CCNA Network Fundamentals Questions

75 of 83 questions · Page 1/2 · Network Fundamentals topic

1 · MCQ · hard

Based on the NAT translation table, what type of NAT is being used?

A. Dynamic NAT
B. Static PAT
C. Static NAT
D. PAT (overload)

Answer: D

PAT uses port numbers to distinguish between multiple internal hosts sharing a single public IP.

Why this answer

The NAT translation table shows multiple internal IP addresses (e.g., 10.1.1.1, 10.1.1.2) being translated to the same public IP address (e.g., 203.0.113.1) but with different source ports. This is the defining characteristic of Port Address Translation (PAT), also known as NAT overload, where a single public IP is shared among many internal hosts by multiplexing on layer-4 port numbers.

Exam trap

Cisco often tests the distinction between Dynamic NAT (which uses a pool of public IPs) and PAT (which overloads a single public IP with port numbers), and the trap here is that candidates see multiple translations and assume Dynamic NAT, missing the key clue that the public IP is identical across entries.

How to eliminate wrong answers

Option A is wrong because Dynamic NAT translates internal addresses to a pool of public IPs, one-to-one, and does not reuse a single public IP with different ports. Option B is wrong because Static PAT is not a standard term; static NAT with port forwarding is sometimes mislabeled, but the table shows dynamic port assignments, not a fixed mapping. Option C is wrong because Static NAT maps a single internal IP to a single external IP permanently, which would not show multiple internal IPs sharing the same public IP.

2 · Multi-Select · easy

Which TWO of the following are examples of application layer protocols?

Select 2 answers
A. HTTP
B. IP
C. FTP
D. TCP
E. ARP

Answers: A, C

HTTP is an application layer protocol used for web traffic.

Why this answer

HTTP (Hypertext Transfer Protocol) operates at the application layer (Layer 7) of the OSI model, enabling web browsers and servers to exchange hypertext documents. It defines how requests and responses are formatted and transmitted, relying on lower-layer protocols like TCP for reliable delivery.

Exam trap

Cisco often tests the distinction between transport layer protocols (TCP/UDP) and application layer protocols, trapping candidates who confuse TCP's role in reliable delivery with application-specific functions like HTTP or FTP.

3 · MCQ · medium

A network administrator is configuring OSPF on a router and wants to ensure that routes from area 0 are propagated to area 1, but area 1 should not see specific inter-area routes. Which OSPF feature should be used?

A. NSSA
B. Totally stubby area
C. Virtual-link
D. Stub area

Answer: D

Blocks type 5 LSAs, provides a default route.

Why this answer

Option D is correct because a stub area blocks Type 5 LSAs (external routes) from entering the area, while still allowing inter-area routes (Type 3 LSAs) to be propagated. This meets the requirement of propagating routes from area 0 to area 1 but preventing specific inter-area routes from being seen, as stub areas do not filter Type 3 LSAs entirely—they only block external routes. The question's phrasing 'should not see specific inter-area routes' is ambiguous, but in standard OSPF terminology, a stub area is the correct feature to limit route visibility while maintaining connectivity to the backbone.

Exam trap

The trap here is that candidates confuse 'stub area' with 'totally stubby area'—the question says 'should not see specific inter-area routes,' which might imply blocking all inter-area routes, but a stub area only blocks external routes, not inter-area routes, and the correct answer is the one that matches the standard OSPF behavior for limiting route visibility without completely isolating the area.

How to eliminate wrong answers

Option A is wrong because an NSSA (Not-So-Stubby Area) allows Type 7 LSAs for external routes from within the area and translates them to Type 5 LSAs, which does not block inter-area routes; it is designed for areas that need to import external routes while still blocking some Type 5 LSAs. Option B is wrong because a totally stubby area blocks both Type 5 LSAs and Type 3 LSAs (inter-area routes), leaving only a default route, which would prevent area 1 from seeing any inter-area routes, not just specific ones. Option C is wrong because a virtual-link is used to connect a non-backbone area to area 0 through a transit area when a direct physical connection is missing; it does not filter routes.

4 · MCQ · easy

A developer is trying to access an internal corporate web API at http://api.internal.company.com from their workstation, which has the IP configuration: IP address 192.168.1.100, subnet mask 255.255.255.0, default gateway 192.168.1.1, and DNS server 192.168.1.2. The developer can ping the DNS server (192.168.1.2) successfully, but when they try to curl the API endpoint, the command times out. The developer also confirms that the API server is up and reachable from other devices on the same subnet. Which action should the developer take to resolve this issue?

A. Disable the local firewall on the workstation to allow all outbound traffic.
B. Renew the DHCP lease to obtain a new IP address.
C. Restart the network interface card (NIC) to reset the connection.
D. Check the default gateway configuration. Ensure it is set to 192.168.1.1 and that the gateway can route traffic to the API's subnet.

Answer: D

The default gateway is likely missing or misconfigured, preventing traffic to the API subnet. Verifying its setting and reachability resolves the issue.

Why this answer

A first instinct is to suspect DNS resolution for the internal domain: the DNS server is reachable, so the problem could be a missing record or a misconfigured search domain. That hypothesis does not fit the evidence, though. The developer can ping the DNS server (192.168.1.2) because it sits on the workstation's own subnet (192.168.1.0/24), so that test says nothing about traffic that has to leave the subnet. The API server is confirmed up and reachable from other devices, so the server itself is not at fault.

If the API lives on a different subnet, the workstation must send that traffic through its default gateway. A missing or incorrect gateway leaves same-subnet pings working while the curl to the API times out, which is exactly what is observed. The correct action is therefore to verify that the default gateway is set to 192.168.1.1 and that it can route to the API's subnet. The distractors (restarting the NIC, renewing the DHCP lease, disabling the local firewall) do not address a gateway or routing fault.

5 · Multi-Select · hard

Which TWO of the following features are provided by Cisco DNA Center but NOT by Cisco Prime Infrastructure? (Choose two.)

Select 2 answers
A. Configuration compliance auditing
B. Software image management
C. Machine learning-based assurance analytics
D. Policy-based automation for SD-Access
E. Network Hierarchy and Site Management

Answers: C, D

DNA Center uses AI/ML for assurance; Prime does not.

Why this answer

Machine learning-based assurance analytics is a feature exclusive to Cisco DNA Center, which uses advanced telemetry and ML algorithms to proactively detect anomalies, predict network issues, and provide closed-loop assurance. Cisco Prime Infrastructure relies on traditional polling and threshold-based monitoring, lacking the predictive and adaptive analytics capabilities that DNA Center's Assurance engine offers.

Exam trap

Cisco often tests the misconception that Prime Infrastructure and DNA Center share all core management features, but the key differentiator is DNA Center's intent-based networking capabilities, including policy-based automation for SD-Access and ML-driven assurance, which are not present in Prime Infrastructure.

6 · MCQ · hard

You are a network engineer at a financial services company. The network uses OSPF as the IGP, and all routers are in area 0. The core network consists of four routers (R1, R2, R3, R4) connected in a full mesh with GigabitEthernet links. The OSPF cost is set to 1 on all interfaces. Recently, a new application was deployed that requires low jitter and deterministic paths between two servers: Server A connected to R1 and Server B connected to R4. During peak hours, you notice that traffic between the servers is using the path R1->R3->R4 instead of R1->R2->R4, causing higher latency due to congestion on R3. OSPF metrics reflect equal cost to both paths (cost 2 each). You need to enforce that traffic from Server A to Server B always uses the path through R2 without changing the topology or adding additional hardware. Which action should you take?

A. Change the routing protocol from OSPF to EIGRP to have better metric control.
B. Use the 'default-information originate' command on R2 to attract traffic.
C. Configure policy-based routing (PBR) on R1 to send traffic destined to Server B's subnet to the next-hop R2.
D. Increase the OSPF cost on the interface between R1 and R3 to a value higher than the cost of the path through R2.

Answer: D

Increasing the cost on R1-R3 makes the R1-R2-R4 path the lower total cost (2 via R2 versus, for example, 10+1=11 via R3).

Why this answer

Option D is correct because increasing the OSPF cost on the R1-R3 interface makes the path through R3 less preferred (cost >2), while the R1-R2-R4 path retains a total cost of 2. OSPF uses cost as its metric, and the lowest-cost path is installed in the routing table. By raising the cost on the R1-R3 link, you force traffic from Server A to Server B to take the deterministic path through R2 without changing the topology or adding hardware.

Exam trap

Cisco often tests the misconception that PBR is required for path control when OSPF metrics can be easily tuned, leading candidates to overlook the simpler and more appropriate solution of adjusting interface cost.

How to eliminate wrong answers

Option A is wrong because changing the routing protocol from OSPF to EIGRP is unnecessary and disruptive; OSPF already supports cost manipulation to influence path selection, and the question explicitly requires no topology or hardware changes. Option B is wrong because the 'default-information originate' command injects a default route into OSPF, which does not influence specific host or subnet routing between Server A and Server B; it would only affect traffic destined to networks not in the OSPF database. Option C is wrong because policy-based routing (PBR) can override the routing table, but it adds complexity and administrative overhead; the simpler and more standard approach is to adjust OSPF metrics, which directly influences the SPF calculation and is the intended method for traffic engineering in OSPF.

7 · MCQ · hard

A network automation script uses RESTCONF to configure a router. The script receives an HTTP 409 Conflict response. What is the most likely cause?

A. The resource already exists
B. The router is unreachable
C. The request body is malformed
D. Incorrect authentication

Answer: A

A 409 Conflict typically occurs when trying to create a resource that already exists.

Why this answer

RESTCONF uses HTTP status codes to indicate the result of an operation. An HTTP 409 Conflict specifically means the request could not be completed due to a conflict with the current state of the resource. In the context of a network automation script using RESTCONF to configure a router, this most commonly occurs when the script attempts to create a resource (e.g., an interface or VLAN) that already exists, violating the resource's uniqueness constraint.

Exam trap

Cisco often tests the distinction between HTTP 409 Conflict (resource state conflict) and HTTP 400 Bad Request (malformed syntax), leading candidates to confuse a semantic conflict with a syntax error.

How to eliminate wrong answers

Option B is wrong because a router being unreachable would result in a connection timeout or an HTTP 503 Service Unavailable or 502 Bad Gateway error, not a 409 Conflict. Option C is wrong because a malformed request body would typically trigger an HTTP 400 Bad Request error, indicating the server cannot parse the request. Option D is wrong because incorrect authentication would result in an HTTP 401 Unauthorized or 403 Forbidden response, not a 409 Conflict.

8 · Multi-Select · medium

Which TWO statements are true about VXLAN? (Choose two.)

Select 2 answers
A. VXLAN requires MPLS in the underlay
B. VXLAN encapsulates Ethernet frames in UDP packets
C. VXLAN uses IP-in-IP encapsulation
D. VXLAN operates at Layer 2 only
E. VXLAN supports up to 16 million logical networks

Answers: B, E

VXLAN uses UDP encapsulation.

Why this answer

Option B is correct because VXLAN (Virtual Extensible LAN) encapsulates the original Layer 2 Ethernet frame inside a UDP packet (typically UDP destination port 4789). This allows the Layer 2 frame to be transported over a Layer 3 IP network, enabling network virtualization and overlay networking without requiring changes to the physical underlay.

Exam trap

Cisco often tests the misconception that VXLAN is a pure Layer 2 technology, but the trap here is that VXLAN encapsulates Layer 2 frames into Layer 3 UDP packets, making it a Layer 2 overlay over a Layer 3 underlay.

9 · MCQ · medium

A network engineer is designing a data center network with leaf-spine topology. The requirement is to minimize latency and maximize bandwidth for east-west traffic. Which type of links should be used between leaf and spine switches?

A. Multiple links with VSS
B. Single link with LACP
C. Multiple parallel links with ECMP routing
D. Single link with STP

Answer: C

ECMP allows all links to be active, increasing bandwidth and reducing latency.

Why this answer

In a leaf-spine topology, east-west traffic (server-to-server) must traverse the spine switches. Using multiple parallel links with Equal-Cost Multi-Path (ECMP) routing allows all links to be active simultaneously, maximizing bandwidth and minimizing latency by load-balancing traffic across all available paths. ECMP leverages Layer 3 routing (e.g., OSPF or BGP) to forward packets over multiple equal-cost paths, which is ideal for the non-blocking, high-throughput design of leaf-spine architectures.

Exam trap

Cisco often tests the misconception that link aggregation (LACP or VSS) is the best way to increase bandwidth in a leaf-spine design, but the trap is that these are Layer 2 solutions that do not provide the active-active multipath routing (ECMP) required for optimal east-west traffic in a Layer 3 leaf-spine topology.

How to eliminate wrong answers

Option A is wrong because VSS (Virtual Switching System) is a Cisco proprietary technology that bundles multiple physical switches into a single logical switch using a control plane, which introduces complexity and does not scale well in a leaf-spine design; it also relies on a single control plane that can become a bottleneck for east-west traffic. Option B is wrong because a single link with LACP (Link Aggregation Control Protocol) provides link redundancy and increased bandwidth only within a single aggregated link, but it does not provide the multiple parallel active paths needed for full bisectional bandwidth in a leaf-spine topology; LACP is a Layer 2 solution that does not leverage ECMP routing. Option D is wrong because a single link with STP (Spanning Tree Protocol) blocks redundant paths to prevent loops, resulting in only one active link at a time, which severely limits bandwidth and increases latency for east-west traffic; STP is designed for traditional tree topologies, not for the active-active multipath requirement of leaf-spine.

10 · MCQ · medium

A network administrator is configuring SNMPv3 on a router for secure monitoring. Which combination of parameters is required to ensure authentication and encryption?

A. SNMPv3 with authPriv
B. SNMPv3 with noAuthNoPriv
C. SNMPv3 with authNoPriv
D. SNMPv2c with a complex community string

Answer: A

Provides authentication and encryption.

Why this answer

SNMPv3 with authPriv is the correct combination because it enables both authentication (via HMAC-MD5 or HMAC-SHA) and encryption (via DES or AES) to ensure secure monitoring. The authPriv security level provides message integrity, origin authentication, and data confidentiality, meeting the requirement for both authentication and encryption.

Exam trap

Cisco often tests the distinction between authNoPriv and authPriv, where candidates mistakenly think authentication alone is sufficient for 'secure monitoring' and overlook the encryption requirement.

How to eliminate wrong answers

Option B (noAuthNoPriv) is wrong because it provides no authentication or encryption, offering only a username for identification with no security. Option C (authNoPriv) is wrong because it enables authentication but no encryption, leaving the SNMP payload in cleartext and vulnerable to eavesdropping. Option D (SNMPv2c with a complex community string) is wrong because SNMPv2c uses community strings for authentication only, which are transmitted in plaintext and provide no encryption, failing the encryption requirement.

11 · MCQ · easy

A network administrator needs to verify that a switch port is configured as an access port and assigned to VLAN 30. Which command should be used on a Cisco IOS switch?

A. show running-config interface GigabitEthernet0/1
B. show interfaces status
C. show mac address-table interface GigabitEthernet0/1
D. show vlan brief

Answer: B

The 'Vlan' column in 'show interfaces status' shows the access VLAN.

Why this answer

The 'show interfaces status' command displays the operational status, VLAN assignment, and duplex/speed settings for all switch ports. When verifying an access port, the output includes the VLAN ID under the 'Vlan' column, confirming the port is assigned to VLAN 30 and operating in access mode (trunk ports show 'trunk' instead). This command directly answers the question without requiring interpretation of running configuration or MAC address tables.

Exam trap

Cisco often tests the distinction between configuration commands (like 'show running-config') and operational verification commands (like 'show interfaces status'), trapping candidates who assume the running config always reflects the current operational state, especially when 'switchport mode access' is omitted or when a port is in a trunking mode.

How to eliminate wrong answers

Option A is wrong because 'show running-config interface GigabitEthernet0/1' displays the current configuration, but it does not show the operational VLAN assignment for an access port unless the 'switchport access vlan' command is explicitly present; it may also show default VLAN 1 if not configured, leading to ambiguity. Option C is wrong because 'show mac address-table interface GigabitEthernet0/1' shows MAC addresses learned on that port, but it does not reveal the VLAN ID assigned to the port itself; it only shows which VLANs have active MAC entries, which is irrelevant for verifying access port VLAN assignment. Option D is wrong because 'show vlan brief' lists all VLANs and their member ports, but it does not indicate whether a specific port is configured as an access port or trunk; a port could be a trunk carrying multiple VLANs, and the output would show it in multiple VLANs, not confirming access mode.

12 · MCQ · hard

During a network migration, an engineer needs to replace a legacy core switch with a new one without disrupting the existing STP topology. The new switch supports RSTP and will be connected via two trunk links. Which configuration should be applied to the new switch to prevent it from becoming the root bridge?

A. Enable root guard on the trunk ports
B. Configure the bridge priority to 61440
C. Enable BPDU guard on the trunk ports
D. Set the bridge priority to 0

Answer: B

A high priority value makes the switch less likely to become root.

Why this answer

Option B is correct because setting the bridge priority to 61440 (which is a valid priority value in increments of 4096) ensures the new switch has a higher numerical priority than the current root bridge, preventing it from becoming the root. In STP/RSTP, the switch with the lowest bridge priority becomes the root bridge; by configuring a high priority, the new switch will not disrupt the existing topology.

Exam trap

The trap here is that candidates often confuse root guard (which protects against becoming a root port) with preventing the switch from becoming the root bridge, or they mistakenly think setting priority to 0 (lowest) would prevent root election, when in fact it forces the switch to become root.

How to eliminate wrong answers

Option A is wrong because root guard is used to prevent a port from becoming a root port (i.e., it blocks BPDUs that would make the local switch the root), but it does not prevent the switch itself from becoming the root bridge; it only protects against superior BPDUs received on that port. Option C is wrong because BPDU guard is used to shut down a port if a BPDU is received (typically on access ports configured with PortFast), not to prevent the switch from becoming the root bridge. Option D is wrong because setting the bridge priority to 0 makes the switch the lowest possible priority, which would force it to become the root bridge, the exact opposite of the desired outcome.

13 · MCQ · medium

A company is deploying a new application that requires low-latency communication between servers in the same data center. The network team is designing a leaf-spine architecture. What is the primary advantage of this topology over a traditional three-tier design?

A. Simpler redundancy with fewer layers.
B. Consistent low latency and high bandwidth between any two devices.
C. Easier to deploy with less cabling.
D. Reduced number of required switch ports.

Answer: B

With equal-cost multipathing, latency is consistent and low.

Why this answer

Leaf-spine provides predictable low latency because any leaf is one hop from any other leaf via the spine. Option A is wrong because redundancy is inherent in both designs, so it is not the distinguishing advantage. Option C is wrong because leaf-spine typically uses more cabling, not less. Option D is wrong because leaf-spine actually increases the number of links, and therefore the number of switch ports required.

14 · MCQ · hard

Refer to the exhibit. A router has the routing table shown. A packet arrives at GigabitEthernet0/0 with destination IP 8.8.8.8. What will the router do?

A. Look up the destination in the ARP cache and then forward.
B. Send an ICMP unreachable message back to the source.
C. Forward the packet out GigabitEthernet0/1 to the default gateway.
D. Drop the packet because there is no route to 8.8.8.8.
E. Forward the packet out GigabitEthernet0/0 via 10.0.0.1.

Answer: E

The default route is used, and the next hop is 10.0.0.1 out Gi0/0.

Why this answer

The router has a default route via 10.0.0.1. The destination 8.8.8.8 does not match any specific route, so it will use the default route. The packet will be forwarded out GigabitEthernet0/0 to 10.0.0.1.

15 · Multi-Select · medium

Which TWO of the following are valid reasons to use a trunk link between two switches? (Select exactly two.)

Select 2 answers
A. To connect a switch to a router using a single link for one VLAN.
B. To increase bandwidth between switches by combining multiple links.
C. To reduce latency by using 802.1Q encapsulation.
D. To interconnect switches in a multi-VLAN environment.
E. To allow traffic from multiple VLANs to traverse a single link.

Answers: D, E

Trunks are standard for switch-to-switch connections carrying multiple VLANs.

Why this answer

Option D is correct because trunk links are specifically designed to interconnect switches in a multi-VLAN environment, allowing the switches to exchange frames tagged with VLAN information using the 802.1Q protocol. Without a trunk, each VLAN would require a separate physical link between switches, which is inefficient and does not scale.

Exam trap

Cisco often tests the distinction between trunking (VLAN tagging) and link aggregation (EtherChannel), so candidates mistakenly select 'increase bandwidth' as a trunk benefit when it is actually a feature of EtherChannel.

16 · MCQ · easy

A network technician runs the command 'ping 8.8.8.8' from a workstation and receives 'Reply from 192.168.1.1: Destination host unreachable.' What does this indicate?

A. There is a routing issue beyond the local network.
B. DNS resolution is failing.
C. The default gateway is misconfigured.
D. The workstation has no internet connectivity.
E. The remote server is down.

Answer: A

The gateway cannot reach the destination, indicating a routing problem.

Why this answer

The 'Reply from 192.168.1.1: Destination host unreachable' message indicates that the local router (192.168.1.1) received the ICMP echo request for 8.8.8.8 but could not find a route to that destination in its routing table. This means the router has a valid path back to the workstation (so the default gateway is reachable), but it lacks a route to the remote network, pointing to a routing issue beyond the local subnet.

Exam trap

Cisco often tests the distinction between 'Destination host unreachable' (routing issue at a router) and 'Request timed out' (no response received), leading candidates to incorrectly assume the default gateway is misconfigured or that there is no connectivity at all.

How to eliminate wrong answers

Option B is wrong because DNS resolution is not involved in a ping to an IP address; the command uses a raw IP address, so no DNS query occurs. Option C is wrong because if the default gateway were misconfigured, the workstation would not receive any reply (or would get 'Request timed out'), as the ICMP echo request would never leave the local network. Option D is wrong because the workstation does have connectivity to its local router (192.168.1.1), as evidenced by the reply; the issue is beyond the local network. Option E is wrong because the remote server (8.8.8.8) is not necessarily down; the router cannot even attempt to reach it due to missing routing information.

17 · MCQ · hard

An application sends a packet with destination IP 10.0.0.10. The sending host's routing table has a default gateway of 10.0.0.1. The host's ARP cache is empty. What is the next step after the host determines the packet should go to the default gateway?

A. Sends an ARP request for 10.0.0.1
B. Sends the packet to the DNS server
C. Sends the packet directly to 10.0.0.10
D. Sends an ARP request for 10.0.0.10

Answer: A

The host needs the MAC of the gateway to encapsulate the packet.

Why this answer

When the host determines that the destination IP (10.0.0.10) is not on the same subnet and must be sent to the default gateway (10.0.0.1), it needs the gateway's MAC address to encapsulate the packet in a Layer 2 frame. Since the ARP cache is empty, the host must send an ARP request for the IP address of the default gateway (10.0.0.1) to obtain its MAC address before the packet can be forwarded.

Exam trap

Cisco often tests the misconception that ARP is always used for the final destination IP, but the trap here is that when routing through a gateway, ARP is only performed for the next-hop router's IP, not the remote destination.

How to eliminate wrong answers

Option B is wrong because DNS resolution is used to resolve hostnames to IP addresses, not to determine the next-hop MAC address; the destination IP is already known. Option C is wrong because the host cannot send the packet directly to 10.0.0.10 if it is on a different subnet; the packet must be sent to the default gateway for routing. Option D is wrong because the host does not need the MAC address of the final destination (10.0.0.10) when routing through a gateway; it only needs the MAC address of the next-hop router (10.0.0.1).

18 · Multi-Select · easy

Which THREE of the following are layers in the OSI model? (Select exactly three.)

Select 3 answers
A. Internet
B. Network Access
C. Transport
D. Presentation
E. Data Link

Answers: C, D, E

Transport is Layer 4 of the OSI model.

Why this answer

The Transport layer (Layer 4) of the OSI model is correct because it provides end-to-end communication, error recovery, and flow control between hosts. Protocols such as TCP and UDP operate at this layer, ensuring reliable or connectionless data delivery as required by applications.

Exam trap

Cisco often tests the distinction between the OSI and TCP/IP models, and the trap here is that candidates confuse the TCP/IP layers (Internet, Network Access) with OSI layers, leading them to select those incorrect options instead of the correct OSI layers like Data Link.

19 · MCQ · easy

An engineer notices that a switch port configured as an access port in VLAN 10 is not forwarding traffic. The switch shows the port is up/up. What is the most likely cause?

A. Spanning Tree Protocol blocking the port
B. The connected device is sending 802.1Q tagged frames
C. Speed/duplex mismatch
D. VLAN 10 does not exist in the VLAN database

Answer: B

Access ports drop tagged frames.

Why this answer

An access port expects to receive and send only untagged frames, as it belongs to a single VLAN (VLAN 10). If the connected device sends 802.1Q tagged frames, the switch will drop them because the access port does not process VLAN tags. This explains why the port is up/up but not forwarding traffic.

Exam trap

Cisco often tests the misconception that an access port can handle tagged frames, leading candidates to overlook the strict untagged-only behavior of access ports.

How to eliminate wrong answers

Option A is wrong because Spanning Tree Protocol (STP) blocking would place the port in a blocking state, not up/up; STP blocking is typically seen on trunk ports or redundant links, not on an access port in a single VLAN. Option C is wrong because a speed/duplex mismatch would cause layer 1 errors (e.g., CRC errors, collisions) and often result in the port being up/down or flapping, not up/up with no traffic forwarding. Option D is wrong because if VLAN 10 did not exist in the VLAN database, the port would be operationally down (inactive) or placed in a suspended state, not up/up.

20 · MCQ · easy

A company has two Cisco Catalyst switches, SW1 and SW2, connected via a trunk link using port GigabitEthernet0/1 on both switches. SW1 is the root bridge for all VLANs in spanning tree. VLAN 10 users on SW1 report they can access the internet and resources in VLAN 10 on SW2, but cannot reach a critical server in VLAN 20 connected to SW2. The server in VLAN 20 has a static IP address and can communicate with other VLAN 20 devices on SW2. SW2's configuration for the trunk port includes 'switchport trunk allowed vlan 10,20'. SW1's trunk port configuration is 'switchport trunk allowed vlan 10'. The network administrator has verified that both switches have VLANs 10 and 20 created and that the default gateways are correct. What is the most likely cause of the issue?

A. SW1's trunk port is not configured to allow VLAN 20.
B. SW1 is the root bridge for VLAN 20, causing traffic to be blocked.
C. The trunk link between SW1 and SW2 is down.
D. The server in VLAN 20 has an incorrect IP address configuration.

Answer: A

The trunk allowed VLAN list on SW1 only includes VLAN 10, so VLAN 20 traffic is blocked.

Why this answer

SW1's trunk port is configured with 'switchport trunk allowed vlan 10', which explicitly permits only VLAN 10 traffic. Since VLAN 20 is not in the allowed list, frames from VLAN 20 (including traffic to the server) are dropped at the trunk egress on SW1. This prevents SW1 hosts in VLAN 10 from reaching the VLAN 20 server on SW2, even though the trunk is up and both VLANs exist on both switches.

Exam trap

Cisco often tests the distinction between VLAN existence on a switch and VLAN permission on a trunk port—candidates assume that if a VLAN is created on both switches, traffic will flow, but the trunk allowed list is the gatekeeper.

How to eliminate wrong answers

Option B is wrong because SW1 being the root bridge for all VLANs (including VLAN 20) does not block traffic; the root bridge is the reference point for spanning tree and does not itself cause traffic blocking—blocking occurs on non-root ports. Option C is wrong because if the trunk link were down, VLAN 10 users on SW1 would also be unable to access VLAN 10 resources on SW2, which they can. Option D is wrong because the server in VLAN 20 can communicate with other VLAN 20 devices on SW2, proving its IP configuration is correct for its local subnet.
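The trunk allowed-list check described above, as an added example that is not part of the original question set: a small Python model of which VLANs actually cross a trunk when each end has its own 'switchport trunk allowed vlan' list. The parser for the Cisco range syntax (comma lists, ranges, all, none, except) is a simplified re-implementation written for this example, not Cisco's code, and the two allowed lists in the usage section are the constructed values from the scenario.

```python
"""Model which VLANs traverse an 802.1Q trunk given each end's allowed list.
Added example; the range-syntax parser is a simplified re-implementation."""

ALL_VLANS = frozenset(range(1, 4095))


def _parse_list(text: str) -> frozenset:
    """Parse '10,20,30-40' style lists into a set of VLAN IDs."""
    vlans = set()
    for item in text.replace(" ", "").split(","):
        if not item:
            continue
        if "-" in item:
            lo, hi = (int(x) for x in item.split("-", 1))
        else:
            lo = hi = int(item)
        if not (1 <= lo <= hi <= 4094):
            raise ValueError(f"VLAN range out of bounds: {item}")
        vlans.update(range(lo, hi + 1))
    return frozenset(vlans)


def parse_allowed_vlans(spec: str) -> frozenset:
    """Parse the argument of 'switchport trunk allowed vlan <spec>'.

    Handles 'all', 'none', 'except <list>' and plain lists with ranges.
    Assumption: a trunk with no allowed list configured behaves as 'all'.
    """
    spec = spec.strip().lower()
    if spec in ("", "all"):
        return ALL_VLANS
    if spec == "none":
        return frozenset()
    if spec.startswith("except"):
        return ALL_VLANS - _parse_list(spec[len("except"):])
    return _parse_list(spec)


def trunk_carries(side_a: str, side_b: str) -> frozenset:
    """A VLAN crosses the trunk only if BOTH ends allow it (set intersection)."""
    return parse_allowed_vlans(side_a) & parse_allowed_vlans(side_b)


def diagnose(sw1_spec: str, sw2_spec: str, needed) -> dict:
    """For each VLAN the design needs, say whether it crosses the trunk and,
    if not, which side prunes it. Switch names are constructed labels."""
    allowed = {"SW1": parse_allowed_vlans(sw1_spec), "SW2": parse_allowed_vlans(sw2_spec)}
    report = {}
    for vlan in sorted(needed):
        pruned_by = [name for name, vset in allowed.items() if vlan not in vset]
        report[vlan] = "ok" if not pruned_by else "pruned on " + ", ".join(pruned_by)
    return report


if __name__ == "__main__":
    # Constructed values matching the scenario: SW1 allows only 10, SW2 allows 10,20.
    for vlan, status in diagnose("10", "10,20", {10, 20}).items():
        print(f"VLAN {vlan}: {status}")
```

Running the usage section reports VLAN 10 as ok and VLAN 20 as pruned on SW1, which is the mismatch the question describes; the same function is a quick sanity check against 'show interfaces trunk' output from both ends before blaming spanning tree or the server.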

21
MCQhard

A DevOps team is automating network configuration using Ansible. They want to push a new VLAN configuration to a switch but ensure that only one switch is updated at a time to avoid network disruption. Which Ansible strategy or feature should they use?

A.Use 'strategy: free' to manage execution order.
B.Set 'forks: 1' in the playbook.
C.Use 'throttle: 1' on each task.
D.Set 'serial: 1' in the playbook.
AnswerD

'serial: 1' ensures only one host is updated at a time, preventing disruption.

Why this answer

Option D is correct because setting `serial: 1` in an Ansible playbook forces the play to execute against only one host at a time, even if the play targets multiple switches. This ensures that VLAN configuration is pushed to exactly one switch before moving to the next, preventing network disruption from simultaneous changes.

Exam trap

The trap here is that candidates confuse `forks` (which controls task-level parallelism) with `serial` (which controls host-level batching), or mistakenly think `throttle` or `strategy: free` can achieve the same serialization effect.

How to eliminate wrong answers

Option A is wrong because `strategy: free` allows each host to run tasks independently without waiting for others, which could cause multiple switches to be updated concurrently, defeating the purpose of serialized updates. Option B is wrong because `forks: 1` limits the number of parallel task executions but still allows multiple hosts to be processed in parallel if the play targets multiple hosts; `forks` controls task-level parallelism, not host-level serialization. Option C is wrong because `throttle: 1` limits the number of concurrent task runs across all hosts but does not guarantee that only one switch is updated at a time; it can still allow multiple hosts to start the task before the throttle limit is reached, and it applies per task, not per play.

22
Multi-Selecteasy

Which TWO functions are performed by the data plane in a network device? (Choose two.)

Select 2 answers
A.Building the routing table using OSPF
B.Forwarding packets based on destination MAC address
C.Applying ACLs to permit or deny traffic
D.Maintaining ARP cache entries
E.Establishing OSPF neighbor adjacencies
AnswersB, C

Data plane performs forwarding.

Why this answer

The data plane is responsible for forwarding packets based on information in the forwarding table, such as destination MAC address for Layer 2 switching. Applying ACLs is also a data plane function because ACL rules are evaluated in hardware or software during packet forwarding to permit or deny traffic.

Exam trap

Cisco often tests the distinction between control plane and data plane by listing functions that sound like forwarding (e.g., maintaining ARP cache) but are actually control plane operations, leading candidates to confuse maintenance with usage.

23
MCQhard

An automation script uses the Cisco IOS XE REST API to modify the running configuration. The script sends a PUT request to /restconf/data/Cisco-IOS-XE-native:native/interface/GigabitEthernet=1/0/1/ip/address. The response returns 405 Method Not Allowed. What is the most likely reason?

A.The request body is missing.
B.PUT is not allowed on this resource; use PATCH instead.
C.The interface does not exist.
D.The script is not authenticated.
E.The IP address format is incorrect.
AnswerB

RESTCONF often uses PATCH for partial updates; PUT might not be implemented.

Why this answer

The 405 Method Not Allowed response indicates that the HTTP method (PUT) is recognized but not supported for the specific resource. In RESTCONF, PUT is used for full resource replacement, but Cisco IOS XE often restricts PUT on certain configuration resources like interface IP addresses because they are nested leafs or lists that require partial updates. PATCH is the correct method for modifying specific fields without replacing the entire resource, aligning with RFC 8040 for partial resource modifications.

Exam trap

Cisco often tests the distinction between PUT and PATCH in RESTCONF, where candidates mistakenly assume PUT is always allowed for modifications, but the trap is that PUT requires full resource replacement and is often blocked on nested or list-based resources, making PATCH the correct choice for partial updates.

How to eliminate wrong answers

Option A is wrong because a missing request body would typically result in a 400 Bad Request, not 405 Method Not Allowed. Option C is wrong because a non-existent interface would return a 404 Not Found, not a 405. Option D is wrong because authentication failures return 401 Unauthorized, not 405.

Option E is wrong because an incorrect IP address format would cause a 400 Bad Request due to schema validation failure, not a 405.
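An added example, not code from the question or from Cisco, showing how a script should build the PATCH request for the resource in this question and classify the status code it gets back. The host name, credentials and interface are constructed placeholders, the payload layout under .../ip/address follows the Cisco-IOS-XE-native model as an assumption, and the request object is assembled but never sent, so the block runs offline. One point the question's URL glosses over: RFC 8040 encodes list keys as path segments, so the '/' characters in an interface name like 1/0/1 must be percent-encoded as %2F.

```python
"""Build and interpret RESTCONF requests against the IOS XE native model.
Added example; host, credentials and interface are placeholders and the
payload shape under .../ip/address is an assumption about the model."""
import base64
import json
import urllib.parse
import urllib.request

BASE = "https://router.example.invalid/restconf/data"  # placeholder host
MEDIA = "application/yang-data+json"


def interface_path(if_type: str, if_name: str, *leaf: str) -> str:
    """Path to an interface list entry plus optional child nodes. The list key
    is one path segment, so '1/0/1' becomes '1%2F0%2F1' (RFC 8040)."""
    key = urllib.parse.quote(if_name, safe="")
    head = f"{BASE}/Cisco-IOS-XE-native:native/interface/{if_type}={key}"
    return "/".join([head, *leaf])


def patch_primary_ip(address: str, mask: str) -> dict:
    """PATCH body for .../ip/address: only the leaves given are merged, the
    rest of the node is left alone (assumed Cisco-IOS-XE-native layout)."""
    return {"Cisco-IOS-XE-native:address": {"primary": {"address": address, "mask": mask}}}


def build_request(method: str, url: str, body: dict, user: str, password: str) -> urllib.request.Request:
    """Assemble the request with RESTCONF media types and HTTP basic auth."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method=method)
    req.add_header("Content-Type", MEDIA)
    req.add_header("Accept", MEDIA)
    req.add_header("Authorization", f"Basic {token}")
    return req


# What each status means for this scenario, so a script can separate a
# method problem (405) from an auth (401), path (404) or payload (400) problem
# instead of blindly retrying.
STATUS_HINTS = {
    200: "ok: resource replaced or merged, body returned",
    204: "ok: change applied, no content returned",
    400: "malformed or schema-invalid payload: check JSON and YANG leaf names",
    401: "authentication failed: check credentials",
    404: "path not found: check module prefix, interface name and key encoding",
    405: "method not allowed on this resource: use PATCH for a partial update",
}


def diagnose(status: int) -> str:
    return STATUS_HINTS.get(status, f"unexpected HTTP {status}")


if __name__ == "__main__":
    url = interface_path("GigabitEthernet", "1/0/1", "ip", "address")
    body = patch_primary_ip("192.0.2.1", "255.255.255.0")  # constructed address
    req = build_request("PATCH", url, body, "admin", "placeholder-password")
    print(req.get_method(), req.get_full_url())
    print(diagnose(405))
```

To actually apply the change you would pass the request to urllib.request.urlopen inside a try/except for urllib.error.HTTPError and feed the error's code to diagnose(); that call is left out here so the example stays offline.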

24
Multi-Selectmedium

Which TWO statements about VLAN trunking are true?

Select 2 answers
A.Trunk links can only carry one VLAN at a time.
B.Trunk links use access ports.
C.Trunk links carry traffic for multiple VLANs.
D.Trunk links require 802.1Q encapsulation.
E.Trunk links are used to connect a switch to a single host.
AnswersC, D

Trunk links allow multiple VLANs by tagging frames.

Why this answer

Trunk links carry traffic for multiple VLANs simultaneously by tagging each frame with a VLAN identifier. This allows a single physical link to transport traffic from different VLANs between switches or between a switch and a router. Option C is correct because the primary purpose of a trunk is to multiplex VLAN traffic over one link.

Exam trap

Cisco often tests the misconception that trunk links are used to connect end hosts (like PCs or servers), when in fact trunk links are only used between network infrastructure devices (switches, routers, firewalls) to carry multiple VLANs.

25
MCQhard

A DevOps team is deploying a containerized application across multiple hosts. They need to ensure that traffic between containers on the same host is isolated from other tenants. Which network implementation best meets this requirement?

A.Linux bridge with ebtables rules
B.NAT with port forwarding
C.VXLAN overlays with a distributed virtual switch
D.802.1Q VLANs on the host switch
AnswerC

VXLAN provides scalable network isolation across hosts.

Why this answer

VXLAN overlays with a distributed virtual switch provide Layer 2 isolation across multiple hosts by encapsulating Ethernet frames in UDP packets (RFC 7348). This creates independent virtual networks (VXLAN segments) that can span hosts, ensuring traffic between containers on the same host is isolated from other tenants without relying on physical network topology.

Exam trap

Cisco often tests the misconception that VLANs (802.1Q) are sufficient for multi-host container isolation, but the trap is that VLANs are limited to a single broadcast domain and cannot scale across hosts without complex trunking, whereas VXLAN overlays are designed for multi-tenant, multi-host environments.

How to eliminate wrong answers

Option A is wrong because Linux bridge with ebtables rules operates at Layer 2 but does not provide multi-host isolation natively; it requires complex manual rules and lacks the scalability and tenant separation of overlay networks. Option B is wrong because NAT with port forwarding is a Layer 3/4 mechanism for translating IP addresses and ports, not for isolating container traffic at Layer 2; it breaks direct container-to-container communication and introduces single points of failure. Option D is wrong because 802.1Q VLANs on the host switch are limited to a single physical switch or require trunking across switches, and they cannot provide isolated Layer 2 segments across multiple hosts without extensive VLAN management and are limited to 4094 VLANs.

26
MCQmedium

A network administrator is asked to reduce the size of the routing table on a core router. The router currently has many /24 routes learned via BGP. Which technique will most effectively reduce the number of routes without losing reachability to all subnets?

A.Implement route summarization on the BGP neighbor.
B.Replace BGP with static routes.
C.Remove all BGP learned routes and use only OSPF.
D.Configure a default route to the upstream provider.
AnswerA

Summarization reduces the number of prefixes advertised and installed.

Why this answer

Route summarization (aggregation) combines multiple specific routes into a larger prefix, so fewer prefixes are advertised and installed while every covered subnet remains reachable. Option B is wrong because static routes are not dynamic and do not reduce the BGP table. Option D is wrong because a default route only covers destinations that are absent from the table, and relying on it loses granularity.

Option C is wrong because removing BGP altogether loses routes.

27
MCQhard

A network engineer is configuring EtherChannel between two switches. The switches are connected via four links. The engineer wants to load balance traffic based on source and destination IP addresses. Which configuration command should be used on Cisco IOS?

A.port-channel load-balance src-ip
B.port-channel load-balance dst-ip
C.port-channel load-balance src-dst-mac
D.port-channel load-balance src-dst-ip
AnswerD

Uses both source and destination IP.

Why this answer

The command 'port-channel load-balance src-dst-ip' sets the load-balancing method to use both source and destination IP addresses. Option A is wrong because it hashes only on the source IP. Option B is wrong because it hashes only on the destination IP.

Option C is wrong because it hashes on source and destination MAC addresses, not IP addresses.

28
Multi-Selectmedium

Which THREE of the following are valid JSON data types? (Choose three.)

Select 3 answers
A.String
B.Number
C.Function
D.Array
E.Date
AnswersA, B, D

Strings are enclosed in double quotes.

Why this answer

JSON (JavaScript Object Notation) is a lightweight data-interchange format that supports only a fixed set of data types as defined by RFC 7159. String is a valid JSON type because it must be enclosed in double quotes and can contain Unicode characters. Number is valid as it includes integers and floating-point values without quotes, following the numeric grammar in the JSON specification.

Exam trap

Cisco often tests the misconception that JSON supports JavaScript-specific types like Function or Date, but JSON is a language-independent format with only six defined types per RFC 7159.

29
MCQmedium

A company uses a /24 subnet for its office LAN. The network must accommodate 30 hosts per VLAN. Which subnet mask would be most efficient for each VLAN while minimizing wasted IP addresses?

A.255.255.255.224
B.255.255.255.240
C.255.255.255.0
D.255.255.255.128
E.255.255.255.192
AnswerA

This is /27, provides 30 usable hosts, exactly meeting the requirement.

Why this answer

A /27 subnet mask (255.255.255.224) provides 32 total addresses per subnet, with 30 usable host addresses (2^5 - 2 = 30). This exactly meets the requirement of 30 hosts per VLAN without wasting IP addresses, as any larger subnet would leave unused addresses.

Exam trap

Cisco often tests the misconception that the subnet mask only needs to cover the host count, without accounting for the network and broadcast addresses; candidates who forget that 2 addresses per subnet are reserved undersize the subnet, whereas /27 fits here only because its 32 addresses leave exactly 30 usable.

How to eliminate wrong answers

Option B (255.255.255.240) is wrong because it provides only 14 usable hosts per subnet (2^4 - 2 = 14), which is insufficient for 30 hosts. Option C (255.255.255.0) is wrong because it provides 254 usable hosts, which is far more than needed and wastes IP addresses. Option D (255.255.255.128) is wrong because it provides 126 usable hosts, also wasteful for 30 hosts.

Option E (255.255.255.192) is wrong because it provides 62 usable hosts, which is more than required and inefficient.

30
MCQeasy

A network engineer is configuring a new switch and needs to ensure that frames from VLAN 10 and VLAN 20 are isolated on the same trunk link to another switch. Which IEEE standard should be configured on the trunk interfaces?

A.802.3
B.802.11
C.802.1Q
AnswerC

802.1Q is the IEEE standard for VLAN tagging on trunk links.

Why this answer

C is correct because 802.1Q is the IEEE standard that defines VLAN tagging, allowing multiple VLANs (such as VLAN 10 and VLAN 20) to be carried over a single trunk link while maintaining isolation between them. By inserting a 4-byte VLAN tag into the Ethernet frame, 802.1Q enables the receiving switch to identify which VLAN a frame belongs to, ensuring traffic from different VLANs remains separate.

Exam trap

Cisco often tests the distinction between 802.1Q (VLAN tagging) and 802.1X (authentication), so the trap here is confusing a trunking protocol with a security protocol, leading candidates to pick 802.1X when the question is about VLAN isolation on a trunk.

How to eliminate wrong answers

Option A is wrong because 802.3 is the IEEE standard for Ethernet (CSMA/CD) and defines physical layer and MAC sublayer specifications, not VLAN tagging or trunking. Option B is wrong because 802.11 is the IEEE standard for wireless LAN (Wi-Fi) and is unrelated to wired switch trunk links or VLAN isolation. Option D is wrong because 802.1X is the IEEE standard for port-based network access control (authentication), not for VLAN tagging or trunking.

31
Multi-Selecteasy

A network administrator is deploying a new application that requires high availability and load balancing across multiple servers. The servers are connected to a pair of switches that use StackWise virtual technology. The application team requests that the servers be configured with NIC teaming in active-active mode. Which two requirements must be met for this configuration to work correctly? (Choose two.)

Select 2 answers
A.The two switches must be part of a single stack or virtual switch fabric.
B.Spanning-tree PortFast must be enabled on the switch ports connected to the servers.
C.Both NIC team members must be configured in the same VLAN.
D.The NIC team must use LACP for load balancing.
E.Both NIC team members should connect to the same switch module for consistency.
AnswersA, C

This allows the NIC team to see the two switches as one logical switch and use both links simultaneously.

Why this answer

Option A is correct because StackWise virtual technology logically combines two physical switches into a single control plane, allowing NIC teaming in active-active mode to treat the pair as one logical switch. This ensures that both NIC team members can forward traffic simultaneously without loops, as the stack provides a unified Layer 2 topology and prevents MAC flapping between the two switches.

Exam trap

Cisco often tests the misconception that NIC teaming requires LACP or that PortFast is necessary for active-active operation, but the real key is that the switches must be part of a single logical fabric to avoid loops and MAC flapping.

32
MCQeasy

An engineer needs to identify which hosts are reachable in a 10.0.0.0/24 network using an automated script that does not require any credentials on the target devices. Which protocol is best suited for this task?

B.CDP
D.ARP
AnswerA

ICMP echo requests are unauthenticated and can be used to check reachability.

Why this answer

ICMP (Internet Control Message Protocol) is the correct choice because it provides the Echo Request and Echo Reply messages (commonly used by the 'ping' command) that can determine host reachability without requiring any authentication or credentials on the target devices. This makes ICMP ideal for an automated script that needs to probe a 10.0.0.0/24 network for live hosts, as it operates at the network layer and only requires IP connectivity.

Exam trap

Cisco often tests the distinction between protocols that require credentials (SNMP) and those that do not (ICMP), and the trap here is that candidates may choose ARP thinking it can discover hosts without credentials, but ARP only works on the local subnet and does not confirm IP-level reachability across a routed network.

How to eliminate wrong answers

Option B (CDP) is wrong because Cisco Discovery Protocol is a proprietary Layer 2 protocol used to discover directly connected Cisco devices and their capabilities; it requires the target devices to be Cisco devices with CDP enabled and does not test reachability via IP, nor does it work across routers or subnets. Option C (SNMP) is wrong because Simple Network Management Protocol requires credentials (community strings or SNMPv3 authentication) to query managed devices, and the question explicitly states no credentials are allowed. Option D (ARP) is wrong because Address Resolution Protocol resolves IP addresses to MAC addresses on a local broadcast domain; it can only detect hosts on the same subnet and requires an ARP request to be sent, but it does not confirm end-to-end reachability beyond Layer 2 and is not suitable for a /24 network that may span multiple Layer 2 segments.

33
MCQeasy

A network engineer needs to allow HTTPS traffic from the internet to an internal web server. Which type of firewall rule should be applied on the perimeter firewall?

A.Routing protocol configuration
B.Outbound ACL on the inside interface
C.Inbound ACL on the outside interface
D.Static NAT configuration
AnswerC

An inbound ACL on the outside interface permits incoming HTTPS traffic to the web server.

Why this answer

An inbound ACL on the outside interface filters traffic arriving from the internet before it reaches the internal web server, so that is where the HTTPS permit belongs. Option B is wrong because an outbound ACL controls traffic leaving the network. Option D is wrong because NAT handles address translation, not filtering.

Option A is wrong because routing protocol configuration is not access control.
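An added example, not from the question set, of how the perimeter device evaluates the inbound ACL the question asks for: entries are checked top-down, the first match wins, and an implicit deny ip any any sits at the bottom, which is why a permit for TCP 443 to the web server lets HTTPS in and nothing else. The ACL, the web server address and the sample packets are constructed for the example using RFC 5737 documentation ranges; the first entry, which drops packets arriving from the internet with a private source address, is added to show how entry order matters.

```python
"""Evaluate a constructed Cisco-style extended ACL: first match wins,
implicit deny at the end. Added example; addresses are documentation ranges."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")


def host(addr: str) -> ipaddress.IPv4Network:
    """Equivalent of the ACL 'host' keyword: a /32."""
    return ipaddress.ip_network(f"{addr}/32")


@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches any protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None     # None = any destination port ("eq" omitted)

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("ip", p.proto)
                and ipaddress.ip_address(p.src) in self.src
                and ipaddress.ip_address(p.dst) in self.dst
                and (self.dport is None or self.dport == p.dport))


def evaluate(acl: List[Ace], p: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching entry); index None means the
    packet fell through to the implicit 'deny ip any any'."""
    for i, ace in enumerate(acl):
        if ace.matches(p):
            return ace.action, i
    return "deny", None


# Constructed inbound ACL for the outside interface, equivalent to:
#   deny   ip  10.0.0.0 0.255.255.255 any          (spoofed private source)
#   permit tcp any host 203.0.113.10 eq 443        (HTTPS to the web server)
WEB = "203.0.113.10"
OUTSIDE_IN = [
    Ace("deny", "ip", ipaddress.ip_network("10.0.0.0/8"), ANY),
    Ace("permit", "tcp", ANY, host(WEB), 443),
]

if __name__ == "__main__":
    samples = [
        Packet("tcp", "198.51.100.7", WEB, 443),   # HTTPS from the internet: permitted
        Packet("tcp", "198.51.100.7", WEB, 22),    # SSH to the same server: implicit deny
        Packet("tcp", "10.1.1.1", WEB, 443),       # HTTPS with private source: entry 0 denies
    ]
    for pkt in samples:
        print(pkt, "->", evaluate(OUTSIDE_IN, pkt))
```

The third sample is the reason ordering matters: moving the anti-spoofing deny below the permit would let that packet through, because the permit would match first.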

34
MCQhard

A company has a three-tier data center architecture with access, aggregation, and core layers. The network team is migrating to a leaf-spine architecture to support increasing east-west traffic. The current network uses STP for loop prevention, and the team wants to eliminate STP in the new design. They plan to use VXLAN overlays with BGP EVPN for control plane. During a pilot deployment, the team notices that some legacy servers that rely on traditional VLANs are not reachable across the new fabric. The servers are connected to access switches that are part of the leaf layer. The access switches are configured as VXLAN tunnel endpoints (VTEPs) but the legacy servers are still using traditional VLANs. The team needs to ensure connectivity between the legacy VLAN-based servers and the new VXLAN-based network. What is the best approach to integrate these legacy servers without changing their configuration?

A.Create a separate VRF for legacy VLANs and redistribute into BGP EVPN
B.Implement a Layer 2 gateway (L2GW) on the leaf switches to bridge VLANs to VXLAN using IRB
C.Configure the same VLAN on all leaf switches and use VXLAN to stretch the VLAN across the fabric
D.Reconfigure the legacy servers to use VXLAN encapsulation
AnswerB

IRB provides seamless bridging between VLAN and VXLAN.

Why this answer

Option B is correct because an Integrated Routing and Bridging (IRB) interface on the leaf switch acts as a Layer 2 gateway (L2GW), bridging the legacy VLAN to a VXLAN segment. This allows the legacy server, which still uses traditional VLAN tagging, to communicate with the VXLAN-based fabric without any configuration changes on the server. The IRB interface performs the VLAN-to-VXLAN mapping and handles ARP suppression, enabling seamless integration.

Exam trap

The trap here is that candidates often confuse Layer 2 stretching (Option C) with a Layer 2 gateway, not realizing that stretching VLANs across the fabric would reintroduce STP dependencies and does not provide the necessary gateway function for legacy VLAN-based devices.

How to eliminate wrong answers

Option A is wrong because creating a separate VRF for legacy VLANs and redistributing into BGP EVPN does not solve the Layer 2 connectivity issue; VRFs are for Layer 3 isolation, not for bridging VLANs to VXLAN. Option C is wrong because configuring the same VLAN on all leaf switches and using VXLAN to stretch the VLAN across the fabric would require the legacy servers to be in the same broadcast domain, which defeats the purpose of eliminating STP and does not address the need for a gateway between VLAN and VXLAN. Option D is wrong because reconfiguring the legacy servers to use VXLAN encapsulation would require changing their configuration, which the team explicitly wants to avoid.

35
MCQhard

A DevOps engineer is automating network device configuration using Ansible. The playbook must retrieve the MAC address table from a Cisco switch. Which protocol should the engineer use to fetch this data?

A.SSH with CLI scraping
B.HTTPS with Web UI
D.NETCONF
AnswerE

SNMP is a standard protocol for retrieving MIB data like MAC tables.

Why this answer

The MAC address table is accessible via SNMP (MIB). REST API is not native on older switches; NETCONF can be used but is more complex for this task. CLI scraping is not recommended.

Ansible can use SNMP to gather information.

36
Multi-Selectmedium

Which THREE are characteristics of OSPF? (Choose three.)

Select 3 answers
A.It is a distance-vector routing protocol
B.It uses cost as the metric
C.It uses hop count as the metric
D.It is a link-state routing protocol
E.It supports Variable-Length Subnet Mask (VLSM)
AnswersB, D, E

Cost is derived from bandwidth.

Why this answer

OSPF uses cost as its metric, which is derived from the bandwidth of the interface (calculated as 10^8 / bandwidth in bps by default). This allows OSPF to select the most efficient path based on link speed rather than a simple hop count, making it suitable for larger, more complex networks.

Exam trap

Cisco often tests the distinction between OSPF (link-state, cost metric) and RIP (distance-vector, hop count metric), so the trap here is confusing OSPF's cost with RIP's hop count or assuming OSPF is distance-vector due to its routing behavior.

37
MCQeasy

Refer to the exhibit. A PC is connected to interface GigabitEthernet0/1 on a Cisco switch. The PC is in VLAN 10. What is the purpose of the 'spanning-tree portfast' command on this interface?

A.It disables STP on the interface.
B.It prevents the interface from entering blocking state.
C.It allows the interface to transition directly to forwarding state.
D.It enables BPDU guard on the interface.
E.It enables Rapid Spanning Tree on the interface.
AnswerC

PortFast eliminates the learning/listening delays.

Why this answer

PortFast brings the interface to forwarding state immediately, bypassing STP listening and learning states. This speeds up access port convergence.

38
MCQmedium

You are deploying a new data center network using Cisco Nexus switches. The design uses Virtual Port Channel (vPC) to provide redundancy and increased bandwidth to servers with dual-homed NICs. The two vPC peer switches are NX1 and NX2, and they are connected via a peer-link. The servers are configured with active/standby NIC teaming. After the deployment, you notice that some ARP requests from servers are not being responded to, leading to connectivity issues. Analysis shows that when a server sends an ARP request for its default gateway (which is a virtual IP on the vPC), only one of the peer switches responds, but the response does not reach the server intermittently. The vPC is correctly configured, and the peer-gateway feature is enabled. What is the most likely cause?

A.The virtual gateway IP is misconfigured with HSRP, causing split-brain.
B.STP is blocking the vPC peer-link, preventing ARP responses.
C.The server's MAC address is not pinned to the correct vPC member port.
D.The server's NIC teaming is sending ARP requests to the standby switch, which forwards them over the peer-link, and the peer-gateway feature does not respond to ARP requests received over the peer-link.
AnswerD

Peer-gateway only responds to ARP on vPC member ports, not on peer-link.

Why this answer

If peer-gateway is enabled, each vPC peer can respond to ARP for the virtual gateway IP. However, if the ARP request is sent via the peer-link (because the server's NIC is active on one switch but the request may be flooded), the response might be blocked by the peer-link's native VLAN mismatch or STP issues. Option D is correct: the peer-gateway feature works only for packets received on a vPC member port, not on the peer-link.

So if the server's NIC teaming sends traffic to the standby switch first, that switch may receive the ARP request on a vPC member port and respond, but if the request goes over the peer-link, the peer switch may not respond or the response may be dropped. Option B is wrong because vPC does not use STP on member ports. Option A is wrong because HSRP is not used with vPC peer-gateway.

Option C is wrong because the issue is not about MAC pinning.

39
MCQhard

A network administrator is troubleshooting BGP path selection for a route received from two different ISPs. The routes have the same local preference and AS-path length, but one route has a shorter MED value. Which route will be preferred?

A.The route with the most specific prefix length
B.The route from the ISP with the higher bandwidth
C.The route with the lower MED
D.The route with the higher local preference
AnswerC

Lower MED is preferred.

Why this answer

In BGP path selection, when routes have the same local preference and AS-path length, the next tiebreaker is the Multi-Exit Discriminator (MED) value. A lower MED value is preferred because it indicates a more desirable entry point into the neighboring AS. Therefore, the route with the shorter MED will be selected.

Exam trap

Cisco often tests the order of BGP path selection steps, and the trap here is that candidates may confuse MED with local preference or AS-path length, or incorrectly think that prefix length or bandwidth plays a role in BGP best-path selection.

How to eliminate wrong answers

Option A is wrong because prefix length (most specific route) is not a BGP path selection attribute; it is used in the routing table for longest-prefix match, not for BGP best-path decision. Option B is wrong because bandwidth is not a standard BGP attribute and is not considered in the BGP path selection algorithm; BGP relies on configured metrics like MED, not physical link speed. Option D is wrong because the question states both routes have the same local preference, so this attribute cannot differentiate them; higher local preference would only matter if they were different.
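The tiebreak order described above, as an added example that is not part of the question set: a Python walk through the Cisco best-path steps that returns the winner and names the step that decided. The attribute values are constructed. It also models a caveat the question leaves out: by default IOS compares MED only between paths learned from the same neighboring AS, and two different ISPs only get a MED comparison when 'bgp always-compare-med' is configured, so the function takes that as a flag.

```python
"""Compare two BGP candidate paths step by step and report the deciding
step. Added example; attribute values are constructed. Some later steps
(oldest path, cluster-list length, neighbor address) are omitted."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}


@dataclass
class Path:
    name: str
    weight: int = 0               # Cisco-local attribute, higher wins
    local_pref: int = 100         # higher wins
    as_path: List[int] = field(default_factory=list)   # shorter wins
    origin: str = "igp"           # igp < egp < incomplete
    med: int = 0                  # lower wins
    ebgp: bool = True             # eBGP-learned beats iBGP-learned
    igp_metric: int = 0           # lower IGP metric to the next hop wins
    router_id: str = "0.0.0.0"    # lowest wins as the final tiebreaker

    def neighbor_as(self) -> Optional[int]:
        return self.as_path[0] if self.as_path else None


def best_path(a: Path, b: Path, always_compare_med: bool = False) -> Tuple[Path, str]:
    """Return (winning path, name of the deciding step). Each key is shaped so
    that the smaller value wins, which keeps the loop uniform."""
    steps = [
        ("weight", lambda p: -p.weight),
        ("local preference", lambda p: -p.local_pref),
        ("AS-path length", lambda p: len(p.as_path)),
        ("origin", lambda p: ORIGIN_RANK[p.origin]),
        ("MED", lambda p: p.med),
        ("eBGP over iBGP", lambda p: 0 if p.ebgp else 1),
        ("IGP metric", lambda p: p.igp_metric),
        ("router ID", lambda p: tuple(int(o) for o in p.router_id.split("."))),
    ]
    for name, key in steps:
        if name == "MED" and not always_compare_med and a.neighbor_as() != b.neighbor_as():
            continue  # IOS default: MED is not comparable across neighboring ASes
        ka, kb = key(a), key(b)
        if ka != kb:
            return (a if ka < kb else b), name
    return a, "tie"


if __name__ == "__main__":
    # Constructed scenario from the question: same local preference and
    # AS-path length, different MED, routes from two different ISPs.
    isp_a = Path("ISP-A", as_path=[65001, 65100], med=10, router_id="10.0.0.2")
    isp_b = Path("ISP-B", as_path=[65002, 65100], med=20, router_id="10.0.0.1")
    for flag in (True, False):
        winner, step = best_path(isp_a, isp_b, always_compare_med=flag)
        print(f"always-compare-med={flag}: {winner.name} wins on {step}")
```

With the flag set the lower MED wins, as the answer states; without it the MED step is skipped for two different neighboring ASes and the decision falls through to later tiebreakers, which is worth checking with 'show ip bgp' before assuming MED explains a path choice.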

40
MCQeasy

A company is designing a new branch network. They want to segment traffic into separate broadcast domains to improve security and reduce broadcast traffic. Which technology should be used to achieve this?

B.Subnetting
D.VLANs
AnswerD

VLANs create separate broadcast domains.

Why this answer

VLANs create separate Layer 2 broadcast domains, isolating traffic between groups. Subnetting (Option A) is a Layer 3 concept but does not create broadcast domains; it works with VLANs. STP (Option B) prevents loops.

EtherChannel (Option D) bundles links.

41
Multi-Selecthard

Which TWO are components of a REST API request? (Choose two.)

Select 2 answers
A.URI
B.Status code
C.Payload
D.HTTP method
E.Query string
AnswersA, D

Identifies the resource.

Why this answer

A REST API request includes an HTTP method (verb) such as GET or POST (D) and a URI (Uniform Resource Identifier) that identifies the resource (A). A payload (C) is present only for some methods, such as POST. The query string (E) is part of the URI.

The status code (B) is in the response, not the request.

42
MCQmedium

An engineer needs to transfer a router configuration file to a server in the same network using a simple protocol that does not require authentication. Which protocol is best?

A.SCP
C.FTP
AnswerB

TFTP has no authentication and is simple to implement.

Why this answer

TFTP (Trivial File Transfer Protocol) is the best choice because it is a lightweight, connectionless protocol that operates over UDP (port 69) and does not require any authentication or user credentials. It is commonly used for transferring router configuration files and IOS images in local network environments where simplicity and speed are prioritized over security.

Exam trap

Cisco often tests the distinction between TFTP and SCP, where candidates mistakenly choose SCP because it is secure, overlooking the explicit requirement for a protocol that does not require authentication.

How to eliminate wrong answers

Option A (SCP) is wrong because it relies on SSH for authentication and encryption, requiring credentials and adding overhead that is unnecessary for a simple, unauthenticated transfer. Option C (FTP) is wrong because it typically requires username/password authentication and uses TCP, making it more complex and less suitable for a no-authentication requirement. Option D (HTTP) is wrong because while it can be used without authentication, it is designed for web content transfer and often involves more overhead (TCP-based) and is not the standard protocol for router configuration file transfers in a local network.

43
MCQhard

A developer is building a chat application that requires low-latency communication, and occasional packet loss is acceptable. Which transport protocol should the developer choose?

A.UDP
B.RTP
C.QUIC
D.TCP
AnswerA

UDP is connectionless and low-latency; packet loss is acceptable in this scenario.

Why this answer

UDP is the correct choice because it provides low-latency, connectionless communication without retransmission or congestion control, making it ideal for real-time chat applications where occasional packet loss is acceptable. Unlike TCP, UDP does not require a handshake or acknowledgment, minimizing delay and overhead.

Exam trap

Cisco often tests the distinction between transport protocols and application-layer protocols, so candidates may confuse RTP (which is not a transport protocol) with UDP, or assume QUIC is a transport protocol when it is actually an application-layer protocol built on UDP.

How to eliminate wrong answers

Option B (RTP) is wrong because RTP is an application-layer protocol that typically runs over UDP to deliver real-time media, but it is not a transport protocol itself; the question asks for a transport protocol. Option C (QUIC) is wrong because QUIC, while offering lower latency than TCP, is built on top of UDP and includes reliability and congestion control features that are unnecessary when packet loss is acceptable, and it is not a pure transport protocol in the OSI model. Option D (TCP) is wrong because TCP's reliability mechanisms (retransmission, flow control, congestion avoidance) introduce latency and overhead that conflict with the requirement for low-latency communication, and its connection-oriented nature is unsuitable when occasional packet loss is acceptable.

44
MCQmedium

Refer to the exhibit. A switch has the VLAN configuration shown. If a device is connected to interface Gi0/3 and another to Gi0/5, can they communicate if the switch is not configured with any inter-VLAN routing?

A.Yes, if the default gateway is configured on each device.
B.No, because VLAN 20 is not active on those ports.
C.No, because they are in different VLANs and no routing is configured.
D.Yes, if the devices have IP addresses in the same subnet.
E.Yes, because all ports are on the same switch.
AnswerC

VLANs isolate traffic; inter-VLAN requires layer 3 routing.

Why this answer

Option C is correct because devices in different VLANs (VLAN 10 and VLAN 20) are on separate Layer 2 broadcast domains. Without inter-VLAN routing (either a Layer 3 switch with IP routing enabled or an external router), traffic cannot cross VLAN boundaries, even if the devices share the same physical switch. The switch forwards frames only within the same VLAN unless routing is explicitly configured.

Exam trap

The trap here is that candidates assume all ports on the same switch can communicate by default, overlooking that VLANs create isolated Layer 2 domains that require routing to interconnect.

How to eliminate wrong answers

Option A is wrong because configuring a default gateway on each device only enables them to send traffic to a router; it does not enable the switch to route between VLANs. Option B is wrong because the exhibit shows VLAN 20 is active on Gi0/5 (access VLAN 20), so the port is correctly assigned; the issue is not inactivity but the VLAN mismatch. Option D is wrong because the devices are in different VLANs and thus belong to different subnets by design; even if they had IP addresses in the same subnet, the switch would still isolate them at Layer 2 because VLANs enforce separate broadcast domains.

Option E is wrong because being on the same switch does not imply Layer 3 connectivity; the switch forwards frames only within the same VLAN unless routing is configured.

45
Multi-Selectmedium

A network engineer needs to create a new subnet that can support at least 50 usable host addresses for a development environment. Which TWO subnet masks would meet this requirement? (Choose two.)

Select 2 answers
A.255.255.255.224 (/27)
B.255.255.255.128 (/25)
C.255.255.255.192 (/26)
D.255.255.255.248 (/29)
E.255.255.255.240 (/28)
AnswersB, C

/25 provides 2^(32-25) - 2 = 126 usable host addresses and /26 provides 62, both more than the 50 required.

Why this answer

Subnet masks /25 and /26 provide 126 and 62 usable host addresses respectively, both exceeding the requirement of 50. /27 provides only 30 usable addresses, /28 provides 14, and /29 provides 6, all insufficient.

46
MCQmedium

You manage a network that uses a mix of Cisco IOS and IOS-XE devices. The company wants to implement network automation using RESTCONF and YANG. You have configured RESTCONF on a branch router running IOS-XE 16.12. You can successfully retrieve the interface configuration using a GET request from a Python script. However, when you try to modify the description of an interface using a PATCH request, you receive a 405 Method Not Allowed error. The script uses basic authentication over HTTPS. The URL is correct, and the YANG data payload is valid. What is the most likely reason for the failure?

A.The RESTCONF service on the router is not enabled for write operations.
B.The YANG payload must be in XML format instead of JSON.
C.Basic authentication is not supported for PATCH requests.
D.The PATCH request must target the entire configuration data store, not a specific interface.
AnswerA

A 405 means the resource exists but the method was refused: the RESTCONF agent is serving this session read-only, so write access for the agent and the account must be enabled.

Why this answer

A 405 Method Not Allowed is an HTTP-level refusal of the method on an otherwise valid resource. Because a GET on the same path succeeds and the payload is valid, the agent is accepting reads but refusing writes for this session. On IOS-XE that points at the RESTCONF agent not permitting write operations, for example because the account the script authenticates with is below the privilege level 15 that IOS-XE expects for configuration changes through RESTCONF, so the fix is to enable write access rather than to change the request. Option A is the only choice that describes this.

Option B is wrong because RESTCONF accepts both JSON (application/yang-data+json) and XML (application/yang-data+xml) encodings, selected by the Content-Type header. Option C is wrong because basic authentication over HTTPS applies to every method, so it would not single out PATCH. Option D is wrong because RESTCONF addresses individual resources by URL, and patching a single interface under Cisco-IOS-XE-native:native is exactly how a description is changed.
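Added example (not code from the original question, nor from Cisco): a minimal RESTCONF client in Python using only the standard library that builds the IOS-XE native-model URL and PATCH body for an interface description and translates the HTTP status of the write into the most likely cause. The host 192.0.2.10, the credentials, the interface GigabitEthernet1, and the status-to-cause mapping (which follows the question's premise that 405 means the agent is refusing writes) are assumptions; the transport is injected so the logic can be exercised offline with a fake that behaves like the router in the question.

```python
import base64
import json
from urllib.error import HTTPError
from urllib.parse import quote
from urllib.request import Request, urlopen

# RESTCONF media type for JSON-encoded YANG data (RFC 8040)
YANG_JSON = "application/yang-data+json"


def interface_url(host, iftype, number):
    """RESTCONF URL for one interface under the IOS-XE native model.

    The interface number is a list key, so slashes in it (e.g. 0/0/1) are
    percent-encoded: .../interface/GigabitEthernet=0%2F0%2F1
    """
    return (f"https://{host}/restconf/data/Cisco-IOS-XE-native:native"
            f"/interface/{iftype}={quote(number, safe='')}")


def basic_auth_header(user, password):
    """HTTP Basic credentials; only ever send these over HTTPS."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def description_patch(iftype, number, description):
    """JSON body for a PATCH that merges a new description into the interface
    (PATCH merges; PUT would replace the whole interface node)."""
    return {f"Cisco-IOS-XE-native:{iftype}": {"name": number,
                                              "description": description}}


def explain_status(method, status):
    """Map the HTTP status of a RESTCONF write to the most likely cause.
    The 405 branch follows the question's premise (assumption): the agent
    answered reads but is refusing writes for this session."""
    if status in (200, 201, 204):
        return "ok"
    if status == 400:
        return "malformed payload or wrong Content-Type (expected " + YANG_JSON + ")"
    if status == 401:
        return "credentials rejected"
    if status == 403:
        return "authenticated but not authorised for this resource"
    if status == 405:
        return (f"{method} refused on a readable resource: the RESTCONF agent is "
                "serving this session read-only; enable write access (IOS-XE "
                "expects a privilege 15 account for configuration writes)")
    return f"unexpected HTTP {status}"


def set_description(host, user, password, iftype, number, description, send):
    """Issue the PATCH via send(method, url, headers, body) -> status.

    send() is injected so the same code runs against a router (urllib_send)
    or an offline fake; returns (status, explanation)."""
    headers = {"Accept": YANG_JSON, "Content-Type": YANG_JSON,
               **basic_auth_header(user, password)}
    body = json.dumps(description_patch(iftype, number, description)).encode()
    status = send("PATCH", interface_url(host, iftype, number), headers, body)
    return status, explain_status("PATCH", status)


def urllib_send(method, url, headers, body):
    """Real transport. TLS certificate verification stays on: a management
    API that accepts Basic auth must not be reached over an unverified channel."""
    try:
        with urlopen(Request(url, data=body, headers=headers, method=method)) as resp:
            return resp.status
    except HTTPError as err:
        return err.code


def fake_router_send(method, url, headers, body):
    """Offline stand-in behaving like the router in the question:
    reads succeed, writes come back 405."""
    return 200 if method == "GET" else 405


if __name__ == "__main__":
    # Assumed host, account and interface; swap fake_router_send for
    # urllib_send to run against a real IOS-XE device.
    print(set_description("192.0.2.10", "netops", "s3cret", "GigabitEthernet", "1",
                          "uplink to core", fake_router_send))
```

The Accept and Content-Type headers matter: omitting them is the usual cause of a 400 rather than a 405, so checking both codes separately keeps the diagnosis honest. Keep certificate verification enabled on the real transport; Basic credentials over an unverified TLS session are a privilege 15 account waiting to be captured.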

47
Multi-Selectmedium

A network engineer is troubleshooting an issue where hosts in VLAN 100 cannot reach a server at 10.1.1.100. The switch interfaces are configured as access ports in VLAN 100, and the default gateway is 10.1.1.1. The engineer checks the switch and finds that the ARP table does not contain the server's MAC address. Which two actions should the engineer take to resolve the issue? (Choose two.)

Select 2 answers
A.Ping the server's IP address from the switch management interface.
B.Ping the default gateway from a host in VLAN 100.
C.Check the ARP table on the default gateway router.
D.Check the MAC address table on the switch for the server's MAC.
E.Verify that the switch port connected to the server is in VLAN 100.
AnswersC, E

Because 10.1.1.100 is in the hosts' own subnet, the hosts must resolve the server's MAC address directly rather than the gateway's, so the problem lies in Layer 2 reachability between the hosts and the server.

Why this answer

Option E is correct because if the switch port connected to the server is not in VLAN 100, the server sits in a different broadcast domain and never sees the ARP requests that hosts in VLAN 100 flood for 10.1.1.100. With no ARP reply, neither the hosts nor the switch's own SVI (if it has one in VLAN 100) ever learn the server's MAC address, and the switch's MAC address table will not associate the server's MAC with VLAN 100 either.

Exam trap

Cisco often tests the distinction between the MAC address table (Layer 2 forwarding) and the ARP table (Layer 3 resolution), leading candidates to incorrectly choose checking the MAC address table when the real issue is VLAN membership affecting ARP propagation.

48
MCQmedium

During a network outage, a technician notices that hosts in VLAN 10 cannot reach the default gateway at 192.168.10.1, but hosts in VLAN 20 can. The switch interfaces are up, and the router is configured with subinterfaces. What is the most likely cause?

A.The trunk link is administratively down.
B.The switchport trunk native VLAN is mismatched.
C.The router subinterface for VLAN 10 is down or misconfigured.
D.The router does not have an IP address configured.
AnswerC

A down or misconfigured subinterface prevents routing for that VLAN.

Why this answer

The router subinterface for VLAN 10 is down or misconfigured. Since hosts in VLAN 10 cannot reach the default gateway but hosts in VLAN 20 can, the issue is isolated to VLAN 10. The router uses subinterfaces to route between VLANs via a trunk link; if the subinterface for VLAN 10 is down (e.g., no 'no shutdown' command) or misconfigured (e.g., wrong VLAN ID or encapsulation), it will not process traffic for that VLAN, while other subinterfaces remain functional.

Exam trap

Cisco often tests the misconception that a trunk link issue or native VLAN mismatch would affect all VLANs equally, when in fact a subinterface-specific problem (like being administratively down or misconfigured) can isolate a single VLAN.

How to eliminate wrong answers

Option A is wrong because if the trunk link were administratively down, all VLANs (including VLAN 20) would be affected, not just VLAN 10. Option B is wrong because a native VLAN mismatch on a trunk would cause issues for untagged traffic (typically VLAN 1) or potential spanning-tree problems, but it would not selectively break only VLAN 10 while VLAN 20 works. Option D is wrong because the router does have IP addresses configured (as implied by the default gateway 192.168.10.1 for VLAN 10 and presumably another for VLAN 20), and the problem is specific to VLAN 10, not a global lack of IP configuration.

49
MCQmedium

A developer is writing an application that needs to send a large amount of data reliably over a network. Which transport layer protocol should the developer use?

A.TCP
B.ICMP
C.HTTP
D.UDP
AnswerA

TCP ensures reliable data transfer through acknowledgments and retransmissions.

Why this answer

TCP (Transmission Control Protocol) is the correct choice because it provides reliable, connection-oriented data delivery with acknowledgments, retransmission, and sequencing. This ensures that large amounts of data are transmitted without loss or corruption, which is critical for applications requiring data integrity.

Exam trap

Cisco often tests the distinction between transport-layer protocols (TCP vs. UDP) and higher-layer protocols (HTTP), so the trap here is that candidates might choose HTTP because it is commonly used for data transfer, forgetting that it is not a transport-layer protocol.

How to eliminate wrong answers

Option B (ICMP) is wrong because ICMP is a network-layer protocol used for error reporting and diagnostics (e.g., ping), not for reliable data transport. Option C (HTTP) is wrong because HTTP is an application-layer protocol that relies on TCP for reliable transport; it is not a transport-layer protocol itself. Option D (UDP) is wrong because UDP is connectionless and does not guarantee delivery, ordering, or retransmission, making it unsuitable for reliable large-data transfers.

50
MCQmedium

A company has multiple subnets. A device in subnet 192.168.1.0/24 needs to communicate with a device in subnet 192.168.2.0/24. What is required for this communication?

A.A DNS server
B.A VLAN
C.A bridge
D.A router or Layer 3 switch
AnswerD

A router or Layer 3 switch can forward packets between different subnets.

Why this answer

Devices in different subnets (192.168.1.0/24 and 192.168.2.0/24) are on separate Layer 3 networks. To forward packets between these subnets, a router or Layer 3 switch is required to perform IP routing, using the destination IP address to determine the next hop. Without a Layer 3 device, the frames cannot leave the local broadcast domain.

Exam trap

Cisco often tests the misconception that a VLAN alone enables communication between subnets, but VLANs only isolate traffic at Layer 2; a Layer 3 device is always needed to route between different subnets.

How to eliminate wrong answers

Option A is wrong because a DNS server resolves hostnames to IP addresses but does not forward packets between subnets; routing is a Layer 3 function, not a naming service. Option B is wrong because a VLAN segments a single switch into multiple broadcast domains at Layer 2, but it does not route between subnets; inter-VLAN communication still requires a Layer 3 device. Option C is wrong because a bridge operates at Layer 2 to connect two network segments within the same subnet, forwarding frames based on MAC addresses; it cannot route between different IP subnets.

51
MCQhard

Refer to the exhibit. A switch is configured with the shown trunk port. After connecting the uplink, the switch logs show repeated 'errdisable' state transitions on this port. The core switch is configured with the same allowed VLAN list. Which configuration change is most likely to resolve the issue?

A.Change the switchport mode to dynamic desirable.
B.Add VLAN 1 to the allowed VLAN list.
C.Remove the spanning-tree portfast trunk command from the interface.
D.Add the spanning-tree bpduguard enable command to the interface.
AnswerC

Portfast trunk is designed for host-facing trunks (e.g., to servers) and can cause STP issues when connecting to another switch.

Why this answer

The 'errdisable' state transitions on a trunk port are typically caused by a spanning-tree BPDU guard violation when PortFast is enabled. The 'spanning-tree portfast trunk' command enables PortFast on the trunk, which bypasses the normal listening/learning states and can cause the port to be placed into errdisable state if a BPDU is received from the core switch. Removing this command allows the trunk port to participate in standard spanning-tree convergence, preventing the repeated errdisable transitions.

Exam trap

Cisco often tests the misconception that 'spanning-tree portfast trunk' is safe for trunk ports, but the trap is that PortFast combined with BPDU guard (even if not explicitly configured, but enabled globally) causes errdisable when BPDUs are received, so the fix is to remove PortFast from the trunk.

How to eliminate wrong answers

Option A is wrong because changing the switchport mode to 'dynamic desirable' does not address the errdisable issue; it only affects DTP negotiation and could cause trunking misalignment. Option B is wrong because VLAN 1 is already the native VLAN and is implicitly allowed on trunk ports; adding it to the allowed VLAN list is redundant and does not resolve errdisable transitions. Option D is wrong because adding 'spanning-tree bpduguard enable' would actually worsen the problem by explicitly enabling BPDU guard, which is the mechanism causing the errdisable state when a BPDU is received on a PortFast-enabled port.

52
MCQeasy

Which IPv6 address type is equivalent to a private IPv4 address?

A.Multicast
B.Global unicast
C.Link-local
D.Unique local
AnswerD

Unique local addresses are private and not globally routable.

Why this answer

Unique local addresses (ULA) in IPv6, defined in RFC 4193, are the equivalent of private IPv4 addresses (RFC 1918) because they are intended for local communication within a site or organization and are not routable on the global internet. They use the prefix fc00::/7, with the L bit set to 1 (fd00::/8) for locally assigned addresses, ensuring uniqueness within a site without requiring global registration.

Exam trap

Cisco often tests the distinction between link-local and unique local addresses, trapping candidates who confuse link-local (fe80::/10) with private IPv4 because both are non-routable, but link-local is strictly single-link and not site-wide like private IPv4.

How to eliminate wrong answers

Option A is wrong because multicast addresses (ff00::/8) are used for one-to-many communication to a group of interfaces, not for private, site-local addressing like private IPv4. Option B is wrong because global unicast addresses (2000::/3) are globally routable and unique on the internet, analogous to public IPv4 addresses, not private ones. Option C is wrong because link-local addresses (fe80::/10) are automatically configured and only valid on a single network link, never routed, making them more similar to APIPA (169.254.x.x) in IPv4 rather than private addresses like 10.0.0.0/8.

53
MCQeasy

A network administrator needs to assign IP addresses to 50 hosts in a subnet. Which subnet mask provides the minimum required number of usable addresses while minimizing waste?

A.255.255.255.192 (/26)
B.255.255.255.224 (/27)
C.255.255.255.240 (/28)
D.255.255.255.128 (/25)
AnswerA

62 usable, sufficient and minimal waste.

Why this answer

A /26 subnet mask (255.255.255.192) provides 64 total addresses per subnet, of which 62 are usable (2^6 - 2 = 62). This is the smallest power-of-two block that can accommodate 50 hosts, minimizing waste while meeting the requirement.

Exam trap

Cisco often tests the distinction between 'total addresses' and 'usable addresses' — candidates mistakenly count the total 64 addresses as usable, forgetting to subtract the network and broadcast addresses, or they choose a mask that provides exactly 50 total addresses (which is impossible since host bits must be a power of 2).

How to eliminate wrong answers

Option B (255.255.255.224, /27) is wrong because it provides only 30 usable addresses (2^5 - 2 = 30), which is insufficient for 50 hosts. Option C (255.255.255.240, /28) is wrong because it provides only 14 usable addresses (2^4 - 2 = 14), far below the requirement. Option D (255.255.255.128, /25) is wrong because while it provides 126 usable addresses (2^7 - 2 = 126), it wastes 76 addresses, failing the 'minimizing waste' criterion.
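Added example covering questions 45 and 53 (not part of the original page): the subnet-sizing calculation in Python, generalised from the two questions to the full algorithm: usable count per prefix including the /31 and /32 edge cases, the tightest prefix for a host count, and carving a block into subnets of that size. The 10.20.0.0/24 block is a constructed sample.

```python
import ipaddress


def usable_hosts(prefix):
    """Usable IPv4 host addresses for a prefix length.

    Subtracts the network and broadcast addresses, with the two edge cases
    the plain 2^n - 2 formula gets wrong: a /31 point-to-point link
    (RFC 3021) carries two usable addresses and a /32 is a single host route.
    """
    if not 0 <= prefix <= 32:
        raise ValueError("IPv4 prefix length must be 0..32")
    if prefix == 32:
        return 1
    if prefix == 31:
        return 2
    return 2 ** (32 - prefix) - 2


def smallest_prefix_for(hosts):
    """Longest (most specific) prefix whose usable count still covers `hosts`,
    i.e. the mask that minimises waste. /31 and /32 are only returned for
    2 and 1 hosts, the point-to-point and loopback cases."""
    for prefix in range(32, -1, -1):
        if usable_hosts(prefix) >= hosts:
            return prefix
    return None


def masks_that_fit(hosts, candidates):
    """Filter candidate prefix lengths (e.g. the exam's answer options) to
    those that meet the host requirement, preserving the given order."""
    return [p for p in candidates if usable_hosts(p) >= hosts]


def carve(network, hosts):
    """Split a block into the tightest equal subnets that each fit `hosts`.
    Example: carve('10.20.0.0/24', 50) -> four /26 subnets."""
    net = ipaddress.ip_network(network, strict=True)
    prefix = smallest_prefix_for(hosts)
    if prefix is None or prefix < net.prefixlen:
        raise ValueError(f"{hosts} hosts do not fit inside {network}")
    return [str(subnet) for subnet in net.subnets(new_prefix=prefix)]


if __name__ == "__main__":
    print(masks_that_fit(50, [27, 25, 26, 29, 28]))   # question 45: [25, 26]
    print(smallest_prefix_for(50))                     # question 53: 26
    print(carve("10.20.0.0/24", 50))                   # four /26 blocks
```

The exam trap in question 53 (counting 64 total addresses as usable) is exactly the difference between `2 ** (32 - prefix)` and `usable_hosts(prefix)`; keeping the subtraction in one function avoids repeating the mistake elsewhere.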

54
MCQeasy

What does a TTL of 128 indicate about the destination host?

A.It is a network switch
B.It is a Cisco router
C.It is a Windows host
D.It is a Linux host
AnswerC

Windows uses a default TTL of 128.

Why this answer

The Time-to-Live (TTL) value in an IP header is set by the originating host's operating system and decremented by each router that forwards the packet, so the value seen on receipt is the sender's initial TTL minus the hop count. Windows sets the initial TTL to 128, so a TTL of 128 in a packet received from the host in question (with no routers in between; after 12 hops it would arrive as 116) indicates a Windows host.

Exam trap

Cisco often tests the common misconception that TTL values are set by routers or switches, rather than by the originating host's operating system, leading candidates to incorrectly associate a TTL of 128 with a specific network device instead of a Windows host.

How to eliminate wrong answers

Option A is wrong because network switches operate at Layer 2 and do not decrement or set TTL values in IP headers; TTL is a Layer 3 concept. Option B is wrong because Cisco routers, like most routers, set the initial TTL to 255 (or sometimes 64), not 128. Option D is wrong because Linux hosts typically set the initial TTL to 64, not 128.
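Added example (not from the original question): the passive-fingerprinting heuristic the question rests on, written out in Python so it also covers packets that have crossed routers, where the observed TTL is below the initial value. The initial-TTL table, the OS hints and the "src=... ttl=..." log lines are assumptions and constructed data; TTL is trivially forged, so the output is a hint, not proof.

```python
# Common initial TTL values (assumed vendor defaults; any OS can change them)
INITIAL_TTLS = (64, 128, 255)
OS_HINT = {
    64: "Linux/BSD/macOS-like",
    128: "Windows-like",
    255: "Cisco IOS router or Solaris-like",
}

# Constructed sample log lines (not real captures)
SAMPLE_LOG = [
    "src=192.0.2.5 dst=10.0.0.8 ttl=116",     # 128 - 12 hops
    "src=198.51.100.9 dst=10.0.0.8 ttl=54",   # 64 - 10 hops
    "src=203.0.113.1 dst=10.0.0.8 ttl=244",   # 255 - 11 hops
    "src=10.0.0.21 dst=10.0.0.8 ttl=128",     # same segment, 0 hops
]


def infer_initial_ttl(observed):
    """Smallest common initial TTL >= the observed value.

    A TTL is decremented once per router, so the observed value can only be
    at or below the sender's starting value; rounding up to the next common
    default recovers that start."""
    if not 1 <= observed <= 255:
        raise ValueError("TTL must be between 1 and 255")
    for candidate in INITIAL_TTLS:
        if observed <= candidate:
            return candidate
    return 255


def hops_travelled(observed):
    """Router hops between sender and observer, given the inferred start."""
    return infer_initial_ttl(observed) - observed


def fingerprint(observed):
    """OS hint plus hop estimate. 'plausible' flags hop counts beyond anything
    a real Internet path produces, which usually means a non-default initial
    TTL or a crafted packet; TTL is trivially forged, so this is a hint only."""
    initial = infer_initial_ttl(observed)
    hops = initial - observed
    return {"observed": observed, "initial": initial, "hops": hops,
            "hint": OS_HINT[initial], "plausible": hops <= 30}


def fingerprint_log(lines):
    """Parse 'key=value' log lines and fingerprint each source address."""
    results = {}
    for line in lines:
        fields = dict(token.split("=", 1) for token in line.split())
        results[fields["src"]] = fingerprint(int(fields["ttl"]))
    return results


if __name__ == "__main__":
    for src, info in fingerprint_log(SAMPLE_LOG).items():
        print(src, info)
```

A value such as 116 is the common real-world case the question glosses over: it still points at a Windows sender, twelve routers away. The `plausible` flag catches the opposite failure, an observed TTL so low that the rounding lands on the wrong default.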

56
Multi-Selecthard

Which THREE of the following are valid methods to automatically assign IP addresses to network hosts?

Select 3 answers
A.Static assignment
D.BOOTP
E.DNS
AnswersB, C, D

Stateless Address Autoconfiguration is used in IPv6 for automatic addressing.

Why this answer

SLAAC (Stateless Address Autoconfiguration) is a valid method for automatically assigning IPv6 addresses to network hosts. It uses ICMPv6 Router Advertisement (RA) messages to provide a prefix, and the host generates its own interface identifier (often based on EUI-64 or privacy extensions) to form a complete IPv6 address without a central server.

Exam trap

Cisco often tests the distinction between automatic address assignment methods (SLAAC, DHCP, BOOTP) and services that operate at higher layers (DNS) or manual configuration (static), leading candidates to incorrectly include static or DNS as automatic assignment methods.

57
Multi-Selectmedium

Which TWO of the following are common causes of VLAN connectivity issues?

Select 2 answers
A.VLAN not created on all switches
B.Mismatched subnet masks on access ports
C.Incorrect default gateway
D.Mismatched VLAN IDs on trunk ports
E.STP blocking port
AnswersA, D

If a VLAN is missing from a switch's VLAN database, access ports assigned to it show as inactive and the switch's trunks will not carry that VLAN.

Why this answer

Option A is correct because a VLAN must exist in the VLAN database of every switch that forwards traffic for it. On Cisco IOS, assigning an access port to a VLAN that does not exist creates it on a switch in VTP server or transparent mode, but if the VLAN is later deleted, or was never propagated to a switch in VTP client mode, ports in that VLAN are placed in an inactive state (shown as 'inactive' by show interfaces status) and the switch will not forward frames for that VLAN across its trunk links. This is a common misconfiguration when adding a new VLAN to a network without propagating it to all switches.

Exam trap

Cisco often tests the distinction between Layer 2 and Layer 3 issues, so candidates mistakenly select subnet mask or default gateway problems as VLAN connectivity issues when those are actually routing or host configuration problems.

58
MCQhard

A network engineer is configuring a Cisco switch to support LLDP-MED for VoIP phones. Which command is required to enable LLDP globally on the switch?

A.lldp transmit
B.cdp run
C.lldp run
D.lldp enable
E.lldp med
AnswerC

This enables LLDP globally on Cisco IOS switches.

Why this answer

The command 'lldp run' is required to enable LLDP globally on a Cisco switch. LLDP is disabled by default on most Cisco switches, and 'lldp run' activates the protocol at the global configuration level, allowing LLDP-MED (which extends LLDP for VoIP and other endpoint devices) to function. Without this global enablement, LLDP frames are not transmitted or received, even if per-interface commands like 'lldp transmit' or 'lldp receive' are configured.

Exam trap

Cisco often tests the distinction between global and interface-level LLDP commands, and the trap here is that candidates confuse 'lldp run' (global enable) with 'lldp enable' (a nonexistent command) or assume that 'lldp transmit' alone is sufficient to start LLDP.

How to eliminate wrong answers

Option A is wrong because 'lldp transmit' is an interface-level command that enables LLDP transmission on a specific interface, but it does not enable LLDP globally; the global 'lldp run' must be issued first. Option B is wrong because 'cdp run' enables Cisco Discovery Protocol (CDP), not LLDP; CDP is Cisco-proprietary, whereas LLDP is the IEEE 802.1AB standard and LLDP-MED is the TIA-1057 extension of it for media endpoints. Option D is wrong because 'lldp enable' is not a valid Cisco IOS command; the correct global command is 'lldp run', and the interface-level commands are 'lldp transmit' and 'lldp receive'.

Option E is wrong because 'lldp med' is not the command that enables LLDP; LLDP-MED TLVs are selected per interface with 'lldp med-tlv-select', and those TLVs are only sent once LLDP is running globally via 'lldp run'.

59
MCQmedium

A network engineer is troubleshooting slow connectivity between two sites connected via a WAN link. The engineer suspects packet loss due to collisions. Which interface counter should be examined to confirm this?

A.Runts
B.CRC errors
C.Output errors
D.Giants
AnswerB

CRC errors indicate frame checksum failures often caused by collisions.

Why this answer

CRC (Cyclic Redundancy Check) errors indicate that frames received on an interface have failed the integrity check, which is often caused by physical-layer issues such as collisions, faulty cabling, or signal degradation. In the context of a WAN link, collisions are not typical (since full-duplex is standard), but if the link is misconfigured as half-duplex, collisions can occur and will manifest as CRC errors. Thus, examining the CRC errors counter is the correct way to confirm packet loss due to collisions.

Exam trap

Cisco often tests the misconception that collisions are directly indicated by 'runts' or 'output errors', but the correct indicator for collision-induced corruption is the CRC errors counter, especially when the link is suspected of operating in half-duplex mode.

How to eliminate wrong answers

Option A is wrong because runts are frames smaller than the minimum 64-byte size (for Ethernet) and are typically caused by collisions or underruns, but they are not the direct counter for confirming collisions; CRC errors are more definitive. Option C is wrong because output errors encompass a variety of issues such as buffer failures, underruns, and late collisions, but they are not specific to collisions themselves and can be misleading. Option D is wrong because giants are frames larger than the maximum 1518-byte size (for standard Ethernet) and are usually caused by misconfigured NICs or software issues, not collisions.

60
Multi-Selecteasy

Which TWO of the following are functions of the transport layer in the OSI model? (Choose two.)

Select 2 answers
A.Segmentation and reassembly of data.
B.Providing reliable data transfer with acknowledgements.
C.Adding a trailer for error detection.
D.Encrypting data for secure transmission.
E.Determining the best path to a destination.
AnswersA, B

Transport layer segments data and reassembles it at the destination.

Why this answer

Segmentation and reassembly of data is a core function of the transport layer. The transport layer (e.g., TCP) takes data from the session layer, breaks it into smaller segments (segmentation), assigns sequence numbers, and then reassembles these segments in the correct order at the destination. This allows large data streams to be transmitted efficiently over the network layer, which has a maximum transmission unit (MTU) size.

Exam trap

Cisco often tests the distinction between transport layer functions (segmentation, reliability) and data link layer functions (error detection via trailer), so candidates mistakenly assign trailer-based error detection to the transport layer instead of the data link layer.

61
MCQhard

A network automation engineer is using a Python script with the requests library to configure VLAN 100 on a Cisco Catalyst 9300 switch via the REST API. The script sends a PUT request to https://switch-ip/restconf/data/Cisco-IOS-XE-native:native/vlan. The response returns a 201 Created, but subsequent checks show VLAN 100 is not present in the running configuration. The switch's management interface is in VLAN 99 with IP 10.10.99.10/24, and the engineer's workstation is on a different subnet (10.10.88.0/24). The switch has the following relevant configuration: ip default-gateway 10.10.99.1, and a route for 10.10.88.0/24 via 10.10.99.1. The engineer also verified that the REST API credentials are correct and that the switch's HTTP server is enabled. Which action should the engineer take to resolve the issue?

A.Resend the PUT request with the VLAN configuration nested under 'Cisco-IOS-XE-native:native/vlan' in YANG format.
B.Reboot the switch to force the candidate configuration to become active.
C.Send a commit operation to the RESTCONF API using the 'cisco-ia:commit' RPC to apply the candidate datastore changes.
D.Check the MTU on the switch's management interface to ensure it can accept the configuration payload.
AnswerC

On Cisco IOS-XE devices, configuration changes via RESTCONF are staged in the candidate datastore and must be explicitly committed. This is the likely missing step.

Why this answer

The 201 Created response indicates the REST API request was accepted, but the VLAN is not appearing in the running config. This suggests the configuration was written to the candidate datastore but not committed. Cisco's RESTCONF requires a commit operation after editing the candidate datastore.

To commit changes, a PATCH or POST request to the 'ietf-restconf:operations' with 'cisco-ia:commit' is needed. Alternatively, the switch might be using 'immediate' mode, but the default is 'candidate'. Checking the 'default-operation' setting would help, but the most direct correct action is to commit the changes.

How to eliminate wrong answers

Option A is wrong because the 201 Created response shows the payload was already accepted under that path; reformatting it would not change the datastore. Option B is wrong because a reboot reloads the startup configuration and discards uncommitted changes rather than applying them. Option D is wrong because an MTU problem would corrupt or fail the HTTP exchange before a 201 could be returned.

62
MCQeasy

You are troubleshooting connectivity for a remote branch office. The branch router (BR) connects to the head office router (HQ) via a point-to-point T1 link. The HQ router is also connected to the internet via a separate interface. Users at the branch can access the internet but cannot reach servers at the head office (subnet 10.10.10.0/24). You run 'show ip route' on BR and see a default route pointing to HQ's IP address, but no specific route for 10.10.10.0/24. The HQ router has a connected route for that subnet. On HQ, you see that the interface towards BR is up/up, and you can ping the BR's interface IP. What is the most likely cause of the issue?

A.The HQ router does not have a route for the branch's local subnet.
B.An ACL on the HQ router is blocking traffic from the branch subnet.
C.The default route on BR is not pointing to the correct next-hop.
D.The T1 link is experiencing errors causing packet loss.
AnswerA

Without a return route, traffic from branch to HQ can leave but replies are dropped.

Why this answer

The branch router (BR) has a default route pointing to the HQ router, which allows outbound traffic to the internet. However, for traffic from the branch to reach the HQ subnet (10.10.10.0/24), the HQ router must have a return route to the branch's local subnet. Without this specific route, the HQ router will drop packets destined for the branch because it does not know how to reach that network, even though the T1 link is up and the BR can ping the HQ interface.

This is a classic missing-return-route problem: the forward path works, but replies have no route back to the branch subnet and are dropped at HQ.

Exam trap

Cisco often tests the concept that a default route on the branch router is sufficient for outbound traffic, but candidates forget that the head office router also needs a route back to the branch's subnet for return traffic to succeed.

How to eliminate wrong answers

Option B is wrong because an ACL blocking traffic from the branch subnet would typically prevent the initial outbound traffic from the branch, but users at the branch can already access the internet, indicating no such ACL is blocking general traffic; additionally, the ping from HQ to BR succeeds, suggesting no ACL is blocking ICMP. Option C is wrong because the default route on BR is correctly pointing to HQ's IP address, as evidenced by the branch's ability to reach the internet through HQ. Option D is wrong because the T1 link is up/up and the ping from HQ to BR is successful, which rules out significant link errors or packet loss that would affect connectivity.

63
MCQmedium

An application developer is designing a microservice that communicates over HTTP. The service must guarantee that the request is processed exactly once. Which HTTP method should be used to ensure idempotency?

A.PUT
B.PATCH
C.GET
D.DELETE
E.POST
AnswerA

PUT is idempotent; repeating the request yields the same result.

Why this answer

Idempotent methods (PUT, DELETE, GET and HEAD) can be repeated without changing the outcome beyond the first call, so a client that never saw the response can safely retry. POST is not idempotent: each retry may create another resource. Strictly, idempotency does not give exactly-once processing on its own; it makes the at-least-once delivery that retries produce safe, which is what the question is asking for.

Among the options, PUT is the best choice for creating or updating a resource at a known URI, because the final state is the same however many times the request is applied.
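Added example (not from the original question): a toy in-memory resource store in Python showing what idempotency does and does not buy when a client retries after a lost response, and how an Idempotency-Key makes a retried POST effectively-once. The Store class, the resource ids and the req-7f3a key are illustrative assumptions, not the API of any real framework.

```python
import uuid


class Store:
    """Minimal resource store standing in for a microservice's handlers."""

    def __init__(self):
        self.items = {}        # resource id -> representation
        self.seen_keys = {}    # Idempotency-Key -> (status, resource id)

    def put(self, rid, body):
        """PUT /items/{rid}: replace the whole state at a known URI.
        Repeating it leaves exactly one resource with the same content."""
        created = rid not in self.items
        self.items[rid] = dict(body)
        return (201 if created else 200), rid

    def post(self, body, idempotency_key=None):
        """POST /items: the server picks the id, so every call creates a new
        resource unless the client sends an Idempotency-Key the server has
        already fulfilled, in which case the stored response is replayed."""
        if idempotency_key is not None and idempotency_key in self.seen_keys:
            return self.seen_keys[idempotency_key]
        rid = str(uuid.uuid4())
        self.items[rid] = dict(body)
        result = (201, rid)
        if idempotency_key is not None:
            self.seen_keys[idempotency_key] = result
        return result

    def delete(self, rid):
        """DELETE is idempotent in effect: the resource is gone after the
        first call; a retry reports 404 but the state is unchanged."""
        return 204 if self.items.pop(rid, None) is not None else 404


def retry(op, times=3):
    """Simulate a client whose responses were lost and that retried blindly."""
    last = None
    for _ in range(times):
        last = op()
    return last


def demo():
    """Resource counts after three retries of each request shape."""
    store = Store()
    retry(lambda: store.put("vlan100", {"name": "dev"}))
    after_put = len(store.items)                      # 1: retries collapse
    retry(lambda: store.post({"name": "dev"}))
    after_naive_post = len(store.items)               # 4: three duplicates
    retry(lambda: store.post({"name": "dev"}, idempotency_key="req-7f3a"))
    after_keyed_post = len(store.items)               # 5: key deduplicates
    return after_put, after_naive_post, after_keyed_post


if __name__ == "__main__":
    print(demo())
```

The security-relevant point is the middle number: an unkeyed POST behind a retrying client (or a replayed request) multiplies side effects, which is how duplicate orders, payments and account creations happen. Idempotency keys must be bound to the authenticated caller and expire, otherwise one tenant can replay another's stored response.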

64
Multi-Selecteasy

Which TWO are benefits of using VLANs in a network? (Choose two.)

Select 2 answers
A.Reducing the size of broadcast domains
B.Simplifying Layer 3 routing
C.Improving network security by isolating traffic
D.Reducing the number of collision domains
E.Guaranteeing faster routing performance
AnswersA, C

VLANs segment the network into smaller broadcast domains.

Why this answer

VLANs reduce the size of broadcast domains (A) and improve security by isolating traffic (C). They do not reduce the number of collision domains (D): each switch port is already its own collision domain, so that is a property of switching, not of VLANs. VLANs do not simplify Layer 3 routing (B); they add the need for inter-VLAN routing on a router or Layer 3 switch.

They do not guarantee faster routing (E).

65
Matchingmedium

Match each Cisco platform to its primary use case.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Intent-based networking management

Cloud-managed network administration

Collaboration and messaging integration

Unified infrastructure management

Application performance monitoring

Why these pairings

These are key Cisco platforms relevant to the exam.

66
MCQmedium

A company has a DHCP server that assigns IP addresses from a scope of 192.168.10.0/24. A new device receives IP 192.168.10.100/24 but cannot access the internet. The default gateway is 192.168.10.1. What is the most likely issue?

A.DNS server is unreachable.
B.The DHCP scope is exhausted.
C.The device has a duplicate IP address.
D.The default gateway is not reachable from the device.
E.The device's subnet mask is incorrect.
AnswerD

This is the most direct cause: if the gateway is down or not on the same VLAN, traffic cannot exit.

Why this answer

The device received a valid IP address (192.168.10.100/24) and subnet mask from the DHCP server, but it cannot access the internet. Since the default gateway is 192.168.10.1, the most likely cause is that the device cannot reach the gateway, which is required to route traffic outside the local subnet. Without connectivity to the default gateway, the device cannot forward packets to external networks, even though its IP configuration is otherwise correct.

Exam trap

Cisco often tests the concept that a valid IP address and subnet mask do not guarantee internet access; the default gateway must be reachable, and candidates may mistakenly blame DNS or DHCP exhaustion when the real issue is Layer 3 connectivity to the gateway.

How to eliminate wrong answers

Option A is wrong because the question does not mention any DNS-related symptoms (e.g., name resolution failures), and a DNS server being unreachable would prevent domain name resolution but not necessarily all internet access (IP-based access could still work). Option B is wrong because the device successfully received IP 192.168.10.100, which is within the /24 scope, indicating the DHCP scope is not exhausted. Option C is wrong because a duplicate IP address would typically cause an address conflict error or connectivity issues for both devices, but the question does not describe such symptoms, and the device received a valid lease.

Option E is wrong because the device was assigned a /24 subnet mask (255.255.255.0) via DHCP, which is correct for the 192.168.10.0/24 network, so the mask is not the issue.

67
MCQhard

An organization uses Cisco ISE for network access control. A user reports inability to access the network. The switch port shows the authenticator state as 'connecting'. What does this indicate?

A.The client is in the process of 802.1X authentication
B.The client has successfully authenticated
C.The port is in a held state due to multiple failures
D.Authentication has failed
AnswerA

'Connecting' means authentication is ongoing.

Why this answer

In 802.1X with Cisco ISE as the authentication server, the authenticator state 'connecting' indicates that the switch (authenticator) has detected a new client on the port and has initiated the 802.1X exchange. The port is sending EAP-Request/Identity frames and waiting for the client to respond, so the client is in the process of authentication, not yet authenticated or failed. A port that stays in 'connecting' usually means the supplicant never answers the EAP-Request/Identity, for example because the client has no 802.1X supplicant enabled, so the next thing to check is the client rather than ISE.

Exam trap

Cisco often tests the distinction between the 'connecting' state (meaning the process is ongoing) and the 'authenticated' or 'failed' states, so candidates mistakenly think 'connecting' implies a problem or failure rather than normal progress.

How to eliminate wrong answers

Option B is wrong because 'connecting' is a transitional state; successful authentication would show the port in the 'authenticated' state, not 'connecting'. Option C is wrong because a held state due to multiple failures is represented by the 'held' or 'auth_fail' state, not 'connecting'. Option D is wrong because authentication failure results in the port moving to a 'failed' or 'unauthorized' state, not remaining in 'connecting'.

68
Drag & Drop · medium

Drag and drop the steps to configure a Cisco switch for remote management (SSH) into the correct order.


Why this order

SSH requires a hostname, RSA keys, local authentication, and VTY line configuration.

69
MCQ · easy

An engineer wants to verify that a switch port is configured as an access port in VLAN 10. Which command provides this information?

A. show running-config interface
B. show interfaces status
C. show ip interface brief
D. show vlan brief
Answer: A

This displays the running configuration of the interface, including switchport settings.

Why this answer

The `show running-config interface` command displays the current operational configuration of a specific interface, including whether it is configured as an access port and which VLAN it is assigned to. For a switch port in VLAN 10, the output will show `switchport mode access` and `switchport access vlan 10`, directly confirming the desired configuration.

Exam trap

Cisco often tests the distinction between commands that show operational status (like `show interfaces status`) versus those that show configuration (like `show running-config interface`), leading candidates to pick a command that only shows interface state rather than the actual VLAN assignment and port mode.

How to eliminate wrong answers

Option B is wrong because `show interfaces status` shows the administrative and operational status of interfaces (e.g., up/down, speed, duplex) but does not display the VLAN assignment or port mode configuration. Option C is wrong because `show ip interface brief` lists IP addresses and interface status for Layer 3 interfaces, not Layer 2 switch port VLAN details. Option D is wrong because `show vlan brief` lists all VLANs and their member ports, but it does not show the port mode (access vs. trunk) or confirm that a specific port is configured as an access port in VLAN 10.

70
MCQ · easy

A network administrator is troubleshooting a connectivity issue. A PC with IP address 192.168.1.10/24 cannot ping a server at 192.168.1.20/24. Both are on the same VLAN and connected to the same switch. What is the most likely cause of the issue?

A. The ARP cache on the PC needs to be cleared.
B. The subnet mask on the PC is incorrect.
C. The switch port is in the wrong VLAN.
D. The server has a firewall blocking ICMP echo requests.
E. The default gateway is misconfigured on the PC.
Answer: D

A firewall can block ping, which is a common troubleshooting scenario.

Why this answer

Since both devices are on the same /24 subnet, a host-based firewall on either device blocking ICMP echo requests is the most common cause of a failed ping. An incorrect subnet mask would place the hosts on different subnets, but both are configured with /24, so the masks are correct. A stale ARP cache entry could cause a failure, but it is far less likely than a firewall.

A default gateway is not needed for communication within the same subnet.

71
MCQ · hard

Based on the routing table, what type of OSPF route is the default route (0.0.0.0/0)?

A. OSPF inter-area route
B. OSPF NSSA external type 1 route
C. OSPF intra-area route
D. OSPF external type 2 route
Answer: D

O*E2 indicates external type 2 default.

Why this answer

The default route (0.0.0.0/0) in OSPF is typically redistributed from another routing protocol or statically configured and then advertised into OSPF. When a default route is injected via the 'default-information originate' command, it is advertised as an OSPF external type 2 (E2) route by default, meaning the metric does not change as it traverses OSPF areas. This matches option D.

Exam trap

Cisco often tests the misconception that a default route in OSPF is always an intra-area or inter-area route, when in fact it is an external route injected via redistribution or the 'default-information originate' command, and candidates confuse the route type with the LSA type.

How to eliminate wrong answers

Option A is wrong because an OSPF inter-area route (O IA) is a route learned from another area via an Area Border Router (ABR), but a default route is not learned as an inter-area route unless it is specifically originated as a type 3 LSA summary, which is not the default behavior. Option B is wrong because an OSPF NSSA external type 1 route (N1) is used in Not-So-Stubby Areas (NSSA) for redistributed routes, but the default route in a standard OSPF configuration is not an NSSA route unless the area is configured as NSSA and the default route is explicitly generated as type 1. Option C is wrong because an OSPF intra-area route (O) is a route within the same area learned via type 1 or type 2 LSAs, but the default route is not an intra-area route as it is not part of the area's internal topology.

72
MCQ · hard

Refer to the exhibit. Both switches are configured with EtherChannel. Which statement is true about VLAN traffic across the trunk?

A. VLAN 150 traffic is allowed across the trunk.
B. VLAN 50 traffic is blocked across the trunk.
C. VLAN 200 traffic is allowed across the trunk.
D. VLAN 100 traffic is allowed across the trunk.
Answer: D

VLAN 100 is allowed on both switches (1-100 on A, 100-199 on B).

Why this answer

The correct answer is D because the exhibit shows that VLAN 100 is configured on both switches and is included in the allowed VLAN list on the trunk. EtherChannel does not affect VLAN filtering; the trunk's allowed VLAN list determines which VLANs can traverse the link. Since VLAN 100 is explicitly permitted, its traffic is allowed across the trunk.

Exam trap

Cisco often tests the misconception that EtherChannel overrides or bypasses VLAN trunk filtering, but in reality, the allowed VLAN list on the port-channel interface still controls which VLANs are permitted across the aggregated link.

How to eliminate wrong answers

Option A is wrong because VLAN 150 is not shown in the allowed VLAN list on either switch, so it is implicitly denied on the trunk. Option B is wrong because VLAN 50 is listed in the allowed VLAN list on both switches, so its traffic is permitted, not blocked. Option C is wrong because VLAN 200 is not present in the allowed VLAN list on either switch, meaning it is not allowed across the trunk.

73
MCQ · easy

A developer needs to send a diagnostic request to a network device to verify if it supports a specific MIB object. Which protocol and operation should be used?

A. ICMP ping
B. HTTP GET
C. SNMP SET
D. NETCONF get-config
E. SNMP GET
Answer: E

GET retrieves the value of a MIB object.

Why this answer

SNMP GET is the correct operation to retrieve the value of a specific MIB object from a network device. It sends a diagnostic request to verify if the device supports that object by checking whether a valid response is returned. This is the standard SNMP operation for reading a single managed object's value.

Exam trap

Cisco often tests the distinction between SNMP GET (read) and SNMP SET (write), and candidates may confuse them or think SET can verify support, but SET only modifies values and requires the object to already exist.

How to eliminate wrong answers

Option A is wrong because ICMP ping is used for basic reachability testing and does not interact with MIB objects or SNMP. Option B is wrong because HTTP GET is used for web-based APIs or RESTCONF, not for querying SNMP MIB objects. Option C is wrong because SNMP SET is used to modify the value of a MIB object, not to read or verify its existence.

Option D is wrong because NETCONF get-config retrieves device configuration data, not MIB objects, and uses YANG data models instead of SNMP.

74
MCQ · medium

A user reports that they can ping the IP address of the default gateway but cannot ping a server on a different subnet. The administrator checks the ARP table on the user's PC and sees an incomplete entry for the server's IP. What is the most likely cause?

A. There is an IP address conflict on the network.
B. Spanning Tree Protocol is blocking the port on the switch.
C. The PC is not configured with a default gateway.
D. A firewall is blocking ICMP packets between subnets.
Answer: C

Without a default gateway, the PC tries to ARP for the server directly.

Why this answer

The user can ping the default gateway, confirming that the PC has local connectivity and a correctly configured IP address and subnet mask. However, the incomplete ARP entry for the server's IP indicates that the PC cannot resolve the server's MAC address, which is required to send frames to a different subnet. Without a default gateway configured, the PC will not send ARP requests for remote hosts to the router; instead, it will attempt to ARP for the server directly, which fails because the server is on a different broadcast domain.

Exam trap

Cisco often tests the distinction between Layer 2 (ARP) and Layer 3 (routing) failures, and the trap here is that candidates assume a firewall or STP is blocking traffic, when the real issue is the PC's lack of a default gateway preventing it from even attempting to reach the remote subnet via ARP for the router.

How to eliminate wrong answers

Option A is wrong because an IP address conflict would typically cause intermittent connectivity or duplicate IP warnings, not a specific incomplete ARP entry for a remote server while local connectivity works. Option B is wrong because Spanning Tree Protocol (STP) blocking a switch port would prevent all traffic through that port, including pings to the default gateway, which the user can still reach. Option D is wrong because a firewall blocking ICMP between subnets would cause ping failures but would not result in an incomplete ARP entry on the PC; ARP operates at Layer 2 and is not affected by Layer 3 firewalls.

75
MCQ · medium

A university campus network uses Cisco switches with 802.1X for wired authentication. Recently, users in a dormitory report intermittent connectivity: they can connect initially but are disconnected after a few minutes. The network team checks the switch logs and sees messages like 'Authentication failure for MAC address xxxx.xxxx.xxxx on port GigabitEthernet1/0/5' but the users claim they are using valid credentials. The same users can connect from other ports without issues. The port configuration for Gi1/0/5 is: switchport mode access, authentication port-control auto, dot1x pae authenticator, authentication periodic, authentication timer reauthenticate 3600. The team suspects a misconfiguration. What is the most likely cause of the intermittent disconnections?

A. The port is a trunk port but configured as access, causing VLAN mismatch
B. The port is configured in multi-auth host mode, causing conflicts
C. The 'authentication periodic' command forces reauthentication every 3600 seconds, and the client fails to reauthenticate
D. The switch is using MAC authentication bypass (MAB) as a fallback, which fails for some devices
Answer: C

Periodic reauthentication can cause disconnections if client fails.

Why this answer

The 'authentication periodic' command enables periodic reauthentication, and the 'authentication timer reauthenticate 3600' sets the interval to 3600 seconds (1 hour). However, the logs show authentication failures occurring much sooner than 3600 seconds, indicating that the client is failing reauthentication attempts triggered by other events (e.g., a new supplicant attempt or a reauthentication due to a port state change). The intermittent disconnections are caused by the client failing to reauthenticate when the switch initiates a new authentication exchange, likely due to a mismatch in EAP method or credential caching issues.

Exam trap

Cisco often tests the subtle behavior of 'authentication periodic' and 'authentication timer reauthenticate' — candidates mistakenly think the timer is the only trigger for reauthentication, but the switch can also reauthenticate due to link state changes or new supplicant attempts, and a failure during any reauthentication causes immediate disconnection.

How to eliminate wrong answers

Option A is wrong because the port is configured as 'switchport mode access', which is correct for an end-user device; a trunk port would not be used for a dormitory user, and VLAN mismatch would cause persistent connectivity failure, not intermittent disconnections. Option B is wrong because 'multi-auth host mode' allows multiple devices on a single port, but the logs show a single MAC address failing authentication, and the port configuration does not include 'authentication host-mode multi-auth', so this is not the issue. Option D is wrong because MAC authentication bypass (MAB) is a fallback method used when 802.1X fails, but the logs explicitly show 'Authentication failure' for 802.1X, not MAB; MAB would appear as a separate log entry and would not cause intermittent disconnections if the client initially authenticates successfully.
