CCNA Syslog Questions

34 questions · Syslog topic · All types, answers revealed

1
Multi-Select · medium

Which two statements accurately describe Syslog in a Cisco network environment?

Select 2 answers
A. Syslog can send device event messages to a centralized logging server.
B. Syslog is primarily used to assign IP addresses to hosts.
C. Syslog messages become easier to correlate when device clocks are synchronized.
D. Syslog automatically prevents switching loops.
E. Syslog replaces the need for any monitoring system.
Answers: A, C

This is correct because centralized message collection is one of Syslog’s main purposes.

Why this answer

Syslog is used to centralize device event messages such as warnings, errors, and informational entries. In plain language, it gives administrators one place to review what devices are reporting rather than checking each device individually. This makes troubleshooting and incident review easier, especially in larger environments. Syslog does not replace time synchronization, but it becomes much more useful when paired with NTP so timestamps are consistent.

A common trap is to assume Syslog is a routing protocol or a DHCP-like service. It is neither. It is about event reporting and centralized logging.

Exam trap

A common exam trap is confusing Syslog with DHCP or STP functions. Some candidates mistakenly believe Syslog assigns IP addresses or prevents switching loops because these are common network management tasks. However, Syslog’s sole purpose is to report and log device events.

Misunderstanding this can lead to selecting incorrect answers that describe DHCP’s or STP’s roles. Another trap is overlooking the importance of synchronized clocks for meaningful log correlation, which can cause candidates to underestimate why consistent timestamps matter in Syslog environments.

Why the other options are wrong

B

This option is incorrect because Syslog does not assign IP addresses; DHCP is the protocol responsible for IP address allocation in Cisco networks.

D

This option is incorrect because Syslog does not prevent switching loops; this function is handled by Spanning Tree Protocol (STP).

E

This option is incorrect because Syslog complements but does not replace broader network monitoring systems that provide additional analysis and alerting capabilities.

2
PBQ · hard

You are connected to R1, a branch router that must synchronize time with the NTP server at 198.51.100.1 (reachable via G0/0) and send critical syslog messages (severity 0-4) to the logging server at 203.0.113.10. The current configuration has NTP pointing to a wrong server and syslog set to debug level, flooding the server. Correct the NTP server, set the NTP source interface to Loopback0 (10.10.10.1/32), and adjust the syslog trap level so that only emergencies through warnings are logged.

Hints

  • Remove the incorrect NTP server before adding the correct one.
  • Use the 'ntp source' command to specify the Loopback interface.
  • The logging trap level 'warnings' corresponds to severity 4.
A. ntp server 198.51.100.1 source Loopback0; logging trap warnings
B. ntp server 198.51.100.1 source G0/0; logging trap errors
C. ntp server 192.0.2.1 source Loopback0; logging trap warnings
D. ntp server 198.51.100.1 source Loopback0; logging trap debugging
Answer: A
Solution
! R1
no ntp server 192.0.2.1
ntp server 198.51.100.1
ntp source Loopback0
no logging trap debugging
logging trap warnings

Why this answer

The NTP server was misconfigured to 192.0.2.1, which is unreachable, leaving the router at stratum 16. The correct NTP server is 198.51.100.1, so the ntp server command must be updated. The source interface should be Loopback0 for reachability consistency.

The syslog trap level was set to debugging (level 7), which sends all messages; it should be changed to warnings (level 4) to filter only severity 0-4. Verification includes checking NTP synchronization and syslog configuration.

Exam trap

Watch out for two separate configuration items: NTP and syslog. Ensure you update both the NTP server IP and source interface, and set the correct syslog trap level. Common traps include forgetting to change the NTP server IP, using the wrong source interface, or setting the wrong syslog severity level.

Why the other options are wrong

B

The source interface must be Loopback0 for consistency, and the trap level should be warnings (4) to include warnings.

C

The NTP server address must be updated to 198.51.100.1; 192.0.2.1 is the misconfigured server.

D

The trap level should be warnings (4), not debugging (7). Debugging sends all messages, flooding the server.

3
MCQ · hard

A network engineer notices that the system clock on a Cisco IOS-XE router is incorrect, causing syslog timestamps to be unreliable. The router is configured as an NTP client to synchronize with a remote NTP server at 192.168.1.10. However, the show ntp status command indicates the clock is unsynchronized. What is the most likely cause of this issue?

A. The NTP server is using TCP instead of UDP for NTP communication.
B. The router cannot reach the NTP server due to a missing route or firewall blocking UDP port 123.
C. The NTP server has a higher stratum level than the router's local clock, so the router ignores it.
D. NTP authentication is misconfigured on the router.
Answer: B

The reach value of 0 indicates no NTP packets have been received, typically due to connectivity issues or ACL/firewall blocking UDP 123.

Why this answer

NTP operates over UDP port 123. If the router cannot reach the NTP server at 192.168.1.10 due to a missing route or a firewall blocking UDP 123, the NTP client will remain unsynchronized, as indicated by the 'show ntp status' command showing the clock as unsynchronized. This is the most common cause of NTP synchronization failure in a network.

Exam trap

Cisco often tests the misconception that NTP uses TCP or that authentication is the primary cause of synchronization failure, when in fact the most common issue is simple network reachability or firewall blocking of UDP port 123.

Why the other options are wrong

C

The NTP server having a higher stratum level than the local clock does not prevent synchronization outright; the router will still attempt to sync if the server is reachable and authenticates, so this is not the most likely cause.

4
PBQ · hard

You are connected to R1 via the console. The network operations center (NOC) has asked you to configure R1 as an NTP client of the NTP server at 192.0.2.10 (reachable via VLAN 100, SVI 192.168.1.1/24). They also need all system messages of level 'debug' (level 7) and higher forwarded to the syslog server at 203.0.113.50. The current configuration shows that NTP is not working (stratum 16) and syslog is only sending critical and higher messages. Fix both issues.

Network Topology
[Topology diagram; labels: G0/0 10.0.0.1/30, G0/0 10.0.0.2/30, link, R2, R1, switch, NTP server, Syslog server]

Hints

  • Check the source IP of NTP packets; the server may require a specific source address.
  • NTP synchronization fails if the router does not have a route to the NTP server; verify connectivity.
  • The logging trap level controls which severity messages are sent; 'critical' only sends levels 0-2.
A. Configure 'ntp source Vlan100' and 'logging trap debugging'.
B. Configure 'ntp server 192.0.2.10' and 'logging trap 7'.
C. Configure 'ntp source Vlan100' and 'logging trap warnings'.
D. Configure 'ntp update-calendar' and 'logging trap informational'.
Answer: A
Solution
! R1
ntp source Vlan100
logging trap debugging

Why this answer

The NTP client is not synchronizing because there is no source interface specified; the NTP packets may be sourced from an unexpected interface and the server may ignore them. The solution is to configure 'ntp source Vlan100' to ensure NTP packets use the correct source IP. Additionally, the syslog trap level is set to 'critical', which filters out messages with severity lower than critical (like warnings, errors, etc.).

The NOC requires all messages up to debug level; therefore, change the logging trap level to 'debugging' with 'logging trap debugging'.

Exam trap

Do not confuse the NTP server command with the source interface command. The server command specifies the server, but the source interface ensures the correct source IP. For syslog, remember that 'debugging' is the keyword for the lowest severity level; using 'warnings' or 'informational' will exclude debug messages.

Why the other options are wrong

B

The specific factual error: 'logging trap 7' is not a valid Cisco IOS command; the correct command uses the keyword 'debugging'. Also, the NTP server command alone does not fix the source interface issue.

C

The specific factual error: 'logging trap warnings' only sends messages with severity 0-4, missing severity 5-7 (notifications, informational, debug).

D

The specific factual error: 'ntp update-calendar' is not needed for NTP synchronization; the source interface is the key missing piece. 'logging trap informational' does not include debug messages.

5
Drag & Drop · medium

Drag and drop the following steps into the correct order to configure an IOS-XE device as an NTP client and ensure its syslog messages are sent to a remote server with correct timestamps.

Why this order

First, enter global config, then set the NTP server, configure syslog destination and source interface, and finally verify both services.

Exam trap

A common trap is to configure syslog before NTP, but NTP should be set first so that syslog messages have correct timestamps. Also, candidates may forget that global config mode must be entered before any configuration commands.

6
Matching · medium

Drag and drop the syslog severity levels on the left to their corresponding names and meanings on the right.

Matches

Emergency – system is unusable

Alert – immediate action needed

Critical – critical condition

Error – error condition

Warning – warning condition

Why these pairings

Syslog severity levels: 0 (emergency), 1 (alert), 2 (critical), 3 (error), 4 (warning), 5 (notification). Levels 6 and 7 are informational and debugging.

Exam trap

The exam often tests the order of syslog severity levels. Remember that lower numbers mean higher severity. A common trap is confusing the descriptions for Emergency, Alert, and Critical.

Memorize the top four: 0 Emergency, 1 Alert, 2 Critical, 3 Error.

7
Drag & Drop · medium

Drag and drop the following steps into the correct order to configure an IOS-XE device as an NTP client and set up syslog reporting of NTP events to a remote log server.

Why this order

First, enter global configuration mode. Then configure the NTP server to define the time source. Next, configure the logging host to specify the remote syslog server.

After that, enable logging of NTP events so that NTP-related syslog messages are generated and sent to the configured host. Finally, verify the configuration. Option B is wrong because configuring the logging host before the NTP server would attempt to send logs before time synchronization is set up, and the NTP server must be configured first to generate NTP events.

Option C is incorrect because enabling NTP event logging before configuring both the NTP server and the logging host means there is no NTP server to generate events and no logging destination to send them to. Option D is wrong because enabling logging of NTP events before configuring the logging host would cause generated messages to be dropped if the logging host is not yet set; the logging host must be configured before enabling NTP event logging.

Exam trap

The trap is that candidates may confuse the order of enabling NTP event logging and configuring the logging host. Remember: configure the logging host before enabling NTP event logging, and always configure the NTP server first.

8
PBQ · medium

You are connected to R1 via console. R1's GigabitEthernet0/0 (10.0.0.1/30) connects to an ISP, and GigabitEthernet0/1 (192.168.1.1/24) connects to the internal LAN. The network administrator needs to monitor R1's system messages. Configure R1 to send syslog messages with severity level 5 (notifications) and above to the syslog server at 10.0.0.2. Also, ensure that logging is enabled and that messages include the timestamp and source interface.

Hints

  • Use 'logging host' to specify the syslog server.
  • Set the severity with 'logging trap' using the severity name or number.
  • Configure the source interface with 'logging source-interface'.
A. logging on; logging trap notifications; logging source-interface GigabitEthernet0/0; logging host 10.0.0.2; service timestamps log datetime
B. logging on; logging trap informational; logging source-interface GigabitEthernet0/1; logging host 10.0.0.2; service timestamps log datetime
C. logging on; logging trap 5; logging source-interface GigabitEthernet0/0; logging 10.0.0.2; service timestamps
D. logging on; logging trap notifications; logging source-interface GigabitEthernet0/1; logging host 10.0.0.2; service timestamps debug datetime
Answer: A
Solution
! R1
logging host 10.0.0.2
logging trap notifications
logging source-interface GigabitEthernet0/0
logging on
service timestamps log datetime msec

Why this answer

The logging commands enable syslog output. 'logging trap notifications' sets severity to 5 (notifications). 'logging source-interface' ensures syslog messages originate from a consistent IP. 'service timestamps' adds time information to log entries for easier troubleshooting.

Exam trap

Pay close attention to the exact syntax of commands: 'logging host' vs 'logging', 'service timestamps log' vs 'service timestamps debug'. Also, remember that the source interface should be the one closest to the syslog server, not necessarily the LAN interface. Severity levels: emergencies (0) to debugging (7); notifications is level 5.

Why the other options are wrong

B

The specific factual error: The trap level is set too low (informational instead of notifications), and the source interface is incorrect.

C

The specific factual error: The logging host command is missing the 'host' keyword, and the timestamps command is incomplete.

D

The specific factual error: The timestamps command applies to debug messages instead of log messages, and the source interface is wrong.

9
MCQ · medium

Why is NTP especially valuable when a network uses centralized Syslog servers?

A. Because synchronized clocks make log timestamps easier to correlate across devices
B. Because NTP converts Syslog into a routing protocol
C. Because NTP automatically creates DHCP pools
D. Because NTP eliminates the need for a Syslog server
Answer: A

This is correct because NTP improves the usefulness of centralized logs by aligning time.

Why this answer

NTP is especially valuable because centralized logs are much easier to interpret when device clocks are synchronized. In plain language, if multiple routers and switches send messages to one logging server but each device believes a different time, the event sequence becomes confusing. NTP helps align those clocks so the timestamps in the logs are consistent and the team can reconstruct incidents more accurately.

This is a practical operations concept rather than a syntax question. Syslog solves the collection problem, and NTP solves the time-correlation problem. Together they make logs more useful than either one alone. That is why the best answer focuses on timestamp consistency rather than on routing, VLAN, or NAT behavior.

Exam trap

A common exam trap is selecting an answer that incorrectly attributes routing or DHCP functions to NTP, such as thinking NTP converts Syslog into a routing protocol or automatically creates DHCP pools. These options confuse NTP’s fundamental role in time synchronization with unrelated network services. Another trap is assuming NTP eliminates the need for a Syslog server, which is false because NTP only provides accurate timestamps; it does not collect or store logs.

Understanding that NTP’s value lies in timestamp consistency, not in changing or replacing other protocols, is critical to avoid these mistakes.

Why the other options are wrong

B

Incorrect because NTP does not convert Syslog into a routing protocol; NTP’s function is strictly time synchronization, unrelated to routing protocols.

C

Incorrect because NTP does not create DHCP pools; DHCP pool creation is unrelated to time synchronization and is managed by DHCP services.

D

Incorrect because NTP does not eliminate the need for a Syslog server; it complements Syslog by providing accurate timestamps but does not replace log collection.

10
PBQ · medium

You are connected to R1 via the console. R1 is an NTP client that should synchronize its clock with NTP server 192.168.1.100. The timezone is UTC-5 (Eastern Standard Time). Configure NTP on R1 so that it becomes an NTP client. Additionally, configure the router to log NTP synchronization status messages to the console and buffer logging using the numeric severity level 6 (informational).

Network Topology
[Topology diagram; labels: G0/0 192.168.1.1/24, LAN, R1, NTP server]

Hints

  • Use ntp server command to point to the NTP server.
  • Logging level 6 corresponds to informational.
  • Buffered and console logging commands are separate.
A. ntp server 192.168.1.100; logging console informational; logging buffered informational
B. ntp peer 192.168.1.100; logging console 6; logging buffered 6
C. ntp server 192.168.1.100; logging console 6; logging buffered 6
D. ntp server 192.168.1.100; logging console informational; logging buffered 6
Answer: C
Solution
! R1
ntp server 192.168.1.100
logging buffered 6
logging console 6

Why this answer

The correct NTP client command is 'ntp server 192.168.1.100', not 'ntp peer'. The logging commands must use the numeric level 6 to match the requirement. 'logging console 6' and 'logging buffered 6' achieve this; keyword 'informational' is technically valid but does not follow the explicit numeric specification. Mixing numeric and keyword is also incorrect under the given requirement.

Exam trap

Candidates often overlook the explicit requirement to use the numeric severity level and may choose options with the keyword 'informational', which are technically valid but do not meet the specified condition.

Why the other options are wrong

A

Uses the keyword 'informational' instead of the required numeric level 6.

B

Uses 'ntp peer' instead of 'ntp server', and uses numeric levels but the primary command is wrong.

D

Mixes numeric and keyword severity levels; must use numeric 6 for both console and buffer.

11
MCQ · medium

Why is NTP especially valuable when a company uses a centralized Syslog server?

A. It synchronizes device clocks so centralized log timestamps can be correlated accurately.
B. It assigns the Syslog server its IP address.
C. It replaces the need for Syslog entirely.
D. It encrypts all Syslog messages automatically.
Answer: A

This is correct because time alignment improves the usefulness of centralized logs.

Why this answer

NTP is especially valuable because it aligns device clocks, which makes centralized log timestamps much easier to interpret. In practical terms, if devices disagree on time, the combined log stream becomes harder to trust and correlate. NTP improves the timeline accuracy of operational and security analysis.

This is why NTP and Syslog are often discussed together. One centralizes events, and the other makes those events easier to line up correctly.

Exam trap

A common exam trap is to confuse NTP’s role with other network functions such as IP addressing or encryption. Some candidates incorrectly think NTP assigns IP addresses to devices or encrypts Syslog messages. This misunderstanding leads to selecting options that describe unrelated functions.

NTP’s sole purpose is to synchronize clocks across devices, enabling accurate timestamping of logs. Misinterpreting this can cause candidates to overlook the critical importance of time alignment in centralized logging environments, which is the core reason NTP is valuable when using a centralized Syslog server.

Why the other options are wrong

B

Incorrect because NTP does not assign IP addresses; IP addressing is handled by DHCP or manual configuration, not time synchronization protocols.

C

Incorrect because NTP does not replace Syslog; NTP provides time synchronization, while Syslog collects and centralizes log messages from devices.

D

Incorrect because NTP does not encrypt Syslog messages; encryption requires separate protocols such as TLS or IPsec, not time synchronization services.

12
Multi-Select · easy

Which two statements correctly describe syslog severity levels?

Select 2 answers
A. Level 0 is the most severe
B. Level 7 is debugging
C. Higher numbers always mean more critical issues
D. Severity levels are used only by NTP
E. Syslog has only four severity levels
Answers: A, B

Emergency is the highest severity.

Why this answer

Syslog uses numbered severity levels where lower numbers indicate more critical events. Level 0 (Emergency) is the most severe, and Level 7 (Debugging) is the least. Option D is incorrect because severity levels are a syslog function, not specific to NTP.

Option E is wrong because syslog defines eight severity levels (0–7), not four.

Exam trap

A common mistake is assuming that higher syslog severity numbers mean more critical issues, but the opposite is true—lower numbers indicate higher severity.

Why the other options are wrong

D

Severity levels are a fundamental part of the syslog protocol and are not limited to or used only by NTP.

E

Syslog defines eight severity levels (0 through 7), not four.

13
MCQ · hard

Refer to the exhibit. A network engineer is troubleshooting an issue where syslog messages at severity 6 (informational) and severity 7 (debugging) are not being sent to the syslog server at 192.168.100.50, even though the device appears to generate these messages locally. Based on the exhibit, what is the most likely cause?

A. The logging buffer is full, preventing new informational and debug messages from being sent to the syslog server.
B. The syslog server IP address 192.168.100.50 is unreachable from the router.
C. The trap logging level is set to errors (severity 3), filtering out informational and debug messages.
D. Console logging is disabled, so only severity 3 and lower messages appear.
Answer: C

The 'Trap logging: level errors (3)' line in the exhibit explicitly limits syslog messages sent to the syslog server to severity 0–3. Informational (6) and debug (7) are higher in numeric value (less severe) and are dropped by this filter.

Why this answer

The exhibit shows 'Trap logging: level errors (3)'. This filter level means only syslog messages with severity 0 (emergency) through 3 (errors) are forwarded to the syslog server. Severity 6 (informational) and 7 (debugging) are above this threshold and are therefore excluded.

The log buffer, however, is set to 'debugging' level, so those messages appear locally but are not sent to the server.

Exam trap

The presence of informational and debug messages in the local buffer (like %SYS-6-CLOCKUPDATE and %SYS-7-DEBUG) might mislead candidates into thinking the server connection is faulty or that the buffer is the issue. In reality, the trap logging level (errors) filters them out before transmission.

Why the other options are wrong

A

Candidates may associate local buffer behavior with remote logging, but the buffer is just local storage, independent of trap forwarding.

B

A reachability problem would affect all severities equally, not selectively filter only informational and debug messages.

D

Candidates may confuse console and trap logging, but each destination has its own independent severity level.

14
PBQ · hard

You are connected to R1, a branch router connected to a central NTP server at 203.0.113.10 and a syslog server at 198.51.100.20. Configure R1 as an NTP client using its Loopback0 interface (192.168.1.1/32) as the source, and ensure syslog messages of severity 'informational' and above are sent to the syslog server. Currently, R1 shows 'Clock is unsynchronized, stratum 16'. Identify and fix the NTP issue, then apply the syslog configuration.

Network Topology
[Topology diagram; labels: G0/0 10.0.0.2/30, link, R1, R2]

Hints

  • NTP shows stratum 16 and uses a local pseudo-clock — the server is configured but not used.
  • Check if the NTP source interface is set to a reachable IP.
  • Syslog is only sending warnings and above — change the trap level to allow informational.
A. Configure 'ntp source Loopback0' and 'logging trap informational'.
B. Configure 'ntp server 203.0.113.10 source Loopback0' and 'logging trap warnings'.
C. Configure 'ntp source Loopback0' and 'logging trap debugging'.
D. Configure 'ntp source Loopback0' and 'logging host 198.51.100.20' without changing the trap level.
Answer: A
Solution
! R1
configure terminal
ntp source Loopback0
logging trap informational
end
write memory

Why this answer

The NTP client was configured, but the source interface was not specified, causing the router to use a default source that may not be reachable. Additionally, the syslog trap level was set to 'warnings' (severity 4), which filters out informational (severity 6) messages. To fix: configure 'ntp source Loopback0' to use a consistent source IP, and set 'logging trap informational' to allow all messages of severity 6 and above.

Exam trap

Trap: Candidates may confuse the 'ntp server' command syntax with the global 'ntp source' command, or assume the default syslog trap level already includes informational messages. Remember: NTP source is set globally, and syslog trap levels must be explicitly configured to match the required severity.

Why the other options are wrong

B

The specific factual error: The 'ntp server' command does not have a 'source' parameter; source is set globally. Also, 'logging trap warnings' does not meet the requirement to send informational messages.

C

The specific factual error: 'logging trap debugging' sends all messages, including debugging (severity 7), which is unnecessary and can cause excessive log traffic. The requirement is for informational and above, which is severity 6, not 7.

D

The specific factual error: The default trap level may not be 'informational'; it is often 'warnings' or 'debugging' depending on the IOS version. The requirement to send informational messages necessitates explicit configuration of 'logging trap informational'.

15
Matching · medium

Drag and drop the syslog severity levels and NTP concepts on the left to their correct descriptions on the right.

Matches

Emergency: system is unusable

Debugging: detailed debug messages

Reference clock (e.g., atomic clock or GPS)

Unsynchronized or maximum usable stratum

Configures an IOS-XE device as an NTP client

Displays NTP synchronization state and stratum

Why these pairings

Syslog severity levels range from 0 (Emergency) to 7 (Debug), with 0 being the most critical. NTP stratum indicates clock accuracy: stratum 0 is the reference clock, stratum 1 is directly connected to a reference, and so on up to stratum 15, which is the maximum usable synchronized stratum. Stratum 16 means the device is unsynchronized.

The ntp server command configures a device as a client, and show ntp status displays synchronization state and current stratum.

Exam trap

Be careful not to confuse the severity order of syslog levels: lower numbers (0) are more severe, higher numbers (7) are less severe. Also, remember that NTP stratum numbers work inversely to accuracy: lower stratum numbers indicate higher accuracy, with Stratum 0 being the most accurate reference clock.

16
MCQ · hard

After a hub was connected to interface Gi0/10, the interface immediately entered errdisable state. The following syslog message was generated: '%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred on interface Gi0/10.' What is the strongest explanation for why Gi0/10 shut down?

A. Port security detected more MAC addresses than allowed on the interface.
B. The interface received a superior BPDU and became the root port.
C. The hub forced the interface to become a routed port.
D. DHCP snooping always shuts a port when a hub is attached.
Answer: A

This is correct because the configuration allows only one secure MAC and the violation message confirms the policy breach.

Why this answer

The strongest explanation is a port-security violation caused by the switch seeing more secure MAC addresses than the interface allows. In practical terms, a hub or unmanaged device can cause multiple end hosts to appear behind one access port. If the interface is configured with a maximum of one secure MAC address, additional learned MACs trigger the violation action.

This is a realistic access-layer security scenario because the port does not fail randomly. It fails because the observed behavior violates the configured policy.

Exam trap

Remember that port security specifically deals with MAC address limits, not broadcast storms or spanning-tree issues.

Why the other options are wrong

B

The exhibit shows a port-security violation message, not an STP topology change. A superior BPDU would cause a root port election, not a port shutdown due to security policy.

C

Connecting a hub does not change the interface type; a switchport remains a Layer 2 interface unless explicitly configured with 'no switchport'. The exhibit shows a Layer 2 security violation, not a routed port conversion.

D

DHCP snooping does not automatically shut down a port when a hub is attached; it filters DHCP messages and can disable ports only if a DHCP server is detected on an untrusted port. The exhibit clearly shows a port-security violation message.

17
MCQ · medium

Why is NTP especially useful when devices send logs to a centralized Syslog server?

A. It helps align device clocks so centralized log timestamps can be correlated more accurately.
B. It assigns the Syslog server an IP address.
C. It replaces the need for a Syslog server.
D. It encrypts every Syslog message automatically.
Answer: A

This is correct because consistent time improves the usefulness of centralized logs.

Why this answer

NTP is especially useful because synchronized clocks make the log timestamps more meaningful and easier to correlate. In plain language, if each device thinks the current time is different, the sequence of events in the centralized log becomes confusing. NTP helps align time across devices so the logs tell a more accurate story.

This is an operational best practice. Syslog collects the messages, and NTP makes their timing consistent. The correct answer is the one focused on timestamp correlation.

Exam trap

Avoid confusing NTP's function with security or data optimization features; focus on its role in time synchronization.

Why the other options are wrong

B

NTP is a protocol for clock synchronization, not for IP address assignment. IP addresses are assigned via DHCP or static configuration, and NTP operates at the application layer to synchronize time over the network. Therefore, NTP does not assign IP addresses to any device, including Syslog servers.

C

NTP and Syslog serve entirely different purposes. NTP synchronizes clocks, while Syslog is a protocol for sending log messages to a centralized server. NTP cannot replace Syslog because it does not collect, store, or forward log messages.

Both are often used together but are independent services.

D

NTP does not provide encryption for Syslog messages or any other data. NTP is solely responsible for time synchronization and does not include security features like encryption. Syslog messages are typically sent in clear text unless additional security measures like TLS or SSH are implemented.

18
MCQ · medium

Which syslog severity is more critical: level 2 or level 5?

A. Level 5
B. Level 2
C. They are equal
D. It depends on platform model
Answer: B

Correct. Lower number means higher urgency.

Why this answer

In syslog, lower numeric values indicate higher severity. Level 2 is therefore more critical than level 5.

Exam trap

Remember, in syslog, lower numbers mean higher severity. Don't confuse this with other systems where higher numbers might indicate higher priority.

Why the other options are wrong

A

Level 5 (notice) is less critical than level 2 (critical) because in syslog, lower numbers indicate higher severity. Level 5 is closer to informational messages, while level 2 indicates a critical condition that requires immediate action.

C

Syslog severity levels are strictly ordered from 0 (most critical) to 7 (least critical). Level 2 and level 5 are distinct values with different meanings, so they are not equal in severity.

D

The syslog severity level numbering is standardized across all platforms that implement syslog (RFC 5424). The ordering from 0 (emergency) to 7 (debugging) is consistent regardless of the device vendor or model.

19
PBQ · hard

You are connected to R1. Configure NTP client so that R1 synchronizes with the NTP server at 198.51.100.10, using its Loopback0 (10.0.0.1/32) as the source interface. Also configure syslog to send messages of severity 5 (notifications) and above to 192.0.2.20. The current configuration shows a misconfigured NTP server address and an incorrect logging trap level. Verify with 'show ntp status' (stratum should not be 16) and 'show logging'.

Hints

  • Check the NTP server address in running-config — it might point to a wrong IP.
  • Verify that the source interface for NTP is configured; otherwise R1 may use an unreachable interface.
  • The logging trap level is set too high (debugging) — change it to notifications (level 5) to filter out lower severity messages.
A. ntp server 198.51.100.10 source Loopback0; logging trap notifications
B. ntp server 198.51.100.10 source Loopback0; logging trap 4
C. ntp server 198.51.100.10; logging trap notifications
D. ntp server 203.0.113.5 source Loopback0; logging trap 7
Answer: A
solution
! R1
configure terminal
no ntp server 203.0.113.5
ntp server 198.51.100.10
ntp source Loopback0
no logging trap debugging
logging trap notifications
end
write memory

Why this answer

The misconfigured NTP server address (203.0.113.5) and the debug-level logging trap (7) must be corrected to meet requirements. The correct commands are 'ntp server 198.51.100.10 source Loopback0' to use the specified server and Loopback0 as source, and 'logging trap notifications' (severity 5) to send only notifications and more severe messages. Option B is wrong because 'logging trap 4' sets the trap level to warning, which would not forward notifications.

Option C misses the source interface, and Option D uses the wrong NTP server and an overly verbose trap level.

Exam trap

Candidates often confuse the numeric severity levels with the keyword equivalents for logging trap. Also, they may forget to specify the source interface for NTP, assuming the router will use the loopback automatically. Always verify that the NTP source interface is explicitly configured when required.

Why the other options are wrong

B

logging trap 4 sets the severity to warning (4), so it does not include notifications (5).

C

The missing source interface causes NTP to use an incorrect source address, likely resulting in unsynchronized status.

D

The NTP server address is incorrect and 'logging trap 7' sends all debug messages instead of limiting to notifications and above.

20
Multi-Select · medium

Which two statements accurately describe why NTP and Syslog are often configured together?

Select 2 answers
A. Syslog provides event visibility, while NTP helps keep timestamps consistent across devices.
B. Consistent time improves the usefulness of centralized logs and event correlation.
C. NTP replaces the need for any event logging.
D. Syslog automatically assigns the NTP server address to all devices.
E. Both services can be used only on routers, not switches.
Answers: A, B

This is correct because the two services complement each other operationally.

Why this answer

NTP and Syslog are often configured together because logs become much more useful when the device clocks are aligned. In practical terms, Syslog provides the event messages, while NTP helps ensure that the timestamps on those messages are consistent across the environment. That makes troubleshooting and incident analysis more reliable.

This is a very practical operations concept and comes up often in real troubleshooting workflows.

Exam trap

A common exam trap is selecting the option that NTP replaces the need for event logging or that Syslog automatically configures NTP server addresses. Candidates might confuse time synchronization with logging functionality, but NTP only provides accurate time, not event data. Similarly, Syslog collects logs but does not manage NTP settings.

Misunderstanding these roles can lead to incorrect answers, as the two services complement each other but serve distinct purposes in network management.

Why the other options are wrong

C

This option is incorrect because NTP only synchronizes time and does not replace the need for event logging, which is handled by Syslog or other logging mechanisms.

D

This option is incorrect because Syslog does not configure NTP server addresses or manage time synchronization; these are separate configuration tasks.

E

This option is incorrect because both NTP and Syslog are widely used on various network devices, including routers and switches, not limited to routers alone.

21
PBQ · hard

You are connected to R1. Configure NTP client to synchronize with the NTP server at 203.0.113.10, using the loopback0 interface (192.168.1.1/32) as the source. Also configure syslog to send messages of severity level 5 (notifications) and below to the syslog server at 198.51.100.20. Currently, NTP shows stratum 16 (unsynchronized) and important syslog messages are being missed.

Network Topology
Diagram: R1 and R2 joined by a link (interface labels G0/0 10.0.0.1/30 and G0/0 10.0.0.2/30); Syslog server 198.51.100.20 via R2

Hints

  • NTP uses the source IP address of outgoing packets; ensure the NTP server can reach your source IP.
  • Syslog trap levels are hierarchical; 'informational' includes all messages. 'notifications' excludes debug and informational.
  • Use 'show ntp associations' to see if the server is reachable and its stratum.
A. ntp server 203.0.113.10 source Loopback0; logging trap notifications
B. ntp server 203.0.113.10 source Loopback0; logging trap informational
C. ntp server 203.0.113.10; logging trap notifications
D. ntp server 203.0.113.10 source Loopback0; logging trap debugging
Answer: A
solution
! R1
configure terminal
ntp source Loopback0
logging trap notifications
end
copy running-config startup-config

Why this answer

The NTP client is not synchronizing because the source interface is not specified; by default, the router uses the outgoing interface IP which may not be reachable by the NTP server for replies. Adding 'ntp source Loopback0' ensures NTP packets have a consistent source IP. The syslog trap level was set to 'informational' (level 6), which includes too many messages; to capture only notifications (level 5) and below (i.e., severity 0–5), change the trap level to 'notifications' using 'logging trap notifications'.

This filters out lower-severity messages while retaining those that are notifications or more critical.

Exam trap

Watch out for two common traps: 1) Forgetting to specify the NTP source interface when the router has multiple interfaces, leading to synchronization failure. 2) Confusing syslog severity levels: 'informational' (level 6) does NOT include 'notifications' (level 5); you need 'notifications' to capture level 5 and above. Always remember that lower severity numbers mean higher importance.

Why the other options are wrong

B

The trap level 'informational' captures messages of severity 6 and lower, but notifications are severity 5, which is higher and thus not included.

C

The NTP source interface must be explicitly set to ensure the server can reply to the correct IP; omitting it can lead to unsynchronized state.

D

The debugging level includes all severities, which is too broad; the requirement is to capture only notifications (level 5) and above, which requires 'notifications' level.

22
Matching · medium

Drag and drop the syslog and NTP items on the left to the correct descriptions on the right.


Alert: immediate action needed

Notification: normal but significant condition

Reference clock (e.g., atomic clock or GPS)

NTP client synchronized to a stratum 1 server

Configures the device as an NTP client

Displays syslog messages in the buffer

Why these pairings

These pairings match syslog and NTP items to their correct descriptions.

Exam trap

Watch out for mixing up syslog severity levels (0-7) and their descriptions. Also, ensure you are matching the correct category (syslog vs NTP) to the description provided.

23
Drag & Drop · medium

Drag and drop the following steps into the correct order to sequence NTP stratum hierarchy and configure an IOS-XE NTP client with syslog message processing from event to log server.


Why this order

NTP time flows from lower stratum numbers (most accurate) to higher stratum numbers. The correct order is Stratum 0 (atomic clock) → Stratum 1 (primary server) → Stratum 2 (secondary server). After configuring the NTP client and enabling logging, syslog messages are accurately timestamped with the synchronized time.

Exam trap

Do not confuse the direction of stratum numbers: lower stratum number means higher accuracy. Also, remember that NTP configuration must precede logging to ensure accurate timestamps.

24
MCQ · medium

Which port-security violation mode drops frames from unauthorized MAC addresses but keeps the interface up and does not send an SNMP trap or syslog message?

A. protect
B. restrict
C. shutdown
D. shutdown vlan
Answer: A

Correct. Protect is the quietest enforcement mode.

Why this answer

Protect silently drops frames from unauthorized sources while leaving the interface up. Restrict also drops frames but increments the violation counter and can generate notifications.

Exam trap

Be careful not to confuse Protect with Restrict, as both drop frames but only Restrict sends notifications.

Why the other options are wrong

B

The 'restrict' mode allows frames from unauthorized MAC addresses to be dropped while sending SNMP traps and syslog messages, which contradicts the requirement of keeping the interface up without notifications.

C

The 'shutdown' mode disables the interface when a violation occurs, which is contrary to the requirement of keeping the interface up. It also does not align with the need to drop frames without sending SNMP traps or syslog messages.

D

The 'shutdown vlan' mode disables the entire VLAN when a violation occurs, which is not aligned with the requirement to keep the interface up. This option also typically sends SNMP traps or syslog messages, which contradicts the question's criteria.

25
MCQ · easy

Which Syslog severity level represents an emergency condition, the most critical level?

A. 0
B. 3
C. 5
D. 7
Answer: A

Emergency is severity level 0.

Why this answer

Syslog severity 0 is Emergency, the highest severity. The levels then increase numerically as urgency decreases, with 7 being Debugging.

Exam trap

A frequent exam trap is mistaking severity level 3 (Error) or level 5 (Notification) as the most critical syslog severity. Candidates may assume that higher numbers mean higher severity, but in syslog, lower numbers indicate higher urgency. Confusing these levels can lead to incorrect answers because level 0 (Emergency) is the only severity that signals a system-wide failure requiring immediate action.

Misreading the severity scale order or relying on the textual description without recalling the numeric hierarchy often causes this mistake.

Why the other options are wrong

B

Option B incorrectly identifies severity level 3 as Emergency; level 3 actually represents Error, which is serious but less critical than Emergency (0).

C

Option C incorrectly identifies severity level 5 as Emergency; level 5 is Notification, which indicates normal but significant conditions, not emergencies.

D

Option D incorrectly identifies severity level 7 as Emergency; level 7 is Debugging, the lowest severity level used for detailed troubleshooting information.

26
PBQ · hard

You are connected to R1 via the console. R1 is a router acting as an NTP client to an external NTP server at 203.0.113.10. The NTP source interface must be Loopback0 (192.0.2.1/32). Additionally, configure R1 to send syslog messages of severity 'critical' and higher to a syslog server at 198.51.100.50. Currently, R1 shows 'Clock is unsynchronized, stratum 16'. Verify that NTP synchronizes and that only critical syslog messages are sent. The existing running configuration already has some NTP and syslog commands that need correction.

Network Topology
Diagram: R1, Network, NTP Server (203.0.113.10), Syslog Server (198.51.100.50)

Hints

  • The NTP source interface is not set; the router may be using an unreachable interface.
  • Check the logging trap level; it is currently set to 'debugging', which sends all messages.
  • Use 'ntp source' followed by the loopback interface name.
A. Configure 'ntp source Loopback0' and 'logging trap critical'
B. Configure 'ntp server 203.0.113.10 source Loopback0' and 'logging trap 2'
C. Configure 'ntp source Loopback0' and 'logging trap 7'
D. Configure 'ntp server 203.0.113.10' and 'logging host 198.51.100.50'
Answer: A
solution
! R1
ntp source Loopback0
logging trap critical

Why this answer

The NTP client was not synchronizing because the NTP source interface was not specified; the router uses the outgoing interface which may not be reachable or consistent. The 'ntp source Loopback0' command ensures NTP packets use a stable, routable IP address. For syslog, the logging trap was set to 'debugging', which sends all messages (severity 7).

The requirement is to send only 'critical' (severity 2) and higher. The command 'logging trap critical' changes the filter. After both fixes, 'show ntp status' should show synchronized, stratum <16, and 'show logging' should show 'level critical' for trap logging.

Exam trap

Be careful: NTP source interface is configured with a separate 'ntp source' command, not as a parameter of 'ntp server'. Also, remember syslog severity levels: lower numbers are more severe (0=emergency, 1=alert, 2=critical, 3=error, 4=warning, 5=notice, 6=informational, 7=debugging). 'logging trap critical' is equivalent to 'logging trap 2'.

Why the other options are wrong

B

The NTP command syntax is incorrect; 'ntp server' does not accept a 'source' parameter. The correct approach is a separate 'ntp source' command.

C

The logging trap level 7 corresponds to debugging, which is the most verbose level. The requirement is for critical (severity 2) and higher, so this would send too many messages.

D

The commands listed are already configured and do not fix the synchronization issue or the syslog filtering. The NTP source interface is missing, and the logging trap level is still debugging.

27
Multi-Select · medium

Which TWO statements correctly describe NTP stratum levels and syslog severity levels in a Cisco IOS-XE environment?

Select 2 answers
A. An NTP stratum value of 1 indicates a higher accuracy than a stratum value of 3.
B. A syslog severity level of 5 (notice) is more severe than a level of 4 (warning).
C. The 'ntp server' command under global configuration configures the device as an NTP client.
D. Syslog severity level 0 (emergency) indicates a normal operational message.
E. NTP stratum 0 is assigned to devices that are directly connected to an authoritative time source.
Answers: A, C

Stratum 1 is directly synchronized to a stratum 0 reference clock (like GPS), while stratum 3 is two hops away, making stratum 1 more accurate.

Why this answer

Option A is correct because a lower NTP stratum number indicates higher accuracy; stratum 1 is directly synchronized to a precise reference clock (e.g., GPS) and is thus more accurate than stratum 3, which is two hops away. Option C is correct because the 'ntp server' command configures a device to synchronize its clock to a specified NTP server, making it an NTP client. Option B is incorrect: syslog severity level 4 (warning) is more severe than level 5 (notice) because lower severity numbers indicate higher severity.

Option D is incorrect: severity level 0 (emergency) is the most severe level, indicating a system-wide critical event, not a normal operational message. Option E is incorrect: NTP stratum 0 is assigned to an authoritative time source itself (e.g., atomic clock), not to devices directly connected to it; devices connected to stratum 0 sources are stratum 1.

Exam trap

Candidates often mistakenly equate lower syslog severity numbers with lower importance, not realizing that a smaller number means a higher severity; similarly, they may think higher NTP stratum numbers mean higher accuracy.

Why the other options are wrong

B

Syslog severity levels use inverse numbering: level 4 (warning) is more severe than level 5 (notice), so the statement is false.

D

Syslog level 0 (emergency) is the highest severity, indicating a catastrophic system failure, not a normal operational message.

E

NTP stratum 0 is the reference clock itself; devices synchronized directly to it are stratum 1, not stratum 0.

28
Multi-Select · medium

A network operations team wants centralized logging from routers and switches and also wants meaningful severity filtering. Which two statements about syslog are correct?

Select 2 answers
A. Devices can send log messages to a remote syslog server for central storage
B. Severity levels allow filtering based on how serious an event is
C. Syslog is used to assign IP addresses dynamically to endpoints
D. Syslog entries replace SNMP counters for interface statistics
Answers: A, B

Centralization helps with monitoring, retention, and incident response.

Why this answer

Syslog provides centralized event reporting by allowing devices to send log messages to a remote server (option A is correct). Severity levels enable filtering based on event seriousness (option B is correct). Option C is incorrect because syslog does not assign IP addresses dynamically—that is the role of DHCP.

Option D is incorrect because syslog logs events and does not replace SNMP counters, which remain the primary method for collecting interface statistics.

Exam trap

Be careful not to confuse syslog's use of UDP with TCP, and remember that syslog can send to multiple servers.

Why the other options are wrong

C

Syslog is not used for IP address assignment; that function is performed by DHCP.

D

Syslog does not replace SNMP counters for interface statistics; SNMP remains the primary method for collecting such data.

29
PBQ · hard

You are connected to R1 via console. The NTP server 198.51.100.10 is already configured on R1, but R1 is not synchronizing because the NTP packets are sourced from the wrong interface. Configure R1 to source NTP packets from its loopback0 interface (IP 10.0.0.1/32). Additionally, configure syslog logging to the remote server 203.0.113.5, ensuring that only messages at severity 'notifications' (level 5) and above are sent. The current configuration shows that syslog is sending all messages (including debug-level) to the server, wasting bandwidth. Fix both issues.

Network Topology
Diagram: R2 and R1 joined by a link (interface labels G0/0: 192.0.2.2/30 and G0/0: 192.0.2.2/30); NTP server

Hints

  • NTP packets must have a consistent source IP that the server can reach; check the source interface.
  • The 'logging trap' command controls which severity levels are sent to the syslog server.
  • Use 'show ntp status' and 'show ntp associations' to confirm synchronization; use 'show logging' to verify the trap level.
A. Configure 'ntp source Loopback0' and 'logging trap notifications'.
B. Configure 'ntp server 198.51.100.10 source Loopback0' and 'logging trap warnings'.
C. Configure 'ntp source Loopback0' and 'logging trap debugging'.
D. Configure 'ntp server 198.51.100.10' and 'logging trap notifications'.
Answer: A
solution
! R1
configure terminal
ntp source Loopback0
logging trap notifications
end
write memory

Why this answer

The NTP client is not synchronizing because the NTP packets are not sourced from an interface that the server can reach and reply to; the default source is the outgoing interface, but the server sees a different source IP. The `ntp server 198.51.100.10` command is already configured (not shown), so you only need to specify the source interface with `ntp source Loopback0`. Also, the syslog trap level is set to 'debugging', which sends all messages; change it to 'notifications' to filter out lower-severity messages.

After these changes, verify with 'show ntp status' (should show stratum less than 16 and 'synchronized') and 'show ntp associations' (should show a reach count > 0 and a valid ref clock). Check syslog with 'show logging' to confirm trap level is 'notifications'.

Exam trap

Cisco often tests the difference between 'ntp server' and 'ntp source' — remember that 'ntp source' is a global command that sets the source for all NTP packets. Also, syslog severity levels are often confused; know that 'debugging' (7) is the lowest severity and sends everything, while 'notifications' (5) is higher and filters out levels 6 and 7.

Why the other options are wrong

B

The specific factual error: The 'ntp server' command cannot specify a source interface; that is done with 'ntp source'. Additionally, 'warnings' (level 4) is more severe than 'notifications' (level 5), but the requirement is to send only notifications and above, which includes levels 0-5. 'warnings' includes levels 0-4, missing level 5 (notifications).

C

The specific factual error: 'logging trap debugging' sends all syslog messages (levels 0-7), which is the default and does not filter out lower-severity messages. The correct level for notifications and above is 'notifications' (level 5).

D

The specific factual error: The NTP client is not configured to source packets from Loopback0. The 'ntp server' command alone does not set the source interface; an additional 'ntp source' command is required.

30
PBQ · hard

You are connected to R1. Configure R1 as an NTP client to synchronize with NTP server 203.0.113.10, using its Loopback0 interface (192.168.1.1/32) as the source for NTP packets. Additionally, configure logging to syslog server 192.0.2.100 with a trap level that captures events from level 5 (notice) and above. The current configuration shows that NTP is not synchronized (stratum 16) and only debugging messages are being sent to the syslog server. Correct these issues so that R1 is synchronized and important system messages are logged.

Network Topology
Diagram: R2 and R1 joined by a link (interface labels G0/0 10.0.0.2/30 and G0/0 10.0.0.2/30); NTP server

Hints

  • Use 'ntp server' command to point to the NTP server IP.
  • Use 'ntp source' to specify the Loopback0 interface as the source.
  • Change the logging trap level from 'debugging' to 'notifications' to filter important messages.
A. ntp server 203.0.113.10 source Loopback0; logging trap notifications
B. ntp server 203.0.113.10; ntp source Loopback0; logging trap notifications
C. ntp server 203.0.113.10 source Loopback0; logging trap debugging
D. ntp server 203.0.113.10; logging host 192.0.2.100; logging trap notifications
Answer: B
solution
! R1
configure terminal
ntp server 203.0.113.10
ntp source Loopback0
logging trap notifications
end

Why this answer

The correct configuration is to add the NTP server with 'ntp server 203.0.113.10' and set the source interface separately with 'ntp source Loopback0'. For syslog, the command 'logging trap notifications' sets the trap level to 5 (notice), ensuring that critical and important messages are logged while excluding debugging output. Option A uses the combined 'ntp server ... source Loopback0' and does not match the separate source configuration required.

Option C keeps logging at debugging level (7), which is too verbose. Option D lacks the NTP source configuration entirely.

Exam trap

Candidates often mistake syslog severity numbers: lower is more severe, so 'logging trap notifications' captures levels 0–5. Also, the NTP source must be configured with a separate 'ntp source Loopback0' command, not just as an inline source on the server command.

Why the other options are wrong

A

Combines the NTP source directly in the server command, but the required configuration uses a separate 'ntp source Loopback0' command.

C

Sets logging trap to debugging (level 7), not the required notifications (level 5).

D

Missing the 'ntp source Loopback0' command, so NTP will not use the Loopback0 interface as source.

31
PBQ · hard

You are connected to R1 via the console. R1 should synchronize its clock with the NTP server 192.0.2.10 using its loopback0 interface (IP 10.0.0.1) as the source. Additionally, syslog messages of severity 'notification' (level 5) and above must be sent to the syslog server at 198.51.100.20. Currently, R1 shows NTP stratum 16 (unsynchronized) and syslog messages are not being forwarded. Identify and resolve the issues.

Hints

  • Check if a server is configured under 'ntp server'.
  • The current trap level is 'informational' (level 6). Which level includes notifications (level 5)?
  • Use 'show run | section ntp' to see NTP configuration.
A. Add 'ntp server 192.0.2.10' and change 'logging trap informational' to 'logging trap notifications'.
B. Add 'ntp server 192.0.2.10' and change 'logging trap notifications' to 'logging trap informational'.
C. Add 'ntp server 192.0.2.10' and change 'logging trap notifications' to 'logging trap debugging'.
D. Add 'ntp server 192.0.2.10' and change 'logging trap informational' to 'logging trap emergencies'.
Answer: A
solution
! R1
ntp server 192.0.2.10
logging trap notifications

Why this answer

The NTP is unsynchronized because the 'ntp server' command is missing; only 'ntp source' is configured. Add 'ntp server 192.0.2.10' to point to the NTP server. The syslog trap level is set to 'informational' (level 6), which is too low—messages of level 5 (notification) are not sent because the trap level must be equal to or higher severity than the messages to be forwarded.

Change the trap level to 'notifications' (level 5) to ensure level 0-5 messages are forwarded.

Exam trap

Remember that syslog trap levels use lower numbers for higher severity. To forward messages of a given severity, the trap level must be set to that severity or higher (lower number). Also, NTP requires both 'ntp server' and optionally 'ntp source' to specify the source interface.

Why the other options are wrong

B

The trap level should be set to 'notifications' (level 5) or higher severity to forward level 5 messages; 'informational' is lower severity and would not forward level 5 messages.

C

The trap level is currently 'informational' (6), not 'notifications'. Changing to 'debugging' would forward all messages, but the requirement is to forward level 5 and above, which is achieved by setting trap level to 'notifications' (5).

D

Setting the trap level to 'emergencies' would filter out all messages except level 0, so level 5 messages would not be forwarded.

32
MCQ · hard

A monitoring system already collects Syslog and SNMP data. The network team now wants visibility into which applications or host conversations are driving link utilization. What is the strongest addition?

A. NetFlow
B. Another SSID
C. PortFast
D. A larger wildcard mask
Answer: A

This is correct because NetFlow provides detailed flow-level visibility into traffic usage.

Why this answer

The strongest addition is NetFlow because it provides traffic-flow visibility. In practical terms, Syslog and SNMP are useful, but they do not directly answer detailed conversation-level questions such as which hosts, protocols, or flows are consuming the most bandwidth. NetFlow is designed to answer exactly that kind of question.

This is about choosing the right operational tool for the visibility gap.

Exam trap

A frequent exam trap is selecting options like PortFast or adding another SSID, which are unrelated to traffic flow monitoring. PortFast is an STP feature that speeds up port transitions but does not provide any insight into bandwidth usage or application-level traffic. Similarly, adding another SSID only affects wireless network segmentation and does not offer visibility into which hosts or applications consume bandwidth.

Another trap is thinking that changing ACL wildcard masks can help analyze traffic flows, but ACLs only filter traffic and do not provide analytics. Recognizing that only NetFlow delivers detailed flow-level data prevents these common mistakes.

Why the other options are wrong

B

Adding another SSID is incorrect because it only creates a new wireless network segment and does not provide any traffic flow or bandwidth usage information. It does not help identify which applications or hosts are using the link.

C

PortFast is an STP feature that speeds up port transitions on edge ports but does not monitor or analyze traffic flows. It has no relevance to identifying bandwidth usage or application-level visibility.

D

Using a larger wildcard mask in ACLs affects traffic filtering rules but does not provide analytics or visibility into traffic flows. ACLs do not report on bandwidth consumption or application usage.

33
MCQ · medium

Exhibit: An engineer wants a device to send only warning messages and more critical events to a syslog server. Which logging level should be configured?

A. logging trap debugging
B. logging trap warnings
C. logging trap notifications
D. logging trap informational
Answer: B

Warnings include warning and all more severe levels.

Why this answer

Syslog severity levels include lower numbers for more severe events. Warning is level 4, so setting logging trap warnings sends level 4, 3, 2, 1, and 0 messages.

Exam trap

A frequent exam trap is selecting 'logging trap debugging' or 'informational' because these options seem to provide comprehensive logging. However, these levels include all messages, even low-priority informational and debug messages, which can overwhelm the syslog server and make it difficult to identify critical issues. Another trap is misunderstanding the syslog severity numbering, assuming higher numbers mean higher severity, when in fact, lower numbers indicate more critical events.

This confusion leads to incorrect trap level configuration and ineffective monitoring.

Why the other options are wrong

A

The option 'logging trap debugging' sets the trap level to 7, which includes all syslog messages from debugging (least severe) up to emergencies (most severe). This floods the syslog server with excessive data, beyond just warnings and critical events, making it unsuitable for the requirement.

C

The option 'logging trap notifications' sets the trap level to 5, which includes notifications and all more severe messages. However, notifications are less severe than warnings, so this setting would include informational messages that are not requested, making it incorrect.

D

The option 'logging trap informational' sets the trap level to 6, which includes informational messages and all more severe messages. This level is less severe than warnings and includes many more messages than requested, so it does not meet the requirement.

34
MCQ · hard

A network administrator notices that syslog messages from a core router are arriving at the syslog server with timestamps that are hours behind other devices. The router’s NetFlow exports also show incorrect start and end times for flows, making traffic analysis unreliable. The administrator verifies that all router interfaces are up and that the SNMP community strings on the router match the NMS.

A. The logging trap level is set to informational, so only high-severity messages are sent with correct timestamps.
B. The router’s NTP client is configured with an incorrect authentication key.
C. The SNMP v3 user’s privacy password is incorrect, causing the NMS to reject syslog traps.
D. The IP flow cache timeout is set too low, causing NetFlow timestamps to appear skewed.
Answer: B

NTP can use authentication keys to verify server identity. If the client key does not match the server’s key, the router will not trust the time updates and will fail to synchronize. This leaves the router’s clock uncorrected, causing incorrect timestamps in syslog and NetFlow records.

Why this answer

The router's timestamps are incorrect for both syslog messages and NetFlow exports, which points to a system-wide time synchronization issue. NTP (Network Time Protocol) is responsible for maintaining accurate time on network devices, and if the NTP client is configured with an incorrect authentication key, it will fail to synchronize with the NTP server, causing the router's clock to drift. This explains why all time-stamped data (syslog and NetFlow) is consistently behind.

Exam trap

Cisco often tests the distinction between time synchronization issues (NTP) and logging/SNMP configuration issues, so candidates may incorrectly attribute timestamp problems to syslog or SNMP settings rather than the underlying system clock.

Why the other options are wrong

A

Logging trap level controls which severity messages are forwarded, not the accuracy of the timestamps.

C

SNMP v3 misconfiguration impacts SNMP traps, not syslog messages, which are sent independently via a different transport.

D

Cache timeout affects flow export frequency, not the accuracy of the timestamps inside the flow data.
