
Cisco Certified Network Associate – 200-301

200-301

Cisco Certified Network Associate

(Version 3.0)

QUESTION: 1
What are two advantages of private RFC 1918 addressing?

A. conserve address space
B. internet connectivity
C. easier to manage
D. multiple address classes
E. network security

Answer: A,E
Explanation
The primary advantages of private RFC 1918 addressing are address conservation and network security.
Only RFC 1918 addresses are assigned to internal hosts and network devices. They are assigned to
a privately managed routing domain that is not routable across the internet. As a result, the same
addresses are assignable to different companies. Only public addressing is uniquely assigned. There is
added security since the private addresses are not exposed to the internet.

QUESTION: 2
What IOS commands will display the operational status of IPv4 configured addresses? (Select three)

A. show ip interface brief
B. show protocols
C. show interfaces
D. show running-config
E. show interfaces trunk

Answer: A,B,C

QUESTION: 3
What subnet mask enables at least 40 host IP addresses per subnet?

A. 255.255.255.192 (/26)
B. 255.255.255.224 (/27)
C. 255.255.255.240 (/28)
D. 255.255.255.248 (/29)

Answer: A
Explanation
Refer to the Class C subnetting table for a subnet mask that enables at least 40 host addresses. The
nearest subnet mask is 255.255.255.192, which allows you to assign a maximum of 62 host IP addresses to
network interfaces.

QUESTION: 4
What is the maximum number of host addresses that are assignable to network interfaces with a class C
address of 192.168.1.0/24?

A. 255
B. 254
C. None
D. 1
E. 256

Answer: B
Explanation
Class C subnetting is available for class C, class B and class A addresses. 192.168.1.0/24 is a class C
address with a default (classful) subnet mask of 255.255.255.0, so it is not subnetted. There is only a
single subnet 192.168.1.0 with host address range 192.168.1.1/24 to 192.168.1.254/24 that enables 254
host addresses. The next classful subnet is 192.168.2.0/24 with 254 host addresses available.

QUESTION: 5
What is the length of an IPv6 address?

A. 64 bits
B. 48 bits
C. 32 bits
D. 128 bits

Answer: D

QUESTION: 6
What feature most correctly describes wireless SSID?

A. BSSID
B. VLAN
C. WLAN
D. Subnet

Answer: C
Explanation
SSID is a wireless LAN (WLAN). Multiple APs can be assigned to the same SSID. A WLAN is configured with
radio, security and QoS settings. The common practice is to assign a single SSID to a VLAN and a VLAN to a
subnet.

QUESTION: 7
What three channels are non-overlapping in 2.4 GHz frequency band?

A. 1
B. 2
C. 6
D. 11
E. 23

Answer: A,C,D
Explanation
The older 2.4 GHz band provides only three non-overlapping channels. As a result, with more than three
access points, you start assigning from channel 1 again.

QUESTION: 8
What cable type is required to connect the same device type?

A. crossover
B. serial
C. straight-through
D. rollover

Answer:
Explanation
Crossover cable is used when connecting two switches or two routers for example. The straight-through
cable is used to connect dissimilar devices such as switch to router or host to switch.

QUESTION: 9
What are three primary differences between TCP and UDP?

A. TCP is connection-oriented
B. TCP provides best effort delivery model
C. TCP is faster than UDP
D. TCP is preferred for video streaming
E. TCP provides flow control and error correction
F. TCP provides retransmission of dropped packets

Answer: A,E,F
Explanation
TCP is connection-oriented with handshake setup, flow control and sequencing. The purpose is to
detect, prevent and correct packet drops. It is less efficient than UDP with increased overhead and
packet processing. UDP is faster than TCP; however, it is connectionless with no guarantee of packet
delivery (best effort). Some applications such as video streaming prefer UDP, where there is less latency
resulting from retransmissions.

QUESTION: 10
What command displays IP parameters on a Windows host?

A. ifconfig
B. telnet
C. ipconfig /all
D. show ip interface

Answer: C
Explanation
Host-1 is enabled as a DHCP client to obtain IP addressing from the DHCP server. The ipconfig /all
command verifies there is no IP addressing currently assigned to host-1. The IP address 169.254.237.117
is a private IPv4 link-local address that is assigned when a DHCP request fails. It provides connectivity only
within the same subnet.
c:/> ipconfig /all
FastEthernet0 Connection: (default port)
Connection-specific DNS Suffix
Physical Address : 0007.EC0D.ED75
Link-local IPv6 Address : FE80::207:ECFF:FE0D:ED75
Autoconfiguration IP Address : 169.254.237.117
Subnet Mask : 255.255.0.0
Default Gateway : 0.0.0.0
DNS Servers : 0.0.0.0
DHCP Servers : 0.0.0.0
DHCPv6 Client DUID : 00-01-00-01-15-7D-1C-DC-00-07-EC-0D-ED-75

QUESTION: 11
What are three characteristics of Spine-Leaf architecture?

A. alternative to older SIP designs
B. designed for east-west traffic
C. Layer 2 only
D. full mesh {Correct}
E. north-south traffic
F. partial mesh

Answer: A,B
Explanation
Cisco is now promoting what is called Spine-Leaf architecture. It is comprised of a 2-Tier layered design
with switches connected via full mesh topology. There are leaf switches connected in a full mesh
topology to each spine switch. As a result, each switch is only a single-hop to a neighbor for east-west
traffic with low latency connections. Newer fabric architecture defines a physical underlay and virtual
overlay that supports L2 and/or L3 designs. The virtual overlay is unique to Spine-Leaf and required for
programmability and SDN applications. Cisco DNA Center is based on fabric architecture.

QUESTION: 12
What additional route is added to routing table when interface Gi0/0 is enabled with IP address
172.33.2.1/24?

A. 172.33.2.1/24
B. 172.33.2.1/32
C. 172.33.2.0/32
D. 172.33.2.0/24
E. none

Answer: B
Explanation
Connected routes are not manually configured or dynamic. They are automatically added to a routing
table. The route entry includes a local network interface. Local router interfaces are configured with an
IP address that is within a particular subnet. Anytime routing services are enabled, you will notice at
least some connected routes in the routing table. The router installs a corresponding local host route as
well for each connected interface. It is assigned a /32 subnet mask that indicates a host route.
C 172.33.2.1/24 is directly connected, Ethernet1/0
L 172.33.2.1/32 is directly connected, Ethernet1/0

QUESTION: 13
Refer to the network topology drawing where Host-1 is sending a packet to Server-1. What is the source
and destination MAC address at P1. In addition, what is the source and destination IP address at P2?

A. P1: source MAC address = 0000.000a.aaaa
P1: destination MAC address = 0000.1234.5678
P2: source IP address = 192.168.1.3
P2: destination IP address = 192.168.3.3

B. P1: source MAC address = 0000.000a.aaaa
P1: destination MAC address = 0000.1234.5678
P2: source IP address = 192.168.3.3
P2: destination IP address = 192.168.3.1

C. P1: source MAC address = 0000.000a.aaaa
P1: destination MAC address = 0000.000b.bbbb
P2: source IP address = 192.168.1.1
P2: destination IP address = 192.168.3.1

D. P1: source MAC address = 0000.000a.aaaa
P1: destination MAC address = ffff.ffff.ffff
P2: source IP address = 192.168.1.3
P2: destination IP address = 192.168.3.1

Answer:
Explanation
The source and destination MAC address are rewritten at each router hop. The switch only examines the
source and destination MAC address. Host-1 sends data to server-1 at P1 with source MAC address of
network interface (0000.000a.aaaa). The destination MAC address at P1 is router-1 interface Gi0/1
(0000.000b.bbbb). Switch-1 must only read and forward based on the destination MAC address. The
source and destination IP address do not change in packets as they traverse the network. The
forwarding path at P1 is from host-1 to server-1. The source IP address is 192.168.1.1 (host-1) and
destination IP address is 192.168.3.1 (server-1).
P1: source MAC address = 0000.000a.aaaa
P1: destination MAC address = 0000.000b.bbbb
P2: source IP address = 192.168.1.1 (host-1)
P2: destination IP address = 192.168.3.1 (server-1)

QUESTION: 14
What is the correct syntax for an IPv6 static route?

A. ip route 2001:DB8:3C4D:1::/64 2001:DB8:3C4D:2::
B. ipv6 router 2001:DB8:3C4D:1::1 2001:DB8:3C4D:2::1/64
C. ipv6 route 2001:DB8:3C4D:1::/64 2001:/3
D. ip6 route 2001:DB8:3C4D:1::/64 2001:DB8:3CD:2::1

Answer: D

QUESTION: 15
What is the correct syntax for an IPv6 default route?

A. ipv6 route 0.0.0.0/0 2001:DB8:3C4D:2::1
B. ipv6 route ::/0 2001:DB8:3C4D:2::1
C. ipv6 route /0 2001:DB8:3C4D:2::/32
D. ipv6 route 2001:DB8:3C4D:2::1 :/0

Answer: B

QUESTION: 16
What interface errors are caused by duplex mismatch?

A. collisions
B. runts
C. giants
D. MTU mismatch

Answer: A
Explanation
Collisions occur mostly when there is a duplex setting mismatch between host and switch interfaces. In
addition, collisions can occur when there is a bad network interface card (NIC) or cabling error. Giant
frames (1600 bytes) result either from a faulty NIC or an MTU misconfiguration on an interface. The
output of show interfaces lists various Layer 2 errors including runts, giants, collisions and CRC errors. The
most common cause of CRC errors and runts is collisions. Gigabit Ethernet ports do not support half-duplex at
all. The older 10/100/1000 interfaces permitted half-duplex with lower speed settings.

QUESTION: 17
What are three advantages of next-generation firewalls over traditional firewalls?

A. malware protection
B. throughput
C. lower cost
D. real-time monitoring
E. load balancing
F. open standards-based

Answer: A,B,D
Explanation
Cisco has developed Next-Generation Firewalls (NGFW) to enhance security for internet and cloud
connections. It is based on dynamic monitoring, detection and prevention. In addition, there is deep
packet inspection to the application layer and higher throughput.

QUESTION: 18
What are two components of a Virtual Machine (VM)?

A. hypervisor
B. application
C. processor
D. firewall
E. operating system

Answer: B,E
Explanation
The components of a virtual machine include application, operating system and configuration settings.

QUESTION: 19
Select two statements that correctly describe frame switching operation?

A. switch only reads destination MAC address
B. switch does frame rewrite
C. switch reads source and destination MAC address
D. switch floods frame out all ports except where frame was learned when destination MAC address is unknown

Answer: C,D

QUESTION: 20
Select the correct IOS commands to configure a switch access port and assign VLAN 10?

A. switchport mode access
vlan 10
B. switchport access mode
switch port vlan 10
C. switchport mode vlan10
D. switchport mode access
switchport access vlan 10

Answer: D
Explanation
The following interface level IOS commands configure an access port and assign any connected host to
VLAN 10 for that interface.
switch(config-if)# switchport mode access
switch(config-if)# switchport access vlan 10

QUESTION: 21
What is the number assigned to the switch management VLAN?

A. 0
B. unassigned
C. 1
D. 4094

Answer: C

QUESTION: 22
What is the only VLAN type permitted on an access port where there is already an existing VLAN
assigned?

A. data
B. voice
C. management
D. extended

Answer: B

QUESTION: 23
What statements correctly describe switch trunking? (Select two)

A. Forward multiple VLANs across Layer 2 domain
B. Enable communication between different VLANs
C. Enable communication between the same VLANs
D. Enable communication between different subnets

Answer: A,C
Explanation
Switch trunks forward multiple VLANs across a Layer 2 domain. They enable communication between
the same VLANs only.

QUESTION: 24
What is the default number assigned to a native VLAN?

A. 1
B. 0
C. 999

D. None

Answer: A
Explanation
Cisco switch assigns the default management VLAN 1 to the native VLAN for trunking.

QUESTION: 25
How do you verify all trunk interfaces that are operational on a switch?

A. show trunk interfaces
B. show trunking summary
C. show interfaces trunk
D. show interface brief

Answer: C

QUESTION: 26
What DTP mode supports negotiation of access mode and trunk mode interfaces?

A. dynamic trunk
B. dynamic auto
C. dynamic desirable
D. dynamic on

Answer: B
Explanation
DTP dynamic auto mode listens for DTP packets from neighbors. There is a trunk established when the
neighbor is configured with dynamic desirable mode or is configured for static trunk mode. The switch
port with dynamic auto configured is set to access mode when trunk negotiation fails.

QUESTION: 27
What IOS command enables CDP globally after it is disabled?

A. cdp
B. cdp run
C. cdp enable
D. cdp on

Answer: B

Explanation
CDP is enabled on Cisco devices globally by default including the network interfaces. Enable CDP on a
specific interface only with the following IOS interface level command.
switch(config-if)# cdp enable
The following IOS command enables CDP globally on the network device including all interfaces.
switch(config)# cdp run

QUESTION: 28
What IOS command will enable a channel group for LACP?

A. channel-group 10 mode active
B. channel group 10 mode active
C. channel-group 10 lacp active
D. channel-group 10 mode auto

Answer: A

QUESTION: 29
What port type for a switch interface has lowest cost to the root bridge?

A. designated port
B. alternate port
C. root port
D. bridge port

Answer: C
Explanation
The Spanning Tree election assigns the root bridge along with designated, root and alternate ports to
neighbor switches. The root port is a switch port on a neighbor switch that has the least cost path to the
root bridge (switch). It is the primary (facing) forwarding link to the root bridge that received the best BPDU.

QUESTION: 30
What is the purpose of STP?

A. create Layer 2 domain
B. improve performance
C. prevent Layer 2 topology loops
D. forward multiple VLANS between switches
E. calculate lowest metric

Answer: C
Explanation
The primary purpose of STP is to eliminate Layer 2 loops that create broadcast storms and destabilize
the network.

QUESTION: 31
What is an operational mode for Cisco wireless access point?

A. LAP
B. CAPWAP
C. admin
D. broadcast

Answer: A

QUESTION: 32
How does wireless controller LAG interface connect to switch?

A. LACP EtherChannel
B. Static Etherchannel with trunk interface
C. PAgP Etherchannel
D. switch access port

Answer: B
Explanation
Cisco wireless controllers support Link Aggregation Group (LAG) to bundle multiple physical controller
ports into a static Etherchannel (LAG) interface. The advantage is higher bandwidth, redundancy and
load balancing. Cisco appliance-based controllers have multiple Ethernet ports available for switch
connectivity. There is support for only a single LAG group per controller. Link aggregation is static (on
mode) only for controller and switch-side interfaces. There is no support for LACP or PAgP on the
controller port or switch-side interface. EtherChannel is configured with trunking to forward multiple
VLANs across link.

QUESTION: 33
What IOS commands enable Cisco device management from a web browser with an encrypted
connection? (Select two)

A. ip http secure-server
B. https secure-server
C. ip http authentication local
D. http server-secure
E. ip http local authentication

Answer: A,C
Explanation
Cisco devices can be configured and managed from a web browser. There are various applications such
as Cisco Network Assistant with GUI for easier management.

QUESTION: 34
What two methods enable an encrypted management connection to a wireless controller?

A. SSH
B. Telnet
C. HTTP Server
D. AAA
E. Console

Answer: A,C

QUESTION: 35
The following is an OSPF route entry from a routing table. What is the metric calculation?

A. 128
B. 238
C. 110
D. 0

Answer: B

QUESTION: 36
What route type is selected when 172.16.1.0/26 is advertised from the following route sources?

A. EIGRP route to the same destination
B. OSPF route to the same destination
C. static route to the same destination
D. default route with a next hop address of 172.16.0.1
E. host route to destination {Correct}

Answer: E
Explanation
Routes are selected for install into the local routing table based on administrative distance (AD). The
route with the lowest AD is selected when there are multiple routes from different routing sources to
the same destination. Any directly connected interface (host route) has the lowest administrative
distance of all route sources.

QUESTION: 37
What route (prefix) is selected in the routing table to destination IP address 192.168.1.1?

A. 192.168.1.0/28
B. 192.168.1.0/26
C. 192.168.1.0/25
D. 192.168.1.0/27

Answer: A
Explanation
Routers select the longest subnet (prefix) when there are multiple routes to the same destination. This is
called the Longest Match Rule. The route selected for packets to destination IP address 192.168.1.1 is
192.168.1.0/28.

QUESTION: 38
What attributes determine route and best path selection? (Select three)

A. shortest match rule
B. highest administrative distance
C. highest metric
D. lowest metric (cost)
E. lowest administrative distance
F. longest match rule

Answer: D,E,F
Explanation
The router selects routes to install in the routing table. Sometimes there are multiple routes from
multiple routing protocols to the same destination. The administrative distance of a route determines
the route installed in the routing table. The longest match rule selects the route with the longest subnet
mask (prefix) from routes in the routing table. The metric is used to select best path to destination and
where multiple paths exist.

• lowest administrative distance
• longest match (subnet mask)
• lowest metric (cost)
1. Route with lowest administrative distance from among different routing protocols is installed in routing table.
2. Route with lowest metric is installed in routing table when multiple routes exist from same routing protocol.
3. Route with longest match is selected from the routing table when multiple routes exist to the same destination.

QUESTION: 39
When does a router discard a packet? (Select the best answer)

A. no default route exists
B. no static route exists
C. no OSPF route exists
D. no connected route exists

Answer: A
Explanation
The router will discard a packet when there is no route at all. That would include dynamic routes (OSPF
etc.), static route and finally default route.

QUESTION: 40
Refer to the network drawing. Select two commands, either of which when configured on router-1
would provide a static route to network 172.16.12.0/24 on router-3.

A. router-1(config)# ip route 172.16.12.00.0.255 172.16.12
B. router-1(config)# ip route 172.16.1.2 255.255.0 S0/1
C. router-1(config)# ip route 172.16.12.0 255.255.255.0 S0/1
D. router-1(config)# ip route 172.16.12.0 255.255.255.0 S0/1
E. router-1(config)# ip route 172.16.12.0 255.255.255.0 172.16.1.2

Answer: D,E
Explanation
The following are two options for configuring a static route on router-1 to network address
172.16.12.0/24
router-1(config)# ip route 172.16.12.0 255.255.255.0 172.16.1.2
router-1(config)# ip route 172.16.12.0 255.255.255.0 Serial0/1
The first static route command configures the next hop as the IP address of a neighbor router interface
(172.16.1.2). The second static route configures the next hop as an exit interface (Serial0/1) on router-1.
Wildcard masks are not used when configuring static routes. The correct format for a static route is the
following:
ip route [destination IP address] [subnet mask] [next hop IP address] [interface]

QUESTION: 41
Refer to the network drawing. What route when configured on router-1 forwards all traffic destined for
the internet to router-2?

A. ip route 0.0.0.0 0.0.0.0 172.16.2.2
B. ip route 0.0.0.0 255.255.255.0 172.16.2.2
C. ip route 0.0.0.0 0.0.0.0 172.16.2.0
D. ip route 0.0.0.0 0.0.0.0 192.168.3.0

Answer: A
Explanation
The default route will forward all traffic to the configured next hop IP address (172.16.2.2). Packets
arriving at Router-1 will use the default route when there is no route in the routing table to the
destination. It is typically configured as a gateway of last resort on a router. Router-1 will forward
packets with an unknown destination to the serial interface of Router-2.
router-1(config)# ip route 0.0.0.0 0.0.0.0 172.16.2.2

QUESTION: 42
Refer to the network topology drawing. Select the correct IOS command to configure a floating (backup)
static route on router-1 to network address 192.168.3.0/24?

A. router-1(config)# ip address 192.168.3.0 255.255.255.0 172.16.1.2 200
B. router-1(config)# ip route 192.168.3.1 255.255.255.0 172.16.2.1 1
C. router-1(config)# ip route 0.0.0.0/0 192.168.3.0 100
D. router-1(config)# ip route 192.168.3.0 255.255.255.0 172.16.2.2 200

Answer: D
Explanation
The following IOS command will configure a backup static route (floating) on router-1 to subnet
192.168.3.0/24 with an administrative distance of 200.
router-1(config)# ip route 192.168.3.0 255.255.255.0 172.16.2.2 200
• destination subnet (route) = 192.168.3.0
• subnet mask = 255.255.255.0 (/24)
• next hop IP address = 172.16.2.2
• administrative distance = 200
Traffic destined for subnet 192.168.3.0 is forwarded to next hop address 172.16.2.2. The administrative
distance is a local value and affects route selection. The default administrative distance for a static route
is 1. Assigning a value of 200 to the static route makes it a floating static route. That is often used as a
backup route when a primary link fails.

QUESTION: 43
After network convergence has occurred, what standard OSPF packets are sent at regular intervals
between routers?

A. hello packet {Correct}
B. link-state request
C. link-state update
D. none
E. topology database descriptor

Answer: A
Explanation
OSPF hello packets are sent at fixed intervals based on the hello timer setting. The purpose of hello
packets is to discover neighbors and establish neighbor adjacency. In addition, hello packets are sent
as keepalives to confirm the connected neighbor is active. The neighbor is declared unreachable when
hello packets are not received for the interval of the dead timer.

QUESTION: 44
What is the purpose of OSPF hello packets? (Select two)

A. neighbor adjacency {Correct}
B. advertise routes to build and maintain topology database {Correct}
C. DR election
D. router ID selection

Answer: A,B
Explanation
The OSPF link-state routing protocol builds and maintains a topology database. The hello packets
discover neighbors and establish neighbor adjacencies first. The routes are exchanged between all OSPF
routers to build the topology database.

QUESTION: 45
What are two primary advantages of deploying a single OSPF area network design?

A. decreases LSA advertisements sent per routing domain
B. permits virtual links
C. scalability
D. faster convergence
E. less CPU utilization on area routers

Answer: A,D
Explanation
The single OSPF area design reduces the number of LSAs advertised between routers. There are
Intra-Area LSAs only comprised of Router (Type 1) and Network (Type 2) links. All areas must be connected
directly to the backbone (area 0). The virtual link is not required where there is only a single area. It
connects an area to the backbone area through an already connected area.

QUESTION: 46
What two statements are correct concerning the configuration and feature support of OSPFv2?

A. hop count is unlimited
B. classless routing protocol
C. hop count is 15
D. classful routing protocol

Answer: A,B
Explanation
OSPF is a classless routing protocol and hop count is unlimited.

QUESTION: 47
What are three possible reasons why routers cannot establish an OSPF adjacency?

A. incorrect wildcard mask
B. incorrect router ID
C. OSPF process identifiers do not match
D. hello timer mismatch
E. there is no area 0

Answer: A,B,D
Explanation
OSPF enables routes to advertise based on a subnet and an associated wildcard mask. Any interface that
is not within that subnet range won’t be enabled. OSPF hello timers must match on the interfaces that
connect OSPF neighbors and router ID must be unique. Single-area OSPF allows for assigning any
number to the area. It is only Multi-Area OSPF that requires an area 0.

QUESTION: 48
What router is elected Designated Router (DR) when all are assigned the default priority setting?

A. router-1 (router ID=172.16.1.1)
B. router-2 (router ID=172.16.1.2)
C. router-3 (router ID=172.16.1.3)
D. router-4 (router ID=172.16.1.4)

Answer: D

QUESTION: 49
What OSPF network type is assigned to an Ethernet network interface?

A. Broadcast
B. Point-to-point
C. Multipoint
D. Point-to-multipoint

Answer: A
Explanation
OSPF network types are configured automatically based on the network interface media. For example,
OSPF automatically assigns Broadcast network type to an Ethernet interface. There are serial interfaces
as well that are assigned Point-to-Point network type. It is not a shared broadcast link as with an
Ethernet segment. The OSPF serial interfaces connect only to a single neighbor.

QUESTION: 50
What is the primary purpose of OSPF router ID?

A. enable router process ID
B. faster convergence
C. send hello packets
D. identify OSPF router to neighbors

Answer: D
Explanation
OSPF routers must be assigned a router ID that is a unique identifier to all connected OSPF neighbors.
The router ID is advertised in routing updates to identify where updates originated. Cisco default OSPF
configuration has no router ID assigned. The following commands configure a router ID from router
configuration mode.
router ospf 1
router-id 192.168.255.1

QUESTION: 51
How are route advertisements enabled between OSPF neighbors?

A. default route
B. network area command only (router process)
C. per interface only
D. network area command or per interface

Answer: D
Explanation
OSPF is enabled with the network area command configured from OSPF router configuration mode.
OSPF can be enabled directly as well on an interface with a command that specifies the OSPF process ID and
area assigned. For example, assigning an interface to OSPF process 1 and advertising routes to area 0
requires the ip ospf 1 area 0 command. The result is that OSPF will advertise the subnet assigned to
that interface to OSPF neighbors. It takes precedence as well when a subnet from the network area
command is within the range of an interface subnet address.

QUESTION: 52
What IOS command is used to display the collection of OSPF link-states?

A. show ip ospf neighbors
B. show ip ospf database
C. show ip ospf link-state
D. show ip ospf lsa database

Answer: B
Explanation
OSPF creates a global topology database with all Link State Advertisements (LSA) sent from all OSPF
neighbors.

QUESTION: 53
What network protocol creates a virtual router for default gateway redundancy?

A. CDP
B. OSPF
C. HSRP
D. PAgP

Answer: C

QUESTION: 54
How are DHCP requests forwarded from clients when the DHCP server is on a different subnet?

A. dhcp option 150
B. proxy arp
C. ip helper-address
D. dhcp default-server

Answer: C
Explanation
DHCP relay is a feature configured on either a Layer 3 switch or router. It is required to forward DHCP
requests from client hosts when the DHCP server is on a different subnet than the hosts.

QUESTION: 55
What are two primary services provided by Dynamic Host Configuration Protocol (DHCP)?

A. configure default route with IPv6 addressing
B. configure TCP/IP address settings on hosts
C. provide additional network security
D. assign and renew IP addresses from a designated pool
E. detect errors with IP addressing

Answer: B,D
Explanation
The DHCP server is responsible for dynamic configuration of host IP settings. In addition it manages the
renewal of new IP addresses from an address pool.

QUESTION: 56
What IOS command is used to create a static NAT between an inside local IP address and inside global IP
address?

A. ip nat pool
B. ip nat outside
C. ip nat dmz
D. ip nat inside source

Answer: D
Explanation
The static NAT statement creates a 1:1 mapping between a local IP address and a global IP address. The
following configures a static NAT between inside local IP address 192.168.1.1 (private) and inside global
IP address 200.16.1.1 (internet routable).

router(config)# ip nat inside source static 192.168.1.1 200.16.1.1

Inside Local IP Address: private IP address assigned to a host on the inside network (RFC 1918)
Inside Global IP Address: public internet routable IP address assigned by the ISP
Outside Global IP Address: public internet routable IP address assigned to outside (remote) host device
Outside Local IP Address: public internet routable IP address of outside host as appears to inside network

QUESTION: 57
What are two advantages of Network Address Translation (NAT)?

A. enables security of packets while in transit across the internet
B. eliminates the need for DNS requests
C. conceals private IP address assignments from the internet
D. eases management of internet connectivity
E. increases the private IP address space that can be assigned

Answer: C,D
Explanation
The primary advantage of NAT is to map multiple private IP addresses to a single or multiple public
routable IP addresses. The ISP does not have a public routable IP address available for every private IP
address. NAT allows for configuring a pool of public IP addresses. The private IP address is dynamically
mapped for that internet session only. As a result there is no requirement to readdress local hosts for
internet access. The NAT translation has the advantage of protecting the private IP address assignments.
The private addresses are not advertised providing additional security for internet connectivity. The
remote hosts send packets to the public destination IP address.

QUESTION: 58
What IOS command is used to display NTP operational status and stratum level?

A. router# show ntp status/all
B. router# show ntp server
C. router# show ntp detail
D. router# show ntp status

Answer: D
Explanation
The IOS command show ntp status displays NTP operational status such as server synchronization and
stratum level for a Cisco device.

QUESTION: 59
What protocol is responsible for resolving hostnames to IP addresses?

A. DHCP
B. ARP
C. DNS
D. NTP

Answer: C

QUESTION: 60
What is the default QoS trust state for Cisco network interfaces?

A. Trusted
B. None
C. Disabled
D. untrusted

Answer: D
Explanation
All network interfaces are untrusted as a global default setting. Switches will remark all frames arriving
at untrusted interfaces to CoS = 0. Enabling QoS globally and configuring trust state per interface is
required to trust packet markings. The 802.1q protocol used for trunking has the CoS priority field. The
CoS marking can only be applied to frames traversing trunk links. Untagged packets (native VLAN) are
assigned the default Class of Service (CoS) priority of the ingress switch port. Voice VLAN is the
exception for Cisco IP phones.

QUESTION: 61
What IOS commands are mandatory to enable SSHv2 on a Cisco network device? (Select three)

A. transport input ssh
B. crypto generate rsa key
C. ip ssh version 2
D. crypto key generate rsa
E. ip domain-name
F. ip ssh v2

Answer: C,D,E
Explanation
The transport input command allows Telnet and SSH management traffic as a default. Local
authentication is configured with a username and password.

QUESTION: 62
What are the components of a standard ACL?

A. source IP address, subnet mask, destination subnet
B. source IP address and subnet mask
C. destination IP address, wildcard mask, protocol
D. source IP address and wildcard mask

Answer: D

QUESTION: 63
What IOS command permits Telnet traffic only from host 10.1.1.1/24 to host 10.1.2.1/24?

A. access-list 100 permit tcp 10.1.1.1 255.255.255.255 host 10.1.2.1 eq 23
B. access-list 100 permit ip 10.1.1.1 0.0.0.0 host 10.1.2.1 eq 23
C. access-list 100 permit tcp 10.1.1.1 255.255.255.0 host 10.1.2.1 eq 21
D. access-list 100 permit tcp host 10.1.1.1 host 10.1.2.1 eq 23

Answer: D
Explanation
The following IOS command permits Telnet traffic from host 10.1.1.1/24 to host 10.1.2.1/24:
access-list 100 permit tcp host 10.1.1.1 host 10.1.2.1 eq 23
The access control list (ACL) statement reads from left to right: permit TCP traffic from the source host
only to the destination host, and only Telnet (port 23). The tcp keyword refers to applications that are
TCP-based. The udp keyword is used for applications that are UDP-based, such as SNMP. The 0.0.0.0 wildcard
mask requires a match on all 4 octets of the source address (10.1.1.1).
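
The match logic described in the explanation above, as an added Python example (not part of the original question bank and not Cisco code): a minimal evaluator for extended ACL entries of the form shown, handling only `any`, `host`, address/wildcard pairs and a trailing destination `eq` port. The source addresses 10.1.1.2 and 192.0.2.9 are constructed test traffic.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_KEYWORDS = {"telnet": 23, "www": 80}  # small subset of the IOS port keywords


@dataclass
class Ace:
    action: str              # "permit" or "deny"
    proto: str               # "ip", "tcp" or "udp"
    src: int
    src_wild: int            # wildcard mask: a 1 bit means "ignore this bit"
    dst: int
    dst_wild: int
    dst_port: Optional[int]  # None means any port


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _take_addr(tokens: List[str]) -> Tuple[int, int]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' from the front of tokens."""
    first = tokens.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return _ip(tokens.pop(0)), 0  # 'host' is shorthand for wildcard 0.0.0.0
    return _ip(first), _ip(tokens.pop(0))


def parse_ace(line: str) -> Ace:
    tokens = line.split()
    if len(tokens) < 6 or tokens[0] != "access-list":
        raise ValueError("expected: access-list <number> <action> <protocol> <src> <dst>")
    action, proto, rest = tokens[2], tokens[3], tokens[4:]
    if action not in ("permit", "deny") or proto not in ("ip", "tcp", "udp"):
        raise ValueError("unsupported action or protocol: " + line)
    src, src_wild = _take_addr(rest)
    dst, dst_wild = _take_addr(rest)
    dst_port = None
    if rest:
        if len(rest) != 2 or rest[0] != "eq":
            raise ValueError("only a trailing 'eq <port>' is handled: " + " ".join(rest))
        if proto == "ip":
            # Port numbers exist only in TCP and UDP headers (why option B is invalid).
            raise ValueError("a port match needs tcp or udp, not ip")
        port = rest[1]
        dst_port = PORT_KEYWORDS[port] if port in PORT_KEYWORDS else int(port)
    return Ace(action, proto, src, src_wild, dst, dst_wild, dst_port)


def _addr_match(value: int, base: int, wild: int) -> bool:
    # Compare only the bit positions whose wildcard bit is 0.
    return ((value ^ base) & ~wild & 0xFFFFFFFF) == 0


def evaluate(acl: List[Ace], proto: str, src: str, dst: str,
             dst_port: Optional[int] = None) -> str:
    """First matching entry wins; no match falls through to the implicit deny."""
    s, d = _ip(src), _ip(dst)
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not _addr_match(s, ace.src, ace.src_wild):
            continue
        if not _addr_match(d, ace.dst, ace.dst_wild):
            continue
        if ace.dst_port is not None and ace.dst_port != dst_port:
            continue
        return ace.action
    return "deny"


# The statement from the explanation (answer D).
ANSWER_D = [parse_ace("access-list 100 permit tcp host 10.1.1.1 host 10.1.2.1 eq 23")]
# Option A puts a subnet mask where the wildcard belongs: every source bit is ignored,
# so the entry matches any source address instead of one host.
OPTION_A = [parse_ace(
    "access-list 100 permit tcp 10.1.1.1 255.255.255.255 host 10.1.2.1 eq 23")]

if __name__ == "__main__":
    for source in ("10.1.1.1", "10.1.1.2", "192.0.2.9"):  # constructed sources
        print(source,
              "answer D:", evaluate(ANSWER_D, "tcp", source, "10.1.2.1", 23),
              "| option A:", evaluate(OPTION_A, "tcp", source, "10.1.2.1", 23))
```

Running an audit like this over a configuration catches the common mistake of typing a subnet mask in the wildcard position, which silently widens the permit.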

QUESTION: 64
What port number or keyword is assignable within an extended ACL to permit or deny HTTP?

A. 80
B. http
C. 443
D. web

Answer: A
Explanation
There are keywords and port numbers that are assignable for different applications. In this example,
web-based applications (HTTP) are represented in an extended ACL with TCP port 80 or www keyword.
There is HTTPS as well, however that is assigned TCP port 443 or https keyword.

QUESTION: 65
What IOS command will configure the local username admin with privileged EXEC mode access and
password cisconet?

A. username admin privilege 15 cisconet
B. username admin privilege level 15 password cisconet
C. username admin privilege 15 password 7 cisconet
D. username admin privilege 15 password cisconet

Answer: D
Explanation
The following IOS command configures username admin and assigns highest privilege level 15 with
password cisconet for local authentication.
device(config)# username admin privilege 15 password cisconet

QUESTION: 66
What global IOS command is used to configure username admin with highest privilege level access and
secret password cisconet?

A. username admin privilege 15 enable secret cisconet
B. username admin privilege 16 secret password cisconet
C. username admin privilege 16 secret 7 cisconet
D. username admin privilege 15 secret cisconet

Answer: D
Explanation
The following IOS command will configure a username called admin with privilege level 15 and secret
password cisconet. The secret password is stored as an MD5 hash by default, which is more secure
than type 7 encryption. Note that secret passwords do not require service password-encryption. Some
network devices have multiple password types, however, and would use service password-encryption.
device(config)# username admin privilege 15 secret cisconet

QUESTION: 67
What are three examples of solutions for physical access security?

A. biometric scan
B. rack lock
C. swipe card
D. digital certificate

Answer: A,B,C

QUESTION: 68
What services are provided by DHCP snooping? (select two)

A. detect Layer 2 broadcast storms
B. permit DHCP packets to a trusted port only
C. minimize DHCP packet types to a single VLAN
D. prevents rogue DHCP servers from offering IP addresses to hosts
E. provide DHCP server authentication

Answer: B,D
Explanation
DHCP snooping is a security feature that acts like a firewall between untrusted hosts and trusted DHCP
servers. The services provided by DHCP snooping include the following:
• Permit DHCP packets to a trusted port only.
• Prevent rogue DHCP servers from offering IP addresses to hosts.

QUESTION: 69
What security solution prevents connecting any unauthorized network device hardware to the
corporate network?

A. VLAN access control list (VACL)
B. access control list (ACL)
C. port security
D. portfast

Answer: C
Explanation
The purpose of port security is to optimize security through network switch access control. For instance,
plugging a laptop from home into the Ethernet jack at work could affect network operations. The switch
port enabled with Port Security would deny access based on the unknown MAC address.

QUESTION: 70
What statement is NOT correct when comparing authentication and authorization?

A. authorization is before authentication
B. authorization is after authentication
C. authorization is data access
D. authentication is network access

Answer: A

QUESTION: 71
What wireless authentication protocol provides the most security?

A. WPA3
B. WPA2
C. AES
D. Open
E. WPA2-PSK

Answer: A
Explanation
The best wireless security for authentication and encryption of wireless clients is WPA3. Cisco supports
WPA2 (Enterprise) with RADIUS server authentication and AES data encryption. It is currently the best
security available for Cisco wireless devices. There is WPA2-PSK (Personal) as well that is based on a
static passphrase only with no user authentication.

QUESTION: 72
What are four advantages of SDN compared with traditional network architecture?

A. agility
B. open standards
C. dynamic
D. faster deployment
E. distributed control plane

Answer: A,B,C,D
Explanation
SDN controllers are based on a centralized single network control plane.

QUESTION: 73
What three statements correctly describe SDN architecture?

A. SDN architecture decouples the control and data plane
B. control plane is a software module
C. SDN controller is a centralized control plane with a policy engine
D. SDN architecture decouples management plane and control plane

Answer: A,B
Explanation
Software Defined Networking (SDN) is an architecture that separates the control plane from the data
plane. The purpose for that is to abstract underlying network infrastructure. That allows
programmability of supported network devices. It is similar to the hypervisor paradigm shift that
abstracts (separates) server hardware from software components including operating systems,
applications and virtual appliances. The same idea is applied to the network infrastructure with overlays
and programmable services.

The following statements correctly describe SDN programmability:

• SDN architecture decouples the control and data plane
• Control plane is a software module instead of a physical processor
• SDN controller is a centralized control plane with a policy engine
• Infrastructure is abstracted from applications

QUESTION: 74
What are four advantages of an SDN Controller?

A. network services are dynamically configurable
B. moves control plane from physical devices to software abstracted layer
C. centralized management and distributed intelligence
D. network appears as a distributed switch
E. centralized management and network intelligence
F. network appears as a single switch

Answer: ABEF
Explanation
The following statements accurately describe SDN Controller.

• centralized management and network intelligence
• network services are dynamically configurable
• network appears as a single switch
• moves control plane from physical devices to software abstracted layer

QUESTION: 75
What is the purpose of a southbound API?

A. connect SDN controller and network infrastructure
B. connect SDN controller and control plane
C. connect SDN controller and management plane
D. connect control plane and applications

Answer: A
Explanation
SDN overlay has a separate control plane and management plane. The data plane underlay is
communicated via southbound APIs. The southbound API is a software program that connects physical
network infrastructure (data plane) with an SDN controller.

QUESTION: 76
Select three network overlay components?

A. OSPF
B. VXLAN
C. switch
D. VPN tunnel
E. OTV

Answer: BDE
Explanation
Cisco DNA architecture fabric overlay is a logical topology that creates virtual connections between
endpoints.

QUESTION: 77
How does Cisco DNA enable automation? (select two)

A. CDP
B. Controllers
C. Underlays
D. Open APIs

Answer: BD
Explanation
Cisco DNA enables automation and programmability via controllers and open APIs.

QUESTION: 78
What is the corresponding CRUD operation for an HTTP GET verb?

A. READ
B. POST
C. PUT
D. PATCH

Answer: A
Explanation
The purpose of CRUD is primarily manipulation of database records for a variety of traditional
application platforms. Recently, it has been adapted as well for web-based applications. CRUD methods
are mapped to HTTP verbs for creating REST API and compliance with REST architecture.
You can define a REST API for creating web services based on CRUD operations as a result. For example,
consider an online shopping cart where CRUD is used to READ a web page where some CCNA books are
listed. The next operation is CREATE to checkout and send payment for selected item. You could then
change your shipping location with an UPDATE operation. The DELETE operation is used to
remove/cancel a shopping cart session that was started.

QUESTION: 79
What task is not suitable for Puppet, Chef or Ansible?

A. install software
B. configure multiple switches
C. copy (backup) files
D. deploy virtual machines

Answer: D
Explanation
There are various open source configuration management tools that enable automation and
orchestration of basic and complex tasks. They were originally developed for cloud computing however
they are used to manage on-premises infrastructure as well. Some of the most popular automation tools
include Puppet, Chef and Ansible.

QUESTION: 80
What are some disadvantages of traditional network management when compared with network
automation? (select three)

A. scripting
B. hardware only
C. CLI
D. manual
E. slower

Answer: CDE
Explanation
The advent of network programmability and automation tools is radically changing how network
infrastructure is managed. In fact, manufacturing automation is an industrial example that caused
production efficiency to multiply. Compared with traditional networking, automation has astonishing
advantages that are transforming the management of wired, wireless and virtualized network
infrastructure. Network automation lowers operational costs and enables deployment agility and unified
policies.

Previously, traditional networking was based on a silo view where each network device was statically
managed separately. There is much more accomplished, in less time and at a lower cost while
minimizing network outages. Having a centralized, real-time network view is fundamental to
automation. Create unified policies for device configuration, security, wireless and systems
management. The following list of management tasks are common to network automation.

QUESTION: 81
Select the IP address that is publicly assigned from an ISP?

A. 192.168.100.1/24
B. 172.16.1.1/24
C. 200.200.1.1/24
D. 10.100.1.1/24

Answer: C
Explanation
Public addressing is outside the RFC 1918 private address space and is assigned by an ISP.

QUESTION: 82
Select the IP address that is assignable to a router interface?

A. 224.0.0.10
B. 127.0.0.1
C. 192.168.1.0
D. 192.168.1.255
E. 172.16.1.1

Answer: E
Explanation
Only the IP address 172.16.1.1 option is assignable to a router interface (host address). You
cannot assign network, broadcast, multicast or test loopback addresses to a network interface.

QUESTION: 83
Select the network address that is part of RFC 1918 private assigned address space?

A. 172.16.0.0/12
B. 172.33.0.0/24
C. 12.0.0.0/7
D. 192.169.0.0/23

Answer: A
Explanation
RFC 1918 defines private IP address space from each address class. The private IP addressing is not
public routable across the internet. The standard practice is for companies to assign private addressing
to all inside hosts. NAT is deployed at the internet edge where private addresses are translated to public
routable addresses. The following are the RFC 1918 private IP address ranges:
10.0.0.0 - 10.255.255.255 /8
172.16.0.0 - 172.31.255.255 /12
192.168.0.0 - 192.168.255.255 /16

QUESTION: 84
What subnet mask is required to assign 15 host IP addresses?

A. 255.255.255.252(/30)
B. 255.255.255.248(/29)
C. 255.255.255.240(/28)
D. 255.255.255.224(/27)

Answer: D
Explanation
Refer to the Class C subnetting table for a subnet mask that enables at least 15 host addresses. The
nearest subnet mask is 255.255.255.224 that allows you to assign a maximum of 30 host IP addresses to
network interfaces. It is not only physical interfaces that are assigned an IP address. There are logical
addresses such as loopback address and SVI as well.

QUESTION: 85
What IP addresses are not in the same subnet?

A. 192.168.1.1/30, 192.168.1.2/30
B. 192.168.1.2/30, 192.168.1.3/30
C. 192.168.1.3/30, 192.168.1.4/30
D. 192.168.1.5/30, 192.168.1.6/30

Answer: C

QUESTION: 86
What IOS command enables IPv6 packet forwarding on a Cisco router?

A. ipv6 enable
B. ipv6 host
C. ipv6 link-local
D. ipv6 unicast
E. ipv6 unicast-routing

Answer: E
Explanation
The following IOS global command enables IPv6 packet forwarding on a Cisco router.
router(config)# ipv6 unicast-routing

QUESTION: 87
What is the maximum length of an SSID?

A. 32 characters
B. 48 characters
C. 12 characters
D. 11 characters

Answer: A
Explanation
SSID is a network name (WLAN) with a maximum 32 characters allowed.

QUESTION: 88
Select two characteristics of a wireless RF cell?

A. half-duplex
B. full-duplex
C. CSMA/CA
D. CSMA/CD
E. multiple collision domains

Answer: AC
Explanation
Access points deployed in a wireless RF cell are essentially bridges with half-duplex transmission to
clients. CSMA/CA is enabled for media access contention.

QUESTION: 89
What are four differences between SDN and traditional network architecture?

A. SDN is decoupled from hardware
B. SDN has global visibility
C. SDN has no management plane
D. SDN has policy automation
E. SDN has global visibility

Answer: ABDE
Explanation
SDN overlay has a control plane and a management plane. The data plane underlay is communicated via
southbound APIs.

QUESTION: 90
What are three characteristics of Cisco DNA architecture?

A. performance
B. open platform
C. analytics
D. automation
E. troubleshooting

Answer: BCD
Explanation
Cisco DNA architecture is an open platform with analytics and automation.

QUESTION: 91
What is the default encoding standard for JSON?

A. UTF-8
B. UTF-44
C. HTTP
D. ASCII

Answer: A

QUESTION: 92
What are three advantages of JSON?

A. platform independent
B. enable data sharing
C. less bandwidth than XML
D. network security
E. HTML data interchange format

Answer: ABC
Explanation
JSON is an open standard file format that is platform independent. That enables easier integration and
data sharing between web-based applications and lower bandwidth usage.

QUESTION: 93
What configuration management tool is well-suited to quick automation tasks?

A. Ansible
B. XML
C. JSON
D. UTF

Answer: A

QUESTION: 94
What are three differences between SMF and MMF cabling media?

A. SMF has a single narrow beam of light
B. MMF has a larger core diameter
C. SMF is based on modal dispersion
D. SMF supports longer distances

Answer: ABD

QUESTION: 95
What transport protocol is connection-oriented?

A. UDP
B. IP
C. TCP
D. NTP

Answer: C

QUESTION: 96
What interface counter is most often associated with duplex mismatches?

A. runts
B. duplex
C. CRC
D. early collisions
E. late collisions

Answer: E
Explanation
The misconfiguration of duplex setting between switches causes collisions on a switch port. The late
collisions interface counter increases as a result. Note that a duplex mismatch has no effect on the
operational state of interfaces (up/up). Packets are still forwarded; however, performance is often
affected.

QUESTION: 97
What is collapsed core architecture?

A. 3-Tier
B. Spine-Leaf
C. 2-Tier
D. WAN topology

Answer: C

QUESTION: 98
What host command displays the network interface settings on a Linux computer?

A. ipconfig -a
B. netconfig -a
C. ifconfig -a
D. netstat -a

Answer: C

QUESTION: 99
What is the primary purpose of a router?

A. physical addressing and frame forwarding
B. internet connection
C. traffic aggregation
D. per-hop path selection

Answer: D

QUESTION: 100
What component enables sharing of server hardware among multiple Virtual Machines (VM)?

A. virtual interface
B. vPath
C. supervisor
D. hypervisor

Answer: D

QUESTION: 101
Refer to the network topology. Host-1 has sent data to server-1 on switch-1. What will switch-1 do with
the frame when it arrives?

A. send an ICMP host unreachable message to host-1
B. flood the frame out all ports except port Gi1/1
C. send an ARP request to host-1
D. flood the frame out all ports except port Gi1/3
E. send the frame to the nearest router
F. drop the frame

Answer: B
Explanation
The destination MAC address is unknown. The switch will unicast flood (MAC learning) the frame out all
ports except the port where the frame was learned from (Gi1/1). Server-1 with the matching destination
MAC address receives the frame. The switch updates the MAC address table with the MAC address and
associated port (Gi1/3) of server-1. That occurs when data is sent in return path from server-1 to host-1.

QUESTION: 102
What is the default aging timer in seconds for a Cisco switch?

A. 300
B. 0
C. 60
D. 100

Answer: A

QUESTION: 103
What are three primary advantages of VLANs?

A. broadcast domains minimize bandwidth usage and multicast traffic
B. fewer collisions domains
C. enable routing on a Layer 2 switch
D. improves network security with traffic segmentation
E. VLANs assign all hosts to the same broadcast domain to prevent broadcast storms
F. increased scalability to support large multi-segment data center deployments

Answer: ADF
Explanation
VLANs do not prevent broadcast storms; they minimize the size and effect of the broadcast storm on
neighbor switches and hosts. The VLAN is a broadcast domain and as such broadcasts are not advertised
outside of the VLAN. Network security is optimized with VLANs by segmenting sensitive traffic and filtering
it from other network traffic. Bandwidth efficiency is accomplished through segmenting broadcast
domains with VLANs. Unicasts, broadcasts and multicasts are not forwarded between VLANs, minimizing
bandwidth utilization. VLANs ease the adds, moves and deletes of hosts on the network. VLANs control
and filter user access to network services based on department, for instance.

QUESTION: 104
What command will display all VLANs that are operational (active)?

A. show vlan id
B. show vlan brief
C. show vlan all
D. show ip interface brief

Answer: B

QUESTION: 105
What statements correctly describe Cisco switch VLAN 1? (select three)

A. assigning user traffic to VLAN 1 creates a security vulnerability
B. default VLAN for Cisco switches
C. VLAN 1 only applies to routers
D. Telnet requires VLAN 1 for management access
E. forwards management traffic and cannot be deleted

Answer: BE
Explanation
VLAN 1 is assigned as the default VLAN for all switch ports. The purpose of VLAN 1 is to forward
management traffic (CDP, LACP, STP etc.) between switches. The following are correct statements
concerning VLAN 1.
• Cisco switch assigns VLAN 1 as a default to all switch ports.
• Default VLAN 1 is the management VLAN and cannot be deleted.
• Assigning user traffic to VLAN 1 creates a security vulnerability.
• Native VLAN for switch trunk interfaces is assigned to VLAN 1 as default setting.

QUESTION: 106
VLAN 10 is assigned as the native VLAN to switch-1. What happens when frames are sent to neighbor
switch-2 that has a default configuration?

A. VLAN 10 will send tagged frames
B. native VLAN mismatch error
C. frames are dropped
D. Layer 2 broadcast storm

Answer: B
Explanation
Cisco default setting for a switch is to assign the native VLAN to VLAN 1. Any neighbor switch must be
assigned to the same VLAN or a native VLAN mismatch error will occur.

QUESTION: 107
What two statements are characteristic of the 802.1q protocol?

A. open standard
B. prevents VLAN mismatches
C. VLAN membership tag
D. tunnel protocol
E. Cisco proprietary

Answer: AC
Explanation
802.1q protocol is the current Cisco default encapsulation for switch trunks. It is an open standard that
supports multi-vendor switch connectivity. The purpose of 802.1q is to enable forwarding of multiple
VLANs across a trunk link. That is accomplished by tagging each frame with VLAN membership.
Encapsulation and forwarding of frames starts after layer 2 convergence with STP and DTP has
established the trunk. The Ethernet frame header is modified as a result of adding the 4-byte VLAN tag
so that the Ethernet frame increases to 1522 bytes. The standard Ethernet MTU size is 1500 bytes + 18
byte header + 4 byte tag (1522 bytes). That requires recalculation of the FCS value used for CRC.

QUESTION: 108
What IOS command will initially allow only VLAN 11 across a trunk for a default switch configuration?

A. switchport trunk allowed vlan 11
B. switchport trunk add vlan 11
C. switchport trunk vlan 11 allowed
D. switchport trunk vlan 11 add

Answer: A
Explanation
Any switch with a default configuration permits all VLANs across an enabled trunk interface. The IOS
command switchport trunk allowed vlan 11 is exclusive and permits only VLAN 11. Cisco IOS command
switchport trunk allowed vlan add 11 for example, is used only after allowing a subset of VLANs across a
trunk interface. The IOS command switchport trunk allowed vlan remove 11 is a similar command that
would remove VLAN/s previously allowed.

QUESTION: 109
What is required to negotiate dynamic trunking between switches?

A. auto mode enabled on connected switch ports
B. desirable mode enabled on at least one switch port
C. passive mode enabled on at least one switch port
D. auto mode enabled on at least one switch port

Answer: C

QUESTION: 110
What is advertised between LLDP neighbors by default?

A. timer interval
B. chassis ID, port ID and TTL
C. VLAN tag
D. IOS version, port ID

Answer: B

QUESTION: 111
What is the purpose of a channel group?

A. bind physical interfaces to a logical interface
B. enable redundancy
C. enable VLANs
D. enable a physical interface

Answer: A
Explanation
Layer 2 and Layer 3 port channel interfaces are supported. The channel-group command binds
the port channel interface to an EtherChannel. The Layer 2 port channel is a logical interface comprised
of EtherChannel access ports or trunk ports. The Layer 2 port channel is created automatically based on
the channel-group number. The supported channel-group numbers are 1 - 4096.
The Layer 3 port channel is a routed logical interface comprised of EtherChannel access ports or trunk
ports. The following configuration is supported on a Multilayer switch where routed ports are available.

QUESTION: 112
What statements best describe Rapid PVST+ protocol? (select two)

A. faster convergence with a single spanning tree instance per switch
B. defines a single spanning tree instance for all VLANs
C. provides faster RSTP convergence than older STP (802.1d)
D. defines a separate spanning tree instance for each VLAN

Answer: CD
Explanation
Rapid Per VLAN Spanning Tree Plus (RPVST+) enables a spanning tree instance per VLAN with RSTP fast
convergence. It was developed to support 802.1q encapsulation for Cisco devices only. The original
802.1d standard was designed for a single broadcast domain. STP prevents broadcast storms caused by
Layer 2 loops.

QUESTION: 113
What new STP port state is enabled with RSTP (802.1w) for faster convergence?

A. blocking
B. listening
C. forwarding
D. discarding

Answer: D
Explanation
The advantage of Rapid Spanning Tree Protocol (RSTP) is faster Layer 2 convergence. It is backward
compatible with 802.1d enabled switches. The newer 802.1w (RSTP) standard is comprised of only three
port states. They include discarding, learning and forwarding. STP will transition switch ports through all
STP port states to arrive at either forwarding or discarding state.

QUESTION: 114
How is a root bridge elected when there are multiple switches with a default configuration?

A. switch with highest priority
B. switch with highest priority
C. switch with lowest MAC address
D. switch with highest MAC address

Answer: C
Explanation
The root bridge elected for a spanning tree instance is the switch with the lowest bridge ID. STP
calculates a unique numerical value for the bridge ID based on the switch priority setting and MAC
address. The switch with the lowest bridge ID is elected as root bridge. The tie breaker is lowest MAC
address, when switches are assigned the same priority. The bridge ID is calculated by STP to assign the
root bridge per VLAN. The priority setting for a Cisco switch with a default configuration is 32768. You
can manually configure a lower switch priority as well to assign root bridge.

QUESTION: 115
What are the three advantages of Wireless LAN Controllers?

A. faster deployment of access points
B. RF cell optimization
C. centralized policy management
D. improve security
E. create VLANs

Answer: ABC
Explanation
The purpose of Wireless LAN Controllers (WLC) is deployment and configuration of access points. In
addition they are responsible for dynamic RF cell optimization.

QUESTION: 116
What access point operational mode is required when connecting to a wireless controller?

A. Hybrid
B. Client
C. LAP
D. DCA
E. Autonomous

Answer: C
Explanation
WLC was developed to centralize administration of thousands of access points. The lightweight access
point (LAP) is an operational mode and architecture. You are required to convert any autonomous mode
access points to LAP for use with controllers.

QUESTION: 117
What is not assigned to WLAN ID configuration?

A. security protocol
B. QoS service level
C. SSID name
D. radio settings
E. management protocol

Answer: E

QUESTION: 118
The following is an OSPF route from a routing table. What is the administrative distance?
O 192.168.12.8/30 [110/128] via 192.168.12.5, 00:35:36, Serial0/0

A. 128
B. 110
C. 0
D. 238

Answer: B

QUESTION: 119
EIGRP, OSPF and RIPv2 are advertising routes to the same destination. What route is installed based on
the following routing table information?

EIGRP = [90/1252335]
OSPF = [110/10]
RIPv2 = [120/3]

A. RIPv2 route
B. all three routes are installed
C. OSPF route
D. EIGRP route
E. OSPF and RIPv2 routes

Answer: D

QUESTION: 120
Based on the routing table shown below, when the router receives a packet with destination IP address
192.168.1.65, what is the next hop address?

A. 192.168.2.2
B. 192.168.2.1
C. 172.33.1.1
D. 192.168.2.3
E. 192.168.2.4

Answer: A
Explanation
The longest match is in effect when there are multiple routes to the same destination (192.168.1.65).
The 192.168.1.64/26 is the correct prefix with the longest match subnet prefix (/26). It is a static route
(S) with 192.168.2.2 as the next hop address. The destination route 192.168.1.65 is within the subnet
192.168.1.128/25 range as well. The /26 prefix is longer than the /25 route.
S 192.168.1.64/26 [1/0] via 192.168.2.2
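
The two selection steps behind Questions 119 and 120, as an added Python example (not part of the original question bank): administrative distance decides which source gets installed for an identical prefix, and longest prefix match decides which installed route forwards a given packet. Only the static route 192.168.1.64/26 via 192.168.2.2 and the [AD/metric] pairs come from the page; the 10.10.0.0/16 prefix, the other routes and all remaining next hops are constructed.

```python
import ipaddress
from typing import Dict, List, NamedTuple, Optional


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    source: str     # routing source, e.g. "static", "EIGRP", "OSPF", "RIPv2"
    ad: int         # administrative distance, first number in [AD/metric]
    metric: int     # second number in [AD/metric]
    next_hop: str


def route(prefix: str, source: str, ad: int, metric: int, next_hop: str) -> Route:
    return Route(ipaddress.IPv4Network(prefix), source, ad, metric, next_hop)


def install(candidates: List[Route]) -> Dict[ipaddress.IPv4Network, Route]:
    """Step 1: for each identical prefix, install the candidate with the lowest AD.
    The metric only breaks ties between candidates that share an AD."""
    table: Dict[ipaddress.IPv4Network, Route] = {}
    for cand in candidates:
        best = table.get(cand.prefix)
        if best is None or (cand.ad, cand.metric) < (best.ad, best.metric):
            table[cand.prefix] = cand
    return table


def lookup(table: Dict[ipaddress.IPv4Network, Route],
           destination: str) -> Optional[Route]:
    """Step 2: among installed routes containing the destination, the longest
    prefix wins, regardless of AD."""
    addr = ipaddress.IPv4Address(destination)
    matches = [r for r in table.values() if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


CANDIDATES = [
    # Same prefix from three sources, [AD/metric] values as in Question 119.
    route("10.10.0.0/16", "EIGRP", 90, 1252335, "10.0.0.1"),   # constructed prefix/next hop
    route("10.10.0.0/16", "OSPF", 110, 10, "10.0.0.2"),        # constructed prefix/next hop
    route("10.10.0.0/16", "RIPv2", 120, 3, "10.0.0.3"),        # constructed prefix/next hop
    # Static route quoted in the Question 120 explanation.
    route("192.168.1.64/26", "static", 1, 0, "192.168.2.2"),
    # Constructed overlapping routes to exercise longest match.
    route("192.168.1.0/24", "OSPF", 110, 20, "192.168.2.1"),
    route("0.0.0.0/0", "static", 1, 0, "192.168.2.4"),
]

TABLE = install(CANDIDATES)

if __name__ == "__main__":
    for dst in ("10.10.5.5", "192.168.1.65", "192.168.1.10", "203.0.113.7"):
        hit = lookup(TABLE, dst)
        print(f"{dst:>14} -> {hit.prefix} via {hit.next_hop} ({hit.source})")
```

Note that 192.168.1.10 follows the OSPF /24 even though the static default has a lower AD: distance is compared only between routes to the same prefix.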

QUESTION: 121
What route is installed in the routing table to destination 192.168.1.0/27 when routes are advertised
from the following sources?

A. OSPF route
B. static route
C. default route
D. RIPv2 route

Answer: B

QUESTION: 122
What two statements are correct concerning static routing?

A. next hop is an IP address or local interface
B. next hop is an IP address only
C. administrative distance = 1
D. administrative distance = 0

Answer: AC

QUESTION: 123
What IOS command advertises a local default route to all connected neighbors?

A. ip route
B. default-network
C. default-information originate
D. default-gateway

Answer: C
Explanation
The purpose of default-information originate is to advertise the default route configured on the local
router to all connected neighbors. It is often configured on a data center router for advertising a route
to the internet.

QUESTION: 124
How is a floating static route configured?

A. assign lower AD than static route in routing table
B. assign higher AD than static route in routing table
C. assign lower AD than default route in routing table
D. assign higher AD than default route in routing table

Answer: C

QUESTION: 125
What is the valid connected host route?

A. 172.16.1.1/32
B. 192.168.255.254/24
C. 172.16.0.0/32
D. 10.0.0.0/8

Answer: A

QUESTION: 126
What is required for OSPF to establish a neighbor adjacency?

A. connected neighbors are in the same subnet
B. timers match on connected neighbor interfaces
C. network type match on connected neighbor interfaces
D. all of the above
E. none of the above

Answer: D
Explanation
The purpose of OSPF hello packets is to discover neighbors and establish neighbor adjacency. Hello
packets are also sent to maintain neighbor relationships and confirm that a neighbor is still active. OSPF
routers establish adjacency with all connected neighbors for bidirectional communication. That enables
all routers to synchronize database and routing tables. There is a hello timer configured to send hello
packets at fixed intervals.
All timers must match between directly connected neighbor interfaces. OSPF neighbor adjacency is not
formed when there is a mismatch of hello or dead timers. The following describe additional reasons why
neighbor adjacency would not occur between neighbors.
• Subnet mismatch
• Network type mismatch
• Timers mismatch
• MTU mismatch
• Area ID mismatch

QUESTION: 127
How is designated router (DR) elected when all routers have a default configuration?

A. router with highest loopback address
B. router with highest priority
C. router with highest router ID address
D. router with lowest priority
E. router with lowest router ID address

Answer: C
Explanation
• Router default OSPF priority = 1
• Router with highest configured OSPF priority is elected DR
• Router with highest router ID address is elected DR when priorities are equal. First preference is
an explicitly configured router ID.

QUESTION: 128
What OSPF network type elects a Designated Router (DR)?

A. broadcast
B. point-to-point
C. multicast
D. unicast

Answer: A
Explanation
Only the OSPF broadcast network type elects a Designated Router (DR) and Backup Designated
Router (BDR). An example of a broadcast network is Ethernet.

QUESTION: 129
What addressing is assigned to an OSPF broadcast network? (select two)

A. Subnet
B. VLAN
C. Loopback
D. Multiple subnets
E. SVI

Answer: AB

QUESTION: 130
What is selected as router ID first when configured on a router?

A. highest MAC address of a physical interface
B. highest IP address on any physical interface
C. highest IP address on a loopback interface
D. manually configured 32-bit dotted decimal address
E. manually configured 128-bit dotted decimal address

Answer: D
Explanation
OSPF Router ID Selection
1. Unique 32-bit IPv4 dotted-decimal address.
2. Purpose is to identify each router for routing updates and adjacency.
3. Manually configured router ID is preferred first.
4. The highest IP address on a loopback interface is assigned when no router ID is configured.
5. The highest IP address of any active physical interface is assigned if no loopback interface exists.

QUESTION: 131
What is the default OSPF reference bandwidth?

A. 100 Mbps
B. 1000 Mbps
C. 10000 Mbps (10 GE)
D. 10 Mbps

Answer: A

QUESTION: 132
What field in the IP header prevents routing loops by limiting the maximum number of hops possible?

A. TTL
B. ICMP
C. MTU
D. CRC
E. ToS

Answer: A
Explanation
The IP header has a field called Time-to-Live (TTL) that has a default value of 255. The purpose of TTL is
to prevent packets from infinitely looping as a result of a routing loop. The TTL field is decremented by
one with each router hop. That guarantees the packet will be discarded after 255 hops.

QUESTION: 133
What IOS command will display OSPF adjacency state?

A. show ip ospf neighbor
B. show ospf interface
C. show ip ospf database
D. show ip protocol

Answer: A

QUESTION: 134
What design feature is required to create a single virtual router from two separate routers?

A. create a port channel between routers with a virtual IP address
B. routers must share a virtual MAC address only
C. routers must share a virtual IP address and MAC address
D. assign a loopback IP address to each router

Answer: C
Explanation
The virtual router is based on a shared virtual IP address and MAC address. The virtual addressing is
assigned to the active router. The standby router is assigned the virtual addressing when the active
router isn't available. The redundancy feature allows for fast failover to the standby router.

QUESTION: 135
What is required to configure a router as a DHCP client?

A. Enable DHCP on the client router interface
B. Enable DHCP on all connected router interfaces
C. Enable DHCP option 150 on all router interfaces
D. add address pool to router interface

Answer: A

QUESTION: 136
What service is provided by DHCP?

A. sending ARP requests to network devices
B. assign MAC addresses to hosts
C. dynamic address configuration of TCP/IP host settings
D. forward host requests to multiple DHCP servers

Answer: C

QUESTION: 137
What IP address translation technique allows for the most internet connections based on a single public
IP address?

A. dynamic NAT pool
B. NAT with no overload
C. inside source NAT
D. static NAT
E. NAT overload

Answer: E
Explanation
NAT overload, also referred to as Port Address Translation (PAT), is an IP address translation technique that
translates the most internal (private) IP addresses to a single or multiple public IP addresses. It is an
enhancement to NAT that assigns a unique source port number to each translated IP address. The host
IP address for instance could be identified with 200.200.1.1:10 as the translated source IP address. The
10 is the unique source port making the translated IP address unique. The 16-bit source port field allows
for translating 65,535 private (internal) IP addresses to a public IP address. There is support for a pool
of addresses or single interface.
192.168.1.1:10 -> 200.200.1.1:10
192.168.1.2:11 -> 200.200.1.1:11
192.168.1.3:12 -> 200.200.1.1:12

QUESTION: 138
What two statements accurately describe the operation of static NAT?

A. enable host sessions to be started from an inside host only
B. optimize use of the available public assigned IP addresses
C. allow host sessions to be started from an internet host
D. persistence in the translation table while the router is operational

Answer: CD
Explanation
The static NAT translation is a 1:1 configured mapping between local and global addresses. As a result
they are a permanent entry in the NAT translation table. They enable a remote host connection from an
outside (external) network.

QUESTION: 139
What statements correctly describe Network Time Protocol (NTP)? (select four)

A. time source for logging and time stamp transactions
B. reference is UTC coordinated universal time
C. DNS is required for resolving time server IP address
D. ntp server command configures private time server
E. N+1 server redundancy supported

Answer: ABC
Explanation
The following are all correct statements concerning NTP network protocol.
• Provides time source for logging and time stamp transactions
• N+1 server redundancy supported (NTP master + failover)
• Reference is UTC coordinated universal time
• DNS is required for resolving time server IP address

QUESTION: 140
What is NTP stratum?

A. distance from NTP server to data center
B. distance from client to nearest NTP server
C. distance from NTP authoritative time source to internet
D. distance from client to NTP authoritative time source

Answer: D

QUESTION: 141
What IOS command forwards DNS requests originating from a Cisco device to a DNS server?

A. ip-server
B. ip dns-server
C. ip name server
D. ip name-server

Answer: D
Explanation
This feature is often enabled to allow network administrators to start a Telnet/SSH session based on a
hostname instead of IP address.

QUESTION: 142
What SNMP traps generated from the Cisco device are logged when the following IOS command is
configured? (select four)

device(config)# logging trap 4

A. warnings
B. alerts
C. informational
D. errors
E. notices
F. emergencies

Answer: ABDF
Explanation
The IOS command enables a Cisco device to log SNMP traps from level 0 (zero) up to and including level 4. The
traps are logged to the Syslog server. The Syslog servers receive informational (trap 6) and lower
numbered messages as a default. The logging facility default setting is local7 for switches and routers.
device(config)# logging trap 4
The following alert level traps are generated with level 4 logging:
• Emergencies (level 0)
• Alerts (level 1)
• Errors (level 3)
• Warnings (level 4)

QUESTION: 143
What statement does NOT correctly describe a Syslog server?

A. Syslog is UDP-based
B. Syslog is an external server store for system messages
C. Syslog is enabled by default and stores system messages locally
D. Syslog server enables management of messages for troubleshooting

Answer: C

QUESTION: 144
Select the network interface type where Class of Service (CoS) marking is supported?

A. any switch interface
B. switch access port
C. any network interface
D. Layer 3 interface
E. switch trunk interface

Answer: E
Explanation
The only network interface that supports Class of Service (CoS) marking is an Ethernet switch trunk. The
802.1q tag is added to an Ethernet frame when trunking is enabled. The 802.1q field is used for VLAN
membership tagging. That allows forwarding of multiple VLANs between switches. There is a 3 bit field
used for CoS marking and prioritization (queuing) of traffic. Routers can only examine the CoS marking
of a frame and trust or remark the layer 3 packet. The router would specifically strip off the original
frame and rewrite MAC addressing. In addition the router would either trust the CoS value or rewrite a
DSCP value equal to the CoS marking. Serial interfaces do not use frames and have no MAC address.
Layer 2 switches are configured with a trust state that determines frame handling. Cisco IP phones mark
all voice traffic to the switch with default CoS 5. In addition a trunk is created from the IP phone to the
switch when the voice VLAN feature is enabled. The trunk tags voice packets from the phone and data
from the host to an access port on the switch.

QUESTION: 145
What is the primary advantage of SSH over Telnet for remote management of Cisco devices?

A. encryption
B. local authentication
C. AAA authentication
D. performance

Answer: A

QUESTION: 146
What are two services that are suitable for TFTP server?

A. download IP phone configuration
B. backup IOS software
C. backup application software
D. network clock source
E. update software to client machines

Answer: AB

QUESTION: 147
Refer to the following router configuration. ACL 100 is not configured correctly and is denying all traffic
from all subnets. What interface level IOS command immediately removes the effect of ACL 100?

access-list 100 deny tcp 172.16.0.0 0.0.255.255 any eq 80
access-list 100 deny ip any any

A. no ip access group 100 in
B. no ip access-group 100 out
C. no ip access-class 100 in
D. no ip access-list 100 in
E. no ip access-class 100 out

Answer: B
Explanation
The ACL must be applied to an interface for it to inspect and filter any traffic. In addition the in | out
keywords specify the direction to filter packets at the interface. The output from show ip interface
command lists the ACL and direction configured for the interface.

The ACL is applied with interface level IOS command ip access-group 100 out. Removing filtering
requires deleting the ip access-group from the interface, whether inbound or outbound. The ip
access-group in | out command refers to an ACL by name or number. The access-class in | out command filters
VTY line access only.

router(config-if)# no ip access-group 100 out


Any ACL with a single deny statement would deny all traffic outbound on a particular interface. The ACL
adds an implicit deny statement at the end of each ACL effectively denying any traffic that does not
match.

QUESTION: 148
What last statement is required for proper IPv6 operation when deploying multiple ACL deny
statements?

A. deny ipv6 any any
B. permit ipv6 any
C. permit icmp any any nd-na
D. deny ipv6 any any log
E. permit ipv6 any any

Answer: E
Explanation
Proper IPv6 operation requires ACL permit ipv6 any any (all traffic) as a last statement when there are
multiple ACL deny statements.

QUESTION: 149
What extended ACL will deny access to all applications on a server?

A. access-list 100 deny tcp 192.168.0.0 0.0.255.255 any eq www
B. access-list 100 deny tcp 192.168.0.0 0.0.255.255 any
C. access-list 100 deny tcp host 192.168.1.1 host 192.168.3.1
D. access-list 100 deny tcp host 192.168.1.1 any
E. access-list 100 deny ip 192.168.0.0 0.0.255.255 host 192.168.3.1

Answer: E
Explanation
The command deny ip is used to deny access to all applications. IP is Layer 3 and includes all TCP/UDP
application ports that are at a higher (less specific) OSI layer.

QUESTION: 150
What is the only extended ACL that will NOT deny client access to web-based applications on a server?

A. access-list 100 deny tcp 192.168.0.0 0.0.255.255 any eq www
B. access-list 100 deny tcp 192.168.0.0 0.0.255.255 host 192.168.3.1 eq 80
C. access-list 100 deny tcp host 192.168.1.1 host 192.168.3.1 eq www
D. access-list 100 deny tcp host 192.168.1.1 host 192.168.3.1 eq web
E. access-list 100 deny ip host 192.168.1.1 any

Answer: D

QUESTION: 151
What two statements are correct concerning the following IOS command?
device(config)# service password-encryption

A. service password-encryption command is not supported on routers
B. secret passwords are not encrypted
C. secret passwords are encrypted
D. service password-encryption command is a user EXEC mode command
E. encrypts passwords in configuration script

Answer: BE
Explanation
The purpose of service password-encryption command is to encrypt passwords in the running and
startup configuration scripts. It applies to all passwords except secret passwords.

QUESTION: 152
What command enables VTY lines with local authentication?

A. login
B. login local
C. local login
D. login authentication default

Answer: B

QUESTION: 153
What is not a component of Multi-Factor Authentication (MFA)?

A. knowledge (something you know)
B. possession (something you have)
C. inherence (something you are)
D. authorization (permissions you have)

Answer: D

QUESTION: 154
What is the purpose of dynamic ARP inspection?

A. prevent man-in-the-middle attacks
B. prevents DDOS attacks
C. prevent MAC spoofing
D. prevent DHCP snooping
E. prevent malware attacks

Answer: A
Explanation
The primary purpose for configuring Dynamic ARP Inspection (DAI) is to prevent man-in-the-middle
(MITM) hacker attacks. They are Layer 2 attacks that cause ARP table poisoning.

QUESTION: 155
What is the effect of configuring the following commands on a switch interface?
switch(config-if)# switchport port-security
switch(config-if)# switchport port-security mac-address sticky

A. dynamically learned MAC addresses are added to the VLAN database
B. static and dynamically learned MAC addresses are added to the switch ARP table only
C. dynamically learned MAC addresses are added to the startup configuration file
D. dynamically learned MAC addresses are added to the running configuration file
E. statically configured MAC addresses are added to the startup configuration file

Answer: D
Explanation
The IOS commands enable port security on a switch port interface. In addition the sticky keyword saves
the dynamically learned MAC address to the running configuration script. The sticky MAC addresses do
not age out of the MAC address table. The switch does have to relearn the MAC addresses after every
reboot unless the running configuration is saved to startup configuration file. Removing the sticky
keyword causes the dynamically learned MAC addresses to persist in the MAC address table only for the
connected session.

QUESTION: 156
What encryption cipher is currently supported when deploying WPA Enterprise (WPA2)?

A. AES
B. MD5
C. TKIP
D. SAE

Answer:

QUESTION: 157
How is wireless security enabled with WPA2-PSK?

A. dynamically
B. passphrase
C. SSID
D. MD5

Answer: B

QUESTION: 158
Select three network underlay components?

A. OSPF
B. VXLAN
C. Switch
D. Router
E. VPN

Answer: A,C,D
Explanation
Cisco DNA architecture describes an underlay and virtual fabric overlay. The underlay is physical
hardware and network protocols.

QUESTION: 159
Select three characteristics of network overlays?

A. routing protocols
B. encapsulation
C. IP address isolation
D. data plane forwarding
E. virtual topology

Answer: B,C,E
Explanation
Network overlays use encapsulation to enable virtual topology connections and address isolation.

QUESTION: 160
What configuration and maintenance events are best suited for automation? (select three)

A. backup IOS system image
B. push device configuration
C. install security update
D. troubleshoot errors
E. hardware compliance

Answer: A,B,C
Explanation
Automation tasks are often deployed for software compliance, initial device configuration, and
repeatable tasks.

QUESTION: 161
Select the valid host IP address from the following options?

A. 172.16.1.255/24
B. 192.168.1.0/24
C. 192.168.1.3.1/30
D. 10.10.1.1/30

Answer: D
Explanation
All addresses are either a network address or broadcast address except 10.10.1.1/30 host address.

QUESTION: 162
What subnet mask would allow you to create at least 60 subnets for connecting 60 branch offices to the
data center?

A. 255.255.255.252 (/30)
B. 255.255.255.248 (/29)
C. 255.255.255.240 (/28)
D. 255.255.255.0 (/24)

Answer: A
Explanation
Refer to the Class C subnetting table and subnet column for at least 60 subnets. There is subnet mask
255.255.255.252 that allows a maximum of 64 subnets. The same subnet mask also allows you to assign
a maximum of 2 host IP addresses to interfaces. Any point-to-point link connecting two routers for
example only requires two host IP addresses. Each router has a Layer 3 interface that is assigned an IP
address.

QUESTION: 163
What subnet mask is required to assign 127 host IP addresses from network address 192.168.100.0?

A. 255.255.255.0
B. 255.255.255.192
C. 255.255.255.128
D. 255.255.255.255

Answer: A
Explanation
Most subnets often require less than 127 hosts that are assigned to a single VLAN. You have probably
noticed that class C subnetting applies to class A, B, C addresses. Refer to the class C subnetting table
and host column for at least 127 hosts. The nearest is 254 hosts with the default class C subnet mask
255.255.255.0 (classful). There is only a single subnet available. The key to understanding class C
subnetting is the wasted number of host addresses that are available with default subnet masks for all
class addresses.

QUESTION: 164
Select two advantages of IPv4 private addressing?

A. enable intranet (private) connectivity
B. DHCP support
C. enable public internet connectivity
D. private domain management

Answer: AD
Explanation
The deployment of private addressing enables intranet (private) connectivity and management of
private routing domains.

QUESTION: 165
What prefix is assigned to any IPv6 link local address?

A. FD00::/8
B. FE80::/64
C. 2000::/3
D. ::/128

Answer: B

QUESTION: 166
What IPv6 addressing method is most similar to DHCPv4?

A. stateful DHCPv6
B. SLAAC
C. stateless DHCPv6
D. static

Answer: A
Explanation
Stateful DHCPv6 is most similar to DHCPv4 for IPv4 addressing. The IPv6 client sends a broadcast request
to the nearest DHCPv6 server for IP address configuration. The DHCPv6 server assigns the IPv6 address
and any additional required addressing configuration such as default gateway and DNS server.

QUESTION: 167
How do you extend RF cell range and cell coverage? (select three)

A. antenna
B. repeater
C. higher data rate
D. higher frequency
E. transmit power

Answer: ABE
Explanation
The primary techniques for extending RF cell range to clients include stronger gain antenna, signal
repeater and higher transmit power. Extending the cell range is often at a lower data rate however.

QUESTION: 168
What are three common sources of RF interference in 2.4 GHz frequency band?

A. laptop wifi adapter
B. wireless video camera
C. cell phone
D. Bluetooth devices
E. microwave oven

Answer: BDE
Explanation
There is notably a lot of RF environmental interference in the 2.4 GHz band, which is a primary reason for
promoting 5 GHz access points.

QUESTION: 169
What are the default PoE settings for a Cisco switch? (select two)

A. power inline auto
B. disabled
C. maximum power
D. minimum power
E. power inline static

Answer: AC
Explanation
Cisco default switch port settings for PoE are auto-enabled and maximum power per device based on
the negotiation.

QUESTION: 170
What are the advantages of Power over Ethernet? (select two)

A. cost effective
B. extend wireless network
C. performance
D. security
E. automation

Answer: AB

QUESTION: 171
What are the default settings on a switch port for duplex and speed?

A. autonegotiation
B. none
C. full-1000
D. auto-1000

Answer: A

QUESTION: 172
What two commands can verify the MAC address of a Windows client?

A. Ipconfig /all
B. show mac address-table
C. show mac-address-table
D. show hosts

Answer: AB

QUESTION: 173
What will a network switch do when a frame arrives and there is no table entry for the destination MAC
address?

A. drop the frame
B. flood it out all active ports
C. send an ARP request
D. send frame out of all switch ports
E. forward frame out all switch ports except the port where it was learned

Answer: E
Explanation
MAC learning is activated on a switch when there is no destination MAC address for a frame in the MAC
address table. The switch floods frame out of all switch ports except where the frame was learned. The
server with matching destination MAC address responds to switch with a frame. The switch examines
frame and adds the destination MAC address to MAC address table.

QUESTION: 174
What Layer 2 interface errors are caused by collisions? (select two)

A. CRC
B. TTL
C. giants
D. runts
E. UDLD

Answer: AD
Explanation
The output of show interfaces lists various layer 2 errors including runts, giants, collisions and CRC errors.
The most common cause of CRC and runts is collisions. Gigabit Ethernet switch ports have eliminated
collisions unless there is a configuration error or hardware issue. Collisions occur mostly when there is a
duplex setting mismatch between host and switch interfaces. In addition collisions can occur when there
is a bad network interface card (NIC) or cabling error. Giant frames (1600 bytes) result either from a
faulty NIC card or an MTU misconfiguration on an interface.

QUESTION: 175
What application is not TCP-based?

A. SNMP
B. SSH
C. Telnet
D. HTTP

Answer: A

QUESTION: 176
What primary service does a Layer 2 access switch provide?

A. per-hop path selection
B. stateful packet inspection
C. malware detection
D. traffic aggregation
E. frame forwarding

Answer: E
Explanation
The primary purpose of a Layer 2 access switch is to make forwarding decisions based on destination
MAC address. The MAC address table is created with a list of destination MAC addresses for each
connected device, along with the assigned switch port and VLAN membership. Layer 3 switches also
provide per-hop routing services and traffic aggregation.
The following is a summary of network services:
• Layer 2 switches only read the Ethernet frame header and forward traffic.
• All switches create and maintain the MAC address table.
• There is a separate collision domain per Gigabit port.
• There is a separate broadcast domain per VLAN.

QUESTION: 177
How many broadcast domains are created with 10 VLANs and 40 switch ports?

A. 1
B. 10
C. 40
D. 50

Answer: B

QUESTION: 178
What VLANs cannot be deleted? (select the best answer)

A. 2, 1005
B. 1, 1002-1005
C. 1, 1006-4094
D. 1002-1005

Answer: B

QUESTION: 179
What three options correctly describe VLAN configuration on a switch?

A. VLAN 1, 1002-1005 cannot be deleted
B. normal range VLANs include 1-1005
C. there is a limit of 5 VLANS per switch port
D. VLAN configuration of a switch is stored in local vlan.dat file

Answer: ABD
Explanation
The following are the guidelines for deploying VLANs to a Cisco switch.
• Normal Range VLANs = 1-1005
• VLAN 1, 1002-1005 are automatically created and cannot be deleted

QUESTION: 180
How many VLANs are configured on a default switch configuration?

A. 1
B. 2
C. 1005
D. 4094

Answer: A

QUESTION: 181
What is the correct IOS command to enable the voice VLAN on a switch port?

A. switch port access voice vlan 10
B. switch port mode access voice 10
C. switch port voice vlan 10
D. switch port access voice 10

Answer: C

QUESTION: 182
What VLANs are allowed across a trunk by default?

A. 1
B. 1-4094
C. None
D. 1, 1002-1005

Answer: B
Explanation
Cisco default is to allow all VLANs (1-4094) across a trunk interface.

QUESTION: 183
What is the purpose of the native VLAN?

A. forward CDP frames only
B. forward tagged frames only
C. prevent VLAN mismatch
D. forward management frames untagged

Answer: D
Explanation
The native VLAN forwards management frames untagged across trunk interface.

QUESTION: 184
How is the IP address of a TFTP server communicated to Cisco IP phones?

A. DHCP option 43
B. DHCP option 150
C. DHCP option 82
D. not supported

Answer: B

QUESTION: 185
What options are available for enabling DHCP services to clients? (select two)

A. third party server
B. IOS server
C. access point
D. host client

Answer: AB

QUESTION: 186
What IOS command displays IP address, MAC address and lease expiration of all DHCP enabled hosts?

A. router# show ip dhcp binding
B. router# show ip dhcp pool
C. router# show ip dhcp address
D. router# show ip config

Answer: A
Explanation
The following IOS command lists the bindings for all DHCP enabled hosts.
router# show ip dhcp binding
IP Address    Hardware Address    Lease Expire            Type
172.16.1.1    0000.000a.aaaa      Aug 16 2021 17:00 PM    Auto
172.16.1.2    0000.000b.bbbb      Aug 16 2021 17:00 PM    Auto
172.16.1.3    0000.000c.cccc      Aug 16 2021 17:00 PM    Auto
172.16.1.4    0000.000d.dddd      Aug 16 2021 17:00 PM    Auto

QUESTION: 187
What are two primary services provided by Network Address Translation?

A. translate public routable IP address to private IP addressing
B. decrease the number of subnets required on a private network
C. provides packet filtering
D. translate private IP addressing to a public routable IP address

Answer: AD
Explanation
Network Address Translation (NAT) translates private IP addressing (RFC1918) to a public routable IP
address for outbound internet traffic. The inbound traffic from the internet is translated (mapped) to a
private IP address.

QUESTION: 188
What is the purpose of Network Time Protocol (NTP)?

A. synchronize software clocks for all desktops within a subnet
B. provide time source for timestamp transactions and messages
C. support automation of IOS upgrades and network monitoring
D. provide time source to internet servers only
E. provide failover time source for software clock

Answer: B

QUESTION: 189
What IOS command is required to disable DNS services on a Cisco device?

A. no ip name-server
B. no ip domain-lookup
C. no ip domain-server
D. no ip host
E. no ip dns-server

Answer: B
Explanation
The following IOS command disables DNS services on a Cisco device. It is enabled as a default setting
and required for DNS services. Client endpoints already have a DNS server configured where they send
requests typically from DHCP.

router(config)# no ip domain-lookup

QUESTION: 190
What network protocol monitors and communicates the operational state of network devices?

A. CDP
B. SNMP
C. Syslog
D. HTTP server

Answer: B

QUESTION: 191
What message type is sent from an SNMP agent to communicate operational status?

A. Trap
B. CDP
C. MIB and Trap
D. Inform only

Answer: A

QUESTION: 192
What is the Syslog default facility level?

A. local7
B. local1
C. local5
D. none

Answer: A

QUESTION: 193
What is the default messaging severity level for Syslog?

A. debug
B. notice
C. informational
D. alert

Answer: C
Explanation
Informational (Level 6) severity messages and lower are enabled as a default.

QUESTION: 194
What per-hop behavior (PHB) occurs first when QoS is enabled?

A. queuing
B. marking
C. classification
D. shaping
E. congestion avoidance

Answer: C

QUESTION: 195
What are two examples of Exploits?

A. default password
B. misconfigured firewall rule
C. phishing
D. spoofing
E. software error

Answer: CD
Explanation
Exploit - Attack strategy that leverages an existing security vulnerability. The exploit is software designed
to attack a specific vulnerability. (malware, root kit etc.) email phishing, MITM, spoofing, DDoS.

QUESTION: 196
What are two examples of mitigation techniques?

A. awareness training
B. Man-In-The-Middle (MITM)
C. software update
D. root kit

Answer: AC
Explanation
Mitigation - Specific techniques employed to decrease or eliminate the security threat level of a
vulnerability. Some examples include awareness training, software updates, IPS, firewall inspection,
Incident response and vulnerability assessment testing.

QUESTION: 197
What is recommended as part of any security awareness training? (select two)

A. clean desk policy
B. social media policy
C. firewall course
D. web browser version
E. virus software update

Answer: AB

QUESTION: 198
What is the ONLY extended ACL that will permit access to web-based applications on a server?

A. access-list 100 permit tcp 192.168.0.0 0.0.255.255 host 192.168.3.1 eq web
B. access-list 100 permit tcp 192.168.0.0 0.0.255.255 host 192.168.3.1 eq 80
C. access-list 100 permit tcp 192.168.0.0 0.0.255.255 host 192.168.3.1 eq http
D. access-list 100 permit ip 192.168.0.0 0.0.255.255 host 192.168.3.1 eq 80

Answer: B
Explanation
A. ACL is incorrect. The keyword web is not valid.
C. ACL is incorrect. The keyword HTTP is not valid.
D. ACL is incorrect. It is true that permit ip would allow all applications, however it is not correctly
configured here. Any ACL with either permit ip or deny ip does not support any protocol number or ACL
keyword for an application. You would get an error message. When you configure permit ip or deny ip
there is only an IP address, subnet, or subnet range specified.

QUESTION: 199
What extended ACL will permit SSH traffic from host 192.168.1.1 to any network device?

A. access-list 100 permit tcp host 192.168.1.1 any eq ssh
B. access-list 100 permit tcp any host 192.168.1.0 eq ssh
C. access-list 100 permit tcp host 192.168.1.0 any eq ssh
D. access-list 100 permit tcp host 192.168.1.1 host any eq ssh

Answer: A
Explanation
ACL permits SSH (TCP port 22) session from host 192.168.1.1 to any destination. Cisco permits either a
keyword or port number for ACL.
B. This ACL is incorrect. There is a subnet address configured instead of a host address and any refers to
all source traffic.
C. This ACL is incorrect. There is subnet address instead of host address.
D. This ACL is incorrect. The destination host is not valid.

QUESTION: 200
Why should you apply a standard ACL near the destination?

A. eliminate wildcard masks
B. performance issues
C. prevent excessive filtering
D. minimize traffic

Answer: C
Explanation
There is only a source IP address or subnet specified with a standard ACL and no destination address.
The effect of applying it near the destination prevents excessive unwanted traffic filtering.

QUESTION: 201
What last statement is mandatory for IPv4 extended access lists?

A. permit ip any any
B. permit ip any
C. deny ip any any
D. deny any
E. permit any

Answer: A
Explanation
This statement is mandatory since all Cisco ACLs have an implicit deny as a last statement. It permits all
traffic that does not match any ACL filtering statements.

QUESTION: 202
What IOS command enables trunking on a switch port interface?

A. switchport mode trunk


B. switch port trunk mode
C. switchport
D. interface mode trunk

Answer: A
Explanation
Cisco switches will use default settings unless explicitly configured.

QUESTION: 203
What statement is correct concerning the native VLAN?

A. assigned to trunk port only


B. CDP is not forwarded
C. prevent broadcast storms
D. can be assigned to access port or trunk port

Answer: A
Explanation
The native VLAN is only operational on a trunk interface.

QUESTION: 204
What is the purpose of switchport nonegotiate command on a switch port?

A. disable DTP request frames on switch port


B. disable static trunking on switch port
C. disable autonegotiation of duplex mode
D. enable DTP request frames on switch port

Answer: A
Explanation
Configuring the switchport nonegotiate command on a switch port explicitly configured as access mode or a
static trunk disables DTP frames. The command prevents advertising DTP frames and is recommended for
security purposes. The following are methods for disabling DTP frames on a switch interface.
• switchport mode access command
• switchport mode trunk command
• switchport nonegotiate command on access port or static trunk

QUESTION: 205
How do you enable LLDP globally and disable per interface? (select three)

A. lldp enable
B. no lldp receive
C. no lldp transmit
D. lldp run
E. lldp send

Answer: BCD

QUESTION: 206
What protocol is responsible for power negotiation between PoE switch port and IP phone?

A. ARP
B. DHCP
C. CDP
D. 802.1q

Answer: C
Explanation
CDP is enabled by default on a switch for a variety of management features including detection and
power negotiation.

QUESTION: 207
What will NOT disable EtherChannel operation?

A. duplex mismatch
B. protocol mode mismatch
C. protocol mismatch
D. 6 switch ports per channel group

Answer: D

QUESTION: 208
What switch port modes are assignable to an EtherChannel?

A. access mode or trunk mode
B. trunk mode only


C. access mode only
D. channel mode only

Answer: A

QUESTION: 209
How is STP information communicated between switches?

A. BPDU
B. ARP
C. CDP
D. LLDP

Answer: A

QUESTION: 210
What route is installed in the routing table to 172.16.3.0/24 when routes are advertised from the
following sources?

A. EIGRP route
B. OSPF route
C. static route
D. default route
E. host route

Answer: E
Explanation
This example includes dynamic routing protocols, static routes and a connected host route. The route
with the lowest administrative distance of zero is the connected host route.

QUESTION: 211
What route is selected when multiple routes exist from the same routing protocol to the same
destination?

A. longest match route


B. lowest administrative distance route
C. lowest metric route
D. default route
E. highest metric route

Answer: C
Explanation
The administrative distance and metric assigned to a route will determine what route is installed in the
routing table. Metric is a path cost assigned to a specific route. Metric is only considered after
administrative distance. The route with the lowest metric is installed when there are multiple routes
from the same routing protocol to the same destination.
Each dynamic routing protocol calculates metric differently. For example, OSPF calculates metric for
each route that is based exclusively on link bandwidth. Some routing protocols such as OSPF and EIGRP
support equal cost load balancing. That is enabled automatically when multiple routes exist from the
same routing protocol with the same lowest metric. All routes are installed in the routing table and
packets are forwarded across multiple paths to a destination.

QUESTION: 212
What is the administrative distance of OSPF?

A. 90
B. 110
C. 100
D. 120
E. 170

Answer: B
Explanation
The administrative distance of OSPF is 110.

QUESTION: 213
The following is an OSPF route entry from a routing table. What is the destination subnet?
O 192.168.12.8/30 [110/128] via 192.168.12.5 00:35:36, Serial0/0

A. 192.168.12.8/24
B. 192.168.12.0/30
C. 192.168.12.0/24
D. 192.168.12.8/30

Answer: D

QUESTION: 214
What is the primary difference between static and default routes?

A. static route is more specific


B. default route is more specific
C. administrative distance
D. metric

Answer: A

QUESTION: 215
What route type is often configured as a failover to a primary link?

A. static route
B. default route
C. floating static route
D. OSPF default route

Answer: C

QUESTION: 216
How are OSPF routing updates sent from non-DR routers to DR/BDR routers?

A. send routing updates to multicast address 224.0.0.5


B. send routing updates to multicast address 224.0.0.10
C. send routing updates to multicast address 224.0.0.12
D. send routing updates to multicast address 224.0.0.6

Answer: D
Explanation
OSPF uses reserved multicast address 224.0.0.6 for sending routing updates from Non-DR routers to
DR/BDR routers. All OSPF routers send hello packets to multicast address 224.0.0.5 and listen for routing
updates from Designated Router (DR).

QUESTION: 217
What router is elected Backup Designated Router (BDR) from the following where priorities are equal?

A. router-1 (router ID = 172.16.1.1)


B. router-2 (router ID = 172.16.1.2)
C. router-3 (router ID = 172.16.1.3)
D. router-4 (router ID = 172.16.1.4)

Answer: C

QUESTION: 218
What router is elected Designated Router (DR) from the following?

A. router-1 (priority = 1)
B. router-2 (priority = 3)
C. router-3 (priority = 10)
D. router-4 (priority = 5)

Answer: C
Explanation
OSPF designated router (DR) advertises routing updates to all connected spokes on a shared (broadcast)
network. The most common example of a broadcast network type is Ethernet. OSPF DR minimizes
routing updates between OSPF neighbors on a broadcast network. It is a hub router that advertises
routing updates via 224.0.0.6 multicast addresses. Consider that a network broadcast segment refers to
a common subnet or VLAN.
Designated Router (DR) Election
1. Router default OSPF priority = 1
2. Router with highest configured OSPF priority is elected DR
3. Router with highest router ID address is elected DR when priorities are equal. First preference is an
explicitly configured router ID.
4. When no router ID is explicitly configured, the highest loopback address is assigned as router ID for a
router. DR election then compares that router ID with neighbors for DR election.
5. Router assigns the highest physical interface address as router ID for OSPF when no loopback
interface exists. DR election then compares that router ID with neighbors for DR election.
6. Router with second highest priority is elected BDR.
7. Router with second highest router ID is elected BDR.

QUESTION: 219
How do you configure the OSPF network type?

A. per interface
B. OSPF router process
C. network area command
D. interface priority command

Answer: A

QUESTION: 220
What wildcard mask is required to ONLY advertise subnet 172.16.1.0/24 to OSPF neighbors?

A. network 172.16.1.0 0.0.0.255 area 0


B. network 172.16.1.0 0.255.255.255 area 0
C. network 172.16.0.0 0.0.255.255 area 0
D. network 172.16.1.0 255.0.0.0 area 0
E. network 172.16.1.0 0.0.7.255 area 0

Answer: A
Explanation
OSPF and access control lists (ACL) use wildcard masks to select subnets or a range of subnet addresses.
In this example, advertising only 172.16.1.0/24 to neighbors requires 0.0.0.255 wildcard mask. That will
mask off the first three octets (172.16.1) and advertise subnet 172.16.1.0 to neighbors.

QUESTION: 221
Refer to the network topology drawing. Router-1 cannot establish an OSPFv2 neighbor adjacency with
router-2. What is the most probable cause based on the options provided?

A. hello timer mismatch between routers


B. network interfaces are directly assigned to area 0
C. process ID mismatch between neighbor routers


D. both routers are configured as broadcast network type
E. router ID for each router is not in the same subnet
F. loopback IP addresses are not assigned the same subnet mask

Answer: A
Explanation
OSPF enabled routers establish adjacency with neighbors for communicating operational status and
routing updates. The routing messages use timers that must match between directly connected
neighbors. OSPF neighbor adjacency is not formed when there is a mismatch of hello or dead timers.
The following describe some additional reasons why a neighbor adjacency would not occur between
OSPF enabled neighbors.
• network type mismatch
• interface MTU mismatch
• area ID mismatch
• timer mismatch
• OSPF neighbor physical interfaces not in the same subnet

QUESTION: 222
Refer to the network topology drawing. What is the source MAC address and destination MAC address
of the packet at P1 when it is forwarded to Router-2?

A. source MAC address = 0000.000a.aaaa
destination MAC address = 000a.1234.5678

B. source MAC address = 0000.000c.cccc
destination MAC address = 000a.1234.5678

C. source MAC address = 0000.000a.aaaa
destination MAC address = 0000.000d.dddd

D. source MAC address = 0000.000c.cccc
destination MAC address = 0000.000d.dddd

Answer: D
Explanation
The router is the only network device that rewrites source and destination MAC address. The source
MAC address is derived from router-1 exit interface. The destination MAC address is derived from the
next hop router-2 interface. As a result, router-1 rewrites the MAC address of the Ethernet interface
(Gi1/1) where the frame was learned as source MAC address. Router-1 also rewrites the MAC address of
router-2 Ethernet interface Gi1/1 as destination MAC address. The MAC address of router-2 interface
Gi1/1 is obtained from the ARP table of router-1.
• source MAC address = 0000.000c.cccc
• destination MAC address = 0000.000d.dddd

QUESTION: 223
What three statements accurately describe the TTL field of an IP header?

A. default value for the TTL count in the IP header =1


B. prevents routing loops as packet is dropped after TTL value decrements to zero
C. default value for the TTL count in the IP header = 255
D. IP header field decrements each time a packet traverses a router
E. support for layer 2 switches

Answer: B,C,D
Explanation
The purpose of Time-to-Live (TTL) is to limit the number of hops an IP packet can traverse. The TTL field
of the IP header is decremented by one for each router hop. The packet is discarded after 255 hops to
prevent a routing loop.

QUESTION: 224
What are Cisco proprietary First Hop Redundancy Protocols? (select two)

A. HSRP
B. VRRP
C. GLBP
D. ESRP
E. DMVRP

Answer: A,C
Explanation
Cisco proprietary protocols are only supported on Cisco network devices.

QUESTION: 225
What two network interface types are configurable for First Hop Redundancy Protocols (FHRP)?

A. loopback interface
B. management interface
C. physical interface
D. VLAN interface
E. trunk interface

Answer: C,D

QUESTION: 226
There is a local router interface assigned IP address 192.168.12.1/24. What IOS commands would enable
that interface to ONLY advertise 192.168.12.0/24 subnet to OSPF neighbors in area 0?

A. router ospf 1
network 192.168.1211 0.0.0.255 area 0

B. router ospf 1
network 192.168.12.0 0.0.255.255 area 0

C. router ospf1
network 192.168.12. 255.255.255.0 area 0

D. router ospf1
network 192.168.12.1 255.255.255 0 area 0

Answer: A
Explanation
There is a local router interface with 192.168.12.1/24 assigned IP address. What IOS commands would
enable that interface to ONLY advertise 192.168.12.0/24 subnet to OSPF neighbors in area 0?
OSPF is a classless routing protocol and wildcard masks are required to define subnets for route
advertisements. OSPF network area command enables OSPF routing on all local interfaces that are
assigned an address within the subnet range specified. The routes are advertised to the area assigned
and all neighbor/s assigned to that area.
For example, an interface assigned 192.168.1.1 is enabled for OSPF when network area command is
configured with 192.168.0.0/16 or 192.168.1.0/24 network address. The subnet (route) is then
advertised to the area assigned. OSPF can be enabled directly on an interface as well. For example,
assigning interface Fa0/1 to OSPF process 1 and area 0 would require interface command ip ospf 1 area
0. The result is OSPF will advertise the subnet assigned to that local interface to OSPF neighbors. It takes
precedence as well when a subnet from the network area command is within the same range of an
interface subnet address.

QUESTION: 227
What OSPF network type is assigned to a serial interface?

A. Broadcast
B. Point-to-point
C. WAN
D. Multicast

Answer: B
Explanation
Serial interfaces on a router are assigned OSPF point-to-point network type.

QUESTION: 228
What statements are correct concerning DR/BDR communication with spoke routers? (select two)

A. BDR sends routing updates to spoke routers


B. DR router sends routing updates to spoke routers and BDR router
C. DR router sends routing updates to spoke routers
D. spoke routers send routing updates to only DR router
E. spoke routers send routing updates to both DR router and BDR router

Answer: C

QUESTION: 229
Select the correct statement concerning OSPF operation?

A. process ID is only assigned per interface


B. process ID is globally significant
C. process ID is assigned from number range 0-199
D. process ID is only locally significant

Answer: D

QUESTION: 230
What host command on a Windows client is used to manually delete and request a new IP address from
a DHCP server?

A. host/release/renew
B. ipconfig/release/renew
C. ip address/release/renew
D. dhcp/renew/release

Answer: B

QUESTION: 231
What IOS command will configure a local user account with privileged EXEC mode security access?

A. username ccna privilege 1 password cisconet


B. username ccna privilege 16 password cisconet
C. username ccna privilege 10 password cisconet
D. username ccna privilege 15 password cisconet

Answer: D

QUESTION: 232
What is NOT a Cisco security default setting?

A. VTY lines disabled


B. enable password disabled
C. privilege level 1
D. privilege level 15
E. password encryption disabled

Answer: C

QUESTION: 233
What client authentication method is supported with Cisco WPA2 Enterprise brand wireless security?

A. Open
B. SSID
C. RADIUS
D. Passphrase
E. SAE

Answer: C

QUESTION: 234
Select the option that enables the most wireless security from the following?

A. SSID broadcast
B. Open authentication
C. WPA2-PSK
D. WPA2

Answer: D

QUESTION: 235
What are two examples of biometric authentication methods?

A. Hair color
B. Fingerprint
C. Height
D. Voice recognition

Answer: B,D

QUESTION: 236
What three statements are correct concerning SDN architecture?

A. SDN controller relays information via southbound APIs to network devices


B. data plane supports virtual (VM) network devices only
C. Cisco DNA includes SDN controller
D. Cisco SDN controller provides routing and switching services


E. SDN applications requests are sent via northbound APIs

Answer: A,C,E
Explanation
The southbound API provides connectivity between SDN Controller and data plane. The data plane
includes the physical and virtual (VM) network devices. The SDN Controller relays information via
southbound APIs to network devices. It is the translation point between the SDN policy engine and
network infrastructure. Network equipment vendors such as Cisco now support OpenFlow southbound
API.
The policy engine is defined at SDN applications where requests are sent via northbound APIs. There are
Cisco extensible network controller and agent for switches and routers and APIs. The following
statements correctly describe the purpose of SDN APIs.
• SDN applications requests are sent via northbound APIs.
• SDN Controller relays information via southbound APIs to network devices
• Cisco DNA Center has an SDN Controller.

QUESTION: 237
What is a northbound API?

A. device abstraction layer


B. JSON
C. REST API
D. SDN controller

Answer: C
Explanation
SDN applications communicate with the SDN controller via northbound APIs such as REST API programs.
SDN architecture defines a services abstraction layer where REST API software modules communicate
with SDN controller. There is a device abstraction layer as well that defines communication between
SDN controller and network infrastructure (southbound API).

QUESTION: 238
What are CRUD acronym events?

A. Create, Remove, Update, Delete


B. Configure, Remove, Undelete, Delete
C. Create, Read, Update, Delete
D. Configure, Run, Undelete, Drop

Answer: C

QUESTION: 239
What is the equivalent HTTP operation mapped to CRUD Create operation?

A. GET
B. POST
C. GET, POST
D. PUT

Answer: B
Explanation
HTTP CRUD
POST = CREATE
GET = READ
PUT = UPDATE
DELETE = DELETE

QUESTION: 240
Select the option that is NOT an HTTP verb from the following?

A. GET
B. POST
C. PUT
D. PATCH
E. UPDATE

Answer: E

QUESTION: 241
How many IPv4 addresses are not assignable to network interfaces within any subnet?

A. 1
B. 2
C. 3
D. 4

Answer: B
Explanation
Each network interface is assigned a single host IP address. There are logical interfaces as well such as
loopback interfaces and SVIs assigned an IP address. Each subnet is assigned a reserved network address
and broadcast address that cannot be assigned to any physical or logical network interface.

QUESTION: 242
Select the only valid network address from the following?

A. 192.168.1.254/30
B. 172.33.1.2/24
C. 192.168.1.4/30
D. 10.10.255.254/24

Answer: C
Explanation
The only network address is 192.168.1.4/30 based on subnetting rules. All other options are host range
addresses and are assignable to network interfaces. Contrast that with host IP addresses that are
assignable to a network interface.
Subnet 1
Network address = 192.168.1.0
Host range = 192.168.1.1 - 192.168.1.2
Broadcast address = 192.168.1.3
Subnet 2
Network address = 192.168.1.4
Host range = 192.168.1.5 - 192.168.1.6
Broadcast address = 192.168.1.7

QUESTION: 243
Select the class C address from the following?

A. 172.16.1.1
B. 192.168.1.1
C. 10.10.10.1
D. 191.200.1.1

Answer: B
Explanation
Class C address range extends from 192.0.0.0 - 223.255.255.255 with a default subnet mask of
255.255.255.0 (/24).

QUESTION: 244
Select the IP address within RFC 1918 private range addressing?

A. 192.168.100.1/24
B. 172.33.1.1/24
C. 200.200.1.1/27
D. 12.10.1.1/25

Answer: A
Explanation
The only RFC 1918 private address is 192.168.100.1/24 from the options available. All other listed IP
addresses are not within private address range and are public range addresses.

QUESTION: 245
Select the classless IP address from the following?

A. 192.168.1.1/24
B. 172.16.1.1/16
C. 10.10.10.1/8
D. 172.33.1.1/27

Answer: D
Explanation
Classful addresses use a default subnet mask for a specific address class. Classless addresses use a
nondefault subnet mask for a specific address class. All options are default subnet masks for that
address class except 172.33.1.1/27 address.

QUESTION: 246
What wildcard mask is required to select 172.33.0.0/16 subnet?

A. 0.0.255.255
B. 0.255.255.255
C. 0.0.0.255
D. 0.0.3.255

Answer: A
Explanation
The wildcard mask is a technique for matching a specific IP address or a range of IP addresses. It is used by
routing protocols to advertise subnets and by access control lists (ACL) for packet filtering. The wildcard
mask is an inverted mask where the matching IP address or range is based on 0 bits. The additional bits
are set to 1 as no match is required. The wildcard 0.0.0.0 is used to match a single IP address.
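
The following added example (not part of the original question set) implements the wildcard match described above and uses it in the two places this guide applies it: first-match evaluation of an extended ACL with the implicit deny (Questions 199 to 201), and selection of interfaces by an OSPF network statement (Questions 220 and 226). The interface names, the second and third ACL lines, and the small port keyword table are constructed assumptions.

```python
import ipaddress

# Minimal keyword table for this sample; "ssh" is the keyword used on this page.
PORT_KEYWORDS = {"ssh": 22, "telnet": 23, "www": 80}


def to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr, base, wildcard):
    """True when addr equals base in every bit position where the wildcard bit is 0."""
    care = ~to_int(wildcard) & 0xFFFFFFFF  # invert: 1 bits are the positions that must match
    return (to_int(addr) & care) == (to_int(base) & care)


def parse_endpoint(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'; return (base, wildcard)."""
    head = tokens.pop(0)
    if head == "any":
        return ("0.0.0.0", "255.255.255.255")  # every bit is "don't care"
    if head == "host":
        return (tokens.pop(0), "0.0.0.0")      # every bit must match
    return (head, tokens.pop(0))


def parse_ace(line):
    """Parse one extended ACL statement of the form used on this page."""
    tokens = line.split()
    if tokens[0] == "access-list":
        tokens = tokens[2:]                    # drop "access-list <number>"
    action, proto = tokens.pop(0), tokens.pop(0)
    src = parse_endpoint(tokens)
    dst = parse_endpoint(tokens)
    port = None
    if tokens and tokens[0] == "eq":
        name = tokens[1]
        port = PORT_KEYWORDS[name] if name in PORT_KEYWORDS else int(name)
    return {"action": action, "proto": proto, "src": src, "dst": dst, "port": port}


def evaluate(acl_lines, proto, src, dst, dport=None):
    """Return (action, matching statement). The first match wins; no match is the implicit deny."""
    for line in acl_lines:
        ace = parse_ace(line)
        if ace["proto"] not in ("ip", proto):
            continue
        if not wildcard_match(src, *ace["src"]):
            continue
        if not wildcard_match(dst, *ace["dst"]):
            continue
        if ace["port"] is not None and ace["port"] != dport:
            continue
        return ace["action"], line
    return "deny", "implicit deny"


def ospf_enabled(interfaces, base, wildcard):
    """Interfaces whose address falls inside an OSPF 'network <base> <wildcard>' statement."""
    return sorted(name for name, addr in interfaces.items()
                  if wildcard_match(addr, base, wildcard))


SAMPLE_ACL = [
    "access-list 100 permit tcp host 192.168.1.1 any eq ssh",     # Question 199, option A
    "access-list 100 deny tcp 172.33.0.0 0.0.255.255 any eq 23",  # constructed
    "access-list 100 permit ip 172.33.0.0 0.0.255.255 any",       # constructed
]

# Constructed interface table (hypothetical names and addresses).
INTERFACES = {"Gi0/0": "192.168.12.1", "Gi0/1": "192.168.13.1", "Gi0/2": "10.1.1.1"}

if __name__ == "__main__":
    print(evaluate(SAMPLE_ACL, "tcp", "192.168.1.1", "10.0.0.5", 22))
    print(evaluate(SAMPLE_ACL, "tcp", "192.168.1.2", "10.0.0.5", 22))
    print(ospf_enabled(INTERFACES, "192.168.12.0", "0.0.0.255"))
    print(ospf_enabled(INTERFACES, "192.168.12.0", "0.0.255.255"))
```

The last two calls show why the narrow wildcard matters: 0.0.255.255 also enables OSPF on the 192.168.13.1 interface, which the administrator did not intend to advertise.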

QUESTION: 247
What IPv6 addresses are not routable outside the local subnet? (select two)

A. link local
B. unique local
C. local link
D. local unicast

Answer: AB

QUESTION: 248
How do you assign the host identifier portion of an IPv6 address from an Ethernet MAC address?

A. eui-64 keyword
B. static address
C. stateful DHCPv6
D. eui-128 keyword

Answer: A

QUESTION: 249
What IOS command enables IPv6 autoconfiguration on an interface?

A. ipv6 autoconfig
B. ipv6 address slaac
C. ipv6 address autoconfig
D. ipv6 unicast-routing

Answer: C

QUESTION: 250
What wireless standard natively supports both 2.4 GHz and 5 GHz spectrum (dual-band)?

A. 802.11a
B. 802.11b
C. 802.11g
D. 802.11n

Answer: D
Explanation
The only wireless standard that natively supports dual band 2.4 GHz and 5 GHz is 802.11n access points.
There is 802.11ac wireless as well that is designed only for 5 GHz band. It does have backward
compatibility with 802.11n in 2.4 GHz band however at a lower rate.

QUESTION: 251
What two wireless standards provide more than three non-overlapping channels?

A. 802.11a
B. 802.11b
C. 802.11
D. 802.11n

Answer: AC
Explanation
The 5 GHz band has less interference and provides 23 non-overlapping channels.

QUESTION: 252
What factors contribute to lower throughput across an RF cell? (select four)

A. number of clients
B. multiple radio standards
C. building structure
D. co-channel interference
E. adding more access points

Answer: ABCD
Explanation
There are various factors that contribute to lower throughput between clients and access point. Adding
more access points is an option provided there is not overlapping or co-channel interference.

QUESTION: 253
What duplex settings minimize interface errors?

A. hard code
B. auto/auto
C. on/auto
D. on/on
E. full/full

Answer: B
Explanation
Best practice is to configure auto-negotiation of duplex (auto) on both switches. In addition there is an
option to manually configure (hard code) matching duplex settings.

QUESTION: 254
What services do Layer 3 switches provide? (select two)

A. automation
B. examine packet only
C. malware detection
D. traffic aggregation
E. default gateway

Answer: DE

QUESTION: 255
What three statements correctly describe Power over Ethernet (PoE)?

A. copper-based cabling media


B. automatic power detection
C. defines power source equipment and powered device
D. does not support IP phone or card reader
E. maximum cabling distance of 40 feet

Answer: ABC

QUESTION: 256
What are primary considerations when selecting Cisco hardware for PoE deployment? (select two)

A. IOS version support


B. PoE standards compliance of network switch only
C. Maximum power (wattage) requirement of connected device
D. PoE standards compliance of endpoints and switch

Answer: CD
Explanation
The primary considerations when selecting hardware include power requirements and PoE standards
compliance. For example, IP phones and wireless access points specify a wattage rating for each model
and PoE standards (or pre-standard) supported. The network switch also specifies PoE standards
support for connecting devices. Consider as well with access points the maximum wattage required for
full functionality such as all radios operational.

QUESTION: 257
What are two services provided with a switch trunk?

A. Forward all active VLANs configured between switches


B. Create a logical interface for connecting switches
C. Forward multiple VLANs between switches
D. Forward traffic between different VLANs
E. Manage VLANs allowed between switches

Answer: CE
Explanation
The purpose of a switch trunk is to forward traffic from multiple VLANs between neighbor switches. In
addition, network administrators can limit the VLANs permitted across trunk interface. Switch trunk
interfaces do not route traffic between different VLANs.

QUESTION: 258
You have a switch with a default configuration and are asked to enable trunking on an interface. What IOS
command will initially allow only VLAN 10 and VLAN 100 across a trunk?

A. switchport trunk allowed vlan 10,100


B. switchport trunk add vlan10,100
C. switchport trunk allowed vlan add 10-100
D. switchport trunk allowed vlan add 10,100

Answer: A
Explanation
The default trunk configuration allows all VLAN traffic from range 1-4094 across the trunk. To allow a
range of consecutive VLANs such as VLAN 1 to VLAN 100 for example, use hyphen (1-100). For a non-
consecutive list such as VLAN 9 and 100 to 200 use commas and hyphens (9,100-200). The following IOS
interface command will only allow VLAN 10 and VLAN 100 across the trunk.

switch(config-if)# switchport trunk allowed vlan 10,100


The previous command is issued first on a default trunk configuration to limit the number of VLANs. The
network administrator can add or remove VLANs after that based on requirements. Configure IOS
command switchport trunk allowed vlan all to reset and allow all VLANs.

QUESTION: 259
What statements are correct concerning the native VLAN? (select two)

A. Telnet requires VLAN 1 for management access


B. native VLAN is assigned to VLAN 1 as a default
C. forwards management traffic and cannot be deleted
D. native VLAN cannot be assigned VLAN 1

Answer: BC
Explanation
The native VLAN is used to forward untagged frames across a switch trunk. Layer 2 control plane traffic
such as DTP and STP protocols are always sent across native VLAN. The native VLAN is assigned to VLAN
1 as a default. That VLAN is also the Cisco management VLAN for switches. The native VLAN should not
be assigned to VLAN 1 to prevent security or STP issues. Cisco security best practice is to assign the
native VLAN to any available nondefault VLAN.
The following are correct statements for the native VLAN:
• The native VLAN must match between connected switches.
• The native VLAN forwards untagged management frames across a switch trunk.
• The native VLAN for switch trunk is assigned to VLAN 1 by default.

QUESTION: 260
What DTP mode ONLY listens for request frames from a switch neighbor?

A. passive mode
B. on mode
C. desirable mode
D. auto mode

Answer: D

QUESTION: 261
What two statements are correct concerning Cisco Discovery Protocol (CDP)?

A. CDP requires an IP address to be assigned to network devices
B. CDP is enabled globally as a default
C. CDP is disabled by default on all network interfaces
D. CDP can detect native VLAN mismatches

Answer: BC
Explanation
CDP is enabled globally as a default and can detect native VLAN mismatches.

QUESTION: 262
What option is NOT a Cisco default?

A. CDP frames enabled


B. LLDP frames disabled
C. Power over Ethernet (PoE) enabled
D. DTP desirable mode enabled

Answer: D

QUESTION: 263
What IOS command disables CDP frames globally on a switch?
A. no cdp run
B. no cdp enable
C. cdp disable
D. cdp none

Answer: A

QUESTION: 264
What is an advantage of LACP over PAgP?

A. open standard


B. bandwidth
C. security
D. dynamic channel

Answer: A

QUESTION: 265
What LACP mode is required on at least one switch interface to enable dynamic EtherChannel?

A. passive
B. desirable
C. active
D. On
E. auto

Answer: C

QUESTION: 266
What is the difference between Layer 2 and Layer 3 EtherChannel?

A. Layer 3 channel assigns loopback address


B. Layer 3 channel is LACP only
C. Layer 3 channel assigns IP address
D. Layer 3 channel is VLAN-based

Answer: C

QUESTION: 267
What is the maximum number of switch ports assignable to LACP EtherChannel?

A. 8
B. 16
C. 4
D. 32

Answer: B
Explanation
There is support for assigning 8 operational switch ports and 8 standby switch ports for redundancy.

QUESTION: 268
What is the default priority on a Cisco switch?

A. 1
B. 0
C. 4094
D. 32768
E. 26765

Answer: D

QUESTION: 269
Select the IPv6 unique local address?

A. 2000::/3
B. FE80::/8
C. FD00::/8
D. ::1/128

Answer: C

QUESTION: 270
How do you change the root bridge selected for Rapid PVST+?

A. increase priority per VLAN


B. decrease priority per VLAN
C. increase switch priority
D. decrease switch priority

Answer: B
Explanation
Rapid PVST+ is a Cisco proprietary protocol that is based on the newer RSTP standard. It is designed with all the
advantages of RSTP for a switching domain with multiple VLANs. Most switches are configured with
multiple VLANs that each define a broadcast domain. STP is a Layer 2 protocol that is only enabled per
VLAN. Rapid Per VLAN Spanning Tree (RPVST+) enables a separate spanning tree instance per VLAN. It
was developed to support trunking and 802.1q encapsulation for Cisco devices.
The root bridge elected for a spanning tree instance is the switch with the lowest bridge ID. STP
calculates a unique numerical value for the bridge ID based on the switch priority setting and MAC
address. The switch with the lowest bridge ID is elected as root bridge. The tie breaker is lowest MAC
address, when switches are assigned the same priority. There is a root bridge elected per VLAN for Rapid
PVST+ (RPVST+). Assign a lower priority to a VLAN on a switch to elect that switch as root bridge for that
VLAN.

QUESTION: 271
What port type is assigned to all switch interfaces of a root bridge?

A. Root
B. Alternate
C. Bridge
D. designated

Answer: D

QUESTION: 272
What switch port mode is recommended for PortFast?

A. trunk mode only


B. access port between switches
C. EtherChannel
D. access port mode for host endpoints

Answer: D

QUESTION: 273
What is the advantage of PortFast?

A. transitions switch port to forwarding state immediately


B. transitions switch port to learning state immediately
C. enables full-duplex on all switch ports
D. eliminates Layer 2 topology loops between switches

Answer: A

QUESTION: 274
What are three mandatory components of Cisco Unified Wireless Network (CUWN) architecture?

A. network switch
B. Autonomous mode access points
C. wireless controller
D. Lightweight mode access points
E. RADIUS server

Answer: ACD
Explanation
Cisco Unified Wireless Network (CUWN) architecture is comprised of lightweight access points, wireless
controller and network switch. The RADIUS server is an optional security feature.

QUESTION: 275
What routing protocol uses bandwidth exclusively to calculate path metric?

A. EIGRP
B. RIPv2
C. OSPF
D. BGP

Answer: C
Explanation
OSPF uses a single cost metric that is based exclusively on link bandwidth between neighbor routers.

QUESTION: 276
What network performance metric/s are used to calculate OSPF cost?

A. bandwidth, MTU, reliability, delay and load


B. bandwidth and delay
C. bandwidth
D. bandwidth, delay and MTU
E. hop count

Answer: C
Explanation
Each routing protocol has a unique method for calculating route metrics (cost). OSPF calculates cost
based on link bandwidth. The default cost of an OSPF enabled Fast Ethernet link = 1 (100 Mbps/100
Mbps). The lowest link cost assignable to a link is 1 even though the calculation could arrive at a lower
number. The reference bandwidth is configurable for OSPF with the following IOS commands.
router(config)# router ospf 1
router(config-router)# auto-cost reference-bandwidth 1000
The reference bandwidth must match for all routers in the same OSPF routing domain. Route
redistribution advertises routes between different routing domains (OSPF, BGP etc).

QUESTION: 277
The following is an OSPF route entry from a routing table. What is the next hop address?
O 192.168.12.8/30 [110/128] via 192.168.12.5, 00:35:36, Serial0/0

A. 192.168.12.8
B. 192.168.12.5/30
C. Serial0/0
D. 192.168.12.0
E. 192.168.12.5

Answer: E

QUESTION: 278
What are three characteristics of Single-Area OSPF?

A. event-triggered routing updates
B. global view database topology
C. fixed interval routing updates
D. only backbone area 0 is supported
E. assign any number to area

Answer: ABE

QUESTION: 279
What route (prefix) is selected to destination IP address 10.10.100.1?

A. 10.10.100.0/24
B. 10.10.100.0/25
C. 10.10.100.0/26
D. 10.10.100.0/27

Answer: D
Explanation
Routers select the route with the longest matching prefix when multiple routes match the same
destination. This is called the Longest Match Rule. The route selected for destination IP address
10.10.100.1 is 10.10.100.0/27.

QUESTION: 280
What attribute determines the route installed in the routing table when multiple routes exist from
different routing protocols to the same destination?

A. highest administrative distance
B. highest metric
C. lowest administrative distance
D. longest match rule

Answer: C
Explanation
The router selects what routes to install in the routing table. Sometimes there are multiple routes from
multiple routing protocols to the same destination. The route with lowest administrative distance
determines the route that is installed in the routing table. The route sources would include static,
default and connected host routes.

QUESTION: 281
What static routes when configured on router-1 and router-2 provide bidirectional forwarding between
192.168.1.0/24 and 172.16.3.0/24 subnets? (select two)

A. router-1(config)# ip route 172.16.3.0 0.0.0.255 192.168.2.2
B. router-1(config)# ip route 172.16.3.0 255.255.255.0 192.168.2.2
C. router-1(config)# ip route 172.16.3.0 255.255.255.0 192.168.2.0
D. router-2(config)# ip route 192.168.1.0 255.255.255.0 192.168.2.0
E. router-2(config)# ip route 192.168.1.0 255.255.255.0 192.168.2.1

Answer: BE
Explanation
There are no dynamic routing protocols such as OSPF that automatically advertise routes between
neighbors. All routes between endpoints must have a return or reverse path. The solution is to configure
a static route on each router for both directions.
router-1(config)# ip route 172.16.3.0 255.255.255.0 192.168.2.2
router-2(config)# ip route 192.168.1.0 255.255.255.0 192.168.2.1

When hosts send data to the server, router-1 will use the static route with next hop address to reach the
server subnet. Conversely, when the server returns data, router-2 will use the static route with next hop
to the host subnet. The following describes router logic for all packets that are originating at a host.

Source Path
The first IOS command reads - to reach server destination subnet 172.16.3.0 forward packets to next
hop 192.168.2.2 address.
Reverse Path
The second IOS command reads - to reach host destination subnet 192.168.1.0 forward packets to next
hop 192.168.2.1 address.

QUESTION: 282
What default route will forward all traffic to next hop address of 172.33.1.2?

A. ip route 0.0.0.0 0.0.0.0 172.33.1.2
B. ip route 0.0.0.0/0 172.33.1.0
C. ip route 0.0.0.0 255.255.255.255 172.33.1.2
D. ip route 172.33.1.2 255.255.255.0

Answer: A
Explanation
The default route configured on an internet router for example will forward all traffic to the configured
next hop IP address (172.33.1.2). That is typically the public interface of an ISP router. Packets arriving at
the internet router will use the default route when there is no route in the routing table to the
destination. It is configured as a gateway of last resort on a router.
internet-1(config)# ip route 0.0.0.0 0.0.0.0 172.33.1.2

QUESTION: 283
Select the correct IOS command to configure a floating (backup) static route on router-1 to destination
172.16.10.0/24 with next hop address 192.168.2.1?

A. router-1(config)# ip route 172.16.10.0 0.0.0.255 192.168.2.1 100
B. router-1(config)# ip route 172.16.10.0 255.255.255.0 192.168.2.1 1
C. router-1(config)# ip route 0.0.0.0/0 172.16.10.0/24
D. router-1(config)# ip route 172.16.10.0 255.255.255.0 192.168.2.1 200

Answer: D
Explanation
The following IOS command will configure a backup static route (floating) on router-1 to subnet
172.16.10.0/24 with an administrative distance of 200.
router-1(config)# ip route 172.16.10.0 255.255.255.0 192.168.2.1 200
• destination IP address (route) = 172.16.10.0
• subnet mask = 255.255.255.0 (/24)
• next hop IP address = 192.168.2.1
• administrative distance = 200

Traffic destined for subnet 172.16.10.0/24 is forwarded to next hop 192.168.2.1 with an administrative
distance of 200. That is higher than the default administrative distance of one (1) for a static route.
Assigning a value of 200 to the static route makes it a floating static route. That is higher than all routing
protocols, so it is only installed when the primary static route is removed. The primary static route is
removed when the primary link fails, for example, and the floating static route then acts as the failover.
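
The selection logic from questions 279 to 283 (lowest administrative distance decides which route is installed, longest match decides which installed route forwards, and a floating static route waits behind the primary) can be traced with a short Python model. This is an added example, not part of the original question set; the 10.0.0.x and 192.168.3.1 next hops are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass

# Default administrative distances on Cisco IOS for the sources used here.
DEFAULT_AD = {"connected": 0, "static": 1, "ospf": 110}


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str
    source: str
    ad: int


def route(prefix, next_hop, source, ad=None):
    """Build a candidate route; ad=None means the source's default AD."""
    return Route(ipaddress.ip_network(prefix), next_hop, source,
                 DEFAULT_AD[source] if ad is None else ad)


def build_table(candidates):
    """Step 1: for each prefix, install only the lowest-AD candidate."""
    table = {}
    for cand in candidates:
        installed = table.get(cand.prefix)
        if installed is None or cand.ad < installed.ad:
            table[cand.prefix] = cand
    return table


def lookup(table, destination):
    """Step 2: among installed routes, forward on the longest matching prefix."""
    addr = ipaddress.ip_address(destination)
    matches = [r for r in table.values() if addr in r.prefix]
    if not matches:
        return None  # no route and no default route: the packet is dropped
    return max(matches, key=lambda r: r.prefix.prefixlen)


def without_next_hop(candidates, next_hop):
    """Model a link failure: routes through that next hop are withdrawn."""
    return [c for c in candidates if c.next_hop != next_hop]


# Constructed sample data. The prefixes and the next hops 192.168.2.1 and
# 172.33.1.2 come from the questions; the other next hops are made up.
CANDIDATES = [
    route("10.10.100.0/24", "10.0.0.24", "ospf"),
    route("10.10.100.0/25", "10.0.0.25", "ospf"),
    route("10.10.100.0/26", "10.0.0.26", "ospf"),
    route("10.10.100.0/27", "10.0.0.27", "ospf"),
    route("172.16.10.0/24", "192.168.3.1", "static"),          # primary, AD 1
    route("172.16.10.0/24", "192.168.2.1", "static", ad=200),  # floating backup
    route("0.0.0.0/0", "172.33.1.2", "static"),                # default route
]

if __name__ == "__main__":
    table = build_table(CANDIDATES)
    for dest in ("10.10.100.1", "10.10.100.40", "172.16.10.5", "203.0.113.9"):
        chosen = lookup(table, dest)
        print(dest, "->", chosen.prefix, "via", chosen.next_hop, "AD", chosen.ad)

    # Primary link fails: the AD 200 floating static route is now installed.
    failed = build_table(without_next_hop(CANDIDATES, "192.168.3.1"))
    backup = lookup(failed, "172.16.10.5")
    print("after failure ->", backup.prefix, "via", backup.next_hop, "AD", backup.ad)
```
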

QUESTION: 284
What router is elected Designated Router (DR) when all are assigned the default priority setting?

A. router-1 (router ID = 10.10.1.1)
B. router-2 (router ID = 172.16.1.2)
C. router-3 (router ID = 192.168.1.3)
D. router-4 (router ID = 172.33.1.4)

Answer: C
Explanation
The router with the highest numerical router ID address is elected Designated Router (DR) when all
routers have default OSPF priority (1). In this example, from left to right, 192.168.1.3 is highest IP
address and router-3 is elected DR.

QUESTION: 285
What IOS interface command is used to change the OSPF network type to broadcast on a network
interface?

A. ip ospf network broadcast
B. ip ospf network type broadcast
C. ip ospf network-type broadcast
D. ip ospf network ethernet

Answer: A

QUESTION: 286
What statement is correct concerning OSPF router ID?

A. router ID cannot be assigned to a loopback address
B. router ID must only be locally unique
C. router ID must be unique across routing domain
D. router ID can be 32-bit or IPv6 address

Answer: C

QUESTION: 287
What statement is correct concerning OSPF configuration?

A. classless subnet mask supported only
B. classful wildcard mask supported only
C. classless wildcard mask supported only
D. does not use wildcard masks

Answer: C

QUESTION: 288
What statement best describes where traffic policing is most effective?

A. minimize network latency
B. ingress interface only
C. delay sensitive traffic
D. Layer 3 switch
E. conform traffic to a data rate

Answer: E
Explanation
The following IOS command will configure a backup static route (floating) on router-1 to subnet
172.16.10.0/24 with an administrative distance of 2.
router-1(config)# ip route 172.16.10.0 255.255.255.0 192.168.2.1 2
• destination IP address (route) = 172.16.10.0
• subnet mask = 255.255.255.0 (/24)
• next hop IP address = 192.168.2.1
• administrative distance = 2

Traffic destined for subnet 172.16.10.0/24 is forwarded to next hop 192.168.2.1 with administrative
distance of two. That is higher than the default administrative distance for a static route of one (1).
Assigning a value of 2 to the static route makes it a floating static route. That is often used as a backup
route when a primary link fails.

QUESTION: 289
What three options best describe where traffic shaping is most effective?

A. prevents ISP from dropping packets that exceed maximum data rate
B. delay sensitive traffic
C. minimizes effect of any single user or application traffic on network performance
D. provides multiple packet handling options
E. shapes traffic to lower rate than what is available with customer physical interface

Answer: ACE
Explanation
The primary purpose of traffic shaping is to limit the maximum data rate on an egress network interface.
The queuing of packets is used to prevent packet forwarding from exceeding CIR. There is support for
applying traffic shaping to a single user or application. That minimizes the effect of any internet traffic
and bandwidth hogging for instance. The queuing of packets can affect delay sensitive traffic with higher
latency. The following is a list of the correct features and operation of shaping.
• Minimize the effect of any single user traffic on network performance.
• Prevent ISP from dropping packets that exceed maximum data rate (CIR)
• Shape traffic to lower rate than what is available with customer physical interface.

QUESTION: 290
What is NOT an example of a QoS marking technique?

A. CoS
B. DSCP
C. IP Precedence
D. PHB

Answer: D

QUESTION: 291
What is NOT a service provided by TFTP server?

A. download IP phone configuration
B. load IOS system image
C. backup configuration script
D. download running configuration

Answer: D

QUESTION: 292
What are two differences between TFTP and FTP?

A. TFTP is more secure
B. FTP is more secure
C. TFTP is UDP-based
D. TFTP is TCP-based

Answer: BC

QUESTION: 293
What authentication method is used by SNMPv2?

A. local authentication
B. MD5 hash
C. community string
D. AES-SHA

Answer: C

QUESTION: 294
What is the difference between dynamic NAT pool and NAT overload?

A. dynamic NAT pool is comprised of only one public address
B. dynamic NAT pool is comprised of multiple public addresses
C. dynamic NAT pool is comprised of public and private addresses
D. NAT overload is comprised of multiple interfaces

Answer: B
Explanation
Dynamic NAT pool translates each private IP address to an available public IP address in the NAT pool.
The network administrator assigns a range of public addresses to a pool. All public IP addresses in the
pool are shared by all inside private IP addresses. They are allocated for the session on a first come first
served basis. The maximum number of simultaneous internet connections at any time is limited by the
number of public IP addresses in the NAT pool. NAT overload assigns only a single public IP address or
outside interface to translate private IP addresses.

QUESTION: 295

How does NAT enable private host addresses for internet access? (select the best answer)

A. Standard access list
B. extended access list
C. standard or extended access list
D. NAT pool

Answer: C

QUESTION: 296
What is NOT required when configuring SSH access on a router?

A. local authentication
B. RSA encryption key
C. transport input all
D. ip domain-name command

Answer: C
Explanation
The Cisco default setting allows all management protocols; however, it is recommended that you allow
only SSH. That is accomplished with the transport input ssh command.
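
A configuration review can check this setting mechanically. The following Python audit is an added example, not part of the original question set: it reads a saved configuration and reports VTY lines that allow more than SSH or lack login local, plus two global settings configured in the simulations later in this document (service password-encryption and enable secret). Both sample configurations are constructed, and it assumes local accounts rather than AAA are the intended login method.

```python
def parse_sections(config):
    """Split an IOS config into global commands and 'line ...' sections."""
    global_cmds, lines, current = [], {}, None
    for raw in config.splitlines():
        text = raw.strip()
        if not text or text.startswith("!"):
            continue
        if not raw[0].isspace():       # a top-level command ends any open section
            current = None
            if text.startswith("line "):
                current = text
                lines[current] = []
            else:
                global_cmds.append(text)
        elif current is not None:      # indented command inside a line section
            lines[current].append(text)
    return global_cmds, lines


def audit_management_access(config):
    """Return (scope, finding) tuples in configuration order."""
    global_cmds, lines = parse_sections(config)
    findings = []
    if "service password-encryption" not in global_cmds:
        findings.append(("global", "service password-encryption is not enabled"))
    if not any(cmd.startswith("enable secret ") for cmd in global_cmds):
        findings.append(("global", "no enable secret configured"))
    for header, cmds in lines.items():
        if not header.startswith("line vty"):
            continue
        transport = [c.split()[2:] for c in cmds if c.startswith("transport input")]
        if not transport:
            # Absence is treated as the default this page describes (all protocols).
            findings.append((header, "no transport input command, default applies"))
        elif transport[-1] not in (["ssh"], ["none"]):
            allowed = " ".join(transport[-1])
            findings.append((header, "transport input %s permits non-SSH access" % allowed))
        if "login local" not in cmds:
            findings.append((header, "login local is not configured"))
    return findings


# Constructed sample configurations; secrets are placeholders.
WEAK_CONFIG = """\
service password-encryption
hostname SW-3
username ccna privilege 15 password 7 PLACEHOLDER
line con 0
 password 7 PLACEHOLDER
 login
line vty 0 4
 login local
 transport input all
line vty 5 15
 login
"""

HARDENED_CONFIG = """\
service password-encryption
hostname SW-3
enable secret 5 PLACEHOLDER
username ccna privilege 15 password 7 PLACEHOLDER
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 login local
 transport input ssh
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name)
        for scope, finding in audit_management_access(cfg) or [("-", "no findings")]:
            print("  %s: %s" % (scope, finding))
```
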

QUESTION: 297
Select three correct statements that are recommended best practices for creating and applying ACLs?

A. order ACL with multiple statements from most specific to least specific
B. apply standard ACL near source
C. apply extended ACL near destination
D. apply extended ACL near source
E. order ACL with multiple statements from least specific to most specific

Answer: AD
Explanation
There are some recommended best practices when creating and applying access control lists (ACL). The
network administrator should apply a standard access list closest to the destination. The standard access
list is comprised of a source IP address and wildcard mask.

It is very general and can inadvertently filter traffic incorrectly. Applying the standard access list near the
destination where filtering is required prevents possible over filtering. The extended access list should
be applied closest to the source. The extended access list is granular (specific) and filters traffic based on
stringent requirements. It includes source address, destination address, protocols and port numbers.
Applying an extended access list closest to the source prevents traffic that should be filtered from
traversing the network. That conserves bandwidth and additional processing required at each router
hop from source to destination.

Some access control lists (ACL) are comprised of multiple statements. The ordering of statements is key
to the ACL working as expected. The router starts from the top (first) and cycles through all statements
until a matching statement is found. The packet is dropped where no match exists. The administrator
should order ACL statements from most specific to least specific. Assigning least specific statements first
will sometimes cause a match to occur with an ACL that wasn't intended for that packet. As a result the
match on the intended ACL statement never occurs.

The more specific ACL statement is characterized by source and destination address with shorter
wildcard masks (more zeros). In addition, protocols and port numbers are often specified. The first ACL
statement is more specific than the second ACL statement. There is an implicit deny any any statement
added to the end of each ACL.

permit tcp 192.168.1.0 0.0.0.255 host 10.10.64.1 eq 23
deny tcp any any eq 23
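
The effect of statement order can be checked with a small first-match evaluator. This Python model is an added example, not part of the original question set: it parses the two statements above, applies wildcard-mask matching with the implicit deny, and reports statements that can never match because an earlier one already covers them. It supports only the `permit|deny ip|tcp|udp <src> <dst> [eq <port>]` form used on this page, and the test packets are constructed.

```python
import ipaddress

PORT_NAMES = {"ftp": 21, "telnet": 23, "tftp": 69}  # keywords used on this page
ALL_BITS = 0xFFFFFFFF


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _take_address(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (base, wildcard) as ints."""
    head = tokens.pop(0)
    if head == "any":
        return 0, ALL_BITS
    if head == "host":
        return _ip(tokens.pop(0)), 0
    return _ip(head), _ip(tokens.pop(0))


def parse_ace(line):
    """Parse '<permit|deny> <ip|tcp|udp> <src> <dst> [eq <port>]' into a dict."""
    tokens = line.split()
    action, proto = tokens.pop(0), tokens.pop(0)
    if action not in ("permit", "deny") or proto not in ("ip", "tcp", "udp"):
        raise ValueError("unsupported statement: " + line)
    src, dst = _take_address(tokens), _take_address(tokens)
    port = None
    if tokens:
        if len(tokens) != 2 or tokens[0] != "eq":
            raise ValueError("unsupported statement: " + line)
        port = PORT_NAMES[tokens[1]] if tokens[1] in PORT_NAMES else int(tokens[1])
    return {"action": action, "proto": proto, "src": src, "dst": dst, "port": port}


def _addr_match(spec, addr):
    """Wildcard bits set to 1 are ignored; bits set to 0 must equal the base."""
    base, wildcard = spec
    return ((base ^ addr) & ~wildcard & ALL_BITS) == 0


def evaluate(acl, proto, src, dst, dport=None):
    """First match wins; ('deny', None) means the implicit deny was reached."""
    for index, line in enumerate(acl):
        ace = parse_ace(line)
        if ace["proto"] not in ("ip", proto):
            continue
        if not (_addr_match(ace["src"], _ip(src)) and _addr_match(ace["dst"], _ip(dst))):
            continue
        if ace["port"] is not None and ace["port"] != dport:
            continue
        return ace["action"], index
    return "deny", None


def _covers(outer, inner):
    """True if every packet that matches 'inner' also matches 'outer'."""
    def addr_covers(o, i):
        return ((i[1] & ~o[1] & ALL_BITS) == 0
                and ((o[0] ^ i[0]) & ~o[1] & ALL_BITS) == 0)
    return (outer["proto"] in ("ip", inner["proto"])
            and addr_covers(outer["src"], inner["src"])
            and addr_covers(outer["dst"], inner["dst"])
            and outer["port"] in (None, inner["port"]))


def shadowed(acl):
    """Return (index, earlier_index) for statements an earlier one fully covers."""
    aces = [parse_ace(line) for line in acl]
    result = []
    for j, inner in enumerate(aces):
        for i in range(j):
            if _covers(aces[i], inner):
                result.append((j, i))
                break
    return result


PAGE_ORDER = [
    "permit tcp 192.168.1.0 0.0.0.255 host 10.10.64.1 eq 23",
    "deny tcp any any eq 23",
]
REVERSED = list(reversed(PAGE_ORDER))  # least specific statement first

if __name__ == "__main__":
    telnet = ("tcp", "192.168.1.10", "10.10.64.1", 23)  # constructed packet
    print("page order:", evaluate(PAGE_ORDER, *telnet), shadowed(PAGE_ORDER))
    print("reversed:  ", evaluate(REVERSED, *telnet), shadowed(REVERSED))
```
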

QUESTION: 298
Refer to the network topology drawing. Router-1 is configured with the following access control list
(ACL) configuration. The purpose is to deny all access from 192.168.0.0/16 subnets to server-1. Select
the correct network device, interface and direction to apply the ACL?

router-1(config)# ip access-list extended hosts-deny
router-1(config-ext-nacl)# deny ip 192.168.0.0 0.0.255.255 host 172.16.3.1

A. router-1, Gi1/0, outbound
B. router-1, Gi0/0, inbound
C. router-2, Gi1/0, outbound
D. router-2, Gi1/1, inbound
E. router-1, Gi1/1, outbound

Answer: E
Explanation
The named ACL denies all traffic from all 192.168.0.0/16 subnets to server-1. That is accomplished with
the wildcard mask 0.0.255.255. The host portion for a Class C address is the 4th octet. ACL is applied
outbound on router-1 interface Gi1/1. That filters traffic nearest to the source and from all
192.168.0.0/16 connected subnets. Applying the ACL inbound on router-1 interface Gi0/0
(192.168.1.0/24) or Gi1/0 (192.168.2.0/24) would only deny hosts access from that connected subnet
and not both.

QUESTION: 299
Select the correctly configured standard ACL?

A. access-list 110 permit ip any any
B. access-list 99 deny host 172.33.1.1
C. access-list 199 deny tcp any host 172.16.1.1
D. access-list 100 deny tcp any host 192.168.34.1 eq 22

Answer: B
Explanation
The standard access list (ACL) has a number range from 1-99 and 1300-1999. It specifies permit/deny
traffic from a source address with a wildcard mask. The extended access list (ACL) number range is
100-199 and 2000-2699. It specifies permit/deny with source and destination IP address, IP/TCP/UDP
protocols and destination ports.

QUESTION: 300
What number is not assignable to a standard ACL?

A. 1
B. 99
C. 100
D. 1300

Answer: C
Explanation
Standard ACL numbering range includes 1-99 and 1300-1999.

QUESTION: 301
Select the statement that correctly describes how an ACL is applied?

A. only one ACL can be applied per interface, inbound or outbound, per Layer 3 protocol
B. only one ACL can be applied per interface, inbound per protocol
C. multiple ACL can be applied per interface, inbound or outbound, per Layer 3 protocol
D. only one ACL can be applied per interface

Answer: A
Explanation
The access lists are characterized by a single or multiple permit/deny statements. The purpose is to filter
traffic inbound or outbound on a selected interface. The result is a single ACL can be applied in one
direction only per Layer 3 protocol. There is support for a maximum of two ACLs per interface per
protocol. That would include for instance a single IP ACL applied inbound and single IP ACL applied
outbound.

QUESTION: 302
What IOS command applies an extended ACL to an interface outbound?

A. ip access-class 100 out
B. ip access-group 100 out
C. ip access-list 100 out
D. ip access-group 100 interface out

Answer: B

QUESTION: 303
What IOS command applies an extended ACL to a VTY line?

A. ip access-group
B. ip access-list
C. ip access class
D. ip access-class

Answer: D
Explanation
It is common to apply an access list to VTY lines for security purposes, for example to deny all access
from a specific subnet or subnets. The correct command is "ip access-class" for applying named ACL to VTY lines.

QUESTION: 304
What are equivalent CRUD events mapped to HTTP operations for RESTful API?

A. GET, PUT/PATCH, POST, DELETE
B. POST, DELETE, PUT, PATCH
C. GET, POST, PUT/PATCH, DELETE
D. POST, GET, PUT, DELETE

Answer: D

QUESTION: 305
What extended ACL will deny Telnet traffic from hosts on subnet 192.168.10.0/24 to any network
device?

A. access-list 100 deny tcp host 192.168.10.0 any eq telnet
B. access-list 100 deny tcp 192.168.10.0 0.0.0.255 any eq 21
C. access-list 100 deny tcp 192.168.10.0 0.0.0.255 any eq telnet
D. access-list 100 deny tcp host 192.168.10.0 any eq 23

Answer: C

Explanation
A. ACL is incorrect. host is not correct for a subnet and wildcard mask is missing.
B. ACL is incorrect. TCP port number 21 is FTP application.
D. ACL is incorrect. host is not correct for a subnet and wildcard mask is missing.

QUESTION: 306
What extended ACL will deny TFTP traffic from host 192.168.1.1 to host 192.168.3.1?

A. access-list 100 deny udp host 192.168.1.0 any eq tftp
B. access-list 100 deny udp host 192.168.3.1 host 192.168.1.1 any eq tftp
C. access-list 100 deny tcp 192.168.1.0 0.0.0.255 any eq tftp
D. access-list 100 deny udp host 192.168.1.1 host 192.163.3.1 any eq tftp

Answer: D
Explanation
A. ACL is incorrect. The host should not refer to a subnet address. The any command permits access to
all destination addresses.
B. ACL is incorrect. The source IP address (192.168.1.1) should be first and destination IP address
(192.168.3.1) last in any extended ACL configuration.
C. ACL is incorrect. TFTP is UDP-based and the ACL references a subnet to all destinations instead of
source and destination host IP addresses.

QUESTION: 307
What IOS command will configure the console port with a password?

A. line console 0
login local

B. line console 0
password cisconet
login

C. console line0
password cisconet
enable login

D. console 0
password cisconet
login

Answer: B

QUESTION: 308
What are three differences between SSL and IPsec VPN?

E. SSL does not encrypt data
F. SSL is network layer
G. SSL is complex to setup
H. SSL is dynamic
I. SSL is application layer
J. SSL is easy to setup

Answer: HIJ

QUESTION: 309
What are three password alternatives to the traditional text string?

A. biometric
B. digital certificate
C. software token
D. RADIUS server
E. local authentication

Answer: ABC

QUESTION: 310
What is the length of WPA2-PSK wireless passphrase key?

A. 8-63 characters
B. 10-64 characters
C. 1-48 characters
D. 12-32 characters

Answer: A

QUESTION: 311
What are three standard layers of SDN architecture?

A. Application Layer
B. Control Layer
C. Infrastructure Layer
D. Network Layer
E. Access Layer

Answer: ABC
Explanation
SDN architecture is comprised of the following three primary layers.
Application Layer
SDN applications communicate with the SDN controller via northbound APIs.
Control Layer
The SDN controller provides control plane services and manages network service requests from applications
to infrastructure devices. Cisco APIC-EM is an example of an SDN controller.
Infrastructure Layer
Comprised of data plane network devices such as switches. They communicate with the SDN controller
via southbound APIs at the service abstraction layer.

QUESTION: 312
What are the advantages of automation compared with traditional network management? (select three)

A. faster
B. scripting
C. dynamic
D. CLI
E. error-free

Answer: ABC

QUESTION: 313
What tasks are well suited to configuration tools such as Puppet, Chef and Ansible? (select three)

A. push new/update device configuration
B. software compliance
C. repeating single task to multiple network devices
D. on-premises tasks only
E. CLI configuration
F. single tasks that are complex

Answer: ABC

QUESTION: 314
What automation tool is based on an agentless architecture?

A. Ansible
B. Chef
C. Puppet
D. DNA

Answer: A

QUESTION: 315
What network protocol is required by Puppet server for communication with agents?

A. SSH
B. JSON
C. HTTPS
D. REST API

Answer: C

QUESTION: 316
Select the statement that is incorrect?

A. HTTP GET request retrieves data
B. HTTP POST reads new data
C. HTTP DELETE is used to delete data
D. HTTP PUT replaces data

Answer: B

QUESTION: 317
What is not a data encoding method for HTTP?

A. ISO-8859-1
B. ASCII
C. UTF-8
D. JSON

Answer: D

QUESTION: 318
What tool is best suited to verify and maintain state consistency for configuration and security
compliance?

A. Ansible
B. Chef
C. Puppet
D. YAML
E. XML

Answer: C

QUESTION: 319
What configuration tool supports features such as “test before deploy” and verify changes?

A. HTML
B. JSON
C. REST API
D. XML
E. Puppet

Answer: E

QUESTION: 320
What are the keys represented with the following JSON object? (select two)

{
  "ccna" : {
    "name" : "shaun",
    "age" : "35"
  }
}

A. Ccna
B. Name
C. Shaun
D. Age
E. “name” : “shaun”

Answer: BD

QUESTION: 321 Simulation


Start Packet Tracer lab named configuration sim 1

Access Ports and VLANs


SW-1 Configuration
Configure VLANs and assign to access ports for different traffic types.
Step 1: Create VLAN 9, VLAN 10, and VLAN 11
Step 2: Assign VLAN name voice to VLAN 9 on SW-1
Step 3: Configure interface Fa0/3 as an access port
Step 4: Assign interface Fa0/3 to VLAN 10
Step 5: Assign interface Fa0/3 to voice VLAN 9
Step 6: Configure interface Fa0/4 as an access port
Step 7: Assign interface Fa0/4 to VLAN 11
Step 8: Verify that your configuration is correct
Step 9: Verify VLAN 9 is operational (active) and assigned to switch interface Fa0/3
Step 10: Verify VLAN 10 is active and assigned to switch interface Fa0/3
Step 11: Verify VLAN 11 is active and assigned to switch interface Fa0/4

Answer:
SW-1 Configuration
SW-1(config)# vlan 9
SW-1(config-vlan)# vlan 10
SW-1(config-vlan)# vlan 11
SW-1(config-vlan)# vlan 9
SW-1(config-vlan)# name voice
SW-1(config)# interface Fa0/3
SW-1(config-if)# switchport mode access
SW-1(config-if)# switchport access vlan 10
SW-1(config-if)# switchport voice vlan 9
SW-1(config)# interface Fa0/4
SW-1(config-if)# switchport mode access
SW-1(config-if)# switchport access vlan 11
SW-1# show running-config
SW-1# show vlan brief

QUESTION: 322 Simulation


Start Packet Tracer lab named configuration sim 1

Link Autonegotiation
Configure autonegotiation on a switch port for Cisco best practice recommendations.
Step 1: Verify the configuration of SW-1 interface Fa0/3
Step 2: Verify the operational status of all switch interfaces on SW-1 and specifically Fa0/3
Step 3: Configure SW-1 interface Fa0/3 for autonegotiation of duplex and speed
Step 4: Verify that SW-1 interface Fa0/3 is configured correctly
Step 5: Verify that SW-1 interface Fa0/3 is now operational

Answer:
SW-1# show running-config
SW-1# show ip interface brief
SW-1(config)# interface Fa0/3
SW-1(config-if)# duplex auto
SW-1(config-if)# speed auto
SW-1# show running-config

The Cisco IOS command show running-config does not display Cisco default settings in the running
configuration. That is a Cisco convention. Operational commands, however, will verify whether default
settings are active on an interface or network device.

QUESTION: 323 Simulation


Start Packet Tracer lab named configuration sim 1

Static Trunking
Configure a static trunk (manual) to forward multiple VLANs between SW-1 and SW-3.

SW-1 Configuration
Step 1: Configure static trunk mode on interface Fa0/2
Step 2: Assign native VLAN 999 on trunk interface
Step 3: Allow only VLAN 9, VLAN 10, VLAN 11 and VLAN 12 on trunk interface

SW-3 Configuration
Step 4: Configure static trunk mode on interface Fa0/1
Step 5: Assign native VLAN 999 on trunk interface
Step 6: Allow only VLAN 9, VLAN 10, VLAN 11 and VLAN 12 on trunk interface
Step 7: Verify that your static trunk is configured correctly on SW-1 and SW-3
Step 8: Verify that your static trunk is operational between SW-1 and SW-3
Step 9: Ping from host-1 to server-1 (192.168.1.2) and verify network connectivity

Answer:
SW-1(config)# interface Fa0/2
SW-1(config-if)# switchport mode trunk
SW-1(config-if)# switchport trunk native vlan 999
SW-1(config-if)# switchport trunk allowed vlan 9-12
SW-3(config)# interface Fa0/1
SW-3(config-if)# switchport mode trunk
SW-3(config-if)# switchport trunk native vlan 999
SW-3(config-if)# switchport trunk allowed vlan 9-12
SW-1# show running-config
SW-1# show interfaces trunk
SW-3# show running-config
SW-3# show interfaces trunk

QUESTION: 324 Simulation


Start Packet Tracer lab named configuration sim 1

Layer 2 EtherChannel
Configure an EtherChannel interface between SW-2 and SW-4 based on LACP.

SW-2 Configuration
Step 1: Assign interface Fa0/3 to channel group 1 and to send LACP negotiation frames
Step 2: Assign interface Fa0/4 to channel group 1 and to send LACP negotiation frames
Step 3: Configure port channel 1 interface as a static trunk with Cisco default settings
Step 4: Disable DTP frames across the port channel interface
Step 5: Verify that EtherChannel is configured correctly on SW-2

SW-4 Configuration
Step 1: Assign interface Fa0/3 to channel group 1 and listen for LACP negotiation frames
Step 2: Assign interface Fa0/4 to channel group 1 and listen for LACP negotiation frames
Step 3: Configure port channel 1 interface as a static trunk with Cisco default settings
Step 4: Disable DTP frames across the port channel interface
Step 5: Verify that EtherChannel is configured correctly on SW-4
Step 6: Verify that EtherChannel is operational between SW-2 and SW-4
Step 7: Ping from host-2 to server-2 and verify network connectivity.
Step 8: Ping from wireless host-3 to server-3 and verify network connectivity.

Answer:
SW-2(config)# interface Fa0/3
SW-2(config-if)# channel-group 1 mode active
SW-2(config)# interface Fa0/4
SW-2(config-if)# channel-group 1 mode active
SW-2(config)# interface port-channel 1
SW-2(config-if)# switchport mode trunk
SW-2(config-if)# switchport nonegotiate
SW-2# show running-config
SW-4(config)# interface Fa0/3
SW-4(config-if)# channel-group 1 mode passive
SW-4(config)# interface Fa0/4
SW-4(config-if)# channel-group 1 mode passive
SW-4(config)# interface port-channel 1
SW-4(config-if)# switchport mode trunk
SW-4(config-if)# switchport nonegotiate
SW-4# show running-config
SW-4# show etherchannel summary
SW-2# show etherchannel summary

QUESTION: 325 Simulation


Start Packet Tracer lab named configuration sim 1

Local Authentication
Configure a local account on SW-3 for user authentication security access.
Step 1: Configure a local account on SW-3 with privilege level 15 security access
username: ccna password: ccnalabs
Step 2: Configure VTY 0 4 lines for local authentication
Step 3: Enable password encryption so passwords are not readable in configuration script
Step 4: Verify that your configuration is correct and passwords are now unreadable as well

Answer:
SW-3(config)# username ccna privilege 15 password ccnalabs
SW-3(config)# line vty 0 4
SW-3(config-line)# login local
SW-3(config-line)# exit
SW-3(config)# service password-encryption
SW-3# show running-config

QUESTION: 326 Simulation


Start Packet Tracer lab named configuration sim 1

Answer:

QUESTION: 327 Simulation


Start Packet Tracer lab named configuration sim 1

Enable Secret Password


Step 1: Configure enable secret password ccnalabs on SW-1
Step 2: Configure enable secret password ccnalabs on SW-2
Step 3: Verify that your configuration is correct
Step 4: Login to SW-1 and verify enable secret password is operational
Step 5: Login to SW-2 and verify enable secret password is operational

Wrap It Up
Step 1: Save running configuration to startup configuration on SW-1
Step 2: Save running configuration to startup configuration on SW-2
Step 3: Save running configuration to startup configuration on SW-3
Step 4: Save running configuration to startup configuration on SW-4

Answer:
SW-1(config)# enable secret ccnalabs
SW-1# show running-config
SW-1# exit
SW-1> enable
Password: ccnalabs
SW-1#
SW-2(config)# enable secret ccnalabs
SW-2# show running-config
SW-2# exit
SW-2> enable
Password: ccnalabs

Wrap It Up
SW-2# copy running-config startup-config
SW-1# copy running-config startup-config
SW-3# copy running-config startup-config
SW-4# copy running-config startup-config

QUESTION: 328 Simulation


Start Packet Tracer lab named configuration sim 2 so that it is active.

Single-Area OSPFv2
router-3
Enable OSPFv2 globally on router-3 and advertise a connected subnet to neighbors.
Step 1: Enable OSPFv2 with process ID 1.
Step 2: Assign router ID 192.168.255.3
Step 3: Advertise 192.168.0.0/16 connected subnet to area 0.
Step 4: Verify that your configuration is correct.

router-2
Enable OSPFv2 globally on router-2 and advertise all connected subnets to neighbors.
Step 1: Enable OSPFv2 with process ID 1.
Step 2: Assign router ID 192.168.255.2
Step 3: Advertise 192.168.0.0/16 connected subnets to area 0.
Step 4: Advertise subnet 172.16.3.0/24 to area 0.
Step 5: Verify that your configuration is correct.

router-1
Enable OSPFv2 globally on router-1 and advertise all connected subnets to neighbors.
Step 1: Enable OSPFv2 with process ID 1.
Step 2: Assign router ID 192.168.255.1
Step 3: Advertise 192.168.0.0/16 connected subnets to area 0.
Step 4: Advertise host subnet 172.16.1.0/24 to area 0.
Step 5: Advertise wireless host subnet 172.16.2.0/24 to area 0.
Step 6: Verify that your configuration is correct.
Step 7: Click [Fast Forward Time] to speed up network convergence.
Step 8: Verify that OSPF routes from neighbors are now in the local routing table.
Step 9: Verify neighbor adjacency is established between each router.
Step 10: Ping from host-1 to server-1 (172.16.3.1) and verify routing is working correctly.
Step 11: Ping from Guest to server-1 (172.16.3.1) and verify routing is working correctly.
Step 12: Ping from host-1 to router-3 (192.168.1.2) and verify routing is working correctly.
Step 13: Ping from Guest to router-3 (192.168.1.2) and verify routing is working correctly.

Answer:
router-3(config)# router ospf 1
router-3(config-rtr)# router-id 192.168.255.3
router-3(config-rtr)# network 192.168.0.0 0.0.255.255 area 0
router-3# show running-config
router-2(config)# router ospf 1
router-2(config-rtr)# router-id 192.168.255.2
router-2(config-rtr)# network 192.168.0.0 0.0.255.255 area 0
router-2(config-rtr)# network 172.16.3.0 0.0.0.255 area 0
router-2# show running-config
router-1(config)# router ospf 1
router-1(config-rtr)# router-id 192.168.255.1
router-1(config-rtr)# network 192.168.0.0 0.0.255.255 area 0
router-1(config-rtr)# network 172.16.1.0 0.0.0.255 area 0
router-1(config-rtr)# network 172.16.2.0 0.0.0.255 area 0
router-1# show running-config
router-1# show ip route
router-1# show ip ospf neighbor
router-2# show ip ospf neighbor
router-3# show ip ospf neighbor

OSPF is a classless routing protocol, and wildcard masks are required to define the subnets to
advertise. The OSPF network area command enables OSPF routing on all local interfaces that are
assigned an address within the specified range. For example, an interface that is assigned
192.168.1.1 is enabled for OSPF when the network area command is configured with a 192.168.0.0/16
or 192.168.1.0/24 network address. The subnet (route) is then advertised to the assigned area. OSPF
can also be enabled directly on an interface. For example, the interface command ip ospf 1 area 0
assigns interface Fa0/1 to OSPF process ID 1 and area 0. OSPF will then advertise the subnet assigned
to interface Fa0/1 to OSPF neighbors. The interface-level command also takes precedence when a
network area command is configured for the same subnet.
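The wildcard matching described above can be checked offline before a network statement is applied. The following Python sketch is an added example, not part of the original study guide and not Cisco code; the network statements are router-1's from the answer above, while the interface names and addresses in ROUTER1_INTERFACES are constructed for illustration.

```python
import ipaddress


def to_int(dotted):
    """Dotted-quad IPv4 string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def wildcard_from_prefix(cidr):
    """Wildcard mask for a prefix, e.g. 192.168.0.0/16 -> 0.0.255.255."""
    return str(ipaddress.ip_network(cidr).hostmask)


def wildcard_match(address, base, wildcard):
    """True when address equals base in every bit where the wildcard has a 0."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(address) & care) == (to_int(base) & care)


def ospf_enabled_interfaces(interfaces, network_statements):
    """Return {interface: (statement, area)} for every matched interface.

    An interface whose address matches no statement is left out: OSPF does
    not run on it and its subnet is not advertised. Every statement used
    here is in area 0, so the order of overlapping statements does not
    change the result of this sketch.
    """
    enabled = {}
    for name, address in interfaces.items():
        for base, wildcard, area in network_statements:
            if wildcard_match(address, base, wildcard):
                statement = f"network {base} {wildcard} area {area}"
                enabled[name] = (statement, area)
                break
    return enabled


# router-1 network statements, taken from the answer above.
ROUTER1_NETWORKS = [
    ("192.168.0.0", "0.0.255.255", 0),
    ("172.16.1.0", "0.0.0.255", 0),
    ("172.16.2.0", "0.0.0.255", 0),
]

# Constructed interface addresses (assumptions, not from the lab file).
ROUTER1_INTERFACES = {
    "Fa0/0": "172.16.1.254",      # VLAN 10 host subnet
    "Fa3/0": "172.16.2.254",      # wireless guest subnet
    "Fa1/0": "192.168.3.1",       # link to a neighbor
    "Fa2/0": "192.168.2.1",       # link to a neighbor
    "Loopback0": "10.255.255.1",  # outside every configured range
}

if __name__ == "__main__":
    enabled = ospf_enabled_interfaces(ROUTER1_INTERFACES, ROUTER1_NETWORKS)
    for name, address in ROUTER1_INTERFACES.items():
        if name in enabled:
            print(f"{name:10} {address:15} OSPF via '{enabled[name][0]}'")
        else:
            print(f"{name:10} {address:15} no matching network statement")
```

Running the check against the real interface list shows exactly which interfaces a broad statement such as 192.168.0.0 0.0.255.255 will bring into OSPF, which is worth confirming before the configuration is saved.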

QUESTION: 329 Simulation


Start Packet Tracer lab named configuration sim 2 so that it is active.

IPv4 Default Route


Configure a default route to the internet on router-3 and advertise to all OSPF neighbors.
Step 1: Verify there is no route to ISP router (172.33.1.0/24) in the routing table of router-1.
Step 2: Verify there is no route to ISP router (172.33.1.0/24) in the routing table of router-2.
Step 3: Configure a default route on router-3 with ISP router interface Fa0/0 as next hop IP address.
Step 4: Advertise that default route as an OSPF route to all downstream routers.
Step 5: Verify that your configuration is correct.
Step 6: Verify the default route is in the routing table of router-3.
Step 7: Ping from host-1 to 172.33.1.2 (ISP) and verify default route to internet is working.
Step 8: Ping from Guest to 172.33.1.2 (ISP) and verify default route to internet is working.

Answer:
router-1# show ip route
router-2# show ip route
router-3(config)# ip route 0.0.0.0 0.0.0.0 172.33.1.2
router-3(config)# router ospf 1
router-3(config-router)# default-information originate
router-3# show running-config
router-3# show ip route

QUESTION: 330 Simulation


Start Packet Tracer lab named configuration sim 2 so that it is active.

IPv4 Static Route


Configure static routing to AWS cloud subnet (200.200.2.0/24) for wireless guests to access AWS cloud
servers.
Step 1: Configure a static route on router-1 to AWS (200.200.2.0/24) with next hop address of
192.168.2.2 (router-2).
Step 2: Verify that your configuration is correct.
Step 3: Verify the static route is installed in the routing table of router-1.
Step 4: Configure a static route on router-2 to AWS subnet (200.200.2.0/24) with 200.200.1.2 as next
hop address.
Step 5: Click [Fast Forward Time] several times for network routing convergence.
Step 6: Verify that your configuration is correct.
Step 7: Verify the static route is installed in the routing table of router-2.
Step 8: Ping from router-1 to AWS cloud server (200.200.2.1) and verify static route is working correctly.
Step 9: Start a browser session from wireless Guest to AWS cloud server (200.200.2.1)

Answer:
router-1(config)# ip route 200.200.2.0 255.255.255.0 192.168.2.2
router-1# show running-config
router-1# show ip route
router-2(config)# ip route 200.200.2.0 255.255.255.0 200.200.1.2
router-2# show running-config
router-2# show ip route

QUESTION: 331 Simulation


Start Packet Tracer lab named configuration sim 2 so that it is active.

Port Address Translation (PAT)


Enable internet access for wireless Guests and hosts assigned to VLAN 10 with NAT overload.
Step 1: Configure outside NAT interface to router-3 interface Fa2/0.
Step 2: Configure inside NAT interface to router-3 interface Fa0/0.
Step 3: Define NAT pool named internet with 172.33.1.1/24 - 172.33.1.1/24 public address.
Step 4: Configure ACL 100 to enable internet access for all 172.16.0.0/16 subnets.
Step 5: Assign NAT overload (Port Address Translation) to pool internet.
Step 6: Configure outside NAT interface to ISP router interface Fa0/0.
Step 7: Configure inside NAT interface to ISP router interface Fa1/0.
Step 8: Configure static NAT mapping on ISP router between ISP (172.33.1.2) and public internet server
(10.10.1.1) for TCP port 80.
Step 9: Verify that your configuration is correct.
Step 10: Ping from wireless Guest to www internet server (172.33.1.2) and verify port address
translation is working correctly.
Step 11: Verify translation table is operational for private and public addressing on router-3.
Step 12: Verify static NAT is operational on ISP router between public and www server.
Step 13: Start a browser session from Guest to www internet server (http://172.33.1.2)
Step 14: Start a browser session from host-1 to www internet server (http://172.33.1.2)

Answer:
router-3(config)# interface Fa2/0
router-3(config-if)# ip nat outside
router-3(config)# interface Fa0/0
router-3(config-if)# ip nat inside
router-3(config)# ip nat pool internet 172.33.1.1 172.33.1.1 netmask 255.255.255.0
router-3(config)# access-list 100 permit ip 172.16.0.0 0.0.255.255 any
router-3(config)# ip nat inside source list 100 pool internet overload
router-3# show running-config
ISP(config)# interface Fa0/0
ISP(config-if)# ip nat outside
ISP(config)# interface Fa1/0
ISP(config-if)# ip nat inside
ISP(config)# ip nat inside source static tcp 10.10.1.1 80 172.33.1.2 80
ISP# show running-config
router-3# show ip nat translation
ISP# show ip nat translation

QUESTION: 332 Simulation


Start Packet Tracer lab named configuration sim 2 so that it is active.

Secure Shell (SSHv2)


Configure SSHv2 on router-3 for remote management with session encryption.
Step 1: Configure local authentication with privilege level 15 (highest) on router-3:
username: admin password: ccnaexam
Step 2: Configure domain name ccna.cisconet.com
Step 3: Configure SSH version 2
Step 4: Create 768-bit RSA key
Step 5: Configure VTY 0 4 lines on router-3 to enable local authentication.
Step 6: Configure VTY 0 4 lines so that only SSH protocol is permitted inbound.
Step 7: Verify that your configuration is correct.
Step 8: Start SSH session from host-1 to router-3 and verify that it is working correctly.
c:/> ssh -l admin 192.168.1.2
Password: ccnaexam
router-3# exit
Step 9: Verify that Telnet session is not permitted on VTY lines from host-1 to router-3.
c:/> telnet 192.168.1.2

Answer:
router-3(config)# username admin privilege 15 password ccnaexam
router-3(config)# ip domain-name ccna.cisconet.com
router-3(config)# ip ssh version 2
router-3(config)# crypto key generate rsa
The name for the keys will be: router-3.ccna.cisconet.com
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus [512]: 768
router-3(config)# line vty 0 4
router-3(config-line)# login local
router-3(config-line)# transport input ssh
router-3# show running-config

QUESTION: 333 Simulation


Start Packet Tracer lab named configuration sim 2 so that it is active.

Standard ACL
Step 1: Start browser on host-1 and connect to AWS cloud server (200.200.2.1) to verify it is permitted.
Step 2: Configure standard ACL 99 on AWS router.
Step 3: Deny access from hosts in subnet 172.16.1.0/24 (VLAN 10) to AWS cloud server.
Step 4: Permit all other traffic that does not match any ACL statement.
Step 5: Apply standard ACL 99 to the correct interface and direction on AWS router.
Step 6: Verify that your configuration is correct.
Step 7: Ping from Guest to AWS cloud server and verify access is permitted.
Step 8: Ping from host-1 to AWS cloud server and verify access is denied.
Step 9: Ping from host-2 to AWS cloud server and verify access is denied.

Answer:
AWS(config)# access-list 99 deny 172.16.1.0 0.0.0.255
AWS(config)# access-list 99 permit any
AWS(config)# interface Fa0/0
AWS(config-if)# ip access-group 99 in
AWS# show running-config
AWS# copy running-config startup-config

QUESTION: 334 Simulation


Start Packet Tracer lab named configuration sim 2 so that it is active.

Extended ACL
Step 1: Configure extended ACL 100 on router-1.
Step 2: Deny host-1 from starting web-based applications (HTTP) on server-1.
Step 3: Permit all other traffic that does not match any ACL statement.
Step 4: Apply ACL 100 to the correct interface and direction on router-1.
Step 5: Verify that your configuration is correct.
Step 6: Start browser from host-1 to server-1 (172.16.3.1) and verify access is denied.
Step 7: Start browser from host-2 to server-1 (172.16.3.1) and verify access is permitted.

Answer:
router-1(config)# access-list 100 deny tcp host 172.16.1.1 host 172.16.3.1 eq www
router-1(config)# access-list 100 permit ip any any
router-1(config)# interface Fa0/0
router-1(config-if)# ip access-group 100 in
router-1# show running-config

QUESTION: 335 Simulation


Start Packet Tracer lab named configuration sim 2 so that it is active.

Extended Named ACL


Step 1: Configure named ACL guest-access on router-1
Step 2: Configure ACL description: security filter for wireless guests
Step 3: Deny wireless guests from web-based applications (HTTP) on server-1
Step 4: Deny wireless guests from starting Telnet session
Step 5: Deny wireless guests from starting an SSH session
Step 6: Permit all other traffic that does not match any ACL statement
Step 7: Apply named ACL to the correct interface and direction on router-1
Step 8: Verify that your configuration is correct
Step 9: Start a web browser from wireless Guest to server-1 and verify access is denied
Step 10: Start SSH session from wireless Guest to router-3 and verify access is denied
c:/> ssh -l admin 192.168.1.2
Step 11: Start Telnet session from wireless Guest to router-3 and verify access is denied.
c:/> telnet 192.168.1.2

Answer:
router-1(config)# ip access-list extended guest-access
router-1(config-ext-nacl)# remark security filtering for wireless guests
router-1(config-ext-nacl)# deny tcp 172.16.2.0 0.0.0.255 host 172.16.3.1 eq www
router-1(config-ext-nacl)# deny tcp 172.16.2.0 0.0.0.255 any eq telnet
router-1(config-ext-nacl)# deny tcp 172.16.2.0 0.0.0.255 any eq 22
router-1(config-ext-nacl)# permit ip any any
router-1(config)# interface Fa3/0
router-1(config-if)# ip access-group guest-access in
c:/> ssh -l admin 192.168.1.2
c:/> telnet 192.168.1.2
router-1# show running-config
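Extended ACL entries are evaluated top down, the first matching entry decides, and a packet that matches no entry hits the implicit deny. The Python sketch below is an added example (not from the original guide and not Cisco code) that evaluates the guest-access entries and the ACL 100 deny entry from the answers above; the guest address 172.16.2.10 is constructed, and the parser covers only the keywords these entries use.

```python
import ipaddress

PORT_NAMES = {"www": 80, "telnet": 23}  # IOS port keywords used on this page


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _take_address(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (base, care_mask)."""
    first = tokens.pop(0)
    if first == "any":
        return 0, 0
    if first == "host":
        return _ip(tokens.pop(0)), 0xFFFFFFFF
    wildcard = _ip(tokens.pop(0))
    return _ip(first), ~wildcard & 0xFFFFFFFF


def parse_entry(line):
    """Parse '<permit|deny> <proto> <src> <dst> [eq <port>]'."""
    tokens = line.split()
    action, proto = tokens.pop(0), tokens.pop(0)
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action in: {line}")
    src = _take_address(tokens)
    dst = _take_address(tokens)
    port = None
    if tokens:
        if tokens.pop(0) != "eq":
            raise ValueError(f"only 'eq' is supported: {line}")
        name = tokens.pop(0)
        port = PORT_NAMES[name] if name in PORT_NAMES else int(name)
    return {"action": action, "proto": proto, "src": src,
            "dst": dst, "port": port, "text": line}


def evaluate(acl_lines, proto, src, dst, dport=None):
    """Return (action, matching entry). First match wins; no match is denied."""
    s, d = _ip(src), _ip(dst)
    for entry in map(parse_entry, acl_lines):
        if entry["proto"] not in ("ip", proto):
            continue
        base, care = entry["src"]
        if (s & care) != (base & care):
            continue
        base, care = entry["dst"]
        if (d & care) != (base & care):
            continue
        if entry["port"] is not None and entry["port"] != dport:
            continue
        return entry["action"], entry["text"]
    return "deny", "implicit deny"


# Entries copied from the guest-access answer above.
GUEST_ACCESS = [
    "deny tcp 172.16.2.0 0.0.0.255 host 172.16.3.1 eq www",
    "deny tcp 172.16.2.0 0.0.0.255 any eq telnet",
    "deny tcp 172.16.2.0 0.0.0.255 any eq 22",
    "permit ip any any",
]

# Only the deny entry of ACL 100, i.e. ACL 100 without its final permit.
ACL_100_DENY_ONLY = ["deny tcp host 172.16.1.1 host 172.16.3.1 eq www"]

GUEST = "172.16.2.10"     # constructed address inside the guest subnet
SERVER_1 = "172.16.3.1"
ROUTER_3 = "192.168.1.2"

if __name__ == "__main__":
    checks = [("tcp", SERVER_1, 80), ("tcp", ROUTER_3, 22),
              ("tcp", ROUTER_3, 23), ("tcp", SERVER_1, 443)]
    for proto, dst, port in checks:
        action, why = evaluate(GUEST_ACCESS, proto, GUEST, dst, port)
        print(f"guest -> {dst}:{port}/{proto}: {action} ({why})")
    # Without 'permit ip any any', unrelated traffic is dropped as well.
    print(evaluate(ACL_100_DENY_ONLY, "tcp", "172.16.1.2", SERVER_1, 80))
```

Moving `permit ip any any` to the top of the list makes every deny entry unreachable, which is why the permit goes last in both answers.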

QUESTION: 336 Simulation


Start Packet Tracer lab named configuration sim 2 so that it is active.

DHCP Relay
Switch to dynamic addressing on all host endpoints with a DHCP server on a different subnet.
Step 1: Enable DHCP on host-1, host-2 and Guests to request dynamic addressing.
Step 2: Verify that all hosts are now assigned local APIPA addressing (169.254.x.x) only.
Step 3: Configure DHCP relay feature on router-1 interface Fa3/0 for Guest subnet.
Step 4: Configure DHCP relay feature on router-1 interface Fa0/0 for VLAN 10 subnet.
Step 5: Verify that your configuration is correct on router-1.
Step 6: Click [Fast Forward Time] several times for network convergence and verify that all hosts are
now assigned a valid IP address.
Wrap It Up
Step 1: Save running configuration to startup configuration on AWS router.
Step 2: Save running configuration to startup configuration on router-1.
Step 3: Save running configuration to startup configuration on router-2.
Step 4: Save running configuration to startup configuration on router-3.

Answer:
DHCP Relay
Host-1 / Host-2: Select Config Folder / Fastethernet0 / IP Configuration DHCP
Guest: Select Config Folder / Wireless0 / IP Configuration DHCP
c:/> ipconfig /all
router-1(config)# interface Fa3/0
router-1(config-if)# ip helper-address 172.16.3.2
router-1(config)# interface Fa0/0
router-1(config-if)# ip helper-address 172.16.3.2
router-1# show running-config
c:/> ipconfig /all

Wrap it Up
router-1# copy running-config startup-config
router-2# copy running-config startup-config
router-3# copy running-config startup-config

QUESTION: 337 Simulation


Please Read Instructions:
This operational simulation (Part 1) includes 12 questions and has a time limit of 40 minutes. Select
suitable IOS command/s to answer each question and verify the operational state of network devices.
Step 1. Start Packet Tracer lab named operational sim 1 so that it is active.
Step 2. Packet Tracer --> Options menu --> Preferences --> uncheck always show port labels.
• Do NOT use show running-config command for this operational simulation.
• Cisco CLI help facility (?) is available to search IOS commands.

What switch ports are currently trunking on SW-1?

A. Fa0/1, Fa0/2
B. Fa0/1
C. Fa0/3, Fa0/4
D. Fa0/2

Answer: A
Explanation
Correct Answer: Fa0/1, Fa0/2

QUESTION: 338 Simulation


Please Read Instructions:
This operational simulation (Part 1) includes 12 questions and has a time limit of 40 minutes. Select
suitable IOS command/s to answer each question and verify the operational state of network devices.
Step 1. Start Packet Tracer lab named operational sim 1 so that it is active.
Step 2. Packet Tracer --> Options menu --> Preferences --> uncheck always show port labels.
• Do NOT use show running-config command for this operational simulation.
• Cisco CLI help facility (?) is available to search IOS commands.

What does n-802.1q represent from show interfaces trunk command on SW-1?

A. non-trunk
B. negotiated trunk
C. non-802.1q trunk
D. native VLAN disabled on trunk

Answer: B
Explanation
Correct Answer: n-802.1q indicates that Fa0/1 is a dynamically negotiated (DTP) trunk.

QUESTION: 339 Simulation


Please Read Instructions:
This operational simulation (Part 1) includes 12 questions and has a time limit of 40 minutes. Select
suitable IOS command/s to answer each question and verify the operational state of network devices.
Step 1. Start Packet Tracer lab named operational sim 1 so that it is active.
Step 2. Packet Tracer --> Options menu --> Preferences --> uncheck always show port labels.
• Do NOT use show running-config command for this operational simulation.
• Cisco CLI help facility (?) is available to search IOS commands.

What switch ports are assigned to the management VLAN on SW-1?

A. Gig0/1, Gig0/2
B. all switch ports
C. Fa0/1, Fa0/2, Fa0/3, Fa0/4
D. Fa0/24, Gig0/1, Gig0/2

Answer: D
Explanation
SW-1# show vlan brief
Answer: Fa0/24, Gig0/1, Gig0/2
* Cisco default VLAN is the management VLAN 1.

QUESTION: 340 Simulation


Please Read Instructions:
This operational simulation (Part 1) includes 12 questions and has a time limit of 40 minutes. Select
suitable IOS command/s to answer each question and verify the operational state of network devices.
Step 1. Start Packet Tracer lab named operational sim 1 so that it is active.
Step 2. Packet Tracer --> Options menu --> Preferences --> uncheck always show port labels.
• Do NOT use show running-config command for this operational simulation.
• Cisco CLI help facility (?) is available to search IOS commands.

What is the native VLAN number configured on SW-3 interface Fa0/1?

A. VLAN 999
B. VLAN 1
C. NONE
D. VLAN 1005

Answer: A
Explanation
SW-3# show interfaces trunk
Answer: native VLAN 999

QUESTION: 341 Simulation


Please Read Instructions:
This operational simulation (Part 1) includes 12 questions and has a time limit of 40 minutes. Select
suitable IOS command/s to answer each question and verify the operational state of network devices.
Step 1. Start Packet Tracer lab named operational sim 1 so that it is active.
Step 2. Packet Tracer --> Options menu --> Preferences --> uncheck always show port labels.
• Do NOT use show running-config command for this operational simulation.
• Cisco CLI help facility (?) is available to search IOS commands.

Display the operational status of ONLY VLAN 12 on SW-3 and verify the switch port assigned?

A. VLAN 12 = admin down on Fa0/3
B. VLAN 12 = err-disabled on Fa0/2
C. VLAN 12 = down on Fa0/1
D. VLAN 12 = active on Fa0/3

Answer: D
Explanation
SW-3# show vlan id 12

QUESTION: 342 Simulation


Please Read Instructions:
This operational simulation (Part 1) includes 12 questions and has a time limit of 40 minutes. Select
suitable IOS command/s to answer each question and verify the operational state of network devices.
Step 1. Start Packet Tracer lab named operational sim 1 so that it is active.
Step 2. Packet Tracer --> Options menu --> Preferences --> uncheck always show port labels.
• Do NOT use show running-config command for this operational simulation.
• Cisco CLI help facility (?) is available to search IOS commands.

What is the EtherChannel protocol enabled on SW-4?

A. LACP
B. PAgP
C. DTP
D. NONE
E. static

Answer: A
Explanation
SW-4# show etherchannel summary

QUESTION: 343 Simulation


Please Read Instructions:
This operational simulation (Part 1) includes 12 questions and has a time limit of 40 minutes. Select
suitable IOS command/s to answer each question and verify the operational state of network devices.
Step 1. Start Packet Tracer lab named operational sim 1 so that it is active.
Step 2. Packet Tracer --> Options menu --> Preferences --> uncheck always show port labels.
• Do NOT use show running-config command for this operational simulation.
• Cisco CLI help facility (?) is available to search IOS commands.

What switch interfaces are sending EtherChannel negotiation frames to a neighbor?

A. SW-2, Fa0/1 and Fa0/4, EC-State = Active


B. SW-3, Fa0/1 and Fa0/3, EC-State = Active
C. SW-2, Fa0/3 and Fa0/4, EC-State = Active
D. SW-4, Fa0/3 and Fa0/4, EC-State = Active

Answer: C
Explanation
SW-2# show etherchannel port-channel

QUESTION: 344 Simulation


Please Read Instructions:
This operational simulation (Part 1) includes 12 questions and has a time limit of 40 minutes. Select
suitable IOS command/s to answer each question and verify the operational state of network devices.
Step 1. Start Packet Tracer lab named operational sim 1 so that it is active.
Step 2. Packet Tracer --> Options menu --> Preferences --> uncheck always show port labels.
• Do NOT use show running-config command for this operational simulation.
• Cisco CLI help facility (?) is available to search IOS commands.

What is the root bridge for VLAN 12?

A. SW-1
B. SW-2
C. SW-3
D. SW-4

Answer: C
Explanation
SW-3# show spanning-tree vlan 12

QUESTION: 345 Simulation


Please Read Instructions:
This operational simulation (Part 1) includes 12 questions and has a time limit of 40 minutes. Select
suitable IOS command/s to answer each question and verify the operational state of network devices.
Step 1. Start Packet Tracer lab named operational sim 1 so that it is active.
Step 2. Packet Tracer --> Options menu --> Preferences --> uncheck always show port labels.
• Do NOT use show running-config command for this operational simulation.
• Cisco CLI help facility (?) is available to search IOS commands.

What is the Spanning Tree Protocol (STP) that is operational for the switching domain?

A. pvst+
B. rstp
C. rapid pvst+
D. 802.1d

Answer: C
Explanation
SW-1# show spanning-tree summary
Correct Answer: switch is in rapid-pvst mode (RPVST+)
* Issue command on any switch within the same switching domain.

QUESTION: 346 Simulation


Please Read Instructions:
This operational simulation (Part 1) includes 12 questions and has a time limit of 40 minutes. Select
suitable IOS command/s to answer each question and verify the operational state of network devices.
Step 1. Start Packet Tracer lab named operational sim 1 so that it is active.
Step 2. Packet Tracer --> Options menu --> Preferences --> uncheck always show port labels.
• Do NOT use show running-config command for this operational simulation.
• Cisco CLI help facility (?) is available to search IOS commands.

SW-1 interface Fa0/4 is assigned to host-2. Ping from host-2 to server-2 (192.168.2.2).
Identify the MAC address of host-2 in the MAC address table of SW-1?

A. 0001.1077.16AB
B. 0001.1707.16BA
C. 0012.1607.15BA
D. 0002.1707.16BA

Answer: D
Explanation
SW-1# show mac address-table

QUESTION: 347 Simulation


Please Read Instructions:
This operational simulation (Part 1) includes 12 questions and has a time limit of 40 minutes. Select
suitable IOS command/s to answer each question and verify the operational state of network devices.
Step 1. Start Packet Tracer lab named operational sim 1 so that it is active.
Step 2. Packet Tracer --> Options menu --> Preferences --> uncheck always show port labels.
• Do NOT use show running-config command for this operational simulation.
• Cisco CLI help facility (?) is available to search IOS commands.

Identify the interface on SW-1 that has port security enabled?

A. Fa0/1
B. Fa0/4
C. Fa0/3
D. Fa0/2
E. NONE

Answer: B
Explanation
SW-1# show port-security

QUESTION: 348 Simulation


Please Read Instructions:
This operational simulation (Part 1) includes 12 questions and has a time limit of 40 minutes. Select
suitable IOS command/s to answer each question and verify the operational state of network devices.
Step 1. Start Packet Tracer lab named operational sim 1 so that it is active.
Step 2. Packet Tracer --> Options menu --> Preferences --> uncheck always show port labels.
• Do NOT use show running-config command for this operational simulation.
• Cisco CLI help facility (?) is available to search IOS commands.

What is the violation action?

A. shutdown
B. restrict
C. protect
D. disable

Answer: A
Explanation
Violation mode shutdown (switch port is shutdown when there is a port security violation)

QUESTION: 349 Simulation


Please Read Instructions:
This operational simulation (Part 2) includes 12 questions and has a time limit of 40 minutes. Select IOS
command/s to answer each question and verify the operational state of network devices.
Step 1. Close active Packet Tracer lab named operational sim 1 first.
Step 2. Start Packet Tracer lab named operational sim 2 so that it is active.
Step 3. Packet Tracer --> Options menu --> Preferences --> uncheck always show port labels.
Step 4. Click [Fast Forward Time] when lab first starts for faster network convergence.
Step 5. Answer each question and proceed to end of simulation score and answer review.

Operational State vs Administrative State


Cisco IOS command show running-config displays how a network device is configured. It is commonly
referred to as administrative state. The running state of a network device is called operational state. For
example, status of network interfaces and active VLANs is operational state. There are operational
commands as well to display routes installed in a routing table or router neighbor adjacency established.
• Use show running-config command only when requested for this simulation.
• Cisco CLI help facility (?) is available to search IOS commands.

Verify that unknown route 172.33.1.0/24 is not installed in the routing table of router-1. Ping from host-
2 to 172.33.1.1 address and verify routing to that subnet is working correctly. Identify the default route
installed in the routing table of router-3?

A. D* 0.0.0.0[1/1] via 172.33.1.2


B. S* 0.0.0.0[1/0] via 172.33.1.1
C. S* 0.0.0.0[1/0] via 172.33.1.0
D. S* 0.0.0.0[1/0] via 172.33.1.254

Answer: D
Explanation
router-3# show ip route
S* 0.0.0.0/0 [1/0] via 172.33.1.254 (default route)

QUESTION: 350 Simulation


Please Read Instructions:
This operational simulation (Part 2) includes 12 questions and has a time limit of 40 minutes. Select IOS
command/s to answer each question and verify the operational state of network devices.
Step 1. Close active Packet Tracer lab named operational sim 1 first.
Step 2. Start Packet Tracer lab named operational sim 2 so that it is active.
Step 3. Packet Tracer --> Options menu --> Preferences --> uncheck always show port labels.
Step 4. Click [Fast Forward Time] when lab first starts for faster network convergence.
Step 5. Answer each question and proceed to end of simulation score and answer review.

Operational State vs Administrative State


Cisco IOS command show running-config displays how a network device is configured. It is commonly
referred to as administrative state. The running state of a network device is called operational state. For
example, status of network interfaces and active VLANs is operational state. There are operational
commands as well to display routes installed in a routing table or router neighbor adjacency established.
• Use show running-config command only when requested for this simulation.
• Cisco CLI help facility (?) is available to search IOS commands.

Identify the OSPF network type assigned to router-1 interface Fa1/0?

A. point-to-point
B. broadcast
C. ethernet
D. multipoint

Answer: B
Explanation
router-1# show ip ospf interface Fa1/0
BROADCAST

QUESTION: 351 Simulation


Please Read Instructions:
This operational simulation (Part 2) includes 12 questions and has a time limit of 40 minutes. Select IOS
command/s to answer each question and verify the operational state of network devices.
Step 1. Close active Packet Tracer lab named operational sim 1 first.
Step 2. Start Packet Tracer lab named operational sim 2 so that it is active.
Step 3. Packet Tracer --> Options menu --> Preferences --> uncheck always show port labels.
Step 4. Click [Fast Forward Time] when lab first starts for faster network convergence.
Step 5. Answer each question and proceed to end of simulation score and answer review.

Operational State vs Administrative State


Cisco IOS command show running-config displays how a network device is configured. It is commonly
referred to as administrative state. The running state of a network device is called operational state. For
example, status of network interfaces and active VLANs is operational state. There are operational
commands as well to display routes installed in a routing table or router neighbor adjacency established.
• Use show running-config command only when requested for this simulation.
• Cisco CLI help facility (?) is available to search IOS commands.

What VLAN is common to all OSPF area 0 interfaces?

A. 1
B. 10
C. NONE
D. 12

Answer: D
Explanation
switch-4# show vlan brief
VLAN 12

QUESTION: 352 Simulation


Please Read Instructions:
This operational simulation (Part 2) includes 12 questions and has a time limit of 40 minutes. Select IOS
command/s to answer each question and verify the operational state of network devices.
Step 1. Close active Packet Tracer lab named operational sim 1 first.
Step 2. Start Packet Tracer lab named operational sim 2 so that it is active.
Step 3. Packet Tracer --> Options menu --> Preferences --> uncheck always show port labels.
Step 4. Click [Fast Forward Time] when lab first starts for faster network convergence.
Step 5. Answer each question and proceed to end of simulation score and answer review.

Operational State vs Administrative State


Cisco IOS command show running-config displays how a network device is configured. It is commonly
referred to as administrative state. The running state of a network device is called operational state. For
example, status of network interfaces and active VLANs is operational state. There are operational
commands as well to display routes installed in a routing table or router neighbor adjacency established.
• Use show running-config command only when requested for this simulation.
• Cisco CLI help facility (?) is available to search IOS commands.

What route source is selected in the routing table of router-1 for packets destined to server-1 subnet
(172.16.3.0/24) at the data center?

A. static
B. default
C. OSPF
D. connected

Answer: C
Explanation
router-1# show ip route
O 172.16.3.0 [110/2] via 192.168.3.2, 00:10:42, FastEthernet1/0
Route Source = OSPF
Administrative Distance = 110
OSPF Metric (path cost) = 2
Next hop address = 192.168.3.2
Local exit interface = FastEthernet1/0

QUESTION: 353 Simulation


Please Read Instructions:
This operational simulation (Part 2) includes 12 questions and has a time limit of 40 minutes. Select IOS
command/s to answer each question and verify the operational state of network devices.
Step 1. Close active Packet Tracer lab named operational sim 1 first.
Step 2. Start Packet Tracer lab named operational sim 2 so that it is active.
Step 3. Packet Tracer --> Options menu --> Preferences --> uncheck always show port labels.
Step 4. Click [Fast Forward Time] when lab first starts for faster network convergence.
Step 5. Answer each question and proceed to end of simulation score and answer review.

Operational State vs Administrative State


Cisco IOS command show running-config displays how a network device is configured. It is commonly
referred to as administrative state. The running state of a network device is called operational state. For
example, status of network interfaces and active VLANs is operational state. There are operational
commands as well to display routes installed in a routing table or router neighbor adjacency established.
• Use show running-config command only when requested for this simulation.
• Cisco CLI help facility (?) is available to search IOS commands.

Display the running configuration on router-1. What is the purpose of Extended ACL 100?

A. ACL 100 will deny access from wireless guests to all applications on server-1
B. ACL 100 will deny access from all hosts to web-based applications on server-1.
C. ACL 100 will deny access from wireless guests to web-based applications on server-1.
D. ACL 100 will deny access from wireless guests to the internet.

Answer: C
Explanation
router-1# show running-config
router-1# show access-lists
ACL will deny access from host-1 to the cloud server and permit host-2 access to the cloud server.
Applying named ACL inbound on router interface Fa0/0 only affects hosts assigned to 192.168.1.0/24
subnet.

QUESTION: 354 Simulation


Please Read Instructions:
This operational simulation (Part 2) includes 12 questions and has a time limit of 40 minutes. Select IOS
command/s to answer each question and verify the operational state of network devices.
Step 1. Close active Packet Tracer lab named operational sim 1 first.
Step 2. Start Packet Tracer lab named operational sim 2 so that it is active.
Step 3. Packet Tracer --> Options menu --> Preferences --> uncheck always show port labels.
Step 4. Click [Fast Forward Time] when lab first starts for faster network convergence.
Step 5. Answer each question and proceed to end of simulation score and answer review.

Operational State vs Administrative State


Cisco IOS command show running-config displays how a network device is configured. It is commonly
referred to as administrative state. The running state of a network device is called operational state. For
example, status of network interfaces and active VLANs is operational state. There are operational
commands as well to display routes installed in a routing table or router neighbor adjacency established.
• Use show running-config command only when requested for this simulation.
• Cisco CLI help facility (?) is available to search IOS commands.

Display the running configuration on router-1. What is the purpose of Extended named ACL http-filter?

A. ACL will deny access from all hosts to the cloud server.
B. ACL will deny access from host-1 and host-2 to the cloud server.
C. ACL will deny access from all 192.168.0.0/16 subnets to the cloud server
D. ACL will deny access from host-1 to the cloud server and permit host-2 access to the cloud
server.

Answer: D
Explanation
router-1# show running-config
router-1# show access-lists
ACL will deny access from host-1 to the cloud server and permit host-2 access to the cloud server.
Applying named ACL inbound on router interface Fa0/0 only affects hosts assigned to 192.168.1.0/24
subnet.

QUESTION: 355 Simulation



Ping from host-2 to cloud server (172.33.1.254) and verify that NAT is operational on router-3. Display
the running configuration on router-3 with show running-config and identify all subnets permitted
internet access?

A. All 192.168.0.0/32 private subnets are permitted internet access
B. All 192.168.1.0/24 private subnets are permitted internet access
C. All 192.168.0.0/16 private subnets are permitted internet access
D. All 192.168.0.0/24 private subnets are permitted internet access

Answer: C
Explanation
router-3# show ip nat translation
router-3# show running-config
Private (inside) subnets permitted internet access (all 192.168.0.0/16 subnets)

QUESTION: 356 Simulation



Why is 172.33.1.254 address used instead of 172.16.1.1 to access the cloud server?

A. 172.16.1.1 is a private IP address (RFC 1918) and not routable across the internet.
B. 172.16.1.1 is a global outside IP address and not assignable to static NAT
C. 172.16.1.1 is a public IP address and not assignable to static NAT.
D. 172.16.1.1 is a global inside IP address and already assigned to NAT pool

Answer: A
Explanation
172.16.1.1 is a private IP address (RFC 1918) and not routable across the internet. There is a static NAT
statement on ISP to map between private and public address zones with TCP port 80 (www) for
web-based applications.

QUESTION: 357 Simulation



Identify the elected OSPF Designated Router (DR) with an IOS command issued from router-1?

A. router-1
B. router-2
C. router-3
D. none

Answer: C
Explanation


QUESTION: 358 Simulation



What next hop address does router-2 use to forward packets to the wireless Guest subnet?

A. 192.168.3.0
B. 192.168.3.1
C. 192.168.3.2
D. 192.168.3.3
E. 192.168.2.254
F. Fa0/0

Answer: B
Explanation
router-2# show ip route
S 192.168.2.0/24 [1/0] via 192.168.3.1
Next hop address = 192.168.3.1
Local exit interface = FastEthernet0/0

QUESTION: 359 Simulation



What network interfaces on router-2 are currently operational?

A. Fa1/0, Fa2/0
B. Fa1/0, Fa3/0
C. Fa0/0
D. Fa0/0, Fa1/0

Answer: D
Explanation
router-2# show ip interface brief
Fa0/0, Fa1/0

QUESTION: 360 Simulation



Router-1 interface Fa1/0 is connected to SW-4. Identify the router ID assigned to router-1?

A. 192.168.1.3
B. 192.168.255.3
C. 192.168.255.1
D. 192.168.255.2
E. 192.168.3.1

Answer: C
Explanation
router-1# show ip ospf interface Fa1/0
router-ID = 192.168.255.1
