then fragment the packet.
D.Encapsulate the packet in GRE automatically.
Answer: B

Correct. That behavior supports Path MTU Discovery.

Why this answer

If fragmentation is required but DF is set, the router drops the packet and returns an ICMP unreachable message indicating fragmentation was needed.

Exam trap

A common exam trap is selecting option A, assuming the router will fragment the packet despite the DF bit. Remember, the DF (Don't Fragment) bit explicitly prevents fragmentation. Another trap is option C, thinking the router can clear the DF bit and fragment, which routers do not do.

Option D is unrelated to MTU handling and can mislead if you confuse GRE tunneling with fragmentation behavior.

Why the other options are wrong

A

Incorrect because the DF bit explicitly forbids fragmentation; the router cannot fragment the packet if DF is set.

C

Incorrect because routers do not clear the DF bit to fragment packets; they respect the DF bit as set by the source.

D

Incorrect because GRE encapsulation is unrelated to MTU handling and fragmentation behavior.

345
PBQ · hard

You are connected to R1. Configure DHCP server on R1 to assign addresses from 192.168.50.0/24 to hosts on VLAN 50, excluding 192.168.50.1-192.168.50.20, with default-router 192.168.50.1 and DNS server 8.8.8.8. On switch SW1, configure DHCP snooping globally and on VLAN 50, and enable trusted ports on the uplink to R1. Then, a host on VLAN 50 reports it received an incorrect IP address; troubleshoot and fix the issue: the wrong helper-address is configured on SW1, the excluded range is too large, and a rogue DHCP server is present on port Fa0/5.

Hints

  • Check the DHCP snooping configuration first — is it enabled and on the correct VLAN?
  • Look at the helper-address: the DHCP server is on the SVI, not on the point-to-point link.
  • The excluded range on R1 is too large; it should only exclude the first 20 addresses.
A.Enable DHCP snooping globally and on VLAN 50, trust the uplink port to R1, correct the excluded range on R1 to 192.168.50.1-192.168.50.20, and change the helper-address on SW1's G0/1 to 192.168.50.1.
B.Enable DHCP snooping globally and on VLAN 50, trust the uplink port to R1, and change the helper-address on SW1's G0/1 to 10.0.0.1.
C.Enable DHCP snooping globally and on VLAN 50, trust the uplink port to R1, and correct the excluded range on R1 to 192.168.50.1-192.168.50.20.
D.Enable DHCP snooping globally and on VLAN 50, trust the uplink port to R1, and change the helper-address on SW1's G0/1 to 192.168.50.1.
Answer: A
Solution
! R1
configure terminal
no ip dhcp excluded-address 192.168.50.1 192.168.50.100
ip dhcp excluded-address 192.168.50.1 192.168.50.20
end
write memory

! SW1
configure terminal
ip dhcp snooping
ip dhcp snooping vlan 50
interface GigabitEthernet0/1
ip dhcp snooping trust
no ip helper-address 10.0.0.1
ip helper-address 192.168.50.1
interface FastEthernet0/5
shutdown
end
write memory

Why this answer

The host received a wrong IP because a rogue DHCP server on Fa0/5 was responding. First, enable DHCP snooping globally with 'ip dhcp snooping' and on VLAN 50 with 'ip dhcp snooping vlan 50'. Then, trust the uplink port to R1 (G0/1) with 'ip dhcp snooping trust'.

Next, fix the excluded range on R1: change it to exclude only the first 20 addresses (192.168.50.1-192.168.50.20) so that hosts can obtain other addresses. Finally, correct the helper-address on SW1's G0/1: change 'ip helper-address 10.0.0.1' to 'ip helper-address 192.168.50.1' because the DHCP server is on the VLAN 50 SVI, not on the point-to-point link.

Exam trap

This question tests your ability to troubleshoot a multi-faceted DHCP issue. Common traps include: (1) forgetting that DHCP snooping must be enabled both globally and per VLAN, (2) assuming the helper-address should be the router's link IP instead of the server's SVI IP, (3) overlooking the excluded range configuration, and (4) thinking that only one of the issues needs to be fixed. Always verify all components: snooping, trust, helper-address, and pool configuration.

Why the other options are wrong

B

The helper-address must be the IP of the DHCP server, which is the SVI address 192.168.50.1, not the link address 10.0.0.1.

C

The helper-address misconfiguration prevents DHCP requests from being forwarded to the correct server, so fixing only the excluded range is insufficient.

D

The excluded range must be corrected to allow hosts to receive addresses from the pool; otherwise, the DHCP server will not assign addresses.

346
MCQ · hard

If a host has a valid IP address and subnet mask but no default gateway, what is the most likely result?

A.The host can usually reach only local-subnet destinations and not remote networks.
B.The host cannot use ARP at all.
C.The host automatically joins every subnet in the LAN.
D.The host becomes the default gateway for other devices.
Answer: A

This is correct because the host has no next hop for off-subnet traffic.

Why this answer

The host will normally reach local destinations but fail to reach remote networks. In practical terms, the subnet mask still lets the host identify what is local, but without a default gateway it has no next hop for off-subnet traffic. That means local ARP-based communication can still work, while remote communication usually fails.

This is a core host-configuration concept and a very common certification question. The missing gateway does not break all communication — it breaks off-subnet communication.

Exam trap

A common exam trap is assuming that a host without a default gateway cannot use ARP or communicate at all. This is incorrect because ARP is used for local Layer 2 address resolution and remains functional. Another trap is believing the host automatically joins other subnets or becomes a gateway for others, which does not happen.

The key mistake is confusing local subnet communication with remote network access. The default gateway only affects off-subnet traffic, so the host can still communicate locally but fails to reach remote destinations.

Why the other options are wrong

B

This option is incorrect because ARP is used for local Layer 2 address resolution and remains functional even if the default gateway is missing; the host can still resolve MAC addresses on the local subnet.

C

This option is incorrect because the host’s subnet membership is determined by its IP address and subnet mask, not by the presence or absence of a default gateway; it does not join other subnets automatically.

D

This option is incorrect because a host does not become a default gateway for other devices simply by lacking a configured gateway; routing and gateway roles require explicit configuration on routers.

347
MCQ · easy

Which Syslog severity level represents an emergency condition, the most critical level?

A.0
B.3
C.5
D.7
Answer: A

Emergency is severity level 0.

Why this answer

Syslog severity 0 is Emergency, the highest severity. The levels then increase numerically as urgency decreases, with 7 being Debugging.

Exam trap

A frequent exam trap is mistaking severity level 3 (Error) or level 5 (Notification) as the most critical syslog severity. Candidates may assume that higher numbers mean higher severity, but in syslog, lower numbers indicate higher urgency. Confusing these levels can lead to incorrect answers because level 0 (Emergency) is the only severity that signals a system-wide failure requiring immediate action.

Misreading the severity scale order or relying on the textual description without recalling the numeric hierarchy often causes this mistake.

Why the other options are wrong

B

Option B incorrectly identifies severity level 3 as Emergency; level 3 actually represents Error, which is serious but less critical than Emergency (0).

C

Option C incorrectly identifies severity level 5 as Emergency; level 5 is Notification, which indicates normal but significant conditions, not emergencies.

D

Option D incorrectly identifies severity level 7 as Emergency; level 7 is Debugging, the lowest severity level used for detailed troubleshooting information.

348
MCQ · hard

Users in a branch office can reach internal networks but cannot browse the Internet. The router has a correct default route and PAT is configured. Which missing item is the most likely cause if inside hosts are still using private source addresses on the WAN?

A.A correct ACL or source match identifying inside local addresses for NAT
B.An STP root bridge election on the WAN side
C.A voice VLAN on the branch access switches
D.A loopback interface with a higher IP address
Answer: A

This is correct because PAT needs to know which inside addresses should be translated. Without a correct match, the router can forward traffic but leave the source private.

Why this answer

If inside hosts are still appearing with private source addresses on the WAN side, the most likely missing element is a correct NAT inside source match for the internal subnet. In plain language, the router knows where Internet traffic should go because the default route exists, but it is not actually translating the private addresses before sending the traffic out. That means upstream devices see RFC 1918 private addresses that are not valid on the public Internet and return traffic fails.

This is a common CCNA troubleshooting pattern: routing and NAT are separate functions. A valid default route only tells the router where to send packets. It does not automatically translate them. PAT also depends on a correct ACL or source match identifying which inside addresses should be translated. If that match is missing or wrong, the router forwards the traffic but without performing the necessary translation. That is why the missing or incorrect NAT match is the most likely root cause.

Exam trap

A common exam trap is assuming that configuring a default route and enabling PAT alone guarantees Internet access for inside hosts. Candidates often overlook the necessity of a correct NAT ACL or source match that explicitly identifies which inside local addresses should be translated. Without this ACL, the router forwards packets with private IP addresses unchanged, causing return traffic to fail because upstream devices reject packets with non-routable source addresses.

This mistake leads to the false conclusion that routing or PAT is misconfigured, when the real issue is the missing or incorrect NAT match.

Why the other options are wrong

B

Incorrect because Spanning Tree Protocol (STP) root bridge election affects Layer 2 switching topology, not Layer 3 NAT translation or routing on the WAN interface.

C

Incorrect because voice VLAN configuration on branch access switches does not influence NAT translation or whether private IP addresses are translated on the WAN interface.

D

Incorrect because a loopback interface IP address does not affect PAT translation of inside user traffic; PAT depends on NAT ACLs and routing, not loopback IP addresses.

349
MCQ · medium

A client receives an IP address but cannot reach remote networks. Which DHCP option is most likely missing or incorrect?

A.DNS server option
B.Lease time option
C.Default gateway (router) option
D.TFTP server option
Answer: C

Without the correct gateway, off-subnet traffic fails.

Why this answer

The client can obtain an IP address but cannot reach remote networks, which indicates that the DHCP server is not providing the default gateway (option 3). Without a default gateway, the client has no route to destinations outside its local subnet, so traffic to remote networks is dropped. The DHCP server must be configured to supply the router's IP address as the default gateway for clients to forward inter-network traffic.

Exam trap

Cisco often tests the distinction between DHCP options by presenting a symptom like 'can't reach the internet' and expecting candidates to recognize that the default gateway (option 3) is the critical missing piece, not DNS or lease time.

Why the other options are wrong

A

The DNS server option is not critical for basic connectivity to remote networks; it primarily affects name resolution. If a client can obtain an IP address but cannot reach remote networks, the issue is more likely related to the default gateway configuration.

B

The lease time option specifies how long a DHCP lease is valid, but it does not affect the ability to reach remote networks. Therefore, a missing or incorrect lease time would not directly cause connectivity issues.

D

The TFTP server option is not necessary for a client to reach remote networks, as it primarily facilitates file transfers and does not impact routing or network accessibility. Therefore, its absence would not directly cause connectivity issues to remote networks.

350
MCQ · hard

A company wants unauthorized devices plugged into unused wall ports to have as little chance of gaining access as possible. Which action most directly supports that goal?

A.Administratively disable unused switch ports.
B.Convert every unused port into a trunk.
C.Enable Telnet on unused ports for monitoring.
D.Remove all VLAN assignments from active user ports.
Answer: A

This is correct because unused active ports are unnecessary exposure points.

Why this answer

Administratively shutting down unused switch ports most directly supports the goal because it eliminates the access point entirely. Option B, converting unused ports into trunks, would actually increase risk by potentially allowing VLAN hopping and unauthorized traffic. Option D, removing VLAN assignments from active user ports, does not address unused ports and could disrupt legitimate users by forcing them into the default VLAN.

Disabling unused ports is a simple and effective hardening measure that reduces attack surface.

Exam trap

Don't confuse methods that limit or monitor access with those that completely prevent it. Focus on actions that eliminate the risk entirely.

Why the other options are wrong

B

Converting unused ports into a trunk does not prevent unauthorized access; it actually allows multiple VLANs to be carried over a single link, potentially exposing sensitive data. This action could inadvertently grant access to unauthorized devices if they connect to these trunked ports.

C

Enabling Telnet on unused ports does not prevent unauthorized access; instead, it creates a potential security vulnerability by allowing remote access to those ports. This action could expose the network to unauthorized monitoring or control.

D

Removing VLAN assignments from active user ports does not prevent unauthorized devices from accessing the network; it could disrupt legitimate user access instead. The goal is to secure unused ports, not impact active ones.

351
MCQ · hard

Refer to the exhibit. A network engineer is troubleshooting an ACL that is not filtering traffic as expected. The engineer runs the show access-lists 110 command and notices that all access control entries (ACEs) show zero matches, even though traffic that should match the permit or deny statements is traversing the network. The engineer then checks the interface configuration. What is the most likely cause?

A.The ACL is applied to the interface in the wrong direction (inbound instead of outbound).
B.The access-list 110 syntax has incorrect subnet masks causing no matches.
C.The ACL 110 is not applied to any interface.
D.The interface GigabitEthernet0/0 is administratively down, preventing ACL processing.
Answer: C

The 'Inbound access list is not set' and 'Outgoing access list is not set' lines in the exhibit directly prove that no ACL has been applied to GigabitEthernet0/0. Since ACL 110 exists but isn't attached to any interface, it never processes traffic and shows zero hit counts.

Why this answer

The exhibit shows 'Inbound access list is not set' and 'Outgoing access list is not set' under GigabitEthernet0/0. This confirms that no access list has been applied to this interface, so access list 110, though defined, is not filtering any traffic. Zero matches are observed because the ACL is never consulted.

Exam trap

Candidates often assume the ACL must be applied somewhere on the router, so they choose 'wrong direction' (inbound vs outbound), but the output clearly shows no ACL is assigned at all.

Why the other options are wrong

A

A common mistake is to try to explain zero matches by directional misapplication without first checking whether an ACL is actually present. The exhibit explicitly shows no ACL is bound.

B

Some candidates fixate on ACL configuration details instead of verifying interface assignment. The output confirms the interface has no ACL, not that an ACL is configured incorrectly.

D

Candidates sometimes misread interface status. This output clearly shows the interface is enabled and up, so a down state is not the issue.

352
MCQ · hard

Why is administratively shutting down unused switch ports considered a useful hardening measure?

A.It reduces the attack surface by removing unnecessary network entry points.
B.It increases available bandwidth on the switch backplane.
C.It enables 802.1Q trunking on all remaining ports.
D.It forces port security to activate automatically.
AnswerA

This is correct because an unused enabled port is an unnecessary risk that can be eliminated by shutting it down.

Why this answer

Unused active ports create unnecessary opportunity for unauthorized connection. Disabling them reduces the attack surface and makes opportunistic access much harder. Option B is incorrect because administratively shutting down a port does not increase backplane bandwidth; bandwidth is a fixed hardware characteristic.

Option C is incorrect because shutting down ports does not enable 802.1Q trunking; trunking is configured separately. Option D is incorrect because port security must be explicitly enabled; it is not activated automatically by shutting down ports.

Exam trap

Do not confuse port shutdown with network performance improvements or IP address management. Focus on security implications.

Why the other options are wrong

B

This option is incorrect because shutting down unused switch ports does not directly increase available bandwidth; rather, it is a security measure to minimize potential vulnerabilities. Bandwidth on the switch backplane is determined by the overall switch architecture and the active ports' configurations, not by disabling unused ports.

C

This option is wrong because administratively shutting down unused switch ports does not enable 802.1Q trunking; trunking is a configuration that allows multiple VLANs to traverse a single physical link, which is unrelated to the status of unused ports.

D

This option is wrong because administratively shutting down unused switch ports does not automatically activate port security; it is a separate configuration that must be enabled explicitly on the switch.

353
Drag & Dropmedium

Drag and drop the following steps into the correct order to configure PAT (Port Address Translation) on a Cisco IOS-XE router and describe the translation process for an outbound packet.

Why this order

First, enter config mode. Then mark the inside and outside interfaces. Create a pool of global addresses.

Finally, enable PAT with overload to allow multiple inside hosts to share the pool addresses.

Exam trap

Candidates often confuse the order of steps, especially thinking that creating the pool or marking interfaces can be done before entering global configuration mode. Remember: you must always be in global configuration mode before issuing any configuration commands. Also, the global address pool must be created before it can be referenced in the ip nat inside source list overload command.

354
MCQmedium

A host at 192.168.50.10/24 needs to send traffic to 192.168.60.20. Which MAC address will it normally place in the Ethernet destination field for the first frame?

A.The MAC address of the remote host at 192.168.60.20
B.The broadcast MAC address only
C.The MAC address of its configured default gateway
D.Its own source MAC address
AnswerC

This is correct because the default gateway is the local next-hop device for off-subnet traffic.

Why this answer

When a host wants to send traffic to a different IP subnet, it does not send the frame directly to the remote device’s MAC address. In plain language, the host knows the destination IP is off its local network, so it hands the traffic to the local router. That means the Ethernet frame is addressed to the default gateway’s MAC address, while the IP packet inside still carries the final remote IP destination.

A host uses ARP to learn MAC addresses on its own LAN. Since the remote host is not local, the sender does not ARP for the remote host’s MAC. Instead, it ARPs for the gateway interface on the same subnet.

Exam trap

A frequent exam trap is selecting the remote host’s MAC address as the Ethernet destination for off-subnet traffic. This is incorrect because ARP requests cannot resolve MAC addresses beyond the local subnet. Candidates may confuse IP routing with MAC addressing and assume direct frame delivery to the remote device.

The trap lies in overlooking the default gateway’s role as the local next-hop device that receives frames destined for remote IPs. Remember, the host always sends the frame to the gateway’s MAC, not the remote host’s MAC, when the destination is outside the local subnet.

Why the other options are wrong

A

Incorrect because the remote host’s MAC address is not known to the sender and cannot be resolved via ARP across subnets. The host must send to the gateway’s MAC instead.

B

Incorrect because broadcast MAC addresses are used only for ARP requests or broadcast traffic, not for normal unicast data frames to a specific remote IP.

D

Incorrect because a device’s own MAC address is used as the source MAC in frames it sends, never as the destination MAC.

355
MCQmedium

Why is SSH preferred over Telnet for remote device administration?

A.SSH uses less bandwidth because it removes the TCP header
B.SSH encrypts management traffic, while Telnet sends data in clear text
C.SSH works only on console ports, which are more secure
D.SSH does not require user authentication
AnswerB

Correct. Encryption is the key reason SSH is preferred.

Why this answer

SSH protects credentials and management traffic by encrypting the session. Telnet does not provide encryption, so usernames, passwords, and commands can be exposed in transit.

Exam trap

Don't confuse ease of configuration or bandwidth usage with security features. Focus on the encryption aspect of SSH.

Why the other options are wrong

A

This option is incorrect because SSH does not inherently use less bandwidth than Telnet; both protocols utilize TCP, and SSH's encryption actually adds overhead, potentially increasing bandwidth usage.

C

This option is incorrect because SSH can operate over various types of connections, including console ports, but it is not limited to them. Telnet can also be used over console ports, making this statement misleading.

D

This option is incorrect because SSH does require user authentication, typically through passwords or public key authentication, which is essential for secure access. In contrast, Telnet does not enforce strong authentication mechanisms.

356
Multi-Selectmedium

A standard numbered ACL is applied close to the destination, but it is blocking traffic from one host while still allowing all other users on the subnet. Which two facts about standard ACLs are relevant in this design?

Select 2 answers
A.They filter based on source address only
B.They are best placed near the source in most cases
C.They can match TCP and UDP port numbers
D.They automatically create a permit any at the end
AnswersA, B

Standard ACLs do not inspect destination addresses or ports.

Why this answer

Standard ACLs only match the source IP address. For that reason, they are usually placed near the source so they do not block more traffic than intended.

Exam trap

A common exam trap is assuming that standard ACLs can filter traffic based on destination IP addresses or port numbers. Candidates may incorrectly place standard ACLs near the destination to control traffic more granularly, but since standard ACLs only match source IPs, this placement can block unintended hosts. This misunderstanding leads to unexpected network outages or partial connectivity, especially when trying to block a single host but inadvertently affecting others in the subnet.

Recognizing the source-only filtering nature of standard ACLs is essential to avoid this pitfall.

Why the other options are wrong

C

Incorrect. Standard ACLs cannot match TCP or UDP port numbers; this capability belongs to extended ACLs, which provide more granular filtering.

D

Incorrect. ACLs do not automatically create a 'permit any' at the end; instead, they have an implicit deny all statement that blocks any traffic not explicitly permitted.

357
Multi-Selectmedium

Which two statements accurately describe common uses of NTP in network operations?

Select 2 answers
A.It helps align device clocks across the network.
B.It improves the reliability of event timelines and log correlation.
C.It replaces the need for Syslog.
D.It assigns IP addresses to hosts.
E.It provides WLAN encryption.
AnswersA, B

This is correct because clock synchronization is NTP's core role.

Why this answer

NTP is widely used to keep device clocks aligned, which improves the reliability of event timelines and log correlation because timestamps from different systems can be compared meaningfully. NTP does not replace Syslog, assign IP addresses (DHCP), or provide WLAN encryption; those are separate functions. Its sole purpose is time synchronization.

Exam trap

A frequent exam trap is assuming that NTP performs functions beyond time synchronization, such as replacing Syslog or assigning IP addresses. Candidates might incorrectly select options suggesting NTP handles logging or DHCP tasks because these services are all related to network management. However, NTP’s sole purpose is to synchronize device clocks.

Confusing NTP with DHCP or Syslog overlooks their distinct roles and can lead to selecting incorrect answers. Understanding that NTP supports but does not replace logging or address assignment is crucial to avoid this trap.

Why the other options are wrong

C

This option is incorrect because NTP does not replace Syslog; Syslog is responsible for logging events, while NTP only synchronizes time.

D

This option is incorrect because IP address assignment is handled by DHCP, not NTP, which only manages time synchronization.

E

This option is incorrect because NTP has no role in providing WLAN encryption; encryption is managed by wireless security protocols like WPA2 or WPA3.

358
Matchingeasy

Match each service to its primary function.

Matches

Resolves hostnames to IP addresses

Provides IP configuration to clients

Synchronizes device time

Collects and exports log messages

Why these pairings

DNS translates domain names into IP addresses, enabling clients to reach servers by name. DHCP automates the assignment of IP addresses, subnet masks, default gateways, and other parameters to clients. NTP synchronizes the clocks of network devices to a common time source.

Syslog collects and exports log messages from network devices to a centralized server for monitoring and troubleshooting.

Exam trap

The exam often tests your ability to differentiate between network services that are commonly confused, such as DNS and DHCP. Remember: DNS resolves names, DHCP assigns IPs. Do not mix up their primary functions.

359
MCQhard

A user reports that they cannot access the company's internal web server at 'intranet.company.local' from their workstation. The workstation can ping the web server's IP address 192.168.10.50 successfully, and other internal services like email (mail.company.local) are reachable. Which DNS record issue is most likely causing this problem?

A.Add a CNAME record that aliases 'intranet.company.local' to 'webserver.company.local'
B.Add an A record mapping 'intranet.company.local' to IP address 192.168.10.50
C.Verify the PTR record for 192.168.10.50 points to 'intranet.company.local'
D.Check the NS records for the 'company.local' zone to ensure proper delegation
AnswerB

The nslookup shows that 'intranet.company.local' does not resolve, while the IP is reachable. Adding an A record directly associates the hostname with the correct IP, fixing the resolution failure.

Why this answer

The workstation can ping the web server's IP address (192.168.10.50), confirming network connectivity and that the server is online. However, the user cannot access the server by its hostname 'intranet.company.local', which indicates a DNS resolution failure. Since other internal services like email are reachable, the DNS zone is functioning, but there is no A record that maps the hostname 'intranet' to its IP address.

Adding an A record for 'intranet.company.local' pointing to 192.168.10.50 will resolve the issue.

Exam trap

Cisco often tests the distinction between forward DNS records (A/AAAA) and reverse DNS records (PTR). Candidates mistakenly choose PTR when the symptom is a forward resolution failure, confusing the direction of the lookup.

Why the other options are wrong

A

The root cause is a missing A record; a CNAME record would not resolve without an A record for the target.

C

PTR records are not used for forward name resolution; the issue is with the forward lookup zone.

D

The zone delegation is working (other records resolve), so NS records are not the cause.

360
MCQhard

A network administrator is troubleshooting connectivity from the 192.168.10.0/24 subnet to the server at 10.10.10.10. Users report that they can reach the server initially, but after a few minutes, connectivity drops and only returns after the interface is cleared. The administrator reviews the router's running configuration and ACL configuration. What is the most likely cause of the intermittent connectivity loss?

A.Remove the 'established' keyword from the ACL to allow initial TCP connections.
B.Apply the ACL inbound on the interface instead of outbound.
C.Add a permit statement for UDP traffic to allow DNS resolution.
D.Change the wildcard mask to 0.0.0.255 to match the subnet more accurately.
AnswerA

The 'established' keyword only permits TCP packets with the ACK or RST bit set, which are responses to established sessions. The initial SYN packet does not have these bits, so it is denied. Removing 'established' allows the TCP three-way handshake to complete.

Why this answer

The 'established' keyword in an ACL permits TCP packets that have the ACK or RST bit set, which are responses to outbound connections. However, it does not permit the initial SYN packet from the client to the server. Since users can reach the server initially (likely due to a temporary permit or stateful inspection elsewhere), but connectivity drops after a few minutes, the issue is that the ACL is blocking the initial SYN packets needed to establish new TCP connections.

Removing the 'established' keyword (or adding a permit for the initial SYN) resolves this by allowing all TCP traffic from the source subnet.

Exam trap

Cisco often tests the misconception that the 'established' keyword permits all TCP traffic, when in fact it only permits packets with the ACK or RST bit set, blocking the initial SYN packet needed to start a new connection.

Why the other options are wrong

B

The direction does not change the fact that the 'established' keyword only permits packets with ACK/RST flags, which excludes the initial SYN.

C

The problem is specifically with TCP connections and ICMP echo-replies, not DNS or UDP.

D

The wildcard mask is already appropriate; the problem lies in the 'established' keyword.

361
MCQeasy

A branch router should automatically learn the IP address of a time source so logs from all devices show matching timestamps. Which service provides that function?

A.DNS
B.NTP
C.TFTP
D.NetFlow
AnswerB

NTP synchronizes device clocks.

Why this answer

NTP synchronizes clocks across network devices. When timestamps line up, syslog messages and troubleshooting output become much more useful.

Exam trap

A common exam trap is selecting DNS as the answer because it involves IP addresses and network services, tempting candidates to confuse name resolution with time synchronization. Another trap is choosing TFTP, since it is a network protocol often associated with configuration and file transfers, misleading candidates to think it manages device settings including time. NetFlow might also confuse candidates because it deals with network traffic data, but it does not affect device clocks.

The key is to recognize that only NTP is designed specifically to synchronize time across devices, which is critical for matching timestamps in logs.

Why the other options are wrong

A

DNS resolves hostnames to IP addresses, enabling devices to locate servers and services by name. However, DNS does not synchronize device clocks or manage time, so it cannot ensure matching timestamps in logs.

C

TFTP is a simple protocol used for transferring files such as configurations and IOS images. It does not provide any time synchronization capabilities and cannot ensure matching timestamps in device logs.

D

NetFlow is a network protocol that collects and exports IP traffic flow information for analysis. It does not affect device clocks or time synchronization and thus cannot provide matching timestamps.

362
MCQhard

A switch should automatically disable any access port that receives a BPDU from an attached device. Which feature directly provides that behavior?

A.Root Guard
B.Loop Guard
C.BPDU Guard
D.PortFast
AnswerC

BPDU Guard disables an edge port if it receives a BPDU.

Why this answer

BPDU Guard is designed for edge ports that should never see BPDUs. If a BPDU arrives, the port is placed into an err-disabled state to protect the topology. Root Guard and Loop Guard solve different STP problems.

Exam trap

A common exam trap is confusing BPDU Guard with Root Guard or Loop Guard. Candidates may incorrectly select Root Guard because it involves BPDUs and port blocking, but Root Guard only prevents a port from becoming a root port and does not err-disable the port. Loop Guard is often mistaken as it protects against unidirectional link failures but does not disable ports on BPDU receipt.

The key distinction is that BPDU Guard immediately disables the port upon receiving any BPDU, which is the behavior the question describes. Misunderstanding these differences can lead to incorrect answers.

Why the other options are wrong

A

Root Guard prevents a port from becoming a root port if superior BPDUs are received, maintaining the root bridge position, but it does not err-disable the port upon BPDU receipt. Therefore, it does not fulfill the requirement to disable access ports that receive BPDUs.

B

Loop Guard protects against unidirectional link failures by preventing a port from transitioning to forwarding state if BPDUs stop arriving on non-designated ports. It does not disable ports upon receiving BPDUs, so it does not meet the behavior described in the question.

D

PortFast is a feature that allows ports to transition quickly to forwarding state, bypassing the usual STP listening and learning states. It does not disable ports upon receiving BPDUs and therefore does not provide the behavior described.

363
PBQhard

You are connected to R1. The inside network 192.168.1.0/24 must be able to access the internet using PAT (NAT overload) with the outside interface G0/1 IP 203.0.113.1. Additionally, the internal server at 192.168.1.10 must be reachable from the internet via static NAT to 203.0.113.10. The current configuration is incomplete and contains errors. Identify and fix all issues so that both PAT and static NAT work correctly.

Network Topology
LAN (inside) -> R1 G0/0 192.168.1.1/24 | R1 G0/1 203.0.113.1/24 (outside) -> Internet

Hints

  • Check which interfaces are marked as inside/outside — they may be reversed.
  • Look at the ACL used for dynamic NAT — does it match the correct inside subnet?
  • Is the 'overload' keyword present on the ip nat inside source command?
A.Swap ip nat inside/outside on interfaces, add 'overload' to the dynamic NAT rule, and correct ACL 1 to permit 192.168.1.0/24.
B.Change the static NAT inside address to 192.168.1.1 and add 'overload' to the dynamic NAT rule.
C.Remove the static NAT configuration and rely solely on PAT for the server.
D.Add the 'overload' keyword to the dynamic NAT rule and correct ACL 1 to permit 192.168.1.0/24.
AnswerA
solution
! R1
interface GigabitEthernet0/0
ip nat inside
exit
interface GigabitEthernet0/1
ip nat outside
exit
no ip nat inside source list 1 pool GLOBAL
ip nat inside source list 1 pool GLOBAL overload
no access-list 1
access-list 1 permit 192.168.1.0 0.0.0.255

Why this answer

The configuration had multiple faults: 1) Inside/outside interfaces were swapped – G0/0 (LAN) should be inside, G0/1 (WAN) should be outside. 2) The PAT command was missing the 'overload' keyword. 3) ACL 1 permitted the wrong subnet (192.168.2.0/24 instead of 192.168.1.0/24). 4) The static NAT configuration was correct, but the interface misconfiguration prevented it from working. Fixes: swap ip nat inside/outside on the interfaces, add 'overload' to the dynamic NAT rule, and correct ACL 1 to permit 192.168.1.0/24.

Exam trap

This question tests your ability to identify multiple simultaneous NAT configuration errors. Common traps include forgetting the 'overload' keyword, misconfiguring ACLs, and swapping inside/outside interfaces. Always verify interface NAT directions first, as they are foundational.

Why the other options are wrong

B

The specific factual error is that the static NAT inside address is already correct; altering it is unnecessary and incorrect.

C

The specific factual error is that static NAT is required for inbound access; PAT alone cannot provide a fixed public-to-private mapping.

D

The specific factual error is that interface NAT direction is fundamental; if inside/outside are reversed, NAT translations will not be applied correctly.

364
MCQhard

An administrator wants to permit HTTP and HTTPS from 10.1.10.0/24 to a web server at 198.51.100.20 and deny everything else from that subnet. Which ACL type is required?

A.Named standard ACL
B.Extended ACL
C.Prefix list
D.MAC access-list
AnswerB

Correct choice.

Why this answer

A standard ACL can match only the source address. To permit specific protocols and ports such as TCP 80 and 443 to a specific destination, the administrator must use an extended ACL.

Exam trap

A frequent exam trap is selecting a standard ACL when the question requires filtering by both source and destination IP addresses plus specific protocols or ports. Standard ACLs only filter by source IP, so they cannot distinguish HTTP or HTTPS traffic to a particular destination. Another trap is confusing prefix lists or MAC access-lists as suitable options; prefix lists filter routes, not traffic by port, and MAC access-lists filter Layer 2 addresses, not Layer 3 or 4 information.

Misunderstanding these differences leads to incorrect ACL type selection and exam failure.

Why the other options are wrong

A

Named standard ACLs filter traffic only by source IP address and cannot filter by destination IP or specific TCP ports like 80 or 443, making them unsuitable for permitting HTTP and HTTPS to a specific server.

C

Prefix lists are used to filter routes based on IP prefixes in routing protocols and cannot filter traffic by protocol or port, so they cannot meet the requirement to permit HTTP and HTTPS traffic specifically.

D

MAC access-lists filter traffic based on Layer 2 MAC addresses and cannot filter by Layer 3 IP addresses or Layer 4 ports, so they cannot selectively permit HTTP and HTTPS traffic to a specific IP address.

365
PBQhard

You are connected to R1. Configure R1 as a DHCP server for VLAN 20 clients (192.168.20.0/24) with DNS server 203.0.113.10 and default gateway 192.168.20.1. On switch SW1, enable DHCP snooping globally and on VLAN 20, configure the uplink to R1 as trusted, and ensure that the DHCP server is reachable via ip helper-address on the VLAN 20 SVI. Currently, clients are not receiving IP addresses because of misconfigurations: the excluded-address range on R1 is too large (excluding the entire subnet), the helper-address on SW1 points to a wrong IP (192.0.2.99), and a rogue DHCP server is connected to port Fa0/3 on SW1. Fix all issues so that clients can get addresses securely.

Hints

  • The excluded-address range is too broad; narrow it to only the gateway and a small reserved range.
  • The helper-address must point to the DHCP server's IP, which is on a different subnet.
  • DHCP snooping must be enabled globally and per VLAN, and the port connecting to the legitimate DHCP server must be trusted.
A.On R1, change the excluded-address range to 192.168.20.1 192.168.20.1; on SW1, configure ip helper-address 10.0.0.1 under interface Vlan20; enable DHCP snooping globally and on VLAN 20, and configure the uplink to R1 as trusted.
B.On R1, remove the excluded-address range entirely; on SW1, configure ip helper-address 192.168.20.1 under interface Vlan20; enable DHCP snooping globally and on VLAN 20, and configure the uplink to R1 as trusted.
C.On R1, change the excluded-address range to 192.168.20.1 192.168.20.254; on SW1, configure ip helper-address 192.0.2.99 under interface Vlan20; enable DHCP snooping globally and on VLAN 20, and configure the uplink to R1 as trusted.
D.On R1, change the excluded-address range to 192.168.20.1 192.168.20.1; on SW1, configure ip helper-address 10.0.0.1 under interface Vlan20; enable DHCP snooping globally and on VLAN 20, but do not configure any trusted ports.
AnswerA
solution
! R1
no ip dhcp excluded-address 192.168.20.0 192.168.20.255
ip dhcp excluded-address 192.168.20.1
ip dhcp excluded-address 192.168.20.2 192.168.20.10

! SW1
ip dhcp snooping
ip dhcp snooping vlan 20
interface FastEthernet0/1
ip dhcp snooping trust
exit
interface Vlan20
no ip helper-address 192.0.2.99
ip helper-address 10.0.0.1

Why this answer

The DHCP server had an excluded-address range covering the entire subnet (192.168.20.0–255), which prevented any IP from being assigned. Fix: change the excluded range to only include the gateway (192.168.20.1) and optionally other reserved addresses. The helper-address on SW1 pointed to 192.0.2.99 (nonexistent) instead of the DHCP server at 10.0.0.1; correct it.

DHCP snooping was disabled; enable it globally and on VLAN 20, then configure the uplink to R1 as trusted. The port connecting the rogue server (Fa0/3) stays untrusted, which is the default for every port once snooping is enabled, so any DHCP server messages from the rogue server are dropped.

Exam trap

A common trap is forgetting that the excluded-address range should only reserve specific addresses, not the whole subnet. Another trap is confusing the helper-address with the default gateway or leaving the incorrect IP. Also, many candidates enable DHCP snooping but forget to configure the trusted port, which breaks legitimate DHCP traffic.

Why the other options are wrong

B

The helper-address must point to the DHCP server, not the default gateway. The excluded-address range should include the gateway to prevent conflicts.

C

The excluded-address range must be limited to reserved addresses only, not the entire usable range. The helper-address must be corrected to 10.0.0.1.

D

DHCP snooping requires the port connected to the legitimate DHCP server to be explicitly trusted; otherwise, all DHCP server messages are discarded.

366
PBQhard

You are connected to R1, a multilayer switch acting as a DNS client for internal name resolution. The network uses a private DNS server at 192.168.1.100. Users report that resolving the hostname 'server01.courseiva.local' fails intermittently. Diagnose and fix the DNS resolution issue by examining the current configuration and using appropriate show commands to verify.

Network Topology
R1 (switch) -> DNS Server 192.168.1.100/24

Hints

  • Check if the DNS server IP is actually present in the running config under 'ip name-server'.
  • Use 'show ip dns' to see if any name servers are configured.
  • The configuration may appear in the running config but not be active due to a missing 'ip name-server' command in the correct order.
A.Re-enter the 'ip name-server 192.168.1.100' command and verify with 'show ip dns'.
B.Configure 'ip domain lookup' to enable DNS resolution on the switch.
C.Change the 'ip domain name' to 'courseiva.local' to match the hostname being resolved.
D.Use 'debug ip dns' to monitor DNS queries and identify the problem.
AnswerA
solution
! R1
configure terminal
ip name-server 192.168.1.100
end
! trigger a DNS lookup to verify resolution (IOS has no nslookup command)
ping server01.courseiva.local

Why this answer

The 'ip name-server' command was missing from the configuration, causing the switch to use broadcast DNS queries (to 255.255.255.255) instead of a specific server. Broadcast queries may occasionally succeed if a DNS server on the network answers them, producing the reported intermittent failures. Re-entering the 'ip name-server 192.168.1.100' command forces directed queries, ensuring reliable resolution.

After configuration, a 'ping server01.courseiva.local' will trigger DNS and confirm success if the server is reachable.

Exam trap

Do not confuse 'ip domain lookup' (enables DNS client) with 'ip name-server' (specifies DNS server). A common trap is to assume that enabling DNS lookup is sufficient, but without a configured name-server, the device will use broadcast queries, which often fail in real networks.

Why the other options are wrong

B

The specific factual error is that 'ip domain lookup' enables DNS client functionality but does not specify which DNS server to use. The command is already present, so reconfiguring it does not fix the missing server IP.

C

The specific factual error is that the domain name is already configured correctly; changing it would not address the empty name-server list.

D

The specific factual error is that debugging is a diagnostic tool, not a corrective action. The question asks to 'fix' the issue, not just diagnose it.

367
PBQmedium

You are connected to R1 via the console. R1's GigabitEthernet0/0 (10.0.0.1/30) connects to R2 (10.0.0.2/30). Hosts on the LAN (192.168.1.0/24) need DHCP services. The DHCP server is located at 172.16.1.100 on a different subnet reachable via R2. Configure R1 to forward DHCP broadcasts to the DHCP server.

Network Topology
PCs (LAN) -> R1 G0/1 192.168.1.1/24 | R1 G0/0 10.0.0.1/30 -> link -> R2 10.0.0.2/30 -> DHCP server

Hints

  • The ip helper-address command is used to forward DHCP broadcasts.
  • Apply it on the interface facing the DHCP clients.
A.ip helper-address 172.16.1.100
B.ip dhcp relay information option
C.ip forward-protocol udp 67
D.ip dhcp-server 172.16.1.100
AnswerA
solution
! R1
interface GigabitEthernet0/1
ip helper-address 172.16.1.100

Why this answer

The ip helper-address command on the LAN interface forwards DHCP broadcast requests to the DHCP server at 172.16.1.100, allowing clients to obtain IP addresses across subnets.

Exam trap

Do not confuse the ip helper-address command with other DHCP-related commands like ip dhcp relay information option or ip forward-protocol. The key is to remember that ip helper-address is the command that actually forwards broadcasts to a specific server.

Why the other options are wrong

B

It is a supporting feature for relay agents, not the primary command to forward DHCP broadcasts.

C

It is a prerequisite but not sufficient; the ip helper-address is still needed to direct the traffic.

D

The command does not exist; it is a fabrication.

368
MCQhard

An operations team wants a monitoring platform to periodically read interface counters and CPU statistics from routers. Which technology is most closely associated with that requirement?

A.SNMP
B.Syslog
C.NetFlow
D.Port security
AnswerA

This is correct because SNMP is commonly used for polling counters, status, and device statistics.

Why this answer

SNMP is the best fit for that requirement. In practical terms, periodic reading of counters and statistics is polling-style monitoring, which is one of the classic SNMP use cases. A management system can query devices for interface status, utilization data, and other measurable values over time.

This is different from Syslog, which is event-message oriented, and from NetFlow, which focuses on traffic-flow visibility rather than general device statistics. The question is really about routine monitoring and polling.

Exam trap

A common exam trap is selecting Syslog or NetFlow as the answer because they are also monitoring-related technologies. Syslog is tempting because it deals with messages from devices, but it only reports events and logs rather than polling counters periodically. NetFlow is often confused with SNMP because it provides traffic visibility, but it focuses on flow data, not general device statistics like CPU or interface counters.

Another trap is port security, which is unrelated to monitoring and instead controls MAC address access on switch ports. Recognizing that SNMP uniquely supports periodic polling of device metrics helps avoid these mistakes.

Why the other options are wrong

B

Syslog is incorrect because it focuses on logging event messages and alerts rather than routinely polling device counters or CPU statistics, so it does not meet the periodic monitoring requirement.

C

NetFlow is incorrect because it provides detailed traffic flow analysis and visibility but does not poll general device statistics like CPU usage or interface counters, which are needed here.

D

Port security is incorrect because it is a Layer 2 feature that restricts MAC addresses on switch ports and does not provide any monitoring or polling capabilities for device statistics.
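Worked example (added by the editor, not part of the original question set): the polling-style monitoring described above only becomes useful once the polled counter values are turned into rates. The Python below takes constructed samples of a 32-bit interface octet counter (ifInOctets is a Counter32 in the standard interfaces MIB; ifHCInOctets is the 64-bit version), computes the bit rate and utilisation per polling interval, handles the wrap of the 32-bit counter, and checks whether a given link speed and polling interval can wrap the counter more than once, in which case the delta is ambiguous and the 64-bit counter must be polled instead. The interface speed, poll times and counter values are constructed for the example, not read from a device.

```python
from dataclasses import dataclass
from typing import List

# ifInOctets/ifOutOctets are 32-bit counters; ifHCInOctets/ifHCOutOctets are 64-bit.
COUNTER32_MAX = 2 ** 32
COUNTER64_MAX = 2 ** 64


@dataclass(frozen=True)
class Poll:
    t: float        # poll time in seconds (constructed)
    octets: int     # counter value returned by the SNMP GET


def counter_delta(prev: int, curr: int, width: int = COUNTER32_MAX) -> int:
    """Octets counted between two polls, allowing for at most one wrap of the counter."""
    if curr >= prev:
        return curr - prev
    return (width - prev) + curr


def rate_bps(p0: Poll, p1: Poll, width: int = COUNTER32_MAX) -> float:
    """Average bit rate between two consecutive polls."""
    seconds = p1.t - p0.t
    if seconds <= 0:
        raise ValueError("polls must be in increasing time order")
    return counter_delta(p0.octets, p1.octets, width) * 8 / seconds


def utilisation(polls: List[Poll], if_speed_bps: int, width: int = COUNTER32_MAX) -> List[float]:
    """Link utilisation (0..1) for each polling interval."""
    return [rate_bps(a, b, width) / if_speed_bps for a, b in zip(polls, polls[1:])]


def interval_safe(if_speed_bps: int, interval_s: float, width: int = COUNTER32_MAX) -> bool:
    """True if a saturated link cannot wrap the counter more than once between polls.
    If it can, the computed delta is wrong and the 64-bit HC counters must be polled instead."""
    return if_speed_bps / 8 * interval_s < width


# Constructed 5-minute polls of ifInOctets on a 100 Mbit/s interface; the counter wraps
# between the second and the third poll.
IF_SPEED = 100_000_000
SAMPLE = [Poll(0, 4_069_000_000), Poll(300, 4_294_000_000), Poll(600, 374_032_704)]


def sample_utilisation() -> List[float]:
    """Utilisation of the constructed sample: 6 % in the first interval, 10 % in the second."""
    return utilisation(SAMPLE, IF_SPEED)


if __name__ == "__main__":
    for i, u in enumerate(sample_utilisation()):
        print(f"interval {i}: {u:.1%}")
    print("100 Mbit/s, 300 s poll, Counter32 safe:", interval_safe(IF_SPEED, 300))
    print("1 Gbit/s,   300 s poll, Counter32 safe:", interval_safe(1_000_000_000, 300))
    print("1 Gbit/s,   300 s poll, Counter64 safe:", interval_safe(1_000_000_000, 300, COUNTER64_MAX))
```

The last three lines show the practitioner's reason for preferring the HC counters: at 1 Gbit/s a 32-bit octet counter can wrap more than once inside a 5-minute interval, so the delta, and any utilisation alarm built on it, is no longer trustworthy.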

369
MCQhard

A network technician is troubleshooting a router that cannot be accessed via SSH. The router responds to Telnet but SSH attempts return 'connection refused'. The technician confirmed that 'ip ssh version 2' is configured and 'show ip ssh' indicates SSH is enabled. The output of 'show line vty 0 4' shows 'transport input telnet'. What should the technician do next?

A.Generate a new RSA key pair and restart the SSH service.
B.Add the 'transport input ssh' command to the VTY lines.
C.Configure 'ip ssh version 1' to enable backward compatibility.
D.Configure AAA authentication on the VTY lines.
AnswerB

The show line vty output indicates that only Telnet is permitted on the VTY lines. Changing the transport setting to 'transport input ssh' (SSH only, the secure choice) or to 'transport input telnet ssh' / 'transport input all' (both protocols) removes the protocol restriction that is causing the connection refused.

Why this answer

The VTY lines are configured with 'transport input telnet', which explicitly allows only Telnet sessions. SSH is enabled globally, but because it is not listed in the VTY transport input, the line rejects SSH connection attempts before any key exchange or authentication takes place. 'transport input ssh' replaces the setting so that only SSH is accepted, which also closes the cleartext Telnet path; the command replaces the list rather than adding to it, so use 'transport input telnet ssh' (or 'transport input all') only if Telnet must stay available during the migration. Verify afterwards with 'show line vty 0 4' or 'show running-config | section line vty'.

Exam trap

Generating a new RSA key pair is a common but incorrect next step because SSH is already enabled and operational; the 'connection refused' message stems from the VTY transport configuration, not from missing or corrupted keys.

Why the other options are wrong

A

Administrators often mistake 'connection refused' for a key issue, but the VTY lines restrict the allowed protocols, not the validity of the keys.

C

Candidates may think a version mismatch causes the refusal, but the VTY transport setting is the actual filter; downgrading security is unnecessary and ineffective.

D

Some technicians equate 'connection refused' with authentication failure and jump to AAA, but in this case the VTY lines never allow the SSH session to reach the authentication stage.

370
Matchingmedium

Match each IP service symptom to the most likely service involved.

Matches

DNS → Hostnames fail but direct IP access works

DHCP → Clients do not receive IP configuration automatically

NTP → Log timestamps differ noticeably between devices

Syslog → Administrators want one place to collect device events

Why these pairings

Hostnames fail but direct IP access works because DNS resolves names to IP addresses; without DNS, name resolution stops while IP connectivity remains intact. Clients not receiving IP configuration automatically indicates a DHCP failure, since DHCP is the service responsible for dynamic address assignment. Log timestamps differing noticeably between devices points to an NTP issue, as NTP synchronizes clocks across the network.

Administrators wanting one place to collect device events rely on Syslog, which centralizes event messages from multiple devices.

Exam trap

Be careful not to confuse symptoms (like packet loss or jitter) with services. The question asks for the 'service involved', so look for a specific service name (DNS, DHCP, NTP, Syslog) rather than a general network condition.

371
Matchingmedium

Match each technology to the kind of visibility or function it most directly provides.

Matches

Syslog → Device events and log messages

SNMP → Management data and monitored values

NetFlow → Traffic conversation visibility

DHCP → Automatic host IP configuration

Why these pairings

Syslog carries device events and log messages to a collector; SNMP exposes management data and monitored values that a manager polls; NetFlow records traffic conversations (flows) between endpoints; DHCP configures host IP settings automatically. Each technology is matched to the primary visibility or function it provides in a security architecture.

Exam trap

The exam trap is confusing the functions of similar-sounding technologies, especially NetFlow vs. SPAN (both deal with traffic) and SNMP vs. Syslog (both deal with monitoring).

Remember: NetFlow = flow records, SPAN = packet copies, SNMP = polling/health, Syslog = logs.

372
Matchingeasy

Match each IP service to the transport protocol and default port it commonly uses in a basic CCNA context.

Matches

DNS → UDP 53

DHCP (server) → UDP 67

NTP → UDP 123

Syslog → UDP 514

Why these pairings

DNS primarily uses UDP port 53 for standard queries due to low overhead; TCP 53 is used for zone transfers (and for responses too large for a single UDP datagram), but that is outside the basic CCNA context. A DHCPv4 server listens on UDP port 67 (clients use UDP 68); the exchange starts as broadcasts before the client has an address, so a connection-oriented transport would not work. NTP uses UDP port 123 to keep time synchronization lightweight and efficient.

Syslog uses UDP port 514 to send system messages without requiring a session, prioritizing speed over reliability.

Exam trap

Be careful not to confuse FTP control (21) with FTP data (20). Also, remember that DNS primarily uses UDP, not TCP, even though it can use TCP in certain scenarios. HTTP/HTTPS always use TCP in a basic CCNA context; do not be misled by newer protocols like QUIC.

373
Multi-Selectmedium

A network team wants an ACL that permits HTTPS from 10.1.50.0/24 to a web server at 203.0.113.10 and denies all Telnet traffic from that subnet to any destination. Which two ACEs are required?

Select 2 answers
A.permit tcp 10.1.50.0 0.0.0.255 host 203.0.113.10 eq 443
B.deny tcp 10.1.50.0 0.0.0.255 any eq 23
C.permit udp 10.1.50.0 0.0.0.255 host 203.0.113.10 eq 443
D.deny tcp any 10.1.50.0 0.0.0.255 eq 23
E.permit ip any any
AnswersA, B

This permits HTTPS from that subnet to the specific web server.

Why this answer

To meet the requirement, one ACE must explicitly permit TCP destination port 443 to the web server, and another must deny TCP destination port 23 to any destination. Option C is wrong because HTTPS (port 443) uses TCP, not UDP. Option D reverses source and destination; the deny should apply from 10.1.50.0/24 to any, not from any to that subnet.

Option E is a catch-all permit. ACLs are evaluated top down and the first matching entry wins, so placed ahead of the Telnet deny it would match the Telnet traffic first and the deny would never be reached; it is also not one of the two ACEs the requirement asks for. Remember the implicit deny at the end of every ACL: with only A and B applied, all other traffic from 10.1.50.0/24 is dropped too, so a real deployment adds explicit permits for whatever else must pass, placed after the Telnet deny.

Exam trap

Be careful to match both the source and destination criteria in ACLs, not just the destination.

Why the other options are wrong

C

HTTPS uses TCP, not UDP, so a UDP permit for port 443 would not match HTTPS traffic.

D

The ACL reverses source and destination; it denies Telnet from any to 10.1.50.0/24, not from 10.1.50.0/24 to any.

E

A catch-all permit placed before the deny would match Telnet first and the required deny would never be evaluated; it is not one of the ACEs the requirement calls for.
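Worked example (added by the editor, not part of the original question): a small Python evaluator for Cisco-style extended ACEs that shows why A and B satisfy the requirement, what the implicit deny does to every other packet, and why the position of a 'permit ip any any' decides whether the Telnet deny is ever reached. The packet samples are constructed, and the parser covers only the 'permit/deny <proto> <src> <dst> [eq <port>]' form used in this question.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    action: str         # "permit" or "deny"
    proto: str          # "ip" matches every protocol
    src_net: int
    src_wild: int       # wildcard mask: 1 bits are "don't care"
    dst_net: int
    dst_wild: int
    dport: Optional[int] = None   # "eq <port>" on the destination, if any


def _addr(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def parse_ace(text: str) -> Ace:
    """Parse '<permit|deny> <proto> <src> <dst> [eq <port>]' as written in the options above."""
    tok = text.split()
    action, proto, i = tok[0], tok[1], 2

    def take_addr(pos: int):
        if tok[pos] == "any":
            return 0, 0xFFFFFFFF, pos + 1
        if tok[pos] == "host":
            return _addr(tok[pos + 1]), 0, pos + 2
        return _addr(tok[pos]), _addr(tok[pos + 1]), pos + 2

    src_net, src_wild, i = take_addr(i)
    dst_net, dst_wild, i = take_addr(i)
    dport = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
    return Ace(action, proto, src_net, src_wild, dst_net, dst_wild, dport)


def _addr_matches(addr: int, net: int, wild: int) -> bool:
    # Only the bits that are 0 in the wildcard mask have to agree.
    care = ~wild & 0xFFFFFFFF
    return (addr & care) == (net & care)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not _addr_matches(_addr(pkt.src), ace.src_net, ace.src_wild):
        return False
    if not _addr_matches(_addr(pkt.dst), ace.dst_net, ace.dst_wild):
        return False
    return ace.dport is None or ace.dport == pkt.dport


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """Top-down, first match wins; the unwritten last line of every ACL is 'deny'."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


# The two ACEs from the answer, A then B.
REQUIRED = [parse_ace(t) for t in (
    "permit tcp 10.1.50.0 0.0.0.255 host 203.0.113.10 eq 443",
    "deny tcp 10.1.50.0 0.0.0.255 any eq 23",
)]
CATCH_ALL = parse_ace("permit ip any any")

# Constructed sample traffic from the subnet in the question.
HTTPS_TO_WEB = Packet("tcp", "10.1.50.7", "203.0.113.10", 443)
TELNET_OUT = Packet("tcp", "10.1.50.7", "198.51.100.5", 23)
HTTP_ELSEWHERE = Packet("tcp", "10.1.50.7", "198.51.100.5", 80)
UDP_443 = Packet("udp", "10.1.50.7", "203.0.113.10", 443)   # what option C would match; not HTTPS


def catch_all_first() -> str:
    """Telnet verdict when 'permit ip any any' sits before the deny."""
    return evaluate([CATCH_ALL] + REQUIRED, TELNET_OUT)


def catch_all_last() -> str:
    """Telnet verdict when 'permit ip any any' sits after the deny."""
    return evaluate(REQUIRED + [CATCH_ALL], TELNET_OUT)


if __name__ == "__main__":
    for name, pkt in [("HTTPS to web server", HTTPS_TO_WEB), ("Telnet outbound", TELNET_OUT),
                      ("HTTP elsewhere", HTTP_ELSEWHERE), ("UDP 443", UDP_443)]:
        print(f"{name:20s} -> {evaluate(REQUIRED, pkt)}")
    print("catch-all before deny:", catch_all_first())   # permit: the deny is never reached
    print("catch-all after deny: ", catch_all_last())    # deny
```

With only A and B in place, HTTP to any other destination is dropped by the implicit deny; appending the catch-all after B permits it while still denying Telnet, which is the order a real ACL for this requirement would use.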

374
MCQhard

A router is configured with PAT for inside users. Which symptom most strongly suggests the NAT inside/outside roles are reversed on the interfaces?

A.Outbound traffic still shows private inside source addresses where translated public addresses should appear.
B.The NAT translation table is empty even though internal users are browsing the internet.
C.Internal hosts cannot reach the internet at all.
D.External hosts can connect to internal servers using their private IP addresses.
AnswerA

This is correct because reversed inside/outside roles break the normal PAT translation direction.

Why this answer

When NAT inside/outside roles are reversed, the router applies translation logic in the wrong direction, causing traffic from the inside network to leave the outside interface with untranslated private source addresses. The correct answer (A) directly demonstrates this failure: outbound traffic still shows private IPs where a public address should appear after PAT.

The other options describe symptoms that could occur with other NAT misconfigurations but do not strongly indicate reversed roles: an empty translation table (B) suggests no NAT processing at all, possibly due to a missing ACL or overload configuration; total lack of internet access (C) may result from many connectivity issues, not specifically reversed interface roles; and external hosts reaching internal servers by private IP (D) points more to a missing or incorrect static NAT rule than to direction reversal.

Exam trap

A common exam trap is assuming that NAT translation problems are caused by ACL or overload command errors, while overlooking the inside/outside interface roles. Candidates may see private IP addresses in outbound traffic and mistakenly focus on ACL syntax or NAT pool definitions. However, the root cause is often reversed interface roles, which prevent the router from applying PAT correctly.

This trap leads to wasted time troubleshooting unrelated configurations and missing the fundamental NAT directionality requirement.

Why the other options are wrong

B

An empty NAT table indicates no translation is happening at all, which is not the expected outcome of simply reversing inside/outside roles—NAT still processes packets but incorrectly.

C

Complete internet unreachability is a generic connectivity symptom that could be caused by routing, firewall, or other NAT issues, but does not strongly signal a role reversal.

D

External hosts connecting to a private IP without translation is a typical sign of a missing static NAT or PAT rule, not of reversed interface direction assignments.

375
PBQmedium

You are connected to R1 via console. R1 is a router that should restrict SSH access to only the management station at 192.168.1.100. Currently, SSH is enabled but any IP can connect. Configure a standard named ACL called 'SSH_ACL' to permit only the management station, and apply it to the VTY lines to filter incoming SSH connections. Ensure the VTY lines use SSH only (no Telnet). The SSH version should be set to 2.

Network Topology
R1 G0/0 (192.168.1.1/24) --- LAN --- Management Station (192.168.1.100)

Hints

  • Create a standard ACL that permits only the management host.
  • Apply the ACL to the VTY lines with 'ip access-class'.
  • Use 'transport input ssh' to allow only SSH and 'ip ssh version 2' to enforce SSHv2.
A.
R1(config)# ip access-list standard SSH_ACL
R1(config-std-nacl)# permit host 192.168.1.100
R1(config-std-nacl)# deny any
R1(config-std-nacl)# exit
R1(config)# line vty 0 4
R1(config-line)# ip access-class SSH_ACL in
R1(config-line)# transport input ssh
R1(config)# ip ssh version 2

B.
R1(config)# access-list SSH_ACL permit 192.168.1.100
R1(config)# line vty 0 4
R1(config-line)# access-group SSH_ACL in
R1(config-line)# transport input ssh
R1(config)# ip ssh version 2

C.
R1(config)# ip access-list standard SSH_ACL
R1(config-std-nacl)# permit 192.168.1.100
R1(config)# line vty 0 4
R1(config-line)# ip access-class SSH_ACL out
R1(config-line)# transport input ssh
R1(config)# ip ssh version 2

D.
R1(config)# access-list SSH_ACL permit 192.168.1.100
R1(config)# line vty 0 4
R1(config-line)# ip access-class SSH_ACL in
R1(config-line)# transport input all
R1(config)# ip ssh version 2
AnswerA
solution
! R1
ip access-list standard SSH_ACL
permit host 192.168.1.100
deny any
line vty 0 4
ip access-class SSH_ACL in
transport input ssh
ip ssh version 2

Why this answer

The standard ACL names the only source allowed to open a session. Applying it with 'ip access-class SSH_ACL in' filters incoming Telnet/SSH sessions by source address; the explicit 'deny any' only makes the implicit deny visible in the configuration. 'transport input ssh' disables Telnet on those lines, and 'ip ssh version 2' enforces SSHv2 (SSHv1 is considered insecure). On platforms that also have 'line vty 5 15', apply the same access-class and transport commands there, otherwise the remaining lines stay unfiltered. Verify with 'show ip ssh', 'show line vty 0 4', and an SSH attempt from a host other than 192.168.1.100, which should be refused.

Exam trap

Be careful not to confuse 'access-group' (for interfaces) with 'access-class' (for VTY lines). Also, remember that 'in' on VTY lines filters incoming connections, while 'out' filters outgoing. Always verify the transport input setting to ensure only SSH is allowed.

Why the other options are wrong

B

The command 'access-group' is used on interfaces to filter traffic, not on VTY lines. VTY lines use 'ip access-class' to filter incoming Telnet/SSH sessions.

C

The direction 'out' on VTY lines filters traffic originating from the router (outgoing), not incoming SSH connections. The correct direction is 'in'.

D

The command 'transport input all' permits all protocols, including Telnet, which is insecure. The requirement specifies SSH only, so 'transport input ssh' is needed.
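Worked example (added by the editor, not part of the original questions): the Telnet-only VTY lines in the SSH troubleshooting question above and the hardened VTY lines in this PBQ are the 'before' and 'after' of the same audit. The Python below parses a running-config text, extracts each 'line vty' block, and reports the gaps a reviewer would look for: SSH not allowed or Telnet still allowed by 'transport input', no inbound 'ip access-class', an access-class applied in the wrong direction, an access-class that names an ACL the config never defines, and 'ip ssh version 2' missing globally. Both sample configurations are constructed for the example (the second one also hardens 'line vty 5 15', which many platforms have); they are not output from a real device, and the audit checks only what appears in the config text.

```python
import re
from typing import Dict, List, Set

# Constructed sample configurations, not output from a real device.
# CONFIG_BEFORE is the state in the troubleshooting question: SSH on globally, VTY lines Telnet-only.
CONFIG_BEFORE = """\
hostname R1
ip domain-name example.net
ip ssh version 2
line vty 0 4
 login local
 transport input telnet
line vty 5 15
 login local
 transport input all
"""

# CONFIG_AFTER is the PBQ solution, applied to both VTY blocks.
CONFIG_AFTER = """\
hostname R1
ip domain-name example.net
ip ssh version 2
ip access-list standard SSH_ACL
 permit host 192.168.1.100
 deny any
line vty 0 4
 ip access-class SSH_ACL in
 login local
 transport input ssh
line vty 5 15
 ip access-class SSH_ACL in
 login local
 transport input ssh
"""


def vty_blocks(config: str) -> Dict[str, List[str]]:
    """Map each 'line vty ...' block to its indented sub-commands."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("line vty"):
            current = line[len("line "):].strip()
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None          # any other top-level command ends the block
    return blocks


def defined_acls(config: str) -> Set[str]:
    """Names of named ACLs and numbers of numbered ACLs present in the config."""
    names = set(re.findall(r"^ip access-list (?:standard|extended) (\S+)", config, re.M))
    names.update(re.findall(r"^access-list (\d+) ", config, re.M))
    return names


def audit_vty(config: str) -> List[str]:
    """One finding per hardening gap; an empty list means the VTY lines pass."""
    findings: List[str] = []
    if not re.search(r"^ip ssh version 2$", config, re.M):
        findings.append("global: 'ip ssh version 2' not set")
    acls = defined_acls(config)
    for name, cmds in vty_blocks(config).items():
        transport = next((c for c in cmds if c.startswith("transport input")), None)
        if transport is None:
            findings.append(f"{name}: no 'transport input' (platform default applies)")
        else:
            allowed = transport.split()[2:]
            if "ssh" not in allowed and "all" not in allowed:
                findings.append(f"{name}: SSH not allowed ('{transport}')")
            if "telnet" in allowed or "all" in allowed:
                findings.append(f"{name}: cleartext Telnet allowed ('{transport}')")
        access_class = next((c for c in cmds if c.startswith("ip access-class")), None)
        if access_class is None:
            findings.append(f"{name}: no 'ip access-class' (any source may connect)")
        else:
            parts = access_class.split()
            if len(parts) < 4 or parts[3] != "in":
                findings.append(f"{name}: access-class not applied inbound ('{access_class}')")
            if parts[2] not in acls:
                findings.append(f"{name}: access-class references undefined ACL {parts[2]}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        print(f"--- {label} ---")
        for f in audit_vty(cfg) or ["no findings"]:
            print(f)
```

On the 'before' configuration the audit reports five findings (Telnet-only plus no access-class on vty 0 4, Telnet allowed plus no access-class on vty 5 15); on the 'after' configuration it reports none. Feeding it the output of 'show running-config' from the exam scenario is the check a technician would run before and after the fix.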
