CCNA Security Questions

75 of 95 questions · Page 1/2 · Security · Answers revealed

1
MCQ · hard

A data center network uses Cisco Nexus 9000 switches running NX-OS. The operations team notices that the CPU utilization on the supervisor module spikes intermittently, causing BGP session flaps. Analysis shows that the CPU spikes coincide with traceroute probes from external networks, which generate ICMP TTL exceeded messages that are process-switched. The engineer must implement a solution to protect the control plane without affecting normal ICMP functionality. The goal is to rate-limit ICMP traffic to a maximum of 1000 packets per second with a burst of 200 bytes, while allowing other control plane traffic without restriction. Which configuration should be applied?

A. Use the 'hardware rate-limiter' feature to limit ICMP globally.
B. class-map type control-plane match-any COPP-ICMP
     match access-group name ICMP-ACL
   policy-map type control-plane COPP
     class COPP-ICMP
       police rate 1000 pps burst 200
   control-plane
     service-policy input COPP
C. Apply a QoS policy on the management interface to drop excess ICMP.
D. class-map type control-plane match-all COPP-ICMP
     match protocol icmp
   policy-map type control-plane COPP
     class COPP-ICMP
       police 1000 pps 200 byte burst
   control-plane
     service-policy type control-plane COPP
Answer: D

Correct syntax: using type control-plane class-map and policy-map, with police in pps and burst in bytes.

Why this answer

Option D is correct because it uses a Control Plane Policing (CoPP) policy with a class-map that matches ICMP protocol traffic in the control plane, then applies a police rate of 1000 pps with a 200-byte burst. This configuration rate-limits ICMP TTL-exceeded messages that are process-switched, protecting the supervisor CPU from spikes while allowing other control plane traffic unrestricted. The 'service-policy type control-plane' command applies the policy to the control plane, which is the proper method for NX-OS CoPP.

Exam trap

Cisco often tests the distinction between applying a policy-map with 'service-policy input' (which is for interface QoS) versus 'service-policy type control-plane' (which is for CoPP), and the correct police syntax including the 'byte' keyword for burst size.

How to eliminate wrong answers

Option A is wrong because 'hardware rate-limiter' is a legacy feature on some Cisco platforms that limits traffic in hardware, but it does not provide the granularity of matching ICMP protocol specifically and may affect all ICMP or other traffic; it is not the recommended CoPP approach for NX-OS. Option B is wrong because the police command syntax is incorrect: it uses 'police rate 1000 pps burst 200' without the 'byte' keyword, and the class-map uses 'match access-group name' which matches based on an ACL rather than the protocol directly, potentially missing ICMP TTL-exceeded messages that are not captured by the ACL; also, the policy-map is applied with 'service-policy input' instead of 'service-policy type control-plane', which is the correct NX-OS syntax for CoPP. Option C is wrong because applying a QoS policy on the management interface only affects traffic entering via that interface, not the control plane traffic from data interfaces; it would not protect the supervisor from ICMP TTL-exceeded messages arriving from external networks through data ports.

2
Multi-Select · easy

Which TWO methods are used to secure management plane access on Cisco Nexus 9000 series switches?

Select 2 answers
A. SNMPv3
B. CoPP
C. SSH
D. AAA
E. VRF
Answers: C, D

SSH encrypts management traffic, securing remote access.

Why this answer

SSH provides encrypted remote access, and AAA provides authentication and authorization for management users. SNMPv3 is for monitoring, CoPP protects the control plane, and VRF is for data plane segmentation.

3
MCQ · medium

A network administrator implements the ACL shown. After verifying the ACL statistics, all counters show 0 matches. What is the most likely cause?

A. The ACL entries are in the wrong order.
B. The ACL is applied to the wrong interface.
C. The 'permit ip any any' entry causes all traffic to be permitted before inspection.
D. The ACL is applied outbound instead of inbound.
Answer: B

Ethernet1/1 is a management interface; production traffic likely uses other interfaces.

Why this answer

Option B is correct because if the ACL is applied to the wrong interface, traffic never traverses that interface, so the ACL counters remain at 0. ACLs must be applied to the interface where traffic enters (inbound) or exits (outbound) the device; applying to an interface that does not carry the relevant traffic results in no matches.

Exam trap

Cisco often tests the misconception that ACL counters being 0 is always due to a missing 'permit ip any any' or wrong entry order, but the real trap is that the ACL may simply not be processing any traffic because it is applied to the wrong interface or direction.

How to eliminate wrong answers

Option A is wrong because the order of ACL entries affects which traffic is matched, but it does not cause all counters to be 0; even a misordered ACL would still match some traffic (e.g., a deny entry before a permit would still show matches for the deny). Option C is wrong because a 'permit ip any any' entry at the end of an ACL permits all unmatched traffic, but it would still match traffic and increment its own counter, not cause all counters to be 0. Option D is wrong because applying the ACL outbound instead of inbound would still match traffic exiting the interface; counters would increment if traffic flows out that interface, so 0 matches indicates no traffic is being evaluated, not a direction mismatch.

4
Matching · medium

Match each Cisco data center security feature to its purpose.


Concepts
Matches

Packet filtering based on IP/port criteria

Limits MAC addresses per switchport

Prevents rogue DHCP server attacks

Validates ARP packets to prevent spoofing

Filters traffic based on IP/MAC binding

Why these pairings

These security features protect the data center network from Layer 2 attacks.

5
MCQ · medium

An organization is deploying Cisco ISE for 802.1X authentication on Cisco Nexus switches. Some endpoints fail authentication and fall back to MAB. The security policy requires that endpoints failing both 802.1X and MAB be placed in a restricted VLAN. Which configuration is needed on the switch port?

A. authentication order dot1x mab
B. dot1x timeout tx-period 30
C. authentication failed action authorize vlan 999
D. authentication event server dead action authorize vlan 999
Answer: C

This command places the port into the specified VLAN (restricted) after authentication failure.

Why this answer

Option C is correct because the 'authentication failed action authorize vlan 999' command configures the switch port to place endpoints that fail both 802.1X and MAB into a restricted VLAN (VLAN 999). This directly meets the security policy requirement for endpoints that cannot authenticate via either method.

Exam trap

The trap here is confusing 'authentication failed action' (which handles authentication failure) with 'authentication event server dead action' (which handles server unavailability), leading candidates to pick Option D when the scenario explicitly describes endpoints failing authentication, not a server outage.

How to eliminate wrong answers

Option A is wrong because 'authentication order dot1x mab' only sets the sequence of authentication methods (802.1X first, then MAB), but does not define what happens when both fail. Option B is wrong because 'dot1x timeout tx-period 30' adjusts the interval between EAP-Request/Identity retransmissions, which affects authentication timing but not the fallback action for failed authentication. Option D is wrong because 'authentication event server dead action authorize vlan 999' handles the scenario when the RADIUS server is unreachable, not when authentication itself fails; this would place endpoints in VLAN 999 even if they could authenticate successfully, violating the policy.

6
MCQ · hard

An attacker attempts to spoof a legitimate client's IP address to intercept traffic. DHCP snooping is enabled. Which feature prevents this spoofing by validating source IP in data packets?

A. Port security
B. IP Source Guard
C. Dynamic ARP Inspection
D. DHCP Snooping binding database
Answer: B

IPSG validates source IP in data packets using the DHCP snooping binding table.

Why this answer

IP Source Guard (IPSG) uses the DHCP snooping binding database to validate the source IP address in data packets received on untrusted ports. If a packet's source IP does not match an entry in the binding table, IPSG drops the packet, preventing IP spoofing attacks.

Exam trap

Cisco often tests the distinction between features that validate IP addresses (IPSG) versus those that validate ARP (DAI) or MAC addresses (port security), leading candidates to confuse DAI as the answer for IP spoofing prevention.

How to eliminate wrong answers

Option A is wrong because port security limits MAC addresses on a switch port but does not inspect or validate the source IP address in Layer 3 packets. Option C is wrong because Dynamic ARP Inspection (DAI) validates ARP packets (IP-to-MAC bindings), not the source IP in data packets. Option D is wrong because the DHCP snooping binding database is a table of legitimate DHCP leases; it is not a feature that actively validates source IPs in data packets—IPSG uses this database to perform that validation.

7
MCQ · easy

An engineer is configuring AAA authentication on a Cisco MDS 9000 series switch. The goal is to authenticate users via RADIUS first, then local as a fallback. Which command sequence should be used?

A. aaa authentication login default group radius local
B. aaa authentication login default local radius
C. aaa authentication login default radius local
D. aaa authentication login console radius local
Answer: A

Correct syntax: 'default' login method, 'group' keyword, radius then local fallback.

Why this answer

Option A is correct because the 'aaa authentication login default group radius local' command configures the switch to first attempt RADIUS authentication for all login methods (default), and if the RADIUS server is unreachable or returns an error (not a rejection), it falls back to the local user database. This matches the requirement of RADIUS first with local fallback.

Exam trap

Cisco often tests the distinction between 'default' (applies to all login methods) and specific method names like 'console' or 'ssh', and the requirement to use the 'group' keyword before the server group name, causing candidates to omit 'group' or choose a method-specific keyword incorrectly.

How to eliminate wrong answers

Option B is wrong because it places 'local' before 'radius', which would cause the switch to attempt local authentication first, not RADIUS first as required. Option C is wrong because it omits the 'group' keyword, which is required to specify a RADIUS server group; without 'group', the command is syntactically incorrect on Cisco MDS switches. Option D is wrong because it specifies 'console' instead of 'default', limiting the authentication method list to console logins only, rather than applying to all login methods (SSH, Telnet, console, etc.) as required.

8
MCQ · hard

In a Cisco Application Centric Infrastructure (ACI) fabric, a tenant has two EPGs: Web and App. A contract is created between Web (consumer) and App (provider) with a filter that permits TCP port 8080 (the only port used by the application). However, traffic from App to Web is failing. The application requires bidirectional communication: Web initiates requests to App on TCP 8080, and App responds on the same connection (stateful). The engineer verifies that the filter is correctly applied and that both EPGs are in the same VRF. The contract is applied in the direction Web -> App. What is the most efficient way to resolve this issue without compromising security?

A. Verify that no higher-priority contract is overriding; if not, the issue is elsewhere.
B. Set the contract to 'allow any' between the EPGs to bypass filtering.
C. Create a second contract from App to Web with the same filter, and apply it to App as consumer and Web as provider.
D. Modify the existing filter to allow TCP 8080 from App to Web as well.
Answer: C

This adds the reverse direction explicitly, allowing return traffic.

Why this answer

In Cisco ACI, contracts are unidirectional by default. Even though the filter permits TCP 8080 from Web to App, the return traffic from App to Web is not implicitly allowed because ACI does not perform stateful inspection for TCP connections; it relies on explicit contract rules for each direction. Option C correctly creates a second contract from App (consumer) to Web (provider) with the same filter, allowing the bidirectional communication required for the application's stateful TCP session without over-permitting.

Exam trap

Cisco often tests the misconception that ACI contracts are stateful like a firewall, leading candidates to assume return traffic is automatically allowed; the trap here is that ACI requires explicit contracts for each direction, even for TCP connections.

How to eliminate wrong answers

Option A is wrong because the issue is not about contract priority; the filter is correctly applied and no override is needed—the fundamental problem is the lack of a return direction contract. Option B is wrong because setting the contract to 'allow any' would bypass all security filtering, violating the principle of least privilege and unnecessarily exposing the EPGs. Option D is wrong because modifying the existing filter to allow TCP 8080 from App to Web would still not create a contract in the reverse direction; filters are applied per contract direction, and without a contract from App to Web, the filter change has no effect.

9
MCQ · hard

Refer to the exhibit. A server connected to Ethernet1/1 is experiencing intermittent connectivity. The server sends BPDUs, causing the switch to place the port into a blocking state. Which configuration change should be made to prevent this while maintaining rapid convergence?

A. Add 'spanning-tree guard loop' to the interface.
B. Remove the 'spanning-tree port type edge trunk' command and configure 'spanning-tree port type normal'.
C. Add 'spanning-tree bpdufilter enable' on the interface.
D. Change the port type to 'spanning-tree port type network trunk'.
Answer: C

BPDU filter on an edge port prevents the switch from sending/receiving BPDUs, maintaining edge status.

Why this answer

Option C is correct because enabling BPDU filter on the interface prevents the switch from processing BPDUs received from the server, which stops the port from being placed into a blocking state due to BPDU reception. This maintains rapid convergence because the port remains configured as an edge port (spanning-tree port type edge trunk), allowing it to transition directly to forwarding without spanning-tree negotiation.

Exam trap

Cisco often tests the distinction between BPDU guard and BPDU filter, where candidates mistakenly choose BPDU guard (which errdisables the port) instead of BPDU filter (which silently ignores BPDUs) when the goal is to maintain connectivity while preventing spanning-tree disruption.

How to eliminate wrong answers

Option A is wrong because 'spanning-tree guard loop' is not a valid command; the correct command is 'spanning-tree guard loopguard', which prevents alternate or root ports from becoming designated in the absence of BPDUs, but does not address BPDUs received from a server causing blocking. Option B is wrong because removing 'spanning-tree port type edge trunk' and configuring 'spanning-tree port type normal' would cause the port to participate in spanning-tree convergence, potentially leading to blocking states and slower convergence, not solving the issue of BPDUs from the server. Option D is wrong because 'spanning-tree port type network trunk' is used for ports connected to other switches (network-facing) and would cause the port to participate in spanning-tree, likely resulting in blocking when BPDUs are received from the server, and it does not prevent the issue.

10
MCQ · easy

A network engineer is implementing port security on a Cisco Nexus 9000 switch to limit the number of MAC addresses learned on a single access port. The switchport is configured as follows:

  interface Ethernet 1/2
    switchport mode access
    switchport port-security
    switchport port-security maximum 2
    switchport port-security violation shutdown
    switchport port-security mac-address sticky

After connecting two authorized devices, a third unauthorized device is connected, causing the port to enter the err-disabled state. The engineer needs to restore connectivity for the two authorized devices as quickly as possible, while maintaining the security posture. What is the best practice to recover the port automatically in the future?

A. Manually shut down and then no shutdown the interface to recover from err-disabled state.
B. Remove port-security configuration entirely to prevent future err-disables.
C. Configure 'errdisable recovery cause psecure-violation' to automatically recover the port after the configured interval.
D. Increase the maximum MAC address limit to 3 to accommodate the third device.
Answer: C

This automatically brings the port out of errdisabled state after a timer, maintaining security while enabling quick recovery.

Why this answer

Option C is correct because the 'errdisable recovery cause psecure-violation' command enables automatic recovery from the err-disabled state caused by a port-security violation. This allows the port to come back up after a default or configured interval (typically 300 seconds) without manual intervention, restoring connectivity for the two authorized devices while maintaining the security posture of limiting MAC addresses to two.

Exam trap

Cisco often tests the distinction between manual recovery (shut/no shut) and automatic recovery (errdisable recovery), and the trap here is that candidates may choose manual recovery as 'quickest' without realizing the question asks for automatic future recovery, or they may incorrectly think increasing the MAC limit is a valid security compromise.

How to eliminate wrong answers

Option A is wrong because manually shutting down and then no shutting the interface is a manual recovery method, not an automatic one, and does not address the requirement to recover the port automatically in the future. Option B is wrong because removing port-security configuration entirely eliminates the security posture, which contradicts the requirement to maintain security while restoring connectivity. Option D is wrong because increasing the maximum MAC address limit to 3 would allow the unauthorized device, violating the security policy and not maintaining the intended security posture.

11
MCQ · hard

A company uses Cisco ISE for 802.1X authentication on data center edge switches. After a recent upgrade, some endpoints that previously authenticated successfully now fail. The ISE logs show the endpoint is in the wrong authorization profile. What is the most likely cause?

A. The switch port is in multi-authentication mode
B. The switch has incorrect RADIUS shared secret
C. The endpoint posture assessment is failing
D. The ISE policy is using a different identity source
Answer: C

Posture assessment can change the authorization result, assigning a restricted profile if requirements aren't met.

Why this answer

Option C is correct because a failing posture assessment can cause ISE to apply a different authorization profile (e.g., a quarantine or remediation profile) instead of the expected one, even though the endpoint previously authenticated successfully. Posture checks occur after 802.1X authentication and can change the authorization result based on endpoint compliance, which aligns with the symptom of the endpoint being in the wrong profile after an upgrade.

Exam trap

The trap here is that candidates often confuse authentication success with authorization success, overlooking that posture assessment is a separate step that can override the initial authorization profile, especially after an upgrade that changes posture requirements.

How to eliminate wrong answers

Option A is wrong because multi-authentication mode allows multiple endpoints on a single port with individual authentication, but it does not cause an endpoint to be placed in the wrong authorization profile; it affects how many devices can authenticate, not which profile is applied. Option B is wrong because an incorrect RADIUS shared secret would cause authentication failures (Access-Reject) or no response, not a successful authentication with the wrong authorization profile; the logs show the endpoint is in the wrong profile, not failing authentication. Option D is wrong because using a different identity source would typically result in authentication failure (if the endpoint is not found) or a different identity group, but the logs indicate the endpoint is in the wrong authorization profile, not that authentication succeeded with a different identity; the identity source affects who is authenticated, not the authorization profile directly.

12
MCQ · hard

Refer to the exhibit. A web server in VLAN 10 with IP 10.0.0.5 is experiencing connectivity issues. Clients from subnet 10.0.0.0/24 can access the server, but clients from other subnets cannot. What is the most likely cause?

A. The ACL is missing a permit for return traffic
B. The server's default gateway is incorrect
C. The ACL denies all traffic from other subnets
D. The ACL permits HTTP only from the local subnet
Answer: C

The ACL only permits traffic from 10.0.0.0/24; all other traffic is implicitly denied.

Why this answer

The exhibit shows an ACL applied to the VLAN 10 SVI that permits HTTP traffic only from the 10.0.0.0/24 subnet. Since clients from other subnets are denied, the ACL is explicitly blocking all traffic from those subnets, which matches option C. This is the most likely cause because the server is reachable from the local subnet but not from elsewhere, indicating a filtering issue rather than a routing or gateway problem.

Exam trap

Cisco often tests the concept that an ACL with a single permit statement implicitly denies all other traffic, and candidates may mistakenly think the issue is a missing return traffic permit or a default gateway problem instead of recognizing the ACL's implicit deny behavior.

How to eliminate wrong answers

Option A is wrong because the ACL is configured with an implicit deny at the end, but the issue is not about missing return traffic; the ACL explicitly permits only HTTP from the local subnet, so return traffic for permitted sessions would be allowed by the stateful nature of the ACL (if reflexive or with established keyword) or by the permit statement itself. Option B is wrong because if the server's default gateway were incorrect, clients from the local subnet (10.0.0.0/24) would also fail to reach the server, as they rely on the same gateway for Layer 3 forwarding. Option D is wrong because it describes the actual behavior but is not the root cause; the ACL permits HTTP only from the local subnet, which is the mechanism causing the issue, but the question asks for the most likely cause, which is that the ACL denies all traffic from other subnets (the implicit deny after the permit statement).

13
Multi-Select · easy

Which TWO of the following are required components for a Cisco ACI contract to allow communication between EPGs?

Select 2 answers
A. A filter that specifies the traffic parameters.
B. A subject that defines the filter.
C. A tenant.
D. A QoS class.
E. A VRF.
Answers: A, B

Filter defines allowed traffic.

Why this answer

Option A is correct because a filter in Cisco ACI defines the specific traffic parameters—such as IP protocol, source/destination ports, and EtherType—that are permitted or denied between EPGs. Without a filter, the contract has no criteria to match traffic, so communication cannot be allowed. Option B is correct because a subject binds one or more filters to a contract and specifies the direction (consumer-to-provider or bidirectional) in which the filter is applied, making it an essential component for the contract to function.

Exam trap

Cisco often tests the misconception that a tenant or VRF is a required component of a contract, when in fact the contract only requires a filter and a subject to define the traffic rules, while tenants and VRFs are separate constructs that provide logical isolation and routing context.

14
MCQ · easy

An engineer needs to secure the management plane on a Cisco Nexus 9000 switch. Which feature should be configured to restrict access to the switch's management interface based on source IP?

A. Enable DHCP snooping on the management VLAN.
B. Enable port security on the management interface.
C. Configure AAA to require two-factor authentication.
D. Configure a management CoPP policy to rate-limit and permit only specific source IPs.
Answer: D

CoPP can filter management traffic to the switch.

Why this answer

Option D is correct because a management Control Plane Policing (CoPP) policy on a Cisco Nexus 9000 switch allows the engineer to explicitly permit or deny traffic destined to the management interface based on source IP addresses. CoPP applies QoS policies to control plane traffic, effectively restricting management plane access by rate-limiting or dropping packets from unauthorized sources before they reach the CPU.

Exam trap

Cisco often tests the distinction between data-plane security features (DHCP snooping, port security) and control-plane security mechanisms (CoPP), leading candidates to mistakenly choose a Layer 2 feature for a management plane access restriction question.

How to eliminate wrong answers

Option A is wrong because DHCP snooping is a Layer 2 security feature that filters untrusted DHCP messages and builds a binding database to prevent rogue DHCP servers; it does not restrict access to the management interface based on source IP. Option B is wrong because port security limits the number of MAC addresses allowed on a switchport and prevents MAC flooding attacks, but it operates at Layer 2 and cannot filter management plane access based on source IP addresses. Option C is wrong because AAA with two-factor authentication controls user authentication and authorization after a connection is established, but it does not restrict which source IPs can initiate a connection to the management interface.

15
Multi-Select · medium

Which TWO of these are best practices for securing the Cisco ACI fabric?

Select 2 answers
A. Use security domains to control RBAC.
B. Use in-band management for APIC connectivity.
C. Enable certificate-based authentication for APIC access.
D. Leave default passwords for fabric discovery.
E. Place APIC controllers in a DMZ.
Answers: A, C

Security domains isolate tenant administration.

Why this answer

Security domains in Cisco ACI provide role-based access control (RBAC) by partitioning the fabric into logical groups, allowing administrators to restrict user permissions to specific tenants, EPGs, or policies. This is a core best practice to enforce least-privilege access and prevent unauthorized configuration changes across the fabric.

Exam trap

Cisco often tests the misconception that in-band management is acceptable for APIC connectivity, but the correct practice is to use out-of-band management to keep APIC traffic separate from the data plane and reduce attack surface.

16
MCQ · hard

During a security audit, you discover that a Cisco Nexus 9000 switch is allowing traffic between two ports in the same VLAN despite having a VLAN ACL that should deny it. The VACL is applied correctly, and the ACL entries are properly configured. What is the most likely reason for this behavior?

A. VACLs only filter traffic between VLANs, not within the same VLAN.
B. The VACL requires Layer 3 inspection to be enabled.
C. The switch does not support hardware VACL processing.
D. Spanning-tree is bypassing the VACL for PortFast ports.
Answer: A

VACLs filter inter-VLAN traffic; intra-VLAN traffic is not affected.

Why this answer

VLAN ACLs (VACLs) operate at Layer 2 and filter traffic entering or leaving a VLAN, but they only apply to traffic that crosses VLAN boundaries (i.e., inter-VLAN routing). Traffic between two ports within the same VLAN is bridged at Layer 2 and never traverses the VACL enforcement point, so the ACL entries have no effect on intra-VLAN communication. This is a fundamental design limitation of VACLs on Cisco Nexus switches.

Exam trap

Cisco often tests the misconception that VACLs filter all traffic within a VLAN, when in fact they only apply to traffic crossing VLAN boundaries, leading candidates to overlook the intra-VLAN limitation.

How to eliminate wrong answers

Option B is wrong because VACLs do not require Layer 3 inspection; they are applied at Layer 2 and filter based on MAC addresses, IP addresses, or other fields without needing routing or Layer 3 forwarding. Option C is wrong because the Cisco Nexus 9000 series fully supports hardware-based VACL processing using TCAM, and this is not a limitation that would cause the described behavior. Option D is wrong because Spanning Tree Protocol (STP) and PortFast do not bypass VACLs; PortFast only accelerates the transition to forwarding state and does not affect ACL enforcement.

17
Multi-Select · medium

Which TWO security features rely on the DHCP snooping binding table? (Select exactly 2)

Select 2 answers
A. Port Security
B. IP Source Guard
C. Private VLANs
D. Dynamic ARP Inspection
E. MACsec
Answers: B, D

IP Source Guard uses the DHCP snooping binding to permit only valid IP/MAC addresses.

Why this answer

IP Source Guard (IPSG) uses the DHCP snooping binding table to validate the source IP address of packets received on untrusted ports. It drops any packet whose source IP does not match an entry in the binding table, preventing IP spoofing attacks. Dynamic ARP Inspection (DAI) also relies on the DHCP snooping binding table to validate ARP packets, ensuring that the sender MAC and IP addresses match a legitimate binding, thereby blocking ARP poisoning attacks.

Exam trap

Cisco often tests the dependency of IP Source Guard and Dynamic ARP Inspection on the DHCP snooping binding table, and the trap here is that candidates confuse Port Security or MACsec as features that also rely on DHCP snooping, when in fact they operate independently.

18
MCQ · hard

A data center architect is designing security for a Cisco ACI fabric that must comply with PCI DSS. The requirement is to encrypt all traffic between EPGs within the same tenant. Which solution should be used?

A. Enable port security on the leaf switch interfaces.
B. Use a contract with the 'encrypt' flag enabled between the EPGs.
C. Create separate VRFs for each EPG and route traffic through a firewall.
D. Configure a site-to-site VPN between the leaf switches.
Answer: B

ACI contracts support encryption enforcement using MACsec or IPsec.

Why this answer

Option B is correct because Cisco ACI supports encryption of traffic between EPGs within the same tenant using a contract with the 'encrypt' flag enabled. This leverages the ACI fabric's built-in capability to apply AES-based encryption (e.g., AES-256-GCM) at the leaf switch level, ensuring data confidentiality for PCI DSS compliance without requiring external devices or complex routing changes.

Exam trap

The trap here is that candidates may assume encryption requires an external firewall or VPN, but Cisco ACI natively supports contract-based encryption using MACsec, which is the correct and simplest solution for intra-tenant EPG traffic encryption.

How to eliminate wrong answers

Option A is wrong because port security on leaf switch interfaces controls MAC address flooding and prevents MAC spoofing, but it does not provide any encryption of traffic between EPGs. Option C is wrong because creating separate VRFs and routing through a firewall adds complexity and potential latency, but it does not inherently encrypt traffic within the ACI fabric; encryption would require additional VPN or IPsec configuration on the firewall, which is not a native ACI solution. Option D is wrong because a site-to-site VPN between leaf switches is not a supported or practical configuration in ACI; VPNs are designed for inter-site or remote connectivity, not for intra-fabric EPG-to-EPG traffic encryption.

19
MCQ · easy

Refer to the exhibit. The TACACS+ server at 10.1.1.1 is unreachable. What will happen when a user tries to authenticate to the switch using SSH?

A.Authentication will use the local user database as a fallback.
B.Authentication will be denied immediately.
C.Authentication will be attempted against the TACACS+ server repeatedly until timeout.
D.Authentication will be attempted against the TACACS+ server without fallback because 'fallback-to-local' is not configured.
Answer: A

The 'local' keyword provides fallback.

Why this answer

When the TACACS+ server at 10.1.1.1 is unreachable, the switch will fall back to the local user database for authentication because the 'fallback-to-local' feature is enabled by default in Cisco IOS/IOS-XE for TACACS+ configurations. This behavior ensures that administrative access is not completely blocked if the remote AAA server becomes unavailable, allowing authentication against locally configured usernames and passwords.

Exam trap

Cisco often tests the misconception that 'fallback-to-local' must be explicitly configured for TACACS+ fallback to work, when in reality the fallback is determined by the order of methods in the AAA authentication command, and 'local' as a subsequent method provides the fallback automatically.

How to eliminate wrong answers

Option B is wrong because authentication is not denied immediately; Cisco switches are designed to attempt fallback mechanisms to maintain availability. Option C is wrong because the switch does not repeatedly attempt TACACS+ authentication until timeout; instead, it will fail over to the local database after a single failed attempt or after the server is marked dead. Option D is wrong because 'fallback-to-local' is enabled by default for TACACS+ in Cisco IOS/IOS-XE, so even without explicit configuration, the switch will use the local database as a fallback when the TACACS+ server is unreachable.

20
Multi-Select · hard

Which three actions can be taken when a port security violation occurs? (Choose three.)

Select 3 answers
A.Shutdown
B.Restrict
C.Protect
D.Errdisable recovery
E.Log
Answers: A, B, C

Disables the port in errdisable state.

Why this answer

When a port security violation occurs, the switch can be configured to take one of three actions: shutdown, restrict, or protect. The shutdown action (A) immediately disables the port and places it in an errdisable state, which is the default behavior. This is correct because it provides the most secure response by completely blocking traffic from the violating MAC address.

Exam trap

Cisco often tests the distinction that errdisable recovery is a recovery mechanism, not a violation action, and that logging is a behavior of restrict, not a separate configurable action.

21
MCQ · hard

An ACI fabric administrator wants to enable microsegmentation for workloads in a Virtual Routing and Forwarding (VRF) instance. The security policy must allow communication between two endpoints based on their EPG (Endpoint Group) membership, regardless of IP address. Which construct must be used?

A.Contract with filter and subject
B.vzAny
C.VRF
D.Bridge Domain (BD)
Answer: A

Contracts in ACI define allowed traffic between EPGs based on filters.

Why this answer

A contract with a filter and subject is required to enable microsegmentation in ACI because it defines the explicit rules for communication between EPGs. The contract specifies which EPGs can talk to each other, the filter defines the L4/L7 parameters (e.g., protocol, ports), and the subject binds the filter to the contract, allowing policy enforcement regardless of IP address. This is the only construct that supports EPG-based security policies for intra-VRF microsegmentation.

Exam trap

Cisco often tests the misconception that vzAny or the VRF itself can replace a contract for EPG-to-EPG microsegmentation, but the trap is that vzAny is a global policy object and the VRF is only a routing context—neither provides the granular, EPG-specific permit/deny rules that a contract with filter and subject enforces.

How to eliminate wrong answers

Option B (vzAny) is wrong because vzAny is a special object that represents all endpoints in a VRF, used to apply contracts to all EPGs at once, but it does not enable microsegmentation between specific EPGs based on their membership; it is a shortcut for global policy, not a granular EPG-to-EPG rule. Option C (VRF) is wrong because a VRF is a Layer 3 routing and forwarding domain that isolates traffic at the network layer, but it does not contain security policy constructs; contracts and EPGs are applied within a VRF, not by the VRF itself. Option D (Bridge Domain) is wrong because a Bridge Domain defines a Layer 2 forwarding boundary and subnet configuration, but it has no role in security policy enforcement; microsegmentation is a Layer 3+ policy function handled by contracts, not BDs.

22
MCQ · easy

A data center switch has DHCP snooping enabled globally. Which of the following is a best practice to ensure DHCP server legitimacy?

A.Configure the port connected to the DHCP server as trusted
B.Disable DHCP snooping on the DHCP server VLAN
C.Set the DHCP server IP address in the binding database
D.Enable DHCP snooping on all VLANs
Answer: A

Trusted ports are allowed to forward DHCP server messages, preventing rogue servers.

Why this answer

Configuring the port connected to the DHCP server as trusted is a best practice because DHCP snooping treats all ports as untrusted by default. Only trusted ports are allowed to forward DHCP server messages (OFFER, ACK, NAK), preventing rogue DHCP server attacks. This ensures that only the legitimate DHCP server can assign IP addresses, maintaining network integrity.

Exam trap

Cisco often tests the misconception that enabling DHCP snooping globally or on all VLANs is sufficient for server legitimacy, when the actual requirement is to explicitly configure the server-facing port as trusted.

How to eliminate wrong answers

Option B is wrong because disabling DHCP snooping on the DHCP server VLAN would remove all protection against rogue DHCP servers in that VLAN, defeating the purpose of the feature. Option C is wrong because the binding database is used to store DHCP client lease information (MAC-to-IP bindings), not to designate the DHCP server's IP address; the server is identified by trusted port configuration. Option D is wrong because while enabling DHCP snooping on all VLANs is a common practice, it does not by itself ensure DHCP server legitimacy; the critical step is marking the server-facing port as trusted.

23
MCQ · medium

Refer to the exhibit. The interface showed a security violation 15 seconds ago and has a violation count of 5. What would happen if a frame with source MAC 0011.2233.4477 arrived now?

A.The frame will be dropped but the port remains up.
B.The port will be placed into errdisable state.
C.The frame will be allowed because sticky MACs are learned dynamically.
D.The frame will be dropped and the violation counter will increment, but the port stays up.
Answer: B

A violation in 'shutdown' mode causes the port to shut down (errdisable).

Why this answer

The correct answer is B because the port security violation mode is 'shutdown' (the default) and the maximum number of secure MAC addresses is 1 (the default); the violation count of 5 shows that frames beyond that maximum have already been seen on this port. When a security violation occurs on a port in shutdown mode, the port immediately transitions to the errdisable state, blocking all traffic. Since the frame with source MAC 0011.2233.4477 is not the secured MAC (0011.2233.4455), it constitutes a violation, and the port is placed into errdisable state, with the violation counter already at 5.

Exam trap

Cisco often tests the default violation mode (shutdown) and the fact that the port enters errdisable state immediately upon the first violation, not after multiple violations, and that the violation counter increments even after the port is down, which can confuse candidates into thinking the port remains up.

How to eliminate wrong answers

Option A is wrong because the port is not configured in 'restrict' or 'protect' violation mode; it is in 'shutdown' mode (default), which causes the port to enter errdisable state, not remain up. Option C is wrong because sticky MAC learning does not allow a new MAC address when the maximum MAC count is already reached (1 in this case); sticky MACs are learned dynamically but still enforce the maximum limit, and the frame would be dropped with a violation. Option D is wrong because while the frame would be dropped and the violation counter would increment, the port would not stay up; in 'shutdown' mode, the port is placed into errdisable state after the violation, not left operational.

24
Multi-Select · hard

Which TWO statements about Cisco TrustSec in a data center are true?

Select 2 answers
A.TrustSec can replace 802.1X authentication in the data center.
B.SGTs are 32-bit values assigned to users or devices.
C.SXP (SGT Exchange Protocol) is used to propagate SGTs across network devices that do not support inline tagging.
D.TrustSec is primarily designed for wireless networks.
E.TrustSec uses Security Group Tags (SGTs) to enforce access control policies.
Answers: C, E

SXP allows SGT propagation without hardware support.

Why this answer

Option C is correct because SXP (SGT Exchange Protocol) is specifically designed to propagate Security Group Tag (SGT) information between network devices that do not support hardware-based inline tagging (e.g., older switches or routers). SXP allows these devices to participate in TrustSec policy enforcement by exchanging SGT-to-IP bindings over TCP, enabling consistent access control across heterogeneous environments.

Exam trap

Cisco often tests the distinction between SGT size (16-bit vs 32-bit) and the role of SXP as a propagation mechanism for non-inline devices, leading candidates to confuse SGT values with other metadata or assume TrustSec replaces authentication protocols like 802.1X.

25
MCQ · medium

A data center engineer configures an ACL on a Nexus 9000 switch to block all traffic from the management network (10.10.0.0/16) to the production servers (192.168.1.0/24) except for SSH access from a specific jump host (10.10.1.100). The ACL is applied inbound on the management interface. Which ACL entry is correctly ordered to achieve this requirement?

A.permit ip any any deny ip 10.10.0.0 0.0.255.255 192.168.1.0 0.0.0.255 permit tcp host 10.10.1.100 192.168.1.0 0.0.0.255 eq 22
B.permit tcp host 10.10.1.100 192.168.1.0 0.0.0.255 eq 22 permit ip any any deny ip 10.10.0.0 0.0.255.255 192.168.1.0 0.0.0.255
C.permit tcp host 10.10.1.100 192.168.1.0 0.0.0.255 eq 22 deny ip 10.10.0.0 0.0.255.255 192.168.1.0 0.0.0.255 permit ip any any
D.deny ip 10.10.0.0 0.0.255.255 192.168.1.0 0.0.0.255 permit tcp host 10.10.1.100 192.168.1.0 0.0.0.255 eq 22 permit ip any any
Answer: C

Correct order: permit specific, deny source, permit rest.

Why this answer

Option C is correct because ACLs are processed top-down, and the first match wins. The explicit permit for SSH from the jump host (10.10.1.100) must come before the deny for the entire 10.10.0.0/16 range to ensure the exception is honored. The final permit ip any any allows all other non-management traffic, which is necessary to avoid dropping legitimate traffic on the management interface.

Exam trap

The trap here is that candidates often place the deny rule first, forgetting that ACLs are first-match and that the exception for the jump host must be evaluated before the broader deny rule.

How to eliminate wrong answers

Option A is wrong because the 'permit ip any any' at the top would match all traffic first, including the management traffic that should be denied, making the subsequent deny and permit entries irrelevant. Option B is wrong because the 'permit ip any any' in the middle would match all traffic before the deny rule, again bypassing the intended restriction. Option D is wrong because the 'deny ip 10.10.0.0/16 to 192.168.1.0/24' is placed first, which would block SSH from the jump host (10.10.1.100) before the permit rule for that host is evaluated, violating the requirement to allow SSH from the jump host.
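The first-match rule in this question can be checked mechanically. The following Python model is an added example, not NX-OS code and not part of the original question bank: it parses each of the four option orderings exactly as written above, walks each ACL top-down with an implicit deny at the end, and evaluates a handful of constructed test packets (jump host 10.10.1.100, a second management host 10.10.5.5, an unrelated source 172.16.0.9, a production server 192.168.1.10; none of these beyond the jump host and the prefixes are from the question) against the stated requirement.

```python
"""First-match ACL evaluation: an added Python model of the ordering rule
in the question above, not NX-OS code. Option ACEs are copied verbatim
from the question; the test packets are constructed sample values."""
from ipaddress import IPv4Address

ALL_ONES = 0xFFFFFFFF


def _parse_addr(tokens, i):
    """Parse one address spec at tokens[i]: 'any', 'host X', or 'X wildcard'.
    Returns ((value, mask), next_index); a packet matches when pkt & mask == value & mask."""
    if tokens[i] == "any":
        return (0, 0), i + 1
    if tokens[i] == "host":
        return (int(IPv4Address(tokens[i + 1])), ALL_ONES), i + 2
    wildcard = int(IPv4Address(tokens[i + 1]))          # wildcard bits are "don't care"
    return (int(IPv4Address(tokens[i])), ALL_ONES ^ wildcard), i + 2


def parse_ace(line):
    """Parse 'permit|deny <proto> <src> <dst> [eq <port>]' into a dict."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    src, i = _parse_addr(tokens, 2)
    dst, i = _parse_addr(tokens, i)
    dport = int(tokens[i + 1]) if i < len(tokens) and tokens[i] == "eq" else None
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}


def _matches(spec, ip):
    value, mask = spec
    return (int(IPv4Address(ip)) & mask) == (value & mask)


def evaluate(acl, pkt):
    """Walk the ACL top-down; the first matching ACE decides. Implicit deny at the end."""
    for ace in acl:
        if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
            continue
        if not (_matches(ace["src"], pkt["src"]) and _matches(ace["dst"], pkt["dst"])):
            continue
        if ace["dport"] is not None and ace["dport"] != pkt.get("dport"):
            continue
        return ace["action"]
    return "deny"


# The three ACEs from the question, in the four orderings offered as options.
SSH_FROM_JUMP = "permit tcp host 10.10.1.100 192.168.1.0 0.0.0.255 eq 22"
DENY_MGMT = "deny ip 10.10.0.0 0.0.255.255 192.168.1.0 0.0.0.255"
PERMIT_ALL = "permit ip any any"
OPTIONS = {
    "A": [PERMIT_ALL, DENY_MGMT, SSH_FROM_JUMP],
    "B": [SSH_FROM_JUMP, PERMIT_ALL, DENY_MGMT],
    "C": [SSH_FROM_JUMP, DENY_MGMT, PERMIT_ALL],
    "D": [DENY_MGMT, SSH_FROM_JUMP, PERMIT_ALL],
}

# Constructed test packets, each paired with the verdict the requirement demands.
REQUIREMENT = [
    ({"proto": "tcp", "src": "10.10.1.100", "dst": "192.168.1.10", "dport": 22}, "permit"),  # jump host SSH
    ({"proto": "tcp", "src": "10.10.1.100", "dst": "192.168.1.10", "dport": 443}, "deny"),  # jump host, not SSH
    ({"proto": "tcp", "src": "10.10.5.5", "dst": "192.168.1.10", "dport": 22}, "deny"),     # other mgmt host
    ({"proto": "tcp", "src": "172.16.0.9", "dst": "192.168.1.10", "dport": 80}, "permit"),  # non-management
]


def verdicts(option):
    """Verdict for each test packet under the given option's ordering."""
    acl = [parse_ace(line) for line in OPTIONS[option]]
    return [evaluate(acl, pkt) for pkt, _ in REQUIREMENT]


def options_meeting_requirement():
    wanted = [want for _, want in REQUIREMENT]
    return [o for o in OPTIONS if verdicts(o) == wanted]


if __name__ == "__main__":
    for o in OPTIONS:
        print(o, verdicts(o))
    print("meets requirement:", options_meeting_requirement())
```

Running it shows options A and B permitting everything (the 'permit ip any any' is reached before the deny), option D denying the jump host's SSH (the deny is reached first), and only option C returning permit, deny, deny, permit as required.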

26
MCQ · medium

An organization is deploying Cisco ACI in a brownfield data center. They have existing VLANs that need to be mapped to ACI EPGs. The network team notices that some VLANs are used across multiple tenants. How should the engineer design the VLAN pool to support overlapping VLANs?

A.Configure the VLANs as part of the EPG static binding without a pool.
B.Create separate VLAN pools per tenant, each containing the required VLANs.
C.Create one VLAN pool per physical domain and assign tenants to that domain.
D.Create a global VLAN pool with all VLANs and assign it to all tenants.
Answer: B

Each tenant gets its own VLAN pool, allowing reuse.

Why this answer

Option B is correct because in Cisco ACI, VLAN pools are scoped to a physical domain, and overlapping VLANs across tenants require separate VLAN pools per tenant. Each tenant's EPG is statically bound to its own VLAN pool, ensuring isolation and preventing VLAN conflicts. This design aligns with ACI's multi-tenant architecture where VLAN IDs must be unique within a domain but can be reused across different domains.

Exam trap

Cisco often tests the misconception that a single VLAN pool can be shared across tenants with overlapping VLANs, but in reality, VLAN pools are domain-scoped and overlapping IDs require separate pools to maintain isolation.

How to eliminate wrong answers

Option A is wrong because EPG static binding without a pool does not support overlapping VLANs; static bindings still require a VLAN pool for encapsulation and cannot bypass the pool's scope. Option C is wrong because creating one VLAN pool per physical domain and assigning multiple tenants to that domain would cause VLAN ID conflicts if the same VLAN is used across tenants, as the pool is shared. Option D is wrong because a global VLAN pool assigned to all tenants would force all tenants to use unique VLAN IDs, preventing overlapping VLANs and violating the requirement.

27
MCQ · hard

An engineer is troubleshooting a DHCP issue in a data center VLAN. Clients are unable to obtain IP addresses from the DHCP server. The switch has DHCP snooping enabled on the VLAN, and the DHCP server is connected to a trusted port. The clients are on untrusted ports. Which additional security feature is most likely causing the problem if the DHCP server is on a different subnet and the switch is not configured as a DHCP relay?

A.DHCP snooping with no IP helper address configured
B.Dynamic ARP Inspection (DAI)
C.Control Plane Policing (CoPP) dropping DHCP packets
D.Port security with maximum MAC limit
Answer: A

DHCP snooping on untrusted ports drops DHCPOFFER from outside the subnet unless relay is set up.

Why this answer

When the DHCP server resides on a different subnet and the switch lacks an IP helper address (ip helper-address) configuration, DHCP snooping will not forward the DHCP broadcast from the client to the server. DHCP snooping relies on the switch to relay DHCP packets across subnets; without the helper address, the broadcast is dropped at the VLAN interface, preventing clients from obtaining IP addresses.

Exam trap

Cisco often tests the misconception that DHCP snooping alone handles cross-subnet DHCP, when in fact it requires an IP helper address or a dedicated DHCP relay agent to forward broadcasts between subnets.

How to eliminate wrong answers

Option B is wrong because Dynamic ARP Inspection (DAI) validates ARP packets based on DHCP snooping bindings, but it does not affect DHCP packet forwarding between subnets; it only prevents ARP spoofing. Option C is wrong because Control Plane Policing (CoPP) protects the control plane from excessive traffic, but it is not a common cause of DHCP failure in this scenario unless misconfigured to rate-limit DHCP packets, which is less likely than the missing relay. Option D is wrong because port security with a maximum MAC limit restricts the number of MAC addresses on a port, but it does not block DHCP broadcasts or prevent relay across subnets.

28
MCQ · hard

A customer is deploying Cisco ACI with a requirement to isolate tenant traffic in a multi-tenant environment. They want to ensure that a tenant admin can only manage their own tenant's objects. Which RBAC configuration should be implemented?

A.Assign the 'read-only' role to the user within the tenant.
B.Create a separate VRF for each tenant and assign admin to that VRF.
C.Create a security domain for each tenant and assign the 'tenant-admin' role to the user within that domain.
D.Assign the 'tenant-admin' role to the user globally.
Answer: C

Security domains limit the scope of roles to specific tenants.

Why this answer

Option C is correct because Cisco ACI uses security domains to enforce Role-Based Access Control (RBAC) boundaries. By creating a security domain for each tenant and assigning the 'tenant-admin' role to a user within that domain, the tenant admin is restricted to managing only the objects (e.g., EPGs, contracts, policies) that belong to that specific tenant. This ensures isolation of tenant traffic management in a multi-tenant environment without granting global or cross-tenant privileges.

Exam trap

Cisco often tests the distinction between network-level segmentation (e.g., VRFs) and administrative-level isolation (e.g., security domains), and the trap here is that candidates mistakenly choose VRF-based isolation for RBAC, not realizing that VRFs only separate data plane traffic, not management access.

How to eliminate wrong answers

Option A is wrong because the 'read-only' role only permits viewing objects, not managing them, so it fails to meet the requirement for a tenant admin to manage their own tenant's objects. Option B is wrong because VRFs (Virtual Routing and Forwarding) are used for network segmentation of traffic, not for RBAC or administrative access control; assigning an admin to a VRF does not restrict their ability to manage objects outside that VRF. Option D is wrong because assigning the 'tenant-admin' role globally grants the user administrative privileges across all tenants, violating the requirement to isolate tenant traffic management to a single tenant.

29
MCQ · hard

A Nexus 7000 switch is experiencing high CPU utilization due to control plane traffic. The engineer notices that many packets are being punted to the CPU from the data plane, particularly ARP packets. After examining the CoPP configuration, the engineer sees that the 'arp' class-map is matched in a policy-map with a police rate of 1000 pps and a conform-action of 'transmit'. The current ARP rate is 2000 pps. What is the immediate impact?

A.All ARP packets are transmitted normally because the conform-action is 'transmit'.
B.Approximately half of the ARP packets are dropped, reducing CPU load but potentially causing reachability issues.
C.The switch applies an ACL to drop all ARP packets.
D.Packets are marked down and transmitted.
Answer: B

With 2000 pps against 1000 pps limit, half are dropped.

Why this answer

The CoPP policy is configured with a police rate of 1000 pps for ARP packets, but the current ARP rate is 2000 pps. Since the rate exceeds the policer, the conform-action 'transmit' only applies to packets within the rate; excess packets are dropped by default (drop action is implicit when no exceed-action is specified). This results in approximately half of the ARP packets being dropped, which reduces CPU load but can cause ARP resolution failures and reachability issues.

Exam trap

Cisco often tests the implicit default action for excess traffic in CoPP policers—candidates mistakenly assume that only the conform-action matters and that all traffic is transmitted, overlooking that the exceed-action defaults to 'drop' when not explicitly configured.

How to eliminate wrong answers

Option A is wrong because the conform-action 'transmit' only applies to packets that conform to the police rate (1000 pps); packets exceeding the rate are dropped, not transmitted normally. Option C is wrong because CoPP does not apply ACLs to drop packets; it uses a policer within a policy-map to rate-limit traffic, and no ACL is automatically applied to drop all ARP packets. Option D is wrong because the policy-map does not specify a 'markdown' action (such as 'set-dscp' or 'set-cos') or a 'transmit' action for exceed traffic; the default behavior for excess packets is to drop them, not mark and transmit.
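The policer arithmetic behind this answer is easy to see with a token-bucket model. The Python below is an added example, not NX-OS code and not part of the original page: it runs a constructed uniform stream of packets through a single-rate policer, transmits packets that find a token (conform-action) and drops those that do not (the implicit exceed-action). Burst is expressed in packets here for simplicity, whereas NX-OS expresses it in bytes; the 32-packet burst is an assumed value.

```python
"""Token-bucket model of a CoPP single-rate policer: an added illustration
of the question's arithmetic, not NX-OS code. The offered load is a
constructed uniform stream; burst is in packets (NX-OS uses bytes)."""
from dataclasses import dataclass

SCALE = 1000  # work in milli-packets so the per-tick arithmetic stays exact integers


@dataclass
class PolicerResult:
    offered: int
    transmitted: int  # conform-action: transmit
    dropped: int      # exceed-action: drop (the default when none is configured)


def police(offered_pps, rate_pps, burst_pkts, seconds=1, tick_ms=1):
    """Run a uniform offered_pps stream through a rate_pps policer for `seconds`."""
    ticks = seconds * 1000 // tick_ms
    cap = burst_pkts * SCALE            # bucket depth
    tokens = cap                        # bucket starts full
    refill = rate_pps * tick_ms         # milli-tokens added every tick
    arrivals = offered_pps * tick_ms    # milli-packets arriving every tick
    backlog = 0
    offered = transmitted = dropped = 0
    for _ in range(ticks):
        tokens = min(cap, tokens + refill)
        backlog += arrivals
        while backlog >= SCALE:         # one whole packet has arrived
            backlog -= SCALE
            offered += 1
            if tokens >= SCALE:         # conforms: spend a token and transmit
                tokens -= SCALE
                transmitted += 1
            else:                       # exceeds: no token, implicit drop
                dropped += 1
    return PolicerResult(offered, transmitted, dropped)


def drop_ratio(result):
    return result.dropped / result.offered if result.offered else 0.0


if __name__ == "__main__":
    over = police(offered_pps=2000, rate_pps=1000, burst_pkts=32)
    under = police(offered_pps=800, rate_pps=1000, burst_pkts=32)
    print(over, f"drop ratio {drop_ratio(over):.2f}")   # about half of the ARP packets dropped
    print(under)                                         # below the rate: nothing dropped
```

At 2000 pps offered against a 1000 pps policer, the bucket's initial burst is spent in the first few milliseconds and from then on one packet in two is dropped, so the drop ratio settles just under 50 percent; at 800 pps offered every packet conforms.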

30
MCQ · medium

A network engineer is troubleshooting inter-VLAN routing on a Cisco Nexus 9000 switch. The switch is configured with VLAN 10 and VLAN 20. Hosts in VLAN 10 cannot ping hosts in VLAN 20. The engineer checks the VLAN ACL (VACL) applied to VLAN 10 and finds the following configuration:

    ip access-list VACL-FILTER
      10 permit ip any any
    ...
    vlan access-map VACL-MAP 10
      match ip address VACL-FILTER
      action forward
    vlan filter VACL-MAP vlan-list 10

What is the most likely reason for the connectivity failure?

A.The access-list permits all, so the VACL should work; perhaps the access-map is missing a default action.
B.The 'vlan filter' command is applied to VLAN 10 only, but the access-map is misconfigured.
C.The VACL is applied only to VLAN 10, so traffic from VLAN 20 to VLAN 10 is not filtered, but this should not cause a failure.
D.The VACL does not apply to traffic routed through the SVI; a Router ACL (RACL) must be used instead.
Answer: D

Correct. VACLs are only for Layer 2 bridging. For inter-VLAN routing, apply a RACL on the SVI interface.

Why this answer

VACLs filter traffic at the ingress of a VLAN, but they only apply to traffic that is bridged within the same VLAN. When traffic is routed between VLANs (inter-VLAN routing), it passes through the SVI (Switch Virtual Interface), and VACLs do not inspect routed traffic. To filter inter-VLAN routed traffic, a Router ACL (RACL) must be applied to the SVI.

Since the hosts in VLAN 10 cannot ping VLAN 20, the VACL on VLAN 10 is not blocking the traffic; rather, the traffic is being routed and is not subject to the VACL, so the failure is likely due to a missing or misconfigured RACL or routing issue.

Exam trap

The trap here is that candidates assume VACLs can filter all traffic within a VLAN, including traffic that is routed to another VLAN, but Cisco specifically tests that VACLs only apply to bridged traffic, not to traffic that is routed through an SVI.

How to eliminate wrong answers

Option A is wrong because the access-map does have a default action (the implicit deny at the end of the access-map sequence), and the permit all entry would forward traffic, so the VACL itself is not misconfigured; the issue is that VACLs do not apply to routed traffic. Option B is wrong because applying the filter to VLAN 10 only is correct for filtering traffic entering VLAN 10, but the problem is that inter-VLAN routed traffic bypasses VACL inspection entirely. Option C is wrong because while it correctly notes that traffic from VLAN 20 to VLAN 10 is not filtered by this VACL, the statement that 'this should not cause a failure' is misleading; the actual failure is due to the VACL not applying to routed traffic in either direction, not a one-way filtering issue.

31
Multi-Select · medium

Which THREE security features are commonly used on Cisco Nexus switches to prevent DHCP-based attacks? (Choose three.)

Select 3 answers
A.Control Plane Policing (CoPP)
B.DHCP snooping
C.Port security
D.IP Source Guard
E.Dynamic ARP Inspection (DAI)
Answers: B, D, E

DHCP snooping filters untrusted DHCP messages.

Why this answer

DHCP snooping is a security feature that acts as a firewall between untrusted hosts and DHCP servers. It filters DHCP messages by validating DHCP packets received on untrusted ports, dropping those that are invalid (e.g., DHCP server messages from a client port), and building a DHCP snooping binding database that maps client MAC addresses, IP addresses, VLAN, and port information. This database is then used by other features like IP Source Guard and Dynamic ARP Inspection to prevent IP spoofing and ARP poisoning attacks.

Exam trap

Cisco often tests the distinction between features that directly prevent DHCP-based attacks (DHCP snooping, IP Source Guard, DAI) versus general security features like CoPP or Port security, which address different attack vectors and do not inspect DHCP protocol messages.
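The dependency chain described here (DHCP snooping builds the binding table; IP Source Guard and Dynamic ARP Inspection consult it) and in the IPSG/DAI explanation earlier on this page can be seen end to end in one small model. The Python below is an added example, not NX-OS code and not part of the original question bank: the port names, MAC addresses and IP addresses are constructed sample values, and the switch logic is a simplified model (trusted-port check, binding learned on the server's ACK, IP+MAC filtering for IPSG, sender MAC/IP check for DAI).

```python
"""DHCP snooping, IP Source Guard and Dynamic ARP Inspection on one model
switch: an added illustration in Python, not NX-OS code. Port names, MAC
and IP addresses are constructed sample values."""
from dataclasses import dataclass

SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}   # only a trusted port may send these


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str


class SnoopingSwitch:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.pending = {}    # (vlan, client mac) -> client port, seen on DISCOVER/REQUEST
        self.bindings = {}   # (vlan, ip) -> Binding: the DHCP snooping binding table

    def dhcp(self, port, vlan, msg, client_mac, yiaddr=None):
        """DHCP snooping: filter one DHCP message and learn bindings. Returns 'forward' or 'drop'."""
        if msg in SERVER_MESSAGES and port not in self.trusted:
            return "drop"    # server reply arriving on an untrusted port: rogue server
        if msg in ("DISCOVER", "REQUEST") and port not in self.trusted:
            self.pending[(vlan, client_mac)] = port
        elif msg == "ACK":
            client_port = self.pending.pop((vlan, client_mac), None)
            if client_port is not None:
                self.bindings[(vlan, yiaddr)] = Binding(client_mac, yiaddr, vlan, client_port)
        return "forward"

    def ipsg(self, port, vlan, src_mac, src_ip):
        """IP Source Guard (IP+MAC filtering): untrusted ports may only source bound addresses."""
        if port in self.trusted:
            return "forward"
        b = self.bindings.get((vlan, src_ip))
        if b is not None and b.port == port and b.mac == src_mac:
            return "forward"
        return "drop"        # source IP (or MAC) not bound to this port: spoofed

    def dai(self, port, vlan, sender_mac, sender_ip):
        """Dynamic ARP Inspection: the ARP sender MAC/IP pair must match a binding."""
        if port in self.trusted:
            return "forward"
        b = self.bindings.get((vlan, sender_ip))
        return "forward" if b is not None and b.mac == sender_mac else "drop"


def scenario():
    """Constructed walk-through: one legitimate client, one rogue DHCP server, one ARP poisoner."""
    sw = SnoopingSwitch(trusted_ports={"Ethernet1/1"})   # Ethernet1/1 faces the real DHCP server
    client, poisoner = "aaaa.bbbb.0001", "aaaa.bbbb.0002"
    return [
        sw.dhcp("Ethernet1/2", 10, "DISCOVER", client),              # client broadcast: forward
        sw.dhcp("Ethernet1/3", 10, "OFFER", client, "10.0.10.200"),  # rogue server, untrusted port: drop
        sw.dhcp("Ethernet1/1", 10, "OFFER", client, "10.0.10.20"),   # real server, trusted port: forward
        sw.dhcp("Ethernet1/2", 10, "REQUEST", client),               # forward
        sw.dhcp("Ethernet1/1", 10, "ACK", client, "10.0.10.20"),     # forward; binding table entry created
        sw.ipsg("Ethernet1/2", 10, client, "10.0.10.20"),            # matches the binding: forward
        sw.ipsg("Ethernet1/2", 10, client, "10.0.10.99"),            # unbound source IP: drop
        sw.dai("Ethernet1/3", 10, poisoner, "10.0.10.20"),           # claims the client's IP: drop
        sw.dai("Ethernet1/2", 10, client, "10.0.10.20"),             # legitimate ARP: forward
    ]


if __name__ == "__main__":
    for step, verdict in enumerate(scenario(), 1):
        print(step, verdict)
```

The model also makes the page's "trusted port" point concrete: if "Ethernet1/1" were left untrusted, the OFFER and ACK in steps 3 and 5 would be dropped, no binding would ever be learned, and every later IPSG and DAI check on the client port would fail as well.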

32
MCQ · easy

An engineer wants to prevent unauthorized devices from connecting to access ports. Which port security violation mode will disable the port and generate a syslog message?

A.protect
B.shutdown
C.restrict
D.shutdown vlan
Answer: B

Shutdown disables the port and logs the violation.

Why this answer

The 'shutdown' violation mode is the only port security mode that both disables the port (placing it in an err-disabled state) and generates a syslog message when a violation occurs. This mode immediately shuts down the interface upon detecting an unauthorized MAC address, providing both a clear security alert and a physical disconnection of the offending device.

Exam trap

Cisco often tests the distinction between 'shutdown' and 'shutdown vlan' modes, where candidates mistakenly think 'shutdown vlan' disables the entire port, but it only disables the specific VLAN on that port, leaving other VLANs operational.

How to eliminate wrong answers

Option A is wrong because 'protect' mode drops packets from unauthorized MAC addresses but does not disable the port or generate a syslog message, silently discarding traffic. Option C is wrong because 'restrict' mode drops packets from unauthorized MAC addresses and generates a syslog message, but it does not disable the port; the port remains operational. Option D is wrong because 'shutdown vlan' mode disables only the offending VLAN on the port (placing it in an err-disabled state) and generates a syslog message, but it does not shut down the entire physical port, which is required by the question's condition of disabling the port.
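The three violation modes compared in this question, and in questions 20 and 23 above, differ only in what happens to the offending frame, the counter, the log and the port state. The Python below is an added example, not NX-OS or IOS code and not part of the original page: it models one secured interface with the default maximum of one MAC address, feeds it the two MAC addresses from the question 23 exhibit, and reports the outcome under each mode. The log message text is a constructed placeholder, not a real platform syslog string.

```python
"""Port security violation modes (protect, restrict, shutdown) on one
model interface: an added illustration in Python, not NX-OS or IOS code.
The log message text is constructed, not a real syslog string."""


class SecurePort:
    def __init__(self, maximum=1, violation="shutdown"):
        assert violation in ("protect", "restrict", "shutdown")
        self.maximum = maximum            # maximum secure MAC addresses (default 1)
        self.violation = violation        # violation mode (default shutdown)
        self.secure_macs = []
        self.violation_count = 0
        self.errdisabled = False
        self.syslog = []

    def frame(self, src_mac):
        """Process one ingress frame; returns what happened to it."""
        if self.errdisabled:
            return "dropped: port err-disabled"
        if src_mac in self.secure_macs:
            return "forwarded"
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.append(src_mac)   # dynamic or sticky learning below the maximum
            return "forwarded: learned"
        # Unknown source MAC once the maximum is reached: a security violation.
        if self.violation == "protect":
            return "dropped: protect (silent, no counter, no log)"
        self.violation_count += 1
        self.syslog.append(f"port-security violation by {src_mac}")   # constructed message text
        if self.violation == "restrict":
            return "dropped: restrict (counted and logged, port stays up)"
        self.errdisabled = True
        return "dropped: shutdown (port placed in err-disable)"

    def errdisable_recover(self):
        """Recovery is a separate mechanism (errdisable recovery timer or shut/no shut), not a violation action."""
        self.errdisabled = False


def compare_modes(allowed="0011.2233.4455", offender="0011.2233.4477"):
    """Same two frames against each violation mode with maximum 1 (the default)."""
    outcome = {}
    for mode in ("protect", "restrict", "shutdown"):
        p = SecurePort(maximum=1, violation=mode)
        p.frame(allowed)                       # learned as the single secure MAC
        result = p.frame(offender)             # a second MAC exceeds the maximum of 1
        outcome[mode] = {
            "result": result,
            "violation_count": p.violation_count,
            "errdisabled": p.errdisabled,
            "logged": len(p.syslog) > 0,
            "allowed_still_forwarded": p.frame(allowed) == "forwarded",
        }
    return outcome


if __name__ == "__main__":
    for mode, o in compare_modes().items():
        print(mode, o)
```

Only 'shutdown' ends with the port err-disabled, which is why the legitimate MAC stops being forwarded too; 'restrict' logs and counts while leaving the port up, and 'protect' discards silently.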

33
MCQ · medium

Refer to the exhibit. A client connected to Ethernet1/2 cannot obtain an IP address via DHCP. What is the most likely cause?

A.The DHCP snooping information option is disabled
B.The DHCP server is on a different VLAN
C.The DHCP snooping trust configuration is missing on the server port
D.IP source guard is enabled on the client port
Answer: C

Without trust, DHCP server messages are dropped on the untrusted port.

Why this answer

The client cannot obtain an IP address via DHCP because the DHCP server port (Ethernet1/1) is not configured as a DHCP snooping trusted port. By default, all ports are untrusted, and DHCP snooping drops all DHCP server responses (OFFER, ACK) received on untrusted ports. Configuring the port connecting to the DHCP server as trusted is required to allow these messages to reach the client.

Exam trap

Cisco often tests the default untrusted state of all ports in DHCP snooping, leading candidates to overlook that the server port must be explicitly trusted, even when the server is on the same VLAN or reachable.

How to eliminate wrong answers

Option A is wrong because disabling the DHCP snooping information option (option 82) would only affect the insertion or removal of relay agent information, not the basic forwarding of DHCP messages; DHCP snooping still operates and drops server responses on untrusted ports. Option B is wrong because a DHCP server on a different VLAN is a common and valid deployment; DHCP snooping does not require the server to be on the same VLAN, and the issue is about trust, not VLAN placement. Option D is wrong because IP source guard (IPSG) filters traffic based on IP-to-MAC bindings after a client obtains an IP address, but it does not prevent the initial DHCP exchange; the client cannot even get an IP address due to DHCP snooping dropping server responses.

34
MCQ · easy

A data center network engineer wants to encrypt all traffic between two top-of-rack (ToR) switches that are connected via a direct link. The encryption should be transparent to upper-layer protocols and operate at Layer 2. Which technology should be used?

A.MACsec (802.1AE)
B.IPsec VPN
C.MKA (MACsec Key Agreement)
D.TLS/SSL
Answer: A

MACsec encrypts at Layer 2, ideal for direct links.

Why this answer

MACsec (802.1AE) is the correct choice because it provides hop-by-hop encryption at Layer 2, encrypting the entire Ethernet frame (excluding the source/destination MAC and VLAN tag) to secure traffic between two directly connected switches. It operates transparently to upper-layer protocols (Layer 3 and above) and requires no IP-level configuration, making it ideal for encrypting a direct link between ToR switches.

Exam trap

Cisco often tests the distinction between the encryption protocol (MACsec/802.1AE) and its key management protocol (MKA), leading candidates to mistakenly select MKA as the encryption technology.

How to eliminate wrong answers

Option B (IPsec VPN) is wrong because it operates at Layer 3 (network layer) and requires IP routing, which adds overhead and is not transparent to upper-layer protocols; it is designed for site-to-site or remote-access VPNs, not for direct Layer 2 link encryption. Option C (MKA - MACsec Key Agreement) is wrong because MKA is the key management protocol used to establish and maintain MACsec keys (as defined in 802.1X-2010), not the encryption technology itself; it is a component of MACsec, not a standalone encryption solution. Option D (TLS/SSL) is wrong because it operates at Layer 4 (transport layer) and is used to encrypt application-layer traffic (e.g., HTTPS), not Layer 2 frames; it requires TCP sessions and is not suitable for transparent link encryption between switches.

35
MCQ · hard

A network administrator is configuring CoPP (Control Plane Policing) on a Cisco Nexus 9300 to protect the control plane from high-rate traffic. After applying the policy, the switch becomes unresponsive to SSH sessions, but ICMP still works. What is the most likely misconfiguration?

A.The control plane rate limit is set too low because the switch has many interfaces.
B.CoPP is not supported on the Nexus 9300 platform.
C.The default action of the policy-map is to drop traffic not explicitly matched.
D.In the class-map for SSH, the 'match' statement is incorrectly configured, causing SSH traffic to fall under a drop class.
Answer: D

If SSH traffic is not matched or falls into a drop class, SSH would be blocked.

Why this answer

Option D is correct because if the class-map for SSH traffic uses an incorrect match statement (e.g., matching on the wrong protocol or port), SSH packets will not be classified into the intended permit class. Instead, they fall through to a default drop class in the policy-map, causing SSH sessions to fail while ICMP (which may be matched by a different class or the default permit action) still works. CoPP relies on precise class-map matching; a misconfiguration here directly explains the selective loss of SSH access.

Exam trap

Cisco often tests the nuance that CoPP policy-maps have an implicit 'permit' default unless a 'class class-default' with a drop action is explicitly configured, leading candidates to incorrectly assume a default drop is the cause when the real issue is a misclassification in the class-map.

How to eliminate wrong answers

Option A is wrong because a low rate limit would affect all control-plane traffic, not just SSH; ICMP would also be impacted, and the symptom is SSH failure with ICMP working. Option B is wrong because CoPP is fully supported on Nexus 9300 switches running NX-OS, and this is a standard feature for control-plane protection. Option C is wrong because the default action in a CoPP policy-map is to permit traffic not explicitly matched (unless a 'class class-default' with a drop action is configured); a default drop would affect all unmatched traffic, including ICMP, which contradicts the symptom that ICMP still works.

36
MCQ · hard

A network engineer is troubleshooting CoPP drops on a Cisco Nexus 9000 switch. The 'show control-plane' output indicates that packets are being dropped due to 'CoPP' on the 'default' control-plane class. Which action is most likely to resolve the issue without affecting routing protocol stability?

A. Disable CoPP globally to allow all control-plane traffic.
B. Increase the policer rate for the 'default' class in the CoPP policy.
C. Modify the class-map to reclassify the dropped packets to a higher priority class.
D. Increase the ingress buffer size on the control-plane interface.
Answer: B

Raising the policer rate allows more packets to pass, reducing drops.

Why this answer

The 'default' class in a CoPP policy catches all control-plane traffic not explicitly matched by higher-priority classes. Drops in this class indicate that the aggregate policer rate for unmatched traffic is too low. Increasing the policer rate for the 'default' class allows more legitimate control-plane packets (e.g., ARP, BFD, or management traffic) to pass without impacting the dedicated policers for critical protocols like OSPF or BGP, thus preserving routing stability.

Exam trap

Cisco often tests the misconception that all CoPP drops indicate a need to reclassify traffic to a higher priority class, when in fact the 'default' class drop is a classic sign of an undersized catch-all policer that simply needs a rate adjustment.

How to eliminate wrong answers

Option A is wrong because disabling CoPP globally removes all control-plane protection, exposing the CPU to DoS attacks and potentially causing routing instability from excessive traffic. Option C is wrong because reclassifying dropped packets to a higher priority class would bypass the intended CoPP hierarchy, potentially starving critical protocol traffic and violating the principle of least privilege. Option D is wrong because the control-plane interface does not have a configurable ingress buffer; buffer tuning applies to data-plane interfaces, not to the control-plane policing mechanism.

37
MCQ · medium

Refer to the exhibit. An administrator connects a new server to Ethernet1/1 and the port immediately goes into errdisable state. A different device was previously connected to that port. What is the most likely cause?

A. The new server has a different MAC address than the sticky MAC
B. The port security violation mode is set to protect
C. The port security maximum MAC addresses is set too high
D. The port is configured as a trunk
Answer: A

Sticky MAC learned the previous server's MAC; new server's MAC is different, causing a violation and port shutdown.

Why this answer

The port immediately entering errdisable state upon connecting a new server indicates a port security violation. When port security is enabled with sticky MAC addresses, the switch dynamically learns and 'sticks' the MAC address of the first connected device to the running configuration. Connecting a device with a different MAC address triggers a security violation, and if the violation mode is 'shutdown' (the default), the port is placed into errdisable state.

This matches the scenario where the previous device's MAC was learned as sticky, and the new server's MAC differs.

Exam trap

Cisco often tests the misconception that any port security violation immediately causes errdisable, but the trap here is that only the 'shutdown' mode places the port in errdisable; 'restrict' logs and drops violating traffic but keeps the port up, and 'protect' silently drops traffic without disabling the port.

How to eliminate wrong answers

Option B is wrong because the 'protect' violation mode drops packets from unknown MAC addresses but does not place the port into errdisable state; it simply discards traffic without disabling the port. Option C is wrong because setting the maximum MAC addresses too high would allow more MAC addresses than intended, but it would not cause an immediate errdisable state upon connecting a new device; a violation occurs only when the limit is exceeded, not when a single new MAC appears. Option D is wrong because configuring the port as a trunk does not inherently cause errdisable; trunk ports can carry multiple VLANs and are not directly related to port security violations unless combined with other features like DTP misconfiguration.

38
MCQ · medium

A Cisco ACI fabric administrator wants to implement microsegmentation using Cisco Group-Based Policy (GBP) in a network that hosts virtual machines and bare-metal servers. Which component must be used to enforce microsegmentation policies for bare-metal servers?

A. Application Policy Infrastructure Controller (APIC)
B. Virtual Switch (e.g., Cisco AVS)
C. External firewall appliance
D. Leaf switch
Answer: D

Leaf switches enforce microsegmentation for bare-metal servers via PCAM.

Why this answer

In Cisco ACI, microsegmentation for bare-metal servers is enforced at the leaf switch using Cisco Group-Based Policy (GBP). Unlike virtual machines, which rely on a virtual switch (e.g., Cisco AVS) to apply policies, bare-metal servers connect directly to the leaf switch via physical interfaces. The leaf switch uses the OpFlex protocol to receive policy definitions from the APIC and applies them at the port level, enabling microsegmentation without requiring a hypervisor or virtual switch.

Exam trap

Cisco often tests the misconception that microsegmentation policies are enforced by the APIC or a virtual switch, but the trap here is that for bare-metal servers, the leaf switch is the enforcement point because there is no hypervisor to host a virtual switch.

How to eliminate wrong answers

Option A is wrong because the APIC is the centralized controller that defines and manages policies, but it does not enforce them at the data plane; enforcement occurs on the leaf switches. Option B is wrong because a virtual switch (e.g., Cisco AVS) is used for microsegmentation of virtual machines, not for bare-metal servers, which lack a hypervisor and thus cannot leverage a virtual switch. Option C is wrong because an external firewall appliance is not a native component of ACI microsegmentation; ACI uses its own policy enforcement at the leaf switch, and relying on an external firewall would introduce latency and complexity, defeating the purpose of GBP.

39
MCQ · medium

An organization uses VXLAN EVPN for network segmentation. Which component provides per-tenant isolation of control plane traffic?

A. VLAN
B. VNI
C. VXLAN tunnel
D. VRF
Answer: D

VRF creates separate routing instances for each tenant, isolating control plane traffic.

Why this answer

In VXLAN EVPN, per-tenant isolation of control plane traffic is achieved through the use of VRFs (Virtual Routing and Forwarding instances). Each tenant is assigned a unique VRF, which maintains its own separate routing table and forwarding decisions, ensuring that control plane information (such as MAC/IP routes advertised via MP-BGP EVPN) is isolated between tenants. This is distinct from data plane isolation, which is provided by VXLAN Network Identifiers (VNIs).

Exam trap

Cisco often tests the distinction between data plane isolation (VNI) and control plane isolation (VRF), leading candidates to mistakenly choose VNI because it is the most visible segmentation identifier in VXLAN.

How to eliminate wrong answers

Option A is wrong because VLANs operate at Layer 2 and provide broadcast domain isolation within a physical network, but they do not isolate control plane traffic in a VXLAN EVPN overlay; VLANs are mapped to VNIs for data plane segmentation. Option B is wrong because a VNI (VXLAN Network Identifier) is used to identify and isolate data plane traffic (VXLAN segments) at Layer 2, not the control plane; control plane isolation requires separate routing contexts. Option C is wrong because a VXLAN tunnel is simply the encapsulation mechanism that carries VXLAN packets between VTEPs; it does not provide any per-tenant isolation of control plane signaling or routing information.

40
MCQ · medium

An engineer is configuring a new data center leaf switch to enforce micro-segmentation using Cisco ACI. The requirement is to permit traffic from web servers to application servers on TCP port 8080, but deny all other traffic. The web servers are in EPG 'web_EPG' and application servers in EPG 'app_EPG'. Which contract configuration should be applied?

A. Create a contract with subject 'web_to_app' and apply filter 'tcp_8080'. Use vzAny for both EPGs.
B. Create a contract with subject 'web_to_app' and apply filter 'tcp_8080'. Assign web_EPG as provider and app_EPG as consumer.
C. Create a contract with subject 'web_to_app' and apply filter 'tcp_8080' with direction 'both'. Assign web_EPG as provider and app_EPG as consumer.
D. Create a contract with subject 'web_to_app' and apply filter 'ip'. Assign web_EPG as provider and app_EPG as consumer.
Answer: C

Correct: provider sends traffic to consumer; filter permits TCP 8080; direction both allows response.

Why this answer

Option C is correct because in Cisco ACI, contracts define the rules for communication between EPGs. The provider EPG offers a service, and the consumer EPG accesses it. By setting the filter direction to 'both', the contract enforces bidirectional traffic on TCP port 8080, which is necessary for web-to-application communication (e.g., HTTP responses).

This configuration ensures that only traffic matching the filter is permitted, while all other traffic is implicitly denied by ACI's default deny behavior.

Exam trap

The trap here is that candidates assume the default filter direction (consumer to provider) is sufficient for bidirectional TCP communication, but Cisco tests the understanding that the 'both' direction is required for return traffic in ACI contracts.

How to eliminate wrong answers

Option A is wrong because vzAny is a special object representing all EPGs, not a specific EPG assignment; using vzAny for both EPGs would apply the contract to all traffic, violating the micro-segmentation requirement. Option B is wrong because it assigns web_EPG as provider and app_EPG as consumer, but the filter direction is not specified; by default, ACI applies the filter only from consumer to provider, which would block return traffic from app_EPG to web_EPG, breaking the bidirectional communication needed for TCP port 8080. Option D is wrong because the filter 'ip' permits all IP traffic, which is too permissive and does not restrict traffic to TCP port 8080, failing the requirement to deny all other traffic.

41
Multi-Select · medium

Which THREE methods can be used to propagate Cisco TrustSec Security Group Tags (SGTs) across a network? (Choose three.)

Select 3 answers
A. VXLAN with group-based policy
B. SXP (SGT Exchange Protocol)
C. 802.1Q tag (inline tagging)
D. CDP (Cisco Discovery Protocol)
E. LLDP
Answers: A, B, C

VXLAN can carry SGTs in the Group Policy ID (GPID) field.

Why this answer

VXLAN with group-based policy (GBP) is a valid method for propagating SGTs because it embeds the SGT into the VXLAN Group Policy ID (GPID) field within the VXLAN header. This allows the SGT to be carried across an overlay network, enabling scalable, policy-based segmentation in a fabric environment without requiring inline tagging or SXP.

Exam trap

Cisco often tests the distinction between discovery protocols (CDP/LLDP) and actual SGT propagation mechanisms; the trap here is assuming that any Cisco proprietary protocol can carry SGTs, when in fact only SXP, inline tagging, and VXLAN GBP are valid.

42
Multi-Select · hard

Which THREE of the following are valid methods to secure the control plane on a Cisco Nexus 9000 switch?

Select 3 answers
A. Enable control plane policing (CoPP) to rate-limit control plane traffic.
B. Configure management access lists to restrict SSH/SNMP access.
C. Disable unused services such as HTTP/HTTPS server.
D. Enable Bidirectional Forwarding Detection (BFD) on all interfaces.
E. Implement routing protocol authentication (e.g., OSPF MD5).
Answers: A, B, C

CoPP protects the control plane from DoS attacks.

Why this answer

Control plane policing (CoPP) is a valid method to secure the control plane on a Cisco Nexus 9000 switch. CoPP uses a policy map applied to the control plane to rate-limit or drop traffic destined to the supervisor module, protecting the CPU from excessive or malicious traffic. This is a direct control plane security mechanism defined in Cisco NX-OS.

Exam trap

Cisco often tests the distinction between control plane security (CoPP, management ACLs, disabling services) and other security features like BFD or routing authentication, which protect different planes or functions.

43
MCQ · easy

An engineer needs to implement port security on a Cisco Nexus 1000v virtual switch to prevent MAC flooding attacks. The requirement is to allow only the first MAC address learned on the port. Which command sequence accomplishes this?

A. interface ethernet 1/1; switchport port-security; switchport port-security maximum 2; switchport port-security violation restrict
B. interface ethernet 1/1; switchport port-security; switchport port-security maximum 1; switchport port-security violation shutdown
C. interface ethernet 1/1; switchport port-security; switchport port-security maximum 10; switchport port-security violation protect
D. interface ethernet 1/1; switchport port-security manual; switchport port-security mac-address 0000.1111.2222
Answer: B

This sets the maximum MAC addresses to 1 and violation action to shutdown.

Why this answer

Option B is correct because the command sequence sets the maximum number of MAC addresses to 1, which ensures only the first learned MAC address is allowed on the port. The 'violation shutdown' action disables the port if a violation occurs, effectively preventing MAC flooding attacks by stopping any additional MAC addresses from being learned.

Exam trap

Cisco often tests the distinction between 'violation protect' (silently drops unknown traffic) and 'violation shutdown' (disables the port), and candidates may mistakenly choose 'protect' thinking it is sufficient, but only 'shutdown' fully prevents MAC flooding by stopping all traffic on the port.

How to eliminate wrong answers

Option A is wrong because it sets the maximum to 2, allowing two MAC addresses instead of the required one, and uses 'restrict' which only drops traffic from unknown MACs without disabling the port. Option C is wrong because it sets the maximum to 10, allowing multiple MAC addresses, and uses 'protect' which silently drops unknown traffic but does not prevent the port from learning multiple MACs. Option D is wrong because 'switchport port-security manual' is not a valid command on Cisco Nexus switches; the correct command is 'switchport port-security mac-address sticky' or a static MAC assignment, and it does not enforce the 'first learned' behavior.

44
Multi-Select · medium

Which TWO security features are used to prevent MAC address flooding attacks on a Cisco Nexus switch? (Choose two.)

Select 2 answers
A. Port Security
B. IP Source Guard
C. Control Plane Policing
D. DHCP Snooping
E. BPDU Guard
Answers: A, D

Port Security limits the number of MAC addresses per port.

Why this answer

Port Security (A) is correct because it limits the number of MAC addresses allowed on a switch port, preventing MAC flooding attacks by dropping frames from unknown source MACs once the limit is exceeded. DHCP Snooping (D) is correct because it builds a trusted database of IP-to-MAC bindings from DHCP messages, which can be used to validate traffic and prevent MAC spoofing that often accompanies flooding attacks.

Exam trap

Cisco often tests the distinction between features that directly prevent MAC flooding (Port Security, DHCP Snooping) versus features that mitigate related spoofing attacks (IP Source Guard, Dynamic ARP Inspection), leading candidates to mistakenly select IP Source Guard.

45
MCQ · easy

A network engineer is configuring DHCP snooping on a Cisco Nexus 9000 switch to prevent rogue DHCP server attacks. The switch connects to the legitimate DHCP server on Ethernet 1/1. Clients are connected to ports Ethernet 1/2 through 1/24. The engineer enables DHCP snooping globally and on VLAN 10, but clients are unable to obtain IP addresses from the DHCP server. Other connectivity between clients and the server works (e.g., static IPs). What is the most likely cause and solution?

A. Disable DHCP snooping as it is not needed in this topology.
B. Configure a static DHCP binding for each client on the switch.
C. Ethernet 1/1 is untrusted by default. Configure it as trusted with 'ip dhcp snooping trust' and verify DHCP snooping is enabled on VLAN 10.
D. Add 'ip dhcp snooping information option' on Ethernet 1/1 to allow DHCP option 82.
Answer: C

Correct. DHCP snooping requires the port towards the trusted server to be set as trusted to allow server messages.

Why this answer

By default, all interfaces on a Cisco Nexus 9000 switch are untrusted for DHCP snooping. The legitimate DHCP server is connected to Ethernet 1/1, which must be explicitly configured as trusted using the 'ip dhcp snooping trust' interface command. Without this, the switch discards DHCP server messages (OFFER, ACK) received on that port, preventing clients from obtaining IP addresses even though DHCP snooping is enabled globally and on VLAN 10.

Exam trap

Cisco often tests the default untrusted state of all interfaces in DHCP snooping, leading candidates to assume that enabling snooping globally and on a VLAN is sufficient without configuring trust on the server-facing port.

How to eliminate wrong answers

Option A is wrong because DHCP snooping is a necessary security feature to block rogue DHCP servers; disabling it would leave the network vulnerable and does not address the misconfiguration. Option B is wrong because static DHCP bindings are used for IP Source Guard or to map client MAC addresses to IP addresses, not to allow DHCP server messages through an untrusted port. Option D is wrong because the 'ip dhcp snooping information option' (DHCP option 82) is used to insert relay agent information and is not required for basic DHCP snooping trust; it is typically used in DHCP relay scenarios, not for directly connected servers.

46
MCQ · hard

Refer to the exhibit. The configuration is intended to provide Layer 2 isolation within VLAN 100 while allowing the promiscuous port (Ethernet 1/1) to communicate with all ports in the community VLAN. However, hosts in VLAN 100 cannot communicate with each other. What is the most likely misconfiguration?

A. The SVI interface needs 'ip address' to be removed.
B. The SVI interface should have 'private-vlan mapping' to the primary VLAN, not the community VLAN.
C. The 'switchport private-vlan association trunk' command on Ethernet 1/1 is incorrect; it should be 'switchport private-vlan association mapping' or similar.
D. The command 'no ip redirects' should not be applied to the SVI.
Answer: C

The association command syntax is likely wrong; it should map the secondary VLAN to the promiscuous port.

Why this answer

The command 'switchport private-vlan association trunk' is invalid for configuring a promiscuous port in a private VLAN. The correct command is 'switchport private-vlan mapping primary-vlan-id secondary-vlan-id' to map the promiscuous port to the primary VLAN and the secondary community VLAN. Without this correct mapping, the promiscuous port cannot forward traffic to hosts in the community VLAN, causing Layer 2 isolation to fail.

Exam trap

Cisco often tests the distinction between 'private-vlan association' (used on trunk ports) and 'private-vlan mapping' (used on promiscuous or host ports), leading candidates to confuse the two commands and misapply them.

How to eliminate wrong answers

Option A is wrong because removing the IP address from the SVI would break Layer 3 routing for VLAN 100, which is not required for Layer 2 isolation; the SVI IP is needed for management or routing, and its presence does not affect private VLAN behavior. Option B is wrong because the 'private-vlan mapping' on the SVI should map the primary VLAN to the secondary community VLAN (e.g., 'private-vlan mapping 100 200'), not the community VLAN to the primary; the given syntax is correct in intent, but the issue is on the promiscuous port, not the SVI. Option D is wrong because 'no ip redirects' is a security feature that disables ICMP redirects and does not impact private VLAN isolation or host-to-host communication within a community VLAN.

47
Drag & Drop · medium

Order the steps to upgrade the software on a Cisco Nexus switch using ISSU.

Why this order

ISSU requires image copy, boot variable, compatibility check, upgrade command, and reload.

48
MCQ · hard

Refer to the exhibit. The CoPP policy above is applied. Which traffic is most likely to be dropped?

A. Both ICMP and class-default traffic that exceed their rates
B. ICMP traffic that exceeds 1000 bps
C. class-default traffic that exceeds 20000 bps
D. OSPF traffic that exceeds 5000 bps
Answer: B

The ICMP class drops packets that exceed the police rate.

Why this answer

Option B is correct because the CoPP policy explicitly defines a class-map for ICMP traffic with a police rate of 1000 bps. Any ICMP traffic exceeding this rate is dropped due to the 'drop' action in the police command. The other classes (OSPF and class-default) have higher rates and are not as constrained, making ICMP the most likely to be dropped when exceeded.

Exam trap

Cisco often tests the misconception that all traffic exceeding its policed rate is equally likely to be dropped, but the trap here is that the lowest policed rate (ICMP at 1000 bps) is the most restrictive and thus the most likely to be exceeded and dropped, not the higher-rate classes.

How to eliminate wrong answers

Option A is wrong because the class-default traffic is policed at 20000 bps, which is a much higher rate than ICMP's 1000 bps, so class-default is less likely to be dropped unless it significantly exceeds its rate; ICMP is the primary concern. Option C is wrong because class-default traffic has a police rate of 20000 bps, which is 20 times higher than ICMP's rate, making it less likely to be dropped under typical traffic loads. Option D is wrong because OSPF traffic is policed at 5000 bps, which is 5 times higher than ICMP's rate, and OSPF control traffic is typically low-volume, so it is not the most likely to be dropped.

49
MCQ · medium

Two Cisco Nexus 9000 switches are connected via Ethernet interface 1/1. The engineer wishes to secure the link using MACsec (IEEE 802.1AE) with a pre-shared key for connectivity association key (CAK) protection. Both switches have the same hardware and software version supporting MACsec. The engineer configures the following on both switches:

feature macsec
macsec policy MACSEC_POLICY
  cipher-suite gcm-aes-128
  security-mode no-encrypt
  mka sak-rekey-time 30
interface ethernet 1/1
  macsec policy MACSEC_POLICY

However, the link comes up without MACsec encryption (the port counter shows MACsec frames dropped). The engineer checks that the pre-shared key is configured correctly via 'macsec key-chain' but notices it was not explicitly applied. What is the most likely reason for MACsec failing to establish?

A. Both switches must have the same MACsec profile name.
B. The interface must be put in a 'macsec' mode with 'switchport macsec'.
C. The MACsec key chain must be created and referenced in the macsec policy, and the MKA policy must be applied to the interface with 'macsec mka policy'.
D. The 'feature macsec' command is not enabled, so MACsec is not operational.
Answer: C

Correct. A key chain must be defined and linked to the policy, and the MKA policy must be explicitly applied under the interface.

Why this answer

Option C is correct because MACsec on Cisco Nexus 9000 switches requires a key chain to be defined and explicitly referenced within the MACsec policy. Without the 'key-chain' command under the 'macsec policy', the pre-shared key (CAK) is not available for MKA (MACsec Key Agreement) to derive session keys. Additionally, the MKA policy must be applied to the interface using 'macsec mka policy' to enable the key agreement protocol; simply enabling MACsec on the interface without these steps leaves the link unsecured, causing MACsec frames to be dropped.

Exam trap

Cisco often tests the requirement that a key chain must be explicitly referenced in the MACsec policy and that an MKA policy must be applied to the interface, tricking candidates into thinking that simply enabling MACsec on the interface with a policy is sufficient.

How to eliminate wrong answers

Option A is wrong because the MACsec profile name does not need to match on both switches; only the key chain parameters (e.g., key string) must match for MKA to succeed. Option B is wrong because 'switchport macsec' is not a valid command on Nexus 9000; the interface is placed into MACsec mode by applying the MACsec policy directly with 'macsec policy' under the interface. Option D is wrong because 'feature macsec' is correctly enabled in the configuration, so MACsec is operational at the feature level; the failure is due to missing key chain and MKA policy application, not the feature being disabled.

50
Multi-Select · hard

Which THREE are characteristics of Cisco TrustSec? (Select exactly 3)

Select 3 answers
A. Uses SGTs to enforce policy
B. Requires Cisco ISE
C. Operates at Layer 2
D. Uses CTS auth-proxy
E. Requires MACsec encryption
Answers: A, C, D

SGTs are central to TrustSec for classifying and enforcing access policies.

Why this answer

Cisco TrustSec uses Security Group Tags (SGTs) to enforce access control policies based on user, device, or workload identity rather than IP addresses. SGTs are assigned during authentication and carried in Ethernet frames (via Cisco Meta Data or inline tagging) to allow scalable, identity-based policy enforcement throughout the network.

Exam trap

Cisco often tests the misconception that TrustSec requires ISE or MACsec, but the core characteristics are SGT-based policy enforcement, Layer 2 operation, and the CTS auth-proxy mechanism for legacy device support.

51
MCQ · medium

A network administrator wants to prevent IP spoofing attacks on a data center access switch. The switch has IP Source Guard enabled on the client-facing ports. Which condition must be met for IP Source Guard to work properly?

A. DHCP snooping must be disabled on the VLAN.
B. DHCP snooping must be enabled on the VLAN and the port must be untrusted.
C. All clients must use DHCP; static IPs are not supported.
D. Dynamic ARP Inspection must be enabled first.
Answer: B

IP Source Guard uses the DHCP snooping binding table on untrusted ports.

Why this answer

IP Source Guard uses a binding table created by DHCP snooping to validate the source IP address of packets received on a port. For IP Source Guard to work, DHCP snooping must be enabled on the VLAN, and the client-facing port must be configured as an untrusted port so that DHCP snooping can populate the binding table with valid DHCP lease information. Without this binding table, IP Source Guard has no source IP-to-MAC mapping to enforce.

Exam trap

Cisco often tests the dependency between IP Source Guard and DHCP snooping, specifically that DHCP snooping must be enabled on the VLAN and the port must be untrusted, leading candidates to incorrectly assume DHCP snooping must be disabled or that static IPs are unsupported.

How to eliminate wrong answers

Option A is wrong because DHCP snooping must be enabled on the VLAN to build the IP-to-MAC binding table that IP Source Guard relies on; disabling DHCP snooping would leave the binding table empty, causing IP Source Guard to drop all traffic. Option C is wrong because IP Source Guard supports static IP assignments if a static binding is manually configured using the 'ip source binding' command; it does not require all clients to use DHCP. Option D is wrong because Dynamic ARP Inspection (DAI) is a separate security feature that also depends on DHCP snooping, but IP Source Guard does not require DAI to be enabled first; both features can operate independently as long as DHCP snooping is active.

52
MCQ · easy

A network engineer is configuring VLAN ACLs on a Cisco Nexus 9000 switch to enforce traffic filtering between VLANs. Which configuration step is required to apply a VACL to a VLAN?

A. Apply the VACL to a Layer 3 interface using 'ip access-group'.
B. Apply the VACL to a physical port using 'mac access-group'.
C. Define a VLAN access-map and then apply it under the VLAN configuration.
D. Use the 'vlan filter' command in global configuration mode.
Answer: D

'vlan filter' applies the VACL to a specific VLAN.

Why this answer

Option D is correct because VACLs on Cisco Nexus 9000 switches are applied using the 'vlan filter' command in global configuration mode, which references a VLAN access-map. This command binds the access-map to a specific VLAN, enabling Layer 2 traffic filtering between VLANs without requiring a Layer 3 interface.

Exam trap

Cisco often tests the distinction between applying an ACL to an interface versus applying a VACL to a VLAN, and the trap here is that candidates mistakenly think a VLAN access-map is applied directly under the VLAN configuration (like 'vlan 10' mode) rather than using the global 'vlan filter' command.

How to eliminate wrong answers

Option A is wrong because 'ip access-group' applies an IP ACL to a Layer 3 interface (SVI or routed port), not a VACL, and VACLs are not applied to Layer 3 interfaces. Option B is wrong because 'mac access-group' applies a MAC ACL to a physical port for Layer 2 traffic filtering on that port, not to a VLAN for inter-VLAN filtering. Option C is wrong because while defining a VLAN access-map is a necessary step, it must be applied using the 'vlan filter' command in global configuration mode, not under the VLAN configuration (the 'vlan' config mode does not support applying access-maps directly).

53
Multi-Select · easy

Which TWO features are used to validate ARP packets and prevent ARP spoofing attacks? (Select exactly 2)

Select 2 answers
A. IP Source Guard
B. Private VLANs
C. Dynamic ARP Inspection
D. Port Security
E. DHCP Snooping
Answers: C, E

DAI intercepts and validates ARP packets.

Why this answer

Dynamic ARP Inspection (DAI) is correct because it validates ARP packets by checking them against the DHCP snooping binding database, ensuring that only legitimate ARP replies and requests are forwarded. This prevents ARP spoofing attacks where an attacker sends falsified ARP messages to associate their MAC address with the IP address of a legitimate device.

Exam trap

Cisco often tests the distinction between features that validate ARP packets (DAI) versus features that validate IP packets (IP Source Guard) or limit MAC addresses (Port Security), causing candidates to confuse the scope of each security mechanism.

54
MCQ · hard

In an ACI fabric, an EPG is configured with a contract that allows HTTP traffic to an external network. The external network is reachable via a Layer 3 Outside. However, HTTP traffic from the EPG fails. What is the most likely cause?

A. The subject action is set to deny
B. The L3Out and the EPG are in different VRFs
C. The filter uses the wrong direction
D. The contract is applied to the consumer EPG instead of the provider
Answer: B

Contracts are enforced within a VRF. If the L3Out sits in a different VRF from the EPG, the inter-VRF (shared services) configuration is required, and that is what leaks the routes between the two VRFs.

Why this answer

Option B is correct because in Cisco ACI an EPG and an L3Out communicate within one VRF by default. If the EPG's bridge domain and the L3Out belong to different VRFs, the fabric has neither a route to the external prefix in the EPG's VRF nor a policy entry for the EPG/external-EPG pair, so HTTP is dropped even though the contract permits it. Making it work requires the inter-VRF (shared services) setup: the contract scope raised from VRF to Tenant or Global, and the bridge-domain subnet and the L3Out external subnet flagged as shared between VRFs so the routes are leaked in both directions. The VRF is the routing and policy enforcement boundary for the contract.

Exam trap

Cisco often tests the misconception that a contract alone is sufficient for inter-VRF communication; in ACI a contract's default scope is VRF, so bridging VRFs needs the scope raised to Tenant or Global and the relevant subnets marked Shared between VRFs (the shared-services model), not just a permit filter.

How to eliminate wrong answers

Option A is wrong because if the subject action were set to deny, the contract would explicitly block HTTP traffic, but the question states the contract allows HTTP, so the action is not deny. Option C is wrong because a filter direction problem would break one direction of an otherwise working flow rather than all HTTP traffic, and the question presents the contract and filter as correct; the failure is the VRF mismatch, which prevents any policy and route programming. Option D is wrong because a contract must be attached on both sides anyway: the EPG that initiates the HTTP session consumes the contract and the L3Out external EPG provides it, which is the normal and correct arrangement for traffic leaving the fabric, so it does not explain the failure.

55
MCQeasy

Which control plane protection mechanism should be configured to limit the rate of BGP updates destined to the CPU of a Nexus 9000 switch to prevent CPU overload?

A.VLAN Access Control Lists (VACLs)
B.Control Plane Policing (CoPP)
C.EtherChannel load balancing
D.Switched Port Analyzer (SPAN)
AnswerB

CoPP rate-limits control plane packets.

Why this answer

Control Plane Policing (CoPP) is the correct mechanism because it directly filters and rate-limits control plane traffic, such as BGP updates, before it reaches the CPU of a Nexus 9000 switch. By applying a CoPP policy, you can protect the CPU from being overwhelmed by excessive BGP updates, ensuring stability and preventing denial-of-service conditions.

Exam trap

Cisco often tests the distinction between data plane and control plane mechanisms, and the trap here is that candidates may confuse VACLs (data plane filtering) with CoPP (control plane policing), assuming any ACL can protect the CPU.

How to eliminate wrong answers

Option A is wrong because VLAN Access Control Lists (VACLs) filter traffic within the data plane at the VLAN level, not the control plane, and cannot rate-limit BGP updates destined to the CPU. Option C is wrong because EtherChannel load balancing distributes data traffic across aggregated links to improve bandwidth and redundancy, but it has no mechanism to police or limit control plane traffic like BGP updates. Option D is wrong because Switched Port Analyzer (SPAN) is used for port mirroring traffic to a monitoring device for analysis, not for filtering or rate-limiting control plane packets to the CPU.

56
MCQmedium

A Cisco ACI fabric has contracts configured to allow traffic between two EPGs. After deployment, traffic between endpoints in these EPGs is being dropped, but contract statistics show no packets have been permitted. The administrator checks the contract configuration and it looks correct. What is the most likely cause?

A.The contract is configured only on the provider EPG, but the consumer EPG is not consuming the contract.
B.The contract is applied to the wrong VRF.
C.The filter direction is set to both, but the contract is using an incorrect filter.
D.The endpoints are in different VMM domains.
AnswerA

The consumer EPG must also consume the contract; otherwise, traffic is denied.

Why this answer

The most likely cause is that the contract is configured on the provider EPG but the consumer EPG is not configured to consume it. In Cisco ACI, a contract must be explicitly provided by one EPG and consumed by another for traffic to be permitted. If the consumer EPG does not have the contract applied, the contract will not be enforced, and traffic will be dropped even if the contract configuration appears correct.

The contract statistics showing no permitted packets confirm that the contract is not being applied to the traffic flow.

Exam trap

Cisco often tests the misconception that configuring a contract on the provider EPG alone is enough to permit traffic, when in fact the consumer EPG must also explicitly consume the contract for the policy to take effect.

How to eliminate wrong answers

Option B is wrong because contracts are attached to EPGs, not applied to a VRF; a VRF scope problem would have surfaced when the administrator reviewed the contract and its scope, which the question says looked correct. Option C is wrong because a filter with the wrong direction or ports would still be programmed as zoning rules and the mismatch would be visible in the filter review; the symptom here, a contract that is never hit at all, points to the contract not being attached on the consumer side. Option D is wrong because endpoints in different VMM domains can still communicate if the EPGs are in the same VRF and a contract is properly provided and consumed; the VMM domain affects endpoint discovery and port-group deployment, not whether a contract is enforced.

57
Multi-Selecteasy

Which two statements are true about Cisco TrustSec? (Choose two.)

Select 2 answers
A.It requires a Cisco ISE policy server
B.It requires 802.1X authentication
C.It provides encryption at Layer 2
D.It uses VLANs for segmentation
E.It uses SGTs for access control
AnswersA, E

ISE is the policy server that defines and distributes SGT-based policies.

Why this answer

Cisco TrustSec relies on Cisco ISE as its policy server. ISE defines the security groups and the source-group to destination-group policy matrix, assigns an SGT to an endpoint as part of the authorization result after it authenticates (802.1X, MAB or web authentication) or is profiled, and pushes the resulting SGACL policies to the enforcement devices. The IP-to-SGT binding then propagates either inline, with the tag carried in the Cisco Meta Data header of each frame, or out of band through SXP (SGT Exchange Protocol) for hops that cannot tag frames. Option E is the other true statement: access control is expressed as SGT-based rules rather than VLAN or IP-based ACLs, which is the point of the architecture.

Exam trap

Cisco often tests the misconception that TrustSec requires 802.1X or provides mandatory encryption, when in fact 802.1X is just one of several authentication methods and encryption (MACsec) is an optional enhancement.

58
Multi-Selecthard

Which TWO statements about Cisco TrustSec in a data center environment are true? (Choose two.)

Select 2 answers
A.TrustSec requires MACsec encryption on all links to function.
B.Cisco ISE can dynamically assign SGTs to endpoints during authentication.
C.TrustSec uses Security Group Tags (SGTs) to enforce access control policies.
D.SGTs are assigned based on the source IP address of the traffic.
E.TrustSec policies are enforced at Layer 3 only.
AnswersB, C

ISE assigns SGTs as part of policy after authentication.

Why this answer

Cisco ISE can dynamically assign Security Group Tags (SGTs) to endpoints during authentication via 802.1X or MAB, enabling role-based access control. This is a core TrustSec feature: the SGT is propagated to the network infrastructure (inline in the frame or via SXP) and becomes the key that policy is written against. Option C is true for the same reason: enforcement devices apply SGACLs keyed on the source and destination SGT of each packet, so the policy is independent of the endpoint's IP address or VLAN, and it can be enforced on Layer 2 as well as Layer 3 hops.

Exam trap

Cisco often tests the misconception that TrustSec requires MACsec or IP-based tagging, when in fact SGTs are identity-based and MACsec is optional; candidates may also incorrectly assume TrustSec is Layer 3 only, ignoring its Layer 2 enforcement capabilities.

59
MCQhard

A network administrator suspects that a rogue DHCP server is active on the data center network. The switches are Cisco Nexus 9000 series running NX-OS. Which configuration should be applied to prevent DHCP spoofing?

A.Enable dynamic ARP inspection on all VLANs.
B.Enable IP source guard on all access ports.
C.Enable DHCP snooping globally and configure uplink ports as trusted.
D.Enable MAC port security on all access ports.
AnswerC

DHCP snooping filters DHCP offers from untrusted ports.

Why this answer

DHCP snooping is the correct defense against rogue DHCP servers because it classifies ports as trusted or untrusted and drops DHCP server messages (DHCPOFFER, DHCPACK, DHCPNAK) that arrive on untrusted ports, while forwarding them from trusted ports. Enabling it globally and for the VLANs in question, then trusting only the uplinks and the port facing the legitimate server, means a rogue server on an access port can no longer hand out malicious IP configurations such as a bogus default gateway or DNS server. On NX-OS this is feature dhcp, ip dhcp snooping, ip dhcp snooping vlan for each VLAN, and ip dhcp snooping trust on the uplink interfaces.

Exam trap

Cisco often tests the distinction between DHCP snooping (which blocks rogue DHCP servers) and DAI or IPSG (which rely on DHCP snooping but address different threats), leading candidates to confuse the security feature with its prerequisite.

How to eliminate wrong answers

Option A is wrong because dynamic ARP inspection (DAI) validates ARP packets based on DHCP snooping bindings, but it does not directly prevent a rogue DHCP server from sending DHCP offers. Option B is wrong because IP source guard (IPSG) filters IP traffic based on the DHCP snooping binding table, but it does not block DHCP server messages; it only prevents IP spoofing on data traffic. Option D is wrong because MAC port security limits the number of MAC addresses per port and prevents MAC flooding, but it has no mechanism to detect or block unauthorized DHCP servers.

60
MCQeasy

A data center engineer is configuring 802.1X authentication on Cisco Nexus switches for wired endpoints. The requirement is to allow traffic on the port even if no EAPOL packet is received from the endpoint (e.g., a printer). Which authentication method should be used?

A.MAC Authentication Bypass (MAB)
B.802.1X using RADIUS server
C.Port security with sticky MAC addresses
D.Local authentication with a predefined list of users
AnswerA

MAB uses the device's MAC address to authenticate against the RADIUS server if no EAPOL is received.

Why this answer

MAC Authentication Bypass (MAB) is the correct method because it allows a port to authenticate endpoints that do not send EAPOL frames, such as printers or other legacy devices. When no EAPOL is received within a configurable timeout, the switch falls back to using the source MAC address of the first frame as the authentication credential, sending it to the RADIUS server for verification. This satisfies the requirement to permit traffic even without 802.1X supplicant capability.

Exam trap

Cisco often tests the distinction between authentication methods that require EAPOL (802.1X) and those that do not (MAB), and the trap here is that candidates confuse port security or local authentication with network access control, failing to recognize that MAB is the specific fallback for non-EAPOL endpoints.

How to eliminate wrong answers

Option B is wrong because 802.1X using a RADIUS server requires the endpoint to send EAPOL frames to initiate authentication; if no EAPOL is received, the port remains unauthorized and blocks traffic. Option C is wrong because port security with sticky MAC addresses is a Layer 2 access control mechanism that limits the number of learned MAC addresses but does not integrate with RADIUS-based authentication or handle the absence of EAPOL. Option D is wrong because local authentication with a predefined list of users is used for device administration (e.g., SSH or console login), not for port-based network access control of wired endpoints.

61
MCQmedium

A company runs a multi-tenant data center using Cisco ACI with multiple tenants. Each tenant has its own VRF and EPGs. The security policy requires that tenant A's web servers (EPG web_tenantA) be accessible from tenant B's application servers (EPG app_tenantB) only via HTTPS (TCP 443). The ACI fabric is configured with contracts. The administrator has created a contract with a filter for HTTPS (tcp dstPort 443) and applied it as a provider contract on EPG web_tenantA and as a consumer contract on EPG app_tenantB. However, traffic from tenant B's app servers to tenant A's web servers is being dropped. The administrator has verified that the contracts are applied correctly and the filter is correct. What is the most likely cause of the traffic drop?

A.The EPGs are not in the same bridge domain; they must be in the same bridge domain to communicate.
B.The VRF of tenant A and tenant B must have route leaking configured to allow inter-VRF routing.
C.The contract is not marked as 'shared' between tenants; a shared contract must be created and both EPGs must be in the same VRF or use a shared VRF.
D.The filter for HTTPS must also include the source port range 49152-65535 for ephemeral ports.
AnswerC

ACI contracts are VRF-scoped by default; cross-tenant access needs a Global-scope contract exported to the consuming tenant, with the provider subnet shared between VRFs.

Why this answer

In Cisco ACI a contract's scope defaults to VRF, so a contract provided in one VRF and consumed in another (here, two tenants with their own VRFs) is never programmed across the boundary. Cross-tenant access requires the contract scope to be set to Global in tenant A, the contract to be exported to tenant B and consumed there as a contract interface, and the bridge-domain subnet behind web_tenantA to be marked Shared between VRFs so its prefix is leaked into tenant B's VRF. Without this shared configuration the HTTPS filter is never applied across the VRF boundary and traffic is dropped even though the contract and filter are correct.

Exam trap

Cisco often tests the misconception that contracts work across VRFs or tenants by default, when in fact the default scope is VRF; candidates overlook the need to raise the scope, export the contract and share the subnet.

How to eliminate wrong answers

Option A is wrong because EPGs do not need to share a bridge domain to communicate; routed traffic between EPGs in different BDs, and even in different VRFs when shared services are configured, is permitted by contracts. Option B is wrong as phrased because ACI has no separately configured, route-map style leaking between VRFs: the prefix of web_tenantA's bridge domain is leaked into tenant B's VRF as a consequence of the shared contract plus the subnet being marked Shared between VRFs, so the element the administrator is missing is the shared (Global scope, exported) contract, not a route-leak step. Option D is wrong because a filter entry of tcp dstPort 443 covers the consumer-to-provider direction and, with the contract's default Apply Both Directions and Reverse Filter Ports settings, ACI programs the return rule with 443 as the source port; listing the ephemeral source-port range is unnecessary and its absence does not drop traffic.

62
Multi-Selecteasy

Which THREE are best practices for securing a data center network? (Choose three.)

Select 3 answers
A.Apply device hardening, such as disabling unused services.
B.Use encryption (e.g., MACsec, IPsec) for sensitive traffic.
C.Implement role-based access control (RBAC) for management access.
D.Disable logging to reduce CPU load.
E.Use default SNMP community strings for simplicity.
AnswersA, B, C

Hardening reduces attack surface.

Why this answer

Device hardening, such as disabling unused services, is a fundamental best practice for securing a data center network. By reducing the attack surface, you eliminate potential entry points for exploits, which is a core principle of Cisco's secure network design and of the Cisco Nexus and IOS-XE hardening guidelines, where services like HTTP, Telnet, or CDP are disabled to prevent unauthorized access or reconnaissance. Encrypting sensitive traffic (option B) protects it from interception on links you do not fully control: MACsec for hop-by-hop Layer 2 links between switches, IPsec for traffic that crosses routed or untrusted networks. Role-based access control for management access (option C) limits each administrator to the commands and views their role needs, typically with AAA against TACACS+ or RADIUS, so a compromised or careless account cannot reconfigure the whole fabric.

Exam trap

Cisco often tests the concept that security best practices must never sacrifice security for performance or convenience, so traps like 'disable logging' or 'use default strings' are designed to lure candidates who prioritize operational simplicity over security.

63
MCQmedium

Refer to the exhibit. What is the effect of this configuration on traffic in VLAN 10?

A.Telnet traffic is permitted; all other traffic is denied.
B.All traffic is denied except telnet.
C.Telnet traffic is denied; all other traffic is permitted.
D.All traffic is permitted.
AnswerC

Correct: first sequence drops telnet, second forwards all else.

Why this answer

The VACL first matches telnet traffic and drops it. The second sequence forwards all other traffic. Thus, only telnet is denied; all other traffic is permitted.
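As an added example (not code from the original page; the ACL names, sequence numbers and VLAN are assumed), this is the NX-OS configuration that produces the behaviour described in this question. It also shows the point from question 52 above: the access-map is activated with the global vlan filter command, not under vlan 10.

```text
! Added example: NX-OS VACL that drops Telnet inside VLAN 10 and forwards everything else.
! ACL names, sequence numbers and the VLAN number are assumed for illustration.
ip access-list TELNET-TRAFFIC
  10 permit tcp any any eq 23
  20 permit tcp any eq 23 any
ip access-list ANY-IP
  10 permit ip any any

! Sequence 10 matches Telnet in either direction and drops it.
vlan access-map VLAN10-FILTER 10
  match ip address TELNET-TRAFFIC
  action drop
! Sequence 20 explicitly forwards the rest, so the intent does not depend on
! the platform's implicit end-of-map behaviour.
vlan access-map VLAN10-FILTER 20
  match ip address ANY-IP
  action forward

! Activation is global. There is no "vlan filter" command under "vlan 10".
vlan filter VLAN10-FILTER vlan-list 10

! Verify the map and where it is applied
show vlan access-map
show vlan filter
```

The VACL is applied to all traffic bridged in VLAN 10, including frames to and from the VLAN's SVI, so Telnet to the switch's own VLAN 10 address is dropped too; that is usually desirable, but check management access before applying it.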

64
MCQmedium

A company uses Cisco TrustSec in its data center to enforce segmentation. Servers in VLAN 10 (Finance) should only communicate with servers in VLAN 20 (ERP) via an application gateway. Which TrustSec component is used to assign a Security Group Tag (SGT) to traffic from the Finance servers?

A.Identity Services Engine (ISE) as the authentication and policy server
B.MACsec encryption on the links
C.802.1X port-based authentication
D.VLAN ACL (VACL) on the switch
AnswerA

ISE assigns SGTs based on user or device identity.

Why this answer

In Cisco TrustSec, the Identity Services Engine (ISE) is the authentication and policy server that maps an identity to a Security Group Tag. ISE identifies the Finance servers through 802.1X, MAB or web authentication (or, for servers that never authenticate, through a static IP-to-SGT mapping that ISE holds and distributes over SXP) and returns the Finance SGT as part of the authorization result. The switch then tags the servers' traffic with that SGT, and the SGACL policy that ISE pushes decides whether Finance may talk to ERP directly or only through the application gateway.

Exam trap

Cisco often tests the distinction between the authentication mechanism (802.1X) and the policy server (ISE) that actually assigns the SGT, leading candidates to mistakenly select 802.1X as the component that assigns the tag.

How to eliminate wrong answers

Option B is wrong because MACsec provides link-layer encryption and integrity, not SGT assignment; it is used to secure TrustSec links after SGTs are already assigned. Option C is wrong because 802.1X is an authentication method that can be used by ISE to identify endpoints, but it does not directly assign SGTs—ISE is the component that maps the authenticated identity to an SGT. Option D is wrong because VLAN ACLs (VACLs) filter traffic based on Layer 2/3/4 fields, not SGTs; they are not part of the TrustSec SGT assignment process.
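As an added example (not from the original page) for questions 57, 58 and this one, here is what the enforcement side of TrustSec looks like on NX-OS for the Finance, ERP and gateway scenario. SGT values, addresses, VLANs and SGACL names are assumed; the IP-to-SGT bindings are entered statically so the example reads on its own, whereas in production they come from ISE (inline tags or SXP). The syntax is the Nexus 7000 style of TrustSec on NX-OS; feature availability on Nexus 9000 depends on platform and release, so check your release notes.

```text
! Added example (assumed names, SGTs and addresses): TrustSec SGACL enforcement on NX-OS.
! feature dot1x is a prerequisite for feature cts on Nexus 7000.
feature dot1x
feature cts

! IP-to-SGT bindings. Static here for readability; normally learned from ISE.
! 100 = Finance servers (VLAN 10), 200 = ERP servers (VLAN 20), 300 = application gateway.
cts role-based sgt-map 10.1.10.0/24 100
cts role-based sgt-map 10.1.20.0/24 200
cts role-based sgt-map 10.1.30.5 300

! SGACLs are written in terms of tags and ports, never VLANs or IP addresses.
cts role-based access-list DENY-ALL
  deny ip
! Assumption: the gateway is reached over HTTPS, and it talks HTTPS to ERP.
cts role-based access-list HTTPS-ONLY
  permit tcp dst eq 443
  deny ip

! Bind (source SGT, destination SGT) pairs to SGACLs.
! Finance -> ERP directly: blocked.
cts role-based sgt 100 dgt 200 access-list DENY-ALL
! Finance -> gateway and gateway -> ERP: HTTPS only.
cts role-based sgt 100 dgt 300 access-list HTTPS-ONLY
cts role-based sgt 300 dgt 200 access-list HTTPS-ONLY

! Enforcement is switched on per VLAN; without this the SGACLs are never consulted.
vlan 10
  cts role-based enforcement
vlan 20
  cts role-based enforcement

! Verify bindings, the programmed policy matrix and per-cell hit counters
show cts role-based sgt-map
show cts role-based policy
show cts role-based counters
```

The contrast with option D of the question is visible here: a VACL would have to be rewritten every time a Finance server moved or changed address, while the SGACL keeps working as long as the endpoint is tagged 100, wherever it lands.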

65
MCQeasy

A data center architect is designing access control for a Cisco ACI fabric. The requirement is to allow HTTP traffic from the web tier (EPG web) to the app tier (EPG app), but deny SSH from the management EPG to the web EPG. Which construct should be used?

A.Create a contract between EPGs with appropriate filters.
B.Use a tenant to separate the EPGs logically.
C.Configure a VRF to isolate traffic between EPGs.
D.Define a bridge domain with L2 policies.
AnswerA

Contracts in ACI define allowed communication with filters for specific protocols/ports.

Why this answer

In Cisco ACI, contracts are the mechanism that permits communication between EPGs; with policy enforcement on, anything a contract does not permit is dropped. A contract between the web and app EPGs whose filter permits HTTP (TCP/80), provided by app and consumed by web, meets the first requirement. For the second, SSH from management to web is blocked simply by not permitting it: either no contract exists between those EPGs, or their contract permits only what management genuinely needs and omits TCP/22 (newer ACI releases also support an explicit deny action on a subject filter). Contracts give per-protocol and per-port control, which tenants, VRFs and bridge domains do not.

Exam trap

Cisco often tests the misconception that VRFs or bridge domains alone provide security isolation; in ACI, filtering between EPGs is done by contracts, whatever the VRF or BD layout (unless the VRF's policy control enforcement preference is set to unenforced, which turns contract enforcement off entirely).

How to eliminate wrong answers

Option B is wrong because tenants are used for administrative and policy isolation between different customers or organizations, not for defining traffic rules between EPGs within the same tenant. Option C is wrong because VRFs (private L3 contexts) provide routing and forwarding isolation but do not enforce security policies like permitting or denying specific application traffic; contracts are still needed within a VRF. Option D is wrong because bridge domains define Layer 2 forwarding boundaries and subnets, not access control policies; they do not filter traffic based on protocols or ports.

66
MCQmedium

A network administrator configures DHCP snooping on a Nexus 9000 switch. The legitimate DHCP server is connected to Ethernet 1/1. An unauthorized DHCP server is detected on Ethernet 1/2. Which action should be taken to prevent the unauthorized server from offering IP addresses?

A.Enable the DHCP snooping information option
B.Set Ethernet 1/2 as a trusted port
C.Disable DHCP snooping globally
D.Set Ethernet 1/1 as a trusted port
AnswerD

The DHCP server port must be trusted to permit DHCP server messages such as OFFER and ACK.

Why this answer

Option D is correct because DHCP snooping uses the concept of trusted and untrusted ports. By default, all ports are untrusted. Setting Ethernet 1/1, where the legitimate DHCP server is connected, as a trusted port allows DHCP server messages (OFFER, ACK, etc.) from that port to be forwarded.

All other ports, including Ethernet 1/2, remain untrusted, so any DHCP server messages received on them are dropped, effectively blocking the unauthorized DHCP server.

Exam trap

Cisco often tests the common misconception that you must set the port connected to the unauthorized server as untrusted (which is the default) rather than explicitly setting the legitimate server's port as trusted, leading candidates to incorrectly select option B or C.

How to eliminate wrong answers

Option A is wrong because enabling the DHCP snooping information option (option 82) inserts circuit-id and remote-id information into DHCP packets, but it does not control which ports are allowed to send DHCP server messages; it is used for DHCP relay and security auditing, not for blocking unauthorized servers. Option B is wrong because setting Ethernet 1/2 as a trusted port would allow the unauthorized DHCP server's messages to be forwarded, which is the opposite of the desired action. Option C is wrong because disabling DHCP snooping globally would remove all protection, allowing both legitimate and unauthorized DHCP servers to operate freely, which does not prevent the unauthorized server from offering IP addresses.
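For this question and question 59, here is an added NX-OS example (not from the original page; VLAN, interface roles and descriptions are assumed) of DHCP snooping with the legitimate server's port trusted and the access port left at its untrusted default.

```text
! Added example (assumed VLAN and interfaces): DHCP snooping on a Nexus 9000.
! feature dhcp enables the DHCP snooping/relay code; snooping itself must then
! be turned on globally AND for each VLAN it should inspect.
feature dhcp
ip dhcp snooping
ip dhcp snooping vlan 10
! Optional: also drop client packets whose source MAC differs from the DHCP
! client hardware address, a common sign of a spoofing tool.
ip dhcp snooping verify mac-address

! Legitimate DHCP server: the only port allowed to source OFFER/ACK/NAK.
interface Ethernet1/1
  description DHCP server
  switchport access vlan 10
  ip dhcp snooping trust

! Client port stays untrusted (the default). DHCP server messages arriving
! here, such as those from a rogue server, are dropped; client DISCOVER and
! REQUEST still pass, so the legitimate client keeps working.
interface Ethernet1/2
  description Client / rogue DHCP server seen here
  switchport access vlan 10

! Uplinks toward other switches or relays must be trusted too, otherwise
! legitimate replies relayed through them are dropped as well.
interface Ethernet1/49
  description Uplink
  ip dhcp snooping trust

! Verify: trust state per interface and the binding table built from leases
show ip dhcp snooping
show ip dhcp snooping binding
```

The binding table shown by the last command is the by-product that DAI and IP Source Guard depend on, which is why those features are listed as distractors in both questions.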

67
Multi-Selecthard

Which TWO statements are true about Control Plane Policing (CoPP) on a Cisco Nexus 9000 switch? (Choose two.)

Select 2 answers
A.CoPP can be used to limit the rate of ICMP unreachable messages.
B.CoPP automatically drops all unknown unicast traffic.
C.CoPP is configured using the 'control-plane' sub-mode with policy-maps.
D.CoPP applies only to traffic destined to the switch management IP.
E.CoPP can be used to prioritize OSPF traffic over SSH.
AnswersA, C

ICMP unreachable messages can be rate-limited with CoPP to prevent DoS.

Why this answer

Option A is correct because CoPP can rate-limit control-plane traffic such as ICMP unreachable messages. By applying a policy-map in the 'control-plane' sub-mode, you can define class-maps that match specific control-plane protocols (e.g., ICMP) and then police their rate to prevent CPU overload from floods of such packets.

Exam trap

Cisco often tests the misconception that CoPP is only for traffic to the management IP or that it prioritizes traffic, when in fact it polices all traffic punted to the supervisor (routing protocols, ARP, ICMP, management sessions, exceptions) and drops the excess rather than queueing one class ahead of another. Option C is the other correct statement: the type control-plane policy-map is attached with service-policy input under the control-plane sub-mode.

68
MCQeasy

An engineer notices that AAA authentication using RADIUS is failing, and the RADIUS server logs show no incoming authentication requests. Which of the following is the most likely cause?

A.The device has not been configured with any RADIUS server host
B.The device is using TACACS+ instead of RADIUS
C.The RADIUS server is not reachable due to a firewall
D.The RADIUS shared secret is incorrect
AnswerA

Without a configured server host, no RADIUS requests are generated, so no logs appear.

Why this answer

If the RADIUS server logs show no incoming authentication requests, the issue is that the device is not sending any traffic to the server. This occurs when no RADIUS server host is configured on the device, meaning the device has no IP address or hostname to which it can send authentication packets. Without a configured server host, the device will not attempt any RADIUS communication, resulting in zero requests reaching the server.

Exam trap

Cisco often tests the distinction between configuration errors that prevent packet generation (like missing server host) versus errors that cause packet rejection or timeout (like wrong secret or firewall), and the trap here is assuming that any authentication failure must involve network-level issues rather than a missing fundamental configuration element.

How to eliminate wrong answers

Option B is wrong because if the switch were configured for TACACS+ it would be sending TACACS+ requests (TCP 49) to a TACACS+ server; the question states that RADIUS authentication is in use and failing, so RADIUS is the configured method. Option C is not the best answer, but be precise about why: a firewall that blocks UDP 1812/1813 also leaves the server logs empty, because the dropped Access-Requests never arrive. What separates it from option A is that the switch would still generate the requests and report a server timeout (and, on NX-OS, mark the server dead), which the question does not mention. Confirm which case you are in with show radius-server and a test login such as test aaa group <group> <user> <password>: no configured host means no attempt at all, a timeout points to reachability. Option D is wrong because with a wrong shared secret the switch still sends Access-Request packets; the server receives them and typically logs them as failed or discarded for a bad authenticator, so the logs would not be empty.
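As an added example (not from the original page; group name, server address, VRF and the shared secret are assumed placeholders), here is the symptom configuration from this question beside the fixed one on NX-OS, with the commands that distinguish "never sent" from "sent and timed out".

```text
! Added example (assumed names/addresses/secret): NX-OS AAA with RADIUS.
!
! --- Symptom: login method references a server group that has no hosts ---
! Nothing is ever sent, so the RADIUS server logs show no requests and the
! switch quietly falls back to local authentication.
aaa group server radius ISE-RADIUS
  use-vrf management
  source-interface mgmt0
aaa authentication login default group ISE-RADIUS local

! --- Fix: define the RADIUS host with its shared secret and add it to the group ---
radius-server host 10.10.0.5 key 0 Ch4ngeMe-Placeholder-Secret authentication accounting
aaa group server radius ISE-RADIUS
  server 10.10.0.5
  use-vrf management
  source-interface mgmt0
! Print the reason at the login prompt when the server is unreachable instead
! of silently using the local database.
aaa authentication login error-enable

! --- Verify ---
! The host must appear here; if it does not, no request will ever be generated.
show radius-server
show aaa groups
! Generate a real Access-Request. Accept or Reject means the server was reached
! (a Reject with a known-good password points at the shared secret); a timeout
! points at reachability, e.g. a firewall dropping UDP 1812.
test aaa group ISE-RADIUS alice Wrong-or-Right-Password
show radius-server statistics 10.10.0.5
```

Keep the local fallback in the method list: if the RADIUS path breaks after the fix, the last keyword is what still lets you log in to repair it.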

69
MCQhard

Two data center switches are connected via a fiber link. They need to encrypt all traffic at Layer 2. Which configuration is required on both switches to establish MACsec?

A.Configure the interface as a trunk
B.Enable MACsec and configure a pre-shared key or CA
C.Enable IPsec on the interface
D.Enable 802.1X on the interface
AnswerB

MACsec must be enabled and a security key configured (PSK or CA) to establish secure links.

Why this answer

MACsec (IEEE 802.1AE) provides hop-by-hop Layer 2 encryption between directly connected devices. To bring up a MACsec session, both switches enable MACsec on the interface and share a Connectivity Association Key (CAK): either a pre-shared key configured on both ends, or one derived from a certificate-based 802.1X/EAP authentication. MKA (MACsec Key Agreement, IEEE 802.1X-2010) then uses that CAK to authenticate the peers, elect a key server, and distribute the Secure Association Keys that actually encrypt and integrity-protect the Ethernet frames.

Exam trap

Cisco often tests the distinction between Layer 2 encryption (MACsec) and Layer 3 encryption (IPsec), and candidates mistakenly choose IPsec because they associate 'encryption' with IPsec, forgetting that MACsec is the correct solution for Layer 2 traffic.

How to eliminate wrong answers

Option A is wrong because configuring the interface as a trunk (802.1Q) is unrelated to encryption; trunking carries multiple VLANs but provides no confidentiality or integrity. Option C is wrong because IPsec operates at Layer 3 and encrypts IP packets, not Ethernet frames; MACsec is the Layer 2 encryption protocol. Option D is wrong because 802.1X is a port-based network access control protocol; MKA is specified in the 802.1X-2010 standard, but enabling 802.1X authentication on a port does not by itself enable MACsec or distribute keys, so without a MACsec policy and CAK nothing is encrypted.

70
MCQhard

Two Nexus switches are configured for MACsec using MKA. The link between them is up, but MKA does not establish. Which issue is most likely?

A.Different MTU sizes
B.Mismatched cipher suites
C.Switches are in different VLANs
D.Mismatched MKA key strings
AnswerB

MACsec requires the same cipher suite on both ends for MKA to succeed.

Why this answer

MKA (MACsec Key Agreement) requires both endpoints to agree on a cipher suite: the elected key server advertises the suite for the SAK it distributes, and a peer that is not configured for that suite cannot install the SAK. If the suites differ (for example GCM-AES-128 on one switch and GCM-AES-256 on the other), no secure association is created. The physical link stays up, but whether data passes depends on the policy: with security-policy must-secure (the usual data center choice) traffic is blocked until MACsec is secured, with should-secure it flows unencrypted. On a link that is otherwise healthy, this mismatch is the most common reason for MKA not coming up.

Exam trap

Cisco often tests the distinction between MKA not establishing (cipher suite mismatch) versus MKA establishing but failing authentication (key string mismatch), leading candidates to incorrectly choose the key string option when the question specifically says 'does not establish'.

How to eliminate wrong answers

Option A is wrong because MKA control frames (MKPDUs) are small EAPOL frames, so an MTU mismatch does not stop MKA from establishing; it would show up later as drops of large frames, made worse by the extra bytes of the MACsec SecTAG and ICV. Option C is wrong because MKA runs hop by hop on the physical link, addressed to the EAPOL group MAC below any VLAN assignment, so VLAN membership does not affect it. Option D is wrong in the exam's framing because a mismatched key string (CAK) fails the authentication step of MKA, the ICV check on the MKPDUs, rather than the cipher-suite agreement the question points at; in practice either mistake leaves you without a secured session, and on NX-OS show macsec mka session together with show macsec mka statistics tells the two apart.

71
MCQhard

An organization is deploying Cisco Nexus 9000 switches with NX-OS and needs to prevent ARP spoofing attacks. The network engineer enables Dynamic ARP Inspection (DAI) on all VLANs. However, some legitimate hosts are unable to obtain IP addresses via DHCP. What is the most likely reason?

A.The ARP rate limit on the port is too low, causing all ARP requests to be dropped.
B.IP Source Guard is enabled and is blocking ARP packets.
C.DHCP snooping is not enabled, so DAI lacks the DHCP snooping binding table.
D.An ARP ACL is not configured to allow static IP bindings.
AnswerC

DAI validates ARP against the DHCP snooping binding table; without it, DAI drops the ARP of every host on untrusted ports.

Why this answer

DAI relies on the DHCP snooping binding table to validate the sender IP and MAC in ARP packets arriving on untrusted ports. With DHCP snooping disabled the table is empty, so no ARP from any host matches a binding and DAI drops all of it. The DHCP messages themselves are not ARP and still pass, but a host that receives a lease cannot resolve its default gateway or the DHCP server it must reach by unicast to renew, and its ARP probe and announcement for the new address are discarded, so from the host's point of view it never ends up with a working address. Enabling DHCP snooping globally and for the VLANs, and trusting the uplinks for both features, fixes it because the table is then populated as leases are handed out; on NX-OS both features live under feature dhcp.

Exam trap

Cisco often tests the dependency of DAI on DHCP snooping, and the trap here is that candidates assume DAI can function independently without understanding that it requires the DHCP snooping binding table for validation.

How to eliminate wrong answers

Option A is wrong because the ARP rate limit on the port would cause excessive ARP packets to be dropped, not all ARP requests, and it would not specifically prevent DHCP address acquisition. Option B is wrong because IP Source Guard blocks IP traffic based on the DHCP snooping binding table, not ARP packets directly; it does not interfere with ARP unless combined with DAI. Option D is wrong because an ARP ACL is used to permit or deny ARP packets for static IP hosts, but it is not required for DHCP-based hosts; the core issue is the missing DHCP snooping binding table.
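For this question and question 53, here is an added NX-OS example (not from the original page; VLAN, interfaces, the static host's address and MAC are constructed placeholders) that shows the broken state, DAI without its DHCP snooping table, beside the working one, and how a host with a static address is admitted through an ARP ACL.

```text
! Added example (assumed VLAN/interfaces; host address and MAC are placeholders):
! Dynamic ARP Inspection on NX-OS and its dependency on DHCP snooping.
!
! --- Broken: DAI enabled, DHCP snooping not enabled ---
! DAI is part of feature dhcp, so this is accepted, but the binding table is
! empty: every ARP on an untrusted port fails validation and is dropped.
feature dhcp
ip arp inspection vlan 10

! --- Fix: populate the binding table and trust the uplink for both features ---
ip dhcp snooping
ip dhcp snooping vlan 10
ip arp inspection vlan 10
! Extra checks on ARP body vs. Ethernet header and on the sender IP.
ip arp inspection validate src-mac dst-mac ip
interface Ethernet1/49
  description Uplink toward DHCP server and the rest of the fabric
  ip dhcp snooping trust
  ip arp inspection trust

! Hosts with static addresses never appear in the binding table, so DAI would
! drop their ARP too. Permit them explicitly with an ARP ACL.
arp access-list STATIC-HOSTS
  10 permit ip host 10.1.10.50 mac host 0011.2233.4455
ip arp inspection filter STATIC-HOSTS vlan 10

! --- Verify ---
! Leases appear here once snooping is on; DAI validates against these rows.
show ip dhcp snooping binding
show ip arp inspection vlan 10
! Dropped/forwarded counters per VLAN make the "empty table" failure obvious.
show ip arp inspection statistics vlan 10
```

The order matters on a live VLAN: enable snooping first and let the table fill (or add static bindings) before turning on DAI, otherwise every host loses ARP until its next lease renewal.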

72
MCQeasy

Refer to the exhibit. Two Nexus switches are connected via Ethernet1/1. MKA does not initiate. What is the issue?

A.The interface is not administratively up
B.The policy is not applied to the interface
C.The cipher-suite is not supported
D.The MACsec key chain is missing
AnswerB

The policy must be bound to the interface; on Nexus 9000 NX-OS this is the interface-level macsec command, which names the key chain and the policy MACSEC together.

Why this answer

The exhibit shows that the MACsec policy is defined but not applied to interface Ethernet1/1. A policy created in global configuration does nothing until an interface references it; on NX-OS the binding is the interface-level command that names the key chain and the policy together (macsec keychain <keychain> policy MACSEC). Without it, the port has no key to authenticate with and no policy to enforce, so MKA (MACsec Key Agreement) never sends an MKPDU on that link.

Exam trap

Cisco often tests the distinction between defining a MACsec policy globally and applying it to an interface, knowing that candidates may assume a defined policy is automatically active on all interfaces.

How to eliminate wrong answers

Option A is wrong because the interface is administratively up (state is 'up/up'), so the issue is not administrative shutdown. Option C is wrong because the cipher-suite 'GCM-AES-128' is a standard and supported cipher for MACsec on Nexus switches; an unsupported cipher would be rejected at configuration time, not produce a silent MKA failure. Option D is wrong because the exhibit does not show the key chain missing; a missing key chain would also stop a pre-shared-key MKA session, but the gap visible here is the interface binding, which on NX-OS names the key chain and the policy in the same command.
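As an added example for questions 69, 70 and 72 (not from the original page; key chain and policy names, the interface, and the 64-hex-digit CAK are placeholders), here is a complete switch-to-switch MACsec/MKA configuration for Nexus 9000 NX-OS, applied identically on both ends, followed by the cipher-suite mismatch from question 70 shown as a variant not to apply.

```text
! Added example (assumed names; key value is a placeholder, not a real CAK):
! switch-to-switch MACsec with MKA on Nexus 9000 NX-OS.
! Apply the same configuration on SW-A and SW-B.
feature macsec

! Key chain of type macsec. The key name is the CKN (hex), the octet string is the
! CAK; both must match on the two ends. Replace the value with a randomly
! generated 64-hex-digit string for AES_256_CMAC.
key chain DC-MKA macsec
  key 1000
    key-octet-string 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef cryptographic-algorithm AES_256_CMAC

! Policy: cipher suite and what to do with data before the link is secured.
! must-secure blocks data until MKA has installed a SAK (question 70 behaviour).
macsec policy DC-LINK
  cipher-suite GCM-AES-128
  security-policy must-secure

! Binding: key chain and policy are attached to the interface in one command.
! A policy defined above but never bound here leaves MKA idle (question 72).
interface Ethernet1/1
  macsec keychain DC-MKA policy DC-LINK

! --- Variant to avoid (question 70): SW-B configured with a different suite ---
! macsec policy DC-LINK
!   cipher-suite GCM-AES-256
! Result: link up/up, "show macsec mka session" shows no secured session, and
! with must-secure no data crosses the link.

! --- Verify on both sides ---
show macsec mka session
show macsec mka statistics interface ethernet 1/1
show macsec policy
```

Rotate the CAK by adding a second key to the chain with overlapping lifetimes rather than replacing the only key in place; replacing it breaks the session until both sides are updated.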

73
MCQ · medium

A data center switch is experiencing high CPU due to excessive BGP updates. Which action can mitigate this without affecting legitimate BGP traffic?

A.Apply a CoPP policy that rate-limits BGP traffic
B.Apply a CoPP policy that drops all BGP traffic
C.Disable BGP route filtering
D.Increase BGP timers globally
Answer: A

CoPP can rate-limit specific control plane protocols, protecting CPU while allowing legitimate BGP updates.

Why this answer

Control Plane Policing (CoPP) protects the control plane by rate-limiting specific traffic classes. Applying a CoPP policy that rate-limits BGP traffic (option A) reduces CPU load from excessive BGP updates while still allowing legitimate BGP sessions to function, as the rate-limit only drops packets exceeding a configured threshold. This preserves BGP neighbor reachability and route exchange, unlike dropping all BGP traffic.

Exam trap

Cisco often tests the distinction between 'rate-limit' and 'drop' in CoPP policies, where candidates mistakenly choose to drop all BGP traffic (option B) thinking it solves the CPU issue, but this breaks routing entirely.

How to eliminate wrong answers

Option B is wrong because dropping all BGP traffic would terminate all BGP sessions, causing complete loss of routing updates and potentially isolating the router. Option C is wrong because disabling BGP route filtering would increase the number of BGP updates processed, worsening the CPU issue by allowing all routes without any filtering. Option D is wrong because increasing BGP timers globally (e.g., keepalive and hold timers) reduces the frequency of updates but does not mitigate a flood of updates from external sources; it may also cause neighbor timeouts if timers are set too high.
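To make the rate-limit versus drop distinction concrete, here is an added example that is not part of the quiz and not Cisco's CoPP implementation: a single-rate token-bucket policer in Python, offered a normal BGP keepalive/update stream and then a flood. The policer's rate is in packets per second and its burst is in packets (an assumed simplification; the NX-OS policer in the quiz states burst in bytes). Exact rational arithmetic is used so the token accounting has no floating-point drift.

```python
from fractions import Fraction
from typing import Tuple


class TokenBucketPolicer:
    """Single-rate, single-bucket policer (constructed model, not NX-OS code).

    cir_pps: committed rate in packets per second.
    burst:   bucket depth in packets; the bucket starts full.
    Conforming packets are forwarded, exceeding packets are dropped, which is
    the 'exceed action drop' behaviour of a CoPP police statement.
    """

    def __init__(self, cir_pps: int, burst: int) -> None:
        self.cir = Fraction(cir_pps)
        self.burst = Fraction(burst)
        self.tokens = Fraction(burst)
        self.last_t = Fraction(0)
        self.conformed = 0
        self.exceeded = 0

    def offer(self, t: Fraction) -> bool:
        """Offer one packet arriving at time t (seconds). True = forwarded."""
        if t > self.last_t:
            # Refill at the committed rate, never above the burst depth.
            self.tokens = min(self.burst, self.tokens + (t - self.last_t) * self.cir)
            self.last_t = t
        if self.tokens >= 1:
            self.tokens -= 1
            self.conformed += 1
            return True
        self.exceeded += 1  # over the rate: dropped before it reaches the CPU
        return False


def simulate(policer: TokenBucketPolicer, pps: int, seconds: int) -> Tuple[int, int]:
    """Offer a constant stream of `pps` packets/s for `seconds`; return (passed, dropped)."""
    n = pps * seconds
    passed = sum(policer.offer(Fraction(i, pps)) for i in range(n))
    return passed, n - passed


if __name__ == "__main__":
    # Legitimate control traffic: 50 pps of BGP keepalives/updates for 2 s.
    print("normal BGP stream:", simulate(TokenBucketPolicer(1000, 200), 50, 2))
    # Update flood: 5000 pps for 1 s against the same 1000 pps / burst 200 policer.
    print("BGP update flood :", simulate(TokenBucketPolicer(1000, 200), 5000, 1))
```

The normal stream passes untouched, while the flood is cut to roughly the committed rate plus the initial burst (about 1200 of 5000 packets in one second), so the supervisor CPU sees a bounded load and the BGP session keeps exchanging routes. Dropping the whole class instead (option B) would have removed the legitimate stream as well.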

74
MCQ · easy

Refer to the exhibit. A DHCP server is connected to Ethernet1/1 and a client in VLAN 10 is connected to Ethernet1/2. The client obtains an IP address. Which statement is best supported?

A.The DHCP server is in VLAN 20
B.The DHCP client is using a static IP address
C.The DHCP server port is trusted for all VLANs
D.The DHCP client MAC address is not verified
Answer: C

The 'ip dhcp snooping trust' command on the interface makes it trusted for all snooped VLANs.

Why this answer

Option C is correct because when a DHCP server is connected to a switch port and clients in different VLANs (like VLAN 10) obtain IP addresses, the switch must trust the DHCP server port for all VLANs. This is typically achieved by configuring the port as a DHCP snooping trusted port or by using an IP helper address on the VLAN interface. Without trust, DHCP snooping would drop server responses on untrusted ports, preventing the client from obtaining an address.

Exam trap

Cisco often tests the misconception that a DHCP server must be in the same VLAN as the client, when in fact a trusted port or IP helper address allows cross-VLAN DHCP communication.

How to eliminate wrong answers

Option A is wrong because the DHCP server is connected to Ethernet1/1, which is not necessarily in VLAN 20; the client in VLAN 10 obtains an IP address, implying the server can communicate with VLAN 10, likely via an IP helper address or trunk, not that the server itself is in VLAN 20. Option B is wrong because the client obtains an IP address via DHCP, which contradicts the use of a static IP address; a static IP would not require DHCP. Option D is wrong because the DHCP client MAC address is verified by DHCP snooping by default on untrusted ports; the fact that the client obtains an IP address suggests the MAC address is verified and not spoofed, or the port is trusted.

75
Multi-Select · medium

Which two mechanisms are used by Dynamic ARP Inspection to prevent ARP spoofing? (Choose two.)

Select 2 answers
A.DHCP snooping binding table
B.ARP access lists
C.Port security
D.ARP rate limiting
E.ARP inspection VLAN configuration
Answers: A, B

DAI compares ARP packet MAC-IP pair with the binding table to detect spoofing.

Why this answer

Dynamic ARP Inspection (DAI) validates ARP packets by comparing the sender MAC and IP addresses against the DHCP snooping binding table. If an ARP packet's MAC-IP binding does not match an entry in the binding table, DAI drops the packet, preventing ARP spoofing attacks. Additionally, DAI can use ARP access lists (ARP ACLs) to statically define valid MAC-IP bindings for hosts that do not use DHCP, providing an alternative validation mechanism.

Exam trap

The trap here is that candidates often confuse the enabling configuration (ARP inspection VLAN configuration) with the actual validation mechanism, or they mistakenly think port security or rate limiting directly prevent ARP spoofing, when in fact they serve different security purposes.
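The following is an added example, not part of the quiz and not a Cisco implementation: a small Python model of the DAI decision described above, run over constructed ARP packets. The binding table, ARP ACL, trusted port and VLAN set are all constructed sample data. The model is simplified in one assumed way: a sender MAC listed in the ARP ACL is judged by the ACL alone, and only MACs absent from the ACL fall through to the DHCP snooping binding table.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class ArpPacket:
    vlan: int
    ingress_port: str
    sender_mac: str
    sender_ip: str


Key = Tuple[int, str]  # (VLAN, sender MAC)

# Constructed DHCP snooping binding table: leases the switch watched being issued.
BINDING_TABLE: Dict[Key, str] = {
    (10, "0011.2233.4455"): "10.1.10.50",
    (10, "0011.2233.6677"): "10.1.10.51",
}

# Constructed ARP ACL: static MAC/IP pairs for hosts that never use DHCP.
ARP_ACL: Dict[Key, str] = {
    (10, "00aa.bbcc.dd01"): "10.1.10.254",  # default gateway
    (10, "00aa.bbcc.dd02"): "10.1.10.200",  # statically addressed printer
}

TRUSTED_PORTS: Set[str] = {"Ethernet1/1"}  # uplink toward the gateway (assumed)
DAI_VLANS: Set[int] = {10}                  # VLANs with ARP inspection enabled


def dai_verdict(pkt: ArpPacket,
                bindings: Dict[Key, str] = BINDING_TABLE,
                arp_acl: Dict[Key, str] = ARP_ACL,
                trusted_ports: Set[str] = TRUSTED_PORTS,
                dai_vlans: Set[int] = DAI_VLANS) -> Tuple[str, str]:
    """Return ('forward' | 'drop', reason) for one ARP packet."""
    if pkt.vlan not in dai_vlans:
        return "forward", "DAI not enabled on VLAN"
    if pkt.ingress_port in trusted_ports:
        return "forward", "trusted port, not inspected"
    key = (pkt.vlan, pkt.sender_mac)
    # Static hosts: validated against the ARP ACL (simplified: ACL decides alone).
    if key in arp_acl:
        if arp_acl[key] == pkt.sender_ip:
            return "forward", "matches ARP ACL"
        return "drop", "sender IP mismatch against ARP ACL"
    # DHCP hosts: sender MAC/IP must equal the snooped lease.
    if key in bindings:
        if bindings[key] == pkt.sender_ip:
            return "forward", "matches DHCP snooping binding"
        return "drop", "sender IP mismatch against DHCP snooping binding"
    return "drop", "no binding for sender MAC"


def inspect(packets: List[ArpPacket]) -> List[Tuple[str, str, str]]:
    """Run DAI over a packet list; each row is (ingress port, verdict, reason)."""
    return [(p.ingress_port, *dai_verdict(p)) for p in packets]


# Constructed sample traffic.
SAMPLE_PACKETS = [
    ArpPacket(10, "Ethernet1/2", "0011.2233.4455", "10.1.10.50"),   # DHCP host, consistent
    ArpPacket(10, "Ethernet1/3", "0011.2233.6677", "10.1.10.254"),  # DHCP host claiming gateway IP
    ArpPacket(10, "Ethernet1/1", "00aa.bbcc.dd01", "10.1.10.254"),  # gateway on the trusted uplink
    ArpPacket(10, "Ethernet1/6", "00aa.bbcc.dd02", "10.1.10.200"),  # static host permitted by ARP ACL
    ArpPacket(10, "Ethernet1/4", "00de.adbe.ef00", "10.1.10.77"),   # no lease and no ACL entry
    ArpPacket(20, "Ethernet1/5", "00de.adbe.ef00", "10.1.20.77"),   # VLAN 20: DAI not enabled
]

if __name__ == "__main__":
    for port, verdict, reason in inspect(SAMPLE_PACKETS):
        print(f"{port:<12} {verdict:<8} {reason}")
```

The two drops are the cases the quiz answer is about: a DHCP client whose ARP sender IP does not match its lease, and a host with no binding at all. Note what the other answer options would not have caught here: port security limits MAC addresses per port, and ARP rate limiting only bounds packets per second; neither compares the MAC/IP pair inside the ARP payload, which is the check that actually detects spoofing.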

