CCNA Network Implementation Questions

29 of 104 questions · Page 2/2 · Network Implementation · Answers revealed

76
MCQ · medium

A network administrator needs to allow multiple VLANs to traverse a single link between two switches. Which configuration must be applied on the switch ports?

A. Access port
B. Trunk port
C. Hybrid port
D. Routed port
Answer: B

A trunk port is configured to carry multiple VLANs by tagging frames with VLAN information using 802.1Q or ISL.

Why this answer

A trunk port is configured to carry traffic for multiple VLANs over a single link by tagging frames with IEEE 802.1Q VLAN identifiers. This allows the switch to distinguish which VLAN each frame belongs to, enabling inter-switch VLAN connectivity without requiring separate physical links per VLAN.

Exam trap

The trap here is that candidates often confuse a trunk port with an access port, thinking that multiple VLANs can be carried by simply assigning multiple VLANs to an access port, but access ports can only be assigned a single untagged VLAN.

How to eliminate wrong answers

Option A is wrong because an access port belongs to only one VLAN and strips any VLAN tags, making it unable to carry multiple VLANs. Option C is wrong because hybrid ports are a vendor-specific concept (e.g., Huawei) and are not a standard Cisco term for this scenario; Cisco switches use trunk ports for multi-VLAN links. Option D is wrong because a routed port is a Layer 3 interface used for routing, not for carrying multiple VLANs over a single link.

77
MCQ · hard

A network engineer has successfully established an IPsec site-to-site VPN tunnel between a branch office (10.0.1.0/24) and the main office (192.168.1.0/24). The tunnel status shows as active, and both sides can ping each other's tunnel interface IP addresses. However, users at the branch office cannot ping the main office server at 192.168.1.10, and the main office cannot ping the branch office server at 10.0.1.10. The firewall rules on both sides permit IPsec traffic and all internal traffic. What should the engineer check NEXT?

A. Verify routing entries on both routers to ensure the remote internal subnets are reachable via the tunnel.
B. Check the IPsec security associations for encryption algorithm mismatch.
C. Disable the firewall on the internal interfaces temporarily.
D. Regenerate the pre-shared key on both sides.
Answer: A

Both routers need to have routes pointing to the remote internal subnets (e.g., 192.168.1.0/24 and 10.0.1.0/24) with the tunnel interface as the next hop. Without these routes, traffic from internal hosts will not be directed into the tunnel.

Why this answer

The tunnel is active and both sides can ping each other's tunnel interface IPs, confirming that IPsec phase 1 and phase 2 are established and the tunnel itself is functional. However, users cannot reach the remote internal subnets (10.0.1.0/24 and 192.168.1.0/24), which indicates a routing problem: the routers likely lack routes for those remote subnets pointing to the tunnel interface. Without proper routing entries, traffic destined for the remote LAN is sent out the wrong interface or dropped, even though the tunnel is up.

Exam trap

Cisco often tests the distinction between tunnel reachability (pinging the tunnel interface IP) and subnet reachability (pinging hosts behind the tunnel), trapping candidates who assume a working tunnel automatically means all traffic flows correctly, when in fact routing for the remote LANs must be explicitly configured.

How to eliminate wrong answers

Option B is wrong because an encryption algorithm mismatch would prevent the IPsec security associations (SAs) from forming, causing the tunnel to fail or show as not active — but the tunnel is active and tunnel interface pings succeed, so the SAs are correctly negotiated. Option C is wrong because disabling the firewall on internal interfaces is an unnecessary and risky troubleshooting step; the firewall rules already permit IPsec and internal traffic, and the problem is not firewall-related since tunnel interface pings work, indicating the firewall is not blocking the tunnel itself.

78
MCQ · medium

A network administrator is creating a new VLAN 50 on a switch. After creating the VLAN, the administrator notices that the switch does not send VLAN information to other switches in the network. Which of the following is the most likely reason?

A. VTP mode is set to transparent.
B. The trunk link is not configured.
C. The VLAN is not allowed on the trunk.
D. STP is blocking the VLAN.
Answer: A

In transparent mode, the switch forwards VTP advertisements but does not originate or propagate its own VLAN changes.

Why this answer

When VTP mode is set to transparent, the switch does not originate or forward VTP advertisements, so VLAN changes made on it are not propagated to other switches. This explains why VLAN 50 was created locally but not shared with the rest of the network.

Exam trap

Cisco often tests the misconception that a trunk misconfiguration (like not allowing the VLAN on the trunk) is the cause of VTP propagation failure, when in fact VTP transparent mode completely disables advertisement generation regardless of trunk settings.

How to eliminate wrong answers

Option B is wrong because a trunk link is required for VLAN information to be passed between switches, but the absence of a trunk would prevent all VLAN traffic, not specifically the failure to send VLAN information. Option C is wrong because if a VLAN is not allowed on the trunk, it would block traffic for that VLAN across the trunk, but it would not prevent the switch from sending VTP advertisements about the VLAN; VTP operates independently of the allowed VLAN list.

79
MCQ · hard

A network architect is implementing a Software-Defined Networking (SDN) solution. The SDN controller needs to communicate with the physical switches to install flow rules. Which type of API is used for this communication?

A. Southbound API
B. Northbound API
C. Eastbound API
D. Westbound API
Answer: A

Southbound APIs (e.g., OpenFlow, NETCONF) are used by the SDN controller to communicate with and configure network devices.

Why this answer

The Southbound API is the correct interface because it enables the SDN controller to communicate with the underlying physical or virtual network devices (switches, routers) to install flow rules, modify forwarding tables, and gather telemetry. This API typically uses protocols such as OpenFlow, NETCONF, or OVSDB to translate controller decisions into device-level actions, making it the essential southbound channel in an SDN architecture.

Exam trap

The trap here is that candidates confuse the Southbound API with the Northbound API, mistakenly thinking the controller communicates upward to applications rather than downward to switches, or they invent 'Eastbound' or 'Westbound' as plausible-sounding but incorrect terms for controller-to-switch communication.

How to eliminate wrong answers

Option B (Northbound API) is wrong because it is used for communication between the SDN controller and higher-layer applications or orchestration tools, not for installing flow rules on physical switches. Option C (Eastbound API) is wrong because it refers to communication between multiple SDN controllers in a federated or hierarchical deployment, not between a controller and switches. Option D (Westbound API) is wrong because it is not a standard SDN API term; it is sometimes used to describe communication between controllers in different administrative domains, but it does not involve installing flow rules on switches.

80
MCQ · medium

A company is setting up a new branch office and needs to connect it to the main office over the internet using a secure VPN. The branch office has a dynamic public IP address. Which type of VPN should be configured?

A. Site-to-site IPsec VPN with static IPs
B. Remote access VPN using SSL
C. Dynamic Multipoint VPN (DMVPN)
D. Policy-based VPN
Answer: C

Correct. DMVPN is designed for hub-and-spoke topologies and can accommodate branch sites with dynamic IP addresses by using mGRE and NHRP.

Why this answer

C is correct because Dynamic Multipoint VPN (DMVPN) is designed to handle sites with dynamic public IP addresses, such as a branch office with a dynamically assigned IP. DMVPN uses mGRE (multipoint Generic Routing Encapsulation) and NHRP (Next Hop Resolution Protocol) to dynamically establish tunnels between spoke routers without requiring static IP configurations on each spoke, making it ideal for this scenario.

Exam trap

The trap here is that candidates often choose site-to-site IPsec VPN (Option A) because it is the most familiar VPN type, failing to recognize that dynamic IPs at the branch require a technology like DMVPN that can handle address changes without manual reconfiguration.

How to eliminate wrong answers

Option A is wrong because site-to-site IPsec VPN with static IPs requires both endpoints to have static public IP addresses; the branch office has a dynamic IP, so this configuration would fail when the IP changes. Option B is wrong because remote access VPN using SSL is designed for individual client-to-site connections (e.g., a single user connecting from a laptop), not for connecting an entire branch office network to the main office network. Option D is wrong because policy-based VPNs (which define traffic selectors based on source/destination subnets) still require static IP addresses or a dynamic IP resolution mechanism; they do not inherently handle dynamic spoke IPs like DMVPN does.

81
MCQ · medium

A new switch is installed in a remote wiring closet. It has been configured with a management IP address of 10.1.2.50/24. The switch is connected via a trunk to the distribution switch, and the management station (10.1.1.0/24) is on a different subnet. The switch cannot be pinged from the management station. The distribution switch has routing to the 10.1.2.0/24 subnet. What is the most likely cause?

A. The management VLAN is not allowed on the trunk.
B. The default gateway is not configured on the new switch.
C. The switch port to the distribution switch is in access mode.
D. The management IP is configured on the wrong VLAN.
Answer: B

The switch must have a default gateway pointing to the distribution switch to route responses to other subnets.

Why this answer

The management station is on subnet 10.1.1.0/24, while the switch's management IP is 10.1.2.50/24. For the switch to reply to pings from a different subnet, it must have a default gateway configured so it knows where to send return traffic. Without a default gateway, the switch will only respond to traffic on its local subnet, making it unreachable from the management station.

Exam trap

Cisco often tests the misconception that a management IP alone is sufficient for remote access, but candidates forget that a default gateway is mandatory for inter-subnet communication, especially when the management station and switch are on different subnets.

How to eliminate wrong answers

Option A is wrong because the management VLAN not being allowed on the trunk would prevent all VLAN traffic, including the management VLAN, from reaching the distribution switch, but the question states the distribution switch has routing to 10.1.2.0/24, implying the trunk is functional; the issue is specifically about the switch's ability to route return traffic. Option C is wrong because if the port were in access mode, it would only carry a single VLAN, but the question states it is a trunk, and even if it were access, the switch could still be reachable if the management IP were on that VLAN and a default gateway existed. Option D is wrong because while the management IP could be on the wrong VLAN, the most direct and common cause given the scenario is the missing default gateway; the management IP being on the wrong VLAN would still require a default gateway for inter-subnet communication, and the question does not provide evidence of a VLAN mismatch.

82
MCQ · medium

An organization needs to connect two buildings that are 2 km apart with a point-to-point wireless link. Which antenna type is BEST suited for this long-distance directional connection?

A. Omni-directional antenna
B. Yagi antenna
C. Patch antenna
D. Parabolic dish antenna
Answer: D

Parabolic dish antennas provide very high gain and narrow beamwidth, making them ideal for long-distance point-to-point wireless bridges.

Why this answer

A parabolic dish antenna is the best choice for a 2 km point-to-point wireless link because it provides a very narrow beamwidth and high gain, focusing the signal in a specific direction to maximize distance and minimize interference. This makes it ideal for long-distance, high-throughput links where precise alignment is possible.

Exam trap

The trap here is that candidates often confuse 'directional' with 'high gain,' assuming a Yagi or patch antenna is sufficient for long distances, but the parabolic dish's superior focus and gain are critical for maintaining signal integrity over 2 km.

How to eliminate wrong answers

Option A is wrong because an omni-directional antenna radiates signal in all directions equally, resulting in low gain and significant signal loss over 2 km, making it unsuitable for long-distance point-to-point links. Option B is wrong because a Yagi antenna, while directional, typically offers moderate gain (e.g., 10-15 dBi) and a wider beamwidth than a parabolic dish, which may not provide sufficient signal strength and focus for a reliable 2 km link. Option C is wrong because a patch antenna (panel antenna) has a broader beamwidth (e.g., 30-90 degrees) and lower gain (e.g., 8-12 dBi) compared to a parabolic dish, making it better suited for shorter distances or sector coverage rather than long-distance point-to-point.

83
MCQ · hard

A network engineer is designing a wireless network for a large warehouse with many metal racks and heavy machinery that cause significant RF interference. The network must support a high density of IoT sensors and provide reliable connectivity. Which IEEE wireless standard should the engineer implement to best meet these requirements?

A. 802.11ac (Wi-Fi 5)
B. 802.11ax (Wi-Fi 6)
C. 802.11n (Wi-Fi 4)
D. 802.11g (Wi-Fi 3)
Answer: B

802.11ax uses OFDMA and improved MU-MIMO, allowing better handling of many devices and interference. It also supports both 2.4 GHz and 5 GHz bands, providing better coverage in challenging environments.

Why this answer

802.11ax (Wi-Fi 6) is the correct choice because it introduces Orthogonal Frequency Division Multiple Access (OFDMA), which subdivides channels into smaller resource units (RUs) to serve multiple IoT sensors simultaneously, improving efficiency in dense, interference-heavy environments. Additionally, Wi-Fi 6 includes BSS Coloring, which reduces co-channel interference by allowing devices to ignore transmissions from overlapping basic service sets, and Target Wake Time (TWT), which schedules IoT sensor transmissions to conserve battery and reduce contention.

Exam trap

The trap here is that candidates often choose 802.11ac (Wi-Fi 5) because it is widely known for high throughput, but they overlook that 802.11ax's OFDMA and TWT are specifically designed for high-density IoT and interference-heavy environments, not just raw speed.

How to eliminate wrong answers

Option A (802.11ac) is wrong because it uses OFDM only, lacks OFDMA and TWT, and does not handle high-density IoT sensor traffic or RF interference as efficiently as Wi-Fi 6. Option C (802.11n) is wrong because it relies on older MIMO and channel bonding without the advanced interference mitigation and scheduling features of Wi-Fi 6, making it unsuitable for dense IoT deployments in high-interference environments. Option D (802.11g) is wrong because it operates only in the 2.4 GHz band with a maximum data rate of 54 Mbps, lacks MIMO, OFDMA, and any interference-avoidance mechanisms, and cannot support the required density or reliability.

84
MCQ · medium

A network administrator needs to connect two switches to allow multiple VLANs to traverse the link. Which protocol should be used to tag frames with VLAN information?

A. STP (Spanning Tree Protocol)
B. 802.1Q
C. VTP (VLAN Trunking Protocol)
D. LACP (Link Aggregation Control Protocol)
Answer: B

802.1Q is the standard for VLAN tagging on trunk links, ensuring proper VLAN identification across switches.

Why this answer

802.1Q is the IEEE standard for VLAN tagging, which inserts a 4-byte tag into the Ethernet frame header to identify the VLAN membership of the frame. This allows multiple VLANs to traverse a single trunk link between switches, enabling inter-switch VLAN communication without requiring separate physical links per VLAN.

Exam trap

The trap here is that candidates often confuse VTP (a management protocol) with the actual tagging protocol, assuming VTP handles frame tagging because of the word 'trunking' in its name.

How to eliminate wrong answers

Option A is wrong because STP (Spanning Tree Protocol) is used to prevent loops in a network topology by blocking redundant links, not for tagging frames with VLAN information. Option C is wrong because VTP (VLAN Trunking Protocol) is a Cisco proprietary protocol for synchronizing VLAN databases across switches, but it does not tag frames; it relies on 802.1Q or ISL for actual tagging. Option D is wrong because LACP (Link Aggregation Control Protocol) is used to bundle multiple physical links into a single logical link for increased bandwidth and redundancy, not for VLAN tagging.

85
MCQ · medium

A network engineer is planning to connect two switches that are 150 meters apart. The link must support at least 1 Gbps and the budget is limited. Which cable type should be used?

A. Cat6a twisted-pair copper
B. Multimode fiber optic
C. Single-mode fiber optic
D. Cat5e twisted-pair copper
Answer: B

Multimode fiber with 1000BASE-SX transceivers supports 1 Gbps up to 550m (depending on fiber grade). This is sufficient for 150m and is cost-effective.

Why this answer

Multimode fiber optic cable supports 1 Gbps over distances up to 550 meters (OM2) or more, easily covering the 150-meter requirement at a lower cost than single-mode fiber. It is the best choice for this distance and budget because twisted-pair copper (Cat5e/Cat6a) is limited to 100 meters for 1 Gbps, and single-mode fiber is more expensive due to laser-based transceivers.

Exam trap

CompTIA often tests the 100-meter distance limit for twisted-pair copper (Cat5e/Cat6a) at 1 Gbps, and candidates mistakenly assume Cat6a can exceed this due to its higher rating, but the standard still caps it at 100 meters for 1 Gbps.

How to eliminate wrong answers

Option A is wrong because Cat6a twisted-pair copper is limited to 100 meters for 1 Gbps (per TIA/EIA-568 standards), so it cannot reach 150 meters. Option C is wrong because single-mode fiber optic can easily cover 150 meters but is overkill and more expensive than multimode for this distance, making it unsuitable for a limited budget. Option D is wrong because Cat5e twisted-pair copper is also limited to 100 meters for 1 Gbps (per IEEE 802.3ab) and cannot support the 150-meter distance.

86
MCQ · hard

A network engineer is deploying a wireless network using 802.11ac. To allow clients to roam between access points without re-authenticating to the authentication server, which IEEE standard should be implemented?

A. 802.1X
B. 802.11r
C. 802.11i
D. 802.11e
Answer: B

802.11r enables fast roaming by using a caching mechanism that allows clients to reassociate quickly without full EAP exchanges.

Why this answer

802.11r, also known as Fast BSS Transition (FT), enables clients to roam between access points using a cached Pairwise Master Key (PMK) without requiring a full 802.1X/EAP re-authentication with the RADIUS server. This reduces roaming latency to under 50 ms, which is critical for voice and video applications.

Exam trap

Cisco often tests the distinction between 802.1X (authentication framework) and 802.11r (fast roaming), leading candidates to mistakenly choose 802.1X because they associate it with 'authentication' without realizing the question specifically asks about avoiding re-authentication during roaming.

How to eliminate wrong answers

Option A is wrong because 802.1X is the port-based authentication framework that handles initial client authentication (e.g., EAP exchange with a RADIUS server), but it does not provide fast roaming mechanisms; without 802.11r, a client must perform a full 802.1X re-authentication at each AP transition. Option C is wrong because 802.11i (WPA2) defines security protocols like CCMP/AES and 4-way handshake key management, but it does not include the fast roaming handshake optimization that 802.11r adds.

87
MCQ · medium

A network engineer needs to connect two switches located 400 meters apart. The cable run includes high electromagnetic interference from nearby machinery. The engineer decides to use fiber optic cabling. Which transceiver type and fiber combination should be used to ensure the link reaches 400 meters while remaining cost-effective?

A. Single-mode fiber with 1000BASE-LX transceivers
B. Multimode fiber with 1000BASE-SX transceivers
C. Multimode fiber with 10GBASE-SR transceivers
D. Single-mode fiber with 1000BASE-EX transceivers
Answer: B

1000BASE-SX over multimode fiber supports distances up to 550 meters, making it suitable and cost-effective for 400m.

Why this answer

Option B is correct because 1000BASE-SX transceivers over multimode fiber (typically OM2 or OM3) can reliably reach 400 meters at 1 Gbps, and this combination is cost-effective for short-to-medium distances. Multimode fiber uses a larger core that is cheaper to terminate and pair with lower-cost VCSEL-based SX optics, making it ideal for runs under 550 meters in environments with high EMI.

Exam trap

Cisco often tests the misconception that single-mode fiber is always superior or necessary for any distance over 100 meters, but the trap here is ignoring the cost-effectiveness requirement and assuming LX is the only option for 400 meters, when SX over multimode is both sufficient and cheaper.

How to eliminate wrong answers

Option A is wrong because single-mode fiber with 1000BASE-LX transceivers can easily reach 400 meters, but it is not the most cost-effective choice for this distance; single-mode optics and fiber are more expensive than multimode alternatives, and LX transceivers are typically used for longer distances (up to 5–10 km). Option C is wrong because 10GBASE-SR transceivers over multimode fiber can also reach 400 meters (especially with OM3/OM4), but the question specifies a cost-effective solution for a 1 Gbps link, and 10GBASE-SR optics and supporting hardware are significantly more expensive than 1000BASE-SX, making it overkill for the required bandwidth.

88
MCQ · medium

A network engineer is designing a subnet for a department that requires exactly 50 usable host addresses. Which subnet mask provides the minimum number of usable host addresses while still accommodating the requirement?

A. /26
B. /27
C. /28
D. /25
Answer: A

A /26 provides 64 total addresses (62 usable), which is the smallest subnet that can accommodate 50 hosts.

Why this answer

A /26 subnet mask (255.255.255.192) provides 2^(32-26) = 64 total addresses, of which 62 are usable (subtracting network and broadcast addresses). This is the smallest subnet that meets the requirement of exactly 50 usable hosts, as /27 yields only 30 usable addresses and /28 yields only 14, while /25 provides 126 usable addresses, which is more than necessary.

Exam trap

CompTIA often tests the confusion between total addresses and usable addresses, where candidates mistakenly think a /27 (32 total addresses) can support 50 hosts, or they forget to subtract the network and broadcast addresses from the total.

How to eliminate wrong answers

Option B (/27) is wrong because it provides only 2^(32-27) = 32 total addresses, yielding 30 usable hosts, which is insufficient for 50 hosts. Option C (/28) is wrong because it provides only 2^(32-28) = 16 total addresses, yielding 14 usable hosts, far below the requirement. Option D (/25) is wrong because it provides 2^(32-25) = 128 total addresses, yielding 126 usable hosts, which exceeds the requirement and is not the minimum subnet that accommodates 50 hosts.

89
MCQ · medium

A company has just installed a new fiber optic connection between two buildings 2 km apart. The connection is using multimode fiber. However, the signal is too weak at the receiving end. What is the most likely cause?

A. Attenuation due to distance
B. Electromagnetic interference
C. Incorrect termination
D. Crosstalk
Answer: A

Multimode fiber has a maximum effective distance that varies by speed but is generally under 1 km for higher data rates. 2 km exceeds that limit, causing significant signal loss (attenuation).

Why this answer

Multimode fiber (MMF) is designed for shorter distances, typically up to 550 meters for 10 Gbps (OM3/OM4) and up to 2 km only for lower speeds like 100 Mbps or 1 Gbps using older OM1/OM2 fiber. At 2 km, the signal attenuation exceeds the power budget of the MMF link, causing a weak signal at the receiver. Single-mode fiber (SMF) would be required for reliable transmission over this distance.

Exam trap

CompTIA often tests the misconception that fiber is immune to all distance limitations, but the trap here is that multimode fiber has strict distance limits due to modal dispersion and higher attenuation, unlike single-mode fiber which can span 2 km easily.

How to eliminate wrong answers

Option B is wrong because electromagnetic interference (EMI) does not affect fiber optic cables, as they transmit light, not electrical signals; fiber is immune to EMI. Option C is wrong because incorrect termination would typically cause a complete loss of signal or high reflectance (e.g., due to poor polishing or misalignment), not a weak but present signal; the symptom described points to distance-related attenuation, not a termination fault.

90
MCQ · hard

A network engineer has configured an IPsec site-to-site VPN between two offices. The tunnel is established and shows as active. However, users at the branch office (10.0.1.0/24) cannot reach servers at the main office (192.168.1.0/24). Both routers have the correct VPN policies and firewall rules permitting IPsec traffic. What should the engineer check next?

A. That the DNS server addresses are correctly configured
B. That the routing tables on both routers include routes to the remote subnet
C. That the MTU size is set to 1500 on both ends
D. That the SSID is correctly configured on the access points
Answer: B

Correct. Without routes for the remote network pointing to the tunnel interface, traffic will not be sent through the VPN.

Why this answer

The tunnel being active means Phase 1 and Phase 2 of IPsec are established, but traffic still cannot flow because the routers lack routes to the remote subnets. Without a route for 10.0.1.0/24 on the main office router (or 192.168.1.0/24 on the branch router), packets will be dropped or sent out the wrong interface, even though the VPN policy and firewall rules are correct. The engineer must verify that static routes or a dynamic routing protocol (e.g., OSPF over the tunnel) are in place to direct traffic into the IPsec tunnel interface.

Exam trap

Cisco often tests the misconception that a 'green light' tunnel status guarantees traffic flow, but candidates forget that routing is a separate layer that must explicitly direct traffic into the tunnel interface.

How to eliminate wrong answers

Option A is wrong because DNS server addresses affect name resolution, not IP-level reachability; if the tunnel is up and routing is correct, users could still reach servers by IP even with misconfigured DNS. Option C is wrong because an MTU mismatch typically causes fragmentation issues or packet loss, not a complete inability to reach the remote subnet; the tunnel is already established, and MTU problems would manifest as intermittent connectivity or performance degradation, not a total black hole.

91
MCQ · medium

A network administrator is configuring a new switch for management access via SSH. Which step must be performed FIRST?

A. Generate RSA key pair.
B. Configure a VTY password.
C. Enable SSH version 2.
D. Configure an IP address on the management VLAN.
Answer: D

Without an IP address, the switch cannot be reached over the network; this is the most fundamental step for remote management.

Why this answer

Before SSH can function, the switch must have an IP address assigned to the management VLAN (typically VLAN 1 or a dedicated management VLAN) so that the switch is reachable over the network. Without this IP configuration, the switch cannot establish the TCP/IP connectivity required for SSH sessions, making it the foundational step that must be performed first.

Exam trap

The trap here is that candidates often assume SSH configuration begins with key generation or version selection, forgetting that the switch must first have an IP address on the management VLAN to be reachable for any remote management protocol.

How to eliminate wrong answers

Option A is wrong because generating an RSA key pair is a prerequisite for SSH encryption, but it cannot be completed until the switch has a hostname and domain name configured (which are not the first step), and more importantly, the switch must be IP-reachable first. Option B is wrong because configuring a VTY password is necessary for remote login, but it is part of the line configuration that occurs after basic network connectivity is established; without an IP address, VTY lines have no transport to listen on. Option C is wrong because enabling SSH version 2 is a security enhancement that requires SSH to already be operational (with RSA keys and IP connectivity), so it cannot be the first step.

92
MCQ · hard

A network engineer needs to connect two switches that are located 450 meters apart. Which combination of fiber optic transceiver and cable type would support the highest data rate over this distance?

A. 10GBASE-SR with multimode fiber
B. 1000BASE-LX with single-mode fiber
C. 10GBASE-LR with single-mode fiber
D. 1000BASE-SX with multimode fiber
Answer: C

10GBASE-LR is a 10 Gbps transceiver designed for single-mode fiber with a reach of up to 10 km, easily covering 450 m at full speed.

Why this answer

10GBASE-LR (Long Reach) supports 10 Gbps over single-mode fiber (SMF) up to 10 km, easily covering the 450-meter distance. Single-mode fiber has a smaller core (9 µm) that minimizes modal dispersion, enabling higher data rates over longer distances compared to multimode fiber. This combination provides the highest data rate (10 Gbps) among the options for the given distance.

Exam trap

The trap here is that candidates assume 10GBASE-SR is sufficient for 450 meters, but the maximum distance for 10GBASE-SR over OM3 MMF is 300 meters, and over OM4 it is 400 meters—both fall short of 450 meters, making 10GBASE-LR the correct choice for the highest data rate.

How to eliminate wrong answers

Option A is wrong because 10GBASE-SR uses multimode fiber (MMF) with a maximum reach of only 300–400 meters (depending on OM3/OM4 grade), which is insufficient for 450 meters. Option B is wrong because 1000BASE-LX is limited to 1 Gbps, which is a lower data rate than 10 Gbps, even though it can use single-mode fiber for longer distances. Option D is wrong because 1000BASE-SX operates at 1 Gbps over multimode fiber with a maximum distance of 220–550 meters (depending on fiber type), but it offers a lower data rate than 10 Gbps.

93
Drag & Drop · medium

Drag and drop the steps in the DHCP lease process (DORA) into the correct order.

Why this order

DORA stands for Discover, Offer, Request, Acknowledge.

94
MCQ · medium

A network engineer is implementing OSPF on a router. All directly connected neighbors are listed with state FULL, but routes from another area are not appearing in the routing table. Which of the following is the most likely cause?

A. The router is not configured with a router ID
B. The router has an ACL blocking inbound OSPF updates
C. The router is configured as an ABR but does not have a virtual-link configured
D. The link-state database is corrupted
Answer: B

An ACL that blocks OSPF protocol traffic (e.g., IP protocol 89) can prevent Type 3 LSAs from being received, causing inter-area routes to be missing while local adjacencies remain.

Why this answer

Option B is correct because an ACL applied to the OSPF process or interface can filter inbound Type 3 LSAs (summary LSAs) from other areas. Even though neighbor adjacencies reach FULL state, the router will not install those inter-area routes into the routing table if the ACL blocks the LSA updates. This explains why directly connected neighbors are fine but routes from another area are missing.

Exam trap

Cisco often tests the misconception that FULL neighbor state guarantees all routes are learned, when in fact ACLs or distribute-lists can filter LSAs without affecting the neighbor relationship.

How to eliminate wrong answers

Option A is wrong because a router ID is required for OSPF to form adjacencies; since neighbors are already in FULL state, a router ID must be present (either configured or automatically selected). Option C is wrong because an ABR does not need a virtual-link to receive routes from another area; virtual-links are only used to connect a non-backbone area to the backbone through a transit area when the backbone is partitioned, not for normal inter-area route propagation.

95
MCQ · hard

A network administrator is configuring dynamic routing between two routers in the same organization. The routers must support VLSM, converge quickly, and use a metric that is based on bandwidth and delay. Which routing protocol should be configured?

A. RIP
B. OSPF
C. EIGRP
D. BGP
Answer: C

EIGRP is a Cisco proprietary protocol that supports VLSM, converges quickly, and uses bandwidth and delay as the default metric components.

Why this answer

C is correct because EIGRP is a Cisco-proprietary hybrid routing protocol that supports Variable-Length Subnet Masking (VLSM), converges rapidly using the Diffusing Update Algorithm (DUAL), and uses a composite metric that by default includes bandwidth and delay. This makes it ideal for the scenario where both VLSM support and fast convergence are required with a metric based on bandwidth and delay.

Exam trap

The trap here is that candidates often choose OSPF because it is a widely used link-state protocol that supports VLSM and converges quickly, but they overlook the specific requirement for a metric based on both bandwidth and delay, which is unique to EIGRP's default composite metric.

How to eliminate wrong answers

Option A is wrong because RIP (Routing Information Protocol) uses hop count as its metric, not bandwidth and delay, and it does not support VLSM in RIPv1 (RIPv2 does support VLSM but still uses hop count). Option B is wrong because OSPF (Open Shortest Path First) uses cost as its metric, which is typically derived from bandwidth but does not include delay by default, and while it supports VLSM and converges quickly, it does not use a metric based on both bandwidth and delay as specified.

96
MCQ · medium

An organization wants to deploy Wi-Fi in a large, open office space. They need high throughput and the ability to support many simultaneous clients, but they are budget-constrained. Which IEEE wireless standard should they choose?

A. 802.11ac (Wi-Fi 5)
B. 802.11ax (Wi-Fi 6)
C. 802.11n (Wi-Fi 4)
D. 802.11b (Wi-Fi 1)
Answer: B

802.11ax is optimized for dense client environments with improved capacity and throughput, making it the best choice despite budget constraints.

Why this answer

802.11ax (Wi-Fi 6) is the correct choice because it introduces Orthogonal Frequency Division Multiple Access (OFDMA) and MU-MIMO (both uplink and downlink), which significantly improve throughput and capacity in dense environments. It also operates in both 2.4 GHz and 5 GHz bands, providing backward compatibility and better spectrum utilization, all while maintaining cost-effectiveness for large-scale deployments.

Exam trap

CompTIA often tests the misconception that 802.11ac is sufficient for high-density environments, but the trap is that 802.11ac lacks OFDMA and uplink MU-MIMO, which are critical for efficiently handling many simultaneous clients in a budget-constrained deployment.

How to eliminate wrong answers

Option A is wrong because 802.11ac (Wi-Fi 5) operates only in the 5 GHz band and relies solely on OFDM, lacking OFDMA and uplink MU-MIMO, which limits its ability to efficiently handle many simultaneous clients in a dense open office. Option C is wrong because 802.11n (Wi-Fi 4) uses only OFDM and supports only up to 4 spatial streams with a maximum theoretical data rate of 600 Mbps, which is insufficient for high throughput and high client density in a modern large office. Option D is wrong because 802.11b (Wi-Fi 1) is an outdated standard with a maximum data rate of 11 Mbps and uses DSSS, making it completely unsuitable for high throughput or supporting many simultaneous clients.

97
MCQ · medium

A network administrator needs to power IP phones and wireless access points through the Ethernet cable. Which standard should be supported?

A. 802.3af
B. 802.11ac
C. 802.1X
D. 802.3ab
Answer: A

802.3af is the IEEE standard for Power over Ethernet, providing up to 15.4W to powered devices.

Why this answer

The 802.3af standard, also known as Power over Ethernet (PoE), delivers up to 15.4 watts of DC power over twisted-pair Ethernet cabling. This allows devices like IP phones and wireless access points to receive both data and power through a single Ethernet cable, eliminating the need for separate power supplies.

Exam trap

The trap here is confusing the 802.3 family of wired Ethernet standards (which includes PoE) with the 802.11 family of wireless standards (like 802.11ac), leading candidates to mistakenly select a Wi-Fi standard for a power-over-cable requirement.

How to eliminate wrong answers

Option B (802.11ac) is wrong because it is a wireless networking standard that defines Wi-Fi speeds and frequencies (5 GHz band), not a method for delivering power over Ethernet cables. Option C (802.1X) is wrong because it is a port-based network access control protocol used for authentication (e.g., with RADIUS servers), not a power delivery standard.

98
Drag & Drop · medium

Drag and drop the steps for the TCP three-way handshake into the correct order.

Why this order

The TCP three-way handshake establishes a connection: SYN, SYN-ACK, ACK.

99
MCQ · medium

A network engineer is configuring a trunk link between two switches to carry VLANs 10, 20, and 30. On Switch A, the port is configured with 'switchport mode trunk' and 'switchport nonegotiate'. On Switch B, the port is left at the default configuration. Which additional configuration is required on Switch B?

A. Set the native VLAN to 1.
B. Enable DTP on Switch B.
C. Manually set the port to trunk mode.
D. Configure the allowed VLAN list.
Answer: C

Since Switch A is set to 'nonegotiate', Switch B must be manually configured as a trunk port (e.g., 'switchport mode trunk') to establish the trunk link.

Why this answer

Switch B is left at default configuration, which on most Cisco switches means the port is in dynamic desirable or dynamic auto mode, relying on DTP to negotiate trunking. Since Switch A has 'switchport nonegotiate' configured, it will not send DTP frames, so Switch B will never receive a negotiation trigger and will remain in access mode. Therefore, the port on Switch B must be manually set to trunk mode with 'switchport mode trunk' to establish the trunk link.

Exam trap

CompTIA often tests the misconception that DTP is always required or that 'switchport nonegotiate' only affects DTP on the local switch, when in fact it prevents the remote switch from ever learning that trunking is desired, forcing a manual configuration on the remote end.

How to eliminate wrong answers

Option A is wrong because setting the native VLAN to 1 is the default behavior and does not enable trunking; the issue is that Switch B is not in trunk mode at all. Option B is wrong because enabling DTP on Switch B would not help, as Switch A has 'switchport nonegotiate' which disables DTP frame transmission, so no negotiation can occur. Option D is wrong because configuring the allowed VLAN list is only relevant after the port is already in trunk mode; the primary missing configuration is the trunk mode itself.

100
MCQ · medium

A network engineer is configuring a Link Aggregation Group (LAG) between two switches. Switch A is set to LACP active mode. Which mode should be configured on Switch B to form the LAG?

A. Passive
B. On
C. Static
D. Auto
Answer: A

LACP passive mode will respond to negotiation requests from the active peer, forming the LAG. This is the correct complementary mode.

Why this answer

LACP active mode initiates negotiation by sending LACP packets, while passive mode responds to those packets without initiating. Since Switch A is set to active, Switch B must be in passive mode to successfully form a Link Aggregation Group (LAG). This combination allows the two switches to exchange LACP frames and agree on the aggregation parameters.

Exam trap

Cisco often tests the distinction between LACP modes (active/passive) and PAgP modes (desirable/auto), leading candidates to mistakenly choose 'Auto' (a PAgP mode) for LACP questions.

How to eliminate wrong answers

Option B (On) is wrong because 'On' refers to static LAG configuration without LACP, which does not use LACP negotiation and cannot interoperate with LACP active mode. Option C (Static) is wrong because it is not a valid LACP mode; static LAGs are configured without LACP and require both sides to be set to 'On'. Option D (Auto) is wrong because 'Auto' is a Cisco proprietary mode for PAgP (Port Aggregation Protocol), not LACP, and would not form a LAG with LACP active mode.

101
MCQ · easy

A network administrator is configuring a new switch in a production environment. The switch must be managed remotely. Which of the following should be configured on the switch's management interface?

A. Default gateway
B. Spanning tree priority
C. VLAN 1 membership
D. Port security
Answer: A

The default gateway allows the management interface to communicate with devices outside its own subnet, which is essential for remote management from another network.

Why this answer

The default gateway is required for remote management because the management interface (often a virtual interface like VLAN 1 or a dedicated management VLAN) needs a route to reach devices on different subnets. Without a default gateway, the switch can only be accessed from hosts within the same subnet, making remote management impossible across routed networks.

Exam trap

The trap here is that candidates often think VLAN 1 membership (Option C) is sufficient for remote management, forgetting that the switch needs a default gateway to route management traffic beyond its local subnet.

How to eliminate wrong answers

Option B is wrong because spanning tree priority is a STP (802.1D) parameter that influences root bridge election and loop prevention, not remote management connectivity. Option C is wrong because VLAN 1 membership is typically the default for the management interface, but it does not provide IP routing; the switch still needs a default gateway to reach remote management hosts. Option D is wrong because port security is a Layer 2 feature that restricts MAC addresses on access ports to prevent unauthorized devices, and it has no role in enabling remote management.

102
MCQ · medium

A network administrator is installing cable in a plenum space (an area used for air circulation, such as above a drop ceiling). Which cable type is required by most building codes for such an installation?

A. PVC-jacketed cable
B. Riser-rated cable
C. Plenum-rated cable
D. Low Smoke Zero Halogen (LSZH) cable
Answer: C

Plenum-rated cables are specifically manufactured with low-smoke, fire-retardant materials to meet building codes for installation in air-handling spaces.

Why this answer

Plenum-rated cable is required by most building codes (e.g., NFPA 70, National Electrical Code) for installation in plenum spaces because it is constructed with fire-retardant materials, such as FEP or PFA, that produce minimal smoke and are self-extinguishing. This prevents toxic fumes and flames from spreading through air-handling areas, ensuring safety in case of a fire. Standard PVC-jacketed cable would release hazardous smoke and support flame propagation, making it illegal in plenum spaces.

Exam trap

The trap here is that candidates often confuse 'plenum-rated' with 'riser-rated' or 'LSZH', assuming any low-smoke cable suffices, but the exam specifically tests that only CMP meets the fire and smoke spread requirements for plenum spaces as defined by the NEC.

How to eliminate wrong answers

Option A is wrong because PVC-jacketed cable is not fire-retardant; it emits dense, toxic smoke and can propagate flames, making it unsafe and prohibited in plenum spaces by building codes. Option B is wrong because riser-rated cable (CMR) is designed for vertical runs between floors, not for air-handling spaces; it lacks the low-smoke, self-extinguishing properties required for plenum environments. Option D is wrong because LSZH cable, while low-smoke and halogen-free, is not specifically fire-retardant or self-extinguishing to the degree required by plenum codes; it is often used in confined spaces like trains or tunnels, but plenum-rated cable (CMP) is the specific standard mandated for air-handling spaces.

103
MCQ · medium

A network administrator is configuring Quality of Service (QoS) on a router to prioritize voice traffic. Which of the following fields should be used to mark packets for classification and prioritization?

A. Source IP address
B. DSCP
C. Source port number
D. MAC address
Answer: B

DSCP is a 6-bit field in the IP header used for packet classification and prioritization in QoS. It allows consistent priority handling across the network.

Why this answer

DSCP (Differentiated Services Code Point) is the correct field because it is a 6-bit value in the IP header used to mark packets for QoS classification and prioritization, as defined in RFC 2474. Voice traffic typically uses DSCP EF (Expedited Forwarding, value 46) to ensure low latency and jitter, making it the standard choice for QoS marking on routers.

Exam trap

The trap here is that candidates confuse classification (using source IP, port, or MAC to identify traffic) with marking (setting a QoS field like DSCP or CoS), leading them to choose a valid classification method instead of the actual marking field required by the question.

How to eliminate wrong answers

Option A is wrong because the source IP address identifies the sender but does not provide a standardized QoS marking field; it can be used for classification via ACLs but not for packet marking. Option C is wrong because the source port number can identify voice traffic (e.g., UDP port 5060 for SIP) but is not a field within the packet header used for QoS marking; it is used for classification, not for setting a priority value. Option D is wrong because the MAC address is a Layer 2 identifier and is not used for QoS marking in IP networks; while CoS (Class of Service) can mark frames at Layer 2, the question specifies a router and IP-based marking, where DSCP is the appropriate field.

104
MCQ · easy

A network technician needs to connect two switches to support multiple VLANs between them. The technician wants to use a single link to carry traffic for all VLANs. Which protocol should be used to tag frames with VLAN information?

A. 802.1Q
B. 802.1X
C. 802.11
D. 802.3
Answer: A

802.1Q is the standard for VLAN tagging on trunk links.

Why this answer

802.1Q is the IEEE standard for VLAN tagging, which inserts a 4-byte tag into the Ethernet frame header to identify the VLAN membership of the frame. This allows a single trunk link between two switches to carry traffic for multiple VLANs by tagging each frame with its corresponding VLAN ID (1-4094).

Exam trap

The trap here is that candidates often confuse 802.1Q (VLAN tagging) with 802.1X (port authentication) because of the similar numbering, or they assume 802.3 handles VLANs since it is the base Ethernet standard.

How to eliminate wrong answers

Option B (802.1X) is wrong because it is a port-based Network Access Control (NAC) protocol used for authentication, not for VLAN tagging. Option C (802.11) is wrong because it is a set of standards for wireless LANs (Wi-Fi), not for tagging frames on wired Ethernet trunk links. Option D (802.3) is wrong because it defines the physical and data-link layer specifications for Ethernet (e.g., frame format, cabling), but does not include VLAN tagging functionality.
