CCNA Infrastructure Security Questions

58 questions · Infrastructure Security topic · All types, answers revealed

1
MCQ · medium

Which BGP attribute is used as the first tie-breaker when multiple paths are available and the weight is equal?

A. Local preference
B. AS path length
C. MED
D. Origin code
Answer: A

Correct. After weight, BGP compares local preference (higher is better).

Why this answer

BGP uses the local preference attribute as the second tie-breaker (after weight). Higher local preference is preferred.

2
Drag & Drop · medium

Drag and drop the steps of Control Plane Policing (CoPP) rate-limit evaluation into the correct order, from first to last.


Why this order

CoPP evaluates packets by first classifying them into a class-map, then applying the policy-map to the control plane, which specifies the rate-limit action. The order ensures that classification happens before rate-limiting, and the final step is the action taken when the rate is exceeded.

3
MCQ · medium

A network engineer runs the following command on Router R1:

```
R1# show aaa sessions
Total sessions since last reset: 10
Session Id: 5
  Unique Id: 5
  User Name: admin
  IP Address: 192.168.1.100
  Idle Time: 0:00:05
  Timeout: 0:10:00
  Type: SSH
  Method: local
Session Id: 6
  Unique Id: 6
  User Name: neteng
  IP Address: 10.0.0.2
  Idle Time: 0:02:30
  Timeout: 0:10:00
  Type: SSH
  Method: tacacs+
```

Based on this output, what can be concluded?

A. Both sessions are authenticated using TACACS+.
B. Session 5 is authenticated locally.
C. Session 6 will be disconnected due to idle timeout.
D. Both sessions are using RADIUS for authentication.
Answer: B

The Method field for session 5 is 'local', indicating local authentication.

Why this answer

The output shows two active AAA sessions. Session 5 is authenticated locally (Method: local), while session 6 uses TACACS+. Both are SSH sessions.

The idle time for session 6 is 2 minutes 30 seconds, which is approaching the timeout of 10 minutes.

4
Drag & Drop · medium

Drag and drop the steps of configuring Control Plane Policing (CoPP) on a Cisco IOS router into the correct order, from first to last.


Why this order

CoPP protects the control plane by filtering traffic. First, define an access-list to match the traffic of interest (e.g., SSH, BGP). Second, create a class-map to reference the access-list.

Third, create a policy-map that assigns a police action (rate-limit) to the class. Fourth, apply the policy-map to the control plane in the inbound direction. Finally, verify the policy with show commands to ensure correct operation.

5
MCQ · medium

A network engineer is configuring dynamic ARP inspection (DAI) on a Cisco switch to prevent ARP spoofing. The switch has DHCP snooping enabled and the DHCP server is trusted. The engineer enables DAI on VLAN 10 and configures 'ip arp inspection trust' on the port connected to the DHCP server. After enabling DAI, some legitimate ARP replies from hosts are being dropped. The engineer checks the DAI statistics and sees 'ARP ACL drops' incrementing. What is the most likely reason?

A. The hosts have static IP addresses, so their MAC-IP bindings are not in the DHCP snooping database.
B. The port connected to the DHCP server should be untrusted for DAI to work correctly.
C. The DHCP server is in a different VLAN, and DAI cannot validate cross-VLAN ARP.
D. DAI is checking the destination MAC address, which does not match the expected value.
Answer: A

Correct because DAI relies on the DHCP snooping binding table; static hosts require an ARP ACL.

Why this answer

DAI validates ARP packets against the DHCP snooping binding table. If a host has a static IP address, its MAC-IP binding is not in the DHCP snooping database, so DAI drops the ARP replies unless an ARP ACL is configured to permit them. Option A is correct because static hosts need an ARP ACL.

Option B is incorrect because the DHCP server port is trusted, but that does not affect host ARP replies. Option C is incorrect because DAI does not require the DHCP server to be in the same VLAN. Option D is incorrect because DAI validates source MAC and IP, not destination.

6
MCQ · hard

An enterprise network uses 802.1X for wired access. The authentication server is a Cisco ISE. Recently, some Windows 10 clients fail to authenticate, while others succeed. The engineer checks the switch configuration and finds 'authentication port-control auto' and 'dot1x pae authenticator' are configured. The failing clients show 'EAP failure' in the logs. The engineer suspects a mismatch in EAP method. Which EAP method is most likely causing the issue if the ISE is configured to require EAP-TLS but the Windows clients are configured for PEAP-MSCHAPv2?

A. EAP-TLS requires a client certificate, which the Windows clients do not have.
B. EAP-FAST requires a PAC file that the Windows clients do not have.
C. LEAP uses a shared secret that is not configured on the clients.
D. EAP-MD5 does not support mutual authentication, causing the failure.
Answer: A

Correct because EAP-TLS requires client certificates, and PEAP-MSCHAPv2 does not provide them.

Why this answer

EAP-TLS requires a client certificate, while PEAP-MSCHAPv2 uses a username/password inside a TLS tunnel. If ISE is configured to only accept EAP-TLS, clients attempting PEAP will receive an EAP failure. Option A is correct because EAP-TLS is certificate-based and different from PEAP.

Option B is incorrect because EAP-FAST uses a PAC, not certificates. Option C is incorrect because LEAP is deprecated and uses MS-CHAPv2, but it is not the same as PEAP. Option D is incorrect because EAP-MD5 is a simple challenge-response and not typically used in enterprise 802.1X.

7
Multi-Select · medium

Which two statements about BGP TTL security are true? (Choose two.)

Select 2 answers
A. BGP TTL security uses the Generalized TTL Security Mechanism (GTSM) to validate the TTL of incoming BGP packets.
B. The command 'neighbor <ip> ttl-security hops <hop-count>' is used to enable BGP TTL security on a per-neighbor basis.
C. The default TTL value for eBGP packets is 64.
D. BGP TTL security encrypts the BGP update messages to prevent eavesdropping.
E. BGP TTL security is only applicable to eBGP sessions, not iBGP.
Answers: A, B

Correct because GTSM checks that the TTL is within a valid range based on the configured hop count.

Why this answer

BGP TTL security (GTSM) protects against CPU-based attacks by ensuring incoming BGP packets have a TTL of 255 minus the expected hop count. The neighbor ttl-security hops command is used on Cisco IOS-XE to enable this feature, and it must be configured on both peers to be effective. Option C is incorrect because the default TTL for eBGP is 1, not 64.

Option D is incorrect because GTSM does not encrypt BGP updates. Option E is incorrect because GTSM is supported for both eBGP and iBGP.

8
Multi-Select · medium

Which three statements about DHCP snooping are true? (Choose three.)

Select 3 answers
A. DHCP snooping is configured on Layer 2 switches to filter DHCP messages on untrusted ports.
B. The DHCP snooping binding table includes the client MAC address, IP address, lease time, VLAN, and port number.
C. Ports connected to DHCP servers should be configured as trusted ports.
D. The DHCP snooping binding database is stored in NVRAM by default.
E. DHCP snooping validates DHCPv6 messages by default when enabled globally.
Answers: A, B, C

Correct because DHCP snooping is a Layer 2 security feature implemented on switches.

Why this answer

DHCP snooping is a security feature that filters untrusted DHCP messages and builds a binding database. It is configured on switches, not routers. The DHCP snooping binding table contains the client MAC address, IP address, lease time, VLAN, and port.

Trusted ports are typically uplinks to DHCP servers, while untrusted ports face clients. Option D is incorrect because the DHCP snooping database is stored in the switch's flash memory, not NVRAM. Option E is incorrect because DHCP snooping does not validate DHCPv6 messages by default; it is for DHCPv4 only unless DHCPv6 snooping is separately configured.

9
MCQ · medium

A network engineer runs the following command on Router R1:

```
R1# show ip nat translations
Pro  Inside global        Inside local         Outside local        Outside global
---  203.0.113.10         192.168.1.10         ---                  ---
---  203.0.113.11         192.168.1.11         ---                  ---
tcp  203.0.113.10:1024    192.168.1.10:1024    198.51.100.5:80      198.51.100.5:80
```

Based on this output, what can be concluded?

A. The router is performing static NAT for two internal hosts.
B. The router is performing dynamic NAT for all translations.
C. The router is performing Port Address Translation (PAT) for all translations.
D. The router is translating outside global addresses to inside local addresses.
Answer: A

The first two entries show a one-to-one mapping between inside local and inside global addresses without any protocol or outside address, which is characteristic of static NAT.

Why this answer

The output shows NAT translations. The first two lines are static NAT entries (no protocol, no outside address). The third line is a dynamic translation for a TCP session.

The inside local addresses are private (192.168.1.x), and inside global addresses are public (203.0.113.x). The outside addresses are public. This is typical for PAT or dynamic NAT.

10
MCQ · medium

A network engineer is configuring port security on a Cisco switch. The requirement is to allow only the first MAC address that appears on the port to be learned and to automatically disable the port if a violation occurs. The engineer configures 'switchport port-security mac-address sticky' but does not specify a maximum number of secure MAC addresses. After connecting a single host, the port works. However, when the host is replaced with a different device, the port is error-disabled. What is the most likely reason?

A. The default maximum number of secure MAC addresses is 1, so the second MAC address triggers a violation.
B. The sticky keyword requires the engineer to first manually configure a maximum number of MAC addresses.
C. The violation mode is set to 'restrict' by default, which causes the port to error-disable after one violation.
D. The port security aging type is set to 'absolute' by default, causing the sticky address to expire immediately.
Answer: A

Correct because the default maximum is 1, and sticky learning does not change that.

Why this answer

The sticky command learns MAC addresses dynamically and stores them in the running configuration. By default, the maximum number of secure MAC addresses is 1. When a new device is connected, its MAC address is different, causing a violation.

The default violation mode is 'shutdown', which error-disables the port. Option A is correct because the sticky feature does not change the default maximum count. Option B is incorrect because sticky does not require a specific maximum; it uses the default.

Option C is incorrect because the violation mode is shutdown by default, not restrict. Option D is incorrect because aging is not configured and does not cause this behavior.

11
MCQ · medium

Examine the following interface configuration on a Cisco IOS-XE switch:

```
interface GigabitEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
```

What is the effect of this configuration?

A. The port will dynamically learn MAC addresses, allow up to 2 addresses, and if a third MAC is seen, it will drop the traffic but keep the port up.
B. The port will learn up to 2 MAC addresses and then shut down if a third is seen.
C. The port will allow only 2 MAC addresses and will generate a syslog message but continue forwarding traffic from the third MAC.
D. The port will learn MAC addresses dynamically and convert them to secure MAC addresses, but the maximum is 1 by default.
Answer: A

Correct. 'violation restrict' drops frames from unknown MACs without disabling the port.

Why this answer

This configuration enables port security with sticky MAC learning, allowing up to 2 MAC addresses, and sets the violation mode to restrict (drops offending traffic but does not shut down the port).

12
Drag & Drop · medium

Drag and drop the steps of IP Source Guard binding and enforcement into the correct order, from first to last.


Why this order

IP Source Guard first builds the binding from DHCP snooping, then installs a per-port ACL to permit only the bound IP, applies the ACL to the access port, checks all incoming IP traffic against the ACL, and drops any traffic with a source IP not in the binding.

13
MCQ · hard

A network engineer is implementing DHCP snooping on a Cisco switch to prevent rogue DHCP servers. The switch has multiple VLANs, and the DHCP server is connected to interface GigabitEthernet0/1 in VLAN 10. The engineer enables DHCP snooping globally and for VLAN 10, then configures 'ip dhcp snooping trust' on GigabitEthernet0/1. However, clients in VLAN 10 are not receiving IP addresses. The engineer checks the DHCP snooping binding table and sees no entries. What is the most likely cause?

A. The switch does not have an 'ip helper-address' configured to forward DHCP requests to the server.
B. The interface GigabitEthernet0/1 should be configured as an untrusted port for DHCP snooping.
C. The switch has DHCP snooping rate limiting enabled, which is dropping all DHCP packets.
D. The DHCP server is connected to a port in a different VLAN, and DHCP snooping only works within the same VLAN.
Answer: A

Correct because the DHCP server is in VLAN 10, but clients may be in a different VLAN, requiring a helper address.

Why this answer

DHCP snooping requires the DHCP server port to be trusted. If the server is on a different VLAN than the clients, the switch must also have IP routing enabled or use a DHCP relay. However, the scenario does not mention a relay.

The most likely cause is that the DHCP server is not on the same subnet as the clients, and no IP helper address is configured. Option A is correct because without a helper address, DHCP broadcasts are not forwarded to the server. Option B is incorrect because the trust configuration is correct.

Option C is incorrect because rate limiting is not configured. Option D is incorrect because DHCP snooping does not require a specific VLAN for the server port.

14
Drag & Drop · medium

Drag and drop the steps of Control Plane Policing (CoPP) rate-limit evaluation into the correct order, from first to last.


Why this order

CoPP first classifies traffic using an access list, then matches it to a class map, then applies a policy map with a police action (rate-limit), activates the policy on the control plane, and finally the hardware performs policing.

15
MCQ · easy

A network engineer is configuring uRPF (unicast Reverse Path Forwarding) on a Cisco router to prevent spoofed IP traffic. The engineer enables uRPF in strict mode on the ingress interface connected to the internal network. After enabling uRPF, legitimate traffic from internal hosts is being dropped. The engineer checks the routing table and sees that the routes for the internal subnets are present. What is the most likely cause?

A. The return route for the source IP points to a different interface than the one where the packet arrived.
B. uRPF is checking the destination IP address, which is not reachable.
C. The router does not have a default route, so uRPF drops all traffic.
D. uRPF cannot be used with static routes; it requires a dynamic routing protocol.
Answer: A

Correct because strict uRPF requires the source IP to have a route back out the same interface.

Why this answer

uRPF strict mode checks that the source IP address of a packet has a route back to the same interface. If the router has multiple equal-cost paths or if the return route points to a different interface, uRPF drops the packet. Option A is correct because the return path must match the ingress interface.

Option B is incorrect because uRPF does not check the destination. Option C is incorrect because uRPF does not require a default route. Option D is incorrect because uRPF works with static routes.

16
MCQ · medium

A network engineer is configuring CoPP on a Cisco router to protect the control plane from excessive traffic. The router experiences high CPU utilization due to SSH and SNMP traffic. The engineer creates a class-map to match SSH (TCP/22) and SNMP (UDP/161) and applies a policy-map that polices this traffic to 1 Mbps. After applying the policy, legitimate SSH sessions from the management station start dropping intermittently. What is the most likely cause?

A. The police rate of 1 Mbps is too low for the combined SSH and SNMP traffic from the management station.
B. The CoPP policy is applied to the wrong interface, affecting transit traffic instead of control plane traffic.
C. The class-map should match on DSCP values instead of port numbers to be effective.
D. The policy-map should use the 'drop' action instead of 'police' to protect the control plane.
Answer: A

Correct because the police rate is insufficient, causing drops of legitimate control plane traffic.

Why this answer

CoPP polices traffic destined to the control plane. If the police rate is too low, even legitimate traffic can be dropped. The engineer set a 1 Mbps limit for both SSH and SNMP combined.

If the management station generates bursts above this rate, packets are dropped. Option A is correct because the aggregate police rate may be insufficient. Option B is incorrect because CoPP does not affect transit traffic.

Option C is incorrect because the policy is applied to the control plane, not an interface. Option D is incorrect because the class-map matches both protocols, but the issue is the police rate.

17
Drag & Drop · medium

Drag and drop the steps of the Unicast Reverse Path Forwarding (uRPF) check process into the correct order, from first to last.


Why this order

uRPF first receives a packet on an interface, then looks up the source IP in the routing table, verifies that the incoming interface matches the best reverse path, and if it matches, forwards the packet; otherwise, it drops the packet.

18
MCQ · medium

Examine the following BGP configuration on a Cisco IOS-XE router:

```
router bgp 65000
 bgp default local-preference 150
 neighbor 10.1.1.1 remote-as 65001
 neighbor 10.1.1.1 password cisco123
 neighbor 10.1.1.1 route-map SET-MED out
!
route-map SET-MED permit 10
 set metric 50
```

What is the effect of the route-map on outbound updates to 10.1.1.1?

A. The MED value of routes advertised to 10.1.1.1 is set to 50.
B. The local preference of routes received from 10.1.1.1 is set to 150.
C. The route-map filters routes; only those with metric 50 are advertised.
D. The password is applied to the BGP session, but the route-map is ignored due to the password.
Answer: A

Correct. The route-map sets the MED attribute to 50.

Why this answer

The route-map SET-MED is applied outbound to neighbor 10.1.1.1. It sets the MED (multi-exit discriminator) to 50 for all routes advertised to that neighbor.

19
MCQ · medium

Consider the following IPv6 access-list on a Cisco IOS-XE router:

```
ipv6 access-list PERMIT_ICMP
 permit icmp any any echo-request
 permit icmp any any echo-reply
 deny ipv6 any any
!
interface GigabitEthernet0/0
 ipv6 traffic-filter PERMIT_ICMP in
```

What is the effect of this configuration?

A. Only IPv6 ping (echo-request and echo-reply) is allowed inbound on Gi0/0; all other IPv6 traffic is dropped.
B. All ICMPv6 traffic is permitted inbound on Gi0/0.
C. The ACL is applied outbound, so it filters traffic leaving Gi0/0.
D. The ACL permits all IPv6 traffic because the deny statement is at the end.
Answer: A

Correct. The ACL permits only those two ICMP types and denies everything else.

Why this answer

The IPv6 ACL permits only ICMP echo-request and echo-reply (ping) and denies all other IPv6 traffic. It is applied inbound on Gi0/0.

20
MCQ · medium

A network engineer is configuring a zone-based firewall (ZBF) on a Cisco router to allow traffic from the inside zone to the outside zone while blocking traffic from outside to inside. The engineer creates zones, assigns interfaces, and configures a policy-map with a class-map that matches all traffic from inside to outside. The engineer applies the policy to the zone-pair inside-to-outside. However, traffic from inside to outside is being dropped. What is the most likely reason?

A. The policy-map does not include an 'inspect' or 'pass' action for the matched traffic.
B. The zone-pair should be configured as outside-to-inside instead.
C. The class-map must also match return traffic for the firewall to allow the session.
D. The policy-map is applied to the wrong zone-pair; it should be applied to the inside zone.
Answer: A

Correct because without an explicit action, ZBF drops all traffic.

Why this answer

In ZBF, the policy-map must include an action for the matched traffic. If the class-map matches traffic but the policy-map does not have an 'inspect' or 'pass' action, the default action is to drop. Option A is correct because the engineer likely omitted the action.

Option B is incorrect because the zone-pair is correctly defined. Option C is incorrect because the class-map does not need to match return traffic; inspection handles that. Option D is incorrect because the policy is applied to the correct zone-pair.

21
MCQ · hard

A network engineer runs the following command on Router R1:

```
R1# show ip bgp summary
BGP router identifier 10.0.0.1, local AS number 65001
BGP table version is 10, main routing table version 10

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
192.168.1.2     4 65002    1024    1020       10    0    0 02:30:15        5
192.168.1.3     4 65003     500     498       10    0    0 00:15:20        3
10.0.0.2        4 65004       0       0        0    0    0 never    Active
```

Based on this output, what can be concluded?

A. All BGP neighbors are fully established.
B. The BGP session to 10.0.0.2 is down due to a TCP connection issue.
C. The BGP session to 192.168.1.3 has been up for 2 hours 30 minutes.
D. The router is receiving prefixes from all neighbors.
Answer: B

The Active state indicates the router is trying to open a TCP connection but has not succeeded.

Why this answer

The output shows BGP neighbors. The first two neighbors are established (up/down time and prefixes received). The third neighbor (10.0.0.2) is in Active state, meaning it is trying to establish a TCP connection but failing.

This could be due to a missing route, ACL blocking, or incorrect configuration.

22
Drag & Drop · medium

Drag and drop the steps of Cisco DHCP snooping binding table population into the correct order, from first to last.


Why this order

DHCP snooping first validates DHCP server messages on trusted ports, then creates a binding entry from the DHCPACK, stores the entry with MAC/IP/port/VLAN, updates the table on lease renewal, and finally removes the entry on lease expiry or DHCPRELEASE.

23
Drag & Drop · medium

Drag and drop the steps of Dynamic ARP Inspection (DAI) packet validation into the correct order, from first to last.


Why this order

DAI first intercepts ARP packets on untrusted ports, then checks the sender MAC and IP against the DHCP snooping binding, validates ARP cache consistency, drops packets that mismatch, and finally forwards valid packets to the destination.

24
Drag & Drop · medium

Drag and drop the steps of configuring a Cisco IOS Zone-Based Firewall (ZBFW) into the correct order, from first to last.


Why this order

ZBFW configuration begins by defining zones to group interfaces. Next, create a class-map to classify traffic of interest. Then, create a policy-map to specify actions (inspect, drop, pass) for each class.

After that, assign the policy-map to a zone-pair between source and destination zones. Finally, assign interfaces to their respective zones to activate the firewall.

25
MCQ · medium

A network engineer runs the following command on Router R1:

```
R1# show mpls ldp neighbor
    Peer LDP Ident: 10.0.0.2:0; Local LDP Ident 10.0.0.1:0
        TCP connection: 10.0.0.2.646 - 10.0.0.1.49231
        State: Oper; Msgs sent/rcvd: 100/95; Downstream
        Up time: 01:23:45
        LDP discovery sources:
          GigabitEthernet0/0, Src IP addr: 192.168.1.2
        Addresses bound to peer LDP Ident:
          10.0.0.2        192.168.1.2
```

Based on this output, what can be concluded?

A. The LDP session is not yet established.
B. The LDP session is using TCP port 646.
C. The LDP neighbor is using a different router ID than 10.0.0.2.
D. The LDP session has been up for 1 hour 23 minutes.
Answer: B

The TCP connection shows port 646, which is the well-known port for LDP.

Why this answer

The output shows an LDP neighbor with peer LDP identifier 10.0.0.2:0. The state is Operational, meaning the LDP session is established. The discovery source is GigabitEthernet0/0 with source IP 192.168.1.2.

The peer's addresses include the LDP router ID and the interface IP.

26
Multi-Select · hard

Which three statements about Control Plane Policing (CoPP) are true? (Choose three.)

Select 3 answers
A. CoPP uses Modular QoS CLI (MQC) to define traffic classes and policies.
B. CoPP is used to police traffic in the data plane to protect against DoS attacks.
C. CoPP can rate-limit or drop certain types of control plane traffic to prevent CPU overload.
D. CoPP classifies traffic into categories such as critical, normal, and management.
E. CoPP is applied directly to physical interfaces using the 'service-policy' command.
Answers: A, C, D

Correct because CoPP is configured using MQC with class maps, policy maps, and the 'service-policy' command applied to the control plane.

Why this answer

CoPP protects the control plane by applying QoS policies to traffic destined to the route processor. Option A is correct because CoPP uses MQC (Modular QoS CLI) to define class maps and policy maps. Option C is correct because CoPP can rate-limit or drop traffic to prevent CPU overload.

Option D is correct because CoPP classifies traffic into categories such as critical, normal, and management. Option B is incorrect because CoPP does not apply to the data plane; it applies to the control plane. Option E is incorrect because CoPP is applied to the control plane, not to interfaces directly; interface-level policing is done by other mechanisms.

27
MCQ · medium

Consider the following configuration on a Cisco IOS-XE router:

```
ip access-list extended BLOCK_SSH
 deny tcp any any eq 22
 permit ip any any
!
line vty 0 4
 access-class BLOCK_SSH in
```

Which statement is true about this configuration?

A. The ACL blocks all SSH traffic to the router, but permits other IP traffic.
B. The ACL blocks all traffic to the router because the deny statement is first.
C. The ACL only filters traffic going through the router, not destined to it.
D. The ACL permits SSH traffic because the permit statement overrides the deny.
Answer: A

Correct. The ACL is applied inbound on VTY lines, so SSH (TCP/22) is denied.

Why this answer

The access-class applied to the VTY lines filters incoming Telnet/SSH sessions. The ACL denies TCP port 22 (SSH) and permits all other IP traffic. This blocks SSH access to the router.

28
MCQ · hard

A network engineer is implementing MACsec on a Cisco switch-to-switch link to provide encryption. Both switches support MACsec and are configured with the same pre-shared key (PSK). The engineer configures 'mka' and 'macsec' on the interfaces. After configuration, the link does not come up, and the engineer sees 'MKA not operational' in the show macsec status. What is the most likely cause?

A. The pre-shared key (PSK) configured on both switches does not match.
B. MACsec requires a RADIUS server for key distribution, which is not configured.
C. The interfaces are configured with different VLANs, causing MACsec to fail.
D. The interfaces must be configured as trunk ports for MACsec to work.
Answer: A

Correct because MKA requires matching keys to establish a secure channel.

Why this answer

MACsec requires that both ends have matching keys and that the interfaces are in the same security mode (e.g., should-secure or must-secure). If one end is configured as 'must-secure' and the other as 'should-secure', they may not establish a secure channel. Option A is correct because a mismatch in the key chain or key string is a common issue.

Option B is incorrect because MACsec can work with PSK. Option C is incorrect because MACsec does not require dot1q. Option D is incorrect because MACsec does not require a specific duplex setting.

29
Multi-Select · hard

Which three statements about dynamic ARP inspection (DAI) are true? (Choose three.)

Select 3 answers
A. DAI validates ARP packets by checking the sender MAC and IP addresses against the DHCP snooping binding table.
B. DAI can be configured on a per-VLAN basis using the 'ip arp inspection vlan' command.
C. DAI includes rate limiting to prevent ARP flooding attacks.
D. DAI inspects both IPv4 ARP and IPv6 Neighbor Discovery packets.
E. DAI validates the destination IP address in ARP requests to prevent man-in-the-middle attacks.
Answers: A, B, C

Correct because DAI uses the DHCP snooping database to ensure ARP packets are legitimate.

Why this answer

Dynamic ARP Inspection (DAI) is a security feature that validates ARP packets in a network. It uses the DHCP snooping binding table to verify the MAC-to-IP address mapping. DAI is configured on a per-VLAN basis and can be applied to specific interfaces.

Rate limiting is used to prevent ARP storms. Option D is incorrect because DAI does not inspect ARP replies for IPv6; it is for IPv4 ARP only. Option E is incorrect because DAI does not validate the destination IP address of ARP requests; it validates the sender MAC and IP in the ARP body.

30
Drag & Drop · medium

Drag and drop the steps of the Unicast Reverse Path Forwarding (uRPF) check process into the correct order, from first to last.


Why this order

uRPF checks the source IP of incoming packets by first looking up the source in the FIB. If the best reverse path to the source uses the same interface, the packet is forwarded; otherwise, it is dropped. Strict mode requires exact match, while loose mode only requires a route.
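The check sequence described in questions 15, 17 and 30 (look up the source, compare the reverse path with the ingress interface, forward or drop), as an added example that is not part of the original question bank. The FIB contents and interface names are constructed; the `allow_default` switch models the IOS `allow-default` keyword, without which a source matched only by a default route fails the check.

```python
import ipaddress

# Constructed FIB for the example: (prefix, egress interface).
# 10.1.50.0/24 deliberately points out a different interface than its
# covering /16 to reproduce the drop scenario from question 15.
FIB = [
    ("10.1.0.0/16", "Gi0/1"),    # internal LAN behind Gi0/1
    ("10.1.50.0/24", "Gi0/2"),   # one internal subnet reachable via Gi0/2
    ("192.0.2.0/24", "Gi0/0"),   # upstream-facing prefix
    ("0.0.0.0/0", "Gi0/0"),      # default route toward the ISP
]


def lookup(fib, src):
    """Longest-prefix match for src; returns (network, iface) or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in fib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_check(fib, src, ingress, mode="strict", allow_default=False):
    """Apply the uRPF check to a packet with source src arriving on ingress.

    Returns (verdict, reason) where verdict is 'forward' or 'drop'.
    strict: the best reverse path must leave via the ingress interface.
    loose:  any route to the source (other than the default, unless allowed)
            is enough.
    """
    hit = lookup(fib, src)
    if hit is None:
        return ("drop", "no route to source")
    net, iface = hit
    if net.prefixlen == 0 and not allow_default:
        return ("drop", "only the default route covers the source")
    if mode == "loose":
        return ("forward", f"route {net} exists via {iface}")
    if iface == ingress:
        return ("forward", f"reverse path {net} leaves via ingress {ingress}")
    return ("drop", f"reverse path {net} leaves via {iface}, packet arrived on {ingress}")


if __name__ == "__main__":
    for src, port, mode in [("10.1.50.7", "Gi0/1", "strict"),
                            ("10.1.50.7", "Gi0/1", "loose"),
                            ("10.1.7.7", "Gi0/1", "strict")]:
        print(src, port, mode, urpf_check(FIB, src, port, mode))
```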

31
Matching · medium

Drag and drop each AAA service on the left to its matching protocol on the right.


Why these pairings

Authentication typically uses RADIUS, and authorization uses TACACS+. Accounting can use either, though RADIUS is more common for accounting. TACACS+ encrypts the entire packet and separates the AAA functions.

32
MCQeasy

A network engineer runs the following command on Router R1: R1# show ip access-lists 101 Extended IP access list 101 10 permit tcp 192.168.1.0 0.0.0.255 any eq 80 (100 matches) 20 deny tcp any any eq 23 (50 matches) 30 permit ip any any (200 matches) Based on this output, what can be concluded?

A. Telnet traffic from 192.168.1.0/24 is permitted.
B. Telnet traffic from any source is denied.
C. HTTP traffic from any source is permitted.
D. All traffic is permitted because of the last entry.
Answer: B

Entry 20 denies TCP port 23 (Telnet) from any source to any destination.

Why this answer

The ACL 101 has three entries. The first permits HTTP traffic from 192.168.1.0/24 to any destination. The second denies Telnet traffic from any source.

The third permits all other IP traffic. The match counters show hits. Since Telnet is denied, any Telnet attempt will be blocked unless it matches a preceding permit (which it doesn't).

33
Drag & Drop · medium

Drag and drop the steps of Dynamic ARP Inspection (DAI) packet validation into the correct order, from first to last.

Why this order

DAI is first enabled on the relevant VLANs and then uses the DHCP snooping binding table as its source of truth. For each ARP packet, it checks the sender MAC and IP addresses against the binding table and validates the packet format before forwarding or dropping it.

34
Matching · medium

Drag and drop each infrastructure hardening technique on the left to its matching configuration command on the right.

Matches

interface range GigabitEthernet0/1-24 ; shutdown

banner login ^C Authorized access only ^C

ip ssh version 2

no cdp run

service password-encryption

Why these pairings

Disable unused ports with 'interface range ... shutdown'; set login banner with 'banner login'; enable SSH with 'ip ssh version 2'; disable CDP with 'no cdp run'; set password encryption with 'service password-encryption'.

35
Multi-Select · hard

Which two statements about IP Source Guard are true? (Choose two.)

Select 2 answers
A. IP Source Guard uses the DHCP snooping binding table to validate the source IP address of packets received on a port.
B. IP Source Guard can be configured with port security to provide additional MAC address filtering.
C. IP Source Guard only works with DHCP-assigned IP addresses, not static IP addresses.
D. IP Source Guard filters traffic based on the destination MAC address.
E. IP Source Guard requires 802.1X authentication to be enabled on the port.
Answers: A, B

Correct because IPSG relies on the DHCP snooping database to determine allowed source IPs.

Why this answer

IP Source Guard (IPSG) is a security feature that filters IP traffic on untrusted Layer 2 ports based on the DHCP snooping binding table or static IP source bindings. It can be configured with or without port security. IPSG is typically applied on access ports facing end devices.

Option C is incorrect because IPSG can be used with both static and DHCP-assigned IP addresses. Option D is incorrect because IPSG filters traffic at Layer 3 (IP), not Layer 2. Option E is incorrect because IPSG does not require 802.1X authentication; it can operate independently.

36
Matching · medium

Drag and drop each Layer 2 attack on the left to its matching mitigation feature on the right.

Matches

Port security

DHCP snooping

Dynamic ARP Inspection

BPDU guard

Disable Dynamic Trunking Protocol

Why these pairings

MAC flooding is mitigated by port security; DHCP starvation by DHCP snooping; ARP spoofing by DAI; STP manipulation by BPDU guard; VLAN hopping by disabling DTP.

37
MCQ · easy

A network engineer runs the following command on Router R1:

```
R1# show vrf brief
  Name                 Default RD    Protocols   Interfaces
  CUSTOMER_A           65000:100     ipv4        Gi0/0.100
  CUSTOMER_B           65000:200     ipv4        Gi0/0.200
  MANAGEMENT           65000:999     ipv4        Gi0/1
```

Based on this output, what can be concluded?

A. All VRFs are using the same route distinguisher.
B. The MANAGEMENT VRF is used for customer traffic.
C. CUSTOMER_A and CUSTOMER_B are on the same physical interface but different subinterfaces.
D. The router is running MPLS L3VPN.
Answer: C

Both are on Gi0/0 with different subinterfaces (.100 and .200), indicating they share the same physical port.

Why this answer

The output shows three VRFs: CUSTOMER_A, CUSTOMER_B, and MANAGEMENT. Each has a route distinguisher and is associated with specific interfaces. The CUSTOMER_A and CUSTOMER_B VRFs are on subinterfaces of GigabitEthernet0/0, while MANAGEMENT is on a separate physical interface.

38
MCQ · hard

A network engineer is configuring IPv6 First Hop Security on a Cisco switch to mitigate rogue RA attacks. The engineer enables RA guard on the switch and applies a policy that allows only the default gateway to send RAs. After configuration, hosts are unable to obtain IPv6 addresses via SLAAC. The engineer checks the switch and sees that RA guard is dropping all RAs. What is the most likely cause?

A. The RA guard policy does not include the IPv6 address or MAC address of the legitimate default gateway.
B. The switch has DHCPv6 snooping enabled, which conflicts with RA guard.
C. SLAAC requires the host to send a router solicitation first, which is being blocked by RA guard.
D. RA guard is configured in 'block' mode, which drops all RAs regardless of the policy.
Answer: A

Correct because RA guard drops RAs from devices not matching the policy, so the gateway's RAs are dropped.

Why this answer

RA guard uses a policy to determine which devices can send RAs. If the policy is configured to allow only a specific device (e.g., the default gateway), but the device's MAC address or IPv6 address is not correctly identified, all RAs are dropped. Option A is correct because the policy must include the gateway's address.

Option B is incorrect because RA guard does not require DHCPv6. Option C is incorrect because RA guard can work with SLAAC. Option D is incorrect because RA guard does not block all RAs by default; it uses the policy.

39
Drag & Drop · medium

Drag and drop the steps of IP Source Guard binding and enforcement into the correct order, from first to last.

Why this order

IP Source Guard relies on the DHCP snooping binding table. It is enabled on an interface, and then the switch creates a PVACL based on the binding. When a packet arrives, the source IP is checked against the binding; if it matches, the packet is forwarded; otherwise, it is dropped.

40
MCQ · medium

Consider the following DHCP snooping configuration on a Cisco IOS-XE switch:

```
ip dhcp snooping
ip dhcp snooping vlan 10
interface GigabitEthernet0/1
 ip dhcp snooping trust
!
interface GigabitEthernet0/2
 ip dhcp snooping limit rate 10
```

Which statement is true?

A. Gi0/1 is trusted for DHCP snooping, and Gi0/2 will drop DHCP packets exceeding 10 per second.
B. Gi0/2 is trusted and will forward all DHCP packets without rate limiting.
C. The switch will only snoop DHCP on VLAN 10, but rate limiting applies to all VLANs.
D. Gi0/1 will rate-limit DHCP packets to 10 per second.
Answer: A

Correct. Trusted ports are typically for DHCP servers; rate limit applies to untrusted ports.

Why this answer

DHCP snooping is enabled globally and for VLAN 10. Gi0/1 is trusted (typically uplink to DHCP server). Gi0/2 is untrusted and has a rate limit of 10 packets per second to prevent DHCP starvation.

41
Matching · medium

Drag and drop each Cisco security feature on the left to its matching OSI layer on the right.

Matches

Layer 2

Layer 3

Layer 4

Layer 7

Layer 2

Why these pairings

Port security operates at Layer 2, ACLs at Layer 3, firewall at Layer 4, IPS at Layer 7, and 802.1X at Layer 2.

42
MCQ · hard

A network engineer runs the following command on Router R1:

```
R1# show policy-map interface GigabitEthernet0/0
 GigabitEthernet0/0

  Service-policy input: QOS_POLICY

    Class-map: VOICE (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: ip dscp ef (46)
      Queueing
      queue limit 64 packets
      (queue depth/total drops/no-buffer drops) 0/0/0
      (pkts output/bytes output) 0/0
      police
          cir 1000000 bc 31250 be 31250
        conformed 0 bytes; actions:
          transmit
        exceeded 0 bytes; actions:
          drop
        violated 0 bytes; actions:
          drop

    Class-map: class-default (match-any)
      100 packets, 12000 bytes
      5 minute offered rate 8000 bps, drop rate 0 bps
      Match: any
      Queueing
      queue limit 64 packets
      (queue depth/total drops/no-buffer drops) 0/0/0
      (pkts output/bytes output) 100/12000
```

Based on this output, what can be concluded?

A. The policy is applied in the output direction.
B. Voice traffic is being policed at 1 Mbps and any excess is dropped.
C. All traffic is being policed at 8 kbps.
D. The policy is shaping traffic to 1 Mbps.
Answer: B

The VOICE class has a police statement with CIR 1 Mbps, and actions for exceed and violate are drop.

Why this answer

The policy-map QOS_POLICY is applied inbound on GigabitEthernet0/0. It has two classes: VOICE (matching DSCP EF) and class-default. The VOICE class has a police command with a CIR of 1 Mbps, and actions for conform (transmit) and exceed/violate (drop).

The class-default has no police. The output shows no packets matched VOICE, so no policing has occurred for that class. The class-default has 100 packets.

43
Matching · medium

Drag and drop each Control plane protection feature on the left to its matching threat on the right.

Matches

DoS attack on control plane

IP spoofing attack

Rogue DHCP server attack

ARP cache poisoning attack

IP spoofing on access ports

Why these pairings

CoPP protects against DoS attacks on the control plane, uRPF against IP spoofing, DHCP snooping against rogue DHCP servers, DAI against ARP cache poisoning, and IP Source Guard against IP spoofing at Layer 2.

44
Matching · medium

Drag and drop each Cisco security feature on the left to its matching OSI layer on the right.

Matches

Layer 2

Layer 3

Layer 3/4

Layer 4-7

Layer 2

Why these pairings

Port security operates at Layer 2; ACL at Layer 3; zone-based firewall at Layer 3/4; IPS at Layer 4-7; MACsec at Layer 2.

45
MCQ · medium

A network engineer runs the following command on Switch SW1:

```
SW1# show spanning-tree vlan 10

VLAN0010
  Spanning tree enabled protocol ieee
  Root ID    Priority    32778
             Address     0011.2233.4455
             Cost        19
             Port        1 (GigabitEthernet0/1)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32778  (priority 32768 sys-id-ext 10)
             Address     0011.2233.4466
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/1               Root FWD 19        128.1    P2p
Gi0/2               Altn BLK 19        128.2    P2p
Gi0/3               Desg FWD 19        128.3    P2p
```

Based on this output, what can be concluded?

A. SW1 is the root bridge for VLAN 10.
B. Gi0/2 is in blocking state due to loop prevention.
C. Gi0/3 is a root port.
D. The root bridge has a higher priority than SW1.
Answer: B

Gi0/2 is an alternate port in blocking state, which is normal STP behavior to prevent loops.

Why this answer

The output shows that the root bridge has address 0011.2233.4455, and SW1's bridge ID is 0011.2233.4466. Since the root bridge has a lower MAC address (and same priority), SW1 is not the root. Gi0/1 is the root port, Gi0/2 is an alternate port (blocking), and Gi0/3 is a designated port.

This indicates a redundant topology with a loop, and STP is blocking Gi0/2 to prevent it.

46
MCQ · medium

Examine the following CoPP configuration on a Cisco IOS-XE router:

```
class-map match-all CONTROL-PLANE
 match access-group name COPP-ACL
!
policy-map COPP-POLICY
 class CONTROL-PLANE
  police 1000000 200000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input COPP-POLICY
```

What is the effect of this configuration?

A. Traffic matching the ACL is rate-limited to 1 Mbps; traffic exceeding the rate is dropped.
B. All control plane traffic is rate-limited to 1 Mbps.
C. Traffic exceeding 1 Mbps is marked down but still transmitted.
D. The policy-map is applied to the data plane, not the control plane.
Answer: A

Correct. The police command enforces a 1 Mbps rate with drop for excess.

Why this answer

This applies a policy-map to the control plane that polices traffic matching the class-map. The police command limits traffic to 1 Mbps (1000000 bps) with a normal burst of 200000 bytes; conforming traffic is transmitted, exceeding traffic is dropped.

47
Multi-Select · hard

Which three statements about DHCP snooping are true? (Choose three.)

Select 3 answers
A. DHCP snooping is configured on a per-VLAN basis.
B. DHCP snooping prevents all types of ARP spoofing attacks.
C. The DHCP snooping binding database includes the client MAC address, IP address, lease time, VLAN, and port.
D. Ports connected to DHCP servers should be configured as trusted ports.
E. DHCP snooping encrypts all DHCP traffic between the client and server.
Answers: A, C, D

Correct because DHCP snooping is enabled on specific VLANs using the 'ip dhcp snooping vlan' command.

Why this answer

DHCP snooping is a security feature that filters untrusted DHCP messages. It builds a DHCP snooping binding database from trusted sources. Option A is correct because DHCP snooping is typically enabled on VLANs, not globally on the switch.

Option C is correct because the binding database contains the client MAC address, IP address, lease time, VLAN, and port. Option D is correct because ports connected to DHCP servers are configured as trusted to allow DHCP server messages. Option B is incorrect because DHCP snooping does not prevent all ARP spoofing; that is the role of Dynamic ARP Inspection (DAI).

Option E is incorrect because DHCP snooping does not encrypt DHCP traffic; it only filters messages based on trust.

48
MCQ · easy

What is the maximum hop count for EIGRP?

A. 255
B. 100
C. 15
D. 16
Answer: A

Correct. EIGRP's maximum hop count is 255.

Why this answer

EIGRP uses a maximum hop count of 255 to prevent routing loops, though the default is 100.

49
Matching · medium

Drag and drop each AAA service on the left to its matching protocol on the right.

Matches

RADIUS

TACACS+

RADIUS

TACACS+

RADIUS

Why these pairings

Authentication uses RADIUS; authorization uses TACACS+; accounting uses RADIUS; command authorization uses TACACS+; dot1x authentication uses RADIUS.

50
Matching · medium

Drag and drop each Layer 2 attack on the left to its matching mitigation feature on the right.

Matches

Port security

DHCP snooping

Dynamic ARP Inspection

BPDU guard

Disable Dynamic Trunking Protocol

Why these pairings

MAC flooding is mitigated by port security, DHCP starvation by DHCP snooping, ARP spoofing by DAI, STP manipulation by BPDU guard, and VLAN hopping by disabling DTP.

51
Multi-Select · medium

Which two statements about 802.1X port-based authentication on a Cisco switch are true? (Choose two.)

Select 2 answers
A. The switch acts as the authenticator in the 802.1X framework.
B. The RADIUS server acts as the authenticator in the 802.1X framework.
C. 802.1X can only be configured on router interfaces, not on switch ports.
D. EAP over LAN (EAPoL) is used between the supplicant and the authenticator.
E. 802.1X authentication is only applicable to wireless networks.
Answers: A, D

Correct because in 802.1X, the switch (or wireless controller) is the authenticator that controls access to the network.

Why this answer

802.1X uses EAP over LAN (EAPoL) to authenticate devices at the port level. The switch acts as an authenticator and can use a RADIUS server for authentication. Option A is correct because the switch is the authenticator.

Option D is correct because EAPoL is the protocol used between the supplicant and the authenticator. Option B is incorrect because the RADIUS server is the authentication server, not the authenticator. Option C is incorrect because 802.1X can be configured on Layer 2 switch ports, not just routers.

Option E is incorrect because 802.1X is not limited to wireless; it is commonly used on wired switch ports.

52
Drag & Drop · medium

Drag and drop the steps of Cisco IBNS 2.0 policy configuration into the correct order, from first to last.

Why this order

IBNS 2.0 uses a modular policy framework. First, define the authentication template to specify the method (e.g., dot1x, MAB). Second, create the policy map that references the template and defines the behavior.

Third, apply the policy map to the interface. Fourth, enable authentication on the interface. Finally, verify the configuration using show commands.

53
MCQ · easy

What is the default OSPF hello interval on an Ethernet link in a Cisco router?

A. 10 seconds
B. 30 seconds
C. 5 seconds
D. 40 seconds
Answer: A

Correct. The default hello interval for Ethernet is 10 seconds.

Why this answer

By default, OSPF sends hello packets every 10 seconds on broadcast and point-to-point links (e.g., Ethernet).

54
Multi-Select · medium

Which two statements about IP Source Guard are true? (Choose two.)

Select 2 answers
A. IP Source Guard uses the DHCP snooping binding database to validate source IP addresses.
B. IP Source Guard filters traffic based on the source MAC address.
C. IP Source Guard is applied on Layer 3 interfaces of a switch.
D. IP Source Guard can be configured with a static IP source binding for hosts with static IP addresses.
E. IP Source Guard requires 802.1X authentication to function.
Answers: A, D

Correct because IPSG relies on the DHCP snooping binding database to determine which source IP addresses are allowed on a given port.

Why this answer

IP Source Guard (IPSG) filters IP traffic on a per-port basis using the DHCP snooping binding database. Option A is correct because IPSG uses the binding database to validate source IP addresses. Option D is correct because IPSG can be configured with a static IP source binding for hosts with static IP addresses.

Option B is incorrect because IPSG does not filter MAC addresses; that is the role of port security. Option C is incorrect because IPSG is applied on Layer 2 switch ports, not on Layer 3 interfaces. Option E is incorrect because IPSG does not require 802.1X; it can work with DHCP snooping alone.

55
Drag & Drop · medium

Drag and drop the steps of Cisco DHCP snooping binding table population into the correct order, from first to last.

Why this order

DHCP snooping builds the binding table by first enabling snooping globally, then on specific VLANs, and designating trusted ports. The switch intercepts DHCP messages, extracts client info from ACK packets, and populates the binding table with the lease information.

56
Matching · medium

Drag and drop each Control plane protection feature on the left to its matching threat on the right.

Matches

CPU overload from excessive control plane traffic

IP spoofing attacks

Rogue DHCP server

ARP cache poisoning

IP spoofing on access ports

Why these pairings

CoPP protects against CPU overload; uRPF against IP spoofing; DHCP snooping against rogue DHCP server; DAI against ARP cache poisoning; IP Source Guard against IP spoofing on access ports.

57
Matching · medium

Drag and drop each infrastructure hardening technique on the left to its matching configuration command on the right.

Matches

shutdown

banner login

ip ssh version 2

access-class

security passwords min-length

Why these pairings

Disable unused ports with 'shutdown', set a login banner with 'banner login', enable SSH with 'ip ssh version 2', restrict VTY access with 'access-class', and set a minimum password length with 'security passwords min-length'.

58
MCQ · medium

A network engineer runs the following command on Router R1:

```
R1# show ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
10.0.0.2          1   FULL/DR         00:00:38    192.168.1.2     GigabitEthernet0/0
10.0.0.3          1   2WAY/DROTHER    00:00:32    192.168.1.3     GigabitEthernet0/0
10.0.0.4          1   FULL/BDR        00:00:35    192.168.1.4     GigabitEthernet0/0
```

Based on this output, what can be concluded?

A. Router R1 is the DR on this segment.
B. Router R1 is the BDR on this segment.
C. Router R1 is a DROTHER on this segment.
D. Router R1 has no OSPF neighbors.
Answer: C

R1 has a FULL adjacency with DR and BDR, but only 2WAY with another DROTHER, indicating R1 is also a DROTHER.

Why this answer

The output shows OSPF neighbors on a multi-access network. The router with the highest priority becomes DR, and the next highest becomes BDR. Here, 10.0.0.2 is DR (FULL/DR), 10.0.0.4 is BDR (FULL/BDR), and 10.0.0.3 is a DROTHER (2WAY/DROTHER).

The router R1 itself is not shown, but its state is implied: since it has a FULL adjacency with DR and BDR, but only 2WAY with DROTHER, R1 is likely a DROTHER.
