CCNA NAT and DHCP Questions

58 questions · NAT and DHCP · All types, answers revealed

1
Drag & Drop · medium

Drag and drop the steps of DHCP snooping and dynamic ARP inspection flow into the correct order, from first to last.

Why this order

DHCP snooping builds a binding table used by DAI. The switch validates DHCP messages, creates bindings, then intercepts ARP packets and compares them against the binding table to prevent spoofing.

2
Multi-Select · hard

Which two statements about DHCP snooping are true? (Choose two.)

Select 2 answers
A. DHCP snooping treats all ports as untrusted by default, except those explicitly configured as trusted.
B. The ip dhcp snooping trust command is applied on ports connected to DHCP clients.
C. DHCP snooping builds a binding database that maps client MAC addresses, IP addresses, VLAN, and port information.
D. DHCP snooping can be configured globally without enabling it on specific VLANs.
E. DHCP snooping drops all DHCP packets that contain option 82 information from untrusted ports.
Answers: A, C

Correct because DHCP snooping defaults all ports to untrusted to prevent rogue DHCP server attacks; only trusted ports (usually uplink to legitimate DHCP server) are configured.

Why this answer

This question tests detailed knowledge of DHCP snooping operation and configuration, including trusted/untrusted ports and option 82.

3
MCQ · medium

A network engineer runs the following command on Router R7:

```
R7# show ip nat translations verbose
Pro Inside global      Inside local       Outside local      Outside global
--- 192.0.2.10         10.0.0.10          ---                ---
    create: 03/01/2025 09:00:00, use: 03/01/2025 09:05:00
    timeout: never, flags: static
--- 192.0.2.11         10.0.0.11          ---                ---
    create: 03/01/2025 09:00:00, use: 03/01/2025 09:06:00
    timeout: never, flags: static
```

Based on this output, what can be concluded?

A. These translations will expire after a configurable timeout.
B. The translations are dynamic and will be removed after idle timeout.
C. The router is performing PAT for these addresses.
D. The translations are static and will remain until manually removed.
Answer: D

Static NAT entries with timeout 'never' persist indefinitely.

Why this answer

The verbose output shows static NAT entries with 'timeout: never' and 'flags: static'. These translations will not time out and are manually configured.

4
Drag & Drop · medium

Drag and drop the steps of NAT overload (PAT) packet translation process into the correct order, from first to last.

Why this order

PAT translates private source IPs to a public IP with unique port numbers. The host sends a packet, the router creates a translation entry, replaces the source IP and port, forwards the packet, and reverses the process on the return.

5
MCQ · medium

Consider the following configuration snippet:

```
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/2
 ip address 203.0.113.1 255.255.255.0
 ip nat outside
!
ip nat inside source list 1 interface GigabitEthernet0/2 overload
access-list 1 permit 192.168.1.0 0.0.0.255
```

What is the effect of this configuration?

A. It translates all traffic from 192.168.1.0/24 to the IP address 203.0.113.1, using port address translation.
B. It performs static NAT for each host in 192.168.1.0/24 to a unique IP in the 203.0.113.0/24 network.
C. It translates only traffic from 192.168.1.1 to the outside interface IP.
D. The configuration is invalid because 'ip nat inside' and 'ip nat outside' are on the wrong interfaces.
Answer: A

Correct. The 'overload' keyword enables PAT, and the interface IP is used as the translated address.

Why this answer

The configuration enables dynamic NAT with overload (PAT) for the 192.168.1.0/24 network, translating source addresses to the IP of the outside interface.

6
Drag & Drop · medium

Drag and drop the steps of stateless DHCPv6 address assignment into the correct order, from first to last.

Why this order

Stateless DHCPv6 uses SLAAC for the address and DHCPv6 for additional parameters. The host first sends an RS to discover routers. The router replies with an RA containing the prefix and flags indicating stateless DHCPv6.

The host generates its own IPv6 address using SLAAC. It then sends an Information-Request to the DHCPv6 server. The server replies with options like DNS and domain name.

7
Drag & Drop · medium

Drag and drop the steps of NAT64 IPv6-to-IPv4 translation flow into the correct order, from first to last.

Why this order

NAT64 allows IPv6-only hosts to reach IPv4 servers. The IPv6 host sends a packet to a synthesized IPv6 address representing the IPv4 destination. The NAT64 router receives the packet and extracts the embedded IPv4 destination address.

It translates the packet header from IPv6 to IPv4, including source and destination addresses. The translated IPv4 packet is forwarded to the IPv4 network. When the reply comes back, the router performs reverse translation and sends the IPv6 packet to the host.

8
Drag & Drop · medium

Drag and drop the steps of DHCP snooping and dynamic ARP inspection flow into the correct order, from first to last.

Why this order

DHCP snooping first builds a binding table by monitoring DHCP messages. The switch validates DHCP server messages on trusted ports and discards rogue offers. For DAI, the switch intercepts ARP packets and checks the sender MAC and IP against the DHCP snooping binding table.

If the ARP packet matches, it is forwarded; otherwise, it is dropped.

9
MCQ · medium

A network engineer runs the following command on Router R2:

```
R2# debug ip dhcp server events
*Mar 1 00:05:23.123: DHCPD: DHCPDISCOVER received from client 0063.6973.636f.2d30.3030.302e.3030.3030.2e30.3030.312d.4574.30 on interface GigabitEthernet0/1
*Mar 1 00:05:23.124: DHCPD: Sending DHCPOFFER to client 0063.6973.636f.2d30.3030.302e.3030.3030.2e30.3030.312d.4574.30 (10.0.0.2)
*Mar 1 00:05:23.125: DHCPD: DHCPREQUEST received from client 0063.6973.636f.2d30.3030.302e.3030.3030.2e30.3030.312d.4574.30
*Mar 1 00:05:23.126: DHCPD: Sending DHCPACK to client 0063.6973.636f.2d30.3030.302e.3030.3030.2e30.3030.312d.4574.30 (10.0.0.2)
```

Based on this debug output, what can be concluded?

A. The DHCP server failed to allocate an IP address to the client.
B. The client is using DHCPv6 because of the long client ID.
C. The DHCP server successfully assigned IP address 10.0.0.2 to the client.
D. The DHCP server is configured with a pool that excludes 10.0.0.2.
Answer: C

The DHCPACK sent with address 10.0.0.2 confirms successful assignment.

Why this answer

The debug shows a successful DHCP four-message exchange (DISCOVER, OFFER, REQUEST, ACK) with the client receiving IP address 10.0.0.2. The client ID is a long hex string derived from the client's MAC address.

10
Multi-Select · easy

Which two statements about DHCP client configuration on a Cisco router are true? (Choose two.)

Select 2 answers
A. The ip address dhcp command on an interface enables the router to obtain an IP address from a DHCP server.
B. The router will automatically install a default route if the DHCP server provides the default gateway option.
C. The ip helper-address command is used to configure the router as a DHCP client on an interface.
D. The router can be configured to request a specific IP address using the dhcp client request ip-address command.
E. The dhcp client hostname command allows the router to send a hostname option in the DHCP discover message.
Answers: A, B

Correct because this command configures the interface as a DHCP client to request an address.

Why this answer

A Cisco router interface can obtain an IP address via DHCP using the ip address dhcp command. The router can also request a specific hostname using the dhcp client hostname command. The default route is automatically installed if the DHCP server provides a default gateway option.

The ip helper-address command is used to forward DHCP broadcasts, not to obtain an address. The ip dhcp client request command can be used to request specific options, but the default route is installed automatically.

11
MCQ · hard

A network engineer is configuring NAT on a Cisco router to allow internal hosts to access the internet. The engineer uses the command ip nat inside source static tcp 192.168.1.10 80 203.0.113.1 80. After testing, external users can access the internal web server using the public IP. However, internal hosts cannot access the web server using the public IP. What is the most likely cause?

A. The router does not have NAT hairpinning enabled, so internal traffic to the public IP is not translated.
B. The static NAT entry is missing the extendable keyword.
C. The internal hosts have a route to the public IP via the router's outside interface.
D. The access list used for NAT is blocking internal traffic.
Answer: A

Correct because by default, Cisco routers do not perform NAT for traffic that enters and leaves the same interface (inside-to-inside). This requires the ip nat enable route-map or similar configuration.

Why this answer

This is a classic NAT hairpinning issue. When an internal host tries to reach the public IP of the server, the router may not support or be configured for NAT reflection (hairpinning), so the packet is not translated correctly.

12
MCQ · hard

A network engineer is troubleshooting a NAT issue where an internal host cannot establish an SSH session to a remote server on the internet. The engineer checks the NAT translations on the border router and sees that the translation for the host's source IP is present. However, the SSH session times out. The engineer also notices that the remote server's IP is not in the NAT translation table. What is the most likely cause?

A. The router is performing NAT only for the source IP, but the return traffic is taking a different path that does not go through the NAT router.
B. The SSH server is blocking connections from the public IP address.
C. The NAT overload is causing port conflicts for SSH.
D. The access list used for NAT is denying the SSH traffic.
Answer: A

Correct because if the return traffic does not pass through the same NAT router, the router will not create an inbound translation entry, and the packet will not be translated back to the private IP.

Why this answer

For a successful NAT session, both the outbound and inbound translations must be present. If only the outbound translation exists, the return traffic is not being translated back correctly, possibly due to asymmetric routing or a missing route.

13
Drag & Drop · medium

Drag and drop the steps of stateless DHCPv6 address assignment into the correct order, from first to last.

Why this order

Stateless DHCPv6 uses SLAAC for addressing and DHCPv6 for additional parameters. The host sends an RS, receives an RA with the O flag, then sends an Information-Request and receives a Reply with options like DNS.

14
MCQ · medium

Given this NAT configuration:

```
interface GigabitEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.0
 ip nat outside
!
ip nat inside source static 10.0.0.5 198.51.100.5
```

What is the purpose of this configuration?

A. It translates all traffic from 10.0.0.0/24 to 198.51.100.0/24 using PAT.
B. It creates a one-to-one mapping between 10.0.0.5 and 198.51.100.5, allowing inbound and outbound traffic.
C. It translates only outbound traffic from 10.0.0.5 to 198.51.100.5.
D. The configuration is incomplete; it needs an access-list.
Answer: B

Correct. Static NAT provides a fixed mapping for both directions.

Why this answer

This configures static NAT, mapping a single inside host to a specific outside address.

15
MCQ · hard

A network engineer runs the following command on Router R9:

```
R9# show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
udp 192.0.2.20:1234    10.0.0.20:1234     203.0.113.1:53     203.0.113.1:53
tcp 192.0.2.20:5678    10.0.0.20:5678     198.51.100.1:80    198.51.100.1:80
--- 192.0.2.21         10.0.0.21          ---                ---
```

Based on this output, what can be concluded?

A. All translations are dynamic.
B. The router is using both static NAT and PAT simultaneously.
C. The router is configured with a single NAT pool.
D. The inside global address 192.0.2.20 is used for both static and dynamic translations.
Answer: B

Static NAT for 10.0.0.21 and PAT for 10.0.0.20 are both active.

Why this answer

The output shows a mix of dynamic PAT translations (with ports) and a static NAT entry (no protocol/port). The static entry maps 10.0.0.21 to 192.0.2.21, while PAT is used for 10.0.0.20.

16
Multi-Select · medium

Which two statements about NAT configuration on Cisco IOS-XE are true? (Choose two.)

Select 2 answers
A. NAT overload (PAT) allows multiple internal hosts to share a single public IP address by using unique source port numbers.
B. The ip nat inside source list 1 pool POOL overload command enables dynamic NAT without port translation.
C. A static NAT entry is created using the ip nat inside source static 192.168.1.10 203.0.113.10 command.
D. The ip nat outside command is applied to the internal interface to mark it as the source of NAT translations.
E. Dynamic NAT without overload translates multiple inside addresses to a single outside address using port numbers.
Answers: A, C

Correct because PAT uses port multiplexing to distinguish sessions from different internal hosts sharing one global IP.

Why this answer

NAT overload (PAT) translates multiple inside local addresses to a single inside global address using port numbers. The ip nat inside source list command with the overload keyword enables this. The ip nat inside source static command creates a one-to-one mapping, not many-to-one.

Dynamic NAT without overload uses a pool of global addresses one-to-one. The ip nat outside command is applied to the external interface, not inside. NAT can translate source addresses for traffic leaving the inside network.

17
MCQ · hard

A network engineer runs the following command on Router R8:

```
R8# show ip dhcp server statistics
Memory usage: 12345
Address pools: 2
Database agents: 0
Automatic bindings: 10
Manual bindings: 2
Expired bindings: 1
Malformed messages: 0

Message          Received
BOOTREQUEST      0
DHCPDISCOVER     100
DHCPREQUEST      95
DHCPDECLINE      1
DHCPRELEASE      2
DHCPINFORM       0
```

Based on this output, what can be concluded?

A. The DHCP server has received more DHCPDISCOVER messages than DHCPREQUEST messages, indicating some clients did not proceed to request.
B. The DHCP server has 12 active leases.
C. The DHCP server rejected 5 DHCPDISCOVER messages.
D. The DHCP server has 2 manual bindings that are static reservations.
Answer: A

100 DISCOVER vs 95 REQUEST shows 5 clients did not send REQUEST.

Why this answer

The statistics show 100 DISCOVERs and 95 REQUESTs, indicating some clients did not complete the process. There is 1 DECLINE, meaning a client detected an address conflict. The server has 10 automatic and 2 manual bindings.

18
Multi-Select · hard

Which three statements about NAT64 and NPTv6 are true? (Choose three.)

Select 3 answers
A. NAT64 translates IPv6 packets to IPv4 packets and vice versa, allowing IPv6-only clients to access IPv4 servers.
B. NPTv6 (Network Prefix Translation) translates the IPv6 prefix of a packet while preserving the host portion of the address.
C. NAT64 requires a DNS64 server to synthesize AAAA records from A records for IPv6 clients.
D. NPTv6 provides port address translation similar to PAT in IPv4 NAT.
E. Both NAT64 and NPTv6 require stateful inspection of all traffic flows.
Answers: A, B, C

Correct because NAT64 performs protocol translation between IPv6 and IPv4, enabling communication between IPv6-only and IPv4-only hosts.

Why this answer

This question tests understanding of IPv6 transition mechanisms, specifically NAT64 and NPTv6, including their differences and use cases.

19
MCQ · medium

A network engineer is troubleshooting a DHCP issue on a Cisco router configured as a DHCP server for a VLAN. Clients in the VLAN are able to obtain IP addresses from the DHCP server, but they are not receiving the correct DNS server address. The engineer checks the DHCP pool configuration and sees the dns-server command is configured with the correct IP address. What is the most likely cause of the problem?

A. The DHCP pool is not associated with the correct VLAN interface using the network command.
B. The DNS server is unreachable from the DHCP server.
C. The ip dhcp excluded-address command is blocking the DNS server IP.
D. The DHCP client is configured with a static DNS server address.
Answer: A

Correct because if the network command in the DHCP pool does not match the subnet of the VLAN, the DHCP server may assign addresses but not apply the pool-specific options like DNS.

Why this answer

The DHCP server configuration appears correct, but the clients are not receiving the DNS server address. This often happens when the DHCP server is not the default gateway and DHCP relay is involved, or when the DHCP pool is not bound to the correct interface.

20
Multi-Select · medium

Which three statements about DHCP relay are true? (Choose three.)

Select 3 answers
A. The ip helper-address command is used on a router interface to forward DHCP broadcasts to a DHCP server on a different subnet.
B. DHCP relay changes the source IP address of the DHCP packet to the IP address of the relay agent's outgoing interface.
C. The ip helper-address command forwards only DHCP traffic by default.
D. DHCP relay inserts the gateway IP address (giaddr) field in the DHCP packet to indicate the subnet of the client.
E. DHCP relay is required only when the DHCP server is on the same VLAN as the client.
Answers: A, B, D

Correct because ip helper-address converts DHCP broadcast to unicast and forwards it to the specified server.

Why this answer

This question tests understanding of DHCP relay operation, including the use of ip helper-address, UDP port forwarding, and configuration requirements.

21
MCQ · easy

A network engineer is configuring NAT on a Cisco router to allow internal hosts to access the internet. The engineer uses the command ip nat inside source list 100 interface GigabitEthernet0/0 overload, where access list 100 permits only the 10.0.0.0/8 network. After testing, hosts in the 10.0.0.0/8 network can access the internet, but hosts in the 172.16.0.0/16 network cannot. The engineer verifies that the 172.16.0.0/16 hosts have connectivity to the router. What is the most likely cause?

A. The access list 100 does not permit the 172.16.0.0/16 network.
B. The router's interface GigabitEthernet0/0 is not configured with ip nat outside.
C. The 172.16.0.0/16 hosts have a default gateway pointing to a different router.
D. The NAT pool is exhausted for the 172.16.0.0/16 network.
Answer: A

Correct because the NAT configuration only translates traffic that matches the access list; hosts not in the list are not translated.

Why this answer

The access list used in the NAT command determines which inside local addresses are eligible for translation. If the access list does not include the 172.16.0.0/16 network, those hosts will not be translated and will not be able to reach the internet.

22
Matching · medium

Drag and drop each DHCP option on the left to its matching purpose on the right.

Matches

Provides vendor-specific information such as TFTP server address

Identifies the vendor class of the DHCP client

Carries relay agent information for DHCP snooping

Specifies the TFTP server name

Specifies the TFTP server IP address for Cisco phones

Why these pairings

Option 43 provides vendor-specific info; Option 60 identifies vendor class; Option 82 is relay agent information.

23
MCQ · hard

A network engineer runs the following command on Router R5:

```
R5# show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
udp 192.0.2.20:1234    10.0.0.20:1234     203.0.113.1:53     203.0.113.1:53
tcp 192.0.2.20:5678    10.0.0.20:5678     198.51.100.1:80    198.51.100.1:80
```

Based on this output, what can be concluded?

A. The router is configured with static NAT for two internal hosts.
B. The router is performing Port Address Translation (PAT) for multiple sessions from the same internal host.
C. The router is performing destination NAT.
D. The inside local address 10.0.0.20 is using two different global addresses.
Answer: B

Same inside global IP with different ports indicates PAT.

Why this answer

The output shows two translations using the same inside global address (192.0.2.20) but different ports, which is characteristic of PAT. One translation is UDP (DNS) and one is TCP (HTTP).

24
MCQ · hard

A network engineer is configuring NAT overload (PAT) on a Cisco router to allow multiple internal hosts to share a single public IP address. The engineer uses the command ip nat inside source list 1 interface GigabitEthernet0/0 overload. After testing, internal hosts can access the internet, but some applications fail intermittently. The engineer suspects a NAT issue. What is the most likely cause?

A. The access list 1 is too permissive and includes the public IP address of the router.
B. The NAT translation table is filling up due to a large number of concurrent sessions, causing new translations to be denied.
C. The router is not configured with ip nat inside on the internal interface.
D. The overload keyword is misspelled or not supported on this IOS version.
Answer: B

Correct because PAT has a limited number of available port numbers (approximately 65,000 per public IP), and if many sessions are active, the table can become full, dropping new connections.

Why this answer

PAT uses port numbers to multiplex multiple sessions over a single public IP. If the port range is exhausted or if the NAT translation table is full, new sessions will fail.

25
Multi-Select · hard

Which three statements about DHCP snooping are true? (Choose three.)

Select 3 answers
A. DHCP snooping builds a binding database by examining DHCPACK messages received on trusted ports.
B. Ports connected to DHCP servers should be configured as trusted ports to allow server messages.
C. The ip dhcp snooping limit rate command is used to restrict the number of DHCP packets per second on trusted ports.
D. DHCP snooping can insert Option 82 information into DHCP requests received on untrusted ports.
E. DHCP snooping prevents rogue DHCP server attacks by blocking all DHCP server messages on trusted ports.
Answers: A, B, D

Correct because the switch populates the DHCP snooping binding table using the client information from DHCPACK packets.

Why this answer

DHCP snooping is a security feature that filters untrusted DHCP messages. It builds a binding database from DHCPACK messages. Trusted ports are typically uplinks to DHCP servers.

The rate limit is applied on untrusted ports to prevent DHCP starvation. Option 82 (relay agent information) is inserted by the switch on untrusted ports. DHCP snooping does not prevent rogue DHCP servers on trusted ports, as those are allowed by default.

26
Matching · medium

Drag and drop each NAT term on the left to its matching definition on the right.

Matches

The IP address of a host as seen from the internal network

The translated public IP address of an internal host

The IP address of a remote host as seen from the inside network

The actual public IP address of a remote host

The device behind the NAT that initiates traffic

Why these pairings

Inside local is the private IP of a host inside the network. Inside global is the public IP assigned to that host. Outside local is the private IP of a remote host as seen from inside.

Outside global is the public IP of the remote host. Inside host is the device being translated.

27
Multi-Select · medium

Which three statements about NAT traversal and translation are true? (Choose three.)

Select 3 answers
A. IPsec NAT traversal uses UDP encapsulation on port 4500 to allow ESP traffic to pass through a NAT device.
B. The ip nat outside source command translates the source IP address of packets arriving on the outside interface.
C. NAT can translate both source and destination IP addresses in the same packet for different translation rules.
D. NAT automatically translates IP addresses embedded in application-layer payloads such as FTP or SIP.
E. The ip nat inside destination command translates the destination MAC address of packets entering the inside interface.
Answers: A, B, C

Correct because NAT-T encapsulates ESP in UDP port 4500 to avoid issues with NAT modifying the IP header.

Why this answer

NAT traversal for IPsec uses UDP encapsulation (4500) to allow ESP through NAT devices. NAT can translate both source and destination addresses simultaneously in different scenarios. The ip nat outside source command translates source addresses of packets entering the outside interface.

NAT can cause issues with applications that embed IP addresses in payload (e.g., FTP, SIP). NAT does not translate MAC addresses, only IP and port information. The ip nat inside destination command translates destination addresses of packets entering the inside interface.

28
Drag & Drop · medium

Drag and drop the steps of DHCP snooping operation on a Cisco switch into the correct order, from first to last.

Why this order

DHCP snooping begins by enabling the feature globally with 'ip dhcp snooping'. Then, the feature is enabled on specific VLANs. Trusted interfaces (typically uplinks to DHCP servers) are configured with 'ip dhcp snooping trust'.

The switch then intercepts DHCP messages, building the DHCP snooping binding database from valid server responses. Finally, any DHCP server messages received on untrusted interfaces are dropped to prevent rogue server attacks.

29
MCQ · easy

A network engineer is configuring a Cisco router to act as a DHCP server for a branch office. The engineer creates a DHCP pool for the 192.168.1.0/24 subnet and configures the default-router, dns-server, and domain-name options. However, clients are able to obtain IP addresses but cannot ping the default gateway. The engineer verifies that the router's interface IP is 192.168.1.1. What is the most likely cause?

A. The router's interface is not configured with an IP address in the 192.168.1.0/24 subnet.
B. The DHCP pool is missing the lease command.
C. The router's interface is administratively down.
D. The ip dhcp excluded-address command is blocking the default gateway IP.
Answer: A

Correct because if the router interface is not in the same subnet, the clients will have a default gateway that is unreachable.

Why this answer

The DHCP server assigns the default gateway, but if the router's interface is not in the same subnet as the pool or if the interface is down, clients cannot reach it.

30
MCQ · easy

Which type of NAT translates multiple inside addresses to a single outside address using different port numbers?

A. Static NAT
B. Dynamic NAT
C. Port Address Translation (PAT)
D. Policy NAT
Answer: C

Correct. PAT uses port numbers to multiplex multiple inside addresses to a single outside address.

Why this answer

PAT (Port Address Translation) allows many inside hosts to share one outside IP by differentiating sessions via port numbers.

31
MCQ · medium

Review the following DHCP relay configuration:

```
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
 ip helper-address 172.16.1.100
```

What is the effect of the 'ip helper-address' command?

A. It forwards DHCP requests from VLAN 10 to the DHCP server at 172.16.1.100.
B. It configures the router as a DHCP server for VLAN 10.
C. It translates the source IP of DHCP requests to 192.168.10.1.
D. It blocks DHCP traffic from VLAN 10.
Answer: A

Correct. The helper address relays DHCP broadcasts to the server.

Why this answer

The command forwards DHCP broadcasts (and other UDP broadcasts by default) to the specified server.

32
Drag & Drop · medium

Drag and drop the steps of the DHCP DORA process into the correct order, from first to last.

Why this order

The DHCP DORA process begins with the client broadcasting a Discover message to locate a DHCP server. The server responds with an Offer message containing an IP address and configuration parameters. The client then sends a Request message to formally request the offered IP address.

Finally, the server sends an Acknowledge message to confirm the lease and provide the configuration.

33
Drag & Drop · medium

Drag and drop the steps of configuring Dynamic NAT on a Cisco IOS router into the correct order, from first to last.

Why this order

Dynamic NAT configuration starts by defining the pool of global IP addresses using 'ip nat pool'. Next, an access list is created to identify the inside local addresses that will be translated. The NAT source list is then configured to associate the ACL with the pool.

After that, the inside and outside interfaces are designated with 'ip nat inside' and 'ip nat outside'. Finally, translation is verified with 'show ip nat translations'.

34
MCQ · medium

A network engineer runs the following command on Router R6:

```
R6# show ip dhcp conflict
IP address    Detection method    Detection time          VRF
10.0.0.10     Ping                Mar 01 2025 10:00 AM    default
10.0.0.15     Gratuitous ARP      Mar 01 2025 10:05 AM    default
```

Based on this output, what can be concluded?

A. The DHCP server has successfully assigned these addresses to clients.
B. The addresses 10.0.0.10 and 10.0.0.15 are unavailable for DHCP assignment.
C. The DHCP server uses only ping to detect conflicts.
D. The conflicts were caused by the DHCP server itself.
Answer: B

Conflicted addresses are excluded from the pool until the conflict is cleared.

Why this answer

The output shows two IP address conflicts detected by the DHCP server. One was detected via ping, the other via gratuitous ARP. These addresses are marked as conflicted and will not be assigned until resolved.

35
MCQ · medium

A network engineer runs the following command on Router R1:

```
R1# show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 192.0.2.10         10.0.0.10          ---                ---
--- 192.0.2.11         10.0.0.11          ---                ---
```

Based on this output, what can be concluded?

A. Dynamic NAT is configured with a pool of addresses.
B. Static NAT is configured for two internal hosts.
C. PAT is translating multiple internal addresses to a single global address.
D. NAT is not operational because no outside local addresses are shown.
Answer: B

The absence of protocol and the presence of inside global/local pairs indicate static NAT.

Why this answer

The output shows two static NAT translations with no protocol, indicating they are configured as static NAT entries. The inside global addresses are mapped one-to-one to inside local addresses. No dynamic translations are present.

36
MCQ · medium

Analyze this NAT configuration:

```
ip nat pool GLOBAL 203.0.113.10 203.0.113.20 netmask 255.255.255.0
ip nat inside source list 1 pool GLOBAL overload
access-list 1 permit 192.168.1.0 0.0.0.255
```

Which statement is correct?

A. Traffic from 192.168.1.0/24 is translated to addresses in the range 203.0.113.10-20, using PAT.
B. Each host in 192.168.1.0/24 gets a unique IP from the pool without port translation.
C. The pool must include the outside interface IP address.
D. Access-list 1 is used to filter inbound traffic.
Answer: A

Correct. The pool provides the translated addresses, and overload enables PAT.

Why this answer

This is dynamic NAT with overload (PAT) using a pool of addresses.

37
Drag & Drop · medium

Drag and drop the steps of NAT64 IPv6-to-IPv4 translation flow into the correct order, from first to last.

Why this order

NAT64 translates IPv6 packets to IPv4. The IPv6 host sends a packet to a synthetic IPv6 address, the router extracts the embedded IPv4 destination, creates a NAT64 binding, translates headers, and forwards the IPv4 packet.

38
MCQ · medium

Examine this DHCP configuration:

```
service dhcp
ip dhcp pool POOL2
 network 10.20.20.0 255.255.255.0
 default-router 10.20.20.1
 lease infinite
```

What is the effect of the 'lease infinite' command?

A. Clients will receive an infinite lease and never need to renew.
B. The lease time is set to the default value of 1 day.
C. Clients will be unable to obtain an IP address because infinite is invalid.
D. The router will ignore the lease command and use the default.
Answer: A

Correct. Infinite lease means the IP address is valid indefinitely.

Why this answer

The lease infinite command sets the DHCP lease time to never expire.

39
MCQ · medium

A network engineer is configuring a Cisco router as a DHCP relay agent to forward DHCP requests from a client VLAN to a centralized DHCP server located in a different subnet. The engineer configures the ip helper-address command on the VLAN interface. However, clients in the VLAN are not receiving IP addresses. The DHCP server is reachable from the router. What is the most likely cause?

A. The ip helper-address command is applied on the wrong interface (e.g., the interface facing the DHCP server).
B. The DHCP server is not configured with a scope for the client subnet.
C. The router does not have a return route to the client subnet, so the DHCP server's reply is dropped.
D. The DHCP client is using DHCPv6 instead of DHCPv4.
Answer: C

Correct because the DHCP server sends the reply to the relay agent (router), which then forwards it as a broadcast to the client. If the router cannot reach the client subnet, the reply is lost.

Why this answer

The ip helper-address command forwards DHCP broadcasts as unicasts to the specified server. If the DHCP server receives the request but the reply cannot be routed back to the client, the client will not get an address. This often happens when the router does not have a route back to the client subnet.

40
Matching · medium

Drag and drop each NAT type on the left to its matching description on the right.

Maps one private IP to one public IP permanently

Maps private IPs to a pool of public IPs on a first-come basis

Maps multiple private IPs to a single public IP using port numbers

Cisco term for PAT with a single public IP address

Translates IPv6 addresses to IPv4 addresses for interoperation

Why these pairings

Static NAT maps a private IP to a fixed public IP. Dynamic NAT uses a pool of public IPs. PAT (Port Address Translation) maps multiple private IPs to one public IP using unique port numbers.

Overload is another name for PAT. The fifth term 'NAT64' translates IPv6 to IPv4.

41
Matching · medium

Drag and drop each DHCP message on the left to its matching flow order position on the right.

First message sent by client to locate a DHCP server

Second message sent by server with an offered IP address

Third message sent by client to accept the offered IP

Fourth message sent by server to confirm the lease

Message sent by server to reject a client's request

Why these pairings

The DHCP DORA process: Discover (client broadcasts), Offer (server unicasts), Request (client broadcasts), Acknowledge (server unicasts). DHCPNAK is sent by server to reject a request, and DHCPDECLINE is sent by client if it detects an address conflict.

42
MCQ · easy

What is the default lease time for a DHCP pool in Cisco IOS?

A. 1 day
B. 12 hours
C. 2 days
D. Infinite
Answer: A

Correct. The default lease is 1 day.

Why this answer

The default DHCP lease time on Cisco IOS is 1 day (24 hours).

43
MCQ · medium

A network engineer runs the following command on Router R4:

```
R4# show ip dhcp binding
Bindings from all pools not associated with VRF:
IP address      Client-ID/              Lease expiration        Type
                Hardware address/
                User name
10.0.0.10       0063.6973.636f.2d30.    Mar 01 2025 12:00 PM    Automatic
                3030.302e.3030.3030.
                2e30.3030.312d.4574.
                30
10.0.0.11       0063.6973.636f.2d30.    Mar 01 2025 12:05 PM    Automatic
                3030.302e.3030.3030.
                2e30.3030.312d.4574.
                31
```

Based on this output, what can be concluded?

A. Both clients have static DHCP reservations.
B. The DHCP server has two active leases.
C. The DHCP server is out of addresses.
D. The clients are using DHCPv6.
Answer: B

Two bindings are listed, both with future lease expiration times.

Why this answer

The output shows two DHCP bindings with automatic type, meaning they were dynamically assigned. The client-ID is a hex string representing the client identifier. Lease expiration times are shown.

44
Multi-Select · medium

Which two statements about NAT configuration on Cisco IOS routers are true? (Choose two.)

A. The ip nat inside source list command translates traffic from the inside interface to the outside interface.
B. Static NAT requires both ip nat inside and ip nat outside commands on the same interface.
C. The ip nat outside source list command translates the source IP of packets entering the inside interface.
D. Dynamic NAT uses a pool of public IP addresses assigned on a first-come, first-served basis.
E. NAT overload (PAT) uses a single public IP address by mapping multiple inside hosts to different TCP/UDP ports.
Answers: A, D

Correct because ip nat inside source list translates packets sourced from the inside network when they exit the outside interface.

Why this answer

This question tests understanding of NAT configuration fundamentals, including inside/outside interface roles and NAT types.

45
Matching · medium

Drag and drop each DHCP option on the left to its matching purpose on the right.

Carries vendor-specific suboptions for device provisioning

Identifies the vendor class of the DHCP client

Adds relay agent information (e.g., circuit ID, remote ID)

Provides TFTP server IP address for IP phones

Supplies a single TFTP server hostname or IP address

Why these pairings

Option 43 provides vendor-specific info (e.g., for APs). Option 60 identifies the vendor class. Option 82 is the relay agent information option.

Option 150 gives TFTP server address for phones. Option 66 provides a single TFTP server hostname.

46
Matching · medium

Drag and drop each DHCP message on the left to its correct order in the DORA process on the right.

Client broadcasts to find DHCP servers

Server offers an IP address to the client

Client requests the offered IP address

Server acknowledges and assigns the IP address

Server denies the client's request

Why these pairings

The DORA process is Discover, Offer, Request, Acknowledge.

47
Drag & Drop · medium

Drag and drop the steps of DHCP failover configuration between primary and standby into the correct order, from first to last.

Why this order

DHCP failover requires both servers to be configured with the same scope and failover parameters. First, configure the primary server with the failover peer name and IP address of the standby. Then, configure the standby server with the same peer name and the primary's IP.

Enable the failover on the primary, which starts the negotiation. The standby then enters partner-down state until it synchronizes. Finally, both servers become active and share lease information.

48
Matching · medium

Drag and drop each DHCPv6 mode on the left to its matching address assignment method on the right.

DHCPv6 server assigns IPv6 addresses and other parameters

DHCPv6 server provides only options (e.g., DNS), addresses via SLAAC

Host generates its own IPv6 address using router advertisements

DHCPv6 prefix delegation for assigning subnets

Router Advertisement used in SLAAC to convey prefix and other info

Why these pairings

Stateful DHCPv6 assigns addresses from a server; stateless DHCPv6 provides other config info but uses SLAAC for addressing; SLAAC uses router advertisements for address autoconfiguration.

49
Matching · medium

Drag and drop each NAT terminology on the left to its matching definition on the right.

The IP address of the host as seen from inside the network

The translated IP address of the host as seen from outside the network

The IP address of the remote host as seen from inside the network

The IP address of the remote host as seen from outside the network

A range of public IP addresses used for dynamic translation

Why these pairings

Inside local is the private IP of the host; inside global is the public IP after translation; outside local is the private IP of the remote host; outside global is the public IP of the remote host.

50
MCQ · medium

A network engineer is troubleshooting a DHCP issue where a client is not receiving an IP address from a Cisco router configured as a DHCP server. The engineer checks the DHCP pool configuration and sees that the network command is configured with the correct subnet. The engineer also verifies that the ip dhcp excluded-address command is not blocking any addresses. However, the client's DHCP discover message is not reaching the router. What is the most likely cause?

A. The router's interface is configured with the no ip forward-protocol udp bootps command.
B. The router's interface is not in the same VLAN as the client, and no ip helper-address is configured.
C. The DHCP pool is configured with the wrong default-router option.
D. The router's DHCP server is disabled globally with the no service dhcp command.
Answer: B

Correct because if the router is not directly connected to the client's VLAN, the DHCP broadcast will not reach the router unless a DHCP relay (ip helper-address) is configured on the client's VLAN interface.

Why this answer

DHCP uses broadcast messages. If the router's interface is not configured to receive broadcasts (e.g., due to a switched network with VLANs), the DHCP server may not see the client's request. However, the most common issue is that the interface is not configured with the ip dhcp server command or the interface is in a different VLAN without a helper address.

51
MCQ · hard

A network engineer runs the following command on Router R3:

```
R3# show ip nat statistics
Total active translations: 5 (0 static, 5 dynamic; 5 extended)
Outside interfaces:
  GigabitEthernet0/0
Inside interfaces:
  GigabitEthernet0/1
Hits: 1234  Misses: 5
CEF Translated packets: 1200, CEF Punted packets: 34
Expired translations: 10
Dynamic mappings:
-- Inside Source
[Id] ip nat pool POOL1 203.0.113.1 203.0.113.10 netmask 255.255.255.240 refcount 5
```

Based on this output, what can be concluded?

A. The NAT pool has exhausted all available addresses.
B. The NAT translations are all static.
C. The router is performing Port Address Translation (PAT).
D. The inside interface is GigabitEthernet0/0.
Answer: C

The translations are 'extended', which indicates PAT is being used.

Why this answer

The statistics show 5 active dynamic translations, all extended (PAT). The pool POOL1 has 10 addresses, but only 5 are currently used. The misses indicate packets that triggered new translations.

52
Drag & Drop · medium

Drag and drop the steps of NAT overload (PAT) packet translation process into the correct order, from first to last.

Why this order

The PAT process begins with a host sending a packet with a private source IP and port. The router creates a NAT entry mapping the private address and port to the outside global address and a unique port. It then translates the source IP and port in the packet.

When the reply arrives, the router looks up the NAT table to find the original mapping. Finally, it translates the destination back to the private IP and port and forwards the packet to the host.

53
MCQ · medium

Examine this DHCP configuration:

```
ip dhcp pool POOL1
 network 10.10.10.0 255.255.255.0
 default-router 10.10.10.1
 dns-server 8.8.8.8
 lease 0 12
!
ip dhcp excluded-address 10.10.10.1 10.10.10.10
```

Which statement is true?

A. DHCP clients will receive a lease for 12 hours.
B. The router will assign IP addresses from 10.10.10.1 to 10.10.10.254.
C. The default lease is used because the lease command is incomplete.
D. The DNS server is set to 8.8.8.8, but clients will ignore it.
Answer: A

Correct. The lease command specifies 0 days, 12 hours.

Why this answer

The configuration defines a DHCP pool with a lease of 12 hours (0 days, 12 hours) and excludes the first 10 addresses.

54
MCQ · medium

What is the purpose of the 'ip nat inside source list' command in Cisco IOS?

A. It defines the inside interface for NAT.
B. It identifies the traffic to be translated and the translation method.
C. It filters inbound traffic before NAT is applied.
D. It configures the router as a DHCP server.
Answer: B

Correct. The command ties an access-list to a NAT pool or interface for translation.

Why this answer

This command specifies which inside source addresses (matched by an access-list) are to be translated using NAT.

55
Drag & Drop · medium

Drag and drop the steps of DHCP failover configuration between primary and standby into the correct order, from first to last.

Why this order

DHCP failover uses a primary-standby relationship. Configure the primary server first with a failover peer, then the standby with the same peer name and IP, and finally enable the pool on both. The servers negotiate roles and start lease synchronization.

56
Matching · medium

Drag and drop each DHCPv6 mode on the left to its matching address assignment method on the right.

Server assigns both IPv6 address and configuration parameters

Server provides only configuration parameters; address from SLAAC

Host generates its own IPv6 address using Router Advertisement prefix and EUI-64

Delegates an IPv6 prefix to a downstream router

Security feature that blocks unauthorized Router Advertisements

Why these pairings

Stateful DHCPv6 assigns both IPv6 address and other parameters. Stateless DHCPv6 provides only parameters (DNS, domain), while addresses come from SLAAC. SLAAC uses Router Advertisements for prefix and EUI-64.

DHCPv6-PD delegates prefixes. RA Guard prevents rogue RAs.

57
Matching · medium

Drag and drop each NAT type on the left to its matching description on the right.

Maps a single inside local address to a single inside global address

Maps inside local addresses to a pool of inside global addresses

Maps multiple inside local addresses to a single inside global address using port numbers

Another term for NAT overload

Translates private IP addresses to public IP addresses

Why these pairings

Static NAT maps a private IP to a fixed public IP; dynamic NAT uses a pool of public IPs; overload (PAT) maps multiple private IPs to a single public IP using port numbers; PAT is synonymous with overload.

58
MCQ · medium

A network engineer is configuring a Cisco router to provide internet access to a small office using a single public IP address assigned by the ISP. The engineer wants to allow internal hosts to initiate connections to the internet, but also needs to make a web server on the internal network reachable from the internet. The engineer configures a standard access list for NAT and an ip nat inside source list command. However, external users cannot reach the internal web server. What is the most likely cause?

A. The access list used for NAT does not permit the web server's IP address.
B. The engineer forgot to add the ip nat inside source static command for the web server.
C. The ip nat inside and ip nat outside commands are applied on the wrong interfaces.
D. The global configuration mode is missing the ip nat pool command.
Answer: B

Correct because a static NAT entry is required to map the public IP to the internal web server's private IP, allowing inbound connections.

Why this answer

The scenario requires both dynamic NAT (for outbound traffic) and static NAT (for inbound access to the web server). Using only a dynamic NAT configuration with an access list will not provide a permanent mapping for the web server.
