CCNA Advanced Networking Questions

16 of 91 questions · Page 2/2 · Advanced Networking topic · Answers revealed

76
MCQhard

You are a network administrator for a medium-sized company. The company has a Linux server acting as a router/firewall with three network interfaces: eth0 (public, 203.0.113.2/24, gateway 203.0.113.1), eth1 (DMZ, 10.0.1.1/24), and eth2 (internal, 192.168.1.1/24). The DMZ hosts a web server with IP 10.0.1.100, and the internal network has client machines. The firewall rules are currently set to default DROP on INPUT and FORWARD, ACCEPT on OUTPUT. The administrator wants to allow internal clients (192.168.1.0/24) to access the web server (10.0.1.100) on port 80. Additionally, the administrator wants to allow external users (from the internet) to access the web server's public IP (203.0.113.2) on port 80, which should be DNATed to 10.0.1.100. The administrator has enabled IP forwarding and added the following rules:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 10.0.1.100:80
iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -p tcp --sport 80 -j ACCEPT

Internal clients cannot access the web server. External users are able to access the web server successfully. What is the most likely reason internal clients cannot access the web server?

A.The DNAT rule does not apply to traffic coming from the internal network because it is not received on eth0.
B.The web server cannot route back to the internal clients because it is in the DMZ.
C.The FORWARD rule for return traffic does not match because the destination is the client.
D.IP forwarding is not enabled for the internal interface.
AnswerA

Internal traffic enters on eth2, so the DNAT rule (bound to -i eth0) never matches it. Whether the client connects to 10.0.1.100 directly (the packet is routed into FORWARD, where no rule covers eth2 to eth1) or to the public address 203.0.113.2 (one of the router's own addresses, so the packet goes to INPUT), the default DROP policy discards the SYN.

Why this answer

The DNAT rule sits in the PREROUTING chain of the nat table, which every incoming packet traverses before the routing decision; it is the -i eth0 match that limits the rule to packets arriving on the public interface. Internal clients (192.168.1.0/24) reach the router on eth2, so the rule never rewrites their packets. A client that connects to 10.0.1.100 directly needs no DNAT in any case: the destination is the DMZ subnet, and the router forwards the packet from eth2 to eth1.

That forwarding step is where the connection fails. The FORWARD rules only accept eth0 to eth1 (and port-80 replies from eth1 to eth0), so a SYN arriving on eth2 and leaving on eth1 matches nothing and is dropped by the default FORWARD policy. The fix is a FORWARD rule accepting TCP port 80 from eth2 to eth1, plus either a matching reply rule (eth1 to eth2, source port 80) or, better, one rule accepting ESTABLISHED,RELATED packets in any direction. A client that instead connects to the public address 203.0.113.2 fails differently: because the DNAT does not fire, the packet is addressed to the router itself, lands in INPUT, and is dropped there; making that hairpin case work needs a second DNAT rule for eth2 together with a source NAT so the server's replies return through the router.

Exam trap

The trap here is that candidates assume the DNAT rule applies to every incoming packet, but this rule carries an -i eth0 match, so traffic from the internal interface bypasses it entirely; and even without DNAT, an internal connection to the DMZ address is still a forwarded packet that needs its own FORWARD rule.

How to eliminate wrong answers

Option B is wrong because routing is not the problem: the router has directly connected routes to both 10.0.1.0/24 (eth1) and 192.168.1.0/24 (eth2), and the web server only needs 10.0.1.1 as its gateway to reach the internal clients. Option C is wrong because return traffic never comes into play: the client's initial SYN from eth2 to eth1 is dropped before any reply exists. (The reply rule as written would indeed not match either, since it is bound to -o eth0 rather than -o eth2, so the fix must cover both directions, but that is not the first point of failure.) Option D is wrong because the administrator enabled IP forwarding globally (net.ipv4.ip_forward), which turns on forwarding for every interface, and external access working proves it is on; a per-interface sysctl (net.ipv4.conf.<if>.forwarding) does exist, but the global setting enables all of them.
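Added example (not from the page): a small Python model of the hook order this question turns on, nat PREROUTING, then the routing decision, then filter FORWARD or filter INPUT. The rules are the three from the question plus the two eth2 FORWARD rules that fix it; the client addresses and the dict-based rule syntax are constructed for the model and are not iptables. Conntrack and the reverse translation of replies are left out, because the failure happens on the first SYN.

```python
import ipaddress

# Router interfaces from the question; the routing decision below uses them.
IFACES = {
    "eth0": ipaddress.ip_interface("203.0.113.2/24"),  # public
    "eth1": ipaddress.ip_interface("10.0.1.1/24"),     # DMZ
    "eth2": ipaddress.ip_interface("192.168.1.1/24"),  # internal
}
LOCAL_ADDRS = {str(i.ip) for i in IFACES.values()}

# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 10.0.1.100:80
NAT_RULES = [{"in": "eth0", "proto": "tcp", "dport": 80, "to": ("10.0.1.100", 80)}]

# iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 80 -j ACCEPT
# iptables -A FORWARD -i eth1 -o eth0 -p tcp --sport 80 -j ACCEPT
FWD_RULES = [
    {"in": "eth0", "out": "eth1", "proto": "tcp", "dport": 80, "target": "ACCEPT"},
    {"in": "eth1", "out": "eth0", "proto": "tcp", "sport": 80, "target": "ACCEPT"},
]

# The fix: the same pair of rules for the internal interface.
# iptables -A FORWARD -i eth2 -o eth1 -p tcp --dport 80 -j ACCEPT
# iptables -A FORWARD -i eth1 -o eth2 -p tcp --sport 80 -j ACCEPT
FIXED_FWD_RULES = FWD_RULES + [
    {"in": "eth2", "out": "eth1", "proto": "tcp", "dport": 80, "target": "ACCEPT"},
    {"in": "eth1", "out": "eth2", "proto": "tcp", "sport": 80, "target": "ACCEPT"},
]


def matches(rule, pkt):
    """Every match key in the rule (-i, -o, -p, --dport, --sport) must equal the packet field."""
    return all(pkt.get(k) == v for k, v in rule.items() if k not in ("target", "to"))


def out_iface(dst):
    """Routing decision: a directly connected subnet wins, otherwise the default route via eth0."""
    d = ipaddress.ip_address(dst)
    for name, iface in IFACES.items():
        if d in iface.network:
            return name
    return "eth0"


def router_verdict(nat_rules, fwd_rules, pkt):
    """Return (chain, verdict) for the first packet of a connection.

    Order of operations as in netfilter: nat PREROUTING rewrites the destination,
    then the routing decision sends the packet to INPUT (local address) or FORWARD.
    Both filter chains have the question's default DROP policy; INPUT has no rules.
    """
    for rule in nat_rules:
        if matches(rule, pkt):
            pkt = dict(pkt, dst=rule["to"][0], dport=rule["to"][1])
            break  # first matching nat rule wins
    if pkt["dst"] in LOCAL_ADDRS:
        return "INPUT", "DROP"
    pkt = dict(pkt, out=out_iface(pkt["dst"]))
    for rule in fwd_rules:
        if matches(rule, pkt):
            return "FORWARD", rule["target"]
    return "FORWARD", "DROP"


# Constructed SYN packets: an Internet client, an internal client hitting the DMZ address
# directly, and an internal client hitting the public address (hairpin).
EXTERNAL_SYN = {"in": "eth0", "proto": "tcp", "src": "198.51.100.7", "sport": 51000,
                "dst": "203.0.113.2", "dport": 80}
INTERNAL_SYN = {"in": "eth2", "proto": "tcp", "src": "192.168.1.50", "sport": 51001,
                "dst": "10.0.1.100", "dport": 80}
HAIRPIN_SYN = {"in": "eth2", "proto": "tcp", "src": "192.168.1.50", "sport": 51002,
               "dst": "203.0.113.2", "dport": 80}

if __name__ == "__main__":
    for name, pkt in (("external", EXTERNAL_SYN), ("internal", INTERNAL_SYN), ("hairpin", HAIRPIN_SYN)):
        print(f"{name:9s} original rules: {router_verdict(NAT_RULES, FWD_RULES, pkt)}  "
              f"fixed rules: {router_verdict(NAT_RULES, FIXED_FWD_RULES, pkt)}")
```

The hairpin case still lands in INPUT even with the fixed FORWARD rules, because the DNAT rule is bound to eth0; clients that must reach the server by its public address need a second DNAT rule for eth2, paired with a SNAT or MASQUERADE so the server's replies flow back through the router instead of going straight to the client.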

77
MCQhard

A client on the internet sends a TCP SYN packet to 10.0.1.10:8080. The router receives it on eth0. According to the exhibit, what will happen to the packet?

A.The packet is dropped because the destination IP is not directly connected.
B.The packet is forwarded to 10.0.1.1 because it is the default gateway.
C.The packet is forwarded to 10.0.2.5:80 via eth1, with source IP changed to 10.0.2.20.
D.The packet is forwarded to 10.0.2.5:80 via eth1, with source IP unchanged.
AnswerD

As described, DNAT changes destination, routing sends it to eth1, and no SNAT is applied.

Why this answer

The router receives a TCP SYN on eth0 addressed to 10.0.1.10:8080. The exhibit is not reproduced on this page; the answer key treats it as showing a DNAT rule that translates that destination to 10.0.2.5:80. The rewrite happens in nat PREROUTING, before the routing decision, so the router then routes the packet towards 10.0.2.5 and sends it out eth1. Nothing alters the source address: DNAT changes only the destination, and no SNAT or MASQUERADE rule is shown.

This is a standard port forwarding scenario.

Exam trap

The trap here is that candidates often confuse DNAT with SNAT and assume the source IP is also changed, or they think the packet is dropped because the destination IP is not directly connected to the router's LAN interface.

How to eliminate wrong answers

Option A is wrong because a router does not drop a packet merely because its destination is not on a directly connected network; it consults the routing table, and here DNAT has already rewritten the destination to 10.0.2.5 (reached via eth1) before that lookup happens. Option B is wrong because the default gateway is only used for destinations with no more specific route; the translated destination is on the eth1 network, and 10.0.1.1 is not named as a next hop for it. Option C is wrong because DNAT changes only the destination IP and port; rewriting the source to 10.0.2.20 would require a separate SNAT or MASQUERADE rule in the POSTROUTING chain, which is not indicated.

78
Multi-Selecthard

Which TWO tools are commonly used for traffic shaping and QoS on Linux? (Choose two.)

Select 2 answers
A.ethtool
B.wondershaper
C.iptables
D.tc
E.route
AnswersB, D

Script that simplifies use of tc for bandwidth limiting.

Why this answer

Wondershaper is a user-friendly shell script that wraps the `tc` command to simplify traffic shaping by limiting bandwidth on a network interface. It uses the Linux kernel's QoS capabilities, specifically the HTB (Hierarchical Token Bucket) queuing discipline, to prioritize and throttle traffic. This makes it a common tool for basic traffic shaping tasks on Linux.

Exam trap

The trap here is that candidates confuse iptables' ability to mark packets for QoS with actually performing traffic shaping, forgetting that iptables itself does not implement queuing or bandwidth limits.

79
MCQmedium

Based on the capture, which of the following statements is correct about the communication between 10.0.0.1 and 10.0.0.3?

A.The three-way handshake is complete for a TCP connection
B.All of the above
C.The client is using a random high port
D.The server 10.0.0.3 is running an HTTP server
AnswerB

All three statements are correct based on the capture.

Why this answer

Option B is correct because the TCP three-way handshake (SYN, SYN-ACK, ACK) is visible in the capture, the client 10.0.0.1 uses a high ephemeral port (e.g., 49152), and the server 10.0.0.3 responds on port 80, indicating an HTTP server is running. All three statements (A, C, D) are true, making 'All of the above' the correct choice.

Exam trap

The trap here is that candidates may assume only one statement is correct, but the question is designed so that all three individual statements (A, C, D) are true, making 'All of the above' the only comprehensive answer.

How to eliminate wrong answers

Options A, C and D are each true on their own, which is exactly why none of them can be chosen individually: picking one leaves two correct statements unselected. The three-way handshake is complete, the client uses an ephemeral source port (e.g., 49152), and the server answers on port 80, the default HTTP port, so only 'All of the above' accounts for everything the capture shows.

80
MCQeasy

Which of the following commands creates a new network namespace named 'test'?

A.netns add test
B.network namespace add test
C.ip netns add test
D.ip netns create test
AnswerC

This is the correct syntax to create a new network namespace.

Why this answer

The correct command to create a new network namespace named 'test' is 'ip netns add test'. The 'ip netns' command is part of the iproute2 suite and is the standard tool for managing network namespaces in Linux. The 'add' subcommand creates a new namespace by binding it to a mount point under /var/run/netns/.

Exam trap

The trap here is that candidates may confuse the 'ip netns' subcommands, incorrectly using 'create' instead of 'add', or omitting the 'ip' prefix, because they are misled by the generic verb 'create' or the phrase 'network namespace' from other contexts like Docker or systemd-nspawn.

How to eliminate wrong answers

Option A is wrong because 'netns add test' is not a valid command; the correct syntax requires the 'ip' prefix to invoke the iproute2 tool. Option B is wrong because 'network namespace add test' is not a valid Linux command; the proper command uses 'ip netns' and not the full phrase 'network namespace'. Option D is wrong because 'ip netns create test' uses the incorrect subcommand 'create'; the correct subcommand is 'add', as 'create' is not recognized by the ip netns utility.

81
Multi-Selectmedium

Which TWO conditions must be met for a Linux bridge to forward traffic between its ports?

Select 2 answers
A.The bridge has an IP address.
B.The bridge has at least two ports added.
C.The kernel module bridge is loaded.
D.The interfaces are in promiscuous mode.
E.Spanning Tree Protocol is disabled.
AnswersB, C

Forwarding between ports requires at least two interfaces in the bridge.

Why this answer

Option B is correct because forwarding is by definition between ports: a bridge with a single port can deliver frames to the host's own stack but has nowhere else to send them. Option C is correct because the bridging logic lives in the bridge kernel module; it is normally autoloaded the moment a bridge is created (ip link add br0 type bridge) and can be loaded explicitly with modprobe bridge. The other options are not requirements: a bridge forwards without any IP address (the address only gives the host itself a presence on the bridged segment), the bridge driver puts enslaved ports into promiscuous mode on its own, and STP does not have to be disabled, it only delays forwarding on a port until the listening and learning stages have finished.

Exam trap

The trap here is that candidates often confuse the requirements for a bridge with those for a router, incorrectly assuming an IP address is necessary for forwarding, or they forget that bridging depends on the bridge kernel module being present (usually autoloaded when the bridge is created).

82
Multi-Selecthard

Which TWO of the following are valid methods to configure a Linux system to use a specific DNS server for name resolution?

Select 2 answers
A.Add an entry to /etc/hosts with the DNS server's IP.
B.Write the DNS server IP to /etc/resolv.conf using systemd-resolved.
C.Set the 'hosts' line in /etc/nsswitch.conf to include 'dns'.
D.Use NetworkManager to set DNS servers for a connection.
E.Edit the /etc/resolv.conf file and add a nameserver line.
AnswersD, E

NetworkManager can manage DNS settings dynamically.

Why this answer

Option D is correct because NetworkManager provides a centralized way to manage network connections, including DNS settings. When you configure DNS servers for a connection (e.g., nmcli connection modify <name> ipv4.dns 192.0.2.53, or via the GUI), NetworkManager either writes the nameserver lines to /etc/resolv.conf itself or hands them to a local resolver such as systemd-resolved or dnsmasq, depending on the dns= setting in NetworkManager.conf. Option E is correct because a nameserver line in /etc/resolv.conf is what the C library resolver reads directly. The practical caveat: on systems where NetworkManager or systemd-resolved manages the file (it is then often a symlink to /run/systemd/resolve/stub-resolv.conf), a hand edit is overwritten on the next update, so check ls -l /etc/resolv.conf and resolvectl status before relying on a manual entry.

Exam trap

The trap here is that candidates often confuse the role of `/etc/hosts` (static hostname-to-IP mapping) with DNS server configuration, or they think editing `/etc/nsswitch.conf` alone sets the DNS server, when it only defines the lookup order.

83
MCQmedium

Based on the exhibit, what is the configuration of the network interfaces?

A.eth0 is directly connected to a bridge; eth0.10 is a separate physical interface; br0 uses VLAN tagging.
B.eth0 is a VLAN ID 10 access port; eth0.10 is a separate link.
C.eth0 is a member of VLAN 1 only; eth0.10 is a bridge port.
D.eth0 is a VLAN trunk port with native VLAN 1; eth0.10 is a VLAN interface for VLAN 10; br0 is a bridge containing eth0.
AnswerD

Correct interpretation of the exhibit.

Why this answer

Option D is correct because the configuration shows eth0 as a trunk port carrying multiple VLANs, with VLAN 1 as the native VLAN (untagged). The eth0.10 is a VLAN subinterface for VLAN 10, and br0 is a Linux bridge that includes eth0, allowing bridged traffic for the native VLAN while the subinterface handles tagged traffic for VLAN 10.

Exam trap

The trap here is that candidates often confuse VLAN subinterfaces with separate physical interfaces or assume eth0 is an access port, failing to recognize that a trunk port with a native VLAN and subinterfaces is the standard configuration for carrying multiple VLANs over a single link.

How to eliminate wrong answers

Option A is wrong because eth0.10 is not a separate physical interface; it is a VLAN subinterface created on eth0. Option B is wrong because eth0 is not an access port for VLAN 10; it is a trunk port with native VLAN 1, and eth0.10 is not a separate link but a logical interface. Option C is wrong because eth0 is not a member of VLAN 1 only; it carries multiple VLANs as a trunk, and eth0.10 is not a bridge port but a VLAN subinterface.

84
Multi-Selecthard

An administrator is configuring netfilter rules to implement a stateful firewall. Which TWO of the following commands are necessary to allow the firewall to correctly forward TCP traffic from internal to external networks (assuming proper default policies)?

Select 2 answers
A.iptables -A FORWARD -m state --state NEW -j ACCEPT
B.iptables -A FORWARD -m state --state ESTABLISHED -j ACCEPT
C.iptables -A FORWARD -j ACCEPT
D.iptables -A FORWARD -m state --state RELATED -j ACCEPT
E.iptables -A FORWARD -m state --state NEW -p tcp --dport 80 -j ACCEPT
AnswersB, D

This allows established connections, crucial for stateful firewall.

Why this answer

Option B is correct because a stateful firewall must let replies through: once the internal host's SYN has been accepted and recorded by conntrack, every later packet of that flow, starting with the SYN-ACK coming back from the external host, is labelled ESTABLISHED, and the rule accepts it without listing ports or directions. Option D is correct because RELATED covers packets that belong to a tracked flow without being part of it: ICMP errors (fragmentation needed, port unreachable) quoting a tracked packet, and the data connections of protocols such as FTP when the matching conntrack helper is loaded. Two practical notes: with a default DROP policy on FORWARD, a rule accepting NEW connections from the internal interface is still needed (option A as written accepts NEW from every interface, which also admits unsolicited inbound connections; option E limits it to port 80), and -m state is a legacy alias for -m conntrack --ctstate, which is what current rule sets use.

Exam trap

The trap here is that candidates often think only the `ESTABLISHED` rule is needed, forgetting that `RELATED` is also required for protocols like FTP or ICMP error messages that are associated with an existing connection but are not part of the same TCP stream.
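Added example, not part of the page: a Python sketch of how nf_conntrack labels the packets of one internal-to-external TCP session, and what the FORWARD chain does with each label. The rules are options B and D plus a NEW rule restricted to the internal interface, compared with option A as written; the session packets, the addresses and the ICMP error are constructed.

```python
def orig_tuple(p):
    """5-tuple in the direction the packet travels."""
    return (p["proto"], p["src"], p["sport"], p["dst"], p["dport"])


def reply_tuple(p):
    """The same flow seen from the other side."""
    return (p["proto"], p["dst"], p["dport"], p["src"], p["sport"])


class ConnTracker:
    """Just enough of nf_conntrack to label packets NEW, ESTABLISHED or RELATED."""

    def __init__(self):
        self.flows = {}  # original-direction 5-tuple -> True once a reply has been seen

    def classify(self, p):
        key, rev = orig_tuple(p), reply_tuple(p)
        if key in self.flows:
            # A retransmitted SYN before any reply is still NEW, not ESTABLISHED.
            return "ESTABLISHED" if self.flows[key] else "NEW"
        if rev in self.flows:
            return "ESTABLISHED"  # the very first reply packet already matches ESTABLISHED
        inner = p.get("inner")  # ICMP errors quote the header of the packet that caused them
        if p["proto"] == "icmp" and inner and orig_tuple(inner) in self.flows:
            return "RELATED"
        return "NEW"

    def confirm(self, p):
        """Only accepted packets create or update a flow; dropped ones leave no trace."""
        key, rev = orig_tuple(p), reply_tuple(p)
        if rev in self.flows:
            self.flows[rev] = True
        elif p["proto"] != "icmp":
            self.flows.setdefault(key, False)


# iptables -A FORWARD -m state --state ESTABLISHED -j ACCEPT   (option B)
# iptables -A FORWARD -m state --state RELATED -j ACCEPT       (option D)
# iptables -A FORWARD -i eth2 -m state --state NEW -j ACCEPT   (NEW only from the inside)
STATEFUL_RULES = [
    {"states": {"ESTABLISHED"}, "target": "ACCEPT"},
    {"states": {"RELATED"}, "target": "ACCEPT"},
    {"states": {"NEW"}, "in": "eth2", "target": "ACCEPT"},
]
# Option A as written: NEW accepted from any interface.
UNRESTRICTED_RULES = STATEFUL_RULES[:2] + [{"states": {"NEW"}, "target": "ACCEPT"}]


def forward(tracker, rules, p, policy="DROP"):
    """Evaluate the FORWARD chain for one packet; returns (conntrack state, verdict)."""
    state = tracker.classify(p)
    verdict = next((r["target"] for r in rules
                    if state in r["states"] and r.get("in", p["in"]) == p["in"]), policy)
    if verdict == "ACCEPT":
        tracker.confirm(p)
    return state, verdict


def run_session(rules):
    """Constructed session: SYN out, SYN-ACK back, an ICMP error about the SYN, then an unsolicited inbound SYN."""
    syn = {"in": "eth2", "proto": "tcp", "src": "192.168.1.50", "sport": 40000,
           "dst": "198.51.100.7", "dport": 443}
    syn_ack = {"in": "eth0", "proto": "tcp", "src": "198.51.100.7", "sport": 443,
               "dst": "192.168.1.50", "dport": 40000}
    icmp_err = {"in": "eth0", "proto": "icmp", "src": "203.0.113.1", "sport": 0,
                "dst": "192.168.1.50", "dport": 0, "inner": syn}  # e.g. fragmentation needed
    unsolicited = {"in": "eth0", "proto": "tcp", "src": "198.51.100.9", "sport": 5555,
                   "dst": "192.168.1.50", "dport": 22}
    tracker = ConnTracker()
    return [forward(tracker, rules, p) for p in (syn, syn_ack, icmp_err, unsolicited)]


if __name__ == "__main__":
    print("restricted NEW  :", run_session(STATEFUL_RULES))
    print("unrestricted NEW:", run_session(UNRESTRICTED_RULES))
```

The last packet is the point of the exercise: with the NEW rule bound to the internal interface, an inbound SYN that no tracked flow explains is dropped, while option A's unrestricted NEW rule accepts it and turns the stateful firewall into an open forwarder.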

85
MCQhard

A Linux administrator is setting up an IPsec VPN between two sites using strongSwan. The VPN established successfully, but traffic between the sites is not being encrypted. What is the most probable cause?

A.The IPsec policies are not configured to match the traffic.
B.The firewall is blocking UDP port 500.
C.The kernel does not support IPsec (net.ipv4.ip_forward=0).
D.The IPsec daemon is not started.
AnswerA

The SPD defines which traffic should be encrypted; without matching policies, traffic flows in plain text.

Why this answer

Option A is correct because the most probable cause of cleartext traffic after a successful IKE negotiation is a policy mismatch: strongSwan installs the traffic selectors negotiated for the CHILD_SA (leftsubnet/rightsubnet in ipsec.conf, local_ts/remote_ts in swanctl.conf) into the kernel's security policy database, and only packets matching those selectors are steered into the SA. A packet whose source or destination falls outside the negotiated subnets, or whose protocol is excluded by the selector, simply follows the normal routing table in the clear. The check on the router is ip xfrm policy, which lists the installed selectors and their direction, alongside ip xfrm state for the SAs themselves; if the traffic you expect to be protected is not covered by an out policy, the tunnel is up but unused.

Exam trap

The trap here is that candidates assume a successful IKE/SA establishment guarantees encryption for all traffic, but LPIC-2 tests the understanding that IPsec policies (SPD selectors) independently control which packets are encrypted, and a mismatch leaves traffic unencrypted.

How to eliminate wrong answers

Option B is wrong because if the firewall were blocking UDP port 500 (IKE), the VPN would not have established successfully—IKE negotiation would fail. Option C is wrong because `net.ipv4.ip_forward=0` disables IP forwarding between interfaces, which would prevent any traffic flow (encrypted or not) between sites, but the question states traffic flows unencrypted, so forwarding must be enabled. Option D is wrong because if the IPsec daemon (strongSwan's `charon`) were not started, the VPN could not have established at all; the successful establishment proves the daemon is running.

86
MCQmedium

A network administrator notices that VLAN tagging is not working on a Linux bridge. The bridge interface br0 has member ports eth0 and eth1. The administrator runs 'bridge vlan show' and sees that only the default VLAN 1 is present. What is the most likely cause?

A.The bridge is not enabled for VLAN filtering
B.The kernel module for VLAN is not loaded
C.The VLAN protocol is not set to 802.1Q
D.Ports eth0 and eth1 are not set to promiscuous mode
AnswerA

Without enabling VLAN filtering on the bridge, only the default VLAN (VLAN 1) is allowed.

Why this answer

By default a Linux bridge is VLAN-unaware: it forwards every frame by destination MAC regardless of any 802.1Q tag, and bridge vlan show lists only the default VLAN 1 entry for each port. Per-VLAN forwarding starts only after VLAN filtering is switched on with ip link set dev br0 type bridge vlan_filtering 1; from then on each port carries only the VLANs it has been given, for example bridge vlan add dev eth0 vid 10 for a tagged (trunk) port and bridge vlan add dev eth1 vid 10 pvid untagged for an untagged (access) port. Note the operational effect: once filtering is on, tagged frames for VLANs that have not been added to a port are dropped on that port, so add the VLANs first or expect that traffic to stop.

Exam trap

The trap here is that candidates assume VLAN tagging works automatically on a Linux bridge because they are familiar with VLAN interfaces or managed switches, but Linux bridges require explicit VLAN filtering configuration to process 802.1Q tags.

How to eliminate wrong answers

Option B is wrong because the kernel module for VLAN (8021q) is only required for creating VLAN interfaces (e.g., eth0.10) or for the host to process VLAN tags at the network layer; the bridge itself handles VLAN tagging natively when VLAN filtering is enabled, without needing the 8021q module. Option C is wrong because the VLAN protocol is implicitly 802.1Q in Linux bridges; there is no separate configuration to set the protocol, and the issue is not about protocol mismatch but about the bridge not being configured to filter VLANs. Option D is wrong because promiscuous mode is not required for VLAN tagging on a bridge; promiscuous mode allows a NIC to receive all packets, but VLAN filtering is a bridge-level feature independent of promiscuous mode on member ports.

87
MCQhard

A company wants to set up a Linux bridge to connect a wireless interface (wlan0) to a wired interface (eth0) to allow devices on the wired network to access the internet through the wireless uplink. The Linux server runs Debian with hostapd to create an access point on wlan0. The administrator creates a bridge br0 using brctl and adds eth0 and wlan0 as ports. They assign IP 192.168.10.1/24 to br0 and start hostapd. Clients on the wired network can access the internet, but cannot ping clients on the wireless network, and vice versa. The administrator verifies that both interfaces are enslaved to br0 (brctl show shows both). They also confirm that IP forwarding is enabled and there are no iptables rules blocking anything. Which of the following is the most likely cause?

A.The wireless interface wlan0 is not set to 4-address mode (WDS) to allow bridging.
B.The DHCP server is only listening on the bridge interface, not on the individual interfaces.
C.The hostapd configuration is missing the 'bridge' parameter to bind to the bridge.
D.The iptables firewall is blocking broadcast traffic between bridge ports.
AnswerA

Bridging requires 4-address frames on wireless interfaces.

Why this answer

A is correct because an 802.11 data frame in the normal 3-address format carries only the transmitting station's own MAC as its source address, so a station-mode interface has no way to send a frame on behalf of a wired host behind it: the frame's real source MAC cannot be expressed, and the driver rejects it. Transparent bridging over a wireless link needs the 4-address (WDS) frame format, in which the transmitter and receiver addresses are separate from the original source and destination; it is enabled on the station side with iw dev wlan0 set 4addr on and must be supported by the access point. Without it, frames bridged from eth0 towards the wireless side, and the wireless side's replies to wired MACs, never cross the link, while each side keeps working on its own. The requirement applies to the interface acting as a wireless station; the AP side of a link can be bridged without it, and hostapd adds the AP interface to a bridge itself when bridge=br0 is set.

Exam trap

The trap here is that candidates assume bridging works identically on wireless and wired interfaces, overlooking the 802.11 frame format limitation that requires 4-address mode for transparent bridging.

How to eliminate wrong answers

Option B is wrong because DHCP scope has no bearing on Layer 2 forwarding; hosts with working addresses on both sides ping each other through the bridge regardless of which interface the DHCP server listens on. Option C is wrong because bridge=br0 in hostapd.conf tells hostapd which bridge the AP interface belongs to (it adds the interface to that bridge itself); since the administrator already enslaved wlan0 by hand, leaving the parameter out does not stop frames from being forwarded. Option D is wrong because the administrator verified there are no blocking rules, and iptables only sees bridged frames at all when the br_netfilter module is loaded; bridge-level filtering is otherwise the job of ebtables or the nftables bridge family.

88
MCQeasy

An administrator wants to implement network bonding for redundancy on a Linux server running RHEL 8. The server has two physical interfaces em1 and em2. The administrator creates a bond interface bond0 with mode active-backup (mode 1) and adds the slaves em1 and em2. They assign IP address 192.168.50.10/24 to bond0 and bring up the bond. The bond appears to work initially, with one slave active. However, when they disconnect the cable from the active slave, the bond does not fail over to the other slave. The administrator checks /proc/net/bonding/bond0 and sees that the link status for both slaves shows 'up' even after the disconnection. They confirm the bonding module is loaded and the mode is correct. Which of the following is the most likely missing configuration?

A.The MII monitoring interval (miimon) is not configured.
B.The bond interface requires a specific kernel module that is missing.
C.The slave interfaces were not set to 'down' before enslaving.
D.The bond mode is set to mode 0 instead of mode 1.
AnswerA

miimon is required for link monitoring.

Why this answer

The correct answer is A because the bonding driver only notices a failed slave through a link monitor, and none is configured: with miimon (MII link polling) left at 0 and no ARP monitor either, the driver never re-reads the slaves' carrier state, so /proc/net/bonding/bond0 keeps reporting both links as up after the cable is pulled and no failover is triggered. The kernel even logs a warning at enslave time that link failures will not be detected when neither miimon nor arp_interval is set. Setting miimon=100 (polling every 100 ms) in the bond options, on RHEL 8 with NetworkManager via nmcli connection modify bond0 bond.options "mode=active-backup,miimon=100", enables the monitoring that active-backup needs; arp_interval together with arp_ip_target is the alternative where carrier state is unreliable, for example behind a media converter.

Exam trap

The trap here is that candidates often assume active-backup mode automatically handles failover without additional configuration, but the LPIC-2 exam tests the understanding that link monitoring (miimon) must be explicitly configured for the bonding driver to detect physical link loss.

How to eliminate wrong answers

Option B is wrong because the bonding module is already loaded and the bond interface works initially, indicating the required kernel module (bonding) is present; a missing module would prevent the bond from working at all. Option C is wrong because setting slave interfaces to 'down' before enslaving is not a requirement for bonding; the bonding driver can enslave interfaces that are up, and the bond will manage their state. Option D is wrong because the administrator confirmed the mode is active-backup (mode 1), and the symptom of no failover despite correct mode points to a missing monitoring mechanism, not a mode mismatch.
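Added example, not from the page: a Python parser for /proc/net/bonding/<bond> that reports why a bond cannot fail over. The sample text below is constructed to mirror the question (active-backup, both slaves up, miimon left at 0); the field names follow the kernel bonding driver's procfs layout, while the MAC addresses and driver version string are made up.

```python
# Constructed sample of /proc/net/bonding/bond0 as the question describes it.
SAMPLE_NO_MONITOR = """\
Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)

Bonding Mode: fault-tolerance (active-backup)
Primary Slave: None
Currently Active Slave: em1
MII Status: up
MII Polling Interval (ms): 0
Up Delay (ms): 0
Down Delay (ms): 0

Slave Interface: em1
MII Status: up
Speed: 1000 Mbps
Duplex: full
Link Failure Count: 0
Permanent HW addr: 52:54:00:aa:bb:01
Slave queue ID: 0

Slave Interface: em2
MII Status: up
Speed: 1000 Mbps
Duplex: full
Link Failure Count: 0
Permanent HW addr: 52:54:00:aa:bb:02
Slave queue ID: 0
"""

# The same bond after miimon=100 was added to the bond options.
SAMPLE_MONITORED = SAMPLE_NO_MONITOR.replace("MII Polling Interval (ms): 0",
                                             "MII Polling Interval (ms): 100")


def parse_bond_status(text):
    """Split the procfs text into (master fields, [slave fields, ...]) dicts."""
    def fields(block):
        out = {}
        for line in block.splitlines():
            if ":" in line:
                key, value = line.split(":", 1)  # MAC addresses contain more colons
                out[key.strip()] = value.strip()
        return out

    blocks = [b for b in text.strip().split("\n\n") if b.strip()]
    master = fields("\n".join(b for b in blocks if not b.startswith("Slave Interface")))
    slaves = [fields(b) for b in blocks if b.startswith("Slave Interface")]
    return master, slaves


def check_failover(text):
    """Return the list of reasons this bond cannot fail over; an empty list means it can."""
    master, slaves = parse_bond_status(text)
    findings = []
    miimon = int(master.get("MII Polling Interval (ms)", "0"))
    arp_interval = int(master.get("ARP Polling Interval (ms)", "0"))
    if miimon == 0 and arp_interval == 0:
        findings.append("no link monitor: set miimon (e.g. 100) or arp_interval with arp_ip_target; "
                        "without one the driver never re-reads slave link state")
    if len(slaves) < 2:
        findings.append("fewer than two slaves; nothing to fail over to")
    if "active-backup" in master.get("Bonding Mode", ""):
        active = master.get("Currently Active Slave", "None")
        if active not in [s.get("Slave Interface") for s in slaves]:
            findings.append(f"active slave {active!r} is not among the enslaved interfaces")
    return findings


if __name__ == "__main__":
    for name, text in (("as configured", SAMPLE_NO_MONITOR), ("with miimon=100", SAMPLE_MONITORED)):
        print(f"{name}: {check_failover(text) or 'link monitoring OK'}")
```

Running it against the real file (python3 script.py after replacing the sample with open("/proc/net/bonding/bond0").read()) gives the same answer the question wants: both slaves look healthy, yet nothing will ever mark one of them down.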

89
MCQhard

A Linux router running FRR (Free Range Routing) needs to participate in OSPF with adjacent Cisco routers. Which configuration file should be modified to enable OSPF?

A./etc/quagga/ospfd.conf
B./etc/network/interfaces
C./etc/frr/frr.conf
D./etc/ospfd.conf
AnswerC

FRR main configuration file where OSPF, BGP, etc. are defined.

Why this answer

FRR (Free Range Routing) keeps its integrated configuration for all routing daemons in /etc/frr/frr.conf: the router ospf stanza goes there, next to any BGP or static configuration, and vtysh reads it when the frr service starts or is reloaded. One step the question leaves implicit is that the OSPF daemon itself must be switched on with ospfd=yes in /etc/frr/daemons before the service is restarted; otherwise the stanza is never loaded. Once ospfd is running, vtysh -c 'show ip ospf neighbor' confirms the adjacencies with the Cisco routers.

Exam trap

The trap here is that candidates familiar with the older Quagga project may assume the configuration file is still /etc/quagga/ospfd.conf, but FRR has replaced Quagga and uses /etc/frr/frr.conf as the single configuration file for all routing protocols.

How to eliminate wrong answers

Option A is wrong because /etc/quagga/ospfd.conf is the configuration file for the older Quagga project, not FRR; FRR is a fork of Quagga and uses its own directory structure. Option B is wrong because /etc/network/interfaces is used by Debian/Ubuntu for basic network interface configuration (IP addresses, routes) and does not control OSPF routing daemon settings. Option D is wrong because /etc/ospfd.conf is not a standard path for any routing suite; FRR's default is the single integrated frr.conf, and even where per-daemon files are used they live under /etc/frr/, not directly in /etc.
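Added example, not from the page: the two files a minimal OSPF configuration touches on a Debian-packaged FRR. The router ID, interface name and prefix are constructed.

```text
# /etc/frr/daemons  (the daemon must be enabled here, or the OSPF stanza in frr.conf is never loaded)
ospfd=yes

# /etc/frr/frr.conf
frr defaults traditional
hostname r1
!
router ospf
 ospf router-id 10.0.0.1
 network 10.0.0.0/24 area 0.0.0.0
 passive-interface default
 no passive-interface eth0
!
```

After systemctl restart frr, vtysh -c 'show ip ospf neighbor' should list the Cisco routers in Full state. The passive-interface default line keeps OSPF from forming adjacencies on every interface that merely carries an advertised prefix, which is the usual hardening step; only the link facing the Cisco routers is opened up. If a neighbour sticks in ExStart, compare hello and dead timers, network type and interface MTU with the Cisco side, since all of them must match for the adjacency to complete.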

90
MCQmedium

A company has multiple subnets and wants to implement policy-based routing to direct traffic from a specific development subnet (192.168.10.0/24) through a specialized firewall for content filtering, while all other traffic uses the default gateway. Which of the following steps is required to achieve this using iproute2 tools?

A.Use iptables to mark packets from the development subnet and then use ip rule to use the main table for marked packets.
B.Add an ip rule to route traffic from 192.168.10.0/24 to the firewall without creating a new table.
C.Add a static route to the main routing table for 192.168.10.0/24 pointing to the firewall.
D.Create a new routing table (e.g., table 100), add a default route via the firewall in that table, and add an ip rule to use table 100 for traffic from 192.168.10.0/24.
AnswerD

This correctly implements policy-based routing by using a separate routing table and a rule.

Why this answer

Option D is correct because policy-based routing with iproute2 separates the decision of which table to consult from the routes inside it. A new table (table 100) holds a default route via the firewall, and an ip rule selecting packets by source (from 192.168.10.0/24) points them at that table with a preference value lower than the built-in rule for the main table (32766), so it is evaluated first. Packets from any other source never match the rule and continue to use the main table. Two details matter in practice: the table should also cover the destinations that must not go through the firewall (or a higher-priority rule should send them to main), otherwise even LAN-local traffic from the subnet is sent to the firewall; and if the firewall returns traffic on a different interface, reverse-path filtering (net.ipv4.conf.<if>.rp_filter) may drop the replies unless set to loose mode.

Exam trap

The trap here is that candidates often confuse destination-based static routing (which affects where traffic goes) with source-based policy routing (which affects how traffic leaves), leading them to choose Option C or B instead of recognizing the need for a separate routing table and ip rule.

How to eliminate wrong answers

Option A is wrong because iptables marking is not required for source-based PBR; ip rule can match directly on source address without marks, and using the main table for marked packets would not route them through the firewall. Option B is wrong because ip rule without a custom table cannot override the default route; the rule must reference a distinct routing table that contains the desired default route via the firewall. Option C is wrong because adding a static route to the main routing table for 192.168.10.0/24 would only affect traffic destined to that subnet, not traffic originating from it; policy routing requires source-based rules, not destination-based routes.
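Added example, not from the page: a Python model of the rule and table lookup that iproute2 performs, used to show what the question's ip rule plus table 100 arrangement does and where it surprises. The topology (default gateway 192.168.1.1, content-filtering firewall 192.168.1.254, interfaces eth0/eth1) is constructed, and the commented ip commands are the ones the model stands in for.

```python
import ipaddress


def lookup(table, dst):
    """Longest-prefix match inside one routing table; None when the table has no route."""
    d = ipaddress.ip_address(dst)
    best = None
    for prefix, nexthop in table:
        net = ipaddress.ip_network(prefix)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return None if best is None else best[1]


def route(rules, tables, src, dst):
    """Walk `ip rule` entries in priority order and return (table, nexthop).

    A rule whose selectors do not match is skipped; a rule whose table holds no
    matching route falls through to the next rule, which is why the main table
    still serves traffic the custom table says nothing about.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _pref, from_sel, to_sel, table_id in sorted(rules, key=lambda r: r[0]):
        if from_sel and s not in ipaddress.ip_network(from_sel):
            continue
        if to_sel and d not in ipaddress.ip_network(to_sel):
            continue
        nexthop = lookup(tables[table_id], dst)
        if nexthop is not None:
            return table_id, nexthop
    return None, None


# Constructed topology: LAN 192.168.1.0/24 on eth0 with the default gateway at .1 and the
# content-filtering firewall at .254; the development subnet 192.168.10.0/24 sits on eth1.
TABLES = {
    # ip route add 192.168.1.0/24 dev eth0 ; ip route add 192.168.10.0/24 dev eth1
    # ip route add default via 192.168.1.1
    "main": [("192.168.1.0/24", "dev eth0"), ("192.168.10.0/24", "dev eth1"),
             ("0.0.0.0/0", "via 192.168.1.1")],
    # ip route add default via 192.168.1.254 table 100
    100: [("0.0.0.0/0", "via 192.168.1.254")],
}
RULES = [
    # ip rule add from 192.168.10.0/24 to 192.168.1.0/24 lookup main pref 999
    (999, "192.168.10.0/24", "192.168.1.0/24", "main"),
    # ip rule add from 192.168.10.0/24 lookup 100 pref 1000
    (1000, "192.168.10.0/24", None, 100),
    # built-in rule: 32766: from all lookup main
    (32766, None, None, "main"),
]
NAIVE_RULES = RULES[1:]  # only the table-100 rule and the built-in main rule


if __name__ == "__main__":
    for src, dst in (("192.168.10.5", "203.0.113.9"), ("192.168.1.20", "203.0.113.9"),
                     ("192.168.10.5", "192.168.1.20")):
        print(f"{src} -> {dst}: {route(RULES, TABLES, src, dst)}  "
              f"naive: {route(NAIVE_RULES, TABLES, src, dst)}")
```

With only the naive pair of rules, traffic from the development subnet to the rest of the LAN is also sent to the firewall, because table 100 contains nothing but a default route; the pref 999 rule (or copying the connected routes into table 100) keeps that traffic local. A table with no matching route does not end the lookup, the next rule is tried, so an empty table 100 silently reverts the subnet to the default gateway rather than blackholing it.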

91
Matchingmedium

Match each system log to its typical content.


Matches

General system messages (legacy)

System log on Debian-based systems

Authentication and security events

Kernel messages

Mail server logs

Why these pairings

These log files are commonly found in Linux systems.
