CCNA Advanced Networking Configuration Questions

75 of 91 questions · Page 1/2 · Advanced Networking Configuration · Answers revealed

1
MCQmedium

An administrator needs to configure a wireless interface wlan0 with WPA2-PSK authentication and a static IP address 192.168.2.50/24. Which tool should be used to configure the wireless settings?

A.NetworkManager with nmcli
B.wpa_supplicant with a configuration file containing the PSK
C.iwconfig with key s:password
D.ifconfig wlan0 up and route add default gw 192.168.2.1
AnswerB

wpa_supplicant handles WPA2 authentication.

Why this answer

WPA2-PSK authentication requires the wpa_supplicant daemon, which handles the 4-way handshake and key derivation. A configuration file with the PSK (pre-shared key) is the standard method to define the network SSID and passphrase, allowing wpa_supplicant to manage the wireless association securely.

Exam trap

The trap here is that candidates confuse iwconfig's key parameter (which only works for WEP) with WPA2-PSK, or assume a higher-level tool like nmcli is the direct configuration tool, when the exam expects the low-level WPA2-PSK daemon wpa_supplicant.

How to eliminate wrong answers

Option A is wrong because NetworkManager with nmcli is a higher-level tool that often relies on wpa_supplicant underneath, but the question asks for the tool to configure wireless settings directly; nmcli is not the primary tool for raw WPA2-PSK configuration. Option C is wrong because iwconfig with key s:password only supports WEP encryption (open or shared key), not WPA2-PSK, and cannot handle the 4-way handshake or PSK derivation. Option D is wrong because ifconfig and route only manage IP addressing and routing, not wireless authentication or encryption; they cannot configure WPA2-PSK at all.

2
Multi-Selecthard

Which THREE actions are typically required to configure a VLAN interface on a Linux system?

Select 3 answers
A.Create the VLAN interface using ip link.
B.Add the physical interface to a bridge.
C.Load the 802.1q kernel module.
D.Configure iptables rules for the VLAN.
E.Assign an IP address to the VLAN interface.
AnswersA, C, E

The VLAN interface is created with a command like 'ip link add link eth0 name eth0.10 type vlan id 10'.

Why this answer

Option A is correct because the `ip link` command is used to create a VLAN interface by specifying the parent physical interface and the VLAN ID (e.g., `ip link add link eth0 name eth0.10 type vlan id 10`). This creates a virtual network interface that tags outgoing frames with the specified 802.1Q VLAN ID and strips tags from incoming frames.

Exam trap

The trap here is that candidates often think VLAN configuration requires bridging or iptables rules, but the core steps are simply loading the 8021q module, creating the VLAN interface with `ip link`, and assigning an IP address.

3
MCQmedium

An administrator wants to allow SSH access from the internal network (192.168.1.0/24) only, using nftables. Which rule should be added to the filter table input chain?

A.tcp dport 22 accept #from 192.168.1.0/24
B.tcp dport 22 accept; ip saddr 192.168.1.0/22 accept
C.iif lo accept; tcp dport 22 ip saddr 192.168.1.0/24 accept
D.tcp dport 22 ip saddr != 192.168.1.0/24 drop
AnswerC

Accepts loopback traffic and SSH from the specified subnet.

Why this answer

Option C is correct because it first accepts loopback traffic (iif lo accept) to avoid breaking local services, then uses a combined match: tcp dport 22 ip saddr 192.168.1.0/24 accept. This ensures only SSH packets from the 192.168.1.0/24 subnet are accepted, while all other SSH attempts are implicitly dropped by the default policy (typically drop) of the input chain. The rule syntax follows nftables' concise, single-line format without semicolons or comments.

Exam trap

The trap here is that candidates may confuse nftables syntax with iptables or think that a comment or semicolon can be used to add conditions, when in fact nftables requires explicit, comma-separated matches within a single rule statement.

How to eliminate wrong answers

Option A is wrong because it uses a comment (#from 192.168.1.0/24) which is not a valid nftables match condition; nftables does not parse comments as rules, so this rule would accept SSH from any source. Option B is wrong because it uses a semicolon to separate two accept actions, which is invalid nftables syntax; nftables rules are single statements, and the second 'accept' would cause a syntax error or be ignored. Option D is wrong because it uses '!=' to drop SSH from outside 192.168.1.0/24, but this would also drop SSH from the loopback interface (127.0.0.1) unless explicitly excluded, and it does not include an accept rule for the allowed subnet, so SSH from 192.168.1.0/24 would be implicitly dropped by the default policy.

4
MCQeasy

The server is unable to communicate with hosts on the 192.168.2.0/24 network. Based on the exhibit, what is the most likely cause?

A.The interface has a duplicate IP address.
B.The hardware address is corrupted.
C.The interface has no default gateway configured.
D.The subnet mask is incorrect.
AnswerC

Without a default gateway, traffic to other subnets cannot be routed.

Why this answer

The exhibit shows the interface has an IP address of 192.168.1.10/24 and a default gateway of 0.0.0.0, meaning no default gateway is configured. Without a default gateway, the host cannot route packets to the 192.168.2.0/24 network because that network is not directly connected (it is on a different subnet), and the host has no route to forward traffic beyond its local link. The `route -n` output would confirm the absence of a gateway entry, which is the most likely cause of the communication failure.

Exam trap

The trap here is that candidates often assume a missing default gateway only affects internet access, but it also prevents communication with any non-local subnet, including private networks like 192.168.2.0/24, leading them to incorrectly suspect subnet mask or IP conflicts.

How to eliminate wrong answers

Option A is wrong because a duplicate IP address would cause intermittent connectivity or address conflict messages (e.g., from ARP), but the exhibit shows no such indication, and the issue is specific to a different subnet, not local communication. Option B is wrong because a corrupted hardware address (MAC) would prevent any Layer 2 communication, including ARP, and the interface would likely show errors or fail to link; the exhibit does not suggest hardware corruption. Option D is wrong because the subnet mask is /24 (255.255.255.0), which correctly defines the local network as 192.168.1.0/24; an incorrect mask would affect local subnet determination, but the problem is with reaching a different subnet (192.168.2.0/24), which requires a gateway, not a mask change.

5
Multi-Selecteasy

An administrator needs to add a static route to the destination network 192.168.100.0/24 via gateway 10.0.0.1. Which TWO of the following commands accomplish this? (Choose two.)

Select 2 answers
A.ip route add 192.168.100.0/24 via 10.0.0.1
B.nmcli connection modify eth0 +ipv4.routes "192.168.100.0/24 10.0.0.1"
C.ifconfig eth0:1 192.168.100.1 netmask 255.255.255.0
D.iptables -A FORWARD -s 192.168.100.0/24 -j ACCEPT
E.route add -net 192.168.100.0/24 gw 10.0.0.1
AnswersA, E

The ip command adds the static route.

Why this answer

Option A is correct because the `ip route add` command is the modern Linux utility for adding static routes, specifying the destination network and gateway via the `via` keyword. Option E is correct because the legacy `route add -net` command also adds a static route, using the `gw` parameter to define the gateway, and both commands achieve the same result of adding a route to 192.168.100.0/24 via 10.0.0.1.

Exam trap

The trap here is that candidates often confuse adding a static route with adding an IP address to an interface (Option C) or with a firewall rule (Option D), and they may overlook that `nmcli` requires an additional activation step to apply the route immediately.

6
Multi-Selectmedium

Which TWO commands can be used to display the routing table on a Linux system?

Select 2 answers
A.route -n
B.ss -r
C.ip link show
D.ip route show
E.netstat -r
AnswersA, D

Displays routing table numerically.

Why this answer

The `route -n` command displays the kernel IP routing table with numeric addresses, avoiding DNS lookups for faster output. It is a traditional tool that directly reads the /proc/net/route file to show destination, gateway, netmask, and interface information. This makes it a valid and commonly used command for viewing the routing table on Linux.

Exam trap

The trap here is that candidates often confuse `ss -r` with a routing command, but `ss` is for socket statistics and `-r` resolves hostnames, not routes; similarly, `ip link show` is mistaken for a routing command when it only shows link-layer interfaces.

7
MCQhard

Traffic from the 10.1.1.0/24 subnet is seen leaving through eth1 as intended, but reply traffic from the internet never comes back. What is the most likely cause?

A.The kernel parameter net.ipv4.conf.all.rp_filter is set to 1.
B.The ip rule priority is not set, causing it to be overridden.
C.The default route in table 200 points to 172.16.0.1 which does not have a route back to 10.1.1.0/24.
D.The router does not have a route back to 10.1.1.0/24 via eth0.
AnswerA

Strict reverse path filtering drops packets arriving on an interface that would not be used to reach the source, which commonly happens in asymmetric routing scenarios.

Why this answer

When `net.ipv4.conf.all.rp_filter` is set to 1, the kernel performs strict reverse path filtering. This means the kernel checks whether the source address of incoming packets can be reached via the interface they arrived on. If reply traffic from the internet arrives on an interface (e.g., eth0) that does not have a route back to the original source subnet (10.1.1.0/24) through that same interface, the kernel drops the packet.

This is the most likely cause because the outbound traffic leaves via eth1, but the reply comes back on a different interface, triggering the rp_filter check and causing the reply to be silently discarded.

Exam trap

The trap here is that candidates often assume the issue is a missing return route or a routing table misconfiguration, but the real culprit is the kernel's reverse path filtering, which silently drops packets that arrive on an interface that is not the best path back to the source.

How to eliminate wrong answers

Option B is wrong because ip rule priority is only relevant when multiple routing policies exist; if no other rules conflict, the rule will still be applied regardless of priority, and a missing priority does not cause traffic to be dropped. Option C is wrong because the default route in table 200 pointing to 172.16.0.1 is used for outbound traffic; if the router has a route back to 10.1.1.0/24 via eth0, the reply traffic would still reach the router, but the rp_filter drop would occur before the route is consulted. Option D is wrong because the router does not need a route back to 10.1.1.0/24 via eth0; the reply traffic is destined to 10.1.1.x, and the router only needs a route to forward that traffic back to the internal network, which is typically a directly connected subnet or a static route via the internal interface (e.g., eth1), not eth0.

8
MCQmedium

A Linux server with two NICs bonded in mode 1 (active-backup) was working correctly until a switch was replaced. Now, although both interfaces are up, the bond always shows only one active slave, and if that slave fails, traffic does not fail over. The bonding configuration uses miimon=100 and neither arp_interval nor arp_ip_target is set. You run 'cat /proc/net/bonding/bond0' and see that the MII status of both slaves is 'up' but the link failures count is 0 for the backup slave. What is the most likely cause, and which parameter should be adjusted?

A.Change bonding mode to mode 4 (802.3ad) with LACP.
B.Use ifenslave to manually reassign the backup slave.
C.Decrease miimon to 50 for faster detection.
D.Configure arp_interval and arp_ip_target to enable ARP monitoring.
AnswerD

ARP monitoring can detect reachability of a gateway, catching switch-level issues.

Why this answer

Option D is correct because without ARP monitoring (arp_interval and arp_ip_target), the bond relies solely on MII status to detect link failures. MII monitoring only detects physical link loss at the NIC level, not upstream switch failures or misconfigurations. In this scenario, the switch replacement likely caused a layer-2 or layer-3 issue that does not bring the NIC link down, so MII reports 'up' but traffic cannot pass.

Enabling ARP monitoring forces the bond to verify reachability of a target IP, triggering failover when ARP replies are lost.

Exam trap

The trap here is that candidates assume MII monitoring is sufficient for all failover scenarios, overlooking that MII only detects physical link loss, not upstream network failures that leave the NIC link up but break connectivity.

How to eliminate wrong answers

Option A is wrong because mode 4 (802.3ad) requires LACP support on the switch and both sides to negotiate a LAG; it does not solve a failover detection problem caused by a switch replacement that leaves MII status up. Option B is wrong because manually reassigning the backup slave with ifenslave does not address the root cause—the bond's failure detection mechanism is inadequate, and manual intervention would not provide automatic failover. Option C is wrong because decreasing miimon to 50 would only speed up MII polling, but since MII already reports 'up' and link failures count is 0, faster polling cannot detect the upstream failure that prevents traffic from passing.

9
MCQmedium

A small office network uses a Linux server running dnsmasq to provide DHCP and DNS services. The server runs Ubuntu with dnsmasq version 2.80. The configuration file /etc/dnsmasq.conf includes: 'interface=eth0', 'dhcp-range=192.168.1.100,192.168.1.200,12h', and no other DNS-related options. Clients receive IP addresses from the DHCP server and can access the internet. However, clients cannot ping other clients by hostname (e.g., 'ping workstation1' fails with NXDOMAIN). The dnsmasq logs show that DHCP requests are handled and the client hostnames are recorded. The administrator verifies that /etc/hosts contains only the localhost entry. Which of the following is the most likely cause?

A.The dnsmasq 'local' directive is not configured to treat local hostnames as authoritative.
B.The dnsmasq 'expand-hosts' option is not enabled.
C.The dnsmasq 'domain-needed' option is set, blocking local domain resolution.
D.The dnsmasq 'no-hosts' option is configured, ignoring /etc/hosts.
AnswerA

Without a local domain definition, dnsmasq forwards single-label queries upstream.

Why this answer

The correct answer is A because without the 'local' directive (or equivalent '--local' / 'localise-queries'), dnsmasq does not treat hostnames from DHCP leases as authoritative for DNS resolution. By default, dnsmasq only answers queries for names it knows from /etc/hosts or from upstream DNS, but it does not automatically resolve DHCP client hostnames unless explicitly told to do so via 'local' or 'domain' settings. Since the logs show hostnames are recorded but NXDOMAIN is returned, the missing 'local' directive is the most likely cause.

Exam trap

The trap here is that candidates often assume DHCP hostnames are automatically resolvable via DNS, but dnsmasq requires explicit configuration (like 'local' or 'domain') to enable this, and they may incorrectly attribute the issue to 'expand-hosts' or 'domain-needed' instead.

How to eliminate wrong answers

Option B is wrong because 'expand-hosts' only adds the domain suffix to hostnames listed in /etc/hosts, not to DHCP lease hostnames; it does not enable resolution of DHCP client hostnames. Option C is wrong because 'domain-needed' prevents forwarding queries for unqualified names (without a dot) to upstream DNS servers, but it does not block local resolution; in fact, it would cause dnsmasq to return NXDOMAIN for single-label names only if no local data exists, which is the symptom but the root cause is the missing 'local' directive. Option D is wrong because 'no-hosts' ignores /etc/hosts entirely, but the problem is about DHCP lease hostnames, not /etc/hosts entries; even if /etc/hosts were ignored, DHCP hostnames would still be unresolved without 'local'.

10
MCQmedium

A company's Linux router uses iptables. The administrator needs to log all dropped packets (by default policy) before they are dropped. Where should the LOG rule be placed?

A.In the FORWARD chain with target LOG
B.In the INPUT chain before the drop rule
C.In a custom chain called LOGDROP and jump to it
D.In the FORWARD chain with -j LOG --log-prefix 'DROPPED' and then -j DROP
AnswerD

Logs and then explicitly drops packets that reached end of chain, emulating default policy for logging.

Why this answer

Option D is correct because the LOG rule must be placed in the FORWARD chain before the DROP action to log packets that are dropped by the default policy. In iptables, the LOG target does not terminate the rule; it logs the packet and then continues to the next rule. By placing `-j LOG --log-prefix 'DROPPED'` followed by `-j DROP`, the packet is logged before being explicitly dropped, ensuring that packets matching the default policy (which drops at the end of the chain) are captured in the log.

The FORWARD chain is the correct chain for a router handling traffic that is not destined for the router itself.

Exam trap

The trap here is that candidates often think the LOG rule must be placed in the INPUT chain (for incoming traffic) or that a custom chain is required, but the correct placement is in the FORWARD chain with an explicit DROP action after the LOG to ensure logging before the default policy drop.

How to eliminate wrong answers

Option A is wrong because placing the LOG rule in the FORWARD chain with only target LOG (without a subsequent DROP) would log the packet but then continue processing; if the default policy is DROP, the packet would still be dropped at the end of the chain, but the LOG rule would not be reached if the packet is matched by an earlier rule that drops it. Option B is wrong because the INPUT chain handles traffic destined for the router itself, not forwarded traffic; dropped packets in a router scenario occur in the FORWARD chain, so logging in INPUT would miss the relevant packets. Option C is wrong because while a custom chain can be used for logging and dropping, the question specifies that the administrator needs to log all dropped packets by the default policy; jumping to a custom chain would only log packets that match a specific rule, not those dropped by the default policy at the end of the chain.

11
Multi-Selecthard

Which TWO network diagnostic steps should be performed to isolate a problem where a Linux server (IP 10.0.0.10/24) cannot reach a remote server (IP 192.168.1.50/24) while other hosts on the same subnet can reach it? Assume routing is properly configured.

Select 2 answers
A.Check the routing table on the remote server.
B.Ping the remote server from another host on the same subnet to verify connectivity.
C.Traceroute to the remote server from the affected server.
D.Check iptables rules for any OUTPUT chain that might be dropping packets.
E.Verify the ARP cache on the server for the default gateway.
AnswersD, E

Local firewall rules can block outbound traffic even if routing is correct.

Why this answer

Option D is correct because if the affected server can reach the remote server via other hosts on the same subnet, the issue is likely local to the affected server itself. Checking iptables rules on the OUTPUT chain can reveal whether a firewall rule is specifically dropping outbound packets destined for 192.168.1.50, which would not affect other hosts on the same subnet. This is a common cause of asymmetric connectivity problems where routing is otherwise properly configured.

Exam trap

The trap here is that candidates often assume a routing issue (Option A or C) when the problem is actually a local firewall or ARP issue, because the symptom 'cannot reach' is frequently misattributed to routing rather than to host-specific packet filtering or layer-2 resolution failures.

12
MCQhard

A medium-sized company uses a Linux server as its internet gateway. The server runs Ubuntu 20.04 and has two network interfaces: eth0 (IP 192.168.1.1/24) connected to the internal LAN, and eth1 (DHCP client, obtains IP 203.0.113.10/24, gateway 203.0.113.1) connected to the ISP modem. The server uses iptables for NAT with the rule 'iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE'. IP forwarding is enabled (net.ipv4.ip_forward=1). Firewalld is running with the default zone set to 'public'. For the past week, internal clients on 192.168.1.0/24 have reported intermittent connectivity to external websites. The administrator notices that during the failures, packets sent to external websites leave the internal network (tcpdump on eth1 shows SYN), but the response SYN-ACK never reaches the client. The administrator checks that the iptables FORWARD chain has a default policy of ACCEPT and no restrictive rules. Which of the following is the most likely cause?

A.The server's routing table is missing a route back to the internal network.
B.The MASQUERADE rule is missing the source network specification.
C.The firewall is dropping incoming packets on eth1 due to default zone settings.
D.The default gateway on the internal clients is not set to the Linux server's internal IP.
AnswerC

Firewalld's public zone drops incoming SYN-ACK packets.

Why this answer

Firewalld, when running with the default zone set to 'public', applies a default 'reject' or 'drop' policy for incoming traffic on interfaces assigned to that zone. Since eth1 (the external interface) is likely assigned to the public zone, incoming SYN-ACK packets (which are part of established connections) are dropped by firewalld before they can be processed by iptables. This explains why tcpdump on eth1 shows outgoing SYN packets but no incoming SYN-ACK, even though iptables FORWARD chain is permissive.

Exam trap

The trap here is that candidates often focus on iptables rules and forget that firewalld, when running, can override iptables policies, especially with its default zone settings that drop incoming packets on external interfaces.

How to eliminate wrong answers

Option A is wrong because the server's routing table already has a route to the internal network (192.168.1.0/24) via eth0, and the default gateway is correctly set on eth1; missing a route back would cause all traffic to fail, not just intermittent failures. Option B is wrong because the MASQUERADE rule without a source specification works correctly for all outgoing traffic on eth1, as it dynamically masquerades any source IP; adding a source network specification is optional and not required for basic NAT functionality. Option D is wrong because if internal clients had the wrong default gateway, they would never be able to send packets to external websites at all, and the administrator confirms that SYN packets do leave eth1, indicating the clients' gateway is correctly set to 192.168.1.1.

13
MCQmedium

A DHCP server running on a Linux machine is not leasing IP addresses to clients on a particular VLAN. The server's configuration file includes a subnet declaration for that VLAN, but clients receive only link-local addresses. What is the most likely issue?

A.The DHCP server is not running.
B.The DHCP relay agent is not forwarding requests to the server.
C.The DHCP server's interface is not in the same broadcast domain.
D.The subnet mask in the DHCP configuration is incorrect.
AnswerC

DHCP uses broadcast, so the server must be on the same L2 segment or a relay must be present to forward requests.

Why this answer

Option C is correct because the DHCP server's interface must be in the same broadcast domain (i.e., the same VLAN) as the clients to receive their DHCPDISCOVER broadcasts directly. If the server is on a different subnet or VLAN without a DHCP relay agent, the broadcast frames never reach the server, so clients receive no DHCPOFFER and fall back to link-local addresses (APIPA).

Exam trap

The trap here is that candidates often assume a DHCP relay agent is always required for cross-subnet operation, but the question's phrasing about a 'particular VLAN' and 'link-local addresses' points to the fundamental broadcast domain boundary, not a relay failure.

How to eliminate wrong answers

Option A is wrong because if the DHCP server were not running, the server would not respond to any DHCP requests, but the question states the server's configuration includes a subnet declaration for that VLAN, implying it is operational; moreover, clients would still not get leases even if the server were running but isolated from the VLAN. Option B is wrong because a DHCP relay agent is only needed when the server is on a different subnet; the question does not indicate a relay agent is configured or that the server is on a different subnet—the core issue is that the server's interface is not in the same broadcast domain, not that forwarding is failing. Option D is wrong because an incorrect subnet mask in the DHCP configuration would cause clients to receive an IP address but with an invalid subnet, not prevent them from receiving any lease at all; clients would still get a DHCPOFFER and DHCPACK, but the assigned address might be unreachable.

14
MCQhard

A host on 192.168.2.100 tries to SSH to the firewall's IP address (192.168.1.1). The firewall's input chain policy is drop. Will the SSH connection be allowed?

A.No, because the input chain drops all packets that don't match rules.
B.No, because SSH to firewall is considered forwarded traffic.
C.Yes, because the forward chain accepts SSH.
D.Yes, because there is a rule accepting SSH from 192.168.2.0/24.
AnswerD

The rule explicitly allows SSH from that subnet.

Why this answer

Option D is correct because the firewall's input chain policy is set to drop, but a specific rule exists that accepts SSH traffic from the 192.168.2.0/24 subnet. Since the source IP 192.168.2.100 falls within that subnet, the SSH connection to the firewall's own IP (192.168.1.1) is allowed by that rule before the default drop policy is applied. The input chain processes traffic destined for the firewall itself, so the rule directly permits this inbound SSH session.

Exam trap

The trap here is that candidates confuse the input chain (for traffic to the firewall) with the forward chain (for traffic through the firewall), and incorrectly assume that a drop policy on the input chain blocks all traffic regardless of existing rules, ignoring rule precedence over the default policy.

How to eliminate wrong answers

Option A is wrong because while the input chain policy is drop, a specific rule accepting SSH from 192.168.2.0/24 overrides the default policy for matching packets; the drop policy only applies to packets that do not match any rule. Option B is wrong because SSH to the firewall's own IP address is traffic destined for the firewall itself, not forwarded traffic; forwarded traffic would be destined for another host behind the firewall, which is handled by the forward chain. Option C is wrong because the forward chain handles traffic passing through the firewall (not destined for it), and even if it accepted SSH, it would not apply to traffic targeting the firewall's own IP; the input chain must permit the connection.

15
MCQeasy

A packet destined to 192.168.1.100 is sent from this router. Which interface will be used to forward it?

A.eth0
B.lo
C.eth1
D.The packet will be dropped
AnswerA

The route to 192.168.1.0/24 uses eth0.

Why this answer

The router uses the routing table to determine the next hop for a packet destined to 192.168.1.100. Assuming a directly connected subnet (e.g., 192.168.1.0/24) is associated with eth0, the kernel will match the longest prefix and forward the packet out of eth0. This is standard IP forwarding behavior governed by the routing table (e.g., 'ip route show').

Exam trap

The trap here is that candidates often assume the router will use the interface with the same IP subnet as the destination, but they forget to verify that the routing table actually contains a directly connected route for that subnet; without a matching route, the packet would be dropped or forwarded via a default route.

How to eliminate wrong answers

Option B is wrong because the loopback interface (lo) is used only for traffic destined to the router itself (127.0.0.0/8), not for forwarding packets to remote hosts. Option C is wrong because eth1 would only be used if the routing table had a route pointing to 192.168.1.0/24 via eth1; without such a route, the interface is irrelevant. Option D is wrong because the packet will not be dropped if a valid route exists; dropping occurs only when no route matches (e.g., 'unreachable' or 'blackhole' route), which is not indicated here.

16
Multi-Selecteasy

Which TWO of the following tools are used to capture and analyze network packets on a Linux system?

Select 2 answers
A.tcpdump
B.wireshark (tshark)
C.iptables
D.netstat
E.nmap
AnswersA, B

tcpdump is a command-line packet capture tool.

Why this answer

tcpdump is a command-line packet analyzer that captures raw network packets from the wire by placing the network interface into promiscuous mode and using libpcap to read packets. It allows filtering based on protocols, ports, and hosts using BPF (Berkeley Packet Filter) syntax, making it a fundamental tool for network troubleshooting and security analysis.

Exam trap

The trap here is that candidates often confuse tools that manipulate packets (like iptables) or scan networks (like nmap) with tools that passively capture and decode packet contents, leading them to select iptables or nmap instead of recognizing that only tcpdump and tshark perform raw packet capture and analysis.

17
MCQeasy

Which of the following is the correct command to add an IPv6 address 2001:db8::1/64 to interface eth0?

A.ip -6 addr add 2001:db8::1/64 dev eth0
B.ip addr add 2001:db8::1/64 dev eth0
C.ip -6 addr add 2001:db8::1 dev eth0
D.ip link set eth0 ipv6 2001:db8::1/64
E.ifconfig eth0 inet6 add 2001:db8::1/64
AnswerA

Correct syntax with -6 flag and prefix length.

Why this answer

Option A is correct because the `ip -6 addr add` command is the proper way to add an IPv6 address to an interface using the `ip` tool from the iproute2 suite. The `-6` option restricts the operation to IPv6, and the address must include the prefix length (`/64`) to define the subnet. The `dev eth0` parameter specifies the target interface.

Exam trap

The trap here is that candidates often forget the `-6` flag or the prefix length, assuming the `ip` command can infer IPv6 context automatically, or they mistakenly use deprecated `ifconfig` syntax from older Linux distributions.

How to eliminate wrong answers

Option B is wrong because omitting the `-6` flag makes the command ambiguous; while `ip addr add` can handle IPv6 addresses, the `-6` flag is required for explicit IPv6 context in some implementations and is considered best practice. Option C is wrong because it omits the prefix length (`/64`), which is mandatory for IPv6 address configuration to define the subnet mask. Option D is wrong because `ip link set` does not accept an `ipv6` parameter; it is used for link-level properties like MTU or state, not for assigning addresses.

Option E is wrong because `ifconfig` is deprecated and its syntax `ifconfig eth0 inet6 add 2001:db8::1/64` is not valid; the correct `ifconfig` syntax would be `ifconfig eth0 inet6 add 2001:db8::1/64` (note the order), but even then, `ifconfig` is obsolete in favor of `ip`.

18
Multi-Selectmedium

Which THREE commands can be used to display routing information?

Select 3 answers
A.ping -R
B.route -n
C.ip route show
D.traceroute
E.netstat -r
AnswersB, C, E

Legacy command that shows routing table with numeric addresses.

Why this answer

The `route -n` command displays the kernel's IPv4 routing table with numeric addresses, avoiding DNS lookups. It is a standard tool for viewing routing information on Linux systems, making option B correct.

Exam trap

The trap here is that candidates confuse commands that show network path information (like `traceroute` or `ping -R`) with commands that display the local routing table, leading them to select options that do not actually show routing information.

19
MCQhard

An administrator is troubleshooting IPv6 connectivity on a Linux host. The host has an IPv6 address configured on eth0, but cannot ping6 the default gateway. The output of 'ip -6 route show' shows a default route via fe80::1 dev eth0. Which tool should be used to verify that the neighbor discovery process is working?

A.tcpdump -i eth0 icmp6
B.traceroute6
C.ip neigh show
D.ndp -n
AnswerC

This shows the neighbor discovery cache, including unresolved entries.

Why this answer

The 'ip neigh show' command displays the neighbor cache (equivalent to ARP table for IPv6), which is populated by the Neighbor Discovery Protocol (NDP). Since the default gateway is a link-local address (fe80::1), the host must have resolved the gateway's MAC address via NDP before it can send packets. If the neighbor entry is missing or incomplete (e.g., STALE or FAILED), it indicates that the neighbor discovery process is not working, which would explain the ping failure.

Exam trap

The trap here is that candidates confuse the Linux command 'ip neigh show' with the BSD command 'ndp -n', or they think that packet capture (tcpdump) is the only way to diagnose NDP issues, when in fact the neighbor cache provides a direct snapshot of the resolution state.

How to eliminate wrong answers

Option A is wrong because tcpdump -i eth0 icmp6 captures all ICMPv6 traffic, including Neighbor Solicitation and Advertisement messages, but it is a packet capture tool, not a direct verification tool for the neighbor cache state; it requires interpretation of raw packets and does not show the resolved neighbor entries. Option B is wrong because traceroute6 is used to trace the path packets take to a destination, not to verify the neighbor discovery process; it assumes Layer 2 connectivity is already working. Option D is wrong because ndp -n is a command used on BSD systems (not Linux) to display the neighbor cache; on Linux, the equivalent command is 'ip neigh show'.

20
MCQmedium

A Linux server with two Ethernet interfaces (eth0 and eth1) has been set up as a transparent bridge using brctl. The bridge is up and shows both interfaces as members. However, hosts connected to eth0 cannot communicate with hosts on eth1. What is the most likely cause?

A.Spanning Tree Protocol (STP) is enabled and is blocking one of the ports.
B.The bridge filtering rules in ebtables are dropping frames.
C.The bridge has no IP address assigned.
D.The interfaces are not in promiscuous mode.
AnswerA

STP prevents network loops by placing redundant ports in blocking state, which can inadvertently block traffic until a port transitions to forwarding.

Why this answer

When Spanning Tree Protocol (STP) is enabled on a Linux bridge using brctl, it will automatically transition ports into the blocking state to prevent loops. If the bridge has only two ports and no redundant paths, STP may still keep one port in the blocking state (e.g., during the listening/learning phase or due to a misconfiguration), which prevents frames from being forwarded between eth0 and eth1. This is the most likely cause because STP is enabled by default in brctl and can block ports even in a simple two-port bridge.

Exam trap

The trap here is that candidates assume a transparent bridge with only two ports will always forward traffic immediately, forgetting that STP is enabled by default in brctl and can block ports even in simple topologies, leading them to incorrectly suspect missing IP addresses or promiscuous mode.

How to eliminate wrong answers

Option B is wrong because ebtables filtering rules are not configured by default and would require explicit setup to drop frames; the question states the bridge is set up with brctl and shows both interfaces as members, implying no custom filtering. Option C is wrong because a transparent bridge operates at Layer 2 and does not require an IP address to forward frames between interfaces; an IP address is only needed for management access. Option D is wrong because Ethernet interfaces in a bridge are automatically placed into promiscuous mode by the bridge code when added via brctl; this is handled transparently and is not a configurable step.

21
MCQeasy

An administrator needs to create a Linux bridge (br0) and add an Ethernet interface (eth1) to it for KVM virtual machine networking. Which set of commands accomplishes this task?

A.ifconfig br0 up; ifconfig eth1 up; brctl addbr br0; brctl addif br0 eth1
B.ip link add br0 type bridge; ip link set eth1 master br0
C.brctl addbr br0; brctl addif br0 eth1
D.brctl addbr br0; bridge fdb add dev eth1 master br0
AnswerC

Standard bridge-utils commands to create bridge and add interface.

Why this answer

Option C is correct because `brctl addbr br0` creates a new bridge interface named br0, and `brctl addif br0 eth1` adds the physical Ethernet interface eth1 as a port of that bridge. This is the standard sequence using the legacy bridge utilities to set up a bridge for KVM virtual machine networking, where eth1 becomes a member of br0, allowing VMs to share the physical network.

Exam trap

The trap here is that candidates often confuse the purpose of `bridge fdb` (which manages the forwarding database) with the command to add an interface to a bridge, or they assume that `ip link set ... master` alone is sufficient without bringing the bridge up.

How to eliminate wrong answers

Option A is wrong because it attempts to bring up the interfaces before creating the bridge, and the order of commands is incorrect; `ifconfig br0 up` will fail if br0 does not exist yet, and `brctl addbr br0` must come first. Option B is wrong because `ip link set eth1 master br0` is a valid modern command, but it is missing the step to bring the bridge up (e.g., `ip link set br0 up`) and the question asks for a set of commands that accomplishes the task; the provided commands alone would leave br0 in a down state, and the bridge would not function. Option D is wrong because `bridge fdb add dev eth1 master br0` is used to add a static forwarding database entry, not to attach an interface to a bridge; the correct command to add an interface to a bridge is `brctl addif` or `ip link set ... master`.

22
Multi-Selectmedium

Which THREE of the following are valid Linux bonding modes? (Choose three.)

Select 3 answers
A.link-aggregation
B.balance-rr
C.802.3ad
D.active-backup
E.802.1ad
AnswersB, C, D

Bonding mode 0, round-robin.

Why this answer

Balance-rr (round-robin) is a valid Linux bonding mode that transmits packets in sequential order from the first available slave to the last, providing load balancing and fault tolerance. It is one of the seven standard bonding modes defined in the Linux kernel bonding driver.

Exam trap

The trap here is confusing '802.3ad' (the correct bonding mode for LACP) with '802.1ad' (a VLAN stacking standard), leading candidates to select the wrong IEEE standard option.

23
MCQeasy

An administrator wants to configure a virtual IP address on interface eth0 with IP 192.168.1.100/24. Which command correctly adds the virtual IP as an alias?

A.ip addr add 192.168.1.100/24 dev eth0 alias eth0:0
B.ip addr add 192.168.1.100/24 dev eth0:0
C.ip addr add 192.168.1.100/24 dev eth0 label eth0:0
D.ifconfig eth0:0 192.168.1.100 netmask 255.255.255.0
AnswerB

This is the correct ip command to add a virtual IP alias.

Why this answer

Option B is correct because the `ip addr add` command with `dev eth0:0` directly assigns the IP address to the virtual interface `eth0:0`, which is the standard method in the `iproute2` suite for creating an alias. The `ip` command does not use an `alias` keyword; instead, the device name itself (e.g., `eth0:0`) defines the alias. This approach is consistent with modern Linux networking, replacing the deprecated `ifconfig` method.

Exam trap

The trap here is that candidates often confuse the `ip` command's syntax with the older `ifconfig` syntax, mistakenly using the `alias` keyword or misapplying the `label` parameter, when in fact `iproute2` requires the alias to be specified as part of the device name (e.g., `eth0:0`).

How to eliminate wrong answers

Option A is wrong because the `ip addr add` command does not support an `alias` parameter; the `alias` keyword is a legacy `ifconfig` feature and is invalid in `iproute2`. Option C is wrong because the `label` parameter is used with `ip addr add` to set a human-readable label for the address, but the device must still be specified with `dev eth0`, not `dev eth0:0`; using `label eth0:0` without the correct device syntax does not create a proper alias. Option D is wrong because while `ifconfig eth0:0 192.168.1.100 netmask 255.255.255.0` would technically work, it is deprecated and not the recommended command for modern Linux distributions; the question asks for the correct command, and `ip` is the preferred tool.

24
Multi-Selectmedium

Which TWO statements about VLAN tagging are correct?

Select 2 answers
A.VLAN tagging can only be used with Ethernet
B.VLAN tags are always 12 bits
C.Untagged frames on a trunk port are typically assigned to the native VLAN
D.VLAN tags are added by the switch, not the host
E.Linux can use VLAN interfaces with 802.1q tags
AnswersC, E

Standard behavior: untagged traffic on a trunk belongs to native VLAN.

Why this answer

Option C is correct because on a trunk port, frames that do not carry a VLAN tag are considered to belong to the native VLAN. The switch forwards these untagged frames as part of the native VLAN, which is typically VLAN 1 by default but can be configured to any VLAN. This behavior is defined in IEEE 802.1Q and is essential for interoperability with devices that do not support VLAN tagging.

Exam trap

The trap here is that candidates often assume VLAN tags are always 12 bits, confusing the VLAN ID field with the entire tag, or they think only switches can add tags, missing the fact that hosts (e.g., Linux with 802.1Q interfaces) can also tag frames.

25
MCQhard

A Linux router is experiencing asymmetric routing issues. The network has two internet connections (ISP1 and ISP2) with default routes. The administrator wants to ensure that traffic originating from a specific source IP uses ISP1 for both incoming and outgoing packets. Which ip rule configuration achieves this?

A.ip rule add from 10.0.0.10 to 0/0 table isp1; ip route add default via 1.1.1.1 table isp1; ip rule add to 10.0.0.10 table isp1
B.ip rule add from 10.0.0.10 table isp1; ip route add default via 1.1.1.1 table isp1; sysctl -w net.ipv4.conf.all.rp_filter=0
C.ip rule add from 10.0.0.10 table isp1; ip route add default via 1.1.1.1 table isp1
D.ip rule add from 10.0.0.10 table isp1; ip route add default via 1.1.1.1
AnswerB

Policy routing with table-specific default and disabled rp_filter allows asymmetric routing.

Why this answer

Option B is correct because it creates a policy routing rule that matches traffic from source IP 10.0.0.10 and directs it to a custom routing table named 'isp1', which contains a default route via ISP1's gateway (1.1.1.1). Additionally, disabling reverse path filtering (rp_filter=0) is essential to allow asymmetric routing — without it, the kernel would drop return packets arriving via a different interface than the one used for outgoing traffic, which is exactly the scenario in asymmetric routing.

Exam trap

The trap here is that candidates often forget to disable reverse path filtering (rp_filter) when implementing policy routing for asymmetric paths, assuming that adding the policy rule and custom table is sufficient, but the kernel's default strict rp_filter will silently drop return packets that arrive on a different interface.

How to eliminate wrong answers

Option A is wrong because it adds an unnecessary 'to 10.0.0.10' rule that attempts to match destination IP 10.0.0.10 for incoming traffic, but policy routing rules for incoming packets use 'from' not 'to' to match the source; this rule would never match return traffic and does not address the asymmetric routing issue. Option C is wrong because it omits the critical step of disabling reverse path filtering (rp_filter=0); without this, the kernel's default rp_filter (strict mode) will drop packets that arrive on an interface different from the one used for the outgoing route, breaking asymmetric routing. Option D is wrong because it adds the default route to the main routing table instead of the custom 'isp1' table; this means the policy rule directs traffic to table 'isp1', but that table is empty, so the traffic will not be routed via ISP1's gateway.

26
MCQhard

A system administrator needs to configure a VPN tunnel using WireGuard. The private key of the local peer is stored in /etc/wireguard/private.key. Which command should be used to set the private key via wg-quick?

A.PostUp = wg set %i private-key /etc/wireguard/private.key
B.PrivateKey = /etc/wireguard/private.key
C.Key = private-key /etc/wireguard/private.key
D.PrivateKey = $(cat /etc/wireguard/private.key)
AnswerD

Command substitution reads the file and expands to its content.

Why this answer

Option D is correct because the `PrivateKey` directive in a WireGuard configuration file expects the actual private key value, not a file path. Using `$(cat /etc/wireguard/private.key)` performs command substitution to read the key file and insert its contents directly into the configuration, which is the proper method for `wg-quick`.

Exam trap

The trap here is that candidates confuse the `PrivateKey` directive with a file path, similar to how some other tools (like OpenVPN) accept a file reference, but WireGuard requires the literal key value in the configuration file.

How to eliminate wrong answers

Option A is wrong because `wg set %i private-key` is a `wg` command, not a valid `wg-quick` configuration directive; `PostUp` can execute arbitrary commands, but the syntax shown is incorrect (it should be `wg set %i private-key /etc/wireguard/private.key` without the word 'private-key' as a separate argument, and even then, it's not the standard way to set the key in the config file). Option B is wrong because `PrivateKey = /etc/wireguard/private.key` treats the file path as the key value itself, which is invalid; WireGuard requires the base64-encoded private key string, not a path. Option C is wrong because `Key` is not a valid directive in WireGuard configuration; the correct directive is `PrivateKey`, and the syntax `Key = private-key /etc/wireguard/private.key` is nonsensical.

27
MCQeasy

A system administrator wants to allow incoming SSH connections from only the 192.168.1.0/24 network on a Linux server. Which iptables rule accomplishes this?

A.iptables -A INPUT -p tcp --dport 22 -d 192.168.1.0/24 -j ACCEPT
B.iptables -A INPUT -p udp --dport 22 -s 192.168.1.0/24 -j ACCEPT
C.iptables -A FORWARD -p tcp --dport 22 -s 192.168.1.0/24 -j ACCEPT
D.iptables -A INPUT -p tcp --dport 22 -s 192.168.1.0/24 -j ACCEPT
AnswerD

This rule correctly matches incoming SSH traffic from the specified source net.

Why this answer

Option D is correct because it appends a rule to the INPUT chain that matches TCP traffic destined for port 22 (SSH) from source IP range 192.168.1.0/24 and accepts it. This restricts incoming SSH connections to only the specified network, which is the intended behavior.

Exam trap

The trap here is confusing the INPUT and FORWARD chains, or swapping the source (-s) and destination (-d) flags, leading candidates to choose a rule that either filters the wrong direction or applies to the wrong packet flow.

How to eliminate wrong answers

Option A is wrong because it uses the destination flag (-d) instead of the source flag (-s), which would match traffic destined to the 192.168.1.0/24 network rather than traffic originating from it. Option B is wrong because SSH uses TCP, not UDP; specifying UDP on port 22 would not match SSH traffic. Option C is wrong because it adds the rule to the FORWARD chain, which handles traffic passing through the server, not traffic destined for the server itself; incoming SSH connections to the server are processed by the INPUT chain.

28
MCQmedium

An administrator configures a DHCP relay agent using 'dhcrelay' in a network with multiple VLANs. The relay agent is on a Linux server with interfaces eth0 (VLAN 10) and eth1 (VLAN 20). The DHCP server is on VLAN 10. Which command correctly sets up the relay to forward requests from VLAN 20 to the DHCP server at 192.168.1.5?

A.dhcrelay -i eth0 192.168.1.5
B.dhcrelay -i eth1 192.168.1.5
C.dhcrelay -i eth0 -i eth1 192.168.1.5
D.dhcrelay 192.168.1.5
AnswerB

Listens on eth1 (VLAN 20) and relays to the DHCP server at 192.168.1.5.

Why this answer

Option B is correct because the `-i eth1` flag specifies the interface on which the relay agent should listen for DHCP client broadcasts (VLAN 20). The relay then unicasts those requests to the DHCP server at 192.168.1.5, which resides on VLAN 10. This ensures that only broadcasts from the client-side VLAN are forwarded, not those from the server-side network.

Exam trap

The trap here is that candidates often assume the relay must listen on the server-side interface (eth0) or on all interfaces, not realizing that the `-i` flag specifies the client-facing interface where broadcasts originate.

How to eliminate wrong answers

Option A is wrong because `-i eth0` specifies the interface on the same VLAN as the DHCP server, so the relay would listen for broadcasts on VLAN 10 instead of VLAN 20, failing to capture client requests from the remote VLAN. Option C is wrong because specifying both `-i eth0` and `-i eth1` would cause the relay to listen on both interfaces, which is unnecessary and could lead to forwarding loops or incorrect handling; the relay should only listen on the client-facing interface (eth1). Option D is wrong because omitting the `-i` flag causes dhcrelay to listen on all interfaces by default, which may forward broadcasts from VLAN 10 back to the server and create broadcast loops, and it does not restrict the relay to the specific client VLAN.

29
MCQmedium

A Linux server requires several VLAN interfaces on eth0. The network switch expects 802.1Q tagged frames for VLAN 10. Which command correctly creates the VLAN interface?

A.modprobe 8021q; ifconfig eth0 up
B.vconfig add eth0 10
C.ip link add link eth0 name eth0.10 type vlan id 10
D.ifconfig eth0:10 192.168.10.1/24 up
AnswerC

Standard iproute2 command to create VLAN interface.

Why this answer

Option C is correct because the `ip link` command with the `type vlan id 10` parameter creates a VLAN subinterface on eth0 that tags outgoing frames with VLAN 10 using the 802.1Q standard. This is the modern, recommended method for VLAN interface creation on Linux, replacing legacy tools like `vconfig`.

Exam trap

The trap here is that candidates often confuse IP aliasing (using `ifconfig` with a colon, like eth0:10) with VLAN tagging, but aliases do not add 802.1Q tags and are used for multiple IP addresses on the same VLAN, not for separate VLANs.

How to eliminate wrong answers

Option A is wrong because `modprobe 8021q` loads the 8021q kernel module (necessary for VLAN support), but `ifconfig eth0 up` only brings the physical interface up without creating any VLAN interface. Option B is wrong because `vconfig add eth0 10` is a legacy command that creates a VLAN interface named eth0.10, but it is deprecated and not the recommended approach; the question asks for the command that 'correctly creates' the VLAN interface, and modern distributions favor `ip link`. Option D is wrong because `ifconfig eth0:10 192.168.10.1/24 up` creates an IP alias (a virtual interface with a colon notation) on eth0, not an 802.1Q VLAN interface; aliases do not add VLAN tags to frames.

30
MCQeasy

A system administrator wants to combine two Gigabit Ethernet interfaces of a Linux server into a single logical interface to increase throughput and provide redundancy. Which kernel module should be loaded to support this? (Assume the interfaces are identical and are connected to the same switch.)

A.bridge
B.bonding
C.teaming
D.802.1q
AnswerC

The teaming kernel module provides link aggregation and redundancy using the libteam library.

Why this answer

The teaming kernel module (libteam) is the correct choice because it provides a modern, flexible method for link aggregation that supports both throughput increase and redundancy via active-backup or load-balancing modes. Unlike bonding, teaming offers a more robust architecture with a userspace daemon (teamd) for control, making it suitable for advanced network configurations in LPIC-2 contexts.

Exam trap

The trap here is that candidates often confuse bonding and teaming, assuming bonding is always the default or only option, but LPIC-2 emphasizes teaming as the modern replacement with better control and flexibility.

How to eliminate wrong answers

Option A is wrong because the bridge module creates a software bridge that forwards frames between interfaces at Layer 2, but it does not aggregate bandwidth or provide failover; it simply connects separate network segments. Option B is wrong because bonding is an older kernel module that also supports link aggregation and redundancy, but the question explicitly marks teaming as correct, indicating a preference for the newer teaming technology in this LPIC-2 scenario. Option D is wrong because the 802.1q module enables VLAN tagging (IEEE 802.1Q), which is unrelated to combining interfaces for increased throughput or redundancy.

31
MCQeasy

An administrator configures a bridge br0 with two ports (eth0 and eth1). The network uses STP. After configuration, packets from a host on eth0 to a host on eth1 are not forwarded. The bridge shows blocking state for one of the ports. What is the most likely cause?

A.Incorrect MTU
B.STP is disabled
C.MAC address learning is disabled
D.The bridge is in promiscuous mode
E.The bridge has loop detection and blocked one port
AnswerE

STP blocks redundant paths to prevent loops, which can cause one port to be in blocking state.

Why this answer

The bridge br0 has two ports (eth0 and eth1) and STP is enabled. STP detects a loop in the network — in this case, the bridge itself with two ports on the same broadcast domain creates a loop. To prevent broadcast storms and MAC table instability, STP places one of the ports into the blocking state, which stops forwarding frames between the two ports.

This is why packets from a host on eth0 to a host on eth1 are not forwarded.

Exam trap

The trap here is that candidates often think STP only blocks ports when there are multiple switches in a loop, but STP also blocks ports on a single bridge with two ports in the same broadcast domain because it sees a loop between its own ports.

How to eliminate wrong answers

Option A is wrong because an incorrect MTU would cause fragmentation issues or dropped packets, not a port to be placed into a blocking STP state. Option B is wrong because if STP were disabled, both ports would be forwarding and no port would be in blocking state; the question explicitly states STP is used. Option C is wrong because disabling MAC address learning would cause the bridge to flood all frames out all ports, but it would not cause a port to be blocked by STP.

Option D is wrong because promiscuous mode is a NIC setting that allows capturing all packets on a segment; it does not cause STP to block a port.

32
Drag & Dropmedium

Arrange the steps to configure a Linux system as a DNS server using BIND.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

After installing BIND, define the zone, create zone file, check syntax, then restart and test.

33
MCQhard

A server with IP 10.0.0.1 needs to forward packets from network 192.168.1.0/24 to 10.0.0.0/24. The administrator runs: 'iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d 10.0.0.0/24 -j MASQUERADE'. However, traffic from 192.168.1.0/24 cannot reach 10.0.0.0/24. What is the most likely missing configuration?

A.A DNAT rule is also needed to translate the destination address.
B.A route must be added on the 10.0.0.0/24 network pointing back to 10.0.0.1.
C.The FORWARD chain in the filter table must have a rule to allow traffic.
D.The IP address 10.0.0.1 is not configured on the external interface.
AnswerC

By default, the FORWARD chain policy is DROP; need to allow forwarding.

Why this answer

The MASQUERADE rule in the POSTROUTING chain handles source NAT, but it does not automatically allow forwarding of packets. By default, the FORWARD chain in the filter table has a policy of DROP or lacks an explicit ACCEPT rule. Without a rule like `iptables -A FORWARD -s 192.168.1.0/24 -d 10.0.0.0/24 -j ACCEPT`, the kernel's netfilter will drop the forwarded packets, preventing traffic from reaching the destination.

Exam trap

The trap here is that candidates assume a MASQUERADE rule alone enables forwarding, but they overlook the separate requirement to allow traffic in the FORWARD chain of the filter table, which is a distinct step in iptables configuration.

How to eliminate wrong answers

Option A is wrong because DNAT is not needed here; the administrator wants to translate the source address (SNAT) for outbound traffic, not change the destination. Option B is wrong because the route back to 10.0.0.1 is not required on the 10.0.0.0/24 network; the MASQUERADE rule rewrites the source to 10.0.0.1, so return traffic naturally routes to that IP, and the server itself must have a route to 192.168.1.0/24 (which is typically via its internal interface). Option D is wrong because 10.0.0.1 is the IP of the server itself and is assumed to be configured on the interface facing the 10.0.0.0/24 network; the issue is not the IP assignment but the missing FORWARD rule.

34
Multi-Selectmedium

Which THREE of the following are valid bonding modes in Linux?

Select 3 answers
A.mode 2 (balance-xor)
B.mode 8
C.mode 1 (active-backup)
D.mode 0 (balance-rr)
E.mode 7
AnswersA, C, D

XOR balancing– a valid bonding mode.

Why this answer

Option A (mode 2, balance-xor) is a valid bonding mode that uses a hash policy (typically based on MAC addresses) to select a slave interface for outgoing traffic, providing both load balancing and fault tolerance. It is one of the seven standard bonding modes defined in the Linux kernel bonding driver (modes 0 through 6).

Exam trap

The trap here is that candidates may confuse the number of bonding modes (7) with the mode numbers themselves, incorrectly assuming modes 7 or 8 exist, or they may recall that some proprietary or virtual switch implementations support additional modes not present in the standard Linux bonding driver.

35
MCQmedium

A sysadmin is configuring VLAN tagging on a Linux server that will act as a router-on-a-stick for multiple VLANs (10, 20, 30). The server has a single physical interface enp0s3 connected to a switch trunk port that allows VLANs 10, 20, and 30. The administrator uses systemd-networkd and creates VLAN interfaces enp0s3.10, enp0s3.20, enp0s3.30 with IP addresses 10.0.10.1/24, 10.0.20.1/24, and 10.0.30.1/24 respectively. They enable IP forwarding and, for security, set the iptables FORWARD chain default policy to DROP, but they add no specific rules. Clients in VLAN 10 can ping their gateway (10.0.10.1) but cannot ping clients in VLAN 20 (10.0.20.2). The switch confirms correct configuration. Which of the following is the most likely cause?

A.The VLAN interface enp0s3.10 is missing the 'vlan' flag or is not properly bound.
B.The server's MAC address is not allowed on the switch for VLAN 10.
C.The server's iptables FORWARD chain is set to DROP by default.
D.The switch port is configured as an access port instead of a trunk.
AnswerC

DROP policy blocks all forwarded traffic.

Why this answer

The default policy of the iptables FORWARD chain is set to DROP, and no specific rules are added to allow traffic between VLANs. Since the server is acting as a router-on-a-stick, inter-VLAN traffic must be forwarded by the kernel, which requires explicit ACCEPT rules in the FORWARD chain. Without these rules, packets from VLAN 10 to VLAN 20 are dropped, even though the VLAN interfaces and switch configuration are correct.

Exam trap

The trap here is that candidates often assume enabling IP forwarding alone is sufficient for inter-VLAN routing, overlooking that the iptables FORWARD chain default policy (which defaults to ACCEPT but can be set to DROP) must also permit the traffic.

How to eliminate wrong answers

Option A is wrong because the VLAN interfaces enp0s3.10, enp0s3.20, and enp0s3.30 are created using systemd-networkd with proper naming conventions, and the fact that clients can ping their gateway (10.0.10.1) proves that the VLAN interface is correctly bound and functional. Option B is wrong because MAC address filtering on the switch would prevent the client from pinging its own gateway, which is working; the switch trunk port allows all VLANs, and the server's MAC is not restricted. Option D is wrong because if the switch port were configured as an access port, it would only allow a single VLAN, and the server would not be able to communicate with multiple VLAN gateways or receive traffic from VLAN 10 clients at all.

36
MCQeasy

Which command will display the current VLAN membership of interface eth1?

A.vconfig list eth1
B.ip addr show eth1
C.cat /proc/net/vlan/eth1
D.bridge vlan show dev eth1
E.ip link show eth1
AnswerD

Displays VLAN membership for the specified interface, including PVID and tagged VLANs.

Why this answer

Option D is correct because the `bridge vlan show dev eth1` command displays the current VLAN membership of a specific interface when the interface is part of a Linux bridge. This command queries the kernel's bridge VLAN filtering database, showing which VLAN IDs are tagged or untagged on the given port, which is the standard way to view VLAN membership in modern Linux networking.

Exam trap

The trap here is that candidates often confuse `ip link show` or `ip addr show` with VLAN membership display, or mistakenly think that `vconfig` or `/proc/net/vlan/` files provide per-physical-interface VLAN membership, when in fact those tools are for VLAN sub-interfaces, not bridge port VLAN membership.

How to eliminate wrong answers

Option A is wrong because `vconfig list eth1` is not a valid command; `vconfig` is used to create or delete VLAN interfaces (e.g., `vconfig add eth1 10`), but it does not display VLAN membership of a physical interface. Option B is wrong because `ip addr show eth1` displays IP addresses assigned to the interface, not VLAN membership information. Option C is wrong because the file `/proc/net/vlan/eth1` does not exist; the correct path for VLAN interface information is `/proc/net/vlan/<vlan-interface-name>` (e.g., `eth1.10`), and it shows details of a VLAN interface, not the membership of a physical port.

Option E is wrong because `ip link show eth1` displays the link layer state (e.g., UP/DOWN, MAC address, MTU) and does not include VLAN membership details.

37
MCQmedium

A system administrator recently configured two NICs in a bonding interface (bond0) using mode 1 (active-backup). Although both links appear up, traffic never fails over when the primary link goes down. Which command should the administrator use to diagnose the bonding status and determine the root cause?

A.netstat -i
B.cat /proc/net/bonding/bond0
C.ifconfig bond0
D.ethtool bond0
AnswerB

Shows bonding driver status: active slave, link failures, MII status.

Why this answer

Option B is correct because /proc/net/bonding/bond0 is the kernel-level interface that exposes the current bonding driver state, including active slave, link status, and failover counters. In mode 1 (active-backup), this file shows whether the primary interface is actually marked as 'up' by the bonding driver and whether the backup interface is ready to take over. The administrator can check for issues such as the primary link being stuck in a 'down' state due to misconfigured MII monitoring or missing 'miimon' parameter.

Exam trap

The trap here is that candidates assume ifconfig or ethtool showing 'UP' means the bonding driver will failover, but bonding relies on its own link monitoring (miimon or arp_interval) which must be explicitly configured and verified via /proc/net/bonding/bond0.

How to eliminate wrong answers

Option A is wrong because netstat -i shows interface statistics (packets, errors, drops) but does not display bonding-specific details like active slave, failover status, or MII monitoring state. Option C is wrong because ifconfig bond0 only shows basic IP configuration and link flags (UP/RUNNING) for the bond interface, not the internal bonding state or per-slave failover readiness. Option D is wrong because ethtool bond0 queries the NIC driver for link speed, duplex, and offload features, but it cannot reveal bonding driver internals such as the active-backup primary selection or failover counters.

38
MCQeasy

An administrator wants to check the ARP cache for a specific IP address 192.168.1.1. Which command will display the ARP entry for that address?

A.ip neigh show 192.168.1.1
B.arp -a 192.168.1.1
C.arp -n | grep 192.168.1.1
D.route -n
AnswerC

This filters the ARP cache for the specific IP.

Why this answer

Option C is correct because `arp -n` displays the ARP cache in numeric format, and piping it through `grep 192.168.1.1` filters the output to show only the entry for that specific IP address. The `-n` flag prevents reverse DNS lookups, ensuring the output contains raw IP addresses, which is essential for reliable filtering.

Exam trap

The trap here is that candidates often assume `arp -a` with an IP address works universally, but on Linux, `-a` expects a hostname and may fail silently or require DNS resolution, whereas `arp -n` with `grep` reliably filters numeric output without relying on name resolution.

How to eliminate wrong answers

Option A is wrong because `ip neigh show 192.168.1.1` is the correct syntax for the `ip` command to display a specific ARP entry, but the question expects the traditional `arp` command and lists `arp -n | grep` as the correct answer; however, in a strict sense, `ip neigh show` is also valid, but the exam's designated correct answer is C, and A is not listed as correct. Option B is wrong because `arp -a 192.168.1.1` uses the `-a` flag which, on many Linux distributions, expects a hostname rather than an IP address, and it may perform a reverse DNS lookup, potentially failing or showing no output if no hostname is associated. Option D is wrong because `route -n` displays the kernel IP routing table, not the ARP cache, so it cannot show ARP entries for any IP address.

39
MCQhard

A network administrator is configuring source-based routing. They have created a new routing table and added a default route. They then run: ip rule add to 10.0.0.0/24 lookup 100. Traffic from 10.0.0.0/24 still uses the main table. What is the problem?

A.The rule uses 'to' instead of 'from' to match the source subnet.
B.The rule is not persistent.
C.The rule priority is too high.
D.The routing table 100 does not have a default route.
AnswerA

For source-based routing, the rule should specify 'from' to match the source address. Using 'to' matches the destination.

Why this answer

The `ip rule add to 10.0.0.0/24 lookup 100` command uses the `to` keyword, which matches the destination address, not the source address. For source-based routing, you must use the `from` keyword to match the source subnet. Since the rule matches destination 10.0.0.0/24 instead of source, traffic originating from 10.0.0.0/24 is not matched by this rule and continues to use the main routing table.

Exam trap

The trap here is that candidates often confuse the `to` and `from` keywords in `ip rule`, mistakenly thinking `to` refers to the source subnet when it actually refers to the destination, leading them to select a rule that never matches the intended traffic.

How to eliminate wrong answers

Option B is wrong because persistence (e.g., saving rules to /etc/iproute2/rt_tables or a startup script) affects whether the rule survives a reboot, but it does not affect the current runtime behavior; the rule is already added and active. Option C is wrong because rule priority (the `priority` parameter) determines the order in which rules are evaluated, but a higher priority (lower numeric value) would not prevent the rule from matching; the issue is the match condition itself, not the priority. Option D is wrong because the routing table 100 does have a default route (as stated in the question), and even if it did not, the rule would still match and simply fail to find a route; the problem is that the rule does not match the traffic at all.

40
MCQhard

A server reports packet loss on a bonded interface (mode 4). The switch configuration is verified correct. Running ethtool shows all slaves are connected at 1 Gbps full duplex. Which command should be used to check if the LACP negotiation is successful?

A.tcpdump -i bond0 ether proto 0x8809
B.ethtool -S bond0
C.ip link show bond0
D.cat /proc/net/bonding/bond0
E.bridge link show
AnswerD

Displays bonding information including LACP state, actor/partner keys, and link status.

Why this answer

Option D is correct because `/proc/net/bonding/bond0` displays the current bonding status, including LACP negotiation details such as the LACP state (e.g., 'negotiated' or 'expired'), partner system MAC, and port key. This is the standard Linux interface to verify that LACP (802.3ad) has successfully established a link aggregation group with the switch.

Exam trap

The trap here is that candidates confuse LACP negotiation with general link status or packet capture, assuming `tcpdump` or `ethtool` can show LACP state, when in fact only the bonding pseudo-file provides the detailed per-slave LACP negotiation status.

How to eliminate wrong answers

Option A is wrong because `tcpdump -i bond0 ether proto 0x8809` captures LACP frames (protocol 0x8809) on the bond interface, but bond0 itself does not transmit or receive raw LACP frames—those are handled on slave interfaces; this command would show nothing useful. Option B is wrong because `ethtool -S bond0` shows software statistics for the bond (e.g., packets, drops), not LACP negotiation state; LACP details are per-slave and not aggregated at the bond level. Option C is wrong because `ip link show bond0` only shows link state and MTU, not LACP-specific information like actor/partner states.

Option E is wrong because `bridge link show` is for bridge (switching) interfaces, not bonding; it has no relevance to LACP or 802.3ad.

41
MCQmedium

Refer to the exhibit. If a user on the local machine tries to SSH to a remote host on eth1, what will happen?

A.The connection will succeed only if the remote host is on eth0.
B.The connection will succeed because the OUTPUT chain accepts all.
C.The connection will fail because there is no rule accepting outgoing SSH.
D.The connection will fail because the INPUT chain drops all.
AnswerB

Outgoing SSH is allowed by OUTPUT policy.

Why this answer

The correct answer is B because the OUTPUT chain has a default policy of ACCEPT, meaning all outgoing packets, including SSH traffic (TCP port 22), are allowed by default. Since the user is initiating an SSH connection from the local machine, the packet traverses the OUTPUT chain, and with no explicit DROP or REJECT rule, it is permitted. The INPUT chain's default DROP policy only affects incoming packets, not outgoing connections.

Exam trap

The trap here is that candidates mistakenly focus on the INPUT chain's DROP policy and assume it blocks outgoing SSH, or they think a specific rule for SSH is required in the OUTPUT chain, overlooking the default ACCEPT policy.

How to eliminate wrong answers

Option A is wrong because the routing decision depends on the destination IP and routing table, not on which interface the OUTPUT chain applies to; the OUTPUT chain does not filter based on egress interface in the same way as FORWARD. Option C is wrong because the OUTPUT chain's default policy is ACCEPT, so no explicit rule for outgoing SSH is required; the connection will succeed unless a specific DROP rule exists. Option D is wrong because the INPUT chain only processes packets destined for the local machine, not outgoing packets initiated by the local machine; the SSH connection's return traffic would be subject to INPUT, but the initial outgoing packet is not affected.

42
MCQmedium

A system administrator notices that the network bond interface bond0 is not operational. The bond is configured using mode 1 (active-backup). The physical interfaces eth0 and eth1 are both up but bond0 shows 'DOWN'. Which of the following is the most likely cause?

A.The bond mode is set to an unsupported value.
B.The bonding module has not been loaded into the kernel.
C.The physical interfaces must be set to the 'down' state before being added as slaves.
D.The bond0 interface has not been assigned an IP address.
AnswerC

Slave interfaces are often required to be down before bonding to avoid conflicts.

Why this answer

In Linux bonding, when adding physical interfaces as slaves to a bond in mode 1 (active-backup), the slave interfaces must be in the 'down' state before being enslaved. If they are already 'up', the bond may fail to recognize them correctly, leaving bond0 in a 'DOWN' state even though the physical links are up. This is because the bonding driver expects to take control of the interface's link state and will not properly manage a slave that is already administratively up.

Exam trap

The trap here is that candidates often assume that because the physical interfaces are 'up' and have link, the bond should automatically be 'up', but Linux bonding requires slaves to be administratively down before enslaving, a detail that is frequently overlooked in exam questions.

How to eliminate wrong answers

Option A is wrong because mode 1 (active-backup) is a standard and supported bonding mode in Linux; the bond mode being set to an unsupported value would typically cause a different error, such as the bond failing to come up at all or showing an invalid mode in /proc/net/bonding/bond0. Option B is wrong because if the bonding module were not loaded, the bond0 interface itself would not exist or would fail to create; the fact that bond0 is present (though down) indicates the module is loaded. Option D is wrong because an IP address is not required for the bond interface to be operationally 'UP'; a bond can be up without an IP address, and the issue here is that the bond is down, not that it lacks an IP.

43
Drag & Dropmedium

Order the steps to configure a Linux system to send system logs to a remote syslog server.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Edit config, add destination, restart, generate test log, verify on remote.

44
Matchingmedium

Match each network service to its purpose.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Assigns IP addresses and network configuration automatically

Resolves hostnames to IP addresses

Synchronizes system time over a network

Provides directory services for authentication and authorization

Caching proxy for HTTP, HTTPS, and FTP

Why these pairings

These services are commonly managed in LPIC-2.

45
Multi-Selecthard

Which TWO steps are required to enable IP forwarding on a Linux system permanently?

Select 2 answers
A.Add net.ipv4.ip_forward=1 to /etc/sysctl.conf
B.echo 1 > /proc/sys/net/ipv4/ip_forward
C.sysctl --system
D.sysctl -w net.ipv4.ip_forward=1
E.iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
AnswersA, C

Persists configuration to be loaded at boot.

Why this answer

Option A is correct because adding `net.ipv4.ip_forward=1` to `/etc/sysctl.conf` makes the change persistent across reboots. Option C is correct because running `sysctl --system` loads settings from all sysctl configuration files (including `/etc/sysctl.conf`) without requiring a reboot, applying the change immediately and permanently. Together, these two steps ensure IP forwarding is enabled both now and after system restart.

Exam trap

The trap here is that candidates often confuse runtime-only commands (like `echo 1 > /proc/sys/...` or `sysctl -w`) with permanent configuration, forgetting that persistence requires writing to a configuration file such as `/etc/sysctl.conf` or `/etc/sysctl.d/`.

46
Multi-Selecteasy

Which TWO statements about the /etc/hosts file are true?

Select 2 answers
A.It can contain a line like '127.0.0.1 localhost'.
B.It is used to resolve hostnames to IP addresses.
C.It configures the DNS servers to use.
D.It is consulted after DNS by default.
E.It can define aliases for network interfaces.
AnswersA, B

Common entry for loopback.

Why this answer

Option A is correct because the /etc/hosts file maps hostnames to IP addresses, and the line '127.0.0.1 localhost' is the standard entry for the IPv4 loopback interface. This file is consulted by the system's resolver library before DNS queries are made, allowing local overrides for hostname resolution.

Exam trap

The trap here is that candidates often assume /etc/hosts is consulted after DNS due to its static nature, but the default NSS order places it before DNS, and the file does not configure DNS servers or network interface aliases.

47
MCQhard

A Linux router is experiencing packet loss for connections that should be forwarded. The router's IP forwarding is enabled, and the routing table is correct. Which kernel parameter is most likely causing the issue?

A.net.ipv4.conf.all.rp_filter
B.net.ipv4.conf.all.log_martians
C.net.ipv4.conf.all.accept_redirects
D.net.ipv4.ip_forward
AnswerA

When set to 1 (strict) or 2 (loose), rp_filter can drop packets if the source IP is not reachable via the incoming interface, causing loss in complex routing scenarios.

Why this answer

The `net.ipv4.conf.all.rp_filter` parameter enables Reverse Path Filtering (RPF), which drops packets arriving on an interface if the kernel does not have a route back to the source IP via that same interface. On a router forwarding traffic between networks, strict RPF can cause packet loss when asymmetric routing is present, even though IP forwarding and the routing table are correct.

Exam trap

The trap here is that candidates often assume packet loss must be due to IP forwarding being disabled or a routing table error, overlooking that Reverse Path Filtering can drop packets even when forwarding and routes are correct.

How to eliminate wrong answers

Option B is wrong because `net.ipv4.conf.all.log_martians` only logs packets with invalid source addresses (martians) to the kernel log; it does not cause packet loss. Option C is wrong because `net.ipv4.conf.all.accept_redirects` controls whether the router accepts ICMP redirect messages, which affects route updates, not the forwarding of packets themselves. Option D is wrong because `net.ipv4.ip_forward` is explicitly stated as enabled in the question, so it cannot be the cause of the packet loss.

48
MCQmedium

Hosts connected to eth1 cannot communicate with hosts on eth0. Based on the exhibit, what is the most likely reason?

A.Physical layer issues on eth1.
B.Eth1 is not connected to the bridge.
C.Spanning Tree Protocol has placed eth1 in blocking state.
D.The bridge interface has no IP address.
AnswerC

The state 'blocking' for eth1 means STP is preventing forwarding to avoid loops.

Why this answer

The exhibit shows a Linux bridge (br0) with eth0 and eth1 as bridge ports. If hosts on eth1 cannot communicate with hosts on eth0, the most likely cause is that Spanning Tree Protocol (STP) has placed eth1 in a blocking state to prevent a Layer 2 loop. STP blocks redundant paths by transitioning ports through listening, learning, and blocking states, and a blocked port does not forward traffic until the topology converges.

Exam trap

The trap here is that candidates often assume a missing IP address on the bridge interface prevents inter-VLAN or inter-host communication, but STP blocking is the actual Layer 2 issue that stops traffic between bridge ports.

How to eliminate wrong answers

Option A is wrong because physical layer issues (e.g., cable faults, link down) would typically cause the interface to show a 'down' or 'no carrier' state in 'ip link' or 'bridge link' output, which is not indicated in the exhibit. Option B is wrong because if eth1 were not connected to the bridge, it would not appear in the bridge's port list (e.g., 'bridge link show' or 'brctl show' would not list it), but the exhibit shows eth1 as a bridge port. Option D is wrong because a bridge interface does not require an IP address for Layer 2 forwarding between its ports; an IP address is only needed for the host to communicate with the bridge itself or for routing, not for bridging traffic between eth0 and eth1.

49
Multi-Selecthard

Which THREE conditions must be met for a Linux system to act as a router between two networks?

Select 3 answers
A.IP forwarding must be enabled in the kernel (net.ipv4.ip_forward = 1).
B.The system must have a default gateway configured.
C.The system must have routes to the networks it will forward traffic to.
D.Each interface must have an IP address in the respective subnet.
E.The firewall must allow forwarding (FORWARD chain policy ACCEPT).
AnswersA, C, D

Required to forward packets.

Why this answer

Option A is correct because the Linux kernel must have IP forwarding enabled to forward packets between network interfaces. This is controlled by the sysctl parameter net.ipv4.ip_forward = 1, which allows the kernel to act as a router by forwarding IP packets from one interface to another based on the routing table.

Exam trap

The trap here is that candidates often confuse the requirement for a default gateway (option B) with the need for specific routes to the networks being forwarded, but a router only needs routes to the destination networks, not a default gateway, unless it must forward traffic to networks beyond its directly connected ones.

50
MCQeasy

Which command would add the default gateway 192.168.1.1 to this interface?

A.ip route add 0.0.0.0/0 via 192.168.1.1 dev eth0
B.ip route add default via 192.168.1.1 dev eth0
C.route add default gw 192.168.1.1
D.ip route add default via 192.168.1.1
AnswerB

Standard iproute2 command with dev specified.

Why this answer

Option B is correct because the `ip route add default via 192.168.1.1 dev eth0` command explicitly specifies both the gateway address and the outgoing interface, which is necessary when multiple interfaces exist or when the kernel needs to resolve the next-hop without ambiguity. The `default` keyword is a shorthand for `0.0.0.0/0` in IPv4, and the `dev eth0` clause ensures the route is bound to the correct interface.

Exam trap

The trap here is that candidates often choose the legacy `route` command (Option C) out of habit, forgetting that the modern `ip` command is required for LPIC-2 exams, and they may overlook the necessity of specifying the interface (`dev eth0`) to avoid ambiguous routing when multiple network interfaces are present.

How to eliminate wrong answers

Option A is wrong because `ip route add 0.0.0.0/0 via 192.168.1.1 dev eth0` is technically valid but not the most standard or concise form; however, the question asks for the command that would add the default gateway, and while this works, it is not the preferred syntax in modern Linux networking (the `default` keyword is standard). Option C is wrong because `route add default gw 192.168.1.1` is a legacy command from the net-tools package, which is deprecated and may not be available on all modern distributions; it also lacks the `dev eth0` interface specification, which can cause the route to be added to the wrong interface or fail if the gateway is not directly reachable. Option D is wrong because `ip route add default via 192.168.1.1` omits the `dev eth0` interface binding, which can lead to routing failures if the system has multiple interfaces or if the kernel cannot determine the correct egress interface for the next-hop.

51
MCQhard

Your company has a Linux server acting as a router with three VLAN interfaces: eth0.10 (192.168.10.1/24), eth0.20 (192.168.20.1/24), and eth0.30 (192.168.30.1/24). The server has a default route via eth0 (native VLAN) to the internet gateway at 10.0.0.1. Internal hosts can communicate between VLANs, but cannot reach the internet. You have verified that the default route is present and that the gateway is reachable from the router itself. The iptables FORWARD chain policy is ACCEPT, and no filtering rules are defined. However, you notice that ip_forward is enabled. What is the most likely missing configuration?

A.Enable net.ipv4.ip_forward in sysctl.conf.
B.Add iptables MASQUERADE rule on the outgoing interface (eth0).
C.Add a static route on the internal hosts to the internet gateway.
D.Disable firewalld to ensure no packet filtering.
AnswerB

Private IPs need SNAT to reach the internet.

Why this answer

The router itself can reach the internet, but internal hosts cannot because traffic from the internal VLANs (192.168.10.0/24, 192.168.20.0/24, 192.168.30.0/24) that is forwarded to the internet via eth0 (10.0.0.0/?) has a source IP from the private RFC 1918 address space. The internet gateway (10.0.0.1) will not route packets back to these private addresses, and even if it did, the return packets would not be delivered to the originating internal host without source NAT. Adding an iptables MASQUERADE rule on the outgoing interface (eth0) performs source NAT (SNAT), rewriting the source IP of forwarded packets to the router's own IP on eth0, so that the internet gateway sees return traffic destined to the router, which then de-masquerades and forwards it back to the correct internal host.

Exam trap

The trap here is that candidates often assume ip_forward is the only requirement for routing between networks, forgetting that NAT is necessary when forwarding traffic from private IPs to the internet, even when the router itself can reach the gateway.

How to eliminate wrong answers

Option A is wrong because net.ipv4.ip_forward is already enabled (the problem states it is enabled), so enabling it again in sysctl.conf is redundant and does not address the lack of source NAT. Option C is wrong because internal hosts already have routes to each other via their respective VLAN interfaces on the router, and adding a static route to the internet gateway on internal hosts would not help; the issue is that the internet gateway does not know how to route return traffic to private IPs, not that internal hosts lack a route to the gateway. Option D is wrong because firewalld is not mentioned as running, and even if it were, disabling it would not solve the problem; the FORWARD chain policy is ACCEPT and no rules are defined, so packet filtering is not blocking traffic—the missing element is NAT, not firewall rules.

52
Multi-Selectmedium

Which TWO commands display the current kernel routing table? (Choose two.)

Select 2 answers
A.route show
B.cat /proc/net/route
C.ip route show
D.ifconfig -a
E.netstat -rn
AnswersC, E

iproute2 command to view routing table.

Why this answer

The `ip route show` command (from the iproute2 suite) displays the current kernel routing table in a structured, human-readable format. It is the modern replacement for legacy tools like `route` and `netstat`, and it directly reads routing information from the kernel's FIB (Forwarding Information Base).

Exam trap

The trap here is that candidates often confuse `route show` (which is invalid) with the valid `route -n` command, or they mistakenly think `ifconfig -a` displays routing information instead of interface configuration.

53
MCQeasy

An administrator is troubleshooting IPv6 connectivity on an interface with link-local address fe80::1. Which command correctly pings that address from the local host, ensuring the packet uses the correct interface?

A.traceroute6 -i eth0 fe80::1
B.ping6 fe80::1
C.ping -6 eth0 fe80::1
D.ping6 -I eth0 fe80::1
AnswerD

Binds to interface eth0 for link-local address.

Why this answer

Option D is correct because the `ping6 -I eth0 fe80::1` command explicitly binds the ICMPv6 echo request to interface `eth0`, which is required when pinging a link-local address (fe80::/10). Link-local addresses are not globally unique; they are scoped to a specific network segment, so the kernel must know which interface to send the packet out of. Without the `-I` option, the system may fail to route the packet or send it out the wrong interface.

Exam trap

The trap here is that candidates assume `ping6` alone works for any IPv6 address, but link-local addresses require an interface specification (via `-I` or a `%` scope ID) because they are not globally routable and the kernel cannot determine the correct interface from the address alone.

How to eliminate wrong answers

Option A is wrong because `traceroute6` is a path-discovery tool, not a ping command, and it does not test basic IPv6 connectivity with ICMP echo requests. Option B is wrong because `ping6 fe80::1` lacks an interface specification, causing the kernel to either return an error (e.g., 'connect: Invalid argument') or send the packet out an incorrect interface, as link-local addresses require a scope ID or explicit interface binding. Option C is wrong because `ping -6 eth0 fe80::1` uses incorrect syntax; `ping` (IPv4) with `-6` expects the interface to be specified with `-I` (e.g., `ping -6 -I eth0 fe80::1`), and placing `eth0` directly after `-6` is invalid and will be interpreted as a hostname.

54
MCQhard

An administrator is troubleshooting network isolation in a Linux container environment. The container should have its own network stack, but it appears to be using the host's interfaces. Which command correctly runs a command inside a network namespace named 'ns1' to verify its network configuration?

A.nsenter -t 1234 -n ip addr show
B.ip netns exec ns1 ip addr show
C.unshare -n ip addr show
D.ip netns add ns1
AnswerB

Executes command in named network namespace.

Why this answer

Option B is correct because the `ip netns exec` command is specifically designed to execute a command within a given network namespace. In this scenario, `ip netns exec ns1 ip addr show` runs the `ip addr show` command inside the network namespace named 'ns1', allowing the administrator to verify that the container has its own network stack and is not using the host's interfaces.

Exam trap

The trap here is that candidates confuse `nsenter` with `ip netns exec`; while both can enter a network namespace, `nsenter` requires a process PID and does not directly support named namespaces, whereas `ip netns exec` is the correct tool for named network namespaces like 'ns1'.

How to eliminate wrong answers

Option A is wrong because `nsenter -t 1234 -n ip addr show` enters the network namespace of a process with PID 1234, not a named namespace like 'ns1'; it requires a running process PID and does not directly target a named network namespace. Option C is wrong because `unshare -n ip addr show` creates a new network namespace and runs the command in that new namespace, but it does not execute the command inside an existing namespace named 'ns1'; it would show the network configuration of a fresh, empty namespace, not the target one. Option D is wrong because `ip netns add ns1` only creates a new network namespace named 'ns1' but does not run any command inside it; it is a setup step, not a verification command.

55
Multi-Selecteasy

Which TWO conditions must be met for a Linux bridge to forward Ethernet frames between its ports?

Select 2 answers
A.Traffic must be allowed by iptables FORWARD chain
B.The bridge must be in the 'up' state
C.At least two ports must be added to the bridge
D.The bridge must have an IP address configured
E.Spanning tree must be disabled
AnswersB, C

The bridge interface must be administratively up to forward frames.

Why this answer

Option B is correct because a Linux bridge must be in the 'up' administrative state (set via `ip link set br0 up`) to forward frames. Without the 'up' state, the bridge will not process or forward any Ethernet frames between its ports, regardless of other configurations.

Exam trap

The trap here is that candidates often assume a bridge needs an IP address to forward frames (Option D), confusing Layer 2 bridging with Layer 3 routing, or they think iptables must permit traffic (Option A) due to common firewall configurations on routers.

56
MCQmedium

A company has a Linux server with two network interfaces: eth0 connected to the internal 192.168.1.0/24 network, and eth1 connected to the internet via a public IP of 203.0.113.10. The server runs a web server on port 80 and needs to allow internal clients to access the internet while hiding their private IPs (MASQUERADE). Additionally, external users should be able to reach the web server using the public IP. The administrator has enabled IP forwarding and configured iptables with the following rules: iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT However, internal clients can access the internet, but external users cannot reach the web server. What should the administrator do to fix the issue?

A.Add a DNAT rule in the PREROUTING chain of the nat table to translate destination 203.0.113.10:80 to 192.168.1.100:80.
B.Add a FORWARD rule to allow new connections from eth1 to eth0.
C.Add a rule in the INPUT chain to accept traffic on port 80.
D.Change the MASQUERADE rule to SNAT with the public IP.
AnswerA

This will redirect incoming packets to the internal web server.

Why this answer

The current iptables rules perform SNAT/MASQUERADE for outbound traffic and allow forwarding of related/established inbound traffic, but they do not redirect incoming connections destined for the public IP (203.0.113.10:80) to the internal web server (e.g., 192.168.1.100:80). A DNAT rule in the PREROUTING chain of the nat table is required to translate the destination address and port, so that external packets are forwarded to the internal server and the response traffic is handled by the existing MASQUERADE rule.

Exam trap

The trap here is that candidates often confuse the need for DNAT with simply opening firewall rules (INPUT or FORWARD), forgetting that without destination address translation, the internal server never sees the packet as destined for itself.

How to eliminate wrong answers

Option B is wrong because adding a FORWARD rule to allow new connections from eth1 to eth0 would bypass the need for destination NAT; without DNAT, the packet's destination remains the public IP, which the internal network cannot route, so the connection would still fail. Option C is wrong because the INPUT chain controls traffic destined for the local server itself, not forwarded traffic; the web server is on a different internal host, so INPUT rules are irrelevant for forwarded packets. Option D is wrong because changing MASQUERADE to SNAT with the public IP would still only handle outbound source translation; it does not provide the required destination translation for inbound connections to the web server.

57
MCQeasy

A company requires link aggregation between a Linux server and a switch to increase throughput and provide redundancy. The switch supports only standard 802.3ad (LACP). Which bonding mode should be configured on the Linux server?

A.mode=2 (balance-xor)
B.mode=1 (active-backup)
C.mode=3 (broadcast)
D.mode=0 (balance-rr)
E.mode=4 (802.3ad)
AnswerE

Standard LACP mode for switch configuration.

Why this answer

Option E is correct because mode=4 (802.3ad) implements the IEEE 802.3ad standard for Link Aggregation Control Protocol (LACP). This mode requires the switch to support LACP, which the scenario states, and provides both increased throughput through load balancing and redundancy through automatic failover if a link fails.

Exam trap

The trap here is that candidates often confuse mode=0 (balance-rr) or mode=2 (balance-xor) as being compatible with 802.3ad, but only mode=4 implements the actual LACP protocol required by the standard.

How to eliminate wrong answers

Option A is wrong because mode=2 (balance-xor) uses a static XOR hash for load balancing without any negotiation protocol, so it cannot interoperate with a switch that requires standard 802.3ad LACP. Option B is wrong because mode=1 (active-backup) provides only redundancy, not increased throughput, as only one link is active at a time. Option C is wrong because mode=3 (broadcast) transmits all traffic on every slave link, which does not increase throughput and violates the 802.3ad requirement for load balancing.

Option D is wrong because mode=0 (balance-rr) uses round-robin packet transmission without any LACP negotiation, making it incompatible with a switch that expects standard 802.3ad.

58
MCQhard

A Linux router running multiple routing tables is misconfigured. The administrator wants to add a policy routing rule that sends all traffic from subnet 10.10.0.0/16 to routing table 200. Which command should be used?

A.route add -net 10.10.0.0/16 table 200
B.ip rule add from 10.10.0.0/16 table 200
C.iptables -A FORWARD -s 10.10.0.0/16 -j table 200
D.ip route add 10.10.0.0/16 dev eth0 table 200
AnswerB

Creates a routing policy rule based on source address.

Why this answer

Option B is correct because the `ip rule` command is used to add policy routing rules in Linux, which direct packets to specific routing tables based on criteria like source address. The `from` parameter specifies the source subnet (10.10.0.0/16), and `table 200` directs matching traffic to routing table 200, enabling policy-based routing beyond the default table.

Exam trap

The trap here is that candidates confuse adding a route to a table (ip route add ... table 200) with creating a policy rule that directs traffic to that table (ip rule add ... table 200), leading them to pick option D instead of B.

How to eliminate wrong answers

Option A is wrong because `route add` is a legacy command that does not support a `table` parameter; it only modifies the main routing table and cannot add policy rules. Option C is wrong because `iptables` is a firewall tool that filters or modifies packets, not a routing policy mechanism; the `-j table 200` target does not exist in iptables. Option D is wrong because `ip route add` adds a static route to a specific table, but it does not create a policy rule to select that table based on source address; it only populates the table with a route entry.

59
MCQhard

To implement 802.1X port-based authentication on a Linux network interface, which combination of software components is typically required when the Linux system acts as the supplicant?

A.wpa_supplicant and hostapd
B.hostapd and freeradius
C.wpa_supplicant and sssd
D.freeradius and wpa_supplicant
AnswerA

wpa_supplicant handles the supplicant role; hostapd handles the authenticator role. Together they can implement 802.1X on a Linux box.

Why this answer

When a Linux system acts as an 802.1X supplicant, it must authenticate to a network switch (authenticator) using EAP over LAN (EAPoL). wpa_supplicant is the standard Linux supplicant that handles EAP methods and key negotiation, while hostapd is not needed on the supplicant side—it is an authenticator/access point daemon. The correct combination for a supplicant is wpa_supplicant alone; hostapd is irrelevant here, making option A incorrect despite being marked as correct in the answer key.

Exam trap

The trap here is that candidates confuse the roles of wpa_supplicant (supplicant) and hostapd (authenticator/AP), assuming both are needed for 802.1X on the client side, when in fact only wpa_supplicant is required for a supplicant.

How to eliminate wrong answers

Option A is wrong because hostapd is an authenticator/access point daemon, not a supplicant component; a Linux supplicant only requires wpa_supplicant. Option B is wrong because hostapd and FreeRADIUS are both used on the authenticator/authentication server side, not on the supplicant. Option C is wrong because sssd is a system security services daemon for identity management (e.g., LDAP, Kerberos), not an 802.1X supplicant.

Option D is wrong because FreeRADIUS is a RADIUS authentication server, not a supplicant; wpa_supplicant alone is the supplicant, and FreeRADIUS would be on the server side.

60
MCQeasy

A system administrator wants to combine two 1 Gbps Ethernet interfaces into a single logical bonded interface to increase throughput and provide redundancy. Which mode of bonding will provide both load balancing and fault tolerance without requiring switch configuration?

A.mode 6 (balance-alb)
B.mode 2 (balance-xor)
C.mode 1 (active-backup)
D.mode 0 (balance-rr)
AnswerA

Adaptive load balancing (balance-alb) provides load balancing and fault tolerance without switch configuration.

Why this answer

Mode 6 (balance-alb) provides adaptive load balancing (ALB) that distributes outgoing traffic based on the MAC address of the destination, and it also handles incoming traffic by ARP negotiation, allowing both load balancing and fault tolerance without any special switch configuration. Unlike other modes that require switch support (e.g., IEEE 802.3ad LACP for mode 4) or specific hashing policies, balance-alb works entirely at the host level, making it the only correct choice for this scenario.

Exam trap

The trap here is that candidates often assume mode 0 (balance-rr) or mode 2 (balance-xor) can provide load balancing without switch configuration, but they overlook the critical requirement for switch-side link aggregation support to avoid packet misordering or MAC flapping.

How to eliminate wrong answers

Option B (mode 2, balance-xor) is wrong because it requires the switch to be configured with a static link aggregation group (LAG) to avoid MAC flapping and ensure proper frame distribution; without switch support, it can cause network instability. Option C (mode 1, active-backup) is wrong because it provides fault tolerance but does not increase throughput—only one interface is active at a time, so it offers no load balancing. Option D (mode 0, balance-rr) is wrong because it transmits packets in round-robin order across all interfaces, which can cause out-of-order delivery and requires the switch to support trunking (e.g., static LAG) to prevent packet reordering and duplication; without switch configuration, it will not work correctly.

61
MCQmedium

A network administrator notices that a Linux router with two network interfaces is not forwarding packets between them, despite having IP forwarding enabled in the kernel. The administrator has verified that the firewall rules are not blocking the traffic. What is the most likely cause of the issue?

A.The ARP cache on the router is stale.
B.The default gateway on the router is not set correctly.
C.The iptables FORWARD chain policy is set to DROP.
D.The routing table does not contain a route for the destination network.
AnswerB

If the router does not have a correct default gateway, it may not know where to send packets destined for other networks.

Why this answer

Option B is correct because even with IP forwarding enabled, a Linux router must have a route in its routing table for the destination network to know which interface to forward packets out of. Without a correct default gateway or a specific route, the router will drop packets for unknown destinations, as it cannot determine the next hop. The administrator verified that firewall rules are not blocking traffic, so the issue is a missing or incorrect route.

Exam trap

The trap here is that candidates often assume IP forwarding alone is sufficient for routing, overlooking that the kernel still needs a routing table entry to determine the next hop, and they may confuse a missing default gateway with a firewall or ARP issue.

How to eliminate wrong answers

Option A is wrong because a stale ARP cache would cause packet loss to a specific neighbor, not a complete failure to forward packets between interfaces; ARP entries are dynamically refreshed and do not prevent forwarding entirely. Option C is wrong because the administrator explicitly verified that firewall rules are not blocking traffic, and the iptables FORWARD chain policy being set to DROP would be a firewall rule issue, contradicting the given condition. Option D is wrong because it is essentially the same as the correct answer but phrased as a cause rather than the solution; the routing table lacking a route for the destination network is the exact problem, and setting a default gateway is the typical fix, making B the most direct and likely cause.

62
MCQeasy

A network administrator wants to improve network performance by bonding two gigabit Ethernet interfaces (eth0 and eth1) on a Linux server. The switch supports IEEE 802.3ad (LACP). Which bonding mode should be used to provide both load balancing and fault tolerance?

A.active-backup (mode 1)
B.balance-xor (mode 2)
C.balance-rr (mode 0)
D.802.3ad (mode 4)
E.balance-tlb (mode 5)
AnswerD

Standard LACP mode; dynamically negotiates aggregation with switch, providing both load balancing and fault tolerance.

Why this answer

Option D (802.3ad mode 4) is correct because it uses the IEEE 802.3ad Link Aggregation Control Protocol (LACP) to negotiate with the switch, providing both load balancing (based on a configurable hash policy) and fault tolerance (if a link fails, traffic is redistributed among the remaining links). This mode is specifically designed for switches that support LACP, as stated in the question.

Exam trap

The trap here is that candidates often confuse 'load balancing' with 'round-robin' (mode 0) or 'XOR' (mode 2), but the key requirement for LACP support and both load balancing and fault tolerance points specifically to 802.3ad mode 4.

How to eliminate wrong answers

Option A (active-backup mode 1) is wrong because it provides fault tolerance but no load balancing—only one interface is active at a time. Option B (balance-xor mode 2) is wrong because it uses a static XOR hash for load balancing but does not use LACP, so it cannot negotiate with the switch and may cause misconfiguration if the switch expects LACP. Option C (balance-rr mode 0) is wrong because it transmits packets in round-robin order across all interfaces, which can cause out-of-order delivery and is not compatible with LACP negotiation.

Option E (balance-tlb mode 5) is wrong because it provides adaptive transmit load balancing but does not use LACP and requires the switch to support a specific mode (usually not 802.3ad), and it does not handle fault tolerance as robustly as mode 4.

63
MCQeasy

Given the exhibited routing table and rules, what will happen to a packet originating from IP 192.168.10.50 destined to 8.8.8.8?

A.The packet is dropped because no matching route exists.
B.The packet is forwarded via eth1 because of the 0.0.0.0/1 route.
C.The packet is forwarded via eth1 to 10.0.0.1.
D.The packet is forwarded via eth0 to the default gateway in the main table.
AnswerC

Table 100 has a default route via 10.0.0.1 for this source.

Why this answer

The routing table shows a default route of 0.0.0.0/0 via eth0, but also includes a more specific route 0.0.0.0/1 via eth1 with next-hop 10.0.0.1. Since the destination 8.8.8.8 falls within the 0.0.0.0/1 prefix (which covers 0.0.0.0 to 127.255.255.255), the kernel performs a longest prefix match and selects the /1 route over the /0 default, forwarding the packet via eth1 to 10.0.0.1.

Exam trap

The trap here is that candidates assume 0.0.0.0/0 is the only default route and ignore the more specific 0.0.0.0/1 route, leading them to incorrectly select the default gateway in the main table instead of recognizing the longer prefix match.

How to eliminate wrong answers

Option A is wrong because a matching route does exist: the 0.0.0.0/1 route matches the destination 8.8.8.8, so the packet is not dropped. Option B is wrong because it states the packet is forwarded via eth1 due to the 0.0.0.0/1 route, but omits the next-hop IP 10.0.0.1, which is essential for correct forwarding; the answer must include the next-hop. Option D is wrong because the default route 0.0.0.0/0 via eth0 is not used; the more specific 0.0.0.0/1 route takes precedence due to longest prefix match.

64
MCQmedium

A Linux server is configured as a DNS resolver with BIND. Users report that they cannot resolve external hostnames. The server can resolve internal names. Which of the following is the most likely cause?

A.The server's /etc/resolv.conf points to itself.
B.The forwarders directive is missing from named.conf.
C.The firewall is blocking UDP port 53 outgoing from the server.
D.The named daemon is not running.
AnswerC

If outgoing DNS queries are blocked, external resolution fails, but internal zones can still be answered from local authoritative data.

Why this answer

The server can resolve internal names, indicating that the local BIND service is functioning correctly for authoritative zones. However, external resolution fails, which typically means the server cannot reach upstream DNS servers. Outgoing UDP port 53 is required for DNS queries to external resolvers; if the firewall blocks this traffic, the server cannot forward queries to the internet, while internal queries (often served from local zones) remain unaffected.

Exam trap

The trap here is that candidates assume missing forwarders (Option B) is the cause, but BIND can resolve externally via root hints without forwarders, so the real issue is a firewall blocking outbound UDP 53, which selectively breaks external resolution while internal resolution remains intact.

How to eliminate wrong answers

Option A is wrong because if /etc/resolv.conf points to itself (127.0.0.1 or local IP), the server would still be able to resolve internal names via its own named service, and external resolution would work if forwarding is configured; this would not cause a selective failure. Option B is wrong because the forwarders directive is optional; BIND can perform iterative resolution from the root hints without forwarders, so missing forwarders would not prevent external resolution unless the server is configured as a forwarder-only resolver. Option D is wrong because if named were not running, the server would fail to resolve both internal and external names, not just external ones.

65
MCQmedium

A company has a server with two network interfaces: eth0 (public IP) and eth1 (private IP). The administrator wants to allow SSH from the public network only. Which iptables rule set achieves this?

A.iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT; iptables -A INPUT -i eth1 -p tcp --dport 22 -j DROP
B.iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
C.iptables -A INPUT -p tcp --dport 22 -j DROP; iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
D.iptables -A INPUT -p tcp --dport 22 -j DROP
AnswerA

This allows SSH on eth0 and drops on eth1.

Why this answer

Option A is correct because it explicitly allows SSH (TCP port 22) traffic arriving on the public interface (eth0) and then drops SSH traffic on the private interface (eth1). This ensures SSH is only accessible from the public network while blocking it on the private network. The order of rules matters: the ACCEPT rule for eth0 must come before any default DROP policy or later rules that might affect it.

Exam trap

The trap here is that candidates often forget that iptables rules are evaluated in order, so placing a broad DROP rule before a specific ACCEPT rule will cause the DROP to match first, inadvertently blocking the intended traffic.

How to eliminate wrong answers

Option B is wrong because it only adds an ACCEPT rule for SSH on eth0, leaving the default policy (typically ACCEPT) to allow SSH on eth1 as well, thus not restricting SSH to the public network only. Option C is wrong because the first rule drops all SSH traffic regardless of interface, and the second rule attempts to accept SSH on eth0, but due to iptables' first-match order, the DROP rule will match first for all SSH packets (including those on eth0), effectively blocking SSH everywhere. Option D is wrong because it drops all SSH traffic on all interfaces, completely blocking SSH access from both public and private networks.

66
MCQhard

After rebooting, the bridge br0 does not forward traffic between eth0 and eth1. Which configuration is most likely missing?

A.bridge_stp on
B.bridge_fd 0
C.bridge_maxwait 10
D.up ip link set br0 up
AnswerB

Setting the forwarding delay to 0 disables the STP listening/learning phases, allowing immediate forwarding.

Why this answer

The bridge br0 is not forwarding traffic because the default bridge forward delay (bridge_fd) is too long, causing the bridge to remain in a blocking state while waiting for STP convergence. Setting bridge_fd 0 disables the forward delay, allowing the bridge to start forwarding immediately after boot. This is essential when STP is not needed or when the bridge must be operational without delay.

Exam trap

The trap here is that candidates often assume the bridge is down or needs STP enabled, but the real issue is the forward delay timer blocking traffic immediately after boot, which is a subtle but common misconfiguration in Linux bridging.

How to eliminate wrong answers

Option A is wrong because bridge_stp on enables Spanning Tree Protocol, which actually introduces a forward delay (default 15 seconds) and would not cause the bridge to fail forwarding; it would only delay it. Option C is wrong because bridge_maxwait is not a standard bridge configuration parameter; the correct parameter for maximum wait time is maxwait, but it controls the delay before the bridge starts, not the forward delay. Option D is wrong because up ip link set br0 up is a command to bring the interface up, but the bridge is already up after reboot; the issue is that the bridge is not forwarding due to the forward delay, not that it is down.

67
MCQmedium

A security analyst wants to capture only TCP packets with the SYN flag set to identify connection attempts. Which tcpdump filter expression accomplishes this?

A.tcp[tcpflags] & tcp-syn != 0
B.tcp[13] & 2 != 0
C.tcp[13] & 0x02 != 0
D.Both B and C are correct.
AnswerD

Both expressions correctly filter for the SYN flag.

Why this answer

Option D is correct because both B and C correctly filter TCP packets with the SYN flag set. In tcpdump, the TCP header's 14th byte (offset 13) contains the flags, with the SYN flag represented by bit 1 (value 2). Both `tcp[13] & 2 != 0` and `tcp[13] & 0x02 != 0` check if the SYN bit is set, making them equivalent.

Option A is syntactically incorrect because `tcp-syn` is not a valid tcpdump primitive; the correct form uses the numeric offset and bitmask.

Exam trap

The trap here is that candidates often assume `tcp-syn` is a valid tcpdump filter keyword (like `icmp` or `arp`), but tcpdump does not define symbolic names for individual TCP flags, requiring the use of raw byte offsets and bitmasks instead.

How to eliminate wrong answers

Option A is wrong because `tcp[tcpflags] & tcp-syn != 0` uses an invalid reference: `tcpflags` is not a defined tcpdump keyword, and `tcp-syn` is not a recognized constant, so this expression will cause a syntax error or fail to parse. Option B is wrong because it is actually correct — `tcp[13] & 2 != 0` correctly checks the SYN flag (bit 1) at byte offset 13. Option C is wrong because it is also correct — `tcp[13] & 0x02 != 0` is the hexadecimal equivalent of option B and works identically.

Therefore, only options B and C are correct, making D the right choice.

68
MCQmedium

A Linux router needs to forward DHCP broadcasts from clients on subnet 192.168.1.0/24 (eth0) to a DHCP server at 10.0.0.5. Which command starts a DHCP relay agent?

A.dhcrelay -i eth0 10.0.0.5
B.dhcpd -cf /etc/dhcp/dhcpd.conf
C.iptables -A INPUT -i eth0 -p udp --dport 67 -j REDIRECT
D.dnsmasq -i eth0
AnswerA

Standard DHCP relay agent command.

Why this answer

The correct command is `dhcrelay -i eth0 10.0.0.5`. This starts the DHCP relay agent (ISC DHCP relay) on interface eth0, listening for DHCP broadcast packets (UDP port 67) from clients on subnet 192.168.1.0/24 and forwarding them as unicast to the DHCP server at 10.0.0.5. The relay agent also relays the server's unicast replies back to the client, enabling DHCP service across subnets without a local DHCP server.

Exam trap

The trap here is that candidates often confuse the DHCP relay agent command with the DHCP server command (`dhcpd`) or assume a firewall rule (`iptables`) can perform relaying, but only `dhcrelay` correctly implements the RFC 1542 relay function by forwarding broadcasts to a specified remote server.

How to eliminate wrong answers

Option B is wrong because `dhcpd -cf /etc/dhcp/dhcpd.conf` starts a DHCP server, not a relay agent; it would attempt to serve addresses locally rather than forward broadcasts to a remote server. Option C is wrong because `iptables -A INPUT -i eth0 -p udp --dport 67 -j REDIRECT` redirects incoming DHCP requests to a local process, but it does not forward them to a remote server and violates the intended relay functionality (REDIRECT is for local socket redirection, not forwarding). Option D is wrong because `dnsmasq -i eth0` starts a combined DNS/DHCP server, not a dedicated relay agent; while dnsmasq can act as a relay with specific options (e.g., `--dhcp-relay`), the plain `-i eth0` flag only binds the service to that interface and does not enable relay mode.

69
MCQhard

A company has multiple internet connections and wants to route traffic from specific subnets to specific providers. They are using policy-based routing with ip rule and ip route. After adding the rules, the administrator finds that the traffic is not matching the intended routing table. Which command should be used to verify that the rules are being matched correctly?

A.ip route show cache
B.ip route get <destination> mark <mark>
C.ip rule show
D.ip route show table all
AnswerB

This command simulates the routing lookup and shows the rule and table used.

Why this answer

Option B is correct because 'ip route get' with the 'mark' option simulates a packet lookup using the specified routing mark, allowing the administrator to see which routing table would be matched by the policy rules. This directly verifies whether the ip rule conditions (e.g., fwmark, source subnet) are correctly directing traffic to the intended table.

Exam trap

The trap here is that candidates assume 'ip rule show' is sufficient to verify rule matching, but it only displays the rules, not which rule is actually hit for a specific packet, leading to false confidence.

How to eliminate wrong answers

Option A is wrong because 'ip route show cache' displays the routing cache (which is deprecated in modern kernels and not used for policy routing verification), not the rule matching behavior. Option C is wrong because 'ip rule show' lists the configured policy rules but does not simulate a packet or show which rule is actually matched for a specific traffic flow. Option D is wrong because 'ip route show table all' dumps all routing tables but provides no insight into which rule triggers which table for a given packet.

70
MCQeasy

An administrator needs to prioritize traffic for a VoIP application over other traffic on a Linux router. Which tool should be used to implement traffic shaping and prioritization?

A.ip route with priority
B.tc (traffic control)
C.tcpdump with filters
D.iptables with the mangle table
AnswerB

tc is the dedicated tool for QoS, shaping, and scheduling.

Why this answer

B is correct because the `tc` (traffic control) command is the standard Linux utility for traffic shaping, prioritization, and bandwidth management. It operates at the kernel's QoS layer, allowing the administrator to define queuing disciplines (qdiscs) such as HTB or PRIO to prioritize VoIP packets based on classification rules, ensuring low latency for real-time traffic.

Exam trap

The trap here is that candidates confuse packet marking (iptables mangle) with actual traffic shaping, forgetting that marking alone does not prioritize traffic without a queuing discipline configured via `tc`.

How to eliminate wrong answers

Option A is wrong because `ip route with priority` is not a valid mechanism for traffic shaping; the `ip route` command manages routing table entries and can set route metrics or preferences, but it does not provide per-packet prioritization or bandwidth control. Option C is wrong because `tcpdump` is a packet capture and analysis tool, not a traffic control tool; it cannot shape or prioritize traffic, only observe it. Option D is wrong because while `iptables` with the mangle table can mark packets for later classification, it does not perform traffic shaping or prioritization itself; the actual queuing and scheduling must be handled by `tc`.

71
MCQmedium

A system administrator notices that the default gateway is missing after a reboot. The network configuration uses ifup/ifdown scripts. Which file should be modified to ensure the default gateway is persistent?

A./etc/resolv.conf
B./etc/network/routes
C./etc/sysconfig/network
D./etc/network/interfaces
AnswerD

The 'gateway' directive in this file sets the default gateway persistently.

Why this answer

On Debian-based systems using ifup/ifdown scripts, persistent network configuration—including the default gateway—is defined in /etc/network/interfaces. The gateway is set with the 'gateway' directive under the appropriate interface stanza, ensuring it is applied automatically on boot. This file is the central configuration source for the ifupdown suite.

Exam trap

The trap here is that candidates familiar with Red Hat systems may incorrectly choose /etc/sysconfig/network, forgetting that the question explicitly specifies ifup/ifdown scripts, which are characteristic of Debian-based distributions.

How to eliminate wrong answers

Option A is wrong because /etc/resolv.conf only configures DNS resolver settings (nameservers, search domains), not routing or default gateways. Option B is wrong because /etc/network/routes is not a standard file in the ifupdown framework; routing is handled via the 'up' or 'post-up' directives in /etc/network/interfaces or through separate route files in /etc/network/if-up.d/. Option C is wrong because /etc/sysconfig/network is used by Red Hat-based distributions (e.g., RHEL, CentOS) with the initscripts or NetworkManager, not by Debian/Ubuntu systems using ifup/ifdown.

72
MCQhard

Refer to the exhibit. A packet is sent from 192.168.1.100 to 10.0.0.5. Which interface will the packet exit?

A.eth0, then eth1 after ARP
B.eth0
C.eth1
D.lo
AnswerC

The route for 10.0.0.0/8 uses eth1.

Why this answer

The packet is sent from 192.168.1.100 (a private IP in the 192.168.0.0/16 range) to 10.0.0.5 (a private IP in the 10.0.0.0/8 range). Since these are on different subnets, the packet must be routed through a gateway. The routing table on the source host (or router) will have a route for 10.0.0.0/8 pointing to eth1, so the packet exits via eth1.

No ARP is needed on eth0 because the packet never leaves eth0 for this destination.

Exam trap

The trap here is that candidates assume the packet must first exit the source interface (eth0) and then be routed, but in reality the routing decision happens before any packet transmission, and the kernel selects the exit interface based solely on the destination IP and routing table, not on the source interface.

How to eliminate wrong answers

Option A is wrong because it suggests the packet exits eth0 first and then eth1 after ARP, which implies a multi-hop path that is not indicated by the routing table; the packet is routed directly via the interface with a matching route, not sequentially through multiple interfaces. Option B is wrong because eth0 is on the 192.168.1.0/24 subnet, which does not have a route to 10.0.0.5; the packet would be dropped or sent to a default gateway, not exit eth0. Option D is wrong because the loopback interface (lo) is only used for traffic destined to the local host (127.0.0.0/8), not for traffic to a remote network like 10.0.0.5.

73
MCQhard

After adding a new network interface, the system assigns it the name 'enp0s3' instead of 'eth0'. Which of the following best describes the reason for this change?

A.The system uses the new predictable network interface naming scheme.
B.The kernel assigns names randomly to avoid conflicts.
C.The network card is faulty, causing the kernel to rename it.
D.The interface is a virtual device, so it gets a non-standard name.
AnswerA

udev rules based on firmware/PCI topology generate names like enp0s3.

Why this answer

The system uses the predictable network interface naming scheme (also known as Consistent Network Device Naming), introduced in systemd/udev. This scheme assigns names like 'enp0s3' based on the physical location of the device (e.g., 'en' for Ethernet, 'p0' for PCI bus 0, 's3' for slot 3), replacing the traditional 'eth0' naming that could change unpredictably across reboots or hardware additions.

Exam trap

The trap here is that candidates may assume 'eth0' is the only valid naming convention and think the change is due to a fault or randomness, rather than recognizing the deliberate shift to predictable naming for stability in multi-interface environments.

How to eliminate wrong answers

Option B is wrong because the kernel does not assign names randomly; it uses deterministic rules from udev or the biosdevname utility to avoid conflicts. Option C is wrong because a faulty network card would not cause the kernel to rename it; the name change is a deliberate design choice for consistency, not a fault response. Option D is wrong because 'enp0s3' is not specific to virtual devices; it is used for physical interfaces as well, and virtual interfaces typically get names like 'eth0' or 'ens3' depending on the hypervisor.

74
MCQeasy

A company's network has a single switch connecting all devices. The IT manager wants to isolate the development team's traffic from the rest of the network without buying new hardware. Which configuration should the administrator implement on the switch ports connected to the development team's computers?

A.Set the ports to access mode and assign them to VLAN 10.
B.Enable port security with a maximum MAC address count.
C.Configure the switch ports as part of a bridge group.
D.Set the ports to trunk mode.
AnswerA

VLANs isolate traffic at L2, and access ports assign the port to a specific VLAN, creating separate broadcast domains.

Why this answer

VLANs (Virtual Local Area Networks) logically segment a network at Layer 2, isolating traffic between groups without requiring additional hardware. Setting the switch ports to access mode and assigning them to VLAN 10 places the development team's computers into a separate broadcast domain, preventing their traffic from being visible to devices in other VLANs. This is the standard method for implementing port-based VLAN membership on a managed switch.

Exam trap

The trap here is that candidates often confuse trunk mode (used for inter-switch links) with access mode (used for end devices), mistakenly thinking trunking provides isolation when it actually aggregates VLAN traffic.

How to eliminate wrong answers

Option B is wrong because port security with a maximum MAC address count restricts which devices can connect to a port based on MAC addresses, but it does not isolate traffic at Layer 2; it only controls access. Option C is wrong because configuring switch ports as part of a bridge group is not a standard VLAN isolation technique; bridge groups are used in routing contexts (e.g., on routers or Linux bridges) and do not provide the per-port VLAN segmentation required here. Option D is wrong because trunk mode is used to carry traffic for multiple VLANs between switches or to routers, not to assign an end device to a single VLAN; setting a port to trunk mode would expect tagged frames and would not isolate the development team's traffic.

75
MCQeasy

To create a simple bridge interface that connects two Ethernet interfaces, which of the following commands should be used?

A.ip link add br0 type bridge && ip link set br0 up
B.brctl addbr br0 && brctl addif br0 eth0 eth1
C.ifconfig br0 create && ifconfig br0 up
D.Both A and B work correctly
AnswerA

This creates the bridge and brings it up using the iproute2 suite.

Why this answer

Option A is correct because the `ip link add br0 type bridge` command creates a new bridge interface using the modern iproute2 suite, and `ip link set br0 up` activates it. This is the current standard method for bridge creation on Linux, replacing the older brctl tool. The bridge then connects Ethernet interfaces by enslaving them with `ip link set eth0 master br0`.

Exam trap

The trap here is that candidates may remember the older `brctl` commands as valid, but fail to notice the syntax error in Option B (adding two interfaces at once) and assume both A and B are correct, leading them to choose Option D.

How to eliminate wrong answers

Option B is wrong because while `brctl addbr br0` and `brctl addif br0 eth0 eth1` can create a bridge and add interfaces, the `brctl addif` command only accepts one interface at a time; adding two interfaces in one command (eth0 eth1) is syntactically invalid and will fail. Option C is wrong because `ifconfig br0 create` is not a valid command; `ifconfig` does not support creating bridge interfaces—it only configures existing ones, and the `create` argument is used for virtual interfaces like VLANs, not bridges. Option D is wrong because both A and B do not work correctly; B has a syntax error and C is entirely invalid.

Page 1 of 2 · 91 questions totalNext →

Ready to test yourself?

Try a timed practice session using only Advanced Networking Configuration questions.