
CCNA – New Questions Part 15

August 15th, 2024


Premium Members: You can practice these questions first via this link:
+ Question 1 to 23
+ Question 24 to 46
+ Question 47 to 68
+ Question 69 to 90
+ Question 91 to 110
+ Question 111 to 121

Or practice all 68 questions of this part 15 at:


+ All CCNA Questions – Part 15 (all questions in one page; shuffled)
+ All CCNA Questions – Part 15 Practice Mode (one question per page, unshuffled)

Note: There are some repeated questions from other sections in this part. They are the questions
that still appear recently. We marked them with “(repeated)” after the question number.

Question 1

Refer to the exhibit.

A network engineer is configuring a WLAN to use a WPA2 PSK and allow only specific clients to join.
Which two actions must be taken to complete the process? (Choose two)

A. Enable the CCKM option for Authentication Key Management
B. Enable the 802.1X option for Authentication Key Management
C. Enable the WPA2 Policy option
D. Enable the OSEN Policy option
E. Enable the MAC Filtering option

Answer: C E

Explanation

We need to choose “Layer 2 MAC Filtering” so that only clients with specific MAC addresses are
allowed to join, and the “WPA2 Policy” option to instruct the WLC to use WPA2 only, with one of
the WPA2 encryption ciphers (AES or TKIP).

Question 2

What is the RFC 4627 default encoding for JSON text?

A. UTF-8
B. GB18030
C. UCS-2
D. Hex

Answer: A

Explanation

JSON text is encoded as defined in RFC 4627; the default encoding is UTF-8.

Question 3

Refer to the exhibit.

["red", "one"]

Which type of JSON data is represented?

A. number
B. array
C. object
D. string

Answer: B

Question 4

A network engineer is configuring a new router at a branch office. The router is connected to an
upstream WAN network that allows the branch to communicate with the head office. The central
time server with IP address 172.24.54.8 is located behind a firewall at the head office. Which
command must the engineer configure so that the software clock of the new router synchronizes
with the time server?

A. ntp client 172.24.54.8
B. ntp master 172.24.54.8
C. ntp peer 172.24.54.8
D. ntp server 172.24.54.8

Answer: D

Explanation

To configure the local device as an NTP client that synchronizes to a remote NTP clock source, use
the command ntp server {IP address}.

Question 5

Refer to the exhibit.

Router-WAN1#show interface g0/0
GigabitEthernet0/0 is up, line protocol is up
Hardware is CSR NIC, address is 5000.0001.0000 (bia 5000.0001.0000)
Internet address is 192.168.0.0/31
MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full Duplex, 1000Mbps, link type is auto, media type is NIC
output flow-control is unsupported, input flow-control is unsupported
ARP type: ARPA, ARP Timeout 04:00:00
Last input never, output 00:00:03, output hang never
Last clearing of "show interface" counters never
Input queue: 0/375/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size /max)
5 minute input rate 1000 bits/sec, 0 packets/sec
5 minute output rate 2000 bits/sec, 1 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 110 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
100 input errors, 100 CRC, 100 frame, 0 overrun, 0 ignored
0 watchdog, 0 multicast, 0 pause input
260 packets output, 89070 bytes, 0 underruns
Output 0 broadcasts (0 IP multicasts)
0 output errors, 100 collisions, 0 interface resets
0 unknown protocol drops
0 babbles, 0 late collision, 0 deferred
1 lost carrier, 0 no carrier, 0 pause output

Router-WAN1 has a new connection via Gi0/0 to the ISP. Users running the web applications
indicate that connectivity is unstable to the internet. What is causing the interface issue?

A. Broadcast packets are rejected because ARP timeout is enabled
B. The receive buffer is full due to a broadcast storm
C. Frames are discarded due to a half-duplex negotiation
D. Small frames less than 64 bytes are rejected due to size

Answer: C

Explanation

This interface shows input errors (100), CRC errors (100) and collisions (100), so the most likely
cause of the problem is that the other end is configured for half-duplex, which creates a duplex
mismatch.

Question 6

Refer to the exhibit.

All routers in the network are configured correctly, and the expected routes are being exchanged
among the routers. Which set of routes are learned from neighbors and installed on router 2?

Option A:
10.40.1.0/30
10.139.2.0/30
10.12.191.0/30
10.129.9.0/25

Option B:
10.129.9.0/23
10.139.2.0/30
10.129.9.0/25
10.22.1.0/24

Option C:
10.129.9.0/23
10.40.1.0/30
10.12.191.0/30
10.129.9.0/25

Option D:
10.129.9.0/23
10.139.2.0/30
10.12.191.0/30
10.129.9.0/25

A. Option A
B. Option B
C. Option C
D. Option D

Answer: D

Explanation

This question asks “Which set of routes are learned from neighbors”, so only the EIGRP routes
advertised by and learned from the neighbors count. Routes 10.40.1.0/30 and 10.22.1.0/24 are
local (directly connected) routes, so the options containing them are not correct.

Question 7

Refer to the exhibit.

Which switch in this configuration will be elected as the root bridge?

A. SW1: 0C:4A:82:65:62:72
B. SW2: 0C:0A:A8:1A:3C:9D
C. SW3: 0C:0A:18:81:B3:19
D. SW4: 0C:0A:05:22:05:97

Answer: D

Explanation

The switch with the lowest bridge priority is chosen as the root bridge. If several switches have the
same bridge priority, the one with the lowest MAC address is chosen.

In this question, SW3 and SW4 have the lowest (and the same) bridge priority, but SW4 has the
lower MAC address, so it is elected root bridge.

Question 8

Refer to the exhibit.

100.0.0.0/8 is variably subnetted, 4 subnets, 4 masks
R 100.0.0.0/8 [120/2] via 192.168.3.1, 00:00:13, Ethernet0/3
S 100.100.0.0/16 [1/0] via 192.168.4.1
D 100.100.100.0/24 [90/435200] via 192.168.2.1, 00:00:13, Ethernet0/2
O 100.100.100.100/32 [110/21] via 192.168.1.1, 00:05:57, Ethernet0/1

How will the device handle a packet destined to IP address 100.100.100.100?

A. It will always prefer the static route over dynamic routes and choose the route
S 100.100.0.0/16 [1/0] via 192.168.4.1
B. It will choose the route with the lowest metric
R 100.0.0.0/8 [120/2] via 192.168.3.1, 00:00:13, Ethernet0/3
C. It will choose the route with the highest metric
D 100.100.100.0/24 [90/435200] via 192.168.2.1, 00:00:13, Ethernet0/2
D. It will choose the route with the longest match
O 100.100.100.100/32 [110/21] via 192.168.1.1, 00:05:57, Ethernet0/1

Answer: D

Question 9

Refer to the exhibit.

Network services must be enabled on interface Gi1/0/34. Which configuration meets the needs for
this implementation?

Option A:
interface Gi1/0/34
switchport mode trunk
switchport trunk allowed vlan 400, 4041
switchport voice vlan 4041

Option B:
interface Gi1/0/34
switchport mode access
switchport access vlan 4041
switchport voice vlan 400

Option C:
interface Gi1/0/34
switchport mode trunk
switchport trunk allowed native vlan 400
switchport voice vlan 4041

Option D:
interface Gi1/0/34
switchport mode access
switchport access vlan 400
switchport voice vlan 4041

A. Option A
B. Option B
C. Option C
D. Option D

Answer: D

Explanation
The voice VLAN feature enables access ports to carry IP voice traffic from an IP phone. You can
configure a voice VLAN with the “switchport voice vlan …” command under interface mode.

==================== New Questions (added on 31st-Aug-2024) ====================

Question 10

Refer to the exhibit.

Which configuration parameter is preventing host C from reaching the internet?

A. IP address assignment
B. default gateway
C. IP network mask
D. automatic DNS

Answer: B

Explanation

From the topology we see the IP address of interface Gi0/0/0 of Router A is 192.168.1.254 and this
is also the default gateway of our hosts. But in the IPv4 Properties box, the default gateway of host
C is set to 192.168.1.1 which is not correct.

Question 11

Refer to the exhibit.


Which switch in this configuration will be elected as the root bridge?

SW1 0C:0A:05:22:05:97
SW2 0C:4A:82:07:57:58
SW3 0C:0A:A8:1A:3C:9D
SW4 0C:0A:18:A1:B3:19

A. SW1
B. SW2
C. SW3
D. SW4

Answer: D

Explanation

SW3 and SW4 have a bridge priority of 8192, which is better than that of SW1 and SW2. Between
SW3 and SW4, SW4 has the lower MAC address, so it is chosen as the root bridge.

Question 12

Refer to the exhibit.


An engineer is creating a secure preshared key based SSID using WPA2 for a wireless network
running on 2.4 GHz and 5 GHz. Which two tasks must the engineer perform to complete the
process? (Choose two)

A. Select the 802.1x option for Auth Key Management
B. Select the AES (CCMP128) option for WPA2 WPA3 Encryption
C. Select the AES option for Auth Key Management
D. Select the PSK option for Auth Key Management
E. Select the WPA Policy option.

Answer: B D

Question 13

Which Rapid PVST+ port state does a port operate in without receiving BPDUs from neighbors or
updating the address database?

A. listening
B. forwarding
C. disabled
D. blocking

Answer: C

Explanation
There are only three port states left in RSTP that correspond to the three possible operational
states. The 802.1D disabled, blocking, and listening states are merged into the 802.1w discarding
state.

* Discarding (Blocking) – the port does not forward frames, process received frames, or learn
MAC addresses, but it does listen for BPDUs (like the STP blocking state)
* Learning – receives and transmits BPDUs and learns MAC addresses but does not yet forward
frames (same as STP).
* Forwarding – receives and sends data, normal operation, learns MAC addresses, receives and
transmits BPDUs (same as STP).

In fact, there is another state which is Disabled state.

Disabled State
A LAN port in the disabled state does not participate in frame forwarding or STP. A LAN port in the
disabled state is virtually nonoperational.
A disabled LAN port performs as follows:
+ Discards frames received from the attached segment.
+ Discards frames switched from another port for forwarding.
+ Does not incorporate the end station location into its address database. (There is no learning, so
there is no address database update.)
+ Does not receive BPDUs from neighbors.
+ Does not receive BPDUs for transmission from the system module.

Reference: https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/layer2/521_n1_1/b_Nexus_5000_Layer2_Config_521N1.html

Question 14

Which protocol should be used to transfer large files on a company intranet that allows TCP 20 and
21 through the firewall?

A. FTP
B. REST API
C. TFTP
D. SMTP

Answer: A

Question 15

Which alternative to password authentication is implemented to allow enterprise devices to log in
to the corporate network?

A. digital certificates
B. magic links
C. one-time passwords
D. 90-day renewal policies

Answer: A

==================== New Questions (added on 2nd-Sep-2024) ====================

Question 16
Which guideline helps to create a secure password policy?

A. forbidding users from storing passwords in a password manager
B. allowing passwords used by service accounts to never expire
C. requiring complex, lengthy passwords instead of simple, short ones
D. restricting password sharing to a very small group

Answer: C

Question 17

Refer to the exhibit.

SW1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)#enable password test!2E
SW1(config)#line con 0
SW1(config-line)#password Labtest32!
SH1(config-line)#exit
SW1(config)#

A network engineer started to change default settings on SW1 to allow remote access and has
entered the following in the configuration mode:

SW1#(config)#line vty 0 15
SW1#(config-line)#password Labtest32!

Which set of commands are needed to allow only SSH access and hide passwords in the running
configuration?

Option A:
SW1(config-line)#login local
SW1(config-line)#exit
SW1(config)#enable secret test!2E

Option B:
SW1(config-line)#transport input ssh
SW1(config-line)#exit
SW1(config)#service password-encryption

Option C:
SW1(config-line)#login local
SW1(config-line)#exit

Option D:
SW1(config-line)#exit
SW1(config)#aaa new-model

A. Option A
B. Option B
C. Option C
D. Option D

Answer: B

Question 18

How does machine learning contribute to the effectiveness of intrusion detection systems?

A. It assigns security clearance levels.
B. It dictates security policy updates.
C. It monitors for outdated software.
D. It identifies patterns indicating intrusions.

Answer: D

Question 19

Refer to the exhibit.

Router-Y#show ip route
Gateway of last resort is not set

10.0.0.0/8 is variably subnetted
B 10.220.100.96/27 [20/0] via 10.224.1.3, 1w6d

The route for 10.220.100.96/27 has been very unstable. The same route has four backups to
routers A, B, C, and D via the respective methods. The routing protocol defaults for router Y have
not been changed. When the current route for 10.220.100.96/27 becomes unavailable, which
router will router Y use to route traffic to 10.220.100.96/27?

A. router A
B. router B
C. router C
D. router D

Answer: B

Explanation

The current route is learned via BGP (router D). Of the three remaining sources, the “static route
with an AD of 105” has the best (lowest) administrative distance (OSPF has AD 110 and external
EIGRP has AD 170).

Question 20

What must be considered when planning an IPsec VPN deployment?

A. IPsec transport mode allows intermediate devices to see the final destination of the packet
B. In IPsec tunnel mode, only the IP payload is encrypted
C. IPsec transport mode increases GRE tunnel security over tunnel mode.
D. IPsec transport mode does not encrypt the Layer 4 header, which allows full examination of the
packet

Answer: A

Explanation

In tunnel mode, the entire original IP packet is encapsulated to become the payload of a new IP
packet. Additionally, a new IP header is added on top of the original IP packet. -> Answer B and
answer C are not correct.

In IPsec Transport mode, the original IP header is retained (-> answer A is correct) and just the
Layer 4 payload carried by the IP packet is encrypted -> Answer D is not correct.

Question 21

Where are the real-time control functions processed in a split MAC architecture?

A. central WLC
B. individual AP
C. centralized cloud management platform
D. client device

Answer: B

Explanation

In a split MAC architecture, the control and data plane functions are divided between the access
points (APs) and a central controller, typically a Wireless LAN Controller (WLC).

+ Real-time control functions, such as beacon generation, frame acknowledgment, and packet
queuing, are processed locally at the individual AP.
+ The central WLC (Wireless LAN Controller) handles non-real-time functions like security policies,
configuration management, and mobility management.

Question 22

Which group of channels in the 802.11b/g/n/ac/ax 2.4 GHz frequency bands are nonoverlapping
channels?

A. channels 1, 6, and 10
B. channels 1, 5, and 11
C. channels 1, 6, and 11
D. channels 1, 5, and 10

Answer: C

Explanation
The 2.4 GHz band is subdivided into multiple channels, each allotted 22 MHz of bandwidth and
separated from the next channel by 5 MHz.
-> A best practice for 802.11b/g/n WLANs requiring multiple APs is to use non-overlapping
channels such as 1, 6, and 11.

Question 23

Which IPsec mode encapsulates the entire IP packet?

A. tunnel
B. transport
C. SSL VPN
D. Q-in-Q

Answer: A

Explanation

In tunnel mode, the entire original IP packet is encapsulated to become the payload of a new IP
packet. Additionally, a new IP header is added on top of the original IP packet.

==================== New Questions (added on 3rd-Oct-2024) ====================

Question 24

Which mechanism allows WPA3 to provide a higher degree of security than its predecessors?

A. automatic device pairing
B. special-character support in preshared keys
C. certificate-based authentication
D. SAE password-based key exchange

Answer: D

Explanation

WPA3 provides improvements to the general Wi-Fi encryption, thanks to Simultaneous
Authentication of Equals (SAE) replacing the Pre-Shared Key (PSK) authentication method used in
prior WPA versions. SAE enables individuals or home users to set Wi-Fi passwords that are easier
to remember and provide the same security protection even if the passwords are not complex
enough.

Question 25

Refer to the exhibit.

Which switch in this configuration will be elected as the root bridge?

SW1 0C:B4:86:22:42:37
SW2 0C:0B:15:22:05:97
SW3 0C:0B:15:1A:3C:9D
SW4 0C:B0:18:A1:B3:19

A. SW1
B. SW2
C. SW3
D. SW4

Answer: C

Explanation

The switch with the lowest bridge priority is chosen as the root bridge. If several switches have the
same bridge priority, the one with the lowest MAC address is chosen.

In this question, SW3 and SW4 have the lowest (and the same) bridge priority of 4096, but SW3 has
the lower MAC address, so it is elected root bridge.

Question 26
Refer to the exhibit.

Which switch in this configuration will be elected as the root bridge?

SW1 0C:E4:85:71:03:80
SW2 0C:0E:1A:22:05:97
SW3 0C:E0:A1:1A:3C:9D
SW4 0C:00:18:A1:B3:19

A. SW1
B. SW2
C. SW3
D. SW4

Answer: B

Explanation

SW2 has lowest bridge priority (4096) so surely it will be elected as the root bridge regardless of
its MAC address.

Question 27

Which authentication method requires the user to provide a physical attribute to authenticate
successfully?

A. certificate
B. password
C. multifactor
D. biometric

Answer: D

Explanation

Biometric authentication requires the user to provide a physical attribute, such as a fingerprint,
facial recognition, or iris scan, to authenticate successfully. This method relies on unique biological
characteristics to verify identity.

Question 28

Refer to the exhibit.

An engineer is using the Cisco WLC GUI to configure a WLAN for WPA2 encryption with AES and
preshared key Cisc0123456. After the engineer selects the WPA + WPA2 option from the Layer 2
Security drop-down list, which two tasks must they perform to complete the process? (Choose two)

A. Select PSK from the Auth Key Mgmt drop-down list, set the PSK Format to ASCII, and enter
the key
B. Select CCKM from the Auth Key Mgmt drop-down list, set the PSK Format to Hex, and enter the
key
C. Select ASCII from the PSK Format drop-down list, enter the key, and leave the Auth Key Mgmt
setting blank
D. Select the WPA2 Policy, AES, and TKIP check boxes
E. Select the WPA2 Policy and AES check boxes.

Answer: A E

Explanation

We need to choose “PSK” from Auth Key Mgmt, then choose “ASCII” from PSK Format and type the
password.

Question 29

Which protocol does Ansible use to push modules to nodes in a network?

A. SSH
B. Kerberos
C. SNMP
D. Telnet

Answer: A

Explanation

Ansible uses an agentless architecture to manage network devices. Agentless means that the
managed device does not need any code (agent) installed on it. Therefore Ansible uses SSH
(NETCONF over SSH in particular) to “push” changes to and extract information from managed
devices.

Question 30

Which function does an iterative DNS query serve in the domain name resolution process?

A. Encrypt communication automatically between DNS clients and servers.


B. Allow a DNS client to contact several DNS servers until the correct information is found.
C. Obtain information directly from all root DNS servers configured within the scope.
D. Update records dynamically across multiple DNS servers at the same time.

Answer: B

Explanation

An iterative DNS query is a request to resolve a name. With this query type, the DNS server does
not fetch the complete answer for the query; rather, it provides a referral to other DNS servers
that might have the answer. Thus, if the queried server does not have the requested IP address,
the client is referred to another DNS server, and so on until the answer is found.

Question 31

What is the difference between controller-based networks and traditional networks as they relate to
control-plane and/or data-plane functions?

A. Controller-based networks centralize all important control-plane functions, and traditional
networks distribute control-plane functions.
B. Traditional networks centralize all important control-plane functions, and controller-based
networks distribute control-plane functions.
C. Traditional networks centralize all important data-plane functions, and controller-based networks
distribute data-plane functions.
D. Controller-based networks centralize all important data-plane functions, and traditional networks
distribute data-plane functions.

Answer: A

Explanation
In controller-based networks, the control-plane functions (such as routing decisions) are
centralized in a controller, which can manage and configure the entire network. In contrast,
traditional networks distribute control-plane functions across individual network devices, where
each device makes its own decisions about routing and forwarding.

Question 32

Which factor must be considered during the implementation of an IPsec VPN?

A. IPsec transport mode leaves the Layer 4 header unencrypted for inspection.
B. IPsec transport mode increases GRE tunnel security over tunnel mode.
C. In IPsec tunnel mode, only the IP payload is encrypted.
D. In IPsec tunnel mode, the entire original IP datagram is encrypted.

Answer: D

Explanation

In tunnel mode, the entire original IP packet is encapsulated to become the payload of a new IP
packet. Additionally, a new IP header is added on top of the original IP packet. -> Answer D is
correct.

Note: In IPsec Transport mode, the original IP header is retained and just the Layer 4 payload
carried by the IP packet is encrypted.

Question 33

What is the default interface for in-band wireless network management on a WLC?

A. wireless management
B. redundant port
C. service port
D. out-of-band

Answer: A

Explanation

The Wireless Management Interface (WMI) is also the default interface for in-band management and
connectivity to enterprise services such as AAA, syslog, SNMP, and so on. You can use the WMI IP
address to remotely connect to the device using SSH or Telnet, or access the Graphical User
Interface (GUI) using HTTP or HTTPS by entering the wireless management interface IP address of
the controller in the address field of your browser.

Reference: https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/16-12/config-guide/b_wl_16_12_cg/m_config-wmi.pdf

Question 34

Why choose Cisco DNA Center for automated lifecycle management?

A. to perform upgrades without service interruption
B. to provide software redundancy in the network
C. to provide fast and accurate deployment of patches and updates
D. to allow SSH access to all nodes in the network

Answer: C

Explanation

Cisco DNA Center is used for automating lifecycle management, including the fast and accurate
deployment of patches, updates, and configuration changes across the network. It helps streamline
network management tasks, reducing errors and improving operational efficiency.

==================== New Questions (added on 5th-Nov-2024) ====================

Question 35

What are the two main capabilities of tunnel mode in IPsec site-to-site VPNs ? (Choose two.)

A. It authenticates the data field in the original packet.
B. It encrypts the complete IP packet with the data field.
C. It secures only the data field in the packet.
D. It transmits with the original packet header visible.
E. It inserts a new IPsec header with a new IP address.

Answer: B E

Explanation

In tunnel mode, IPsec encrypts the entire original IP packet, including the header and data. It then
adds a new IP header so the packet can be routed through the network to its destination, providing
a higher level of security and privacy.

Question 36

How does AI contribute to network traffic analysis?

A. It simplifies traffic route mapping.
B. It enhances data packet delivery speeds.
C. It analyzes patterns for anomaly detection.
D. It eliminates network threats.

Answer: C

Explanation

AI contributes to network traffic analysis by examining patterns in network data to identify
anomalies, which could indicate security threats, unusual activity, or performance issues. Machine
learning algorithms can learn from historical network data to detect deviations from normal
behavior, enabling proactive threat detection and response.

Question 37

Which type of traffic is sent with pure IPsec?

A. spanning-tree updates between switches that are at two different sites
B. unicast messages from a host at a remote site to a server at headquarters
C. broadcast packets from a switch that is attempting to locate a MAC address at one of several
remote sites
D. multicast traffic from a server at one site to hosts at another location

Answer: B

Explanation

IPsec is designed primarily for securing unicast traffic, providing encryption, integrity, and
authentication. It is commonly used to secure unicast messages (one-to-one communication)
between two endpoints, such as a host at a remote site and a server at headquarters.

IPsec does not natively support broadcast or multicast traffic, as these require additional handling
mechanisms that IPsec does not inherently provide.

Question 38

Refer to the exhibit.

With a reference bandwidth of 100 Gb on all routers, which path does router Y use to get to
network 192.168.1.0/24?

A. router C > D > A > F
B. router E > B > F
C. router E > F
D. router C > D > A > B > F

Answer: D

Explanation

This question does not say which routing protocol is in use, but it is presumably OSPF. For OSPF,
the cost is calculated as follows:

Cost = Reference Bandwidth / Interface Bandwidth

Therefore, with a reference bandwidth of 100 Gb:

+ The cost of a 100 Gig link: cost = 100 / 100 = 1
+ The cost of a 10 Gig link: cost = 100 / 10 = 10

The cost of the path C > D > A > B > F is 10 + 1 + 1 + 1 + 1 = 14, which is the lowest, so this path
will be chosen.

Question 39

What is a characteristic of RSA?

A. It requires both sides to have identical keys.
B. It is a private-key encryption algorithm.
C. It uses preshared keys for encryption.
D. It is a public-key cryptosystem.

Answer: D

Explanation

RSA (Rivest-Shamir-Adleman) is a public-key cryptosystem that uses a pair of keys: a public
key for encryption and a private key for decryption. This key pair allows secure data transmission
without requiring both parties to have identical keys. Public-key cryptography like RSA enables one
party to encrypt data using the recipient’s public key, which only the recipient can decrypt with
their private key.

Question 40

What is a functionality of the control plane in the network?

A. It provides CLI access to the network device.
B. It exchanges topology information with other routers.
C. It looks up an egress interface in the forwarding information base.
D. It forwards traffic to the next hop.

Answer: B

Explanation

The control plane is responsible for managing and exchanging routing and topology information
within the network. This information allows routers to make decisions about the best paths across
the network. The control plane handles functions like routing protocols (OSPF, EIGRP, BGP…),
which are essential for building and maintaining the routers’ routing tables.

Question 41

What is the purpose of the URI string in a REST request?

A. to specify the way in which a remote resource is modified
B. to identify a resource on a target server
C. to respond with the data content encoding for a request
D. to transport data or payload to a remote resource

Answer: B

Explanation

In a RESTful request, the URI (Uniform Resource Identifier) is used primarily to identify the specific
resource on a server that the client wants to interact with. The URI typically includes information
about the path to the resource and any query parameters needed to locate it. For example, this is
the URI of an online library system:

https://api.library.com/books/12345

In this URI:

+ https://api.library.com : This part is the base URL, which points to the library’s API
server.
+ /books : This path identifies the collection of resources, in this case, “books.”
+ /12345 : This is the unique identifier (ID) for a specific book. By adding this ID to the end
of the URI, we’re identifying a single resource within the “books” collection.

Question 42

Refer to the exhibit.

Router1#show ip route
Gateway of last resort is 10.10.11.2 to network 0.0.0.0

209.165.200.0/27 is subnetted, 1 subnets
B 209.165.200.224 [20/0] via 10.10.12.2, 03:03:03
209.165.201.0/27 is subnetted, 1 subnets
B 209.165.201.0 [20/0] via 10.10.12.2, 03:03:03
209.165.202.0/27 is subnetted, 1 subnets
B 209.165.202.128 [20/0] via 10.10.12.2, 03:03:03
10.0.0.0/8 is variably subnetted, 8 subnets, 4 masks
C 10.10.10.0/28 is directly connected, GigabitEthernet0/0
C 10.10.11.0/30 is directly connected, FastEthernet2/0
C 10.10.12.0/30 is directly connected, GigabitEthernet0/1
O 10.10.13.0/25 [110/2] via 10.10.10.1, 00:00:03, GigabitEthernet0/0
O 10.10.13.128/28 [110/2] via 10.10.10.1, 00:00:03, GigabitEthernet0/0
O 10.10.13.144/28 [110/2] via 10.10.10.1, 00:00:03, GigabitEthernet0/0
O 10.10.13.160/29 [110/2] via 10.10.10.1, 00:00:03, GigabitEthernet0/0
O 10.10.13.208/29 [110/2] via 10.10.10.1, 00:00:03, GigabitEthernet0/0
S* 0.0.0.0/0 [1/0] via 10.10.11.2

What is the prefix length for the route that router1 will use to reach host A?

A. /25
B. /27
C. /28
D. /29

Answer: D

==================== New Questions (added on 25th-Nov-2024) ====================

Question 43

Under what condition would a FlexConnect wireless architecture be preferable over other
architectural choices?

A. when the connection latency to several remote offices is anticipated to surpass 300 milliseconds
B. when there is a need for high-precision location-based services at various remote offices
C. when centralized management is needed for several remote offices that lack individual WLCs
D. when each remote office necessitates its own local WLC for network management

Answer: C

Explanation

FlexConnect is designed for environments where remote sites (such as branch offices) do not have
a local WLC but require centralized management. It allows access points to function in
“FlexConnect mode,” enabling them to switch traffic locally at the remote site while still being
managed by a centralized WLC at the main office.

Question 44

Refer to the exhibit.


Inter-VLAN routing is configured on SW1. Client A is running Linux as an OS in VLAN 10 with a
default gateway IP 10.0.0.1 but cannot ping client B in VLAN 20 running Windows. What action
must be taken to verify that client A has the correct IP settings?

A. Run the ifconfig command on client A to confirm that its IP and subnet mask fall within
255.254.0.0.
B. Run the ipconfig command on client A and ensure that the IP address is within the host range
of 10.0.0.1 – 10.0.255.254.
C. Run the ipconfig command on client A to confirm that the correct 10.0.0.1 default gateway is
used.
D. Run the ifconfig command on client A to confirm that the subnet mask is set to 255.255.128.0

Answer: A

Explanation

We need to use the “ifconfig” on Linux to find out the IP address and subnet mask of an interface.
For example:

Question 45

Refer to the exhibit.

CPE# show ip access-list Services
Extended IP access list Services
10 permit tcp 10.0.0.0 0.255.255.255 any eq www
20 permit tcp 10.0.0.0 0.255.255.255 any eq 443
30 permit udp 10.0.0.0 0.255.255.255 host 198.51.100.11 eq domain
40 deny ip any any log

This ACL is configured to allow client access only to HTTP, HTTPS, and DNS services via UDP. The
new administrator wants to add TCP access to the DNS service. Which configuration updates the
ACL efficiently?

Option A:
ip access-list extended Services
permit tcp 10.0.0.0 0.255.255.255 host 198.51.100.11 eq domain

Option B:
no ip access-list extended Services
ip access-list extended Services
30 permit tcp 10.0.0.0 0.255.255.255 host 198.51.100.11 eq domain

Option C:
no ip access-list extended Services
ip access-list extended Services
permit udp 10.0.0.0 0.255.255.255 any eq 53
permit tcp 10.0.0.0 0.255.255.255 host 198.51.100.11 eq domain
deny ip any any log

Option D:
ip access-list extended Services
35 permit tcp 10.0.0.0 0.255.255.255 host 198.51.100.11 eq domain

A. Option A
B. Option B
C. Option C
D. Option D

Answer: D

Explanation

If we remove the ACL with “no ip access-list extended Services”, all existing entries are lost. Instead, we should give the new entry a sequence number smaller than 40 (for example 35) so that it is placed above the “40 deny ip any any log” statement. An entry added without a sequence number is appended after the last entry, i.e. below the deny, where it would never be matched.
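As an added example (not from the original page), the following Python model reproduces how IOS positions a new entry in an extended ACL and evaluates traffic first-match, so the difference between Option A (no sequence number) and Option D (sequence 35) can be checked. The ACL entries are taken from the exhibit; the client source address 10.1.2.3 used in the sample lookups is constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple, List

# Added example, not the page's own code: a minimal model of how IOS orders
# extended ACL entries by sequence number and evaluates them first-match.


@dataclass
class Ace:
    seq: int
    action: str                       # "permit" or "deny"
    proto: str                        # "tcp", "udp" or "ip" (matches any protocol)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]              # None means any destination port


ANY = ipaddress.ip_network("0.0.0.0/0")
DNS_SERVER = ipaddress.ip_network("198.51.100.11/32")
CLIENTS = ipaddress.ip_network("10.0.0.0/8")      # 10.0.0.0 0.255.255.255 in wildcard form


def base_acl() -> List[Ace]:
    """The 'Services' ACL exactly as shown in the exhibit."""
    return [
        Ace(10, "permit", "tcp", CLIENTS, ANY, 80),          # eq www
        Ace(20, "permit", "tcp", CLIENTS, ANY, 443),
        Ace(30, "permit", "udp", CLIENTS, DNS_SERVER, 53),   # eq domain
        Ace(40, "deny", "ip", ANY, ANY, None),               # deny ip any any log
    ]


def add_ace(acl: List[Ace], ace: Ace, seq: Optional[int] = None) -> List[Ace]:
    """Insert the way IOS does: an explicit sequence number places the entry at
    that position; without one, IOS appends it with the next free number (last
    sequence + 10), which lands it *after* '40 deny ip any any log'."""
    if seq is None:
        seq = max(a.seq for a in acl) + 10
    new = Ace(seq, ace.action, ace.proto, ace.src, ace.dst, ace.dport)
    return sorted(acl + [new], key=lambda a: a.seq)


def evaluate(acl: List[Ace], proto: str, src: str, dst: str, dport: int) -> Tuple[str, Optional[int]]:
    """First-match evaluation; returns (action, sequence of the matching entry)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for a in acl:
        if a.proto not in ("ip", proto):
            continue
        if s not in a.src or d not in a.dst:
            continue
        if a.dport is not None and a.dport != dport:
            continue
        return a.action, a.seq
    return "deny", None          # the implicit deny at the end of every IOS ACL


TCP_DNS = Ace(0, "permit", "tcp", CLIENTS, DNS_SERVER, 53)   # the entry the admin wants


def option_a() -> List[Ace]:
    """'permit tcp ... eq domain' with no sequence number: appended as seq 50."""
    return add_ace(base_acl(), TCP_DNS)


def option_d() -> List[Ace]:
    """'35 permit tcp ... eq domain': inserted between 30 and the deny at 40."""
    return add_ace(base_acl(), TCP_DNS, seq=35)


if __name__ == "__main__":
    # Constructed sample flow: a client doing DNS over TCP to the DNS server.
    for name, acl in (("Option A", option_a()), ("Option D", option_d())):
        print(name, evaluate(acl, "tcp", "10.1.2.3", "198.51.100.11", 53))
```

Under Option A the TCP DNS flow still hits entry 40 and is denied, because the new permit sits below the deny; under Option D it matches the new entry 35. The UDP DNS flow matches entry 30 in both cases, so the existing behaviour is preserved.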

Question 46

Refer to the exhibit.


An engineer must document all Wi-Fi services on a new wireless LAN controller. The Wi-Fi SSID
“Office_WLan” has Layer 2 Security. What is determined by this configuration?

A. There is Galois cache algorithm configured that provides strong encryption and authentication.
B. There is a strong mutual authentication used between NAC and the network devices using x.509
standard.
C. There is an extra layer of security that ensures only authorized devices with known MAC
addresses connect to the network.
D. There is a robust security mechanism configured to protect against various Layer 2 and Layer 3
attacks.

Answer: C

Explanation

From the exhibit, we see that “MAC Filtering” has been chosen. This option controls access to the network based on the MAC address of a device -> Answer C is correct.

Answer A is not correct as Galois/Counter Mode Protocol (GCMP) is an encryption method, not an authentication method.

Answer B is not correct as x.509 cert is not related to this config.

Answer D is not correct as we only see “Layer 2” tab, not “Layer 3” tab so we cannot say anything
about Layer 3 protection.

==================== New Questions (added on 10th-Jan-2025) ====================

Question 47

What are two reasons to configure PortFast on a switch port attached to an end host? (Choose two)

A. to enable the number of MAC addresses learned on the port to 1
B. to protect the operation of the port from topology change processes
C. to enable the port to enter the forwarding state immediately when the host boots up
D. to prevent the port from participating in Spanning Tree Protocol operations
E. to block another switch or host from communicating through the port

Answer: B C

Explanation

PortFast is a feature of the Spanning Tree Protocol (STP) that allows ports to quickly transition to
the forwarding state. This reduces the time it takes for devices to connect to a network and
communicate.

Answer A is not correct as limiting MAC addresses is related to security features like port security,
not PortFast.

Answer B is correct as a switch will never generate a topology change notification for an interface
that has PortFast enabled.

Answer D is not correct as a port running PortFast still participates in the STP process.

Answer E is not correct as it is not the function of PortFast.

Question 48

Refer to the exhibit.

C:\Users\ADMIN>ipconfig

Windows IP Configuration

Ethernet adapter Ethernet:

<...>
Physical Address . . . . . . . . . . . : 04-42-1A-EE-AA-5E
DHCP Enabled . . . . . . . . . . . . . : Yes
Autoconfiguration Enabled. . . . . . . : Yes
Link-local IPv6 Address. . . . . . . . : fe80::8a79:bcde:34dc:c11e35%(Preferred)
Ipv4 Address . . . . . . . . . . . . . : 192.168.3.20(Preferred)
Subnet Mask. . . . . . . . . . . . . . : 255.255.255.0
Lease Obtained . . . . . . . . . . . . : Thursday, 16 March 2023 6:25:01 AM
Lease Expires. . . . . . . . . . . . . : Sunday, 26 March 2023 4:17:26 PM
Default Gateway. . . . . . . . . . . . : 192.168.3.1
DHCP Server. . . . . . . . . . . . . . : 192.168.3.1
DHCPv6 IAID. . . . . . . . . . . . . . : 201605658
DHCPv6 Client DUID . . . . . . . . . . : 00-01-00-01-2A-3F-45-34-03-13-23-EE-AD-5E
DNS Servers. . . . . . . . . . . . . . : 10.10.1.254
NetBIOS over Tcpip . . . . . . . . . . : Enabled

The user has connectivity to devices on network 192.168.3.0/24 but cannot reach users on the
network 10.10.1.0/24. What is the first step to verify connectivity?

A. Is the internet reachable?
B. Is the default gateway reachable?
C. Is the DNS server reachable?

Answer: B

Explanation

If the local host can access local network but cannot reach outside then we must check the default
gateway first as it is always the first hop between our host and outside network.

Question 49

Which solution is appropriate when mitigating password attacks where the attacker was able to
sniff the clear-text password of the system administrator?

A. next-generation firewall to keep stateful packet inspection
B. multifactor authentication using two separate authentication sources
C. ACL to restrict incoming Telnet sessions “admin” accounts
D. IPS with a block list of known attack vectors

Answer: B

Explanation

If an attacker is able to sniff a clear-text password, it suggests the authentication process is not
secure enough. Multifactor authentication (MFA) enhances security by requiring an additional
authentication factor, such as:

+ Something you know (password or PIN…).
+ Something you have (a hardware token or mobile app…).
+ Something you are (biometric authentication like a fingerprint…).

Even if the attacker captures the password, they would still need the second factor to gain access,
effectively mitigating the risk.

Question 50

A network engineer starts to implement a new wireless LAN by configuring the authentication
server and creating the dynamic interface. What must be performed next to complete the basic
configuration?

A. Install the management interface and add the management IP.
B. Configure high availability and redundancy for the access points.
C. Enable Telnet and RADIUS access on the management interface.
D. Create the new WLAN and bind the dynamic interface to it.

Answer: D

Explanation

A dynamic interface is simply an interface that maps a WLAN to a wired VLAN or subnet. To create a
new interface, choose Controller > Interfaces > New to open the Interfaces page:

Next, enter the IP address, subnet mask, and gateway address… for the interface.

Next, while creating a new WLAN, we assign above interface to it:


Question 51

Drag and drop the TCP and UDP characteristics from the left onto the supporting protocols on the
right. Not all options are used.

Answer:

TCP
+ uses sequence numbers
+ relies on acknowledgement packets
+ ensures data integrity

UDP
+ supports real-time applications
+ connectionless at transport layer
+ minimal error checking

Explanation

TCP (Transmission Control Protocol) ensures data integrity by utilizing a checksum field within its
header, which allows for error detection during transmission, and by implementing mechanisms
like sequence numbers and retransmission of lost data to guarantee that data arrives at the
destination in the correct order and without corruption; this makes TCP a reliable protocol for data
transfer where data integrity is crucial.

User Datagram Protocol (UDP) uses checksums to detect errors in data packets. However, UDP
doesn’t correct errors or resend lost packets. This makes UDP sometimes known as the Unreliable
Data Protocol.

==================== New Questions (added on 6th-Mar-2025) ====================

Question 52

Which advantage does machine learning offer for network security?

A. It improves real-time threat detection.
B. It manages firewall rule sets.
C. It enforces password complexity requirements.
D. It controls VPN access permissions.

Answer: A

Explanation

Machine learning detects threats by constantly monitoring the behavior of the network for
anomalies. Machine learning engines process massive amounts of data in near real time to
discover critical incidents. These techniques allow for the detection of insider threats, unknown
malware, and policy violations.

Reference: https://www.cisco.com/c/en/us/products/security/machine-learning-security.html

Question 53

Which AP feature provides a captive portal for users to authenticate, register, and accept terms
before accessing the internet?

A. One-Click
B. Hotspot
C. Enhanced Bluetooth
D. Whole Home

Answer: B

Explanation

Hotspot (captive portal) – uses web-proxy and it is capable of using only the default routing table.
Reference: https://help.mikrotik.com/docs/spaces/ROS/pages/56459266/HotSpot+-+Captive+portal

Hotspot feature in an Access Point provides a captive portal, which forces users to authenticate,
register, or accept terms before accessing the internet. It is commonly used in public Wi-Fi
networks, such as those in hotels, cafes, and airports.

Question 54

What does the term “split MAC” refer to in a wireless architecture?

A. divides data link layer functions between the AP and WLC
B. combines the management and control functions from the data-forwarding functions
C. uses different MAC addresses for 2.4 GHz and 5 GHz bands on the same AP
D. leverages two APs to handle control and data traffic

Answer: A

Explanation

With Split MAC, the 802.11 protocol functionality is divided between the AP and the WLC. The general rule is that all
real-time tasks are handled by the AP (such as probe responses, packet buffering, fragmentation, and
queuing) and non-real-time tasks are handled by the WLC (such as association/disassociation, classifying,
802.1X/EAP authentication, etc.).

Question 55

Which plane is centralized in software-defined networking?

A. application
B. services
C. control
D. data

Answer: C

Explanation

Software-Defined Networking (SDN) is an approach to networking that centralizes the control plane
into an application called a controller. Therefore a big advantage of SDN is we do not have to
manually configure each device or each interface. We just plan a policy framework, and the SDN
controller configures all related underlying devices. This approach is faster, more reliable and
reduces errors.

Question 56

How does machine learning improve the detection of unauthorized network access?

A. It monitors for outdated software.
B. It dictates security policy updates.
C. It identifies patterns indicating intrusions.
D. It assigns security clearance levels.

Answer: C

Explanation

In security, machine learning continuously learns by analyzing data to find patterns so we can
better detect malware in encrypted traffic, find insider threats, predict where “bad neighborhoods”
are online to keep people safe when browsing, or protect data in the cloud by uncovering
suspicious user behavior.

Reference: https://www.cisco.com/c/en/us/products/security/machine-learning-security.html

==================== New Questions (added on 25th-Apr-2025) ====================

Question 57

Refer to the exhibit.


The My_WLAN wireless LAN was configured with WPA2 Layer 2 PSK security. Which additional
configuration must the administrator perform to allow users to connect to this WLAN on a different
subnet called Data?

A. Enable Broadcast SSID and select data from the Interface/Interface Group drop-down list.
B. Enable Status and select data from the Interface/Interface Group drop-down list.
C. Enable Status and set the NAS-ID to data.
D. Enable Status and enable Broadcast SSID.

Answer: B

Explanation

Answer A and answer D are not correct as “Enable Broadcast SSID” just makes the SSID visible to
clients scanning for networks, but doesn’t place clients into a specific subnet.

Answer C is not correct as NAS-ID is used for RADIUS identification in AAA, not for assigning
subnets.

The Interface or Interface Group assigned to the WLAN determines the subnet or VLAN that the
clients will be placed into upon connecting.

In this case, the subnet is called “Data”, so the administrator must assign the “Data” interface (or
interface group) to the WLAN.

Question 58

Refer to the exhibit.


Company A wants to use a RADIUS server to service all user and device authentication attempts
with a more secure and granular authentication approach. Not all client devices support dot1x
authentication. Which two configuration changes must be made to accomplish the task? (Choose
two)

A. Enable AutoConfig iPSK under the Layer 2 tab.
B. Select Authentication server under the AAA servers tab.
C. Configure Enterprise Security type under the Layer 2 tab.
D. Set Authentication under the Layer 3 tab.
E. Enable WPA2 Policy under the Layer 2 tab.

Answer: A B

Explanation

Answer A is correct as it enables Identity PSK (iPSK), allowing the WLC to assign different pre-shared
keys to different users or devices based on RADIUS responses. iPSK also supports devices that do not
support 802.1X.

Answer B is correct as it is required to specify the RADIUS server that will handle the
authentication process for both 802.1X and iPSK clients.

Question 59

A network architect planning a new Wi-Fi network must decide between autonomous, cloud-based,
and split MAC architectures. Which two facts should the architect consider? (Choose two)

A. Lightweight access points are solely used by split MAC architectures.
B. Cloud-based architectures uniquely use the CAPWAP protocol to communicate between access
points and clients.
C. Each of the three architectures must use WLCs to manage their access points.
D. All three architectures use access points to manage the wireless devices connected to the wired
infrastructure.
E. Autonomous architectures exclusively use tunneling protocols to manage access points remotely.

Answer: A D

Explanation

The three architectures are summarized as follows:

+ Autonomous – Access points are standalone and make their own decisions.

+ Cloud-based – Management and control are handled in the cloud; APs are usually lightweight
and cloud-managed.

+ Split MAC – APs split the MAC-layer processing: some tasks are done on the AP, others on a
WLC (used in centralized deployments with lightweight APs and WLCs).

Answer A is correct as Split MAC architecture specifically uses lightweight APs which rely on a WLC
to perform control functions like authentication, roaming…

Answer D is correct as regardless of architecture, all APs provide wireless access to client devices
and bridge them to the wired network.

Answer B is not correct as CAPWAP is used in split MAC architectures (between AP and WLC), not
uniquely in cloud-based ones.

Answer C is not correct as Autonomous APs and cloud-based APs don’t require traditional WLCs.

Answer E is not correct as Autonomous APs are managed individually and do not require tunneling
protocols for remote management. They use standard management protocols like SSH or HTTPS.

Question 60

Which AP mode serves as the primary hub in a point-to-multipoint network topology?

A. bridge
B. SE-Connect
C. FlexConnect
D. local

Answer: A

Explanation

An AP in bridge mode becomes a dedicated point-to-point or point-to-multipoint bridge between
networks. Two bridge mode wireless access points can be used to link two remote locations.

Reference: https://study-ccnp.com/cisco-wireless-access-point-ap-modes-explained/

Question 61

How does network automation help reduce network downtime?

A. Emails can be generated based on when a network admin performs a network change, which
increases visibility.
B. Configuration templates and testing can be built into implementation, which increases the
success rate of a network change.
C. Changes can be implemented in parallel across multiple devices at once, which increases the
speed of the change rate.
D. By using automation platforms with intent-based configuration, all changes are checked for
possible outages before being implemented.

Answer: B

Explanation

Using standardized templates reduces human error in configuration, and incorporating testing into
the implementation process allows for identifying and fixing potential issues before they impact the
live network. This directly contributes to reducing downtime by preventing failed or faulty changes.

An example of using templates in DNA Center:

Note: Although answer D is also correct, we believe answer B is clearer and better.

Question 62

Drag and drop the network topology architecture types from the left onto the corresponding
function on the right. Not all architecture types are used.

Answer:

+ end user connectivity: access
+ top-of-rack: spine-leaf
+ provide routing, filtering, and WAN access: distribution
+ switch packets as fast as possible: core

Explanation

In today’s leaf-spine topology, the Top-of-Rack (ToR) switches are the leaf switches and they are
attached to the spine switches.

Question 63

What is the difference between SNMP traps and SNMP polling?

A. SNMP traps are initiated using a push model at the network device, and SNMP polling is initiated
at the server.
B. SNMP traps are used for proactive monitoring, and SNMP polling is used for reactive monitoring.
C. SNMP traps are initiated by the network management system, and network devices initiate
SNMP polling.
D. SNMP traps send periodic updates via the MIB, and SNMP polling sends data on demand.

Answer: A

Explanation

In SNMP Polling, the SNMP manager initiates the conversation asking the network devices for
information:
SNMP traps are the opposite where the network devices are sending information to the SNMP
Manager right away when something happens:

Question 64

Refer to the exhibit.


Which functionalities will this SSID have while being used by wireless clients?

A. decreases network security against air sniffing attacks and discourages the use of complex
passwords
B. increases network security against offline dictionary attacks and discourages time-consuming
brute force attacks
C. increases network security against man in the middle attacks and discourages denial of service
attacks
D. decreases network security against offline dictionary attacks and encourages easy access to the
network

Answer: B

Explanation

In the exhibit, we see that the option “FT + SAE” in “Auth key Mgmt” tab was chosen.

WPA3 provides improvements to the general Wi-Fi encryption, thanks to Simultaneous
Authentication of Equals (SAE) replacing the Pre-Shared Key (PSK) authentication method used in
prior WPA versions. With SAE, the user experience is the same (choose a passphrase to connect),
but SAE automatically adds a step to the handshake, which makes brute force attacks
ineffective. SAE enables individuals or home users to set Wi-Fi passwords that are easier to
remember and provide the same security protection even if the passwords are not complex
enough.

Question 65

What is the role of syslog level 7 in network device health monitoring?

A. It provides information about error conditions visible on the network device.
B. It shares normal operational messages from the network equipment.
C. It sends outputs from various debug commands on the device.
D. It warns about emergency conditions on the network appliance.

Answer: C

Explanation

Syslog level 7 corresponds to the “Debugging” severity level. If you specify a level, that level and
all the higher levels will be displayed. Therefore in this case, all levels (from 0 to 7) will be
displayed.
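As an added example that is not part of the original page, this Python snippet parses Cisco-style syslog lines and applies the threshold rule described above: a configured level keeps that level and every lower-numbered (more severe) one. The log lines are constructed samples in the IOS message format (the events themselves are made up), and the helper names are this example's own.

```python
import re
from typing import Dict, List, Tuple

# Added example, not the page's own code: severity filtering over
# IOS-style syslog messages, as a 'logging trap <level>' setting would do.

SEVERITIES = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}

# IOS message layout: %FACILITY-SEVERITY-MNEMONIC: description
MSG_RE = re.compile(r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+):")

# Constructed sample log (timestamps, hosts and events are made up).
SAMPLE_LOG = """\
*Mar 16 06:25:01.123: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.10.1.20)
*Mar 16 06:25:07.456: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down
*Mar 16 06:25:09.789: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down
*Mar 16 06:25:11.000: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.77] [localport: 22] [Reason: Login Authentication Failed]
*Mar 16 06:25:12.000: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 10.10.1.254 port 514 started
*Mar 16 06:25:13.000: %SYS-7-USERLOG_DEBUG: Message from tty0(user id: admin): debug marker
*Mar 16 06:25:14.000: %OIR-6-INSCARD: Card inserted in slot 2
"""


def parse_severity(line: str) -> Tuple[str, int, str]:
    """Extract (facility, severity, mnemonic) from one syslog line."""
    m = MSG_RE.search(line)
    if not m:
        raise ValueError(f"unrecognised syslog line: {line!r}")
    return m["facility"], int(m["sev"]), m["mnemonic"]


def filter_by_level(log: str, level: int) -> List[str]:
    """Keep the lines a device would emit at 'logging trap <level>':
    severity <= level, so level 7 keeps everything and level 3 keeps only
    errors and anything more severe."""
    if not 0 <= level <= 7:
        raise ValueError("syslog levels run from 0 (emergencies) to 7 (debugging)")
    kept = []
    for line in log.splitlines():
        if not line.strip():
            continue
        _, sev, _ = parse_severity(line)
        if sev <= level:
            kept.append(line)
    return kept


def count_by_severity(log: str) -> Dict[str, int]:
    """Histogram by severity name; a sudden jump in one bucket is a
    cheap health signal before any per-message rule is written."""
    counts: Dict[str, int] = {}
    for line in log.splitlines():
        if line.strip():
            _, sev, _ = parse_severity(line)
            name = SEVERITIES[sev]
            counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    for lvl in (3, 4, 7):
        print(f"level {lvl} ({SEVERITIES[lvl]}): {len(filter_by_level(SAMPLE_LOG, lvl))} lines")
    print(count_by_severity(SAMPLE_LOG))
```

Level 7 forwards debug output as well, which is useful while troubleshooting but quickly floods a collector; for routine health monitoring a lower trap level is the usual choice, with level 7 enabled only for the duration of a debug session.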

==================== New Questions (added on 23rd-May-2025) ====================

Question 66

Which architecture is best for small offices with minimal wireless needs and no central
management?

A. cloud-based AP
B. split MAC
C. autonomous AP
D. mesh network

Answer: C

Explanation

Autonomous AP: self-sufficient and standalone. Used for small wireless networks. Each
autonomous AP must be configured with a management IP address so that it can be remotely
accessed using Telnet, SSH, or a web interface. Each AP must be individually managed and
maintained unless you use a management platform such as Cisco DNA Center.

Note: Split-MAC (architecture) refers to Lightweight AP, which requires a Wireless LAN Controller
(WLC) to control.

Question 67

Drag and drop the TCP and UDP characteristics from the left onto the corresponding protocols on
the right.

Answer:

TCP
+ Sends data in a specific order
+ Requires an established connection
+ Supports web browsing

UDP
+ Suited for live streaming
+ Retransmission is unsupported
+ Tolerates packet loss

Question 68

What is a valid IPv6 address record in DNS?

A. A
B. MX
C. AAAA
D. CNAME

Answer: C

Explanation

An AAAA record type is a foundational DNS record when IPv6 addresses are used. AAAA records
are assigned the IPv6 address for a destination which makes communication between the source
and destination possible. The purpose of this record type is to map a hostname (e.g.,
www.example.com) to its corresponding IPv6 address (e.g., 2001:db8::1).

==================== New Questions (added on 31st-Jul-2025) ====================

Question 69

Refer to the exhibit.


The routers R1-LAB and R2-LAB are configured with link-local addresses. What command must be
applied to interface Gi0/0 on R1-LAB for an automated address self-assignment on the IPv6
network?

A. ipv6 address 2001:db8:0:0FFA::/64 eui-64
B. ipv6 address 2001:db8:0:0FFA::1/64
C. ipv6 address 2001:db8:1:0FFA:0::/64
D. ipv6 address 2001:db8:0:0FFA::/64 anycast

Answer: A

Explanation

Cisco devices use the EUI-64 (Extended Unique Identifier) process to automatically generate the
interface identifier portion of an IPv6 address. This process takes the device’s 48-bit MAC address,
inserts the hexadecimal value “FFFE” in the middle, and then flips the 7th bit (the universal/local
bit) of the resulting 64-bit value to create the interface identifier. This identifier is then combined
with a network prefix to form a complete IPv6 address.
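The EUI-64 procedure above, worked through in Python as an added example that is not part of the original page. The prefix is the one from answer A; the MAC address 00:1a:2b:3c:4d:5e is a constructed sample, and the function names are this example's own.

```python
import ipaddress
import re

# Added example, not the page's own code: derive the modified EUI-64
# interface identifier from a 48-bit MAC and combine it with a /64 prefix,
# as 'ipv6 address <prefix>/64 eui-64' does.


def eui64_interface_id(mac: str) -> bytes:
    """Return the 8-byte modified EUI-64 identifier for a 48-bit MAC.

    Steps, matching the explanation above:
      1. split the MAC into its 24-bit OUI and 24-bit device parts,
      2. insert 0xFFFE between them,
      3. flip the universal/local bit (bit 7 of the first byte, mask 0x02).
    """
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)      # accept 00:1a..., 00-1A..., 001a.2b3c...
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    raw = bytes.fromhex(digits)
    eui = bytearray(raw[:3] + b"\xff\xfe" + raw[3:])
    eui[0] ^= 0x02      # flip, not set: a locally administered MAC (bit already 1) goes to 0
    return bytes(eui)


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Build the address the router would self-assign for this prefix and MAC."""
    net = ipaddress.ip_network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addressing needs a /64 prefix (64-bit interface ID)")
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def is_eui64_derived(addr: str) -> bool:
    """True if the interface ID carries the 0xFFFE marker, i.e. the address
    embeds a hardware MAC (bytes 11-12 of the packed 16-byte address)."""
    packed = ipaddress.IPv6Address(addr).packed
    return packed[11:13] == b"\xff\xfe"


if __name__ == "__main__":
    mac = "00:1a:2b:3c:4d:5e"                              # constructed sample MAC
    addr = eui64_address("2001:db8:0:0FFA::/64", mac)
    print(f"{mac} -> {addr}")                              # 2001:db8:0:ffa:21a:2bff:fe3c:4d5e
    print("EUI-64 derived:", is_eui64_derived(str(addr)))
```

The `is_eui64_derived` check illustrates the operational caveat: because the MAC is embedded, an EUI-64 address identifies the same hardware across every network it joins, which is why hosts typically prefer RFC 4941 temporary addresses (the “Temporary IPv6 Address” line in the Question 84 exhibit) for outbound traffic.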

Question 70

Which header must be included in a REST request from an application that requires JSON-
formatted content?

A. Content-Type: application/json
B. Accept-Encoding: application/json
C. Accept: application/json
D. Accept-Language: application/json

Answer: A

Explanation

When making a REST request with JSON-formatted content in the request body, the Content-Type
HTTP header must be set to application/json. This header informs the server that the data
being sent in the request body is in JSON format, allowing the server to correctly parse and
process the payload.

Question 71

Why would a network administrator choose to implement RFC 1918 address space?

A. to route traffic on the internet
B. to limit the number of hosts on the network
C. to provide overlapping address space with another network
D. to provide flexibility in the IP network design

Answer: D

Explanation

RFC 1918 defines private IP address ranges (e.g., 10.0.0.0/8, 172.16.0.0/16, 192.168.0.0/24)
which are not routable on the public internet. These are used within private networks. There are
several advantages to using the RFC 1918 addresses on your private network:

+ Administrators can assign IP addresses freely without coordinating with IANA or an ISP.
+ It allows for efficient subnetting, reuse of addresses, and isolation of internal networks.

-> Answer D is correct.

Question 72

What is the total number of users permitted to simultaneously browse the controller management
pages when using the AireOS GUI?

A. 2
B. 5
C. 8
D. 9

Answer: B

Explanation

Using the Controller GUI

A browser-based GUI is built into each controller.
It allows up to five users to simultaneously browse into the controller HTTP or HTTPS (HTTP + SSL)
management pages to configure parameters and monitor the operational status for the controller
and its associated access points.

Reference: https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-5/config-guide/b_cg85/administration_of_cisco_wlc.html

Note: The Cisco AireOS GUI refers to the web-based interface used to manage and configure Cisco
Wireless LAN Controllers (WLCs) running the AireOS operating system.

Question 73

What is the main purpose of SSH management access?

A. To validate management access with username and domain name only
B. To allow passwords protected with HTTPS encryption to be sent
C. To support DES 56-bit and 3DES (168-bit) ciphers
D. To enable secured access to the inbound management interface

Answer: D

Explanation

Answer A is not correct as SSH (Secure Shell) authentication using a domain name, username, and
password involves connecting to a remote server using its domain name instead of its IP address,
and then authenticating with a username and password.

Answer B is not correct as SSH is different from HTTPS. HTTPS secures web traffic, while SSH
secures terminal/CLI access.

Answer C is not correct as this is not the main purpose of SSH.

Answer D is correct as the main purpose of SSH is secure management.

Question 74

How does automation leverage data models to reduce the operational complexity of a managed
network?

A. Reduces the response time for specific requests to devices with many interfaces
B. Allows the controller to be vendor-agnostic
C. Categorizes traffic and provides insights
D. Streamlines monitoring using SNMP and other polling tools

Answer: B

Explanation

Network automation uses the logical network model to define network policies, configurations and
topologies in a vendor-agnostic manner. Network engineers can use automation libraries, such
as NAPALM (Network Automation and Programmability Abstraction Layer with Multivendor
support), to work in multivendor environments without worrying about proper command syntax for
each vendor. Python scripts and orchestration workflows can use this logical model to deploy
consistent network configurations, manage virtualized network functions, and ensure network
scalability and agility.

Reference: https://www.techtarget.com/searchnetworking/tip/How-network-data-models-work-with-automation

Question 75

What is the function of generative AI in network operations?

A. It creates synthetic network configurations.
B. It deploys network firmware updates.
C. It disables unused services.
D. It computes optimal data storage solutions.

Answer: A

Explanation

Generative AI refers to algorithms capable of generating new content or solutions by learning
patterns from existing data. Unlike traditional AI that focuses on classification or
prediction, generative AI can create new configurations, automate processes, and simulate
various scenarios in network environments.

Reference: https://www.netbraintech.com/blog/ai-in-network-operations/

Question 76

An organization developed new security policies and decided to print the policies and distribute
them to all personnel so that employees review and apply the policies. Which element of a security
program is the organization implementing?

A. Asset identification
B. User training
C. Physical access control
D. Vulnerability control

Answer: B

Explanation

User training: All users should be required to participate in periodic formal training so that they
become familiar with all corporate security policies -> Answer B is the best choice for this question.

Note:

In CCNA, security program only includes user awareness, user training and physical access control.

Physical access control: Infrastructure locations, such as network closets and data centers, should
remain securely locked.

Asset identification is the systematic process of discovering, mapping, and documenting every
single IT asset within an organization’s ecosystem.

Question 77

Which feature, when used on a WLC, allows it to bundle its distribution system ports into one
802.3ad group?

A. QinQ
B. ISL
C. PAgP
D. LAG

Answer: D

Explanation

Link aggregation (LAG) is a partial implementation of the 802.3ad port aggregation standard. It
bundles all of the controller’s distribution system ports into a single 802.3ad port channel.

Question 78

What is represented by the word “switch” within this JSON schema?


[
{"IDS": "IPS22", "port":"te3/46"},
{"load balancer": "LB12", "port":"te6/38"},
{"switch": "SW18", "port":"ge2/41"},
]

A. array
B. value
C. key
D. object

Answer: C

Explanation

JSON syntax structure:

+ A key/value pair consists of a key (must be a string in double quotation marks "" ), followed by
a colon : , followed by a value. For example: “name”:”John”

Therefore in this question, “switch” is the key while “SW18” is the value.

Question 79

What is the maximum length of characters used in an SSID?

A. 16
B. 32
C. 48
D. 64

Answer: B

Explanation

The WLAN name and SSID can have up to 32 characters.

Reference: https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-5/config-guide/b_cg85/wlans.html

Question 80

Which statement describes virtualization on containers?

A. It is a type of operating system virtualization that allows the host operating system to control
the different CPU memory processes.
B. It emulates a physical computer and enables multiple machines to run with many operating
systems on a physical machine.
C. It separates virtual machines from each other and allocates memory, processors, and storage to
compute.
D. It contains a guest operating system and virtual partition of hardware for OS and requires
application libraries.

Answer: A

Explanation

Each VM requires different Operating Systems (OS) while containers share a single host OS:

In a container, the host OS manages CPU, memory, and process isolation using container engines
like Docker or container runtimes like containerd -> Answer A is correct.

Question 81

Why would a network administrator implement the HSRP protocol?

A. To provide network redundancy in the case of a router failure
B. To use an open standard protocol that is configured on Cisco and third-party routers
C. To allow hosts in a network to use the same default gateway virtual IP when load-balancing
traffic
D. To allow clients to be configured with multiple default gateway IPs

Answer: A

Question 82

Refer to the exhibit.

SW1#show etherchannel summary
Flags:  D - down        P - in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port
        A - formed by auto LAG
Number of channel-groups in use: 1
Number of aggregators:           2

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
1      Po1 (RU)        LACP      Et0/0(P)    Et0/1(P)

A network engineer is adding another physical interface as a new member to the existing Port-
Channel1 bundle. Which command set must be configured on the new interface to complete the
process?

A. switchport mode trunk
channel-group 1 mode active

B. no switchport
channel-group 1 mode active

C. no switchport
channel-group 1 mode on

D. switchport
switchport mode trunk

Answer: B

Explanation

From the last line of the output “Po1 (RU)”, we learn that this is a Layer 3 port (with letter “R”) so
we need the command “no switchport” to make the new interface a Layer 3 interface.

The protocol in use is LACP, so we must use mode “active” or “passive” -> Only answer B is correct.

Question 83

Refer to the exhibit.


Configurations for the switch and PCs are complete. Which configuration must be applied so that
VLANs 2 and 3 communicate back and forth?

A. interface GigabitEthernet0/0
ip address 10.10.2.10 255.255.252.0

B. interface GigabitEthernet0/0.3
encapsulation dot1Q 10
ip address 10.10.2.10 255.255.255.252

C. interface GigabitEthernet0/0.10
encapsulation dot1Q 3
ip address 10.10.2.10 255.255.254.0

D. interface GigabitEthernet0/0.3
encapsulation dot1Q 3 native
ip address 10.10.2.10 255.255.252.0

Answer: C

Explanation

We have a tutorial on how to configure InterVLAN routing at https://www.9tut.com/intervlan-routing-tutorial so please check it.

Question 84

Refer to the exhibit.


Wireless LAN adapter Wi-Fi:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) Wi-Fi 6 AX201 160MHz
Physical Address. . . . . . . . . : AC-63-DA-AC-B4-AD
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : ::70D6:5432:6D8A:90B2(Preferred)
Temporary IPv6 Address. . . . . . : ::dc3f:a66c:f996:bdb9(Preferred)
Link-local IPv6 Address . . . . . : fe80::7096:5693:6d8a:90ba%8(Preferred)
IPv4 Address. . . . . . . . . . . : 172.16.1.8(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.240
Default Gateway . . . . . . . . . : 172.16.1.1
DHCPv6 IAID . . . . . . . . . . . : 116155351
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-2B-BE-0A-47-3C-15-AB-80-12-F6
DNS Servers . . . . . . . . . . . : 172.16.1.3
                                    172.16.1.4
NetBIOS over Tcpip. . . . . . . . : Enabled

During initial configuration testing, the Windows workstation PC1 cannot connect with the
172.16.2.0/24 network. Which set of actions corrects the configuration?

A. Change the IP address to 172.16.1.9 and change the DNS server to 172.16.1.12 only.
B. Change the IP address to 172.16.1.6 and change the DNS servers to 172.16.1.12 and
172.16.1.13.
C. Change the IP address to 172.16.1.9 and change the default gateway to 172.16.1.7.
D. Change the IP address to 172.16.1.6 and change the subnet mask to 255.255.255.248.

Answer: D

Explanation

The IPv4 address of PC1 should be in the subnet 172.16.1.0/29 (usable IPs range from 172.16.1.1
to 172.16.1.6) -> Answer D is correct.

Question 85

Refer to the exhibit.

Which configuration is needed to configure a WLAN with WPA2 only and with a password that is 63
characters long?

A. Disable WPA Encryption and then enable FT PSK.
B. Enable PSK using Hex format and then disable WPA Policy.
C. Disable WPA Policy and WPA Encryption and then enable PSK using ASCII.
D. Enable PSK and FT PSK and then disable WPA Policy.

Answer: C

Explanation

Enter the Pre-Shared Key in hexadecimal characters.
+ If you selected the PSK format as HEX, the key length must be exactly 64 characters.
+ If you selected the PSK format as ASCII, the key length must be in the range of 8-63 characters.

Reference: https://www.cisco.com/c/en/us/td/docs/wireless/controller/ewc/17-3/config-guide/ewc_cg_17_3/private_psk.html

Therefore we need to choose PSK using ASCII so that the password can be 63 characters long.

Question 86

Refer to the exhibit.

AA#show ip route

10.0.0.0/8 is variably subnetted, 6 subnets, 2 masks
C 10.0.0.0/30 is directly connected, GigabitEthernet0/0
L 10.0.0.1/32 is directly connected, GigabitEthernet0/0
C 10.10.0.0/30 is directly connected, GigabitEthernet0/1
L 10.10.0.1/32 is directly connected, GigabitEthernet0/1
O 10.20.0.0/30 [110/2] via 10.0.0.2, 00:00:40, GigabitEthernet0/0
O 10.30.0.0/30 [110/2] via 10.0.0.2, 00:00:40, GigabitEthernet0/0
172.16.0.0/24 is subnetted, 1 subnets
S 172.16.10.0 [1/0] via 10.0.0.2
192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.10.0/24 is directly connected, GigabitEthernet0/2
L 192.168.10.1/32 is directly connected, GigabitEthernet0/2
S 192.168.20.0/24 [1/0] via 192.168.10.2

What is the administrative distance for the advertised prefix that includes the host IP address
10.30.0.1?

A. 10.0.0.2
B. 110
C. 30
D. 2

Answer: B

Explanation

From the line “O 10.30.0.0/30 [110/2] via 10.0.0.2, 00:00:40, GigabitEthernet0/0”, the first
parameter is the AD (110) while the second one is the metric (2).

Question 87

What is the term used to describe a method of connecting multiple switches in a network to allow
traffic to flow between them, typically used for larger networks to increase bandwidth?

A. LAG
B. trunk
C. EtherChannel
D. access

Answer: B

Explanation

This question is a bit unclear. LAG and EtherChannel also describe connecting switches with bundled links, but if either were the intended answer there would be two correct answers (A and C). Therefore answer B (trunk) is the best choice here.

Question 88

What is an advantage of using SDN versus traditional networking when it comes to security?

A. SDN creates a unified control point making security policies consistent across all devices, and
traditional networking must be configured device by device, leaving room for error.
B. SDN exposes an API to configure locally per device for security policies, and traditional
networking uses northbound API for network admin interface for configuring security policies.
C. SDN security is managed near the perimeter of the network with firewalls, VPNs, and IPS, and
traditional networking security policies are created based on telemetry data.
D. SDN devices communicate with each other to establish a security policy, and in traditional
networking, devices communicate upstream to a central location to establish a security policy.

Answer: A

Explanation

Software-Defined Networking (SDN) is an approach to networking that centralizes the control plane
into an application called a controller. Therefore a big advantage of SDN is we do not have to
manually configure each device or each interface. We just plan a policy framework, and the SDN
controller configures all related underlying devices. This approach is faster, more reliable and
reduces errors.

Question 89 (repeated)

What is a difference between RADIUS and TACACS+?

A. RADIUS is most appropriate for dial authentication, but TACACS+ can be used for multiple types
of authentication
B. TACACS+ encrypts only password information and RADIUS encrypts the entire payload
C. TACACS+ separates authentication and authorization, and RADIUS merges them
D. RADIUS logs all commands that are entered by the administrator, but TACACS+ logs only start,
stop, and interim commands

Answer: C

Question 90 (repeated)

An engineer is tasked with verifying network configuration parameters on a client workstation to report back to the team lead. Drag and drop the node identifiers from the left onto the network parameters on the right.

Answer:

+ broadcast address: 192.168.1.255
+ default gateway: 192.168.1.1
+ host IP address: 192.168.1.20
+ MAC address: B8-76-3F-7C-57-DF
+ last assignable IP address in the subnet: 192.168.1.254

Explanation

In the output above, three lines under the “Link-local IPv6 Address” line have been blacked out, so we have to figure out what they are. They are the IP address of the wireless card and the default gateway of this computer.

Question 91

Refer to the exhibit.

R1#show ip route
Gateway of last resort is 10.0.0.2 to network 0.0.0.0
10.0.0.0/8 is variably subnetted, 10 subnets, 3 masks
C 10.0.0.0/24 is directly connected, FastEthernet0/0
L 10.0.0.1/32 is directly connected, FastEthernet0/0
C 10.0.1.0/24 is directly connected, FastEthernet0/1
L 10.0.1.1/32 is directly connected, FastEthernet0/1
C 10.0.2.0/24 is directly connected, FastEthernet1/0
L 10.0.2.1/32 is directly connected, FastEthernet1/0
C 10.0.3.0/24 is directly connected, FastEthernet1/1
L 10.0.3.1/32 is directly connected, GigabitEthernet1/1
O 10.0.4.0/29 [110/2] via 10.0.4.2 00:00:03, GigabitEthernet1/1
S 10.1.0.0/16 [1/0] via 10.0.3.2
S 10.1.3.0/24 [1/0] via 10.0.3.2
S* 0.0.0.0/0 [1/0] via 10.0.0.2

How does router R1 forward packets destined to 10.0.4.10?

A. via 10.0.4.2
B. via FastEthernet1/1
C. via FastEthernet0/1
D. via 10.0.0.2

Answer: D

Explanation

For the 10.0.4.10 destination, we only have to check if this destination falls into the range of the entry “O 10.0.4.0/29 [110/2] via 10.0.4.2 00:00:03, GigabitEthernet1/1”.

Subnet 10.0.4.0/29
-> Increment: 8 -> This subnet ranges from 10.0.4.0 to 10.0.4.7 only. Therefore 10.0.4.10 does
not belong to this subnet. R1 will use the default route (S* 0.0.0.0/0 [1/0] via 10.0.0.2) for this
destination -> R1 will forward packets to the next-hop 10.0.0.2.

Question 92 (repeated)

Which configuration management mechanism uses TCP port 22 by default when communicating
with managed nodes?

A. Ansible
B. Python
C. Puppet
D. Chef

Answer: A

Explanation

TCP port 22 is SSH, which is used by Ansible when communicating with the managed nodes.

Question 93 (repeated)

How do AAA operations compare regarding user identification, user services and access control?

A. Authorization provides access control and authentication tracks user services
B. Authentication identifies users and accounting tracks user services
C. Accounting tracks user services, and authentication provides access control
D. Authorization identifies users and authentication provides access control

Answer: B

Question 94 (repeated)

Refer to the exhibit.

What are two conclusions about this configuration? (Choose two)

A. The designated port is FastEthernet 2/1
B. This is a root bridge
C. The spanning-tree mode is Rapid PVST+
D. The spanning-tree mode is PVST+
E. The root port is FastEthernet 2/1

Answer: C E

Explanation

This bridge is not the root bridge because it does not have the statement “This bridge is the root”.
When the local switch is not the root bridge, the port it shows would be the root port to the root
bridge. Therefore in this case FastEthernet2/1 is the root port that is connected to the root bridge.

Question 95 (repeated)

Refer to the exhibit. An extended ACL has been configured and applied to router R2. The
configuration failed to work as intended. Which two changes stop outbound traffic on TCP ports 25
and 80 to 10.0.20.0/26 from the 10.0.10.0/26 subnet while still allowing all other traffic? (Choose
two)

R2#config t
R2(config)#access-list 101 deny tcp 10.0.20.0 0.0.0.63 10.0.10.0 0.0.0.63 eq smtp
R2(config)#access-list 101 deny tcp 10.0.20.0 0.0.0.63 10.0.10.0 0.0.0.63 eq www
R2(config)#int gi0/2
R2(config-if)#ip access-group 101 in

A. Add a “permit ip any any” statement to the beginning of ACL 101 for allowed traffic
B. Add a “permit ip any any” statement at the end of ACL 101 for allowed traffic
C. The source and destination IPs must be swapped in ACL 101
D. The ACL must be configured on the Gi0/2 interface inbound on R1
E. The ACL must be moved to the Gi0/1 interface outbound on R2

Answer: B C
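The exhibit's ACL fails for the two reasons the answer picks out: the source and destination are swapped, so no packet from 10.0.10.0/26 ever matches a deny line, and the implicit deny that ends every IOS ACL then drops all remaining traffic. As an added example (not part of the original post), the Python below evaluates extended ACL entries using Cisco wildcard-mask semantics and first-match ordering, and runs the exhibit's ACL and the corrected ACL (answers B and C applied) against a few constructed sample packets. The sample packets and the small PORT_NAMES table are assumptions made for this example.

```python
import ipaddress
from typing import List, NamedTuple, Optional

# IOS port keywords that appear in the exhibit (assumed table for this example).
PORT_NAMES = {"smtp": 25, "www": 80}


class Ace(NamedTuple):
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp" or "ip" ("ip" matches every protocol)
    src: str                     # "A.B.C.D wildcard" or "any"
    dst: str
    dport: Optional[int] = None  # destination port; None means any port


class Packet(NamedTuple):
    src: str
    dst: str
    proto: str
    dport: int


def parse_ace(line: str) -> Ace:
    """Parse one 'access-list <n> <action> <proto> <src> <dst> [eq <port>]' line."""
    t = line.split()
    assert t[0] == "access-list", line
    action, proto, rest = t[2], t[3], t[4:]

    def take_addr(tokens):
        if tokens[0] == "any":
            return "any", tokens[1:]
        return f"{tokens[0]} {tokens[1]}", tokens[2:]

    src, rest = take_addr(rest)
    dst, rest = take_addr(rest)
    dport = None
    if rest[:1] == ["eq"]:
        dport = PORT_NAMES.get(rest[1])
        if dport is None:
            dport = int(rest[1])
    return Ace(action, proto, src, dst, dport)


def wildcard_match(addr: str, spec: str) -> bool:
    """Cisco wildcard mask: a 0 bit must equal the base address, a 1 bit is ignored."""
    if spec == "any":
        return True
    base, wildcard = spec.split()
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return int(ipaddress.IPv4Address(addr)) & care == int(ipaddress.IPv4Address(base)) & care


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """First matching entry decides; an IOS ACL ends with an implicit 'deny ip any any'."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if not (wildcard_match(pkt.src, ace.src) and wildcard_match(pkt.dst, ace.dst)):
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        return ace.action
    return "deny"


# The ACL exactly as configured in the exhibit (source and destination swapped, no permit).
EXHIBIT_ACL = [parse_ace(l) for l in [
    "access-list 101 deny tcp 10.0.20.0 0.0.0.63 10.0.10.0 0.0.0.63 eq smtp",
    "access-list 101 deny tcp 10.0.20.0 0.0.0.63 10.0.10.0 0.0.0.63 eq www",
]]

# The same ACL with answers B and C applied.
CORRECTED_ACL = [parse_ace(l) for l in [
    "access-list 101 deny tcp 10.0.10.0 0.0.0.63 10.0.20.0 0.0.0.63 eq smtp",
    "access-list 101 deny tcp 10.0.10.0 0.0.0.63 10.0.20.0 0.0.0.63 eq www",
    "access-list 101 permit ip any any",
]]

# Constructed sample traffic, all heading from the 10.0.10.x side towards 10.0.20.0/26.
SAMPLE_PACKETS = {
    "smtp from 10.0.10.0/26": Packet("10.0.10.5", "10.0.20.7", "tcp", 25),
    "http from 10.0.10.0/26": Packet("10.0.10.5", "10.0.20.7", "tcp", 80),
    "https from 10.0.10.0/26": Packet("10.0.10.5", "10.0.20.7", "tcp", 443),
    "smtp from outside the /26 (10.0.10.70)": Packet("10.0.10.70", "10.0.20.7", "tcp", 25),
    "dns from 10.0.10.0/26": Packet("10.0.10.5", "10.0.20.7", "udp", 53),
}


def compare(acl_a: List[Ace], acl_b: List[Ace]) -> dict:
    """Verdict of two ACLs for every sample packet: {name: (verdict_a, verdict_b)}."""
    return {name: (evaluate(acl_a, p), evaluate(acl_b, p)) for name, p in SAMPLE_PACKETS.items()}
```

Calling compare(EXHIBIT_ACL, CORRECTED_ACL) shows the exhibit's ACL returning "deny" for every sample packet (nothing matches the swapped deny lines, so the implicit deny catches everything), while the corrected ACL denies only SMTP and HTTP from 10.0.10.0/26 and permits the rest, including SMTP from 10.0.10.70, which lies outside the /26.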

Question 96 (repeated)

R1 has learned route 10.10.10.0/24 via numerous routing protocols. Which route is installed?

A. route with the lowest cost
B. route with the next hop that has the highest IP
C. route with the shortest prefix length
D. route with the lowest administrative distance

Answer: D

Question 97 (repeated)

Which command must be entered to configure a DHCP relay?

A. ip helper-address
B. ip address dhcp
C. ip dhcp relay
D. ip dhcp pool

Answer: A

Explanation

If the DHCP server is not on the same subnet as the DHCP client, we need to configure the router on the DHCP client side to act as a DHCP relay agent so that it can forward DHCP messages between the DHCP client and the DHCP server. To make a router a DHCP relay agent, simply put the “ip helper-address <IP-address-of-DHCP-Server>” command under the interface that receives the DHCP messages from the DHCP client.

As we know, a router does not forward broadcast packets (it drops them instead), so DHCP messages such as DHCPDISCOVER would normally be dropped. With the “ip helper-address …” command, the router accepts that broadcast message, converts it into a unicast packet and forwards it to the DHCP server. The destination IP address of the unicast packet is taken from the “ip helper-address …” command.

Question 98

Refer to the exhibit.


Which settings must be verified on workstation 1 to establish IP connectivity to server 1 using the server’s fully qualified domain name?

Option A
IP address: 10.0.63.80
Subnet mask: 255.255.255.224
Default gateway: 10.0.71.0
DHCP server: 10.0.63.8

Option B
IP address: 10.0.71.16
Subnet mask: 255.255.255.224
Default gateway: 10.0.71.1
DNS server: 10.0.63.5

Option C
IP address: 10.0.63.80
Subnet mask: 255.255.255.0
Default gateway: 10.0.71.1
DNS server: 10.0.63.5

Option D
IP address: 10.0.71.16
Subnet mask: 255.255.255.0
Default gateway: 10.0.71.0
DHCP server: 10.0.63.8

A. Option A
B. Option B
C. Option C
D. Option D

Answer: B

Explanation

Workstation1 belongs to VLAN 71 so its IP address should be 10.0.71.x and the subnet mask
should be /27 (255.255.255.224). Moreover, if Workstation 1 wants to connect to server 1 using
the server’s fully qualified domain name then its DNS server must be correctly set to 10.0.63.5 as
shown in the exhibit.

Question 99 (repeated)

Refer to the exhibit. Which path is used by the router for Internet traffic?

R1#show ip route
Gateway of last resort is 10.10.11.2 to network 0.0.0.0
209.165.200.0/27 is subnetted, 1 subnets
B 209.165.200.224 [20/0] via 10.10.12.2, 00:10:34
10.0.0.0/8 is variably subnetted, 4 subnets, 3 masks
C 10.10.10.0/28 is directly connected, GigabitEthernet0/0
C 10.10.11.0/30 is directly connected, FastEthernet2/0
C 10.10.13.0/30 [110/2] via 10.10.10.1, 00:03:34, GigabitEthernet0/0
C 10.10.12.0/30 is directly connected, GigabitEthernet0/1
S* 0.0.0.0/0 [1/0] via 10.10.11.2

Switch1#show ip route
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.10.10.0/28 is directly connected, FastEthernet0/1
C 10.10.13.0/24 is directly connected, VLAN20

A. 209.165.200.0/27
B. 10.10.10.0/28
C. 0.0.0.0/0
D. 10.10.13.0/24

Answer: C

Question 100 (repeated)

Refer to the exhibit. If the network environment is operating normally, which type of device must
be connected to interface FastEthernet 0/1?

ip arp inspection vlan 2-10
interface fastethernet 0/1
ip arp inspection trust

A. DHCP client
B. access point
C. router
D. PC

Answer: C

Explanation

To configure the DHCP snooping feature, at least three steps must be done:

1. Configure global DHCP snooping: Switch(config)# ip dhcp snooping
2. Configure trusted ports (at least one port; by default, all ports are untrusted): Switch(config-if)# ip dhcp snooping trust
3. Configure DHCP snooping for the selected VLANs: Switch(config)# ip dhcp snooping vlan {VLAN-ID | VLAN range}

Note: To configure DHCP snooping with Dynamic ARP Inspection we need to add the command “ip arp inspection vlan vlan-id” in global configuration mode and “ip arp inspection trust” in interface mode.

In a normal network environment, we should trust interfaces that are connected to routers, not
end points.

Question 101 (repeated)

Refer to the exhibit. To which device does Router1 send packets that are destined to host
10.10.13.165?

Router1#show ip route
Gateway of last resort is 10.10.11.2 to network 0.0.0.0
209.165.200.0/27 is subnetted, 1 subnets
B 209.165.200.224 [20/0] via 10.10.12.2,03:32:14
209.165.201.0/27 is subnetted, 1 subnets
B 209.165.201.0 [20/0] via 10.10.12.2,02:26:53
209.165.202.0/27 is subnetted, 1 subnets
B 209.165.202.128 [20/0] via 10.10.12.2,02:46:03
10.0.0.0/8 is variably subneted, 10 subnets, 4 masks
O 10.10.13.0/25 [110/2] via 10.10.10.1,00:00:04, GigabitEthernet0/0
O 10.10.13.128/28 [110/2] via 10.10.10.5,00:00:12, GigabitEthernet0/1
O 10.10.13.144/28 [110/2] via 10.10.10.9,00:01:57, GigabitEthernet0/2
O 10.10.13.160/29 [110/2] via 10.10.10.5,00:00:12, GigabitEthernet0/1
O 10.10.13.208/29 [110/2] via 10.10.10.13,00:01:57, GigabitEthernet0/3
S* 0.0.0.0/0 [1/0] via 10.10.11.2

A. Router2
B. Router3
C. Router4
D. Router5

Answer: B

Explanation

The destination of 10.10.13.165 matches the entry “O 10.10.13.160/29 [110/2]…” because of the
longest prefix length rule so the packet will be forwarded to 10.10.10.5, which is Router3.

Question 102 (repeated)

Refer to the exhibit. Router R1 is running three different routing protocols. Which route
characteristic is used by the router to forward the packet that it receives for destination IP
172.16.32.1?

A. longest prefix
B. metric
C. cost
D. administrative distance

Answer: A

Explanation

A router evaluates routes in the following order.

1. Prefix Length – The longest-matching route is preferred first. Prefix length trumps all other route attributes.
2. Administrative Distance – In the event there are multiple routes to a destination with the same prefix length, the route learned by the protocol with the lowest administrative distance is preferred.
3. Metric – In the event there are multiple routes learned by the same protocol with the same prefix length, the route with the lowest metric is preferred. (If two or more of these routes have equal metrics, load balancing across them may occur.)
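The route-selection order above is what decides Questions 91 and 101 (longest prefix) and Questions 96 and 113 (administrative distance as the tie-breaker). As an added example, not from the original post, the Python below parses the routing tables shown in Questions 91 and 101 and chooses the forwarding entry for a destination by longest prefix, then lowest AD, then lowest metric. The two tables are transcribed from the exhibits (abridged to the lines that matter); the CONSTRUCTED_TIE table, which offers one prefix through four protocols, is an assumption made for the example, since a real router shows only the winner in show ip route.

```python
import ipaddress
import re
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    code: str                       # IOS route code, e.g. "O", "S*", "D", "i L1"
    network: ipaddress.IPv4Network
    ad: int                         # administrative distance, first number in [AD/metric]
    metric: int                     # second number in [AD/metric]; 0 for connected routes
    next_hop: Optional[str]
    interface: Optional[str]


_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
_HEADER = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}/(\d+) is (variably )?subnett?ed")
_IFACE = re.compile(r"^(?:(?:Gigabit|Fast)?Ethernet|Serial|[Vv]lan)")


def parse_show_ip_route(text: str) -> List[Route]:
    """Turn the body of 'show ip route' into Route records.

    Children of an 'A.B.C.D/len is subnetted' header that carry no /len inherit the
    header's length; under 'variably subnetted' every child carries its own length.
    """
    routes: List[Route] = []
    inherited_len: Optional[int] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Gateway") or "#" in line.split()[0]:
            continue                          # blank, gateway-of-last-resort or prompt line
        header = _HEADER.match(line)
        if header:
            inherited_len = None if header.group(2) else int(header.group(1))
            continue
        tokens = line.replace(",", " ").split()
        first_ip = next((i for i, t in enumerate(tokens) if _IPV4.match(t.split("/")[0])), None)
        if not first_ip:
            continue                          # no route code + address, e.g. "--output suppressed--"
        code = " ".join(tokens[:first_ip])
        prefix = tokens[first_ip]
        if "/" not in prefix:
            if inherited_len is None:
                continue
            prefix = f"{prefix}/{inherited_len}"
        network = ipaddress.IPv4Network(prefix, strict=False)
        rest = tokens[first_ip + 1:]
        interface = next((t for t in rest if _IFACE.match(t)), None)
        if rest[:3] == ["is", "directly", "connected"]:
            routes.append(Route(code, network, 0, 0, None, interface))
            continue
        ad_metric = re.match(r"^\[(\d+)/(\d+)\]$", rest[0]) if rest else None
        if ad_metric is None:
            continue
        next_hop = rest[rest.index("via") + 1] if "via" in rest else None
        routes.append(Route(code, network, int(ad_metric.group(1)),
                            int(ad_metric.group(2)), next_hop, interface))
    return routes


def select_route(routes: List[Route], destination: str) -> Optional[Route]:
    """Longest prefix wins; ties go to the lowest AD, then to the lowest metric."""
    dst = ipaddress.IPv4Address(destination)
    candidates = [r for r in routes if dst in r.network]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.network.prefixlen, r.ad, r.metric))


# Question 91 exhibit (R1), abridged to the entries relevant to 10.0.4.10.
R1_TABLE = """
R1#show ip route
Gateway of last resort is 10.0.0.2 to network 0.0.0.0
10.0.0.0/8 is variably subnetted, 10 subnets, 3 masks
C 10.0.0.0/24 is directly connected, FastEthernet0/0
C 10.0.3.0/24 is directly connected, FastEthernet1/1
O 10.0.4.0/29 [110/2] via 10.0.4.2 00:00:03, GigabitEthernet1/1
S 10.1.0.0/16 [1/0] via 10.0.3.2
S 10.1.3.0/24 [1/0] via 10.0.3.2
S* 0.0.0.0/0 [1/0] via 10.0.0.2
"""

# Question 101 exhibit (Router1), abridged; note the BGP child that inherits /27 from its header.
ROUTER1_TABLE = """
Gateway of last resort is 10.10.11.2 to network 0.0.0.0
209.165.200.0/27 is subnetted, 1 subnets
B 209.165.200.224 [20/0] via 10.10.12.2,03:32:14
10.0.0.0/8 is variably subnetted, 10 subnets, 4 masks
O 10.10.13.0/25 [110/2] via 10.10.10.1,00:00:04, GigabitEthernet0/0
O 10.10.13.128/28 [110/2] via 10.10.10.5,00:00:12, GigabitEthernet0/1
O 10.10.13.144/28 [110/2] via 10.10.10.9,00:01:57, GigabitEthernet0/2
O 10.10.13.160/29 [110/2] via 10.10.10.5,00:00:12, GigabitEthernet0/1
O 10.10.13.208/29 [110/2] via 10.10.10.13,00:01:57, GigabitEthernet0/3
S* 0.0.0.0/0 [1/0] via 10.10.11.2
"""

# Constructed, not from the page: the same prefix offered by IS-IS (115), OSPF (110),
# RIP (120) and internal EIGRP (90), the situation described in Question 113.
CONSTRUCTED_TIE = """
i L1 192.168.12.0/24 [115/20] via 10.0.0.2, 00:00:01, FastEthernet0/0
O 192.168.12.0/24 [110/2] via 10.0.0.2, 00:00:01, FastEthernet0/0
R 192.168.12.0/24 [120/1] via 10.0.0.2, 00:00:01, FastEthernet0/0
D 192.168.12.0/24 [90/156160] via 10.0.0.2, 00:00:01, FastEthernet0/0
"""
```

select_route(parse_show_ip_route(R1_TABLE), "10.0.4.10") returns the S* default route via 10.0.0.2, because 10.0.4.10 lies outside 10.0.4.0/29 (hosts .0 to .7); the same call for 10.10.13.165 against ROUTER1_TABLE returns 10.10.13.160/29 via 10.10.10.5, the longest of the matching prefixes; and against CONSTRUCTED_TIE it returns the EIGRP entry (AD 90) for 192.168.12.7.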

Question 103 (repeated)

Drag and drop the attack-mitigation techniques from the left onto the types of attack that they
mitigate on the right.

Answer:

+ 802.1q double-tagging VLAN-hopping attack: configure the native VLAN with a nondefault VLAN ID
+ MAC flooding attack: configure 802.1X authentication
+ man-in-the-middle spoofing attack: configure DHCP snooping
+ switch-spoofing VLAN-hopping attack: disable DTP

Explanation

VLAN Hopping: By altering the VLAN ID on packets encapsulated for trunking, an attacking device
can send or receive packets on various VLANs, bypassing Layer 3 security measures. VLAN hopping
can be accomplished by switch spoofing or double tagging.

a. Switch spoofing:

The attacker can connect an unauthorized Cisco switch to a Company switch port. The
unauthorized switch can send DTP frames and form a trunk with the Company Switch. If the
attacker can establish a trunk link to the Company switch, it receives traffic to all VLANs through
the trunk because all VLANs are allowed on a trunk by default.

(Instead of using a Cisco switch, the attacker can use software to create and send DTP frames.)

To mitigate this type of attack, we can disable DTP.

b. Double-Tagging attack:
In this attack, the attacking computer generates frames with two 802.1Q tags. The first tag
matches the native VLAN of the trunk port (VLAN 10 in this case), and the second matches the
VLAN of a host it wants to attack (VLAN 20).

When the frame from the attacker reaches Switch A, Switch A only sees the first tag (VLAN 10); it matches its native VLAN 10, so this tag is removed. Switch A forwards the frame out all links with the same native VLAN 10. Switch B receives the frame with a tag of VLAN 20, so it removes this tag and forwards the frame to the victim computer.

Note: This attack only works if the trunk (between two switches) has the same native VLAN as the
attacker.

To mitigate this type of attack, we can use VLAN access control lists (VACLs), which apply to all traffic within a VLAN and can drop attacker traffic to specific victims/servers, or implement Private VLANs.

Question 104 (repeated)

When a WPA2-PSK WLAN is configured in the Wireless LAN Controller, what is the minimum
number of characters that is required in ASCII format?

A. 6
B. 8
C. 12
D. 18

Answer: B

Explanation

WPA/WPA2 preshared keys must contain 8 to 63 ASCII text characters or 64 hexadecimal characters.

Reference: https://www.cisco.com/c/en/us/td/docs/wireless/controller/7-4/configuration/guides/consolidated/b_cg74_CONSOLIDATED/b_cg74_CONSOLIDATED_chapter_01010001.html

Question 105 (repeated)

Which purpose does a northbound API serve in a controller-based networking architecture?

A. communicates between the controller and the physical network hardware
B. reports device errors to a controller
C. generates statistics for network hardware and traffic
D. facilitates communication between the controller and the applications

Answer: D

Question 106

Drag and drop the IPv6 addresses from the left onto the corresponding address types on the right.

Answer:

Global Unicast
+ 2001:db8:600d:cafe::123
+ 3ffe:e54d:620:a87a::f00d

Unique Local
+ fd6d:c83b:5cef:b6b2::1
+ fcba:926a:e8e:7a25:b1:c6d2:1a76:8fdc

Explanation

Note:

Unique Local addresses are the counterpart of private IPv4 addresses, so they are not routable on the global Internet. A Unique Local address is an IPv6 address in the block FC00::/7 (for use in private networks) -> the first octet can be FC or FD.

Question 107 (repeated)

Refer to the exhibit. A packet is being sent across router R1 to host 172.16.3.14. To which
destination does the router send the packet?

A. 207.165.200.246 via Serial0/1/0
B. 207.165.200.254 via Serial0/0/0
C. 207.165.200.254 via Serial0/0/1
D. 207.165.200.250 via Serial0/0/0

Answer: C

Question 108 (repeated)

Refer to the exhibit. An engineer must add a subnet for a new office that will add 20 users to the
network. Which IPv4 network and subnet mask combination does the engineer assign to minimize
wasting addresses?

A. 10.10.225.48 255.255.255.240
B. 10.10.225.32 255.255.255.240
C. 10.10.225.48 255.255.255.224
D. 10.10.225.32 255.255.255.224

Answer: D

Explanation

We need a subnet for 20 users, so we need 5 host bits (five 0 bits in the subnet mask), since 2^5 – 2 = 30 > 20. Therefore the subnet mask should be /27 (the last octet is 1110 0000 in binary). The increment is 32, so the valid network address is 10.10.225.32.
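This question and Question 84 come down to the same arithmetic: how many host bits a given number of users needs, which addresses are aligned network addresses at that mask, and whether a host's address and default gateway both fall inside the usable range. As an added example, not from the original post, the Python below uses the standard library ipaddress module to perform those checks for the values on the page; the function names are my own.

```python
import ipaddress
from typing import List, Tuple


def smallest_prefix_for_hosts(hosts: int) -> int:
    """Longest prefix (smallest subnet) that still leaves `hosts` usable addresses.

    The network and broadcast addresses are not usable, hence the -2; a /30 is the
    smallest conventional subnet, so the search starts at two host bits.
    """
    host_bits = 2
    while (2 ** host_bits) - 2 < hosts:
        host_bits += 1
    return 32 - host_bits


def candidate_networks(block: str, prefixlen: int) -> List[str]:
    """Every aligned subnet of `block` at `prefixlen` (the 'increment' in the explanation)."""
    return [str(n) for n in ipaddress.IPv4Network(block).subnets(new_prefix=prefixlen)]


def is_valid_network_address(address: str, mask: str) -> bool:
    """True when all host bits are zero, i.e. `address` can be a network address under `mask`."""
    try:
        ipaddress.IPv4Network(f"{address}/{mask}")   # strict mode rejects set host bits
        return True
    except ValueError:
        return False


def usable_range(network: str) -> Tuple[str, str]:
    """First and last assignable host address of a subnet."""
    hosts = list(ipaddress.IPv4Network(network).hosts())
    return str(hosts[0]), str(hosts[-1])


def check_host_config(ip: str, mask: str, gateway: str) -> List[str]:
    """Sanity-check a workstation's static IPv4 settings; returns the problems found (empty = OK)."""
    iface = ipaddress.IPv4Interface(f"{ip}/{mask}")
    net = iface.network
    problems = []
    if iface.ip == net.network_address:
        problems.append(f"{ip} is the network address of {net}")
    if iface.ip == net.broadcast_address:
        problems.append(f"{ip} is the broadcast address of {net}")
    if ipaddress.IPv4Address(gateway) not in net:
        problems.append(f"default gateway {gateway} is not in {net}")
    elif gateway == ip:
        problems.append("default gateway equals the host address")
    return problems
```

For Question 108, smallest_prefix_for_hosts(20) gives 27 and candidate_networks("10.10.225.0/24", 27) lists 10.10.225.0/27, 10.10.225.32/27, 10.10.225.64/27 and so on, so 10.10.225.48 fails is_valid_network_address at /27 but passes at /28. For Question 84, check_host_config("172.16.1.8", "255.255.255.248", "172.16.1.1") reports that .8 is the network address of 172.16.1.8/29 and that the gateway is outside it, while the settings of answer D (172.16.1.6/29) come back clean.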

Question 109 (repeated)

What are two recommendations for protecting network ports from being exploited when located in
an office space outside of an IT closet? (Choose two)

A. shut down unused ports
B. enable the PortFast feature on ports
C. implement port-based authentication
D. configure ports to a fixed speed
E. configure static ARP entries

Answer: A C

Question 110 (repeated)

Which technology must be implemented to configure network device monitoring with the highest
security?

A. SNMPv3
B. IP SLA
C. NetFlow
D. syslog

Answer: A

Explanation

SNMPv3—The most up-to-date protocol focuses on security. SNMPv3 defines a security model,
user-based security model (USM), and a view-based access control model (VACM). SNMPv3 USM
provides data integrity, data origin authentication, message replay protection, and protection
against disclosure of the message payload.

Reference: https://www.juniper.net/documentation/us/en/software/junos/network-mgmt/topics/topic-map/network-monitoring-by-using-snmp.html

Question 111 (repeated)

Which API is used in controller-based architectures to interact with edge devices?

A. overlay
B. northbound
C. underlay
D. southbound

Answer: D

Explanation

The Southbound API is used to communicate with network devices.

Question 112 (repeated)

Which IPv6 address block forwards packets to a multicast address rather than a unicast address?

A. 2000::/3
B. FC00::/7
C. FE80::/10
D. FF00::/12

Answer: D

Explanation

Well-known multicast addresses have the prefix ff00::/12.

The FE80::/10 range is used for link-local addresses. Link-local addresses are only used for communication within the local subnet (automatic address configuration, neighbor discovery, router discovery, and by many routing protocols); they are only valid on the current subnet. A link-local address is usually created dynamically from the link-local prefix FE80::/10 and a 64-bit interface identifier (based on the 48-bit MAC address).
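The prefixes used in this explanation and in Question 106 (2000::/3, FC00::/7, FE80::/10, FF00::/12) can be checked mechanically instead of by eye. As an added example, not from the original post, the Python below classifies an IPv6 address by the most specific of those blocks and exposes the leading bits that make the decision; the enclosing multicast block FF00::/8 and the loopback address are added from the IPv6 addressing architecture, and the function names are my own.

```python
import ipaddress
from typing import Tuple

# Address blocks named on the page, plus the enclosing multicast block FF00::/8 and the
# loopback address from RFC 4291. Lookup picks the most specific (longest) matching block.
IPV6_BLOCKS = [
    ("global unicast", ipaddress.IPv6Network("2000::/3")),
    ("unique local", ipaddress.IPv6Network("fc00::/7")),
    ("link-local", ipaddress.IPv6Network("fe80::/10")),
    ("well-known multicast", ipaddress.IPv6Network("ff00::/12")),
    ("multicast", ipaddress.IPv6Network("ff00::/8")),
    ("loopback", ipaddress.IPv6Network("::1/128")),
]


def leading_bits(addr: str, n: int) -> str:
    """The first n bits of the address as a string, so the block decision can be read off."""
    return format(int(ipaddress.IPv6Address(addr)), "0128b")[:n]


def classify_ipv6(addr: str) -> Tuple[str, str]:
    """Return (address type, block that decided it); longest matching prefix wins."""
    ip = ipaddress.IPv6Address(addr)
    for name, net in sorted(IPV6_BLOCKS, key=lambda b: -b[1].prefixlen):
        if ip in net:
            return name, str(net)
    return "other", ""


def is_internet_routable(addr: str) -> bool:
    """Only global unicast addresses are routable on the public Internet."""
    return classify_ipv6(addr)[0] == "global unicast"


def explain(addr: str) -> str:
    """One-line explanation of why an address falls into its block."""
    name, block = classify_ipv6(addr)
    bits = leading_bits(addr, int(block.split("/")[1])) if block else ""
    return f"{addr}: {name} ({block}), leading bits {bits}"
```

classify_ipv6 puts both 2001:db8:600d:cafe::123 and 3ffe:e54d:620:a87a::f00d into global unicast (their first three bits are 001), the two fd/fc addresses of Question 106 into unique local (first seven bits 1111110), fe80::7096:5693:6d8a:90ba from Question 84 into link-local, and ff02::1 into well-known multicast (its first twelve bits are ff0), while a transient multicast address such as ff12::1 falls back to the general ff00::/8 block.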

Question 113 (repeated)

R1 has learned route 192.168.12.0/24 via IS-IS, OSPF, RIP and Internal EIGRP. Under normal
operating conditions, which routing protocol is installed in the routing table?

A. IS-IS
B. RIP
C. Internal EIGRP
D. OSPF

Answer: C

Explanation

With the same route (prefix), the router will choose the routing protocol with lowest Administrative
Distance (AD) to install into the routing table. The AD of Internal EIGRP (90) is lowest so it would
be chosen. The table below lists the ADs of popular routing protocols.

Note: The AD of IS-IS is 115. The “EIGRP” in the table above is “Internal EIGRP”. The AD of
“External EIGRP” is 170. An EIGRP external route is a route that was redistributed into EIGRP.

Question 114

Which type of traffic is sent with pure IPsec?

A. multicast traffic from a server at one site to hosts at another location
B. spanning-tree updates between switches that are at two different sites
C. broadcast packets from a switch that is attempting to locate a MAC address at one of several remote sites
D. unicast messages from a host at a remote site to a server at headquarters

Answer: D

Explanation

Pure IPsec refers to using IPsec directly for securing network traffic without additional
encapsulation protocols like GRE. It does not support:
+ Broadcast
+ Multicast
+ Non-IP traffic (e.g., STP)

“Unicast” is the correct answer as this is exactly what IPsec is designed for: secure, point-to-point
IP communication.

Question 115

Refer to the exhibit.

R1# show ip route | begin gateway

Gateway of last resort is not set

172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
C 172.16.1.0/24 is directly connected, FastEthernet0/0
L 172.16.1.3/32 is directly connected, FastEthernet0/0
EX 172.16.2.0/24 [170/2] via 207.165.200.250, 00:00:25, Serial0/0/0
O 192.168.1.0/24 [110/84437] via 207.165.200.254, 00:00:17, Serial0/0/1
D 192.168.2.0/24 [90/184437] via 207.165.200.254, 00:00:15, Serial0/0/1
E1 192.168.3.0/24 [110/1851437] via 207.165.200.254, 00:00:19, Serial0/0/1

207.165.200.0/24 is variably subnetted, 4 subnets, 2 masks
C 207.165.200.248/30 is directly connected, Serial0/0/0
L 207.165.200.249/32 is directly connected, Serial0/0/0
C 207.165.200.252/30 is directly connected, Serial0/0/1
L 207.165.200.253/32 is directly connected, Serial0/0/1

Which prefix did router R1 learn from internal EIGRP?

A. 192.168.1.0/24
B. 192.168.3.0/24
C. 192.168.2.0/24
D. 172.16.1.0/24

Answer: C

Explanation

Internal EIGRP learned routes are symbolized by the letter “D” and there is only one entry with this letter in the output above: “D 192.168.2.0/24 [90/184437] via 207.165.200.254, 00:00:15, Serial0/0/1”. Therefore answer C is correct.

Question 116 (repeated)

An engineer is configuring NAT to translate the source subnet of 10.10.0.0/24 to any one of three
addresses: 192.168.3.1, 192.168.3.2, or 192.168.3.3. Which configuration should be used?

Option A
enable
configure terminal
ip nat pool mypool 192.168.3.1 192.168.3.3 prefix-length 30
route-map permit 10.10.0.0 255.255.255.0
ip nat outside destination list 1 pool mypool
interface g1/1
ip nat inside
interface g1/2
ip nat outside

Option B
enable
configure terminal
ip nat pool mypool 192.168.3.1 192.168.3.3 prefix-length 30
access-list 1 permit 10.10.0.0 0.0.0.255
ip nat outside destination list 1 pool mypool
interface g1/1
ip nat inside
interface g1/2
ip nat outside

Option C
enable
configure terminal
ip nat pool mypool 192.168.3.1 192.168.3.3 prefix-length 30
access-list 1 permit 10.10.0.0 0.0.0.255
ip nat inside source list 1 pool mypool
interface g1/1
ip nat inside
interface g1/2
ip nat outside

Option D
enable
configure terminal
ip nat pool mypool 192.168.3.1 192.168.3.3 prefix-length 30
access-list 1 permit 10.10.0.0 0.0.0.254
ip nat inside source list 1 pool mypool
interface g1/1
ip nat inside
interface g1/2
ip nat outside

A. Option A
B. Option B
C. Option C
D. Option D

Answer: C

Explanation

The correct command is “ip nat inside source list 1 pool mypool” (notice the keyword “inside”, not “outside”).

This command translates all source addresses that pass access list 1, which means a source
address from 10.10.0.0/24, into an address from the pool named mypool (the pool contains
addresses from 192.168.3.1 to 192.168.3.3).

Question 117 (repeated)

Drag the characteristics of network architectures from the left onto the type of architecture on the
right.

Answer:

Collapsed Core
+ most appropriate for small network designs
+ single device handles the core and the distribution layer
+ more cost-effective than other options

Three-Tier
+ separate devices handle the core and the distribution layer
+ enhances network availability

Explanation

The three-tier hierarchical design maximizes performance, network availability, and the ability to
scale the network design.
However, many small enterprise networks do not grow significantly larger over time. Therefore, a
two-tier hierarchical design where the core and distribution layers are collapsed into one layer is
often more practical. A “collapsed core” is when the distribution layer and core layer
functions are implemented by a single device. The primary motivation for the collapsed core
design is reducing network cost, while maintaining most of the benefits of the three-tier
hierarchical model.

Reference: https://www.ciscopress.com/articles/article.asp?p=2202410&seqNum=4

A collapsed core network is shown below. The collapsed core network may be deployed with
redundant core/distribution router, or consolidated core/distribution router.
Question 118 (repeated)

How does HSRP provide first hop redundancy?

A. It load-balances traffic by assigning the same metric value to more than one route to the same
destination in the IP routing table
B. It load-balances Layer 2 traffic along the path by flooding traffic out all interfaces configured
with the same VLAN
C. It forwards multiple packets to the same destination over different routed links and data path
D. It uses a shared virtual MAC and a virtual IP address to a group of routers that serve as the
default gateway for hosts on a LAN

Answer: D

Question 119 (repeated)

What is a function of TFTP in network operations?

A. transfers a configuration file from a server to a router on a congested link
B. transfers IOS images from a server to a router for firmware upgrades
C. transfers a backup configuration file from a server to a switch using a username and password
D. transfers files between file systems on a router

Answer: B

Question 120

Drag and drop the protocol characteristics from the left onto the corresponding types on the right.
Not all characteristics are used.

Answer:

TCP
+ acknowledgement mechanism
+ guaranteed transmission

UDP
+ low overhead
+ connectionless

Explanation

Note: UDP has error checking through a checksum. But it doesn’t recover from errors. It only
detects them.

Question 121

Refer to the exhibit.

Router#show ip route

Gateway of last resort is 172.17.0.2 to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via 172.17.0.2
10.0.0.0/8 is variably subnetted, 412 subnets, 10 masks
O E2 10.0.0.0/16 [110/10] via 10.2.24.1, 7w0d, Vlan82
O 10.2.17.0/24 [110/6] via 10.2.24.1, 6w4d, vlan82
O 10.2.17.0/24 [110/6] via 10.2.24.1, 6w4d, vlan82
O 10.2.23.0/24 [110/6] via 10.2.24.1, 7w0d, vlan82
--output suppressed--
C 10.173.5.0/24 is directly connected, vlan283
L 10.173.5.2/32 is directly connected, vlan283

What is the value of the administrative distance for the default gateway?

A. 110
B. 0
C. 1
D. 10

Answer: C

Explanation

From the line “Gateway of last resort is 172.17.0.2”, we learn that 172.17.0.2 is the default
gateway of this router. And from the line “S* 0.0.0.0/0 [1/0] via 172.17.0.2”, we learn the AD of
this route is 1 (the first parameter).
