- A network engineer needs a device that connects two separate IP networks and forwards packets between them based on Layer 3 destination addresses. Which device fills this role?
- A router
- A hub
- A media converter
- An IP phone
Correct answer: A router
A router is the device that connects separate IP networks and forwards packets between them using Layer 3 destination addresses and its routing table. A hub simply repeats signals out every port, a media converter only changes the physical medium, and an IP phone is an endpoint, so none of those provide inter-network routing.
- Which statement accurately compares a Layer 2 switch with a Layer 3 switch?
- Both forward traffic only by MAC address and never by IP
- A Layer 2 switch can route between subnets but a Layer 3 switch cannot
- A Layer 3 switch operates only at the physical layer
- A Layer 3 switch can forward frames by MAC and also route between subnets, while a Layer 2 switch forwards only by MAC
Correct answer: A Layer 3 switch can forward frames by MAC and also route between subnets, while a Layer 2 switch forwards only by MAC
A Layer 3 switch can both forward frames using MAC addresses and route packets between subnets, whereas a Layer 2 switch is limited to MAC-based frame forwarding within a broadcast domain. The reversed claim about routing is wrong, and a Layer 3 switch operates well above the physical layer, so the other options are incorrect.
- An organization wants a perimeter security device that can identify specific applications, decrypt and inspect content, and integrate intrusion prevention rather than filter solely on ports and protocols. Which device meets this need?
- A traditional packet-filtering router
- A next-generation firewall
- An unmanaged switch
- A passive optical splitter
Correct answer: A next-generation firewall
A next-generation firewall meets the need because it adds application identification, deep inspection, and integrated intrusion prevention beyond basic port and protocol filtering. A packet-filtering router lacks application awareness, an unmanaged switch performs no security inspection, and an optical splitter is purely a physical-layer component.
- How does a next-generation firewall's intrusion prevention capability differ from a stateless access list on a router?
- It can detect and block known attack patterns within the traffic flow, not just permit or deny by header fields
- It only counts packets without taking action
- It works exclusively on IPv6 traffic
- It requires the firewall to operate as a Layer 2 hub
Correct answer: It can detect and block known attack patterns within the traffic flow, not just permit or deny by header fields
The integrated intrusion prevention in a next-generation firewall inspects the content of traffic flows and can detect and block known attack signatures, which goes well beyond the permit-or-deny header matching of a stateless access list. It actively acts on threats rather than just counting, is not limited to IPv6, and does not turn the firewall into a hub.
- Which IEEE standard family describes the delivery of electrical power to devices over the same Ethernet cabling that carries data?
- 802.11 wireless standards
- 802.1Q tagging
- 802.3af and 802.3at Power over Ethernet
- 802.1X access control
Correct answer: 802.3af and 802.3at Power over Ethernet
The 802.3af and 802.3at standards define Power over Ethernet, allowing a switch to supply power to attached devices over the data cabling. The 802.11 family covers wireless, 802.1Q covers VLAN tagging, and 802.1X covers port-based access control, none of which deliver power.
- An IP security camera is mounted outdoors with no nearby power source, yet it powers up when its single Ethernet cable is connected to a capable switch port. Which switch capability enables this single-cable deployment?
- Power over Ethernet
- Spanning Tree Protocol
- Network Address Translation
- Dynamic ARP Inspection
Correct answer: Power over Ethernet
Power over Ethernet enables the single-cable deployment by delivering both data and DC power to the camera over one Ethernet run. Spanning Tree prevents Layer 2 loops, Network Address Translation rewrites IP addresses, and Dynamic ARP Inspection is a security feature, so none of those supply power.
- Which two layers are merged in a two-tier collapsed-core campus design?
- Core and distribution
- Access and core
- Distribution and transport
- Access and session
Correct answer: Core and distribution
A two-tier collapsed-core design merges the core and distribution layers into a single layer while keeping the access layer separate, which suits smaller campuses. The access layer is never merged in this model, and transport and session are OSI layers rather than campus design tiers.
- An enterprise is designing a small campus and wants to avoid the cost of a dedicated backbone layer while still keeping switch access for end users separate. Which design best matches this goal?
- A spine-leaf fabric
- A three-tier hierarchy with a dedicated core
- A two-tier collapsed-core design
- A full-mesh of access switches
Correct answer: A two-tier collapsed-core design
A two-tier collapsed-core design best matches the goal because it combines core and distribution functions to avoid a separate backbone layer while preserving a distinct access layer for users. A spine-leaf fabric targets data centers, a three-tier hierarchy adds the dedicated core the company wants to avoid, and a full mesh of access switches is impractical and unstructured.
- Which set of layers makes up the classic three-tier hierarchical campus model?
- Spine, leaf, and core
- Access, distribution, and core
- Physical, data link, and network
- Edge, transit, and peering
Correct answer: Access, distribution, and core
The three-tier hierarchical model consists of the access, distribution, and core layers, each with a defined role for scalability in larger campuses. Spine and leaf describe a data-center fabric, the physical and data-link names are OSI layers, and edge, transit, and peering are service-provider concepts rather than the campus hierarchy.
- In a three-tier campus design, what is the primary role of the distribution layer?
- To connect end-user devices directly to the network
- To provide the highest-speed backbone with no policy enforcement
- To translate private addresses to public addresses for the Internet
- To aggregate access-layer switches and apply policy before traffic reaches the core
Correct answer: To aggregate access-layer switches and apply policy before traffic reaches the core
The distribution layer aggregates the access-layer switches and is where routing boundaries and policy such as filtering are typically applied before traffic moves to the core. Connecting end devices is the access layer's job, high-speed backbone forwarding with minimal policy is the core's job, and address translation is a separate edge function.
- Which statement correctly describes the interconnection pattern of a spine-leaf topology?
- Each leaf switch connects to every spine switch, and leaf switches do not connect directly to each other
- Spine switches connect directly to end hosts while leaves sit idle
- All leaf and spine switches form a single ring
- Each spine connects to exactly one leaf for redundancy
Correct answer: Each leaf switch connects to every spine switch, and leaf switches do not connect directly to each other
In a spine-leaf fabric each leaf switch connects to every spine switch, and leaf switches never connect directly to one another, which keeps every leaf-to-leaf path the same length. Hosts attach to leaves rather than spines, the fabric is not a ring, and each spine connects to all leaves rather than just one.
- Why does a spine-leaf fabric deliver predictable latency for server-to-server traffic in a data center?
- Because all traffic is forced through a single central switch
- Because every leaf-to-leaf path traverses exactly one spine, giving a consistent hop count
- Because spine switches eliminate the need for IP addresses
- Because leaf switches buffer all traffic until the network is idle
Correct answer: Because every leaf-to-leaf path traverses exactly one spine, giving a consistent hop count
Spine-leaf delivers predictable latency because any leaf-to-leaf flow crosses exactly one spine, producing a uniform hop count and consistent delay across the fabric. Traffic is not funneled through one central switch, IP addressing is still used, and the design does not rely on buffering until idle.
- Which cabling choice is appropriate for a 10 km backbone link between two data centers?
- Category 5e copper
- Single-mode fiber
- Multimode fiber rated for 300 meters
- Twinaxial direct-attach copper
Correct answer: Single-mode fiber
Single-mode fiber is appropriate for a 10 km link because its narrow core and laser source carry signals over long distances with low attenuation. Category 5e copper is limited to about 100 meters, multimode fiber is designed for short runs, and twinaxial copper is a very short in-rack medium.
- An engineer is told a fiber run uses a large-core cable driven by a less expensive light source for a 200-meter intra-building link. Which fiber type is most likely in use?
- Single-mode fiber
- Coaxial cable
- Multimode fiber
- Shielded twisted pair
Correct answer: Multimode fiber
Multimode fiber is most likely in use because it has a larger core, commonly uses lower-cost light sources, and is designed for shorter intra-building distances such as 200 meters. Single-mode fiber uses a small core and lasers for long reach, while coaxial and shielded twisted pair are copper media, not fiber.
- A switch port shows incrementing late-collision and frame-check-sequence errors, and an engineer finds one end hard-coded to full duplex while the other autonegotiated to half duplex. What problem does this describe?
- A native VLAN mismatch
- A duplex mismatch
- An MTU mismatch
- A spanning-tree root change
Correct answer: A duplex mismatch
This describes a duplex mismatch, where one side operates full duplex and the other half duplex, producing late collisions and FCS errors. A native VLAN mismatch affects trunk tagging, an MTU mismatch affects frame size handling, and a spanning-tree root change affects Layer 2 topology, none of which match these duplex symptoms.
- Which configuration approach reliably avoids a duplex mismatch on a link between two switches?
- Hard-code full duplex on one end and leave the other on autonegotiation
- Place each end in a different VLAN
- Lower the speed on only one end
- Set both ends to the same explicit duplex value, or let both ends autonegotiate
Correct answer: Set both ends to the same explicit duplex value, or let both ends autonegotiate
Configuring both ends with the same explicit duplex value, or allowing both ends to autonegotiate, prevents a mismatch by ensuring agreement on duplex. Hard-coding one side while autonegotiating the other is a classic cause of mismatch, different VLANs and one-sided speed changes do not resolve the duplex disagreement.
- Which pair of characteristics correctly describes UDP at the transport layer?
- Connectionless and best-effort, with no acknowledgments or retransmissions
- Connection-oriented and reliable, using a three-way handshake
- Connectionless but guaranteeing in-order delivery
- Connection-oriented but with no flow control
Correct answer: Connectionless and best-effort, with no acknowledgments or retransmissions
UDP is connectionless and best-effort, sending datagrams without acknowledgments, retransmissions, or guaranteed ordering, which keeps overhead low. The three-way handshake and reliability describe TCP, UDP does not guarantee ordering, and the connection-oriented descriptions do not apply to UDP.
- A bulk file transfer must guarantee that every byte arrives intact and in order, retransmitting any lost segments. Which transport protocol provides these guarantees?
Correct answer: TCP
TCP provides these guarantees because it is connection-oriented and uses sequence numbers, acknowledgments, and retransmissions to ensure reliable, ordered delivery. UDP offers no such guarantees, while ICMP and ARP are not transport protocols used to carry file data.
- Which field in the TCP and UDP headers identifies the specific application or service a segment is destined for?
- The TTL field
- The destination port number
- The source MAC address
- The IP version field
Correct answer: The destination port number
The destination port number identifies the specific application or service that should receive the segment, such as 80 for HTTP. The TTL and IP version fields belong to the IP header, and the source MAC is a Layer 2 field, so none of those identify the destination application.
- A host is assigned 172.16.40.200 with a /27 mask. To which subnet does this address belong?
- 172.16.40.192/27
- 172.16.40.160/27
- 172.16.40.224/27
- 172.16.40.128/27
Correct answer: 172.16.40.192/27
With a /27 mask the subnets increment by 32 in the last octet, and 200 falls within the 192-to-223 block, so the host belongs to 172.16.40.192/27. The 160 block covers 160-191, the 224 block starts above 200, and the 128 block covers 128-159, so none of those contain the address.
- How many usable host addresses does a /29 subnet provide?
Correct answer: 6
A /29 leaves 3 host bits, producing 8 total addresses and 6 usable hosts after removing the network and broadcast addresses. Fourteen corresponds to a /28, 8 is the total rather than usable count, and 2 corresponds to a /30.
- An engineer must subnet 10.20.30.0/24 so each subnet supports at least 25 hosts while creating as many subnets as possible. Which mask should be chosen?
Correct answer: /27
A /27 should be chosen because it provides 30 usable hosts per subnet, which meets the 25-host requirement, while creating 8 subnets - the maximum possible when the host minimum constraint is respected. A /28 cannot meet the requirement (only 14 usable hosts). A /26 yields only 4 subnets. A /25 yields only 2 subnets. The correct optimization is /27: it satisfies the host floor and produces the most subnets.
- What is the network address of the subnet containing the host 192.168.50.85/26?
- 192.168.50.0
- 192.168.50.96
- 192.168.50.64
- 192.168.50.128
Correct answer: 192.168.50.64
A /26 mask creates subnets in blocks of 64, and 85 falls within the 64-to-127 range, so the network address is 192.168.50.64. The 0 block covers 0-63, the 96 value is a host inside the 64 subnet rather than a boundary, and 128 begins the next subnet above the host.
- Which address block is reserved for private IPv4 use by RFC 1918?
- 100.64.0.0/10
- 192.168.0.0/16
- 198.51.100.0/24
- 224.0.0.0/4
Correct answer: 192.168.0.0/16
The 192.168.0.0/16 block is one of the three RFC 1918 private ranges reserved for internal networks. 100.64.0.0/10 is shared address space for carrier-grade NAT, 198.51.100.0/24 is documentation space, and 224.0.0.0/4 is the multicast range, so none of those are RFC 1918 private blocks.
- An administrator wants to assign hosts addresses from the smallest RFC 1918 private range, which spans 172.16.0.0 through 172.31.255.255. What prefix length represents this entire block?
Correct answer: /12
The 172.16.0.0 through 172.31.255.255 private range is represented as 172.16.0.0/12, since the /12 mask covers exactly those 16 contiguous /16 networks. A /8 would be far larger, a /16 covers only one of those networks, and a /20 is smaller still, so they do not match the stated range.
- Which IPv6 address type uses the FF00::/8 prefix and delivers a packet to every interface that has joined the group?
- Global unicast
- Anycast
- Multicast
- Unique local
Correct answer: Multicast
An IPv6 multicast address uses the FF00::/8 prefix and delivers packets to all interfaces that have joined the corresponding group. Global unicast and unique local are unicast types delivered to a single interface, and anycast is delivered to the nearest of several interfaces, so none of those match the group-delivery behavior.
- Which IPv6 address type is assigned to multiple interfaces so that a packet is delivered to whichever one is nearest by routing metric?
- Anycast
- Multicast
- Link-local
- Loopback
Correct answer: Anycast
An anycast address is shared by multiple interfaces, and routing delivers the packet to the nearest one, which is useful for distributing services such as DNS resolvers. Multicast reaches a whole group, link-local is a scope on a single link, and loopback refers to the host itself, so none of those describe nearest-interface delivery.
- When forming a 64-bit interface identifier with modified EUI-64 from a 48-bit MAC, what two operations are performed?
- The MAC is hashed and then truncated to 64 bits
- FFFE is inserted in the middle of the MAC and the universal/local bit is inverted
- The MAC is reversed and the first octet is zeroed
- The MAC is doubled and the result is XORed with zeros
Correct answer: FFFE is inserted in the middle of the MAC and the universal/local bit is inverted
Modified EUI-64 inserts the hex value FFFE between the two halves of the 48-bit MAC and inverts the seventh bit (the universal/local bit) to produce the 64-bit interface ID. The MAC is not hashed, reversed, or doubled, so the other descriptions are incorrect.
- A host with MAC address AA:BB:CC:11:22:33 builds its IPv6 interface ID using modified EUI-64. What is the first byte of the resulting interface identifier after the required bit is flipped?
Correct answer: A8
Flipping the seventh bit of AA (binary 10101010) changes it to 10101000, which is A8, so the first byte of the modified EUI-64 interface ID becomes A8. The unmodified AA ignores the required bit flip, and BA and A0 result from altering the wrong bits.
- Which prefix identifies an IPv6 link-local address that is valid only on the directly connected link?
- 2000::/3
- FC00::/7
- FE80::/10
- FF02::/16
Correct answer: FE80::/10
IPv6 link-local addresses use the FE80::/10 prefix and are valid only on the directly connected link, never routed beyond it. 2000::/3 is global unicast, FC00::/7 is unique local, and FF02::/16 is a multicast scope, so none of those identify a link-local address.
- What allows two IPv6 routers on the same segment to exchange routing protocol messages even before any global addresses are configured?
- A shared anycast address
- The all-nodes broadcast address
- A manually configured loopback address
- Their automatically generated link-local addresses
Correct answer: Their automatically generated link-local addresses
The routers can communicate using their automatically generated link-local addresses, which exist on every IPv6 interface and support on-link functions such as routing protocol exchanges. A shared anycast address is not required, IPv6 has no broadcast, and a loopback address is not used for on-link neighbor communication.
- Which IPv6 prefix is reserved for unique local addresses used for private communication within a site?
- FE80::/10
- FC00::/7
- 2001:DB8::/32
- FF00::/8
Correct answer: FC00::/7
Unique local addresses use the FC00::/7 prefix and are intended for private, site-internal IPv6 communication that is not routed on the global Internet. FE80::/10 is link-local, 2001:DB8::/32 is documentation space, and FF00::/8 is multicast, so none of those is the unique local range.
- How is an IPv6 unique local address conceptually similar to RFC 1918 addressing in IPv4?
- Both are automatically generated on every interface for neighbor discovery
- Both provide globally routable Internet reachability
- Both provide private addressing that is not routed on the global Internet
- Both are used only as multicast group identifiers
Correct answer: Both provide private addressing that is not routed on the global Internet
A unique local address is conceptually similar to RFC 1918 because both provide private addressing meant for internal use and not routed on the global Internet. Automatic per-interface generation describes link-local, global reachability describes global unicast, and multicast identifiers are a separate function.
- In the 2.4 GHz band in North America, which channels are typically selected to provide nonoverlapping coverage among nearby access points?
- 3, 7, and 11
- 1, 6, and 11
- 2, 5, and 8
- 1, 5, and 9
Correct answer: 1, 6, and 11
Channels 1, 6, and 11 are the standard nonoverlapping set in the 2.4 GHz band because their frequency ranges are spaced far enough apart not to overlap. The other groupings include adjacent channels whose frequencies overlap, causing interference between access points.
- Two access points in adjacent rooms are both set to 2.4 GHz channel 1, and users between them report degraded throughput. From a channel-planning view, what is the most likely cause?
- A duplex mismatch on the wireless interface
- Co-channel interference because both radios share the same channel
- An IPv6 unique local address conflict
- Use of single-mode fiber between the access points
Correct answer: Co-channel interference because both radios share the same channel
The most likely cause is co-channel interference, because two nearby access points on the same channel contend for the same frequency and degrade performance, which is why nonoverlapping planning separates them onto channels 1, 6, and 11. Duplex mismatch applies to wired links, IPv6 address conflicts are unrelated to RF, and fiber type does not affect wireless channel contention.
- What does the SSID represent in a wireless LAN?
- The administratively configured name of the wireless network that clients select to associate
- The physical MAC address burned into the access point radio
- The pre-shared encryption key protecting the network
- The DHCP scope handed out to wireless clients
Correct answer: The administratively configured name of the wireless network that clients select to associate
The SSID represents the administratively configured name of the wireless network that clients see and select when associating. It is not the radio's MAC address, not the encryption key, and not the DHCP scope, all of which are separate elements of the wireless setup.
- A hospital needs staff, guest, and medical-device traffic to use three clearly separate wireless networks, each with its own name and security policy, on the same access points. Which feature provides this separation?
- Enabling Power over Ethernet on the access points
- Configuring a single nonoverlapping channel for all three
- Broadcasting multiple SSIDs, each mapped to its own settings
- Applying modified EUI-64 to the wireless clients
Correct answer: Broadcasting multiple SSIDs, each mapped to its own settings
Broadcasting multiple SSIDs provides the separation because each SSID can present a distinct wireless network with its own name and security policy on the same access points. Power over Ethernet only powers the device, choosing one channel does not create separate networks, and modified EUI-64 builds IPv6 interface IDs rather than segmenting wireless traffic.
- What is the primary purpose of a wireless LAN controller (WLC) in an enterprise wireless deployment?
- To assign public IPv4 addresses to every wireless client
- To replace the need for any switches in the wireless path
- To act as the default gateway for all wired hosts
- To centrally manage and configure many lightweight access points
Correct answer: To centrally manage and configure many lightweight access points
A wireless LAN controller centrally manages and configures many lightweight access points, handling tasks such as RF management, security policy, and client roaming from one place. It does not assign public addresses, replace switches, or serve as the wired default gateway, so the other options are incorrect.
- In a controller-based wireless network, how do lightweight access points typically reach the wireless LAN controller for management and to tunnel client traffic?
- By connecting through a serial console cable to the controller
- By broadcasting client data as IPv6 multicast to the Internet
- By routing directly to the controller using BGP
- By forming a CAPWAP tunnel to the controller across the wired network
Correct answer: By forming a CAPWAP tunnel to the controller across the wired network
Lightweight access points form a CAPWAP tunnel to the wireless LAN controller across the wired network, which carries both management and tunneled client traffic. They do not rely on serial console cabling, do not flood client data to the Internet, and do not use BGP for this purpose.
- When a switch receives a frame, how does it use the source MAC address to build its forwarding knowledge?
- It rewrites the source MAC to its own before forwarding
- It discards any frame whose source MAC is unknown
- It forwards the frame only to the default gateway
- It records the source MAC and the port it arrived on in the MAC address table
Correct answer: It records the source MAC and the port it arrived on in the MAC address table
A switch records the source MAC address and the ingress port in its MAC address table, which is how it learns where devices are located for future forwarding. It does not rewrite the Layer 2 source MAC, discard unknown-source frames, or forward learning frames solely to the gateway.
- A dynamically learned MAC entry has not been refreshed by any frames for the length of the aging timer. What happens to that entry?
- It is promoted to a static entry permanently
- It is copied into the routing table
- It is removed from the MAC address table
- It is broadcast to all neighboring switches
Correct answer: It is removed from the MAC address table
The dynamically learned entry is removed from the MAC address table once the aging timer expires without refreshing traffic, keeping the table current and freeing space. It is not made permanent, copied to the routing table, or broadcast to neighbors, so the other options are incorrect.
- Which information is stored in a switch's MAC address table?
- Mappings of MAC addresses to the switch ports where they were learned
- Mappings of IP networks to next-hop routers
- DHCP lease expiration times for each host
- The spanning-tree priority of every neighbor switch
Correct answer: Mappings of MAC addresses to the switch ports where they were learned
The MAC address table stores mappings of MAC addresses to the switch ports on which those addresses were learned, which drives Layer 2 forwarding decisions. IP-to-next-hop mappings live in the routing table, DHCP leases are tracked by the DHCP server, and spanning-tree priorities are part of STP state.
- How does a static MAC address table entry differ from a dynamically learned one?
- It ages out twice as fast as a dynamic entry
- It is automatically converted into an IP route
- It is flooded to all VLANs on a timer
- It does not age out and remains until manually removed or the switch reloads
Correct answer: It does not age out and remains until manually removed or the switch reloads
A static MAC address table entry does not age out and persists until an administrator removes it or the switch reloads, unlike a dynamic entry governed by the aging timer. It is not aged faster, converted to a route, or flooded across VLANs, so the other options are incorrect.
- A switch receives a unicast frame whose destination MAC address is not found in its MAC address table. What action does the switch take?
- It buffers the frame until the destination announces itself
- It returns the frame to the source port
- It floods the frame out all ports in the VLAN except the ingress port
- It silently drops the frame as unreachable
Correct answer: It floods the frame out all ports in the VLAN except the ingress port
For an unknown unicast destination, the switch floods the frame out all ports in the VLAN except the one it arrived on, so the frame can reach the destination if it exists elsewhere. It does not buffer the frame, send it back to the source, or drop it, so the other behaviors are incorrect.
- Why is a frame addressed to the broadcast MAC address FFFF.FFFF.FFFF flooded throughout its VLAN?
- Because the destination is intended for all hosts in the broadcast domain
- Because broadcast frames are encrypted and must reach everyone
- Because the routing table directs the switch to flood them
- Because the switch cannot interpret broadcast frames
Correct answer: Because the destination is intended for all hosts in the broadcast domain
A broadcast frame is flooded because its destination address is intended for all hosts in the broadcast domain, so the switch sends it out every port in the VLAN except the ingress port. Broadcasts are not encrypted, Layer 2 flooding is independent of the routing table, and the switch can interpret broadcast frames.
- Which device forwards traffic using MAC addresses and, by default, keeps all of its ports in a single broadcast domain unless VLANs are configured?
- A router
- A Layer 2 switch
- A next-generation firewall operating at Layer 7
- A DNS server
Correct answer: A Layer 2 switch
A Layer 2 switch forwards traffic by MAC address and, by default, keeps all ports in one broadcast domain until VLANs separate them. A router breaks broadcast domains and forwards by IP, a firewall's defining role is security inspection, and a DNS server resolves names rather than forwarding frames.
- Which IPv6 address type is delivered to exactly one interface and is the IPv6 equivalent of a normal one-to-one host address?
- Multicast
- Unicast
- Anycast
- Broadcast
Correct answer: Unicast
A unicast IPv6 address is delivered to exactly one interface and serves as the standard one-to-one host address. Multicast delivers to a group, anycast delivers to the nearest of several interfaces, and IPv6 does not use broadcast at all.
- An IPv4 host is configured as 10.10.10.190/26. What is the broadcast address of its subnet?
- 10.10.10.191
- 10.10.10.255
- 10.10.10.128
- 10.10.10.127
Correct answer: 10.10.10.191
With a /26 mask the subnets increment by 64, placing 190 in the 128-to-191 block whose broadcast address is 10.10.10.191. The value 10.10.10.255 is the broadcast for a /24, 10.10.10.128 is the network address of this subnet, and 10.10.10.127 is the broadcast of the lower 64-to-127 block.
- How many equal-size subnets result when a /24 network is divided using a /28 mask?
Correct answer: 16
Borrowing 4 bits to move from /24 to /28 yields 2⁴ = 16 subnets, each with 14 usable hosts. Eight subnets corresponds to /27, 32 subnets corresponds to /29, and 4 subnets corresponds to /26.
- Which of the following is a valid private IPv4 address suitable for an internal LAN host?
- 172.34.5.6
- 192.168.250.40
- 198.18.0.1
- 209.165.200.225
Correct answer: 192.168.250.40
The address 192.168.250.40 is valid private space because the entire 192.168.0.0/16 block is reserved by RFC 1918 for internal use. 172.34.5.6 falls outside the 172.16.0.0 to 172.31.255.255 private range, 198.18.0.1 is benchmarking space (RFC 2544), and 209.165.200.225 is public address space.
- An administrator sees FE80::5A on a router interface alongside a separate 2001:DB8::1 address. What can be concluded about FE80::5A?
- It is a globally routable unicast address
- It is an IPv6 link-local address valid only on the directly connected link
- It is a unique local address used across the whole site
- It is a multicast group address
Correct answer: It is an IPv6 link-local address valid only on the directly connected link
FE80::5A falls within the FE80::/10 range, so it is an IPv6 link-local address whose validity is limited to the directly connected link. It is not globally routable, not within the FC00::/7 unique local range, and not a multicast address, so the other conclusions are incorrect.
- A wireless engineer must place four access points in an open office on the 2.4 GHz band so adjacent radios do not interfere, but only three nonoverlapping channels exist. What is the best practice for the fourth access point?
- Reuse one of the channels 1, 6, or 11 on the access point physically farthest from the one already using it
- Assign the fourth access point to channel 4 to fill the gap
- Disable the fourth access point to avoid all interference
- Configure the fourth access point on the same channel as its nearest neighbor
Correct answer: Reuse one of the channels 1, 6, or 11 on the access point physically farthest from the one already using it
The best practice is to reuse one of the nonoverlapping channels 1, 6, or 11 on the access point that is physically farthest from the one already using that channel, minimizing co-channel interference through spatial separation. Channel 4 overlaps with 1 and 6, disabling the access point sacrifices coverage, and matching a near neighbor's channel maximizes interference.
- Why does choosing UDP rather than TCP reduce per-flow overhead for real-time applications?
- UDP encrypts each datagram, removing the need for higher-layer security
- UDP omits connection setup, acknowledgments, and retransmissions, sending datagrams immediately
- UDP guarantees delivery using fewer bits than TCP
- UDP uses larger headers that carry more control information
Correct answer: UDP omits connection setup, acknowledgments, and retransmissions, sending datagrams immediately
UDP reduces overhead because it omits connection setup, acknowledgments, and retransmissions and simply sends datagrams, which benefits latency-sensitive real-time applications. UDP does not encrypt traffic, does not guarantee delivery, and actually uses a smaller header than TCP, so the other options are incorrect.
- A network technician must terminate a horizontal run from a wiring closet to a desk 90 meters away for a standard gigabit workstation connection at the lowest cost. Which medium is most appropriate?
- Single-mode fiber
- Multimode fiber
- Category 6 unshielded twisted-pair copper
- Coaxial cable
Correct answer: Category 6 unshielded twisted-pair copper
Category 6 unshielded twisted-pair copper is most appropriate because it supports gigabit speeds within the 100-meter limit at the lowest cost for a typical desk run of 90 meters. Single-mode and multimode fiber add unnecessary cost and complexity for this distance, and coaxial cable is not used for standard structured horizontal cabling.
- A switch port connected to an IP phone shows that the attached device is receiving electrical power from the switch over the data cable. Which standard-based feature delivers this power, and how is the power level negotiated?
- Power over Ethernet, with the switch and device negotiating the required wattage during link establishment
- Network Address Translation, with the switch translating power requests into IP packets
- Spanning Tree Protocol, with the root bridge allocating power to edge ports
- Dynamic ARP Inspection, with the switch validating power requests against a binding table
Correct answer: Power over Ethernet, with the switch and device negotiating the required wattage during link establishment
Power over Ethernet delivers the power, and the switch and powered device negotiate the required wattage during link establishment so the switch supplies an appropriate power class. Network Address Translation rewrites IP addresses, Spanning Tree prevents loops, and Dynamic ARP Inspection validates ARP, so none of those deliver or negotiate power.
- Which statement about an IPv6 global unicast address is correct?
- It is automatically generated on every interface only for on-link neighbor discovery
- It begins with the FF00::/8 prefix and reaches a group of interfaces
- It is restricted to a single link and is never routed off that segment
- It is globally routable on the Internet and typically falls within the 2000::/3 range
Correct answer: It is globally routable on the Internet and typically falls within the 2000::/3 range
An IPv6 global unicast address is globally routable on the Internet and currently falls within the 2000::/3 range, making it the IPv6 equivalent of a public IPv4 address. Automatic per-interface generation for on-link use describes link-local, the FF00::/8 prefix describes multicast, and link-restricted scope describes link-local, so the other statements are incorrect.
- An organization wants to group users by job function rather than by their physical location in the building, so that a finance employee on the third floor and one in the basement share the same logical network. Which switching feature accomplishes this?
- Configuring both switch ports as trunks
- Lowering the spanning-tree bridge priority on both switches
- Assigning both users to the same VLAN regardless of which switch they plug into
- Enabling Power over Ethernet on both ports
Correct answer: Assigning both users to the same VLAN regardless of which switch they plug into
Assigning both users to the same VLAN regardless of which switch they connect to is the feature that groups people logically rather than physically, because a VLAN spans switches and defines membership independent of cabling location. Trunking carries VLANs between switches but does not define membership, bridge priority affects spanning tree, and Power over Ethernet supplies electricity, so the other options do not provide logical grouping.
- A new VLAN 60 is created and ports are assigned to it, but the engineer notices the VLAN is not propagating to other switches automatically and must be created manually on each one. Assuming default VTP behavior is not in use, why must VLAN 60 be defined on every switch that carries it?
- Because VLANs created on one switch are forwarded as broadcasts to all switches
- Because each switch maintains its own local VLAN database and a VLAN must exist locally for its ports and trunk to handle that traffic
- Because a trunk automatically copies VLAN definitions to neighbors
- Because spanning tree refuses to forward any VLAN not numbered below 50
Correct answer: Because each switch maintains its own local VLAN database and a VLAN must exist locally for its ports and trunk to handle that traffic
Each switch maintains its own local VLAN database, so VLAN 60 must exist on every switch that has ports or trunk traffic for it before that switch will forward the VLAN's frames. VLAN definitions are not flooded as broadcasts, a trunk carries tagged traffic but does not by itself create VLAN entries on the neighbor, and VLAN numbering has nothing to do with spanning-tree forwarding, so the other options are incorrect.
- An engineer issues show vlan brief and sees that VLAN 1 exists by default along with several reserved VLANs. Which statement about the default VLAN on a Cisco switch is correct?
- VLAN 1 must be deleted before any other VLAN can forward traffic
- VLAN 1 can carry only tagged frames
- VLAN 1 is automatically the spanning-tree root for every topology
- All switch ports belong to VLAN 1 by default until reassigned
Correct answer: All switch ports belong to VLAN 1 by default until reassigned
All switch ports belong to VLAN 1 by default until they are reassigned, which is why an out-of-the-box switch places every access port in VLAN 1. VLAN 1 cannot be deleted and need not be, it carries untagged traffic as the default native VLAN, and it is not automatically the spanning-tree root, so the other options are incorrect.
- A company segments its network into separate VLANs for staff and Internet-of-Things devices primarily to limit the scope of broadcasts and to contain a compromised device. Which benefit of VLAN segmentation does this describe?
- It shrinks broadcast domains and improves security by isolating device groups
- It increases the clock speed of each switch port
- It removes the need for any routing in the network
- It guarantees encryption of all inter-device traffic
Correct answer: It shrinks broadcast domains and improves security by isolating device groups
Shrinking broadcast domains and isolating device groups for security is the benefit being described, since a separate VLAN keeps IoT broadcasts and a potential compromise away from the staff network. VLANs do not change port clock speed, they actually require routing to interconnect, and they do not encrypt traffic, so the other options are incorrect.
- A workstation is connected to a switch port that should be a simple access port for VLAN 70, but the port unexpectedly negotiated into a trunk because the default dynamic mode was left in place. Which command pins the port as a permanent access port to prevent this?
- Switchport mode dynamic desirable
- Switchport mode access
- Switchport nonegotiate trunk
- Switchport trunk encapsulation dot1q
Correct answer: Switchport mode access
The command switchport mode access pins the port as a permanent access port so it will never negotiate into a trunk, which is the recommended setting for end-user ports. Dynamic desirable actively tries to trunk, nonegotiate alone does not set the mode to access, and the encapsulation command configures trunk tagging rather than forcing access mode, so the other options are incorrect.
- On a voice-enabled access port, how does the switch typically tell the IP phone which VLAN to use for its voice traffic so that the phone tags its own frames correctly?
- By assigning the phone an IP address through DHCP option 43
- By sending the voice VLAN ID to the phone through CDP or LLDP-MED
- By electing the phone as a designated bridge
- By bundling the phone link with LACP
Correct answer: By sending the voice VLAN ID to the phone through CDP or LLDP-MED
Sending the voice VLAN ID to the phone through CDP or LLDP-MED is how the switch informs the phone which VLAN to tag its voice frames with on a voice-enabled access port. DHCP option 43 helps phones find a call manager rather than learn the voice VLAN, a phone is not elected as a designated bridge, and LACP bundles links rather than conveying VLAN policy, so the other options are incorrect.
- An end user moves a laptop from a port in access VLAN 20 to a port in access VLAN 35, and the laptop keeps its old IP address from the VLAN 20 subnet. The laptop now cannot reach its gateway. From a Layer 2 access-port standpoint, what is the underlying cause?
- The new access port enabled BPDU guard and shut down
- The access port must be a trunk to assign an address
- The MAC address table cannot relearn the laptop after a move
- The laptop is now in a different VLAN and subnet, so its old IP no longer matches the local gateway
Correct answer: The laptop is now in a different VLAN and subnet, so its old IP no longer matches the local gateway
The underlying cause is that the laptop now sits in a different VLAN and IP subnet, so its retained VLAN 20 address no longer matches the gateway serving VLAN 35. BPDU guard triggers only on a received BPDU, an access port does not need to be a trunk to pass its assigned VLAN, and the MAC table readily relearns a moved device, so the other options are incorrect.
- Which characteristic distinguishes an access port from a trunk port in terms of how it handles VLAN membership for a connected device?
- An access port negotiates encryption keys with the device
- An access port load-balances the device across multiple VLANs
- An access port advertises a routing table to the device
- An access port belongs to a single VLAN and presents untagged frames to the device
Correct answer: An access port belongs to a single VLAN and presents untagged frames to the device
Belonging to a single VLAN and presenting untagged frames to the connected device is the distinguishing characteristic of an access port, which keeps the end device unaware of VLAN tagging. Access ports do not negotiate encryption keys, do not spread a device across multiple VLANs, and do not advertise routing tables, so the other options are incorrect.
- A switch-to-switch link must carry VLANs 10, 20, and 30 between two buildings over one cable. Which command first sets the interface to operate as a trunk so it can carry multiple tagged VLANs?
- Switchport access vlan 10
- Switchport port-security maximum 3
- Switchport mode trunk
- Spanning-tree portfast
Correct answer: Switchport mode trunk
The command switchport mode trunk sets the interface to operate as a trunk so it can carry multiple tagged VLANs across the single link. The access vlan command would limit the port to one VLAN, port-security limits MAC addresses, and portfast affects spanning-tree transition, so none of those establish trunking.
- An engineer runs show interfaces trunk and confirms a link is trunking, but a remote VLAN's hosts still cannot communicate across it even though both ends are configured as trunks. The output shows the VLAN is not in the allowed list. What is the most likely reason traffic is blocked?
- The trunk is forwarding the VLAN untagged
- The VLAN is pruned from the trunk's allowed VLAN list, so its frames are not carried
- The trunk has BPDU guard enabled
- The VLAN exceeds the 802.1Q tag size
Correct answer: The VLAN is pruned from the trunk's allowed VLAN list, so its frames are not carried
The most likely reason is that the VLAN is pruned from the trunk's allowed VLAN list, so the trunk does not carry that VLAN's frames even though the link is up. Untagged forwarding applies only to the native VLAN, BPDU guard is an edge-port feature not used on inter-switch trunks, and no normal VLAN ID exceeds the 802.1Q field, so the other options are incorrect.
- When a switch port is configured as a trunk, how does it normally connect to neighboring devices in a typical campus design?
- It connects to other switches or to routers that need to carry multiple VLANs
- It connects only to wireless clients
- It connects only to printers and phones
- It connects exclusively to a single end-user PC
Correct answer: It connects to other switches or to routers that need to carry multiple VLANs
A trunk port normally connects to other switches or to routers that must carry multiple VLANs, which is the standard role of trunking in a campus design. Trunks are not intended for wireless clients, printers and phones, or a single end-user PC, since those typically use access ports, so the other options are incorrect.
- An administrator wants to verify which VLANs a particular trunk is actually carrying and forwarding after configuration. Which command provides a concise summary of trunking mode, encapsulation, native VLAN, and the VLANs allowed and active on each trunk?
- Show mac address-table
- Show ip route
- Show interfaces trunk
- Show cdp neighbors
Correct answer: Show interfaces trunk
The command show interfaces trunk provides a concise summary of each trunk's mode, encapsulation, native VLAN, and the VLANs allowed and actively forwarding. The mac address-table command shows learned MACs, ip route shows Layer 3 routes, and cdp neighbors shows directly connected devices, so none of those summarize trunk status.
- Within the four-byte 802.1Q tag, which field carries the value used for Layer 2 class-of-service quality-of-service marking?
- The VLAN identifier field
- The Tag Protocol Identifier field
- The Priority Code Point (PCP) field
- The Canonical Format Indicator field
Correct answer: The Priority Code Point (PCP) field
The Priority Code Point field carries the 3-bit value used for Layer 2 class-of-service marking inside the 802.1Q tag. The VLAN identifier field carries the VLAN number, the Tag Protocol Identifier marks the frame as 802.1Q tagged, and the Canonical Format Indicator (now the drop-eligible indicator) does not convey priority, so the other options are incorrect.
- Where in an Ethernet frame does an 802.1Q switch insert the four-byte VLAN tag?
- At the very end of the frame after the frame check sequence
- Inside the payload, replacing user data
- Before the destination MAC address
- Between the source MAC address and the EtherType/length field
Correct answer: Between the source MAC address and the EtherType/length field
An 802.1Q switch inserts the four-byte tag between the source MAC address and the EtherType/length field, which is why tagged frames require the frame check sequence to be recalculated. The tag is not appended after the FCS, does not overwrite the payload, and is not placed before the destination MAC, so the other options are incorrect.
- Two switches are connected, but one end is forcing ISL-style behavior assumptions while the modern switch only supports IEEE tagging. Which encapsulation must both ends agree on for the trunk to interoperate on current Cisco hardware?
- 802.3af power encapsulation
- 802.1X authentication framing
- 802.1Q, the IEEE standard tagging method supported on modern switches
- 802.11 wireless framing
Correct answer: 802.1Q, the IEEE standard tagging method supported on modern switches
Both ends must agree on 802.1Q, the IEEE standard tagging method supported on modern Cisco switches, since the legacy ISL encapsulation is no longer supported on current platforms. 802.3af defines Power over Ethernet, 802.1X defines port authentication, and 802.11 is a wireless standard, so none of those is a VLAN trunk encapsulation.
- Why must a switch recalculate the frame check sequence when it adds an 802.1Q tag to an Ethernet frame?
- Because tagging encrypts the frame and changes its length
- Because the destination MAC address is removed during tagging
- Because the native VLAN requires a doubled FCS
- Because inserting the four-byte tag changes the frame contents that the original FCS covered
Correct answer: Because inserting the four-byte tag changes the frame contents that the original FCS covered
The switch must recalculate the frame check sequence because inserting the four-byte tag changes the frame contents the original FCS was computed over, so a new FCS must reflect the tagged frame. Tagging does not encrypt the frame, does not remove the destination MAC, and the native VLAN does not require a doubled FCS, so the other options are incorrect.
- On an 802.1Q trunk, which single VLAN has its frames transmitted without a tag by default, making it distinct from every other VLAN on that trunk?
- The native VLAN
- The highest-numbered VLAN
- The voice VLAN
- The management VLAN automatically
Correct answer: The native VLAN
The native VLAN is the single VLAN whose frames are transmitted untagged by default on an 802.1Q trunk, which is what distinguishes it from all other tagged VLANs. The choice is not based on the highest VLAN number, the voice VLAN is tagged, and the management VLAN is not automatically the native VLAN, so the other options are incorrect.
- A security team recommends explicitly tagging the native VLAN on all trunks using the vlan dot1q tag native command. What is the primary security goal of forcing the native VLAN to be tagged?
- To increase trunk bandwidth
- To prevent double-tagging VLAN-hopping attacks that exploit untagged native traffic
- To enable Power over Ethernet on the trunk
- To shorten spanning-tree convergence
Correct answer: To prevent double-tagging VLAN-hopping attacks that exploit untagged native traffic
The primary security goal of tagging the native VLAN is to prevent double-tagging VLAN-hopping attacks, which abuse the fact that native traffic is normally untagged. Tagging the native VLAN does not increase bandwidth, has nothing to do with Power over Ethernet, and does not change spanning-tree convergence, so the other options are incorrect.
- An engineer sets the native VLAN to 200 on one trunk end and leaves it at the default of 1 on the other. Besides logging a mismatch message, which protocol most directly detects and reports this native VLAN inconsistency between the two switches?
- Dynamic Host Configuration Protocol
- Hot Standby Router Protocol
- Address Resolution Protocol
- Cisco Discovery Protocol
Correct answer: Cisco Discovery Protocol
Cisco Discovery Protocol most directly detects and reports a native VLAN mismatch, because CDP exchanges the native VLAN value between neighbors and logs the inconsistency. DHCP assigns addresses, HSRP provides gateway redundancy, and ARP resolves IP-to-MAC mappings, so none of those reports a native VLAN mismatch.
- What is the default native VLAN on a newly configured 802.1Q trunk on a Cisco switch before any change is made?
- VLAN 1
- VLAN 1002
- VLAN 4094
- VLAN 99
Correct answer: VLAN 1
The default native VLAN on a newly configured 802.1Q trunk is VLAN 1, which is why best practice is to change it to an unused VLAN. VLAN 1002 is a legacy reserved VLAN, VLAN 4094 is at the top of the range and not a default, and VLAN 99 is only the native VLAN if an administrator sets it, so the other options are incorrect.
- In a router-on-a-stick configuration, what must the encapsulation dot1q value on each router subinterface match for that subinterface to route the correct VLAN's traffic?
- The bridge priority of the root switch
- The MAC aging timer of the switch
- The VLAN ID tagged by the switch trunk for that subinterface's VLAN
- The LACP system priority
Correct answer: The VLAN ID tagged by the switch trunk for that subinterface's VLAN
The encapsulation dot1q value on each subinterface must match the VLAN ID that the switch trunk tags for that VLAN, so the router associates incoming tagged frames with the correct subinterface and gateway. The bridge priority, MAC aging timer, and LACP system priority are unrelated to subinterface VLAN tagging, so the other options are incorrect.
- On a Layer 3 switch performing inter-VLAN routing, which command must be enabled globally so that configured switched virtual interfaces can actually route packets between VLANs?
- Ip routing
- Spanning-tree mode rapid-pvst
- Switchport mode trunk
- Cdp run
Correct answer: Ip routing
The global command ip routing must be enabled so the Layer 3 switch can route packets between its switched virtual interfaces, since SVIs alone do not forward at Layer 3 until routing is turned on. The spanning-tree mode, trunk mode, and CDP commands do not enable routing, so the other options are incorrect.
- A switched virtual interface for VLAN 50 is configured with an IP address on a Layer 3 switch, but it remains in a down/down state and cannot route. The VLAN exists and ip routing is enabled. What condition most commonly keeps an SVI down?
- The SVI needs a loopback before it activates
- The SVI requires BPDU guard to come up
- The SVI must be placed in the native VLAN
- No access or trunk port in that VLAN is up and forwarding
Correct answer: No access or trunk port in that VLAN is up and forwarding
An SVI most commonly stays down when no access or trunk port in that VLAN is up and forwarding, because the SVI line protocol depends on at least one active port in the VLAN. A loopback is not required, BPDU guard does not activate an SVI, and the native VLAN setting is unrelated, so the other options are incorrect.
- A small office uses one router connected to a switch by a single trunk to route between three VLANs. Compared with using a multilayer switch, what is the main drawback of this router-on-a-stick approach?
- It cannot route between any VLANs at all
- All inter-VLAN traffic shares the bandwidth of the single trunk link, which can become a bottleneck
- It requires encryption on every VLAN
- It eliminates the need to configure any IP addresses
Correct answer: All inter-VLAN traffic shares the bandwidth of the single trunk link, which can become a bottleneck
The main drawback is that all inter-VLAN traffic shares the bandwidth of the single trunk link, which can become a bottleneck under load, unlike a multilayer switch that routes in hardware across the backplane. Router-on-a-stick does route between VLANs, does not require encryption, and still needs IP addresses on each subinterface, so the other options are incorrect.
- At which layer of the OSI model does Cisco Discovery Protocol operate, allowing it to gather neighbor information even when IP addressing is misconfigured?
- The network layer (Layer 3)
- The transport layer (Layer 4)
- The data link layer (Layer 2)
- The application layer (Layer 7)
Correct answer: The data link layer (Layer 2)
Cisco Discovery Protocol operates at the data link layer (Layer 2), which is why it can gather neighbor information even when IP addressing is wrong or absent. It does not run at the network, transport, or application layers, so the other options are incorrect.
- An engineer wants to see the platform model and IOS version of a directly connected Cisco neighbor, not just its name and port. Which command displays this fuller per-neighbor information?
- Show cdp interface
- Show cdp neighbors detail
- Show cdp traffic
- Show cdp
Correct answer: Show cdp neighbors detail
The command show cdp neighbors detail displays the fuller per-neighbor information including platform model, IOS version, and management address. The cdp interface command shows CDP timers per interface, cdp traffic shows packet counters, and show cdp shows global CDP status, so none of those gives the detailed neighbor inventory.
- A security audit recommends disabling Cisco Discovery Protocol on ports facing untrusted or external connections. What is the primary security rationale for this recommendation?
- CDP advertises device details such as model and IOS version that could aid an attacker
- CDP encrypts traffic and slows the link
- CDP assigns IP addresses that attackers could hijack
- CDP forces all ports into trunk mode
Correct answer: CDP advertises device details such as model and IOS version that could aid an attacker
The primary rationale is that CDP advertises device details such as model and IOS version, which could give an attacker reconnaissance information about the network. CDP does not encrypt traffic, does not assign IP addresses, and does not force ports into trunk mode, so the other options are incorrect.
- By default, how often does a Cisco device send CDP advertisements out its enabled interfaces?
- Every 10 seconds
- Every 60 seconds
- Every 30 seconds
- Every 180 seconds
Correct answer: Every 60 seconds
By default a Cisco device sends CDP advertisements every 60 seconds, with a default holdtime of 180 seconds before a neighbor entry ages out. The 10-second and 30-second intervals do not match the CDP timer, and 180 seconds is the holdtime rather than the advertisement interval, so the other options are incorrect.
- Which IEEE standard defines LLDP, the vendor-neutral Layer 2 discovery protocol used to advertise device identity across mixed-vendor networks?
- IEEE 802.3af
- IEEE 802.1D
- IEEE 802.11ax
- IEEE 802.1AB
Correct answer: IEEE 802.1AB
IEEE 802.1AB defines LLDP, the vendor-neutral Layer 2 discovery protocol for advertising device identity across mixed-vendor networks. IEEE 802.3af defines Power over Ethernet, 802.1D defines classic spanning tree, and 802.11ax is a wireless standard, so none of those defines LLDP.
- An engineer wants a switch to listen for LLDP advertisements on an interface but not send its own, to passively learn about a neighbor. Which interface-level commands achieve receive-only LLDP behavior?
- Lldp run globally only
- No lldp transmit combined with lldp receive
- No cdp enable on the interface
- Switchport mode access
Correct answer: No lldp transmit combined with lldp receive
Configuring no lldp transmit together with lldp receive on the interface achieves receive-only behavior, letting the switch learn about the neighbor without advertising itself. The global lldp run command enables both directions, no cdp enable affects CDP not LLDP, and switchport mode access sets the port type rather than LLDP direction, so the other options are incorrect.
- In LLDP terminology, which mandatory pieces of information uniquely identify both the sending device and the specific port that originated an advertisement?
- The bridge priority and the root cost
- The DHCP lease and the subnet mask
- The chassis ID and the port ID
- The administrative distance and the metric
Correct answer: The chassis ID and the port ID
The chassis ID and the port ID are the mandatory LLDP fields that uniquely identify the sending device and the specific originating port. Bridge priority and root cost belong to spanning tree, DHCP lease and subnet mask are addressing details, and administrative distance and metric are routing concepts, so the other options are incorrect.
- A mixed network has Cisco switches running both CDP and LLDP, and non-Cisco switches running only LLDP. Why does enabling LLDP in addition to CDP improve end-to-end neighbor visibility?
- LLDP replaces the need for any IP addressing
- LLDP encrypts all neighbor data automatically
- LLDP lets Cisco and non-Cisco devices discover each other since the non-Cisco devices cannot speak CDP
- LLDP forces all neighbors onto the native VLAN
Correct answer: LLDP lets Cisco and non-Cisco devices discover each other since the non-Cisco devices cannot speak CDP
Enabling LLDP improves visibility because it lets Cisco and non-Cisco devices discover one another, since the non-Cisco switches cannot speak the proprietary CDP. LLDP does not remove the need for IP addressing, does not encrypt neighbor data, and does not move neighbors onto the native VLAN, so the other options are incorrect.
- An engineer bundles ports into an EtherChannel, but the bundle stays suspended because the member interfaces have inconsistent settings. Which set of parameters must match on all member ports for the EtherChannel to form?
- The IP address of each member
- Speed, duplex, and VLAN/trunk configuration on every member
- The serial number of each line card
- The DHCP scope of the attached hosts
Correct answer: Speed, duplex, and VLAN/trunk configuration on every member
Speed, duplex, and VLAN/trunk configuration must match on every member port for the EtherChannel to form, because inconsistent member settings cause the bundle to be suspended. Per-member IP addresses are not used on a Layer 2 bundle, line-card serial numbers are irrelevant, and the hosts' DHCP scope has nothing to do with bundling, so the other options are incorrect.
- After building a four-link EtherChannel, an engineer notices that traffic between two specific hosts always uses the same physical member link rather than spreading evenly. What explains this behavior of EtherChannel?
- EtherChannel load-balances per flow using a hash, so a single conversation stays on one member link
- EtherChannel splits each packet across all four links bit by bit
- EtherChannel blocks three links and uses only one at a time
- EtherChannel rotates links every second regardless of flow
Correct answer: EtherChannel load-balances per flow using a hash, so a single conversation stays on one member link
EtherChannel load-balances per flow using a hash of fields such as MAC or IP addresses, so a single conversation between two hosts consistently uses one member link. It does not split a packet bit by bit across links, does not block three of the four, and does not rotate by time, so the other options are incorrect.
- An engineer must configure a Layer 2 EtherChannel using only static bundling with no negotiation protocol on either side. Which channel-group mode accomplishes unconditional bundling?
- Mode active
- Mode passive
- Mode on
- Mode desirable
Correct answer: Mode on
Using channel-group mode on accomplishes unconditional static bundling with no negotiation protocol, which requires both ends to also be set to on. Active and passive are LACP negotiation modes, and desirable is a PAgP mode, so none of those provide pure static bundling.
- Two switches have a working EtherChannel, and one of the four member links physically fails. What happens to traffic on the bundle?
- The entire EtherChannel goes down until the link is repaired
- All traffic switches to spanning-tree blocking
- Traffic continues over the remaining member links with reduced aggregate bandwidth
- The bundle converts each surviving link into a separate VLAN
Correct answer: Traffic continues over the remaining member links with reduced aggregate bandwidth
Traffic continues over the remaining member links with reduced aggregate bandwidth when one member fails, which is the redundancy benefit of EtherChannel. The whole bundle does not go down, spanning tree does not need to block the survivors, and the links are not converted into separate VLANs, so the other options are incorrect.
- Which command bundles interfaces into an EtherChannel and simultaneously sets them to use LACP active negotiation?
- Channel-group 1 mode on
- Channel-group 1 mode desirable
- Switchport mode trunk
- Channel-group 1 mode active
Correct answer: Channel-group 1 mode active
The command channel-group 1 mode active bundles the interfaces and sets them to LACP active negotiation, where the port actively initiates LACP. Mode on uses no negotiation, mode desirable is PAgP, and switchport mode trunk only sets trunking rather than bundling, so the other options are incorrect.
- In LACP, what is the purpose of the system priority and port priority values when more potential member links exist than the bundle can use?
- They determine which links become active members and which are placed in standby
- They set the spanning-tree root for the bundle
- They assign IP addresses to each member
- They control the DHCP scope on the bundle
Correct answer: They determine which links become active members and which are placed in standby
LACP system and port priority values determine which links become active members and which are held in standby when there are more candidate links than the bundle can use. They do not set the spanning-tree root, assign IP addresses, or control DHCP, so the other options are incorrect.
- An engineer wants the EtherChannel negotiation to use the open IEEE protocol so it can interoperate with a non-Cisco switch on the far end. Which two LACP mode combinations will successfully negotiate across the vendors?
- On with on
- Desirable with auto
- Passive with passive
- Active with active, or active with passive
Correct answer: Active with active, or active with passive
Active with active, or active with passive, will successfully negotiate an LACP EtherChannel across vendors because at least one side actively initiates the open LACP protocol. On with on uses no protocol at all, desirable with auto is the Cisco-proprietary PAgP, and passive with passive never initiates, so those combinations are incorrect.
- Which command displays the LACP negotiation state and shows whether each member port has reached the bundled state in a port-channel?
- Show ip interface brief
- Show vlan brief
- Show mac address-table
- Show etherchannel summary
Correct answer: Show etherchannel summary
The command show etherchannel summary displays the LACP negotiation state and indicates whether each member port has reached the bundled state, often shown with a P flag. The ip interface brief, vlan brief, and mac address-table commands report addressing, VLANs, and learned MACs respectively, so none of those shows EtherChannel bundling status.
- Which sequence of port states does a port go through in classic 802.1D Spanning Tree Protocol before it begins forwarding user data?
- Blocking, listening, learning, forwarding
- Forwarding, blocking, disabled, learning
- Learning, forwarding, blocking, listening
- Listening, forwarding, blocking, learning
Correct answer: Blocking, listening, learning, forwarding
In classic 802.1D the port progresses through blocking, then listening, then learning, and finally forwarding before it passes user data. The other sequences list the states out of order, so they do not describe the correct STP progression.
- On a non-root switch in Spanning Tree Protocol, how is the single root port chosen among its multiple links toward the root bridge?
- It is the port with the highest VLAN number
- It is the port with the lowest cumulative path cost to the root bridge
- It is the port that received a frame most recently
- It is the port with the largest MAC address
Correct answer: It is the port with the lowest cumulative path cost to the root bridge
The root port on a non-root switch is the port with the lowest cumulative path cost to the root bridge, with sender bridge ID and port ID as tiebreakers. It is not chosen by VLAN number, recent frame arrival, or largest MAC address, so the other options are incorrect.
- A switch loses all incoming BPDUs on a segment because of a unidirectional link, and a previously blocked port erroneously transitions to forwarding, creating a loop. Which Spanning Tree Protocol concept explains why ongoing BPDU reception is essential to keep a port blocked?
- BPDUs assign IP addresses needed before blocking
- BPDUs supply Power over Ethernet to the blocking port
- BPDUs continually inform a switch that a better path exists, so losing them can cause an alternate port to unblock
- BPDUs encrypt the spanning-tree topology
Correct answer: BPDUs continually inform a switch that a better path exists, so losing them can cause an alternate port to unblock
Ongoing BPDU reception continually informs a switch that a better path exists, so when those BPDUs are lost the alternate port can age out and unblock, risking a loop. BPDUs do not assign IP addresses, supply power, or encrypt the topology, so the other options are incorrect.
- In a network running Rapid PVST+, which port roles replace the older designations and represent the best backup paths to the root and to a segment respectively?
- Alternate port and backup port
- Native port and voice port
- Trunk port and access port
- Helper port and relay port
Correct answer: Alternate port and backup port
The alternate port and backup port are the Rapid PVST+ roles that represent backup paths to the root and to a segment respectively, complementing the root and designated roles. Native and voice ports relate to VLAN assignment, trunk and access are switchport types, and helper and relay are not STP roles, so the other options are incorrect.
- Which command sets a Cisco switch to use the per-VLAN rapid spanning-tree variant that is based on 802.1w?
- Spanning-tree mode mst
- Spanning-tree mode pvst
- Spanning-tree mode rapid-pvst
- No spanning-tree vlan 1
Correct answer: Spanning-tree mode rapid-pvst
The command spanning-tree mode rapid-pvst sets the switch to the per-VLAN rapid spanning-tree variant based on 802.1w. The mst command selects Multiple Spanning Tree, the pvst command selects the slower 802.1D-based per-VLAN mode, and disabling STP on VLAN 1 does not set the rapid mode, so the other options are incorrect.
- Why does Rapid PVST+ classify a port connected to a single end host as an edge port, and what advantage does that classification provide?
- Because edge ports become the root bridge automatically
- Because edge ports tag all frames with the native VLAN
- Because edge ports always block to prevent loops
- Because no switch is expected there, the edge port transitions directly to forwarding without the proposal/agreement delay
Correct answer: Because no switch is expected there, the edge port transitions directly to forwarding without the proposal/agreement delay
Rapid PVST+ classifies a port to a single end host as an edge port because no switch is expected there, allowing it to transition directly to forwarding without the proposal/agreement delay. Edge ports do not become the root bridge, do not tag all frames with the native VLAN, and do not always block, so the other options are incorrect.
- An engineer enables PortFast on all access ports at once using a single global command instead of per interface. Which global default command applies PortFast to every operational access port automatically?
- Spanning-tree portfast default
- Spanning-tree portfast trunk
- Spanning-tree backbonefast
- Spanning-tree uplinkfast
Correct answer: Spanning-tree portfast default
The global command spanning-tree portfast default applies PortFast automatically to every operational access port, saving per-interface configuration. The portfast trunk option is for special trunk cases, while backbonefast and uplinkfast are separate convergence features, so the other options do not enable PortFast on all access ports by default.
- A server administrator complains that servers time out during DHCP because the switch port takes about 30 seconds to begin forwarding after a reboot. Which feature should be enabled on those access ports to eliminate the startup delay?
- Root guard, to force the server to become root
- BPDU filtering on the uplink trunk
- LACP active mode on the server port
- PortFast, so the port forwards immediately instead of waiting through listening and learning
Correct answer: PortFast, so the port forwards immediately instead of waiting through listening and learning
PortFast should be enabled so the access port forwards immediately rather than waiting through the listening and learning states, which eliminates the DHCP timeout on server boot. Root guard does not speed forwarding, BPDU filtering on a trunk is unrelated, and LACP applies to link bundling, so the other options are incorrect.
- What risk arises if PortFast is mistakenly enabled on a port that is actually connected to another switch?
- The port skips the loop-prevention delay and can immediately create a switching loop
- The port automatically becomes a trunk and routes traffic
- The port disables all VLANs on the switch
- The port begins supplying Power over Ethernet
Correct answer: The port skips the loop-prevention delay and can immediately create a switching loop
The risk is that the port skips the loop-prevention delay and can immediately create a switching loop, because PortFast assumes no switch is attached. It does not turn the port into a router, disable all VLANs, or supply Power over Ethernet, so the other options are incorrect.
- An access port protected by BPDU guard was placed in err-disabled state after a rogue switch was briefly connected and then removed. Which approach lets the port recover automatically after a set interval without manual intervention?
- Convert the port to a trunk
- Configure errdisable recovery for the bpduguard cause with a recovery interval
- Enable root guard on the same port
- Lower the bridge priority of the switch
Correct answer: Configure errdisable recovery for the bpduguard cause with a recovery interval
Configuring errdisable recovery for the bpduguard cause with a recovery interval lets the port re-enable automatically after the timer expires, avoiding a manual shut/no shut. Converting to a trunk, enabling root guard, or lowering bridge priority do not provide automatic err-disable recovery, so the other options are incorrect.
- Which command enables BPDU guard globally so it automatically protects all ports that have PortFast enabled?
- Spanning-tree guard root
- Spanning-tree portfast bpduguard default
- Spanning-tree mode mst
- Spanning-tree bpdufilter default
Correct answer: Spanning-tree portfast bpduguard default
The command spanning-tree portfast bpduguard default enables BPDU guard globally for all PortFast-enabled ports, so any unexpected BPDU err-disables the port. The guard root command applies root guard, the mode mst command changes the STP variant, and bpdufilter suppresses BPDUs rather than guarding, so the other options are incorrect.
- How does BPDU guard differ in its action from BPDU filter when an edge port unexpectedly receives a BPDU?
- BPDU guard reboots the switch, while BPDU filter blocks all VLANs
- BPDU guard err-disables the port, while BPDU filter simply ignores or drops BPDUs on the port
- BPDU guard routes the BPDU, while BPDU filter encrypts it
- BPDU guard and BPDU filter behave identically in all cases
Correct answer: BPDU guard err-disables the port, while BPDU filter simply ignores or drops BPDUs on the port
BPDU guard err-disables the port when an unexpected BPDU arrives, whereas BPDU filter simply ignores or drops BPDUs on the port without shutting it down. BPDU guard does not reboot the switch, neither feature routes or encrypts BPDUs, and the two do not behave identically, so the other options are incorrect.
- An engineer applies root guard on a distribution-switch port and then a downstream switch sends a superior BPDU claiming a better root. What recovery behavior does root guard exhibit once the superior BPDUs stop arriving?
- The port remains permanently err-disabled until reloaded
- The port converts into a routed Layer 3 interface
- The port is removed from its VLAN permanently
- The port automatically returns to forwarding from the root-inconsistent state
Correct answer: The port automatically returns to forwarding from the root-inconsistent state
Once the superior BPDUs stop arriving, root guard automatically returns the port to forwarding from the root-inconsistent state, which is a key difference from BPDU guard's err-disable behavior. The port is not permanently err-disabled, not converted to a routed interface, and not removed from its VLAN, so the other options are incorrect.
- Which command applies root guard to an interface so that any neighbor reached through that port is prevented from becoming the spanning-tree root?
- Spanning-tree guard root
- Spanning-tree bpduguard enable
- Spanning-tree portfast
- Spanning-tree cost 100
Correct answer: Spanning-tree guard root
The interface command spanning-tree guard root applies root guard so that any neighbor reached through the port cannot become the spanning-tree root. The bpduguard enable command applies BPDU guard, portfast speeds edge transition, and the cost command changes path cost, so none of those configures root guard.
- In a hierarchical campus, where is root guard most appropriately deployed to keep the root bridge anchored in the core or distribution layer?
- On the designated ports facing downstream toward access-layer switches
- On the uplink toward the core root bridge
- On every end-user access port
- On the loopback interface of each router
Correct answer: On the designated ports facing downstream toward access-layer switches
Root guard is most appropriately deployed on the designated ports facing downstream toward the access layer, because that blocks any downstream switch from claiming the root role. Applying it on the uplink toward the legitimate root, on end-user access ports (where BPDU guard fits better), or on a loopback would not protect root placement correctly, so the other options are incorrect.
- On a switch running Spanning Tree Protocol, two equal links lead toward the root bridge through different neighbors. After comparing path cost, the costs tie. Which value does the switch use next to break the tie and select its root port?
- The highest IP address on each link
- The MAC aging timer of the local switch
- The sending switch's bridge ID, then the sender's port ID
- The number of VLANs carried on each link
Correct answer: The sending switch's bridge ID, then the sender's port ID
When root path costs tie, the switch breaks the tie using the sending switch's bridge ID and then the sender's port ID to select its root port. The highest IP address, the MAC aging timer, and the number of VLANs are not part of the root-port tiebreaker, so the other options are incorrect.
- When a router examines its routing table, what does the next-hop value associated with a route tell the router?
- The number of hosts allowed on the destination subnet
- The encryption key required to reach the destination
- The MAC address aging timer for the destination VLAN
- The IP address or exit interface the router should use to forward packets toward that destination
Correct answer: The IP address or exit interface the router should use to forward packets toward that destination
The next-hop value tells the router the IP address or exit interface to use when forwarding packets toward the destination network, which is how the route is actually carried out. It does not indicate a host count, an encryption key, or a MAC aging timer, so the other options misstate what the next hop represents.
- In a Cisco routing table, what does the route source code letter at the beginning of an entry indicate?
- The administrative password protecting the route
- The total bandwidth of the destination link
- How the route was learned, such as directly connected, static, or by a dynamic protocol
- The spanning-tree role of the next-hop switch
Correct answer: How the route was learned, such as directly connected, static, or by a dynamic protocol
The route source code identifies how the route was learned, with letters such as C for connected, S for static, and O for OSPF. It does not represent a password, the link bandwidth, or a spanning-tree role, so the other options are incorrect.
- A router's routing table shows the entry C for the network directly attached to one of its interfaces. What does the C code indicate about how that route was placed in the table?
- It was learned through OSPF from a neighbor
- It is a directly connected network on an active interface with an IP address
- It was entered manually as a static route
- It was redistributed from another routing protocol
Correct answer: It is a directly connected network on an active interface with an IP address
The C code marks a directly connected network, meaning the router placed the route automatically because the interface is up and has an IP address in that subnet. It was not learned by OSPF, entered as a static route, or redistributed, so the other options describe different route sources.
- Which four elements are most directly read from a single routing table entry to forward a packet?
- The source MAC, the VLAN ID, the duplex setting, and the speed
- The DHCP lease time, the DNS server, the gateway MAC, and the TTL
- The SSID, the channel, the encryption type, and the signal strength
- The destination prefix, the prefix length or mask, the next-hop address, and the exit interface
Correct answer: The destination prefix, the prefix length or mask, the next-hop address, and the exit interface
A routing table entry provides the destination prefix, its prefix length or mask, the next-hop address, and the exit interface, which together let the router forward the packet. MAC and VLAN details, DHCP and DNS values, and wireless parameters are not routing table forwarding fields, so the other options are incorrect.
- A network has both 10.1.0.0/16 and 10.1.5.0/24 in the routing table. A packet is destined for 10.1.5.42. Which route does the router use to forward it, and why?
- 10.1.0.0/16, because a shorter prefix is always preferred
- Neither, because two overlapping routes cancel each other out
- 10.1.5.0/24, because it is the longest prefix that matches the destination
- Both at once, splitting the packet across them
Correct answer: 10.1.5.0/24, because it is the longest prefix that matches the destination
The router forwards using 10.1.5.0/24 because longest prefix match selects the most specific route that contains the destination address, and /24 is more specific than /16. A shorter prefix is not preferred, overlapping routes do not cancel, and a packet is not split across routes, so the other options are incorrect.
- What does the principle of longest prefix match govern on a router?
- Which redundant gateway becomes active in a first-hop redundancy group
- How a router selects the most specific matching route when forwarding a packet
- How many host bits are borrowed when subnetting
- How OSPF elects its designated router
Correct answer: How a router selects the most specific matching route when forwarding a packet
Longest prefix match governs how a router selects the most specific (longest matching prefix) route from its table when deciding where to forward a packet. It is unrelated to gateway election, host-bit borrowing during subnetting, or OSPF designated router selection, so the other options are incorrect.
- A router's table contains 0.0.0.0/0, 192.168.0.0/16, and 192.168.10.0/24. A packet is sent to 192.168.10.7. Using longest prefix match, which route is chosen?
- 192.168.10.0/24
- 0.0.0.0/0
- 192.168.0.0/16
- The router drops the packet because three routes match
Correct answer: 192.168.10.0/24
The router chooses 192.168.10.0/24 because, among the three matching routes, it has the longest prefix and is therefore the most specific match for 192.168.10.7. The default route and the /16 are less specific, and multiple matches do not cause a drop because longest prefix match resolves the choice, so the other options are incorrect.
- Two routing protocols offer a router a route to the same destination network. Which value does the router use to decide which protocol's route to install in the routing table?
- The administrative distance of each route source
- The MAC address aging timer
- The 802.1Q VLAN tag of the route
- The DHCP lease duration
Correct answer: The administrative distance of each route source
The router uses administrative distance to choose between route sources, installing the route from the source with the lower administrative distance because it is considered more trustworthy. MAC aging timers, VLAN tags, and DHCP lease durations have nothing to do with selecting between routing sources, so the other options are incorrect.
- What is the default administrative distance of a directly connected route on a Cisco router?
Correct answer: 0
A directly connected route has a default administrative distance of 0, the lowest value, because nothing is more trustworthy than a network the router is directly attached to. An administrative distance of 1 is the default for static routes, 90 is internal EIGRP, and 110 is OSPF, so the other values do not apply to connected routes.
- A router learns the same network from both OSPF (administrative distance 110) and a static route (administrative distance 1). Assuming both are valid, which route does the router install, and why?
- The OSPF route, because dynamic routes are always preferred
- The static route, because its lower administrative distance is more trusted
- Both routes, load-balancing equally between them
- Neither route, because the administrative distances conflict
Correct answer: The static route, because its lower administrative distance is more trusted
The router installs the static route because its administrative distance of 1 is lower than OSPF's 110, and a lower administrative distance is considered more trustworthy. Dynamic routes are not automatically preferred, the two are not load-balanced across differing administrative distances, and a difference in administrative distance is exactly how the router resolves the choice rather than a conflict, so the other options are incorrect.
- Which statement correctly describes the role of administrative distance versus a routing metric?
- Administrative distance and metric are the same value used interchangeably
- A metric chooses between routing protocols, while administrative distance ranks routes inside one protocol
- Both values apply only to directly connected interfaces
- Administrative distance compares routes from different sources, while a metric compares routes within the same protocol
Correct answer: Administrative distance compares routes from different sources, while a metric compares routes within the same protocol
Administrative distance is used to compare routes learned from different sources, while a metric is used by a single protocol to compare its own candidate routes to the same destination. The two are not interchangeable, the roles are not reversed, and they do not apply only to connected interfaces, so the other options are incorrect.
- What is the function of a default route on a router?
- It blocks all traffic destined for unknown networks
- It assigns IP addresses to directly connected hosts
- It elects the designated router for an OSPF segment
- It forwards packets whose destination does not match any more specific route in the table
Correct answer: It forwards packets whose destination does not match any more specific route in the table
A default route forwards packets toward a configured next hop whenever the destination does not match any more specific entry in the routing table, acting as a catch-all path. It does not block unknown traffic, assign host addresses, or elect an OSPF designated router, so the other options are incorrect.
- Which prefix and mask represent the default route in IPv4?
- 255.255.255.255/32
- 127.0.0.0/8
- 0.0.0.0/0
- 224.0.0.0/4
Correct answer: 0.0.0.0/0
The default route is written as 0.0.0.0/0, a prefix with a zero-length mask that matches every possible destination address as a last resort. 255.255.255.255/32 is a single host broadcast address, 127.0.0.0/8 is loopback, and 224.0.0.0/4 is multicast, so none of those represent the default route.
- A branch router connects to the Internet through a single ISP link and has no specific routes for external destinations. Which configuration most efficiently sends all unknown-destination traffic to the ISP?
- A separate static route for every possible Internet network
- An access list permitting all traffic
- A static default route pointing to the ISP next hop
- A floating static route with a high administrative distance
Correct answer: A static default route pointing to the ISP next hop
A static default route pointing to the ISP next hop is the most efficient choice because one entry catches all unknown destinations and forwards them out the single Internet link. Configuring a route for every Internet network is impossible to maintain, an access list does not forward traffic, and a floating static route would be a backup that stays inactive while a better route exists, so the other options do not fit.
- What is the defining characteristic of a floating static route?
- It changes its destination prefix automatically based on traffic load
- It is assigned an administrative distance higher than the primary route so it only activates if the primary fails
- It is learned dynamically and cannot be configured manually
- It forwards traffic to multiple next hops simultaneously at all times
Correct answer: It is assigned an administrative distance higher than the primary route so it only activates if the primary fails
A floating static route is defined by an administrative distance set higher than the primary route, so it stays out of the routing table and only floats in when the preferred route is lost. It does not change its prefix by load, it is configured manually rather than learned, and it serves as a backup rather than always forwarding to multiple next hops, so the other options are incorrect.
- An engineer wants a secondary WAN link to serve as a backup that is used only when the primary OSPF-learned path (administrative distance 110) goes down. Which administrative distance on the backup static route would make it a proper floating static route?
- A value of 130
- A value of 0
- A value of 1
- A value of 110
Correct answer: A value of 130
An administrative distance of 130 makes the static route float because it is higher than the primary OSPF route's 110, so the backup only enters the table after OSPF withdraws its route. A value of 0 or 1 would make the static route preferred over OSPF, and 110 would tie rather than back up the OSPF route, so the other values do not produce a backup.
- Why does a floating static route remain absent from the active routing table while the primary route is up?
- Because its higher administrative distance makes it less preferred than the active primary route
- Because its destination prefix is invalid until needed
- Because static routes can never coexist with dynamic routes
- Because it is automatically deleted every time the primary route refreshes
Correct answer: Because its higher administrative distance makes it less preferred than the active primary route
The floating static route stays out of the active table because its deliberately higher administrative distance makes it less preferred than the working primary route, so only the better route is installed. Its prefix is valid, static and dynamic routes can coexist, and it is suppressed rather than deleted, so the other options are incorrect.
- What type of routing protocol is OSPF?
- A distance-vector protocol that shares its full routing table with neighbors
- A path-vector protocol used between autonomous systems on the Internet
- A Layer 2 discovery protocol for directly connected neighbors
- A link-state protocol that builds a topology map and runs the shortest-path-first algorithm
Correct answer: A link-state protocol that builds a topology map and runs the shortest-path-first algorithm
OSPF is a link-state protocol, meaning each router builds a complete topology map from link-state advertisements and runs the shortest-path-first (Dijkstra) algorithm to compute routes. It is not a distance-vector or path-vector protocol, and it operates at Layer 3 rather than being a Layer 2 discovery protocol, so the other options are incorrect.
- Which metric does OSPF use by default to determine the best path to a destination?
- Hop count
- Administrative distance
- Cost, which is derived from interface bandwidth
- The number of configured VLANs
Correct answer: Cost, which is derived from interface bandwidth
OSPF uses cost as its metric, and by default the cost of an interface is derived from its bandwidth, so higher-bandwidth links have lower cost and are preferred. Hop count is used by RIP, administrative distance compares route sources rather than paths within OSPF, and VLAN count is irrelevant, so the other options are incorrect.
- Which command sequence enables OSPF process 1 and advertises the network 10.0.0.0/24 in area 0 on a Cisco router?
- Router ospf 1 followed by network 10.0.0.0 0.0.0.255 area 0
- Router ospf 1 followed by network 10.0.0.0 255.255.255.0 area 0
- Ip route 10.0.0.0 0.0.0.255 area 0
- Switchport ospf 1 area 0
Correct answer: Router ospf 1 followed by network 10.0.0.0 0.0.0.255 area 0
The correct sequence is router ospf 1 followed by network 10.0.0.0 0.0.0.255 area 0, because the OSPF network command uses a wildcard mask rather than a subnet mask. Supplying a subnet mask instead of a wildcard is incorrect, ip route configures static routes, and switchport ospf is not a valid command, so the other options are wrong.
- What does the OSPF scope described by single-area OSPFv2 mean?
- Each interface must reside in its own separate area
- All OSPF routers are placed in a single area, typically area 0, with no multi-area design
- OSPF runs only on a single physical interface per router
- Only one router in the network may run OSPF at a time
Correct answer: All OSPF routers are placed in a single area, typically area 0, with no multi-area design
Single-area OSPFv2 means all participating routers and links are placed within one area, usually the backbone area 0, rather than dividing the network into multiple areas. It does not require each interface in its own area, does not limit OSPF to one interface, and does not restrict OSPF to a single router, so the other options are incorrect.
- In a single-area OSPFv2 deployment, which area number is conventionally used for the backbone where all routers reside?
- Area 1
- Area 255
- Area 0
- Area 100
Correct answer: Area 0
Area 0 is the backbone area, and in a single-area design all routers reside in area 0 by convention. Areas 1, 255, and 100 are nonzero areas that would imply a multi-area design, so they are not the standard single-area backbone, making the other options incorrect.
- Two directly connected OSPF routers must form a neighbor adjacency. Which of the following values must match on both for the adjacency to come up?
- Their OSPF router IDs
- Their hello and dead interval timers and the area ID on the connecting interface
- Their hostnames
- Their administrative distance settings
Correct answer: Their hello and dead interval timers and the area ID on the connecting interface
The hello and dead interval timers and the area ID on the connecting interface must match for two OSPF routers to form an adjacency. Router IDs must instead be unique rather than matching, hostnames are irrelevant, and administrative distance is a local route-selection value, so the other options are incorrect.
- Two OSPF routers on the same subnet remain stuck in the two-way or init state and never reach full adjacency, and the engineer finds the interfaces are in different OSPF areas. Why does the adjacency fail?
- Because the routers have different hostnames
- Because OSPF requires matching area IDs on the connecting interfaces to form an adjacency
- Because one router has more interfaces than the other
- Because the link uses copper instead of fiber
Correct answer: Because OSPF requires matching area IDs on the connecting interfaces to form an adjacency
The adjacency fails because OSPF requires the interfaces on both sides of a link to be in the same area, and a mismatched area ID prevents the neighbors from progressing to full adjacency. Hostnames, interface counts, and the cabling medium do not determine OSPF adjacency, so the other options are incorrect.
- Which OSPF packet type do routers send periodically to discover and maintain neighbor relationships on a segment?
- Link-state update packets
- Hello packets
- Database description packets
- Link-state acknowledgment packets
Correct answer: Hello packets
OSPF routers send Hello packets periodically to discover neighbors and keep adjacencies alive on a segment. Link-state update packets carry routing information, database description packets summarize the database during synchronization, and link-state acknowledgments confirm receipt, so none of those are the neighbor-discovery hello mechanism.
- On an OSPF broadcast multiaccess network such as an Ethernet segment, why are a designated router (DR) and backup designated router (BDR) elected?
- To assign IP addresses to the other routers
- To reduce the number of adjacencies and limit link-state advertisement flooding on the segment
- To replace the need for a routing table on each router
- To encrypt OSPF hello packets
Correct answer: To reduce the number of adjacencies and limit link-state advertisement flooding on the segment
A DR and BDR are elected on broadcast multiaccess segments to reduce the number of full adjacencies and limit redundant link-state advertisement flooding, since all routers form full adjacencies only with the DR and BDR. The election does not assign addresses, eliminate routing tables, or encrypt hellos, so the other options are incorrect.
- Which router becomes the OSPF designated router on a broadcast segment when no interface priorities have been changed from their defaults?
- The router with the lowest IP address on the segment
- The router that booted most recently
- The router with the fewest interfaces
- The router with the highest OSPF priority, and if those tie, the highest router ID
Correct answer: The router with the highest OSPF priority, and if those tie, the highest router ID
The designated router is the router with the highest OSPF interface priority, and when priorities are equal (the default), the highest router ID breaks the tie. The lowest IP address, most recent boot time, and interface count are not the DR election criteria, so the other options are incorrect.
- An engineer wants a specific powerful router to always win the OSPF designated router election on a shared Ethernet segment. Which action most directly accomplishes this?
- Give that router the lowest router ID
- Set that router's OSPF interface priority higher than the other routers on the segment
- Disable OSPF hello packets on the other routers
- Configure that router with the smallest MTU
Correct answer: Set that router's OSPF interface priority higher than the other routers on the segment
Setting the router's OSPF interface priority higher than the others most directly makes it win the DR election, because priority is the first criterion evaluated. A lowest router ID would lose rather than win the tiebreak, disabling hellos would break adjacencies, and MTU does not influence the DR election, so the other options are incorrect.
- How does an OSPF router determine its router ID if no router ID is configured and no loopback interface exists?
- It generates a random 32-bit number at each boot
- It uses the highest IP address among its active physical interfaces
- It uses its lowest MAC address
- It copies the router ID from its OSPF neighbor
Correct answer: It uses the highest IP address among its active physical interfaces
Without a manually configured router ID or any loopback, an OSPF router selects the highest IP address among its active physical interfaces as its router ID. It does not pick a random value, derive the ID from a MAC address, or copy a neighbor's ID, so the other options are incorrect.
- What is the order of precedence OSPF uses to choose its router ID?
- Highest physical interface IP, then highest loopback IP, then manual configuration
- Lowest MAC address, then lowest IP, then manual configuration
- Manually configured router ID, then highest loopback IP, then highest active physical interface IP
- The router ID is always assigned by the designated router
Correct answer: Manually configured router ID, then highest loopback IP, then highest active physical interface IP
OSPF prefers a manually configured router ID first, then the highest IP address on a loopback interface, and finally the highest IP address on an active physical interface. The order is not reversed to favor physical interfaces first, it is not based on MAC addresses, and it is not assigned by the DR, so the other options are incorrect.
- Why do engineers commonly configure a loopback interface or an explicit router-id command for OSPF rather than relying on a physical interface address?
- Because OSPF cannot run without a loopback interface
- Because loopback addresses are required to form Layer 2 adjacencies
- Because a loopback or explicit router ID stays stable even if a physical interface goes down
- Because the router ID must change every time the router reboots
Correct answer: Because a loopback or explicit router ID stays stable even if a physical interface goes down
Engineers use a loopback or explicit router-id command so the OSPF router ID stays stable, since a loopback never goes down and an explicit ID is fixed, unlike a physical interface whose failure could otherwise change the ID. OSPF can run without a loopback, the router ID is a Layer 3 identifier not a Layer 2 requirement, and a stable ID is the goal rather than a changing one, so the other options are incorrect.
- What is the primary purpose of a first hop redundancy protocol on a network?
- To provide a redundant default gateway so hosts keep connectivity if one router fails
- To assign IP addresses to hosts on the subnet
- To encrypt all traffic leaving the subnet
- To aggregate multiple physical links into one logical link
Correct answer: To provide a redundant default gateway so hosts keep connectivity if one router fails
A first hop redundancy protocol provides a redundant default gateway, allowing hosts to keep connectivity when one gateway router fails by letting another take over the virtual gateway address. It does not assign host addresses, encrypt traffic, or aggregate links, so the other options describe unrelated functions.
- How does a first hop redundancy protocol present a redundant gateway to client hosts?
- By giving each host two separate default gateways to choose from manually
- By sharing a single virtual IP and virtual MAC address that the active router answers for
- By requiring each host to run a routing protocol
- By assigning every host a public IP address
Correct answer: By sharing a single virtual IP and virtual MAC address that the active router answers for
A first hop redundancy protocol presents a single virtual IP and virtual MAC address that the active router answers for, so hosts use one unchanging default gateway while routers fail over behind the scenes. Hosts do not pick between two gateways manually, do not run a routing protocol, and do not need public addresses, so the other options are incorrect.
- Two routers serve as gateways for a user subnet, and the design requires that if the primary gateway fails, hosts experience no need to change their configured default gateway. Which category of protocol satisfies this requirement?
- A Layer 2 discovery protocol
- A spanning-tree protocol
- A first hop redundancy protocol
- A configuration management tool
Correct answer: A first hop redundancy protocol
A first hop redundancy protocol satisfies the requirement because it lets a backup router assume the shared virtual gateway address transparently, so hosts never change their configured default gateway. A discovery protocol, spanning tree, and a configuration management tool do not provide gateway failover, so the other options are incorrect.
- What does HSRP provide in a network with two or more gateway routers?
- It bundles the routers' WAN links for more bandwidth
- It distributes IP addresses to clients on the subnet
- It elects a root bridge among the routers
- It allows the routers to share a virtual IP address with one active router forwarding and another on standby
Correct answer: It allows the routers to share a virtual IP address with one active router forwarding and another on standby
HSRP allows two or more routers to share a virtual IP address, with one acting as the active forwarding router and another waiting as standby to take over if the active fails. It does not bundle WAN links, assign client addresses, or elect a root bridge, so the other options are incorrect.
- In an HSRP group, how is the active router selected when priorities are at their default and preemption behavior is not a factor?
- The router with the lowest MAC address
- The router with the most interfaces
- The router that was powered on last
- The router with the highest configured priority, and if priorities tie, the highest IP address
Correct answer: The router with the highest configured priority, and if priorities tie, the highest IP address
HSRP selects the active router by highest priority, and when priorities are equal it uses the highest interface IP address as the tiebreaker. The lowest MAC address, the number of interfaces, and the power-on order are not HSRP active-router criteria, so the other options are incorrect.
- An engineer configures two routers in HSRP and sets RouterA to priority 110 and RouterB to the default of 100, enabling preemption on RouterA. What is the expected behavior?
- RouterB always stays active because it was configured second
- RouterA becomes active because of its higher priority, and with preemption it reclaims the active role after a failure and recovery
- Both routers forward traffic for the virtual IP at the same time
- Neither router becomes active until a third router joins the group
Correct answer: RouterA becomes active because of its higher priority, and with preemption it reclaims the active role after a failure and recovery
RouterA becomes the active router because its priority of 110 exceeds RouterB's 100, and with preemption enabled it reclaims the active role after recovering from a failure. RouterB does not stay active over a higher-priority peer, standard HSRP has one active forwarder rather than both, and no third router is required, so the other options are incorrect.
- In HSRP, what is the role of the standby router?
- It monitors the active router and assumes the active role if the active router fails
- It actively forwards traffic for the virtual IP alongside the active router
- It assigns the virtual IP address to client hosts
- It runs OSPF on behalf of the active router
Correct answer: It monitors the active router and assumes the active role if the active router fails
The standby router monitors the active router through hello messages and takes over the active role if the active router fails, providing the redundancy. It does not forward for the virtual IP while the active is healthy, does not assign addresses to hosts, and does not run OSPF for the active router, so the other options are incorrect.
- A router's routing table shows S* 0.0.0.0/0 [1/0] via 203.0.113.1. What does the asterisk next to the S indicate?
- That the route is currently down
- That the route was learned from OSPF
- That the route has a duplicate in another VLAN
- That the route is the candidate default route
Correct answer: That the route is the candidate default route
The asterisk next to the S marks the route as the candidate default route, meaning the static route is being used as the gateway of last resort. It does not signal that the route is down, it is a static route rather than OSPF-learned, and the asterisk has nothing to do with VLAN duplication, so the other options are incorrect.
- In a routing table entry shown as O 192.168.4.0/24 [110/20] via 10.0.0.2, what do the two numbers in the brackets represent?
- The VLAN ID and the port number
- The subnet mask and the broadcast address
- The hello and dead timers
- The administrative distance and the metric
Correct answer: The administrative distance and the metric
The bracketed numbers represent the administrative distance and the metric, so 110 is OSPF's administrative distance and 20 is the OSPF cost to reach that network. They are not a VLAN and port, a mask and broadcast address, or OSPF timers, so the other options misread the routing table notation.
- When a router receives a packet and finds no matching route in its routing table, including no default route, what does it do with the packet?
- It floods the packet out all interfaces
- It stores the packet until a route appears
- It drops the packet and may send an ICMP destination unreachable message
- It forwards the packet to its OSPF neighbor automatically
Correct answer: It drops the packet and may send an ICMP destination unreachable message
With no matching route and no default route, the router drops the packet and may return an ICMP destination unreachable message to the source. Routers do not flood unrouteable packets, do not buffer them awaiting a route, and do not blindly forward them to an OSPF neighbor, so the other options are incorrect.
- An administrator configures ip route 0.0.0.0 0.0.0.0 198.51.100.1 on an edge router. What is the effect of this command?
- It blocks all traffic to the 198.51.100.0 network
- It assigns 198.51.100.1 as the router's loopback address
- It creates a static default route sending unmatched traffic to 198.51.100.1
- It advertises the network into OSPF area 0
Correct answer: It creates a static default route sending unmatched traffic to 198.51.100.1
The command creates a static default route, sending any traffic that does not match a more specific route to the next hop 198.51.100.1. It does not block traffic, assign a loopback address, or advertise a network into OSPF, so the other options are incorrect.
- Why is a static route generally preferred over a dynamic routing protocol for a small stub network with a single exit point?
- Because static routes automatically adapt to topology changes faster
- Because static routes consume no protocol overhead and the single path makes dynamic routing unnecessary
- Because dynamic protocols cannot reach stub networks
- Because static routes provide encryption that dynamic routing lacks
Correct answer: Because static routes consume no protocol overhead and the single path makes dynamic routing unnecessary
A static route is preferred for a single-exit stub network because there is only one path, so dynamic routing's overhead and complexity add no benefit. Static routes do not adapt automatically, dynamic protocols can reach stub networks, and static routing does not provide encryption, so the other options are incorrect.
- An OSPF interface is configured as passive. What effect does this have on that interface?
- It disables IP forwarding entirely on the interface
- It forces the interface to become the designated router
- It increases the OSPF cost to its maximum value
- It stops sending OSPF hello packets out the interface but still advertises the interface's network
Correct answer: It stops sending OSPF hello packets out the interface but still advertises the interface's network
A passive OSPF interface stops sending hello packets out that interface, preventing adjacencies there, while the interface's network is still advertised into OSPF. It does not disable IP forwarding, force a DR role, or change the cost, so the other options are incorrect.
- Which command verifies the state of a router's OSPF neighbors, including whether they have reached the full state?
- Show ip route static
- Show running-config interface
- Show ip ospf neighbor
- Show vlan brief
Correct answer: Show ip ospf neighbor
The show ip ospf neighbor command verifies OSPF neighbor states, displaying each neighbor and whether the adjacency has reached full. The static route, running-config interface, and VLAN brief commands do not report OSPF neighbor states, so the other options are incorrect.
- Two OSPF routers connected by a serial link form an adjacency without electing a DR or BDR. What characteristic of the link explains this?
- It is a broadcast network requiring a DR
- It has mismatched subnet masks
- It is operating at half duplex
- It is a point-to-point network type, where no DR or BDR election occurs
Correct answer: It is a point-to-point network type, where no DR or BDR election occurs
The link is a point-to-point network type, and OSPF does not elect a DR or BDR on point-to-point links because only two routers exist on the segment. A broadcast type would trigger an election, mismatched masks would break the adjacency rather than skip the election, and duplex is irrelevant to OSPF network type, so the other options are incorrect.
- A subnet of hosts uses 10.5.5.1 as their default gateway, which is the HSRP virtual IP shared by two routers. The active router fails. From the hosts' perspective, what happens to their default gateway?
- The hosts must be reconfigured with a new gateway address
- The hosts lose all connectivity permanently
- The default gateway address stays the same as the standby router takes over forwarding
- Each host must run OSPF to find a new gateway
Correct answer: The default gateway address stays the same as the standby router takes over forwarding
From the hosts' perspective the default gateway address 10.5.5.1 stays the same because the standby router assumes the virtual IP and MAC and continues forwarding after the active router fails. The hosts do not need reconfiguration, do not lose connectivity permanently, and do not run OSPF, so the other options are incorrect.
- How does the active HSRP router signal to the standby router that it is still operational?
- By updating the standby router's routing table directly
- By flooding spanning-tree BPDUs
- By sending periodic HSRP hello messages
- By renewing a DHCP lease on the virtual IP
Correct answer: By sending periodic HSRP hello messages
The active HSRP router sends periodic HSRP hello messages, and if the standby stops receiving them within the hold time it takes over the active role. The active router does not edit the standby's routing table, flood BPDUs, or renew a DHCP lease to signal liveness, so the other options are incorrect.
- Which statement comparing HSRP with a generic first hop redundancy protocol is accurate?
- HSRP replaces the need for any default gateway on hosts
- A first hop redundancy protocol can only be implemented as HSRP
- HSRP is one specific implementation of the first hop redundancy concept
- HSRP operates at Layer 2 to prevent switching loops
Correct answer: HSRP is one specific implementation of the first hop redundancy concept
HSRP is one specific implementation of the broader first hop redundancy protocol concept, which provides gateway redundancy. Hosts still use a default gateway (the virtual IP), FHRP can be implemented by other protocols besides HSRP, and HSRP is a Layer 3 gateway-redundancy mechanism rather than a Layer 2 loop-prevention feature, so the other options are incorrect.
- Why does longest prefix match make a default route the path of last resort rather than a frequently chosen route?
- Because the default route's zero-length prefix is the least specific, so any more specific match is preferred
- Because default routes are administratively distant by definition
- Because default routes are only valid during business hours
- Because the default route has the highest metric automatically
Correct answer: Because the default route's zero-length prefix is the least specific, so any more specific match is preferred
The default route is the path of last resort because its zero-length prefix is the least specific possible match, so longest prefix match prefers any more specific route that also matches the destination. It is not about administrative distance, time-of-day validity, or an automatic highest metric, so the other options are incorrect.
- A router has two routes to 10.10.10.0: one as 10.10.10.0/24 and one as 10.0.0.0/8. A packet is sent to 10.10.10.5. Which route is selected, and what general rule applies?
- 10.0.0.0/8, because broader summaries are preferred
- Whichever route has the lower administrative distance regardless of prefix
- Both are used in round-robin order
- 10.10.10.0/24, because longest prefix match selects the most specific matching route
Correct answer: 10.10.10.0/24, because longest prefix match selects the most specific matching route
The router selects 10.10.10.0/24 because longest prefix match always chooses the most specific matching route, and a /24 is more specific than a /8 for the destination 10.10.10.5. Broader summaries are not preferred, prefix specificity is evaluated before falling back on administrative distance for equal prefixes, and the routes are not used round-robin, so the other options are incorrect.
- What does the gateway of last resort entry in a routing table refer to?
- The router with the highest OSPF priority on the segment
- The MAC address of the local switch
- The next hop used for packets that match no other route, derived from the default route
- The interface with the lowest administrative distance
Correct answer: The next hop used for packets that match no other route, derived from the default route
The gateway of last resort is the next hop used for any packet that matches no other, more specific route, and it is derived from the configured or learned default route. It is not an OSPF priority, a switch MAC address, or an interface administrative distance, so the other options are incorrect.
- A router learns a network via two equal-cost OSPF paths. How does the router typically use these two paths?
- It discards both because OSPF cannot have ties
- It picks the path with the higher administrative distance
- It converts one path into a floating static route
- It installs both and performs equal-cost load balancing across them
Correct answer: It installs both and performs equal-cost load balancing across them
When OSPF learns two equal-cost paths to a network, the router installs both and load-balances traffic across them using equal-cost multipath. It does not discard ties, OSPF does not choose by higher administrative distance within itself, and it does not convert a path into a static route, so the other options are incorrect.
- Why does OSPF prefer a path through a Gigabit Ethernet link over a path through a slower serial link to the same destination by default?
- Because the higher-bandwidth link has a lower OSPF cost
- Because serial links are never advertised in OSPF
- Because Gigabit Ethernet has a lower administrative distance
- Because OSPF counts hops and the Ethernet path is always shorter
Correct answer: Because the higher-bandwidth link has a lower OSPF cost
OSPF prefers the Gigabit Ethernet path because OSPF cost is inversely related to bandwidth, so a higher-bandwidth link has a lower cost and lower total cost wins. Serial links are advertised, administrative distance is the same for all OSPF routes, and OSPF uses cost rather than hop count, so the other options are incorrect.
- An OSPF adjacency between two routers flaps repeatedly, and the engineer finds the hello interval is 10 seconds on one router and 30 seconds on the other. Why does this prevent a stable adjacency?
- Because the router IDs are identical
- Because OSPF requires identical hostnames
- Because one router has more bandwidth than the other
- Because mismatched hello and dead intervals stop the routers from maintaining the neighbor relationship
Correct answer: Because mismatched hello and dead intervals stop the routers from maintaining the neighbor relationship
The adjacency is unstable because OSPF requires matching hello and dead intervals, and the mismatch prevents the routers from agreeing on neighbor timing and maintaining the relationship. Identical router IDs would be a separate problem, hostnames are irrelevant, and a bandwidth difference does not break the adjacency, so the other options are incorrect.
- An engineer configures router-id 1.1.1.1 under the OSPF process but the router still shows a different router ID. What must occur for the new router ID to take effect?
- The interface must be moved to a different VLAN
- The administrative distance must be lowered
- The OSPF process must be cleared or the router reloaded so the new router ID is adopted
- A default route must be added first
Correct answer: The OSPF process must be cleared or the router reloaded so the new router ID is adopted
The new OSPF router ID takes effect only after the OSPF process is cleared with clear ip ospf process or the router is reloaded, because OSPF does not change an in-use router ID dynamically. Moving the interface to another VLAN, lowering administrative distance, or adding a default route do not apply the router ID, so the other options are incorrect.
- Two routers fail to form an OSPF adjacency, and the engineer discovers both were assigned the router ID 2.2.2.2. Why does this duplicate router ID cause a problem?
- Because duplicate router IDs increase the OSPF cost
- Because duplicate router IDs disable the data plane
- Because the duplicate forces an immediate DR election on every link
- Because OSPF router IDs must be unique, and duplicates confuse the link-state database and break adjacency
Correct answer: Because OSPF router IDs must be unique, and duplicates confuse the link-state database and break adjacency
A duplicate router ID is a problem because OSPF requires each router ID to be unique to identify routers in the link-state database, and duplicates corrupt the database and prevent a proper adjacency. Duplicates do not raise the cost, disable the data plane, or force DR elections, so the other options are incorrect.
- Which value uniquely identifies an OSPF router within the OSPF domain and appears in its link-state advertisements?
- The OSPF router ID
- The default gateway address
- The native VLAN number
- The interface duplex setting
Correct answer: The OSPF router ID
The OSPF router ID uniquely identifies a router within the OSPF domain and appears in its link-state advertisements so other routers can build a consistent topology. A default gateway, native VLAN, and duplex setting do not identify an OSPF router, so the other options are incorrect.
- An engineer must decide between configuring a single static default route and enabling OSPF on a small branch router that connects to headquarters over one link and has no other paths. Which choice is most appropriate and why?
- A static default route, because the single link makes dynamic routing overhead unnecessary
- OSPF, because it is required on every router regardless of topology
- A floating static route as the only route, so it never activates
- Neither, because branch routers cannot forward traffic
Correct answer: A static default route, because the single link makes dynamic routing overhead unnecessary
A static default route is most appropriate because the branch has only one path to headquarters, so a single default route handles all traffic without the overhead and complexity of OSPF. OSPF is not mandatory on every router, a floating static route as the sole route would never become active, and branch routers can forward traffic, so the other options are incorrect.
- A router has a directly connected route, a static route, and an OSPF route all pointing to overlapping destinations with the same prefix length. Which route does the router prefer for that identical prefix?
- The OSPF route, because dynamic routing is preferred
- The directly connected route, because it has the lowest administrative distance
- The static route, because it was typed manually
- None, because identical prefixes are always dropped
Correct answer: The directly connected route, because it has the lowest administrative distance
For an identical prefix, the router prefers the directly connected route because its administrative distance of 0 is lower than the static route's 1 and OSPF's 110, and lower administrative distance is more trusted. Dynamic routing is not automatically preferred, manual entry does not win over a connected route, and identical prefixes are resolved by administrative distance rather than dropped, so the other options are incorrect.
- What does the default administrative distance of 110 identify a route as having been learned by?
- Static configuration
- A directly connected interface
- DHCP
- OSPF
Correct answer: OSPF
An administrative distance of 110 identifies a route as learned by OSPF, which is OSPF's default value. Static routes default to 1, directly connected routes to 0, and DHCP is not a routing source with that administrative distance, so the other options are incorrect.
- An engineer needs a backup default route over a secondary link that should only be used if the primary default route through OSPF or a lower-distance static route disappears. Which design accomplishes this?
- Configure a floating static default route with an administrative distance higher than the primary route
- Configure two equal default routes with the same administrative distance
- Configure the backup route with administrative distance 1
- Remove the primary route so only the backup remains
Correct answer: Configure a floating static default route with an administrative distance higher than the primary route
Configuring a floating static default route with a higher administrative distance than the primary accomplishes the goal, because the backup stays inactive until the primary route is withdrawn. Equal administrative distances would load-balance rather than back up, distance 1 would make the backup preferred, and removing the primary defeats redundancy, so the other options are incorrect.
- A floating static route configured with administrative distance 200 suddenly appears in the routing table and begins forwarding traffic. What does this most likely indicate about the network?
- The primary lower-distance route to that destination has gone down
- The floating route's administrative distance was automatically lowered to 0
- A new VLAN was created on the router
- The OSPF designated router changed
Correct answer: The primary lower-distance route to that destination has gone down
The floating static route appearing and forwarding most likely indicates that the primary, lower-distance route has gone down, allowing the higher-distance backup to float into the table. The administrative distance does not change itself, VLAN creation does not activate a route, and a DR change does not install a floating static route, so the other options are incorrect.
- In an OSPF broadcast segment with several routers, what relationship do the non-DR, non-BDR routers form with the designated router?
- They form full adjacencies with every router on the segment
- They form full adjacencies only with the DR and BDR, not with every other router
- They form no adjacencies at all
- They form adjacencies only with the router that has the lowest IP address
Correct answer: They form full adjacencies only with the DR and BDR, not with every other router
Non-DR, non-BDR routers form full adjacencies only with the DR and the BDR, which is exactly why the DR/BDR election reduces the number of adjacencies and flooding on the segment. They do not fully adjoin with every router, they do form adjacencies (just selectively), and the relationship is based on DR/BDR roles rather than lowest IP, so the other options are incorrect.
- On a broadcast segment, an OSPF router whose interface priority is set to 0 will exhibit which behavior in the DR/BDR election?
- It will never become the DR or BDR on that segment
- It will always win the DR election
- It will become the BDR automatically
- It will reset the election for all routers
Correct answer: It will never become the DR or BDR on that segment
An OSPF interface priority of 0 means the router will never become the DR or BDR on that segment, removing it from candidacy. A priority of 0 does not make it win, become BDR, or reset the election, so the other options are incorrect.
- When troubleshooting why a host cannot reach a remote network, an engineer checks the router and sees the destination network is missing from show ip route entirely. What is the immediate implication for packets to that network?
- The router will automatically generate the route on demand
- The packets will be switched at Layer 2 to the destination
- The router will drop those packets unless a default route covers them
- The router will forward the packets to its HSRP standby
Correct answer: The router will drop those packets unless a default route covers them
If the destination network is absent from the routing table, the router will drop packets to it unless a default route exists to catch them as a last resort. Routers do not generate missing routes on demand, cannot Layer 2 switch to a remote network, and do not forward unrouteable packets to an HSRP standby, so the other options are incorrect.
- Which statement correctly distinguishes a connected route from a static route in the routing table?
- A connected route is added automatically from an up interface with an IP, while a static route is manually configured
- A connected route is manually typed, while a static route is learned dynamically
- Both are learned only through OSPF
- A static route always has a lower administrative distance than a connected route
Correct answer: A connected route is added automatically from an up interface with an IP, while a static route is manually configured
A connected route is added automatically when an interface is up and has an IP address in that subnet, whereas a static route is manually configured by an administrator. The roles are not reversed, neither is learned through OSPF, and a connected route's administrative distance of 0 is lower than a static route's 1, so the other options are incorrect.
- Why does a network designer deploy two routers running a first hop redundancy protocol instead of a single default gateway router for a critical user subnet?
- To eliminate the single point of failure at the default gateway so the subnet survives one router failing
- To double the IP address space available to hosts
- To remove the need for a routing table on the subnet
- To force all hosts onto the native VLAN
Correct answer: To eliminate the single point of failure at the default gateway so the subnet survives one router failing
The designer deploys two routers with a first hop redundancy protocol to eliminate the single point of failure at the default gateway, so the subnet keeps connectivity if one router fails. It does not change the address space, remove routing tables, or force hosts onto the native VLAN, so the other options are incorrect.
- An HSRP active and standby pair is working, and the active router's uplink to the rest of the network fails while its LAN interface stays up. Without interface tracking configured, what undesirable situation can occur?
- The active router keeps forwarding for the virtual IP even though its uplink is down, black-holing traffic
- The standby router immediately takes over because the LAN interface failed
- Both routers shut down their LAN interfaces
- The virtual IP is released back to DHCP
Correct answer: The active router keeps forwarding for the virtual IP even though its uplink is down, black-holing traffic
Without interface tracking, the active router keeps forwarding for the virtual IP even though its uplink is down, so traffic is sent to a router that can no longer reach the rest of the network, black-holing it. The standby does not take over because the LAN interface is still up, the routers do not shut their LAN interfaces, and the virtual IP is not released to DHCP, so the other options are incorrect.
- An organization uses one public IPv4 address for hundreds of internal hosts that share that address when reaching the internet. Which NAT variation makes this many-to-one sharing possible?
- Port Address Translation, which multiplexes many inside addresses onto a single global address using unique source ports
- Static one-to-one NAT, which permanently maps each inside host to its own global address
- A NAT pool with no overload, which assigns one global address per concurrent flow
- DNS round robin, which alternates which internal host answers each request
Correct answer: Port Address Translation, which multiplexes many inside addresses onto a single global address using unique source ports
Port Address Translation (PAT), also called NAT overload, is the correct answer. PAT lets many inside hosts share one public address by tracking each conversation with a unique source-port number in the translation table, which is why a single global address can serve hundreds of users. Static one-to-one NAT and a pool without overload both consume one global address per host, so they cannot achieve many-to-one sharing, and DNS round robin is a name-resolution load technique, not address translation.
- A web server inside a private network must always be reachable from the internet using one fixed public address, with no port multiplexing. Which NAT configuration meets this requirement?
- Dynamic NAT drawn from a pool of public addresses
- PAT overload using the outside interface address
- Static NAT mapping the server's inside local address to a dedicated inside global address
- A default route pointing at the ISP gateway
Correct answer: Static NAT mapping the server's inside local address to a dedicated inside global address
Static NAT is the correct choice. Static NAT creates a permanent one-to-one mapping between the server's inside local address and a fixed inside global (public) address, so external clients can always initiate connections to the same public address. Dynamic NAT assigns addresses temporarily and is not predictable for inbound sessions, PAT shares one address across many hosts and is built for outbound flows, and a default route only directs traffic and performs no translation.
- In Cisco NAT terminology, what does the term inside local address describe?
- The public address that outside hosts use to reach an inside host
- The public address of a host located on the outside network
- The private address of an outside host before translation
- The private address assigned to a host on the inside network as seen inside the network
Correct answer: The private address assigned to a host on the inside network as seen inside the network
The inside local address is the private address assigned to an inside host as it is seen within the inside network. Cisco's NAT model pairs it with the inside global address, which is how that same inside host appears to the outside world after translation. The description of a public address used to reach an inside host is the inside global address, and the two outside-host descriptions refer to outside global and outside local addresses.
- An engineer configures PAT but inside hosts still cannot reach the internet. The ACL referenced by the NAT statement correctly matches the inside subnet, and a default route exists. Which missing element most likely prevents translation from occurring?
- The ip nat inside and ip nat outside designations were never applied to the interfaces
- The inside hosts are using RFC 1918 addresses
- The ACL should be a named extended ACL instead of standard
- NTP has not been configured on the router
Correct answer: The ip nat inside and ip nat outside designations were never applied to the interfaces
The most likely cause is that the interfaces were never marked with ip nat inside and ip nat outside. NAT only translates traffic that crosses from an interface flagged as inside to one flagged as outside, so without those designations the router never builds translations even when the ACL and route are correct. Using RFC 1918 addresses inside is exactly the normal scenario for NAT, a standard ACL is perfectly valid for selecting source addresses, and NTP has no bearing on whether translation happens.
- A network administrator wants all routers and switches to share one consistent, accurate time source so that log timestamps and certificate checks line up. Which protocol should be configured for this purpose?
Correct answer: NTP
NTP (Network Time Protocol) is the correct answer because it synchronizes the clocks of network devices to a common reference, keeping log timestamps and time-sensitive security checks consistent across the network. SNMP is used to monitor and manage devices, syslog carries event messages but does not set the clock, and CDP is a Layer 2 neighbor-discovery protocol unrelated to timekeeping.
- In an NTP hierarchy, what does a lower stratum number indicate about a time source?
- It is administratively preferred but less accurate than higher strata
- It is closer to the authoritative reference clock and is considered more accurate
- It is reserved for unsynchronized devices that should be ignored
- It indicates a faster polling interval rather than accuracy
Correct answer: It is closer to the authoritative reference clock and is considered more accurate
A lower stratum number means the source is closer to the authoritative reference clock and is therefore considered more accurate. Stratum 0 is the reference clock itself, stratum 1 servers attach directly to it, and each hop downstream increases the number. The other choices misstate the model, including stratum 16 which marks an unsynchronized clock, and polling interval is a separate setting that does not define stratum.
- An engineer enters ntp server 192.0.2.10 on a router. What role does this command assign to the router?
- It configures the router as an NTP client that synchronizes its clock from 192.0.2.10
- It makes the router an authoritative NTP master for all clients
- It enables NTP authentication keys for that peer
- It sets the router's local hardware clock to a static value
Correct answer: It configures the router as an NTP client that synchronizes its clock from 192.0.2.10
The ntp server command configures the router to act as an NTP client, telling it to synchronize its software clock from the server at the specified address. Becoming an authoritative master is done with ntp master, configuring keys uses ntp authentication-key, and setting the hardware clock manually uses the clock set command, so none of those describe this command.
- A host boots on a network with no manually configured IP information and automatically obtains an address, subnet mask, default gateway, and DNS server. Which protocol provides this information?
Correct answer: DHCP
DHCP (Dynamic Host Configuration Protocol) is the correct answer because it dynamically assigns a client an IP address, subnet mask, default gateway, DNS server, and other options when the host boots. ARP resolves IP addresses to MAC addresses, DNS resolves names to addresses, and ICMP is used for diagnostics and error reporting, so none of those hand out IP configuration.
- Which sequence correctly represents the four messages exchanged when a client leases an address through DHCP?
- Request, Offer, Discover, Acknowledge
- Offer, Discover, Acknowledge, Request
- Discover, Request, Offer, Acknowledge
- Discover, Offer, Request, Acknowledge
Correct answer: Discover, Offer, Request, Acknowledge
The correct order is Discover, Offer, Request, Acknowledge, commonly remembered as DORA. The client broadcasts a Discover, available servers send an Offer, the client formally requests one offer with a Request, and the chosen server confirms the lease with an Acknowledgment. The other sequences scramble these steps, which would break the lease negotiation.
- DHCP clients send a broadcast Discover, but the DHCP server sits on a different subnet across a router that does not forward broadcasts. Which configuration allows clients to still obtain leases from that remote server?
- Configure ip helper-address pointing to the DHCP server on the router interface facing the clients
- Enable proxy ARP on the server's subnet
- Add a static host route to each client
- Configure the router as an NTP server for the clients
Correct answer: Configure ip helper-address pointing to the DHCP server on the router interface facing the clients
Configuring ip helper-address on the client-facing interface is the correct solution. This turns the router into a DHCP relay agent that converts the client's broadcast into a unicast forwarded to the specified server's address, letting clients lease across subnets. Proxy ARP, static host routes, and NTP do not relay DHCP broadcasts, so they cannot solve the cross-subnet problem.
- When a router acts as a DHCP relay agent using ip helper-address, what does it do with a client's broadcast DHCP Discover message?
- It drops the broadcast because routers never forward DHCP
- It converts the broadcast into a unicast and forwards it to the configured DHCP server
- It answers the client directly from its own local address pool only
- It floods the Discover out every interface on the router
Correct answer: It converts the broadcast into a unicast and forwards it to the configured DHCP server
A DHCP relay agent intercepts the client's broadcast Discover and forwards it as a unicast to the DHCP server address configured under ip helper-address, also recording the receiving interface so the server can pick the right scope. The router does not simply drop the message, it is not required to serve from a local pool, and it does not flood the Discover everywhere, which is what the helper feature is designed to avoid.
- A user can reach a website by typing its IP address but not by typing its hostname. Which network service is most likely failing?
Correct answer: DNS
DNS is the most likely culprit because it resolves human-readable hostnames into IP addresses; when address access works but name access fails, name resolution is broken. DHCP would have prevented IP connectivity entirely if it failed, NTP only affects time synchronization, and NAT would affect reachability by address as well, so none of those match the symptom of name-only failure.
- Which statement best describes the primary role of DNS within a network?
- It assigns IP addresses and lease times to clients automatically
- It synchronizes device clocks to a common time reference
- It maps domain names to IP addresses so users can reach resources by name
- It translates private addresses to public addresses for internet access
Correct answer: It maps domain names to IP addresses so users can reach resources by name
Mapping domain names to IP addresses is DNS's core role, allowing people to use easy-to-remember names while devices still route using IP addresses. Automatic address assignment with lease times describes DHCP, clock synchronization describes NTP, and translating private to public addresses describes NAT, so those three describe entirely different services.
- A Cisco router needs to resolve hostnames itself, for example to ping a server by name. Which command tells the router which DNS server to query?
- Ip name-server
- Ip dns resolver
- Ip host lookup
- Ip domain server
Correct answer: Ip name-server
The ip name-server command specifies the DNS server address the router queries to resolve names, and it works together with ip domain-lookup, which enables name resolution. The other command forms shown are not valid IOS syntax for pointing the device at a DNS server.
- A monitoring station needs to poll routers for interface counters and receive unsolicited alerts when an interface goes down. Which protocol is designed for this management role?
Correct answer: SNMP
SNMP (Simple Network Management Protocol) is the correct answer because it lets a management station poll devices for values such as interface counters and also receive device-initiated trap or inform messages when events occur. Syslog only carries event logs, NetFlow exports traffic-flow statistics, and TFTP is a simple file-transfer protocol, so none of them combine polling with event notifications the way SNMP does.
- Which statement accurately distinguishes an SNMP trap from an SNMP get-request?
- A trap is sent by the manager to read a value, while a get-request is sent by the agent
- A trap is an unsolicited message sent by the agent to the manager, while a get-request is the manager polling the agent for a value
- Both are sent only by the manager and differ only in port number
- A trap requires SNMPv3 encryption while a get-request cannot use authentication
Correct answer: A trap is an unsolicited message sent by the agent to the manager, while a get-request is the manager polling the agent for a value
A trap is an unsolicited alert that the managed device's agent sends to the manager when an event occurs, whereas a get-request is initiated by the manager to read a specific value from the agent. The other options reverse the roles, claim both come from the manager, or invent version restrictions that do not define the difference between traps and polling.
- Which SNMP version should be deployed when authentication and encryption of management traffic are required?
- SNMPv1, which uses community strings sent in clear text
- SNMPv2c, which adds bulk retrieval but still relies on clear-text community strings
- SNMPv3, which supports authentication and privacy (encryption)
- Any version, because all SNMP versions encrypt by default
Correct answer: SNMPv3, which supports authentication and privacy (encryption)
SNMPv3 is the correct choice because it adds a security model providing message authentication and privacy (encryption), unlike earlier versions. SNMPv1 and SNMPv2c rely on clear-text community strings with no encryption, and it is incorrect to say all versions encrypt by default, so v3 is the only version that meets a confidentiality and integrity requirement.
- Syslog severity levels range from 0 to 7. Which severity level represents the most critical condition, an unusable system?
- Level 0, emergency
- Level 3, error
- Level 5, notification
- Level 7, debugging
Correct answer: Level 0, emergency
Level 0, emergency, is the most severe, indicating the system is unusable; severity numbers increase as conditions become less urgent. Level 3 errors are serious but not the top severity, level 5 notifications are normal-but-significant events, and level 7 debugging is the least severe and most verbose, so emergency at level 0 is the correct answer.
- A router is configured with logging trap 4. Which syslog messages will the router send to the configured logging server?
- Only messages at severity level 4
- Messages at severity levels 4 through 7
- Messages at severity levels 0 through 4
- All messages regardless of severity
Correct answer: Messages at severity levels 0 through 4
Setting logging trap 4 sends messages at the configured level and all more severe levels, meaning levels 0 (emergency) through 4 (warning). Because lower numbers are more critical, the device forwards everything as severe as or worse than the threshold, so choices limiting output to only level 4, to the less-severe 4 through 7 range, or to all levels are incorrect.
- On a converged network, voice and video traffic must be prioritized over bulk file downloads during congestion. What is the first QoS action a device performs so it can treat these traffic types differently?
- Shaping, which buffers excess traffic to a defined rate
- Classification, which identifies and groups traffic into categories
- Policing, which drops or remarks traffic above a rate
- Queuing, which decides transmit order
Correct answer: Classification, which identifies and groups traffic into categories
Classification is the first step because the device must first identify and group traffic into categories before any differentiated treatment can occur. Marking, queuing, policing, and shaping all depend on classification having already determined what each packet is. Shaping buffers traffic, policing enforces a rate by dropping or remarking, and queuing sets transmit order, but all of those come after the traffic has been classified.
- In a QoS policy, what is the purpose of marking traffic, for example by setting a DSCP value in the IP header?
- It encrypts the payload so downstream devices cannot read it
- It records a class identifier in the packet so downstream devices can apply consistent per-hop treatment
- It guarantees a fixed bandwidth reservation end to end
- It compresses the header to reduce overhead
Correct answer: It records a class identifier in the packet so downstream devices can apply consistent per-hop treatment
Marking writes a class value such as a DSCP code point into the packet header so that every downstream device can recognize the traffic's priority and apply consistent per-hop behavior without reclassifying it. Marking does not encrypt or compress anything, and it does not by itself reserve bandwidth; it simply labels packets so later queuing, policing, and shaping decisions are coordinated.
- An administrator must manage a remote switch over an encrypted CLI session instead of clear-text Telnet. Which protocol provides this secure remote access?
Correct answer: SSH
SSH (Secure Shell) is the correct answer because it encrypts the entire remote management session, protecting credentials and commands that Telnet would send in clear text. TFTP transfers files without encryption, SNMPv2c manages devices with clear-text community strings, and HTTP is unencrypted web access, so none of those provide a secure interactive CLI session.
- Which set of steps is required before a Cisco router will accept inbound SSH connections on its VTY lines?
- Set a hostname and domain name, generate RSA crypto keys, then enable SSH and apply transport input ssh on the VTY lines
- Enable Telnet, then simply add the command ip ssh enable
- Assign an SNMP community string and configure logging
- Configure NTP and a default route to the management station
Correct answer: Set a hostname and domain name, generate RSA crypto keys, then enable SSH and apply transport input ssh on the VTY lines
The correct preparation is to configure a hostname and IP domain name, generate the RSA key pair the encryption relies on, then enable SSH and restrict the VTY lines with transport input ssh (along with a local username and login local). Generating RSA keys requires the hostname and domain name to exist first. Enabling Telnet, adding SNMP communities, or configuring NTP and routing do not establish the cryptographic keys SSH needs.
- An engineer wants to back up a router's running configuration to a server using a lightweight, connectionless protocol that has no authentication and runs over UDP. Which protocol fits this description?
Correct answer: TFTP
TFTP (Trivial File Transfer Protocol) is the correct answer because it is a minimal, connectionless file-transfer protocol that runs over UDP and provides no authentication, which is why it is common for quick image and configuration transfers on a trusted network. FTP uses TCP and supports authentication, SCP transfers files securely over SSH, and HTTPS is an encrypted web protocol, so none of those match the lightweight, unauthenticated, UDP-based description.
- Which statement correctly compares the capabilities of FTP and TFTP for transferring files to and from a Cisco device?
- Both run over UDP and neither supports user authentication
- FTP runs over TCP and supports authentication and directory listing, while TFTP runs over UDP with no authentication and a simpler feature set
- TFTP runs over TCP and is more reliable, while FTP runs over UDP
- FTP is connectionless while TFTP is connection-oriented
Correct answer: FTP runs over TCP and supports authentication and directory listing, while TFTP runs over UDP with no authentication and a simpler feature set
FTP runs over TCP and offers user authentication and directory operations, while TFTP runs over UDP, lacks authentication, and provides only basic file transfer. The remaining choices are wrong because they claim both use UDP, swap the transport protocols, or reverse which protocol is connection-oriented; in reality FTP is the connection-oriented, fuller-featured option.
- A company keeps a public web server reachable from the internet at a single fixed public address, while all of its employee workstations share a different single public address only for outbound browsing. Which combination of NAT types satisfies both needs at once?
- Static NAT for the web server and PAT (NAT overload) for the workstations
- PAT for the web server and static NAT for each workstation
- Dynamic NAT for both, with no static entries
- Static NAT for every device including each workstation
Correct answer: Static NAT for the web server and PAT (NAT overload) for the workstations
Static NAT for the server plus PAT for the workstations is the correct combination. The publicly reachable server needs a permanent one-to-one mapping so inbound clients always find the same address, which static NAT provides, while the many workstations only initiate outbound sessions and can efficiently share one public address through PAT overload. Reversing the two, using dynamic NAT for inbound reachability, or assigning every workstation its own static public address would either break inbound access or waste scarce public addresses.
- An administrator issues show ip nat translations after configuring PAT, and sees multiple inside local addresses mapped to the same inside global address but with different port numbers. What does this output confirm?
- Static NAT is misconfigured because addresses are being reused
- The router has run out of pool addresses and is dropping flows
- DNS is resolving all hosts to one address
- PAT overload is working, distinguishing each conversation by a unique port on the shared global address
Correct answer: PAT overload is working, distinguishing each conversation by a unique port on the shared global address
This output confirms PAT overload is working correctly: many inside hosts share one inside global address, and the router keeps the conversations separate by assigning a unique port number to each, which is exactly what the translation table shows. It is not a static NAT error, not an exhausted pool, and unrelated to DNS, since port multiplexing on a single shared global address is the normal, expected behavior of NAT overload.
- A switch shows the wrong date and time in its log messages even though an NTP server is configured. The administrator confirms reachability but notices show ntp status reports the clock is unsynchronized. Which step most directly addresses an NTP synchronization problem caused by a mismatched authentication setting?
- Disable logging on the switch so timestamps are ignored
- Reload the switch to clear the software clock
- Verify the configured ntp authentication-key and trusted-key values match the server's, or remove authentication if not required
- Change the syslog severity threshold to a lower number
Correct answer: Verify the configured ntp authentication-key and trusted-key values match the server's, or remove authentication if not required
Verifying that the NTP authentication key and trusted-key configuration match the server (or removing authentication if it is not needed) is the correct step, because a key mismatch causes the client to reject the server's time and remain unsynchronized even though the server is reachable. Disabling logging or lowering the syslog threshold only hides the symptom, and reloading the switch does not fix a configuration mismatch that will simply recur.
- A manager argues that adopting network automation will let the company eliminate its entire network engineering team. Which response most accurately corrects this expectation?
- Automation shifts engineers toward designing, validating, and maintaining the automation itself rather than removing the need for skilled staff
- Automation removes the need for any IP addressing knowledge on the team
- Automation makes routing protocols unnecessary, so fewer engineers are required
- Automation guarantees that no configuration errors can ever occur again
Correct answer: Automation shifts engineers toward designing, validating, and maintaining the automation itself rather than removing the need for skilled staff
Network automation shifts engineers toward designing, validating, and maintaining the automation rather than eliminating the need for skilled staff, so the team's role changes rather than disappears. Automation does not remove the need for addressing knowledge, does not eliminate routing protocols, and cannot guarantee that no errors will ever occur, so the other options misstate its impact.
- Before deploying a configuration change to production, an automation pipeline first applies it to a virtual lab and runs validation tests. Which network automation goal does this staging step most directly serve?
- Increasing the clock speed of the production switches
- Reducing the risk of pushing a faulty change by testing it before it reaches production
- Assigning additional VLANs to every access port automatically
- Replacing the need for a routing protocol between the lab and production
Correct answer: Reducing the risk of pushing a faulty change by testing it before it reaches production
Testing a change in a virtual lab before production reduces the risk of pushing a faulty change, which is a core network automation goal of safer, validated deployments. It does not change switch clock speed, add VLANs to ports, or replace routing protocols, so the other options do not describe the purpose of the staging step.
- An organization measures that human typing errors during manual device configuration drop sharply after introducing templated automation. Which benefit of network automation does this reduction in typos best demonstrate?
- Higher physical throughput on every uplink
- Automatic election of a spanning-tree root bridge
- Greater consistency and fewer human-introduced errors
- Conversion of static routes into dynamic routes
Correct answer: Greater consistency and fewer human-introduced errors
A sharp drop in typing errors after templated automation best demonstrates greater consistency and fewer human-introduced errors, a primary benefit of automation. It does not raise physical throughput, elect a spanning-tree root, or convert static routes to dynamic, so the other options are unrelated to the observed result.
- In a controller-based network, an engineer wants to confirm overall network health and see device, client, and application status in one consolidated view. Where is this kind of consolidated dashboard most likely provided?
- On each switch's local console line, viewed one device at a time
- By the centralized network controller, which aggregates status across the managed fabric
- By the spanning-tree protocol running on the access layer
- By the DHCP server that leases addresses to clients
Correct answer: By the centralized network controller, which aggregates status across the managed fabric
A consolidated view of device, client, and application status is most likely provided by the centralized network controller, which aggregates status across the managed fabric. A per-device console shows only one device, while spanning tree and a DHCP server perform unrelated functions, so the other options do not provide the consolidated dashboard.
- Which statement best contrasts how configuration changes are applied in a controller-based network versus a traditional network?
- In both models the engineer must log into each device's CLI individually to make a change
- In a controller-based network each device is configured individually, while a traditional network uses one central console
- In a controller-based network changes are defined centrally and propagated by the controller, while in a traditional network each device is configured individually
- Neither model allows configuration changes after initial deployment
Correct answer: In a controller-based network changes are defined centrally and propagated by the controller, while in a traditional network each device is configured individually
In a controller-based network, changes are defined centrally and propagated by the controller, whereas a traditional network requires configuring each device individually. The option claiming both require per-device CLI ignores central management, the one reversing the models is backwards, and the claim that no changes are allowed is false, so the other options are incorrect.
- An enterprise migrating to a controller-based model is told the controller can enforce a uniform access policy for users regardless of which switch they connect to. Which characteristic of controller-based networking makes this possible?
- The controller assigns the same MAC address to every connected user
- Each switch independently invents its own policy and the others copy it
- The controller disables Layer 3 routing so policy is simpler
- The controller has a centralized, network-wide view that lets it apply consistent policy across all managed devices
Correct answer: The controller has a centralized, network-wide view that lets it apply consistent policy across all managed devices
A controller can enforce uniform user policy because it has a centralized, network-wide view that lets it apply consistent policy across all managed devices. It does not assign identical MAC addresses, does not rely on switches inventing and copying policy, and does not disable Layer 3 routing, so the other options are incorrect.
- Which statement correctly describes a defining principle of software-defined networking relative to traditional device-centric networking?
- It tightly couples the control logic into each device's hardware and forbids external programmability
- It decouples the network control logic from the underlying forwarding hardware so the network can be managed programmatically
- It requires that every packet be inspected by a human before forwarding
- It mandates that the network use only half-duplex links
Correct answer: It decouples the network control logic from the underlying forwarding hardware so the network can be managed programmatically
A defining principle of software-defined networking is decoupling the control logic from the underlying forwarding hardware so the network can be managed programmatically. It does not tightly couple control into each device and forbid programmability, require human packet inspection, or mandate half-duplex links, so the other options misstate SDN.
- A vendor states that its software-defined networking solution lets customers integrate the network with their own custom applications and orchestration tools. Which property of SDN architecture makes this integration practical?
- Its use of console cables to each device for every API call
- Its requirement that all applications run directly on the switches
- Its reliance on programmable interfaces and open APIs for external systems to consume
- Its dependence on spanning tree to expose network state
Correct answer: Its reliance on programmable interfaces and open APIs for external systems to consume
Integration with custom applications is practical because SDN architecture relies on programmable interfaces and open APIs for external systems to consume. It does not use console cables for API calls, require applications to run on the switches, or depend on spanning tree to expose state, so the other options are incorrect.
- A traditional campus and an SDN-managed campus both still need to move user packets at line rate. In the SDN-managed campus, what continues to perform the actual packet forwarding?
- The SDN controller forwards each user packet on the devices' behalf
- The forwarding hardware on the individual switches, using rules the controller has installed
- The northbound API forwards the packets directly to applications
- Spanning tree forwards each packet based on bridge priority
Correct answer: The forwarding hardware on the individual switches, using rules the controller has installed
In an SDN-managed campus the forwarding hardware on the individual switches continues to perform packet forwarding, using rules the controller has installed. The controller installs rules rather than forwarding packets itself, the northbound API faces applications rather than forwarding traffic, and spanning tree does not forward user packets by bridge priority, so the other options are incorrect.
- An engineer states that on a router the function responsible for building and maintaining the routing table is logically separate from the function that moves packets through the box. Which two planes is the engineer distinguishing?
- The management plane and the backplane
- The data plane, which builds the routing table, and the control plane, which forwards packets
- The application plane and the session plane
- The control plane, which builds the routing table, and the data plane, which forwards packets
Correct answer: The control plane, which builds the routing table, and the data plane, which forwards packets
The engineer is distinguishing the control plane, which builds and maintains the routing table, from the data plane, which forwards packets through the device. One option names a physical backplane rather than a forwarding plane, another reverses the two roles, and another lists planes that are not part of this model, so the other options are incorrect.
- Processing an inbound ARP request, running the spanning-tree algorithm, and answering an SNMP poll are handled by the device's CPU rather than its forwarding ASICs. Sending these tasks to the device's processor instead of forwarding hardware reflects which distinction?
- These are data-plane tasks that bypass the CPU entirely
- These are control- and management-plane tasks handled by the CPU, separate from data-plane hardware forwarding
- These are physical-layer tasks handled by the transceivers
- These tasks are performed only by the SDN controller and never by the device
Correct answer: These are control- and management-plane tasks handled by the CPU, separate from data-plane hardware forwarding
Running the spanning-tree algorithm, processing ARP, and answering SNMP polls are control- and management-plane tasks handled by the CPU, kept separate from data-plane hardware forwarding. They are not data-plane tasks that bypass the CPU, not physical-layer transceiver work, and not exclusive to an SDN controller, so the other options are incorrect.
- Why does sustained, high-volume traffic flowing through a router normally have little effect on the load of its control plane?
- Because the control plane forwards each of those packets individually
- Because the control plane recomputes the routing table for every packet that arrives
- Because forwarded user traffic is handled by the data plane, while the control plane only manages route computation and protocol state
- Because high traffic automatically disables the control plane
Correct answer: Because forwarded user traffic is handled by the data plane, while the control plane only manages route computation and protocol state
Sustained user traffic has little effect on control-plane load because forwarded user traffic is handled by the data plane, while the control plane only manages route computation and protocol state. The control plane does not forward each packet, does not recompute the table per packet, and is not disabled by high traffic, so the other options are incorrect.
- In a controller-based architecture, a network operations application needs to read alerts and push configuration intent to the controller. Which interface of the controller is this application interacting with?
- The northbound interface, which faces applications above the controller
- The southbound interface, which faces the managed network devices
- The console interface of each managed switch
- The spanning-tree interface between switches
Correct answer: The northbound interface, which faces applications above the controller
A network operations application reading alerts and pushing intent interacts with the northbound interface, which faces applications above the controller. The southbound interface faces the managed devices, and a switch console or a spanning-tree exchange are not controller application interfaces, so the other options are incorrect.
- An engineer explains that the southbound interface is what makes a centralized controller useful for actually changing the network. What is the primary role of the southbound interface?
- To present a simplified service interface to business applications
- To assign IP addresses to end-user hosts
- To communicate with and program the managed network devices on behalf of the controller
- To exchange Layer 2 discovery information between two switches
Correct answer: To communicate with and program the managed network devices on behalf of the controller
The primary role of the southbound interface is to communicate with and program the managed network devices on behalf of the controller. Presenting a service interface to applications is the northbound role, and assigning host IPs or exchanging Layer 2 discovery are unrelated functions, so the other options are incorrect.
- An orchestration platform calls the controller's API, and the controller then translates that request into commands sent down to the switches. Which sequence of API directions is being used?
- Southbound from the platform to the controller, then northbound from the controller to the switches
- Northbound from the platform to the controller, then southbound from the controller to the switches
- Northbound in both steps, since the controller is always above
- Southbound in both steps, since switches are always below
Correct answer: Northbound from the platform to the controller, then southbound from the controller to the switches
The platform calls the controller over the northbound interface, and the controller then uses the southbound interface to send commands to the switches. One option reverses the directions, and the two same-direction options ignore that the controller sits between an application above and devices below, so the other options are incorrect.
- An engineer reviewing a REST API call sees the request line GET /api/v1/devices used to list all managed devices. Which characteristic of REST does the use of standard HTTP methods like GET illustrate?
- REST requires a custom binary protocol instead of HTTP methods
- REST uses HTTP methods to convey the action being requested on a resource
- REST forbids the use of GET and only permits POST
- REST methods determine the physical cabling between devices
Correct answer: REST uses HTTP methods to convey the action being requested on a resource
Using GET to list devices illustrates that REST uses HTTP methods to convey the action being requested on a resource. REST does not require a custom binary protocol, does not forbid GET, and HTTP methods have nothing to do with physical cabling, so the other options are incorrect.
- A REST client receives an HTTP 403 status code in response to its request. What does this most directly tell the client about the request?
- The server could not be reached at all
- A new resource was created successfully
- The server understood the request but is refusing to authorize it for this client
- The request body contained valid JSON
Correct answer: The server understood the request but is refusing to authorize it for this client
An HTTP 403 status most directly tells the client that the server understood the request but is refusing to authorize it for this client. It does not mean the server was unreachable, that a resource was created, or that the body was valid JSON, so the other options misinterpret the code.
- A developer needs to pass an authentication token and specify that the response should be returned as JSON on every REST request. Where in the HTTP request are values such as the authentication token and the desired response format typically placed?
- In the spanning-tree bridge ID
- In the device's MAC address table
- In the routing table next-hop field
- In the HTTP headers of the request
Correct answer: In the HTTP headers of the request
Values such as an authentication token and the desired response format are typically placed in the HTTP headers of the request. A spanning-tree bridge ID, a MAC address table, and a routing-table next hop are unrelated networking constructs, so the other options are incorrect.
- An engineer is told that a particular API is RESTful and therefore treats network elements as addressable resources reached through URIs. What does identifying each element by its own URI most directly enable a client to do?
- Force every device onto the same VLAN
- Reference and act on a specific resource directly, such as a single interface or device
- Eliminate the need for any authentication
- Guarantee the data is returned only in XML
Correct answer: Reference and act on a specific resource directly, such as a single interface or device
Identifying each element by its own URI most directly lets a client reference and act on a specific resource directly, such as a single interface or device. It does not force devices onto one VLAN, remove the need for authentication, or guarantee XML output, so the other options are incorrect.
- An automation engineer maps the four CRUD operations to their typical REST HTTP methods. Which mapping is correct?
- Create to GET, Read to POST, Update to DELETE, Delete to PUT
- Create to DELETE, Read to PUT, Update to GET, Delete to POST
- Create to POST, Read to GET, Update to PUT or PATCH, Delete to DELETE
- Create to PUT, Read to DELETE, Update to GET, Delete to POST
Correct answer: Create to POST, Read to GET, Update to PUT or PATCH, Delete to DELETE
The correct mapping is Create to POST, Read to GET, Update to PUT or PATCH, and Delete to DELETE, which aligns each CRUD operation with its conventional HTTP method. The other options scramble the methods, assigning the wrong verb to each operation, so they are incorrect.
- An engineer wants to fully replace an existing device object with a complete new representation, overwriting all of its fields at once. Which HTTP method best fits a full replacement of an existing resource?
Correct answer: PUT
The PUT method best fits a full replacement of an existing resource, overwriting all of its fields with the supplied representation. GET only retrieves, HEAD returns headers without a body, and OPTIONS lists supported methods, so none of those perform a full replacement.
- A team standardizes that repeatedly sending the same Delete request for an already-removed object should not cause an error and should leave the system in the same final state. Which property are they relying on for the Delete operation?
- That Delete creates a new resource each time it is called
- That Delete is idempotent, so repeating it leaves the resource absent in the same way
- That Delete returns different data on every call
- That Delete physically powers off the device
Correct answer: That Delete is idempotent, so repeating it leaves the resource absent in the same way
The team is relying on Delete being idempotent, so repeating it leaves the resource absent in the same final state. Delete does not create a new resource, is not expected to return different data each time, and does not power off the device, so the other options are incorrect.
- Consider the JSON snippet {"vlans": [10, 20, 30]}. How should an engineer interpret the value associated with the vlans key?
- As a single string containing the digits 102030
- As three separate objects with no relationship
- As an array (ordered list) of three numeric values
- As a Boolean value
Correct answer: As an array (ordered list) of three numeric values
The value associated with vlans is an array, an ordered list of three numeric values, indicated by the square brackets. It is not a single concatenated string, not three unrelated objects, and not a Boolean, so the other interpretations misread the JSON.
- In the JSON object {"device": {"hostname": "R1", "interfaces": {"count": 4}}}, what does the structure of the interfaces value indicate?
- It is a nested object, because its value is enclosed in its own set of braces
- It is an array, because it uses square brackets
- It is a string, because it is in quotation marks
- It is a number, because it is not quoted
Correct answer: It is a nested object, because its value is enclosed in its own set of braces
The interfaces value is a nested object, because its value is enclosed in its own set of braces containing another key-value pair. It does not use square brackets so it is not an array, it is not in quotation marks so it is not a string, and the value as a whole is not a bare number, so the other options are incorrect.
- An engineer must hand-write JSON and is unsure how to format the keys. Which statement about JSON keys is correct?
- Keys must be unquoted bare words
- Keys must always be numbers
- Keys are separated from their values by an equals sign
- Keys are written as strings enclosed in double quotation marks
Correct answer: Keys are written as strings enclosed in double quotation marks
JSON keys are written as strings enclosed in double quotation marks. They are not unquoted bare words, are not required to be numbers, and are separated from their values by a colon rather than an equals sign, so the other options are incorrect.
- A team wants a configuration management tool they can run from a single control machine over SSH without first installing any software on the network devices. Which tool's architecture best matches this requirement?
- A tool that requires installing a persistent agent on each device first
- Cisco Discovery Protocol, because it discovers neighbors
- Ansible, because it uses an agentless model over SSH from a control node
- A spanning-tree variant, because it prevents loops
Correct answer: Ansible, because it uses an agentless model over SSH from a control node
Ansible best matches the requirement because it uses an agentless model, connecting over SSH from a control node without preinstalled software on the devices. A tool requiring a persistent agent contradicts the requirement, while Cisco Discovery Protocol and spanning tree are not configuration management tools, so the other options are incorrect.
- An engineer reviewing an Ansible playbook notices it describes the end state each device should reach, such as which VLANs and interfaces should exist, rather than a step-by-step script of commands. Which approach to configuration does this reflect?
- A purely procedural approach listing exact CLI keystrokes in order
- A hardware diagnostic that tests the device's memory
- A routing protocol that advertises networks to neighbors
- A declarative, desired-state approach describing what the result should be
Correct answer: A declarative, desired-state approach describing what the result should be
Describing the end state each device should reach reflects a declarative, desired-state approach that specifies what the result should be rather than every command. It is not a purely procedural keystroke list, not a hardware diagnostic, and not a routing protocol, so the other options are incorrect.
- A host is configured for DHCP but cannot reach the DHCP server, so it self-assigns an address from the 169.254.0.0/16 range. Which mechanism produced this address?
- Automatic Private IP Addressing (APIPA), used when no DHCP lease is obtained
- Static NAT translation performed by the local router
- Stateless Address Autoconfiguration negotiated with the gateway
- A DHCP relay agent forwarding a scope from a remote server
Correct answer: Automatic Private IP Addressing (APIPA), used when no DHCP lease is obtained
The address came from Automatic Private IP Addressing (APIPA). When a client fails to obtain a DHCP lease, it picks a link-local address from 169.254.0.0/16 so it can still communicate on the local segment, but this address is not routable and signals that DHCP is unavailable. NAT, SLAAC (an IPv6 feature), and DHCP relay are unrelated to this self-assignment.
- On a legacy shared Ethernet segment using a hub, which access method do devices use to detect and recover from simultaneous transmissions?
- CSMA/CD, which listens before sending and backs off when a collision is detected
- CSMA/CA, which reserves the medium before every transmission
- Token passing, which circulates a permission frame around the ring
- Time-division multiplexing, which assigns each host a fixed timeslot
Correct answer: CSMA/CD, which listens before sending and backs off when a collision is detected
The method is CSMA/CD (Carrier Sense Multiple Access with Collision Detection). Hosts on a shared half-duplex segment listen for an idle medium before transmitting and, if two transmit at once, detect the collision, send a jam signal, and use a random backoff timer before retrying. CSMA/CA is used by wireless, token passing belongs to Token Ring, and TDM is a circuit technique.
- An engineer replaces a hub with a switch on a busy segment. How does this change the collision and broadcast domain structure?
- Each switch port becomes its own collision domain, while all ports remain in one broadcast domain
- The switch merges every port into a single collision domain and many broadcast domains
- Each port becomes a separate broadcast domain but they share one collision domain
- The switch eliminates both collision and broadcast domains entirely
Correct answer: Each switch port becomes its own collision domain, while all ports remain in one broadcast domain
The answer is that each switch port becomes its own collision domain while all ports stay in a single broadcast domain. A switch micro-segments collisions per port, so full-duplex links have no collisions, but broadcast frames are flooded out all ports in the same VLAN, keeping them in one broadcast domain until a router or separate VLANs break it up.
- Host A needs to send an IP packet to Host B on the same subnet but does not know Host B's MAC address. Which protocol resolves the destination MAC?
- ARP, which broadcasts a request asking who owns the target IP
- DNS, which maps the hostname to a hardware address
- ICMP, which echoes the MAC back in a reply
- DHCP, which leases the MAC along with the IP
Correct answer: ARP, which broadcasts a request asking who owns the target IP
The protocol is ARP (Address Resolution Protocol). To deliver a frame on the local subnet, Host A broadcasts an ARP request for the IP it wants to reach; the owner replies with its MAC, which Host A caches. DNS resolves names to IPs, ICMP handles diagnostics like ping, and DHCP assigns addressing, none of which map an IP to a MAC.
- A host on subnet 192.168.10.0/24 sends a packet destined for 8.8.8.8. What role does the configured default gateway play?
- It receives the packet because the destination is on a different network and routes it onward
- It rewrites the destination IP to a host on the local subnet
- It is only used for traffic that stays within 192.168.10.0/24
- It assigns the host a new IP before forwarding
Correct answer: It receives the packet because the destination is on a different network and routes it onward
The default gateway receives and routes the packet because the destination is outside the local subnet. A host compares the destination against its own subnet; when the target is remote, it forwards the frame to the default gateway's MAC, and the gateway routes it toward the destination. Local-only traffic never goes to the gateway, and the gateway does not reassign the host's IP.
- An engineer must send a 1600-byte IPv4 packet across a link whose MTU is 1500 bytes with fragmentation allowed. What happens to the packet?
- The router fragments the packet into pieces that each fit within the 1500-byte MTU
- The router silently drops the packet without any notification
- The link automatically raises its MTU to 1600 bytes for that packet
- The packet is compressed to fit and decompressed at the destination
Correct answer: The router fragments the packet into pieces that each fit within the 1500-byte MTU
The router fragments the oversized packet into smaller fragments that each fit the 1500-byte MTU when fragmentation is permitted (the Don't Fragment bit is clear). The fragments are reassembled by the destination host. If the DF bit were set, the router would drop the packet and return an ICMP message instead, but it does not raise the link MTU or compress data.
- Two directly connected switch interfaces are both left at their default of speed and duplex auto-negotiation. What is the expected result on a modern gigabit link?
- They negotiate the highest common speed and full duplex automatically
- They default to 10 Mbps half duplex because auto-negotiation is unreliable
- The link stays down until speed and duplex are hardcoded on both ends
- One side runs full duplex and the other half, causing a guaranteed mismatch
Correct answer: They negotiate the highest common speed and full duplex automatically
With both ends set to auto, the interfaces negotiate the highest common speed and full duplex, which is the recommended configuration for modern links. A duplex mismatch arises only when one side is hardcoded and the other is left on auto; when both are auto, they agree successfully and the link comes up at the best supported settings.
- A data center runs many isolated server instances on a single physical host, each with its own guest operating system managed by a hypervisor. What is this technology called?
- Server virtualization using virtual machines
- Spanning-tree load balancing across uplinks
- Link aggregation of multiple NICs
- Network address translation of internal hosts
Correct answer: Server virtualization using virtual machines
This is server virtualization using virtual machines. A hypervisor abstracts the physical hardware so multiple VMs, each with a full guest OS, run on one server, improving resource utilization. Spanning tree, link aggregation, and NAT are networking functions and do not describe running multiple guest operating systems on shared hardware.
- Which copper cabling category is the minimum recommended choice to reliably support 10GBASE-T over a 100-meter run?
- Category 6a
- Category 3
- Category 5
- Coaxial RG-6
Correct answer: Category 6a
Category 6a is the minimum twisted-pair category that reliably carries 10GBASE-T over the full 100-meter channel because its shielding and tighter specs reduce alien crosstalk. Cat3 tops out around 10 Mbps, Cat5 supports up to 100 Mbps, and RG-6 coax is a different medium used for video and broadband, not structured 10G Ethernet runs.
- A network uses a topology where every device connects to a central switch, and a cable fault to one device affects only that device. Which physical topology is described?
- Star topology
- Full-mesh topology
- Ring topology
- Bus topology
Correct answer: Star topology
This describes a star topology, where each endpoint has its own cable to a central device such as a switch, so a single cable failure isolates only that endpoint. A full mesh connects every node to every other node, a ring chains devices in a loop, and a bus shares one backbone where a break can disrupt the whole segment.
- On a Cisco interface, the show command reports incrementing CRC errors with a low collision count on a full-duplex link. What does a rising CRC counter most directly indicate?
- Frames are arriving corrupted, often due to bad cabling, interference, or a faulty transceiver
- The interface is administratively shut down
- The VLAN assignment on the port is incorrect
- The routing protocol has lost its neighbor adjacency
Correct answer: Frames are arriving corrupted, often due to bad cabling, interference, or a faulty transceiver
A climbing CRC counter most directly indicates frames are arriving corrupted, with the frame check sequence failing, commonly from damaged cabling, electromagnetic interference, or a bad transceiver. CRC errors are a physical-layer integrity problem; an administratively down port shows a different state, and VLAN or routing issues do not increment the CRC counter.
- How many usable host addresses does the subnet 172.16.20.0/26 provide?
- 62 usable host addresses
- 64 usable host addresses
- 30 usable host addresses
- 126 usable host addresses
Correct answer: 62 usable host addresses
A /26 yields 62 usable host addresses. The /26 mask leaves 6 host bits, giving 2⁶ = 64 total addresses; subtracting the network and broadcast addresses leaves 62 usable hosts. A /27 would give 30 and a /25 would give 126, so 62 is correct for the /26.
- Which transport-layer behavior is unique to TCP and absent from UDP?
- Establishing a connection with a three-way handshake before data transfer
- Adding a 16-bit source and destination port number to each segment
- Encapsulating application data for delivery to the network layer
- Using a checksum field for basic error detection
Correct answer: Establishing a connection with a three-way handshake before data transfer
Establishing a connection through a three-way handshake is unique to TCP; UDP is connectionless and sends data without setup. Both protocols use port numbers, both hand data to the network layer, and both include a checksum, so those traits are shared. The handshake, along with sequencing and acknowledgments, is what distinguishes reliable TCP from best-effort UDP.
- An engineer configures a static route on a Cisco router so that traffic to 10.2.2.0/24 leaves through the next hop 10.1.1.2. Which command syntax is correct?
- Ip route 10.2.2.0 255.255.255.0 10.1.1.2
- Ip route 10.2.2.0 0.0.0.255 10.1.1.2
- Route add 10.2.2.0/24 via 10.1.1.2
- Ip default-network 10.2.2.0 10.1.1.2
Correct answer: Ip route 10.2.2.0 255.255.255.0 10.1.1.2
The correct syntax is ip route 10.2.2.0 255.255.255.0 10.1.1.2, which specifies the destination network, the subnet mask in dotted-decimal form, and the next-hop address. Static routes use a subnet mask, not a wildcard mask, so 0.0.0.255 is wrong, and the route add and ip default-network forms are not valid for a standard static route here.
- By default on a Cisco router, OSPF derives interface cost from a reference bandwidth of 100 Mbps. What problem does this default cause on Gigabit and faster links?
- All links at or above 100 Mbps receive the same cost of 1, so faster paths are not preferred
- OSPF refuses to form adjacencies on interfaces faster than 100 Mbps
- The router automatically converts those interfaces to passive
- Higher-bandwidth links are assigned an infinite cost and ignored
Correct answer: All links at or above 100 Mbps receive the same cost of 1, so faster paths are not preferred
With the default 100 Mbps reference bandwidth, all links of 100 Mbps or faster compute to a cost of 1, so OSPF cannot distinguish a Gigabit link from a 100 Mbps one and may not choose the truly faster path. The fix is to raise the reference bandwidth with auto-cost reference-bandwidth. OSPF still forms adjacencies and does not mark these interfaces passive or unreachable.
- An engineer wants a single summary route advertised in place of the four contiguous networks 192.168.0.0/24 through 192.168.3.0/24. Which summary correctly covers exactly those four?
- 192.168.0.0/22
- 192.168.0.0/24
- 192.168.0.0/21
- 192.168.0.0/23
Correct answer: 192.168.0.0/22
The correct summary is 192.168.0.0/22, which aggregates the four contiguous /24 networks (.0, .1, .2, and .3) into one advertisement. A /22 borrows two bits to group four /24 blocks. A /24 covers only one network, a /23 covers two, and a /21 would over-summarize by including eight /24 networks.
- Which command configures an IPv6 static route on a Cisco router to reach the destination 2001:db8:acad:1::/64 via next hop 2001:db8:acad:2::2?
- Ipv6 route 2001:db8:acad:1::/64 2001:db8:acad:2::2
- Ip route 2001:db8:acad:1::/64 2001:db8:acad:2::2
- Ipv6 route 2001:db8:acad:1:: 255.255.255.0 2001:db8:acad:2::2
- Route ipv6 2001:db8:acad:1::/64 next-hop 2001:db8:acad:2::2
Correct answer: Ipv6 route 2001:db8:acad:1::/64 2001:db8:acad:2::2
The correct command is ipv6 route 2001:db8:acad:1::/64 2001:db8:acad:2::2. IPv6 static routes use the ipv6 route keyword with prefix length notation and a next-hop address, not a dotted-decimal mask. The ip route command is for IPv4, the dotted-mask form is invalid for IPv6, and the route ipv6 syntax is not a Cisco IOS command.
- Two switches connect over a link, and both ports are set to switchport mode dynamic auto. What trunking outcome results?
- The link stays an access port because neither side actively initiates trunk negotiation
- The link forms a trunk because both sides default to trunking
- The link goes down because the DTP modes are incompatible
- The link becomes a trunk only after a reload of both switches
Correct answer: The link stays an access port because neither side actively initiates trunk negotiation
The link remains an access port because dynamic auto waits for the other side to start DTP negotiation; with both ends auto, neither initiates, so no trunk forms. A trunk would form only if at least one side were dynamic desirable or set to trunk. The ports do not go down or require a reload; they simply settle as access ports.
- An engineer needs to create VLAN 2000 on a Cisco switch. Which statement about this VLAN ID is correct?
- It is an extended-range VLAN (1006 to 4094), which is supported but not stored in the legacy VLAN database file
- It is a normal-range VLAN that is saved in vlan.dat by default
- It is an invalid VLAN ID because the maximum is 1005
- It is a reserved VLAN that cannot carry user traffic
Correct answer: It is an extended-range VLAN (1006 to 4094), which is supported but not stored in the legacy VLAN database file
VLAN 2000 is an extended-range VLAN, falling in the 1006 to 4094 range. Extended-range VLANs are configurable and carry user traffic, but they are stored in the running configuration rather than the legacy vlan.dat database used for normal-range VLANs (1 to 1005). The maximum usable VLAN ID is 4094, so 2000 is valid and not reserved.
- A switch port connects to an IP phone with a PC daisy-chained behind it. What does configuring a separate voice VLAN on that access port accomplish?
- It separates phone traffic into its own VLAN while PC data uses the access VLAN on the same port
- It converts the port into an 802.1Q trunk carrying every VLAN on the switch
- It disables the data VLAN so only voice frames are permitted
- It assigns the phone and PC the same VLAN to simplify addressing
Correct answer: It separates phone traffic into its own VLAN while PC data uses the access VLAN on the same port
Configuring a voice VLAN separates phone traffic into its own VLAN while the attached PC's data frames use the port's access (data) VLAN. The phone tags its voice frames with the voice VLAN ID and the PC sends untagged frames, letting one port serve both with proper segmentation and QoS. It does not make the port a full trunk, disable data, or merge the two into one VLAN.
- An access port is configured with switchport port-security and the default violation mode. When an unauthorized MAC address exceeds the limit, what does the switch do?
- It places the port in err-disabled state and drops traffic until the port is recovered
- It forwards the frames but logs a syslog message without dropping anything
- It silently discards the offending frames while keeping the port up and counting violations
- It automatically reassigns the violating device to a guest VLAN
Correct answer: It places the port in err-disabled state and drops traffic until the port is recovered
With the default shutdown violation mode, the switch places the port in err-disabled state and drops all traffic until an administrator or errdisable recovery brings it back up. The describe-but-forward behavior matches protect or restrict modes, not the default. Protect drops silently with no log, restrict drops and logs, and none of the modes reassign the device to a guest VLAN.
- On a Cisco switch access port, an engineer wants to limit the port to a maximum of two learned MAC addresses and shut the port if a third appears. Which feature does this?
- Port security
- Dynamic ARP inspection
- DHCP snooping
- Spanning Tree Protocol
Correct answer: Port security
Port security limits the number of MAC addresses learned on an access port and can take a violation action (shutdown, restrict, or protect). Dynamic ARP inspection and DHCP snooping address different Layer 2 threats.
- Which Layer 2 security feature builds a trusted binding table of IP-to-MAC-to-port mappings and drops DHCP server responses arriving on untrusted ports?
- DHCP snooping
- Port security
- 802.1Q tagging
- BPDU Guard
Correct answer: DHCP snooping
DHCP snooping marks ports as trusted or untrusted and discards DHCP server messages (Offer/Ack) received on untrusted ports, preventing rogue DHCP servers. Its binding table also feeds Dynamic ARP Inspection.
- An attacker on a LAN sends forged ARP replies to redirect traffic through their host. Which Cisco feature, relying on the DHCP snooping binding table, blocks these invalid ARP messages?
- Dynamic ARP Inspection (DAI)
- Port security
- NAT
- Root Guard
Correct answer: Dynamic ARP Inspection (DAI)
Dynamic ARP Inspection validates ARP packets against the DHCP snooping binding table and drops those with invalid IP-to-MAC bindings, stopping ARP spoofing / on-path attacks.
- Which wireless security standard uses Simultaneous Authentication of Equals (SAE) to resist offline dictionary attacks and is the current recommended choice on the CCNA?
Correct answer: WPA3
WPA3 introduces SAE (the Dragonfly handshake), which resists offline password guessing and adds forward secrecy. WPA2 uses AES/CCMP but its PSK handshake is vulnerable; WEP and original WPA are deprecated.
- In the AAA framework, which component determines what an authenticated user is allowed to do?
- Authorization
- Authentication
- Accounting
- Auditing
Correct answer: Authorization
AAA = Authentication (who you are), Authorization (what you may do), and Accounting (logging what you did). Authorization grants the specific permissions after identity is verified.
- Which protocol, commonly used for AAA, encrypts the entire packet payload and separates authentication, authorization, and accounting, making it preferred for device administration?
- TACACS+
- RADIUS
- SNMPv2c
- Syslog
Correct answer: TACACS+
TACACS+ (a Cisco protocol) encrypts the full payload and separates AAA functions, which suits device administration. RADIUS encrypts only the password and combines authentication and authorization, and is common for network access.
- An engineer configures a standard IPv4 ACL. Based on what does a standard ACL filter traffic?
- Source IP address only
- Source and destination IP and port
- Destination MAC address
- VLAN ID
Correct answer: Source IP address only
A standard IPv4 ACL filters based on the source IP address only. Extended ACLs can match source and destination addresses, protocol, and port numbers.
- In what order does a Cisco router evaluate the entries (ACEs) in an access control list, and what happens to traffic matching no entry?
- Top-down; an implicit deny drops unmatched traffic
- Bottom-up; unmatched traffic is permitted
- Random order; unmatched traffic is logged
- Most specific first; unmatched traffic is queued
Correct answer: Top-down; an implicit deny drops unmatched traffic
A router processes ACL entries top-down and stops at the first match. Traffic that matches no entry hits the implicit 'deny any' at the end of every ACL and is dropped.
- Where should an extended IPv4 ACL generally be placed to filter traffic most efficiently?
- Close to the source of the traffic
- Close to the destination
- On the default gateway only
- On every interface in the path
Correct answer: Close to the source of the traffic
Extended ACLs match specific source and destination criteria, so they are placed close to the source to drop unwanted traffic early. Standard ACLs (source-only) are placed close to the destination to avoid blocking too much.
- Which term describes a weakness in a system that could be exploited by a threat?
- Vulnerability
- Exploit
- Mitigation
- Threat actor
Correct answer: Vulnerability
A vulnerability is a weakness; a threat is the potential danger; an exploit is the method or code that takes advantage of a vulnerability; mitigation reduces the risk.
- An organization requires users to provide a password and a one-time code from a mobile app to log in. Which security concept is this?
- Multifactor authentication (MFA)
- Single sign-on
- Role-based access control
- Defense in depth
Correct answer: Multifactor authentication (MFA)
Multifactor authentication combines two or more factors — something you know (password), something you have (token/phone), or something you are (biometric) — strengthening access security beyond a single password.
- Which type of VPN creates a permanent encrypted tunnel between two networks (for example, a branch office and headquarters) without per-user client software?
- Site-to-site VPN
- Remote-access VPN
- Clientless SSL VPN
- Split-tunnel VPN
Correct answer: Site-to-site VPN
A site-to-site VPN connects entire networks through gateways (often IPsec), so hosts communicate transparently. A remote-access VPN connects an individual user's device to the network.
- To secure remote management of a Cisco device's CLI, which protocol should replace Telnet?
Correct answer: SSH
SSH encrypts the management session, protecting credentials and commands. Telnet sends everything in clear text and should be disabled. SSH requires a hostname, domain name, and an RSA key pair on the device.
- Which physical security control is an example of a network security program element rather than a technical configuration?
- Locking the wiring closet and badge access to the data center
- Applying an ACL to a router interface
- Enabling port security on a switch
- Configuring WPA3 on the WLAN
Correct answer: Locking the wiring closet and badge access to the data center
Security programs include physical access control, user awareness, and training — non-technical elements. ACLs, port security, and WPA3 are technical controls.
- Which Layer 2 attack floods a switch with bogus source MAC addresses to overflow the MAC address table and force the switch to flood frames out all ports?
- MAC address table overflow (CAM flooding)
- VLAN double-tagging
- DHCP starvation
- ARP poisoning
Correct answer: MAC address table overflow (CAM flooding)
Flooding the CAM table with fake MACs fills it so the switch can no longer store legitimate entries and floods traffic, letting the attacker sniff frames. Port security mitigates it by limiting MACs per port.
- Which password-hardening command encrypts all plaintext passwords in a Cisco device's running configuration so they are not readable in clear text?
- Service password-encryption
- Enable password
- Username admin secret
- No shutdown
Correct answer: Service password-encryption
The 'service password-encryption' global command applies weak (type 7) encryption to clear-text passwords in the config. For the enable secret and local users, the stronger 'secret' keyword uses a one-way hash.