Free Cisco CCNA 200-301 v2.0 Full-Length Practice Exam: 100 Questions

Try 100 free Cisco CCNA 200-301 v2.0 questions across the exam domains, with explanations, then continue with full IT Mastery practice.

This free full-length Cisco CCNA 200-301 v2.0 practice exam includes 100 original IT Mastery questions across the exam domains.

These questions are for self-assessment. They are not official exam questions and do not imply affiliation with the exam sponsor.

Count note: this page uses the full-length practice count maintained in the Mastery exam catalog. Some certification vendors publish total questions, scored questions, duration, or unscored/pretest-item rules differently; always confirm exam-day rules with the sponsor.

Need concept review first? Read the Cisco CCNA 200-301 v2.0 cheat sheet for switching, routing, services, security, operations, and troubleshooting cues before starting another diagnostic.


Exam snapshot

  • Exam route: Cisco CCNA 200-301 v2.0
  • Practice-set question count: 100
  • Time limit: 120 minutes
  • Practice style: mixed-domain diagnostic run with answer explanations

Full-length exam mix

Domain                                      Weight
Network Infrastructure and Connectivity     25%
Switching and Network Access                25%
IP Routing                                  20%
Network Services and Security               20%
AI, Network Operations and Management       10%

Use this as one diagnostic run. IT Mastery gives you timed mocks, topic drills, analytics, code-reading practice where relevant, and full practice.

Practice questions

Questions 1-25

Question 1

Topic: Network Infrastructure and Connectivity

A laptop user reports that they can see the corporate SSID but cannot reach any internal resources after attempting to connect. Other users on the same SSID are working normally.

Exhibit:

Client: LAP-23
SSID selected: Corp-Staff
SSID security required: WPA2-Enterprise / 802.1X
Client profile security: WPA2-Personal / PSK
802.1X state: failed
IPv4 address: 0.0.0.0
Default gateway: none
Ping 10.20.30.1: not attempted; no IPv4 address

What is the best next action?

Options:

  • A. Renew the DHCP lease on the laptop

  • B. Change the access point channel

  • C. Reconfigure the client profile for WPA2-Enterprise

  • D. Add a static default gateway

Best answer: C

Explanation: The exhibit shows a wireless security mismatch before IP connectivity can begin. The SSID requires WPA2-Enterprise with 802.1X, but the client profile is configured for WPA2-Personal with a pre-shared key. Because 802.1X authentication failed, the laptop has no IPv4 address or default gateway, so DHCP renewal and ping tests are premature. The first fix is to correct the WLAN profile to use the required enterprise authentication method and valid user or certificate credentials. After successful authentication, the client should obtain IP settings and then reachability can be tested.

  • DHCP renewal is premature because the client has not passed wireless authentication.
  • Static gateway does not solve the missing authentication and could mask DHCP problems.
  • AP channel change is unsupported because the client can see and select the SSID.

Question 2

Topic: AI, Network Operations and Management

A campus team must keep switch access-port templates and common management settings consistent across 80 access switches. The team wants a central system to coordinate changes, verify device state, and apply approved updates to multiple switches rather than logging in to each switch separately. Which management approach best fits this goal?

Options:

  • A. Use SNMP polling only to collect interface counters

  • B. Enable SCP on each switch for secure file transfers

  • C. Configure each switch independently with local CLI sessions

  • D. Use a controller to coordinate configuration across managed switches

Best answer: D

Explanation: Controller-based management uses a central controller to coordinate configuration and operations across network devices. Instead of treating each switch as a separate management target, the controller maintains visibility into device state and applies approved changes consistently through its management channels. This fits the requirement for centralized coordination, verification, and multi-device updates. Device-by-device CLI can work for small changes but does not provide the same coordinated control plane for operations. SNMP and SCP are useful management tools, but they do not by themselves provide controller-based configuration coordination.

  • Local CLI is manual per device and does not meet the centralized coordination requirement.
  • SNMP polling supports monitoring, but polling counters alone does not apply access-port templates or approved updates.
  • SCP access secures file transfer, but it is only a transport capability, not a controller-based management model.

Question 3

Topic: Network Infrastructure and Connectivity

An administrator is verifying the subnet for a new DHCP scope on VLAN 20. Use the SVI output to identify the correct subnet information.

Exhibit:

Switch# show running-config interface vlan 20
interface Vlan20
 ip address 172.16.37.126 255.255.255.192
 no shutdown

Which statement correctly interprets the IPv4 subnet for VLAN 20?

Options:

  • A. Network 172.16.37.0/25; usable hosts .1 through .126

  • B. Network 172.16.37.64/26; usable hosts .65 through .126

  • C. Network 172.16.37.64/26; usable hosts .64 through .127

  • D. Network 172.16.37.128/26; usable hosts .129 through .190

Best answer: B

Explanation: The subnet mask 255.255.255.192 is /26, which leaves 6 host bits and creates blocks of 64 addresses in the last octet. The /26 subnet boundaries in 172.16.37.0 are .0, .64, .128, and .192. The address 172.16.37.126 falls in the .64 block, so the network address is 172.16.37.64 and the broadcast address is 172.16.37.127. Usable host addresses exclude those two reserved addresses, leaving 172.16.37.65 through 172.16.37.126. The interface IP is valid but is the last usable address in that subnet.

  • Including reserved addresses fails because .64 is the network address and .127 is the broadcast address.
  • Using /25 fails because the exhibit shows 255.255.255.192, not 255.255.255.128.
  • Choosing the next block fails because 172.16.37.126 is below the 172.16.37.128/26 boundary.

Question 4

Topic: Network Infrastructure and Connectivity

A printer was moved into VLAN 12, where the documented gateway is 192.168.12.1/25. It was manually configured, but users in the same VLAN cannot reach it.

Exhibit: Printer IPv4 settings

IPv4 address:     192.168.12.130
Subnet mask:      255.255.255.128
Default gateway:  192.168.12.1
DHCP enabled:     No

What is the best next action?

Options:

  • A. Assign an unused 192.168.12.0/25 address

  • B. Configure a DHCP relay for VLAN 12

  • C. Change the gateway to 192.168.12.129

  • D. Change the subnet mask to 255.255.255.0

Best answer: A

Explanation: The key issue is subnet membership. A 255.255.255.128 mask is /25, so 192.168.12.0/25 contains usable host addresses 192.168.12.1 through 192.168.12.126. The printer address 192.168.12.130 belongs to the next /25 subnet, 192.168.12.128/25, so it is not in the same subnet as the documented gateway 192.168.12.1. For a static host setting, the next action is to assign an unused address from the correct subnet while keeping the documented mask and gateway. Changing the mask or gateway can hide the symptom while violating the intended addressing plan.

  • Gateway change would place the printer in a different subnet than the documented VLAN 12 gateway.
  • Mask change makes the current address appear local but changes the subnet design from /25 to /24.
  • DHCP relay is unrelated because the exhibit shows the printer is using a manual static configuration.
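The subnet arithmetic behind Questions 3 and 4 can be checked mechanically. The following Python is an added illustration, not part of the IT Mastery material: it uses the standard ipaddress module to derive the network, broadcast and usable range from an SVI address, to test whether a static host and its gateway share a subnet, and to show why widening the mask (option D in Question 4) hides the mismatch instead of fixing it.

```python
import ipaddress


def subnet_summary(address_with_mask):
    """Network, first usable, last usable and broadcast for an IPv4 address.

    Accepts CIDR form ("172.16.37.126/26") or dotted-mask form
    ("172.16.37.126/255.255.255.192"), as shown on the SVI in Question 3.
    """
    iface = ipaddress.IPv4Interface(address_with_mask)
    net = iface.network
    hosts = list(net.hosts())  # excludes the network and broadcast addresses
    return (str(net), str(hosts[0]), str(hosts[-1]), str(net.broadcast_address))


def same_subnet(host_ip, mask, gateway_ip):
    """True when the gateway lies inside the subnet the host believes it is in."""
    host_net = ipaddress.IPv4Interface(f"{host_ip}/{mask}").network
    return ipaddress.IPv4Address(gateway_ip) in host_net


def check_static_host(host_ip, mask, gateway_ip):
    """Diagnose a manually configured host the way the Question 4 exhibit is read.

    Returns "ok", or a message naming the two different subnets involved.
    """
    host_net = ipaddress.IPv4Interface(f"{host_ip}/{mask}").network
    if ipaddress.IPv4Address(gateway_ip) in host_net:
        return "ok"
    gw_net = ipaddress.IPv4Interface(f"{gateway_ip}/{mask}").network
    return f"host is in {host_net} but gateway {gateway_ip} is in {gw_net}"


if __name__ == "__main__":
    # Question 3: SVI address on VLAN 20 (values copied from the exhibit)
    print(subnet_summary("172.16.37.126/255.255.255.192"))
    # Question 4: printer settings from the exhibit
    print(check_static_host("192.168.12.130", "255.255.255.128", "192.168.12.1"))
    # Option D: widening the mask to /24 makes the address look local
    # without restoring the documented /25 design
    print(check_static_host("192.168.12.130", "255.255.255.0", "192.168.12.1"))
```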

Question 5

Topic: Switching and Network Access

Users in VLAN 20 on SW2 cannot reach the DHCP server connected behind SW1. Users in VLAN 10 on the same switches work normally. The link between SW1 and SW2 is Gi0/1 on both switches.

Exhibit: trunk check

SW1# show interfaces trunk
Port    Mode   Status     Native vlan
Gi0/1   on     trunking   99
Port    Vlans allowed on trunk
Gi0/1   10,20,99

SW2# show interfaces trunk
Port    Mode   Status     Native vlan
Gi0/1   on     trunking   99
Port    Vlans allowed on trunk
Gi0/1   10,99

What is the best next action?

Options:

  • A. Add VLAN 20 to the allowed VLAN list on SW2 Gi0/1.

  • B. Configure SW2 Gi0/1 as a routed Layer 3 interface.

  • C. Change SW1 Gi0/1 from trunk mode to dynamic auto.

  • D. Change the native VLAN on SW1 Gi0/1 to VLAN 20.

Best answer: A

Explanation: The evidence points to an allowed-VLAN issue, not a trunk formation or native VLAN problem. Both sides show Gi0/1 in trunking status, so the trunk is operational. Both sides also use native VLAN 99, so there is no native VLAN mismatch shown. VLAN 10 works because it is allowed on both trunks. VLAN 20 fails because it is allowed on SW1 but missing from SW2’s allowed VLAN list. Restoring VLAN 20 to the allowed list on SW2 Gi0/1 permits VLAN 20 frames to traverse the trunk.

  • Native VLAN change is unsupported because both switches already show native VLAN 99.
  • Routed interface would remove Layer 2 trunking and would not carry VLAN-tagged traffic between switches.
  • Dynamic auto is weaker because the current output already proves the link is trunking.

Question 6

Topic: Switching and Network Access

A multilayer switch connects directly to router R1 over interface Gi1/0/24. The link must be a point-to-point Layer 3 connection using 10.10.10.0/30 and must not carry tagged or untagged VLAN traffic. Which configuration decision should be applied on the switch interface?

Options:

  • A. Configure an access port in a dedicated VLAN

  • B. Use no switchport and assign an IP address

  • C. Configure an 802.1Q trunk toward R1

  • D. Create only an SVI for the transit subnet

Best answer: B

Explanation: On a multilayer switch, a physical interface can operate as a routed port when the link should carry Layer 3 traffic directly instead of switching frames within a VLAN. The no switchport command changes the interface from Layer 2 mode to Layer 3 mode, allowing an IP address such as 10.10.10.1/30 to be configured directly on the physical interface. This matches a point-to-point routed connection to a router with no VLAN tagging requirement.

Access ports, trunks, and SVIs are VLAN-based designs. They are appropriate when the link participates in Layer 2 switching or router-on-a-stick, not when the physical switch interface itself must be the routed endpoint.

  • Access VLAN still carries switched VLAN traffic and requires an SVI or router interface for Layer 3 forwarding.
  • 802.1Q trunking is used when multiple VLANs or tagged VLAN traffic must cross the link.
  • SVI-only design provides a VLAN interface but does not make the physical link a routed port by itself.

Question 7

Topic: Network Infrastructure and Connectivity

A multilayer switch provides inter-VLAN routing. The DHCP server is 10.10.50.5 and has a scope for 192.168.20.0/24 with default gateway 192.168.20.1. VLAN 20 clients are not receiving DHCP addresses.

Exhibit:

SW1# show ip interface brief
Interface     IP-Address      Status  Protocol
Vlan10        192.168.10.1    up      up
Vlan20        192.168.20.1    up      up
Vlan50        10.10.50.1      up      up

SW1# show running-config interface vlan20
interface Vlan20
 ip address 192.168.20.1 255.255.255.0

SW1# show running-config interface vlan50
interface Vlan50
 ip address 10.10.50.1 255.255.255.0
 ip helper-address 10.10.50.5

SW1# ping 10.10.50.5 source vlan20
Success rate is 100 percent

What is the best next action?

Options:

  • A. Configure ip helper-address 10.10.50.5 on Vlan10.

  • B. Change the VLAN 20 default gateway in the DHCP scope.

  • C. Configure ip helper-address 10.10.50.5 on Vlan20.

  • D. Add a static route from SW1 to 10.10.50.5.

Best answer: C

Explanation: An IOS DHCP relay uses ip helper-address on the interface where the client DHCP broadcast enters the router or multilayer switch. In this case, VLAN 20 clients broadcast from the 192.168.20.0/24 subnet, so the helper belongs on interface Vlan20, the client default-gateway SVI. The helper shown on Vlan50 is on the server-side VLAN and does not relay VLAN 20 client broadcasts. The successful source ping to 10.10.50.5 shows Layer 3 reachability to the server, and the scope gateway matches 192.168.20.1, so routing and scope gateway settings are not the primary issue.

  • Wrong client VLAN fails because VLAN 10 is not where the affected VLAN 20 client broadcasts enter SW1.
  • Scope gateway change is unnecessary because the DHCP scope already lists 192.168.20.1, matching the VLAN 20 SVI.
  • Static route addition is unsupported because SW1 can already reach the DHCP server from Vlan20.

Question 8

Topic: Network Infrastructure and Connectivity

A wired client receives 10.10.20.51/24 and default gateway 10.10.20.1 from DHCP, but the user cannot access internal servers or the Internet. Before changing switch or router configuration, what is the first validation step?

Options:

  • A. Ping 10.10.20.1 from the client

  • B. Run DNS lookup for an internal server

  • C. Clear the DHCP binding for the client

  • D. Add a static route on the access switch

Best answer: A

Explanation: When a client already has an IP address, subnet mask, and default gateway, the next basic validation is local gateway reachability. The default gateway is the client’s first-hop router for off-subnet traffic, so a failed ping to that address points to a local connectivity issue such as VLAN membership, switchport state, cabling, host firewall, ARP, or gateway interface problems. If the gateway responds, then testing DNS, remote routes, ACLs, or upstream connectivity becomes more appropriate. Start with the nearest dependency before troubleshooting remote services.

  • DNS lookup is later because name resolution does not prove the client can reach its first-hop gateway.
  • Static route change is premature because no evidence shows a routing problem beyond the local subnet.
  • DHCP binding reset is weak because the client already received a usable address and gateway information.

Question 9

Topic: Network Services and Security

A network engineer must create an IPv4 ACL on an IOS XE router to identify the policy as WEB-FILTER in the running configuration. The ACL must match TCP traffic from 10.10.20.0/24 to a specific web server on destination port 443. Which ACL configuration approach best meets these requirements?

Options:

  • A. Create a numbered extended IPv4 ACL

  • B. Create a numbered standard IPv4 ACL

  • C. Create a named extended IPv4 ACL

  • D. Create a named standard IPv4 ACL

Best answer: C

Explanation: IPv4 ACLs can be either numbered or named, and either standard or extended. The descriptive label requirement points to a named ACL, while the need to match TCP traffic to a specific destination port points to an extended ACL. Standard ACLs match only the source IPv4 address, so they cannot directly match the destination server or TCP port. A numbered extended ACL could match the traffic characteristics, but it would not satisfy the requirement to identify the policy as WEB-FILTER in the configuration. The key distinction is that naming and matching scope are separate ACL design choices.

  • Numbered standard fails because standard ACLs match only source IPv4 addresses and use numeric identifiers.
  • Named standard satisfies the descriptive-name requirement but cannot match destination address or TCP port.
  • Numbered extended can match protocol and port, but it does not meet the named-policy constraint.

Question 10

Topic: Switching and Network Access

A desktop connected to SW1 in VLAN 20 cannot ping its default gateway, which is an SVI on SW2. Hosts in VLAN 10 on SW1 can reach their gateway on SW2.

Exhibit: SW1 output

SW1# show interfaces status | include Fa0/10|Gi0/1
Fa0/10  connected  20  a-full a-100 10/100BaseTX
Gi0/1   connected  trunk a-full a-1000 1000BaseSX

SW1# show mac address-table vlan 20
Vlan  Mac Address     Type     Ports
20    0011.2233.4455  DYNAMIC  Fa0/10

SW1# show interfaces trunk
Port   Mode   Status    Native vlan
Gi0/1  on     trunking  1
Port   Vlans allowed and active in management domain
Gi0/1  1,10,30

Which conclusion is best supported by the evidence?

Options:

  • A. The desktop has an incorrect default gateway

  • B. VLAN 20 is missing from the trunk

  • C. The desktop access port is administratively down

  • D. The SW1-to-SW2 trunk is physically down

Best answer: B

Explanation: The evidence supports a Layer 2 trunk VLAN issue. Fa0/10 is connected in VLAN 20, and SW1 learns the desktop MAC address on that access port, so the local access link is functioning. Gi0/1 is physically up and trunking, and VLAN 10 traffic works across the same trunk. However, the trunk output lists only VLANs 1, 10, and 30 as allowed and active, so VLAN 20 frames cannot cross from SW1 to the gateway SVI on SW2.

The key takeaway is to match the conclusion to the visible evidence: the failure is specific to VLAN 20 across an otherwise working trunk.

  • Access port down fails because Fa0/10 is shown as connected and is learning the client MAC address.
  • Incorrect gateway is not supported because no client IP configuration is shown.
  • Physical trunk down fails because Gi0/1 is connected and in trunking status.

Question 11

Topic: IP Routing

A router must forward a packet with destination IPv4 address 10.20.30.130. Use the routing table excerpt to determine the best forwarding match.

Exhibit: show ip route excerpt

Gateway of last resort is 203.0.113.1 to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via 203.0.113.1
O  10.20.0.0/16 [110/20] via 192.0.2.1, GigabitEthernet0/0
O  10.20.30.0/24 [110/30] via 192.0.2.5, GigabitEthernet0/1
S  10.20.30.128/25 [1/0] via 192.0.2.9, GigabitEthernet0/2
O  10.20.31.0/24 [110/25] via 192.0.2.13, GigabitEthernet0/3

Which routing table entry will the router use?

Options:

  • A. 10.20.30.0/24 via 192.0.2.5

  • B. 0.0.0.0/0 via 203.0.113.1

  • C. 10.20.0.0/16 via 192.0.2.1

  • D. 10.20.30.128/25 via 192.0.2.9

Best answer: D

Explanation: Routers choose a forwarding entry by longest prefix match, meaning the matching route with the most prefix bits is preferred. The address 10.20.30.130 matches several entries: the default route, 10.20.0.0/16, 10.20.30.0/24, and 10.20.30.128/25. The /25 route covers addresses 10.20.30.128 through 10.20.30.255, so it includes the destination and is more specific than the /24 and /16 routes. Administrative distance and metric decide which route to the same prefix is installed in the routing table; they do not override the longest-prefix comparison between routes of different lengths.

  • Broader /24 match fails because 10.20.30.0/24 matches the destination but is less specific than the /25 route.
  • Broader /16 match fails because 10.20.0.0/16 covers many more addresses and loses to longer matching prefixes.
  • Default route fails because it is used only when no more specific matching route exists.
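Longest prefix match as described above, written out as an added Python example (not from the page or the exam sponsor) that parses the Question 11 routing-table excerpt and selects the forwarding entry; administrative distance and metric only break ties between prefixes of equal length.

```python
import ipaddress
import re

# Routing table lines copied from the Question 11 exhibit (constructed sample input).
SHOW_IP_ROUTE = """
Gateway of last resort is 203.0.113.1 to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via 203.0.113.1
O  10.20.0.0/16 [110/20] via 192.0.2.1, GigabitEthernet0/0
O  10.20.30.0/24 [110/30] via 192.0.2.5, GigabitEthernet0/1
S  10.20.30.128/25 [1/0] via 192.0.2.9, GigabitEthernet0/2
O  10.20.31.0/24 [110/25] via 192.0.2.13, GigabitEthernet0/3
"""

# Matches "<code> <prefix> [<AD>/<metric>] via <next hop>"; the interface is optional.
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z]\*?)\s+(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)"
    r"\s+\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<nh>\d+\.\d+\.\d+\.\d+)"
)


def parse_routes(text):
    """Turn show ip route lines into route dicts; non-route lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            routes.append({
                "code": m["code"],
                "prefix": ipaddress.IPv4Network(m["prefix"]),
                "ad": int(m["ad"]),
                "metric": int(m["metric"]),
                "next_hop": m["nh"],
            })
    return routes


def matching_routes(routes, dest):
    """Every entry whose prefix contains the destination (the default route always does)."""
    d = ipaddress.IPv4Address(dest)
    return [r for r in routes if d in r["prefix"]]


def best_route(routes, dest):
    """Forwarding entry for dest: longest prefix first, then lowest AD, then lowest metric."""
    candidates = matching_routes(routes, dest)
    if not candidates:
        return None
    candidates.sort(key=lambda r: (-r["prefix"].prefixlen, r["ad"], r["metric"]))
    return candidates[0]


if __name__ == "__main__":
    table = parse_routes(SHOW_IP_ROUTE)
    for dest in ("10.20.30.130", "10.20.30.5", "10.20.31.7", "10.20.99.1", "198.51.100.9"):
        r = best_route(table, dest)
        print(f"{dest:>14} -> {r['prefix']} via {r['next_hop']}")
```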

Question 12

Topic: Network Services and Security

A company wants Cisco IOS XE routers and switches to use a centralized server for administrator logins. The security team also requires per-command authorization and accounting for management sessions. If the server is unreachable, devices should fall back to local usernames. Which management authentication approach best meets these requirements?

Options:

  • A. AAA with RADIUS only

  • B. Local usernames with SSH only

  • C. AAA with TACACS+ and local fallback

  • D. VTY line passwords with enable secret

Best answer: C

Explanation: For Cisco device administration, AAA with TACACS+ is the best fit when the requirement includes centralized login control plus per-command authorization and accounting. TACACS+ separates authentication, authorization, and accounting functions, which makes it well suited for network-device management. IOS XE can also be configured to use local usernames as a fallback method if the TACACS+ server is unavailable. RADIUS is commonly used for network access authentication, but it is not the preferred choice for detailed command authorization on Cisco management sessions. The key distinction is centralized device administration with command-level control, not just secure transport or a shared line password.

  • RADIUS only is weaker for this requirement because it does not provide the per-command authorization and accounting that Cisco device administration calls for.
  • Local usernames can secure SSH access but do not provide centralized administration across devices.
  • VTY passwords are an older, shared-password approach and do not provide user-specific AAA authorization or accounting.

Question 13

Topic: Switching and Network Access

VLAN 20 users on access switch SW2 cannot reach their default gateway after an uplink change. The recorded topology says SW2 Gi1/0/48 connects to DIST1 Gi1/0/3 and carries VLANs 10, 20, and 30.

Exhibit:

SW2# show cdp neighbors interface gi1/0/48
Device ID  Local Intrfce  Capability  Port ID
DIST2      Gi1/0/48       S I         Gi1/0/7

SW2# show interfaces trunk
Port       Status     Native vlan  Vlans allowed
Gi1/0/48   trunking   1            10,20,30

DIST2# show interfaces trunk
Port       Status     Native vlan  Vlans allowed
Gi1/0/7    trunking   1            10,30

Which root cause is best supported by the evidence?

Options:

  • A. DIST1 has an OSPF adjacency failure with SW2.

  • B. SW2 Gi1/0/48 is configured as an access port in VLAN 20.

  • C. CDP is disabled, so the physical neighbor cannot be validated.

  • D. The topology record is stale; SW2 uplinks to DIST2, where VLAN 20 is missing.

Best answer: D

Explanation: CDP/LLDP neighbor output is useful for validating whether documentation matches the live cabling and switchport relationships. Here, the documentation says SW2 connects to DIST1, but the live CDP evidence shows SW2 Gi1/0/48 connects to DIST2 Gi1/0/7. The VLAN symptom also matches the actual path: SW2 allows VLAN 20 on its trunk, but DIST2 does not allow VLAN 20 on the connected trunk. The stale topology record could cause an engineer to troubleshoot the wrong distribution switch or apply the VLAN fix in the wrong place. The key validation step is to trust the current neighbor evidence over the recorded topology, then correct the actual trunk or update the documentation.

  • Access-port assumption fails because show interfaces trunk shows SW2 Gi1/0/48 is actively trunking.
  • CDP disabled fails because the CDP neighbor output is present and identifies the connected device.
  • OSPF focus is unsupported because the evidence is Layer 2 neighbor and trunk VLAN information, not a routing adjacency problem.

Question 14

Topic: Network Infrastructure and Connectivity

A wireless AP connected to Gi1/0/24 has intermittent connectivity. VLAN assignment and port security are correct. The AP supports auto-negotiation and normally runs at 1000/full, but the switch port was reused from an older device.

Exhibit:

Switch# show interfaces gi1/0/24
GigabitEthernet1/0/24 is up, line protocol is up
  Half-duplex, 100Mb/s
  5 minute input rate 12000 bits/sec
  5 minute output rate 18000 bits/sec
  0 input errors, 0 CRC, 0 frame
  893 output errors, 427 collisions, 391 late collisions

Which configuration decision should be made first?

Options:

  • A. Set speed and duplex to auto and retest

  • B. Replace the patch cable to the AP

  • C. Disable PortFast on the switch port

  • D. Move the AP to a new access VLAN

Best answer: A

Explanation: The decisive clue is the combination of Half-duplex, output errors, collisions, and especially late collisions. Late collisions occur after the normal collision window and commonly indicate a duplex mismatch, incorrect speed/duplex settings, or an Ethernet physical-layer constraint. Because the AP is expected to auto-negotiate 1000/full and the reused switch port is operating at 100/half, the first operational fix is to correct speed and duplex negotiation on that interface, then verify that counters stop increasing.

A bad cable can cause CRC or input errors, but the visible counter pattern and half-duplex state make speed/duplex the better first check.

  • Replacing the cable is plausible for physical errors, but the exhibit shows late collisions with half-duplex operation rather than CRC-heavy input errors.
  • Changing the VLAN does not address Layer 1/2 collision and output error counters.
  • Disabling PortFast affects STP behavior, not duplex negotiation or collision counters on an active access link.

Question 15

Topic: Switching and Network Access

After a switch replacement, access switch SW3 forwards VLAN 10 toward Core2. The design requires Core1 to be the Rapid PVST+ root bridge for VLAN 10 and Core2 to act as backup. VLAN 10 is passing on both uplinks.

Exhibit:

SW3# show interfaces trunk
Port      Status     Vlans allowed
Gi1/0/1   trunking   10,20
Gi1/0/2   trunking   10,20

SW3# show spanning-tree vlan 10
Root ID    Address  00bb.bbbb.bbbb  (Core2)
Root port  Gi1/0/2

Core1# show running-config | include spanning-tree vlan 10
spanning-tree vlan 10 root secondary

Which corrective action best fixes the root-bridge role?

Options:

  • A. Enable PortFast on Core1 trunk interfaces for VLAN 10.

  • B. Configure Core1 with spanning-tree vlan 10 root primary.

  • C. Configure Core1 with spanning-tree vlan 10 root secondary.

  • D. Add VLAN 10 to the allowed trunk list on SW3.

Best answer: B

Explanation: Rapid PVST+ elects a separate root bridge for each VLAN using the lowest bridge ID. The root primary macro makes a switch the preferred root for the specified VLAN by lowering its spanning-tree priority as needed. The root secondary macro is meant for the backup root role, not the active root role. In the exhibit, SW3 sees Core2 as the VLAN 10 root and Core1 is explicitly configured as root secondary, which matches the observed symptom. Since VLAN 10 is already allowed on both trunks, this is not a trunk pruning issue. The key takeaway is to use root primary on the intended active root bridge and root secondary on the intended backup bridge.

  • Secondary role fails because Core1 is already configured as the backup root, which does not satisfy the design.
  • PortFast on trunks is inappropriate because PortFast is for edge ports, not for changing root-bridge election.
  • Allowed VLAN list is not the issue because VLAN 10 is already permitted on both SW3 uplinks.

Question 16

Topic: Switching and Network Access

A user reports that an access-port connection stopped working after they connected a small unmanaged switch under their desk. The port is intended for a single endpoint, and the team wants to preserve loop protection.

Exhibit: show logging excerpt

%SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on Gi1/0/18 with BPDU Guard enabled. Disabling port.
%PM-4-ERR_DISABLE: bpduguard error detected on Gi1/0/18, putting Gi1/0/18 in err-disable state

Which configuration decision best matches the evidence and goal?

Options:

  • A. Convert Gi1/0/18 to an 802.1Q trunk.

  • B. Disable spanning tree on the access switch.

  • C. Keep BPDU Guard; re-enable the port after removing the switch.

  • D. Remove PortFast from all access ports.

Best answer: C

Explanation: The log messages identify a BPDU Guard event, not an IP addressing or physical-layer failure. BPDU Guard is commonly used with PortFast on access ports that should connect only to endpoints. If that port receives a BPDU, it likely has a switch or bridge attached, so IOS XE places the interface in the err-disabled state to prevent a potential Layer 2 loop. Because the goal is to preserve loop protection, the right response is to remove the unauthorized downstream switch and then re-enable the interface. Making the port a trunk or weakening spanning-tree protection would conflict with the intended single-endpoint access-port design.

  • Trunk conversion treats the attached device as valid infrastructure, but the stated design is a single endpoint access port.
  • Disabling STP removes core loop protection and does not address why BPDU Guard shut the port.
  • Removing PortFast broadly changes healthy access ports and does not directly recover the err-disabled interface.

Question 17

Topic: Network Services and Security

An access switch port connects one badge reader in VLAN 40. The requirement is to allow only the currently connected reader’s MAC address and to err-disable the port if any other device is connected. The exhibit was captured while the authorized reader was the only connected device. What is the best next action?

Exhibit:

SW1# show port-security interface gi1/0/12
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Maximum MAC Addresses      : 2
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 9c57.ad1c.8820:40

Options:

  • A. Enable DHCP snooping on VLAN 40.

  • B. Change the violation mode to protect only.

  • C. Set maximum 1, add 9c57.ad1c.8820, use shutdown.

  • D. Keep the settings because only one MAC is learned.

Best answer: C

Explanation: Port security can limit how many source MAC addresses are allowed on an access port and can define what happens when another MAC address appears. In the exhibit, port security is enabled, but the configuration still allows up to two MAC addresses, has no configured or sticky secure MAC address, and uses restrict, which drops violating frames and logs/counts violations but does not err-disable the interface. To meet the stated requirement, the port should allow only one secure MAC address, bind the authorized reader MAC as a secure address, and use the shutdown violation action. Static secure MAC configuration or sticky learning can satisfy the allowed-MAC part when applied intentionally.

  • Current learned MAC is not enough because the port still permits two MAC addresses and has no configured or sticky secure MAC.
  • Protect mode silently drops violating traffic and does not err-disable the port as required.
  • DHCP snooping helps defend DHCP behavior but does not restrict source MAC addresses on the switch port.
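A small compliance check for the Question 17 requirement, added here as an example and not part of the page: it parses the show port-security interface output above, reports what falls short of a one-MAC, shutdown-violation policy, and emits the interface-mode commands behind option C. The command syntax is standard IOS port-security configuration; the policy constants are assumptions for this example.

```python
# Output copied from the Question 17 exhibit (constructed sample input).
SHOW_PORT_SECURITY = """\
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Maximum MAC Addresses      : 2
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 9c57.ad1c.8820:40
"""

# Policy for a single-endpoint access port (assumed for this example).
REQUIRED_MAX = 1
REQUIRED_VIOLATION = "shutdown"


def parse_port_security(text):
    """Split 'Key : Value' lines into a dict. Splitting on ' : ' keeps the
    'Last Source Address:Vlan' key intact, since that colon has no spaces."""
    fields = {}
    for line in text.splitlines():
        if " : " not in line:
            continue
        key, _, value = line.partition(" : ")
        fields[key.strip()] = value.strip()
    return fields


def _bound_secure_macs(fields):
    """Static plus sticky secure MACs; dynamic ones are not bound to the port."""
    return (int(fields.get("Configured MAC Addresses", "0"))
            + int(fields.get("Sticky MAC Addresses", "0")))


def audit_single_endpoint_port(fields):
    """Return a list of findings; an empty list means the port meets the policy."""
    findings = []
    if fields.get("Port Security") != "Enabled":
        findings.append("port security is not enabled")
    maximum = int(fields.get("Maximum MAC Addresses", "0"))
    if maximum != REQUIRED_MAX:
        findings.append(f"maximum MAC addresses is {maximum}, expected {REQUIRED_MAX}")
    mode = fields.get("Violation Mode", "").lower()
    if mode != REQUIRED_VIOLATION:
        findings.append(f"violation mode is {mode or 'unset'}, expected {REQUIRED_VIOLATION}")
    if _bound_secure_macs(fields) == 0:
        findings.append("no static or sticky secure MAC address is bound to the port")
    return findings


def remediation_commands(fields, authorized_mac):
    """Interface-mode IOS commands that bring the port to the required state."""
    cmds = []
    if int(fields.get("Maximum MAC Addresses", "0")) != REQUIRED_MAX:
        cmds.append(f"switchport port-security maximum {REQUIRED_MAX}")
    if _bound_secure_macs(fields) == 0:
        cmds.append(f"switchport port-security mac-address {authorized_mac}")
    if fields.get("Violation Mode", "").lower() != REQUIRED_VIOLATION:
        cmds.append(f"switchport port-security violation {REQUIRED_VIOLATION}")
    return cmds


if __name__ == "__main__":
    fields = parse_port_security(SHOW_PORT_SECURITY)
    learned_mac = fields["Last Source Address:Vlan"].split(":")[0]
    for finding in audit_single_endpoint_port(fields):
        print("finding:", finding)
    for cmd in remediation_commands(fields, learned_mac):
        print(" ", cmd)
```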

Question 18

Topic: IP Routing

R1 and R2 are the only OSPF routers on a dedicated Ethernet transit VLAN using area 0. The engineer wants this link to operate without a DR/BDR election.

Exhibit:

R1# show ip ospf interface g0/0
GigabitEthernet0/0 is up, line protocol is up
  Internet Address 10.12.0.1/30, Area 0
  Network Type BROADCAST, Cost: 1
  Designated Router (ID) 2.2.2.2, Address 10.12.0.2
  Backup Designated router (ID) 1.1.1.1, Address 10.12.0.1
  Neighbor Count is 1, Adjacent neighbor count is 1

R1# show ip ospf neighbor
Neighbor ID     Pri   State      Address       Interface
2.2.2.2           1   FULL/DR    10.12.0.2    GigabitEthernet0/0

Which next action best meets the goal?

Options:

  • A. Change the OSPF router ID on R1 to a higher value.

  • B. Set the OSPF priority to 0 on both router interfaces.

  • C. Configure ip ospf network point-to-point on both router interfaces.

  • D. Configure passive-interface g0/0 on both routers.

Best answer: C

Explanation: OSPF treats Ethernet interfaces as broadcast by default, so it elects a DR and BDR even when the Ethernet segment is being used as a two-router transit link. The exhibit shows a healthy adjacency, but the interface network type is BROADCAST and a DR/BDR has been elected. Because only R1 and R2 share this transit VLAN, configuring the OSPF interface network type as point-to-point on both ends is appropriate. This changes OSPF neighbor behavior so no DR/BDR election is used on that link. The key is to make the network type consistent on both neighbors.

  • Passive interface would stop OSPF hellos on the link and prevent the neighbor relationship.
  • Priority zero prevents a router from becoming DR/BDR, but setting both to zero does not create point-to-point operation.
  • Router ID change can affect election results, but it does not remove DR/BDR behavior from a broadcast network type.

Question 19

Topic: Switching and Network Access

A switch stack must allow VLAN 20 across an existing EtherChannel trunk to an access switch. Before changing the configuration, an engineer checks the bundle status.

Exhibit:

SW1# show etherchannel summary
Flags: S - Layer2  U - in use  P - bundled in port-channel

Group  Port-channel  Protocol  Ports
1      Po1(SU)       LACP      Gi1/0/1(P) Gi1/0/2(P)

Based on the exhibit, which configuration decision should the engineer make?

Options:

  • A. Apply the VLAN change separately under each member interface.

  • B. Create interface Vlan20 to add VLAN 20 to the trunk.

  • C. Reconfigure both links with channel-group 1 mode on.

  • D. Apply the VLAN change under interface Port-channel1.

Best answer: D

Explanation: The exhibit shows a healthy Layer 2 LACP EtherChannel. Po1(SU) means Port-channel1 is Layer 2 and in use, and each member interface marked (P) is bundled into the port-channel. For trunk parameters that apply to the bundle, such as adding an allowed VLAN, the change should be made on the logical port-channel interface. Configuring shared trunk settings only on individual member links can create inconsistencies and may cause links to leave the bundle. Static mode on is also unnecessary because the bundle is already operating with LACP.

  • Member-only changes can create configuration mismatches because the bundled links should inherit shared trunk settings from the port-channel.
  • SVI creation provides a Layer 3 interface for VLAN 20 but does not add VLAN 20 to a trunk.
  • Static EtherChannel is unnecessary and changes the negotiation method from LACP to a non-negotiated bundle.

Question 20

Topic: Network Infrastructure and Connectivity

A wired user reports that web pages and internal applications are unreachable. The PC has an active link and received this DHCP lease:

IPv4 address: 10.20.30.58
Mask:         255.255.255.0
Gateway:      10.20.30.1
DNS server:   10.10.10.10

Which validation step should the technician perform first?

Options:

  • A. Ping 10.20.30.1 from the PC

  • B. Renew the DHCP lease on the PC

  • C. Check OSPF neighbors on the router

  • D. Trace the route to an Internet address

Best answer: A

Explanation: When a client has an IP address but cannot reach applications or remote networks, the first validation step is to test connectivity to the default gateway. The gateway is the client’s Layer 3 exit point from the local subnet. If the PC cannot ping 10.20.30.1, the problem is likely local, such as VLAN assignment, switchport status, cabling, ARP, or the gateway interface. If the gateway responds, then the technician can move outward to routing, ACLs, DNS, or application reachability.

Start with the nearest required hop before testing remote destinations.

  • Traceroute is premature because it depends on gateway reachability and should come after the local hop is verified.
  • Renewing DHCP is premature because the client already has a complete lease with address, mask, gateway, and DNS.
  • Checking OSPF is too far upstream because local client-to-gateway connectivity has not been validated yet.

Question 21

Topic: Switching and Network Access

SW2 has two 802.1Q uplinks to SW1. VLAN 20 clients on SW2 can reach their default gateway, but a packet capture on Gi1/0/2 shows no forwarded user frames for VLAN 20. Both uplink interfaces are up/up.

Exhibit:

SW2# show spanning-tree vlan 20
Interface   Role   Sts   Cost   Type
Gi1/0/1     Root   FWD   4      P2p
Gi1/0/2     Altn   BLK   4      P2p

SW2# show interfaces trunk
Port        Vlans allowed and active
Gi1/0/1     20
Gi1/0/2     20

Which root cause is best supported by the output?

Options:

  • A. Rapid PVST+ is blocking Gi1/0/2 for VLAN 20.

  • B. The VLAN 20 default gateway is misconfigured.

  • C. The Gi1/0/2 physical link is administratively down.

  • D. VLAN 20 is not allowed on the Gi1/0/2 trunk.

Best answer: A

Explanation: Rapid PVST+ calculates a separate spanning-tree instance per VLAN. In the exhibit for VLAN 20, Gi1/0/1 is the root port in FWD state, so it forwards VLAN 20 traffic toward the root bridge. Gi1/0/2 is an alternate port in BLK state, so it remains available as a backup path but does not forward user frames for VLAN 20. The trunk output shows VLAN 20 is allowed and active on both trunks, so the absence of forwarded frames on Gi1/0/2 is explained by STP, not trunk pruning or VLAN removal. A blocked alternate port can start forwarding if the active path fails and STP reconverges.

  • Trunk VLAN issue fails because VLAN 20 appears as allowed and active on Gi1/0/2.
  • Physical shutdown fails because the stem states both uplinks are up/up.
  • Gateway misconfiguration fails because VLAN 20 clients can already reach the default gateway.

Question 22

Topic: Switching and Network Access

A user in VLAN 10 reports that a server in another building is unreachable. The PC has a valid DHCP address, can ping its default gateway, and the access switch trunk shows VLAN 10 allowed. OSPF between R1 and R2 is FULL.

Exhibit: Traceroute from the PC to 10.30.30.20

Tracing route to 10.30.30.20
 1  10.10.10.1       2 ms   1 ms   1 ms
 2  192.0.2.2        4 ms   4 ms   5 ms
 3  *                *      *
 4  *                *      *

Which routed segment is the most likely place to investigate first?

Options:

  • A. R1-to-R2 routed segment

  • B. Access switch-to-R1 VLAN 10 path

  • C. PC-to-access-switch segment

  • D. R2-to-next-hop routed segment

Best answer: D

Explanation: Traceroute identifies each Layer 3 hop that returns a TTL-expired message. Because hop 1, the default gateway, replies, the local VLAN and gateway path are working. Because hop 2 replies, traffic is reaching R2 across the R1-to-R2 routed path. The first missing hop is hop 3, so the investigation should begin after R2: the R2 outbound interface, the next-hop router, or the routed segment between them.

A timeout after a hop does not prove the last responding router is faulty, but it narrows the likely failure point to the path beyond that router.

  • Local access issue is unlikely because the PC reaches its default gateway.
  • VLAN 10 trunk issue is unlikely because hop 1 responds from the routed gateway.
  • R1-to-R2 issue is unlikely because hop 2 responds, proving packets reached R2.

Question 23

Topic: Network Infrastructure and Connectivity

A PC connected to access VLAN 20 on an IOS XE Layer 3 switch fails to obtain a DHCPv4 address from the centralized server at 10.10.50.10. The VLAN 20 default gateway is interface Vlan20 with address 10.10.20.1/24. Routing between VLAN 20 and the server subnet is working, and no ACL blocks DHCP. The switch must not lease addresses locally. Which configuration decision should be made?

Options:

  • A. Create a local DHCP pool for 10.10.20.0/24 on the switch.

  • B. Configure ip helper-address 10.10.50.10 under the server-facing interface.

  • C. Configure ip helper-address 10.10.50.10 under interface Vlan20.

  • D. Configure ip address dhcp under interface Vlan20.

Best answer: C

Explanation: A DHCPv4 client initially sends broadcasts because it does not yet have a usable IPv4 address or know the server’s location. When the DHCP server is on a different subnet, the router or Layer 3 switch interface that receives those client broadcasts must act as the DHCP relay. On Cisco IOS XE, that means placing ip helper-address on the client VLAN SVI, not on the server-facing interface. The helper converts the client broadcast into a unicast message toward the configured DHCP server address. Since routing and ACLs are already working and the switch should not provide leases locally, the missing configuration is relay on interface Vlan20.

  • Server-facing helper fails because that interface does not receive the client’s initial DHCP broadcast.
  • SVI as DHCP client fails because ip address dhcp makes the SVI request its own address.
  • Local DHCP pool fails because the requirement is to use the centralized expected server, not the switch.

Question 24

Topic: Network Services and Security

A company wants portal.example.com to be an alias for app-gw.corp.example.net. The canonical name already has a valid A record in its own DNS zone. Users report that portal.example.com still reaches the old service.

Exhibit: DNS lookup

portal.example.com.  300  IN  CNAME  old-web.example.com.
old-web.example.com. 300  IN  A      198.51.100.20

Which configuration change should be made?

Options:

  • A. Add an A record for portal.example.com with the gateway IP address.

  • B. Create a PTR record for app-gw.corp.example.net.

  • C. Change the portal.example.com CNAME target to app-gw.corp.example.net.

  • D. Create a CNAME from app-gw.corp.example.net to portal.example.com.

Best answer: C

Explanation: A CNAME record makes one DNS name an alias for another name. In the lookup, portal.example.com already has a CNAME, but it points to old-web.example.com instead of the intended canonical name, app-gw.corp.example.net. Because the canonical name already resolves correctly in its own zone, the needed fix is to update the alias record’s target. Adding a separate A record for the alias is not the right fix and can conflict with proper CNAME use. The key diagnostic step is to verify the alias points to the intended canonical name, not just whether DNS returns an address.

  • Adding an A record bypasses the intended alias design and does not fix the incorrect CNAME target.
  • Creating a PTR record affects reverse DNS lookups, not forward name resolution for the alias.
  • Reversing the CNAME makes the canonical name an alias of the user-facing name, which is the wrong relationship.

Question 25

Topic: Network Infrastructure and Connectivity

An administrator checks PAT on an edge router after a user browses to a website. Which interpretation of the addressing in the output is best?

R1# show ip nat translations
Pro  Inside global       Inside local        Outside local       Outside global
tcp  64.100.20.5:50644   10.10.30.25:50644  93.184.216.34:443  93.184.216.34:443

Options:

  • A. 10.10.30.25 is public; 64.100.20.5 is private.

  • B. Both addresses are public because they appear in NAT output.

  • C. Both addresses are private and need another translation.

  • D. 10.10.30.25 is private; 64.100.20.5 is public.

Best answer: D

Explanation: Private IPv4 addresses are defined by RFC1918: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. In Cisco NAT output, the inside local address is the address used by the internal host before translation, and the inside global address is the address representing that host after translation. Here, 10.10.30.25 is private because it falls within 10.0.0.0/8. The address 64.100.20.5 is not in an RFC1918 private range, so it is used as the public translated address for PAT. The key is to classify the address by its range, not merely by where it appears in the NAT table.

  • Reversed roles fails because 10.10.30.25 is in 10.0.0.0/8, while 64.100.20.5 is not an RFC1918 private address.
  • All private fails because NAT output commonly includes both the private inside local address and the public inside global address.
  • All public fails because RFC1918 addresses can appear in NAT output as inside local addresses.
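As an added example that is not part of the original page, the following Python parses the exhibit's show ip nat translations row and classifies each address by RFC 1918 range rather than by its column, which is the rule the explanation stresses. The sample output is constructed from the exhibit and pat_findings is a hypothetical sanity check.

```python
import ipaddress

# RFC 1918 private IPv4 ranges named in the explanation above.
RFC1918_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample: the PAT entry from the exhibit above, as plain text.
SAMPLE_NAT_OUTPUT = """\
Pro  Inside global       Inside local        Outside local       Outside global
tcp  64.100.20.5:50644   10.10.30.25:50644  93.184.216.34:443  93.184.216.34:443
"""

def is_rfc1918(address: str) -> bool:
    """True when the address falls inside one of the RFC 1918 private ranges."""
    addr = ipaddress.ip_address(address)
    return any(addr in net for net in RFC1918_RANGES)

def split_socket(token: str):
    """Split 'address:port' into (address, port); port is None when absent."""
    if ":" in token:
        addr, port = token.rsplit(":", 1)
        return addr, int(port)
    return token, None

def parse_nat_translations(output: str) -> list:
    """Parse tcp/udp rows of 'show ip nat translations' into dicts keyed by NAT role.

    Each role maps to {"address", "port", "private"}; 'private' is decided by
    address range, not by where the address sits in the table.
    """
    roles = ("inside_global", "inside_local", "outside_local", "outside_global")
    rows = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0].lower() not in ("tcp", "udp"):
            continue  # skip the header and row shapes this parser does not handle
        entry = {"proto": fields[0].lower()}
        for role, token in zip(roles, fields[1:]):
            addr, port = split_socket(token)
            entry[role] = {"address": addr, "port": port, "private": is_rfc1918(addr)}
        rows.append(entry)
    return rows

def pat_findings(entry: dict) -> list:
    """Hypothetical sanity check for an outbound PAT entry.

    Returns the deviations from the expected pattern (private inside local,
    public inside global); an empty list means the entry looks right.
    """
    findings = []
    if not entry["inside_local"]["private"]:
        findings.append("inside local is not RFC 1918; expected a private pre-translation address")
    if entry["inside_global"]["private"]:
        findings.append("inside global is RFC 1918; a private address is not routable on the Internet")
    return findings

if __name__ == "__main__":
    for row in parse_nat_translations(SAMPLE_NAT_OUTPUT):
        for role in ("inside_global", "inside_local", "outside_local", "outside_global"):
            kind = "private" if row[role]["private"] else "public"
            print(f"{role:15} {row[role]['address']:16} {kind}")
        print("findings:", pat_findings(row) or "none")
```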

Questions 26-50

Question 26

Topic: Switching and Network Access

SW1 Gi1/0/12 is a lobby access port in VLAN 10 used only for end-user PCs. PortFast is already enabled on the interface. A network admin checks the port after a user temporarily connected a small switch.

Exhibit:

SW1# show spanning-tree interface gi1/0/12 detail
 Port 12 (GigabitEthernet1/0/12) of VLAN0010 is designated forwarding
   The port is in the portfast edge mode
   BPDU: sent 48, received 19

Which Rapid PVST+ feature is the safest next action for this risk?

Options:

  • A. Enable Loop Guard on Gi1/0/12

  • B. Enable Root Guard on Gi1/0/12

  • C. Enable BPDU Guard on Gi1/0/12

  • D. Leave only PortFast enabled

Best answer: C

Explanation: A PortFast edge port should connect only to an end host, not another switch. The exhibit shows that Gi1/0/12 is in PortFast edge mode but has received BPDUs, which means a bridging device was connected. BPDU Guard is the safest Rapid PVST+ protection for this edge-port risk because it shuts the port when BPDUs are received, preventing an accidental or unauthorized switch from participating in STP or creating a Layer 2 loop.

Root Guard protects ports where a superior BPDU should not make another switch become root. Loop Guard protects against missing BPDUs on non-edge STP ports. PortFast alone speeds forwarding but does not protect against a switch being connected.

  • Root Guard protects the root role, but it is not the usual edge-port response to receiving BPDUs from an unauthorized switch.
  • Loop Guard handles unidirectional or missing-BPDU conditions, not BPDUs received on a host-facing PortFast port.
  • PortFast alone keeps the port forwarding quickly but does not stop a user-connected switch from joining STP.

Question 27

Topic: IP Routing

R1 must send all unknown IPv6 destinations to the ISP over GigabitEthernet0/0. The ISP provided only its link-local next-hop address, FE80::2, on that link. R1 already has IPv6 forwarding enabled and can reach the ISP link-local address when the outgoing interface is specified. Which IOS XE configuration should be used on R1?

Options:

  • A. ip route ::/0 GigabitEthernet0/0 FE80::2

  • B. ipv6 route ::/0 GigabitEthernet0/0 FE80::2

  • C. ipv6 route ::/0 FE80::2

  • D. ipv6 route 2001:db8:10::/64 GigabitEthernet0/0 FE80::2

Best answer: B

Explanation: IPv6 link-local addresses are only unique on a single link, so IOS XE needs the outgoing interface to resolve a static route that uses a link-local next hop. For an IPv6 default route, the destination prefix is ::/0, and the next hop can be the ISP router’s link-local address only when paired with the correct exit interface. Since R1 already has IPv6 forwarding enabled, the missing decision is the static route format, not a global IPv6 routing prerequisite. The key takeaway is that link-local next hops require interface context.

  • Missing interface fails because FE80::2 is link-local and cannot be resolved without the outgoing interface.
  • Wrong prefix configures a connected-link route, not a default route for unknown IPv6 destinations.
  • Wrong command family fails because ip route is for IPv4 static routes, not IPv6 routes.

Question 28

Topic: AI, Network Operations and Management

A network monitoring server polls SW1 every 5 minutes. The NMS graphs interface counters and CPU normally, but it did not alert when uplink Gi1/0/48 went down for 2 minutes.

Exhibit: SW1 clues

show running-config | include snmp-server
snmp-server community MON ro

show logging | include Gi1/0/48
%LINK-3-UPDOWN: Interface Gi1/0/48, changed state to down
%LINK-3-UPDOWN: Interface Gi1/0/48, changed state to up

Which action best addresses the supported root cause?

Options:

  • A. Change the SNMP community used for polling.

  • B. Configure SW1 to send SNMP notifications to the NMS.

  • C. Add a static route from SW1 to the NMS subnet.

  • D. Increase the NMS polling interval to 30 minutes.

Best answer: B

Explanation: SNMP monitoring uses two complementary behaviors. An SNMP manager polls an agent on a device to read MIB values such as interface counters and CPU usage. SNMP notifications, such as traps or informs, are agent-initiated messages sent to a configured manager when an event occurs. In this case, polling succeeds, so basic SNMP read access and reachability are already working. The syslog proves the link-down and link-up events occurred, but the configuration shown only has a read-only community and no notification destination. To receive immediate event alerts between polling cycles, the switch must be configured to send SNMP notifications to the NMS.

  • Polling community is not the issue because the NMS already graphs polled values successfully.
  • Longer polling interval makes missed short outages more likely, not less likely.
  • Static routing is unsupported because successful polling already proves SW1 and the NMS can communicate.

Question 29

Topic: Network Services and Security

R1 routes between VLAN 10 and a server VLAN. An extended ACL named USERS-IN will be applied inbound on Gi0/0.10, the VLAN 10 gateway. VLAN 10 uses 10.10.10.0/24; server WEB1 is 172.16.30.10. The requirement is to block VLAN 10 SSH access to WEB1 only, while still allowing HTTPS, DNS, and all other routed traffic. Which ACL contents meet the requirement?

Options:

  • A. deny tcp 10.10.10.0 0.0.0.255 host 172.16.30.10 eq 22; permit ip any any

  • B. deny ip 10.10.10.0 0.0.0.255 host 172.16.30.10; permit ip any any

  • C. deny tcp 10.10.10.0 0.0.0.255 host 172.16.30.10 eq 22

  • D. permit ip any any; deny tcp 10.10.10.0 0.0.0.255 host 172.16.30.10 eq 22

Best answer: A

Explanation: Extended IPv4 ACLs are processed from top to bottom, and the first match is used. Because the ACL is applied inbound on the VLAN 10 gateway, it can match traffic sourced from 10.10.10.0/24 before it is routed. The requirement is narrow: block only TCP destination port 22 to WEB1. A specific deny tcp entry for that flow must appear before a broad permit. The final permit ip any any is required because ACLs have an implicit deny ip any any at the end. Without that explicit permit, HTTPS, DNS, and other allowed traffic would be blocked.

  • Denying IP to WEB1 blocks every protocol from VLAN 10 to the server, including required HTTPS access.
  • Permitting first causes all packets to match before the SSH deny entry is evaluated.
  • Omitting the final permit leaves the implicit deny in place, blocking required non-SSH traffic.

Question 30

Topic: Network Services and Security

R1 filters traffic entering Gi0/0 from user VLAN 192.168.10.0/24. A server is at 172.16.20.10. The goal is to allow only host 192.168.10.50 to SSH to the server while allowing all other non-SSH traffic from the user VLAN. Which extended ACL entry order should be used before applying the ACL inbound on Gi0/0?

Options:

  • A. Deny 192.168.10.0/24 SSH to 172.16.20.10; permit 192.168.10.50 SSH to 172.16.20.10; permit IP any any.

  • B. Permit 192.168.10.50 SSH to 172.16.20.10; deny other SSH to 172.16.20.10; permit IP any any.

  • C. Permit 192.168.10.50 SSH to 172.16.20.10; deny IP any any.

  • D. Permit 172.16.20.10 SSH to 192.168.10.50; deny other SSH to 172.16.20.10; permit IP any any.

Best answer: B

Explanation: Extended IPv4 ACLs are processed top-down, and the first matching ACE decides the action. For an SSH connection initiated by 192.168.10.50, the packet entering Gi0/0 has source 192.168.10.50, destination 172.16.20.10, protocol TCP, and destination port 22. The specific permit for that flow must appear before the broader deny for other SSH traffic to the same server. A final permit ip any any is needed because ACLs have an implicit deny ip any any at the end, which would otherwise block unrelated traffic from the user VLAN.

  • Broad deny first fails because 192.168.10.50 is part of 192.168.10.0/24 and would be denied before the permit is evaluated.
  • Deny IP any any fails because it blocks unrelated non-SSH traffic that the goal says must continue.
  • Reversed endpoints fails because the inbound client packet is sourced from the user host and destined to the server.
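Both Question 29 and Question 30 turn on top-down, first-match ACL processing with the implicit deny at the end. As an added example that is not part of the original page, the Python below parses the option ACLs and evaluates each against sample packets that encode the two requirements; Question 30's options are given in prose on the page, so the ACE syntax used for them here is this example's own rendering, and the DNS server address is constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None

@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None  # from "eq <port>"; None means any port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src) not in self.src:
            return False
        if ipaddress.ip_address(pkt.dst) not in self.dst:
            return False
        return self.dport is None or pkt.dport == self.dport

def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS 'address wildcard' (inverted mask) to a network; assumes a contiguous wildcard."""
    ones = bin(int(ipaddress.ip_address(wildcard))).count("1")
    return ipaddress.ip_network(f"{addr}/{32 - ones}", strict=False)

def _parse_addr(tokens: list):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]

def parse_ace(text: str) -> Ace:
    """Parse one extended ACE in the abbreviated form used in the options above."""
    tokens = text.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    src, rest = _parse_addr(rest)
    dst, rest = _parse_addr(rest)
    dport = int(rest[1]) if rest[:1] == ["eq"] else None
    return Ace(action, proto, src, dst, dport)

def parse_acl(text: str) -> list:
    """Parse ';'-separated ACEs, preserving their order."""
    return [parse_ace(part) for part in text.split(";") if part.strip()]

def evaluate(acl: list, pkt: Packet) -> str:
    """Top-down, first-match evaluation with the implicit 'deny ip any any' at the end."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return "deny"

def meets_requirement(acl_text: str, expectations: dict) -> bool:
    """True when every packet in expectations gets the action the requirement demands."""
    acl = parse_acl(acl_text)
    return all(evaluate(acl, pkt) == want for pkt, want in expectations.items())

def passing_options(options: dict, expectations: dict) -> list:
    """Which option letters satisfy the requirement."""
    return sorted(k for k, acl in options.items() if meets_requirement(acl, expectations))

# Question 29: block only VLAN 10 SSH to WEB1; HTTPS, DNS and other traffic must pass.
Q29_EXPECT = {
    Packet("tcp", "10.10.10.5", "172.16.30.10", 22): "deny",
    Packet("tcp", "10.10.10.5", "172.16.30.10", 443): "permit",
    Packet("udp", "10.10.10.5", "10.10.53.1", 53): "permit",   # constructed DNS server
}
Q29_OPTIONS = {
    "A": "deny tcp 10.10.10.0 0.0.0.255 host 172.16.30.10 eq 22; permit ip any any",
    "B": "deny ip 10.10.10.0 0.0.0.255 host 172.16.30.10; permit ip any any",
    "C": "deny tcp 10.10.10.0 0.0.0.255 host 172.16.30.10 eq 22",
    "D": "permit ip any any; deny tcp 10.10.10.0 0.0.0.255 host 172.16.30.10 eq 22",
}

# Question 30: only 192.168.10.50 may SSH to the server; other SSH denied; the rest permitted.
Q30_EXPECT = {
    Packet("tcp", "192.168.10.50", "172.16.20.10", 22): "permit",
    Packet("tcp", "192.168.10.7", "172.16.20.10", 22): "deny",
    Packet("tcp", "192.168.10.7", "172.16.20.10", 443): "permit",
}
SSH_ANY = "deny tcp 192.168.10.0 0.0.0.255 host 172.16.20.10 eq 22"
SSH_HOST = "permit tcp host 192.168.10.50 host 172.16.20.10 eq 22"
Q30_OPTIONS = {
    "A": f"{SSH_ANY}; {SSH_HOST}; permit ip any any",
    "B": f"{SSH_HOST}; {SSH_ANY}; permit ip any any",
    "C": f"{SSH_HOST}; deny ip any any",
    "D": f"permit tcp host 172.16.20.10 host 192.168.10.50 eq 22; {SSH_ANY}; permit ip any any",
}
```

Running passing_options(Q29_OPTIONS, Q29_EXPECT) and passing_options(Q30_OPTIONS, Q30_EXPECT) reproduces the answer keys, and swapping the order of SSH_HOST and SSH_ANY is enough to flip the Question 30 result.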

Question 31

Topic: IP Routing

A technician reports that no DR or BDR appears on the link between R1 and R2, but both routers can ping each other. The OSPF area is single area 0.

Exhibit: R1 output

R1# show ip ospf interface g0/0
GigabitEthernet0/0 is up, line protocol is up
  Internet Address 10.12.0.1/30, Area 0
  Network Type POINT_TO_POINT

R1# show ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address      Interface
2.2.2.2           0   FULL/-          00:00:34    10.12.0.2    Gi0/0

Which conclusion is best supported by the output?

Options:

  • A. The adjacency is normal for point-to-point OSPF.

  • B. The link is stuck before database exchange.

  • C. R2 must raise its OSPF priority above zero.

  • D. The subnet mask must be changed to /24.

Best answer: A

Explanation: On an OSPF point-to-point interface, routers do not elect a DR or BDR. The neighbor state FULL/- means the adjacency is fully established, and the dash indicates there is no DR/BDR role for that neighbor on this network type. The interface is up/up, the routers are in area 0, and the neighbor is reachable at the expected /30 address. Those facts support that OSPF behavior is normal on this link, not a failure. A DR/BDR election is expected on broadcast multiaccess segments, not on point-to-point OSPF links.

  • Priority change is unnecessary because OSPF priority affects DR/BDR election, which is not used on this point-to-point interface.
  • Exchange failure is not supported because the neighbor state is FULL, not EXSTART, EXCHANGE, or 2-WAY.
  • Mask change is unsupported because the /30 addressing is appropriate for a point-to-point routed link and the adjacency is already full.

Question 32

Topic: Switching and Network Access

VLAN 20 users on SW1 cannot reach their default gateway or obtain DHCP leases. VLAN 10 users on SW1 work normally, and VLAN 20 users connected directly to SW2 work normally. The SW1-to-SW2 link is shown below.

SW1# show interfaces trunk
Port    Mode  Encapsulation  Status    Native vlan
Gi0/1   on    802.1q         trunking  1
Port    Vlans allowed on trunk
Gi0/1   10,20

SW2# show interfaces trunk
Port    Mode  Encapsulation  Status    Native vlan
Gi0/1   on    802.1q         trunking  1
Port    Vlans allowed on trunk
Gi0/1   10

What is the best corrective action?

Options:

  • A. Change the native VLAN to 20 on both switches.

  • B. Configure SW1 Gi0/1 as an access port in VLAN 20.

  • C. Add VLAN 20 to SW2 Gi0/1 allowed VLANs.

  • D. Create a new DHCP pool for VLAN 20 on SW1.

Best answer: C

Explanation: An 802.1Q trunk carries only the VLANs that are allowed on the trunk. Both ends show the link is trunking with the same native VLAN, so the trunk itself is up and VLAN 10 passing confirms basic connectivity. The mismatch is in the allowed VLAN list: SW1 allows VLANs 10 and 20, but SW2 allows only VLAN 10. As a result, VLAN 20 traffic from SW1 is filtered at the trunk and cannot reach the gateway or DHCP service on the SW2 side.

The key fix is to make the allowed VLAN list include VLAN 20 on the SW2 trunk interface.

  • Native VLAN change does not fit because both trunks already use native VLAN 1 and the affected VLAN is tagged VLAN 20.
  • Access port conversion would break the multi-VLAN trunk and prevent VLAN 10 from passing.
  • New DHCP pool is not supported because VLAN 20 works for clients connected directly to SW2.

Question 33

Topic: Switching and Network Access

DSW1 and DSW2 must use Gi1/0/1 and Gi1/0/2 as one aggregated routed link. The routed adjacency will use IP address 10.12.12.1/30 on DSW1. DSW1 currently shows this output:

DSW1# show etherchannel summary
Group  Port-channel  Protocol  Ports
10     Po10(SU)      LACP      Gi1/0/1(P) Gi1/0/2(P)

DSW1# show interfaces port-channel10 switchport
Name: Po10
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk

What is the best next configuration action on DSW1?

Options:

  • A. Assign 10.12.12.1/30 to Gi1/0/1 and Gi1/0/2.

  • B. Change one member interface to LACP passive mode.

  • C. Create an SVI for VLAN 10 and address the SVI.

  • D. Convert Po10 and its members to routed ports, then address Po10.

Best answer: D

Explanation: A Layer 3 EtherChannel uses the port-channel as the routed interface. The physical member links and the port-channel must be configured as routed ports with no switchport, and the IP address belongs on the logical Port-channel interface, not on each physical member. The exhibit shows Po10(SU) with LACP bundled successfully, but show interfaces port-channel10 switchport confirms it is still operating as a Layer 2 trunk. Since the requirement is routed connectivity over aggregated physical links, the next action is to convert the bundle to a Layer 3 port-channel and assign 10.12.12.1/30 to Port-channel10. LACP mode is already working, so changing negotiation is not the issue.

  • Physical addressing breaks the single logical routed link model because member interfaces should not each carry the routed IP.
  • SVI routing keeps the EtherChannel as Layer 2 and routes through a VLAN interface instead of the aggregated routed port.
  • LACP mode change is unnecessary because the exhibit already shows the member links bundled with LACP.

Question 34

Topic: AI, Network Operations and Management

An engineer must verify the same NTP setting on several access switches after a maintenance window. The engineer runs a job from a management workstation and reviews this output.

Exhibit:

TASK [show running-config | include ntp server]
SW1 | SUCCESS => ntp server 10.10.10.20
SW2 | SUCCESS => ntp server 10.10.10.20
SW3 | FAILED  => SSH authentication failed
SW4 | SUCCESS => ntp server 10.10.10.20

What is the best interpretation of this management approach?

Options:

  • A. It is cloud-based management because multiple devices are listed.

  • B. It is automation-based management for a repeatable operation.

  • C. It is manual device-based management over the console.

  • D. It is controller-based management using a centralized control plane.

Best answer: B

Explanation: Automation-based management uses scripts or automation tools to perform repeatable network operations consistently across devices. In the exhibit, one task is run against several switches, producing per-device success or failure results. The failed SSH authentication on SW3 is an execution issue for that device, not a change in the management model.

The key takeaway is that repeatable, tool-driven command execution across multiple devices is automation-based management, even when one target fails.

  • Controller-based management would imply a controller managing network behavior or policy, which is not shown by this command-execution job.
  • Cloud-based management is not indicated merely because several switches appear in one output.
  • Manual console management conflicts with the visible tool output that ran one task across multiple devices.

Question 35

Topic: AI, Network Operations and Management

A network operations dashboard receives these syslog messages from switch SW1. The team wants to categorize and prioritize the event based on syslog facility and severity. What is the best interpretation?

May 25 10:14:07.112: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/12, changed state to down
May 25 10:14:07.118: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/12, changed state to down

Options:

  • A. Prioritize it as a LINK facility error for Gi1/0/12.

  • B. Deprioritize it because severity 3 is lower than severity 5.

  • C. Treat it as a LINEPROTO facility critical event.

  • D. Categorize it as informational because UPDOWN is routine.

Best answer: A

Explanation: Cisco syslog messages commonly use the format %FACILITY-SEVERITY-MNEMONIC. The facility categorizes the source or subsystem, and the severity number indicates urgency. Lower severity numbers are more urgent: 0 is emergency, 3 is error, 5 is notification, and 7 is debugging. In the exhibit, %LINK-3-UPDOWN shows a physical link-related facility with severity 3, so it should be prioritized above the %LINEPROTO-5-UPDOWN notification message for the same interface. The key takeaway is to read both the facility and the numeric severity, not just the mnemonic text.

  • Critical confusion fails because severity 5 is notification, not critical.
  • Mnemonic-only reading fails because UPDOWN does not override the numeric severity.
  • Number order reversal fails because lower syslog severity numbers indicate higher urgency.
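As an added example that is not part of the original page, this Python splits Cisco-format syslog lines into facility, numeric severity and mnemonic, then orders them by urgency the way the explanation describes; the sample lines are constructed from the exhibit and the triage rule is hypothetical.

```python
import re
from typing import Optional

# Cisco syslog severities: a lower number is more urgent.
SEVERITY_NAMES = {
    0: "emergency", 1: "alert", 2: "critical", 3: "error",
    4: "warning", 5: "notification", 6: "informational", 7: "debugging",
}

# %FACILITY-SEVERITY-MNEMONIC: text, optionally preceded by a timestamp and a colon.
SYSLOG_RE = re.compile(
    r"^(?:(?P<timestamp>.*?):\s+)?"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$"
)
INTERFACE_RE = re.compile(r"Interface (\S+?),")

# Constructed sample: the two lines from the exhibit above.
SAMPLE_LINES = [
    "May 25 10:14:07.112: %LINEPROTO-5-UPDOWN: Line protocol on Interface "
    "GigabitEthernet1/0/12, changed state to down",
    "May 25 10:14:07.118: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/12, changed state to down",
]

def parse_syslog(line: str) -> Optional[dict]:
    """Split a Cisco-format syslog line into facility, numeric severity, mnemonic and text."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    sev = int(m.group("severity"))
    iface = INTERFACE_RE.search(m.group("text"))
    return {
        "timestamp": m.group("timestamp"),
        "facility": m.group("facility"),
        "severity": sev,
        "severity_name": SEVERITY_NAMES[sev],
        "mnemonic": m.group("mnemonic"),
        "interface": iface.group(1) if iface else None,
        "text": m.group("text"),
    }

def prioritize(lines: list) -> list:
    """Parsed events ordered most urgent first, i.e. ascending numeric severity."""
    events = [e for e in (parse_syslog(ln) for ln in lines) if e is not None]
    return sorted(events, key=lambda e: e["severity"])

def triage(lines: list, alert_at: int = 3) -> list:
    """Hypothetical dashboard rule: one alert string per event at severity alert_at or more urgent."""
    return [
        f"{e['facility']}-{e['severity']}-{e['mnemonic']} ({e['severity_name']}) on {e['interface']}"
        for e in prioritize(lines) if e["severity"] <= alert_at
    ]

if __name__ == "__main__":
    for event in prioritize(SAMPLE_LINES):
        print(event["severity"], event["severity_name"], event["facility"], event["mnemonic"])
    print("alerts:", triage(SAMPLE_LINES))
```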

Question 36

Topic: Network Services and Security

A new branch office can reach Internet sites, but users cannot reach the HQ file server at 10.10.20.50. The branch has printers, VoIP phones, and PCs that all need access to HQ resources.

Clues:

Item                 Evidence
Branch LAN           10.30.10.0/24, DHCP working
Branch WAN           Public IP, interface up/up
Routing              Default route points to ISP
Current workaround   Only laptops with remote-access VPN clients can reach HQ

What is the best corrective action?

Options:

  • A. Configure PAT only on the branch edge router.

  • B. Add a CNAME record for the HQ file server.

  • C. Install remote-access VPN software on every branch device.

  • D. Configure an IPsec site-to-site VPN between the edge routers.

Best answer: D

Explanation: An IPsec site-to-site VPN is appropriate when two locations need secure network-to-network connectivity over an untrusted network such as the Internet. In this case, the branch LAN has working DHCP, an up WAN link, and a default route for Internet access, but many device types need private access to HQ resources. Remote-access VPN works only for endpoints that can run a client, which does not fit printers, phones, and other shared devices. A site-to-site tunnel between the branch and HQ edge devices can protect traffic between the two private subnets transparently to the hosts.

  • DNS change does not create encrypted connectivity to a private HQ subnet.
  • PAT only supports outbound Internet access, not secure private network-to-network access.
  • Remote-access clients are poorly suited for shared devices and do not connect the whole branch LAN.

Question 37

Topic: IP Routing

R1 and R2 are connected on Gi0/0 in OSPF area 0. IPv4 LAN-to-LAN traffic works, but IPv6 clients on the two LANs cannot reach each other. The router-to-router interfaces are up/up and have IPv6 global unicast addresses.

Exhibit:

R1# show ip ospf neighbor
Neighbor ID     State      Address       Interface
2.2.2.2         FULL/DR    10.0.12.2     Gi0/0

R1# show ip route ospf
O 192.168.20.0/24 [110/2] via 10.0.12.2, Gi0/0

R1# show ipv6 route ospf
% No OSPFv3 routes found

Which corrective action best matches the facts?

Options:

  • A. Enable OSPFv3 for the IPv6 interfaces in area 0.

  • B. Configure DHCPv6 relay on the router-to-router link.

  • C. Move the existing OSPFv2 process to area 1.

  • D. Add IPv6 prefixes to OSPFv2 network statements.

Best answer: A

Explanation: The key distinction is that OSPFv2 is used for IPv4 routing, while OSPFv3 is used for IPv6 routing at CCNA scope. The exhibit shows a working OSPFv2 neighbor relationship and an IPv4 OSPF-learned route, so the IPv4 OSPF process is not the problem. The IPv6 interfaces are up and addressed, but R1 has no OSPFv3-learned IPv6 routes. That points to missing OSPFv3 participation for the IPv6 topology, not a physical link, VLAN, or IPv4 OSPF issue.

The practical fix is to enable OSPFv3 for the relevant IPv6-enabled interfaces in the intended area.

  • OSPFv2 networks fail because OSPFv2 network statements match IPv4 interfaces and do not advertise IPv6 prefixes.
  • Changing areas is unsupported because the OSPFv2 adjacency is already full and IPv4 routes are being learned.
  • DHCPv6 relay helps clients obtain IPv6 configuration from a remote server, but it does not create IPv6 routing adjacencies or routes.

Question 38

Topic: Switching and Network Access

Users in VLAN 20 report that they cannot reach server 10.10.50.10. On multilayer switch SW1, SVIs Vlan10 and Vlan20 are up/up. An engineer runs these tests:

SW1# ping 10.10.50.10
Success rate is 100 percent (5/5)

SW1# ping
Target IP address: 10.10.50.10
Source address or interface: Vlan10
Success rate is 100 percent (5/5)

SW1# ping
Target IP address: 10.10.50.10
Source address or interface: Vlan20
Success rate is 0 percent (0/5)

What is the best interpretation?

Options:

  • A. Disable extended ping because SVIs cannot be used as sources.

  • B. Check routing or filtering for the VLAN 20 source subnet.

  • C. Replace the server uplink because the server is unreachable.

  • D. Troubleshoot DNS because name resolution is failing.

Best answer: B

Explanation: Extended ping lets an engineer specify the source interface or source IP address, which is useful when testing reachability from a particular VLAN or subnet. In this output, SW1 can reach 10.10.50.10 generally, and traffic sourced from Vlan10 succeeds. Only the test sourced from Vlan20 fails. That points to a source-specific issue, such as an ACL, firewall policy, missing return route, or routing problem affecting the VLAN 20 subnet. It does not prove that the server itself is down.

  • Server uplink fault is unlikely because pings from SW1 and Vlan10 both reach the server.
  • DNS failure does not fit because the tests use an IP address, not a hostname.
  • SVI source limitation is incorrect because extended ping can source traffic from an SVI or interface IP.

Question 39

Topic: IP Routing

A campus VLAN uses HSRP for its default gateway. The intended design is for R1 to be active, R2 to be standby, and hosts to use 10.10.10.1 as the default gateway.

Exhibit:

R1# show standby brief
Interface Grp Pri P State  Active Standby    Virtual IP
Vlan10    10  110 P Active local  10.10.10.3 10.10.10.1

R2# show standby brief
Interface Grp Pri P State   Active    Standby Virtual IP
Vlan10    10  100 P Standby 10.10.10.2 local   10.10.10.1

What is the best interpretation of the output?

Options:

  • A. The routers are using different virtual IP addresses.

  • B. HSRP is operating as intended.

  • C. Both routers are active for VLAN 10.

  • D. R2 should become active because its priority is lower.

Best answer: B

Explanation: The HSRP status matches the stated design. R1 shows State Active with local as the active router, while R2 shows State Standby and lists R1’s interface address as the active router. Both routers are in group 10 and both use the same virtual IP, 10.10.10.1, which is the default gateway address hosts should configure. The priority values also support the result: R1 has priority 110 and R2 has priority 100, so R1 is preferred when both routers are available. A lower priority does not make a router active in HSRP.

  • Dual active is not supported by the output because only R1 reports itself as active and R2 reports itself as standby.
  • Virtual IP mismatch is not shown because both devices list 10.10.10.1 as the virtual IP.
  • Lower priority wins is incorrect because HSRP prefers the higher priority router, assuming other factors are equal.

Question 40

Topic: Switching and Network Access

SW1 connects to SW2 on Gi1/0/24. VLAN 10 hosts on SW2 can reach their gateway on SW1, but VLAN 20 hosts cannot. The requirement is to carry VLANs 10 and 20 over this single switch-to-switch link; routing is done by SVIs on SW1.

Exhibit:

SW1# show interfaces gi1/0/24 switchport
Name: Gi1/0/24
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Access Mode VLAN: 10
Trunking Native Mode VLAN: 1

SW1# show vlan brief | include 10|20
10  USERS  active
20  VOICE  active

What is the best next action?

Options:

  • A. Create an SVI for VLAN 20 on Gi1/0/24.

  • B. Configure Gi1/0/24 as an 802.1Q trunk.

  • C. Convert Gi1/0/24 to a routed Layer 3 interface.

  • D. Keep Gi1/0/24 as a Layer 2 access port in VLAN 10.

Best answer: B

Explanation: The exhibit shows Gi1/0/24 is operating as a static access port in VLAN 10. An access port carries traffic for one VLAN only, so it can explain why VLAN 10 works while VLAN 20 does not traverse the inter-switch link. Because the requirement is to carry VLANs 10 and 20 across one physical Ethernet connection between switches, the interface should be a Layer 2 802.1Q trunk. The SVIs on SW1 provide Layer 3 gateway functions for the VLANs, but the physical link between switches must still transport the VLAN-tagged Layer 2 traffic.

  • Access port fails because it carries only one VLAN, matching the current problem.
  • Routed interface fails because it removes Layer 2 VLAN forwarding on the physical switch link.
  • SVI placement fails because an SVI is a logical VLAN interface, not something created on a physical port.

Question 41

Topic: Network Infrastructure and Connectivity

A campus switch routes between VLANs using SVIs. Users in VLAN 20 use interface Vlan20 with IP address 10.20.20.1/24 as their default gateway. The only DHCPv4 server is 10.10.10.50/24 in the data center, and routing between the VLANs works. New VLAN 20 clients send DHCPDISCOVER messages but do not receive leases. Which configuration decision meets the goal?

Options:

  • A. Configure ip default-gateway 10.10.10.50 on the switch.

  • B. Configure the VLAN 20 access ports as 802.1Q trunks.

  • C. Configure ip helper-address 10.10.10.50 on interface Vlan20.

  • D. Configure ip helper-address 10.10.10.50 on the data center SVI.

Best answer: C

Explanation: DHCPv4 clients initially use broadcasts, and routers do not forward broadcasts between IP networks by default. When the client subnet and DHCP server are on different networks, the Layer 3 interface closest to the client subnet must act as a DHCP relay. On Cisco IOS XE, ip helper-address is applied to the client-facing routed interface or SVI, so interface Vlan20 forwards VLAN 20 DHCP broadcasts as unicast packets to 10.10.10.50. Normal routing must already exist between the relay interface and the server, which the stem provides. Configuring the server-side interface or changing Layer 2 port mode does not relay the client broadcasts from VLAN 20.

  • Server-side relay fails because the DHCPDISCOVER broadcast never reaches the data center SVI without relay on the client subnet.
  • Default gateway command affects switch management on a Layer 2 switch, not DHCP relay on an SVI.
  • Trunk conversion changes VLAN tagging on links but does not forward DHCP broadcasts across routed networks.

Question 42

Topic: Switching and Network Access

Two access switches should form an LACP EtherChannel trunk on Port-channel1 using Gi1/0/1 and Gi1/0/2. Only one physical link is bundling, so the uplink bandwidth is lower than expected.

Exhibit:

SW1 Gi1/0/1-2: channel-group 1 mode active, switchport mode trunk
SW2 Gi1/0/1:   channel-group 1 mode passive, switchport mode trunk
SW2 Gi1/0/2:   channel-group 1 mode passive, switchport mode access

SW2# show etherchannel summary
Group  Port-channel  Protocol  Ports
1      Po1(SU)       LACP      Gi1/0/1(P) Gi1/0/2(s)

What is the best corrective action?

Options:

  • A. Change both switches to channel-group 1 mode on.

  • B. Configure Gi1/0/2 on SW2 as a trunk.

  • C. Assign IP addresses to both physical member interfaces.

  • D. Change SW2 from passive to active LACP mode.

Best answer: B

Explanation: EtherChannel member interfaces must have compatible Layer 2 settings, including trunk/access mode, native VLAN, and allowed VLANs. The exhibit shows a valid LACP pairing: SW1 is active and SW2 is passive, so LACP negotiation can occur. The problem is that Gi1/0/2 on SW2 is configured as an access port while the other participating links are trunks. That mismatch prevents the interface from joining the bundle, shown by Gi1/0/2(s) instead of (P). Matching the trunk configuration on the nonbundling member addresses the supported root cause.

  • Static EtherChannel is not needed because LACP is already negotiated successfully on one member link.
  • Passive LACP can form a channel when the far end is active, so passive mode is not the fault shown here.
  • Physical IP addressing is wrong for a Layer 2 EtherChannel trunk; IP addressing would belong on an SVI or routed port design.

Question 43

Topic: IP Routing

A branch router should use OSPF to reach 10.20.0.0/16 and use a static route only if OSPF fails. Users report that traffic is taking the slower backup link even while the OSPF neighbor is up.

Exhibit:

R1# show ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address
2.2.2.2           1   FULL/DR         00:00:33    10.1.12.2

R1# show ip route 10.20.0.0
Routing entry for 10.20.0.0/16
  Known via "static", distance 1, metric 0
  * 203.0.113.2

R1# show running-config | include ^ip route
ip route 10.20.0.0 255.255.0.0 203.0.113.2

What is the best corrective action?

Options:

  • A. Configure the static route with administrative distance 200.

  • B. Shut down the backup next-hop interface.

  • C. Clear the OSPF process to reinstall the OSPF route.

  • D. Lower the OSPF interface cost toward 10.20.0.0/16.

Best answer: A

Explanation: A floating static route is a backup static route whose administrative distance is deliberately set higher (worse) than the primary route's, so IOS installs it only when the primary route disappears from the table. In this case OSPF is working, since the neighbor is FULL, but the routing table holds the static route at its default distance of 1. OSPF routes have an administrative distance of 110, and IOS compares distance before it ever looks at metric, so a static route left at distance 1 always wins over the OSPF route. Setting the static route to a higher distance, such as 200, keeps it out of the table while the OSPF route exists and installs it only if the OSPF route is removed.

  • OSPF cost affects route selection only among OSPF paths, not between OSPF and a lower-distance static route.
  • Clearing OSPF may temporarily refresh adjacencies, but it does not change the static route’s preference.
  • Shutting the backup link removes the symptom by disabling the backup path, not by fixing floating static behavior.

Question 44

Topic: Network Services and Security

A company cannot receive inbound email for example.com from external senders. The mail gateway is mail.example.com and uses public IPv4 address 198.51.100.25. The DNS administrator verifies that the host record is correct.

Exhibit: Current public DNS records

Name              Type  Value
example.com       MX    10 198.51.100.25
mail.example.com  A     198.51.100.25

Which DNS record correction should be made?

Options:

  • A. Add a PTR record for 198.51.100.25.

  • B. Replace the MX record with an A record for example.com.

  • C. Change mail.example.com from an A record to a CNAME.

  • D. Change the MX target to mail.example.com.

Best answer: D

Explanation: For inbound mail delivery, the domain’s MX record identifies the mail exchanger by host name. The exchange field of an MX record is defined as a domain name, so an IP address literal there is invalid and sending MTAs cannot use it reliably. In this case, mail.example.com already has a valid A record pointing to 198.51.100.25, so the correction is to make the example.com MX record reference mail.example.com. External mail servers then look up the MX target and resolve that name to the gateway’s IP address. A PTR record may help with reverse DNS reputation checks, but it does not replace a valid MX-to-A lookup path.

  • A record replacement fails because mail routing for a domain depends on MX records, not only the domain’s A record.
  • PTR addition is not the primary correction because reverse DNS does not tell senders which host accepts mail for the domain.
  • CNAME change is unnecessary and would itself be a fault: an MX target must resolve directly to address records, not to an alias (RFC 2181, section 10.3), and the existing A record already resolves the mail host.

Question 45

Topic: IP Routing

R1 and R2 are directly connected on 10.12.12.0/30 and can ping each other. They must form a single-area OSPFv2 adjacency in area 0. The neighbor table is empty.

Exhibit:

R1
router ospf 10
 network 10.12.12.0 0.0.0.3 area 0

R2
router ospf 20
 network 10.12.12.0 0.0.0.3 area 1

Which correction should be made?

Options:

  • A. Configure both OSPF interfaces as passive.

  • B. Move the R2 link network into area 0.

  • C. Advertise 10.12.12.0/24 on R2.

  • D. Change the R2 OSPF process ID to 10.

Best answer: B

Explanation: For single-area OSPFv2 adjacency, the two routers must place the shared link in the same OSPF area. In the exhibit, R1 advertises the connected /30 into area 0, but R2 advertises the same link into area 1, so the routers will not become neighbors on that interface. The OSPF process ID, such as 10 or 20, is only locally significant on each router and does not need to match between neighbors. The best correction is to configure R2 so the connected link participates in area 0.

  • Process ID matching is unnecessary because OSPF process IDs are local to each router.
  • Passive interfaces suppress OSPF neighbor formation, so they would prevent the required adjacency.
  • Wider network statement does not fix the area mismatch and may advertise unintended interfaces.

Question 46

Topic: IP Routing

R1 and R2 should exchange IPv4 routes using single-area OSPFv2 in area 0. Users behind R1 cannot reach 10.2.2.0/24 behind R2. The R1-R2 link is up, and R1 can ping R2 at 10.0.12.2.

Exhibit:

R1# show ip ospf neighbor
<no neighbors>

R1# show running-config | section router ospf
router ospf 10
 network 10.0.12.0 0.0.0.255 area 0
 network 10.1.1.0 0.0.0.255 area 0

R2# show running-config | section router ospf
router ospf 10
 network 10.2.2.0 0.0.0.255 area 0

Which corrective action is best supported by the evidence?

Options:

  • A. Add R2 network 10.0.12.0 0.0.0.255 area 0

  • B. Change R1 and R2 to the same OSPF process ID

  • C. Move R2 LAN 10.2.2.0/24 to area 1

  • D. Configure a static route on R1 to 10.2.2.0/24

Best answer: A

Explanation: In OSPFv2, a network statement enables OSPF on matching IPv4 interfaces and assigns those interfaces to an area. The R1-R2 link is physically and IP-reachable because R1 can ping 10.0.12.2, but show ip ospf neighbor on R1 shows no neighbor. R1 has a network statement for the transit link, while R2 only enables OSPF on its LAN. Adding the transit subnet to R2 under OSPF area 0 allows R2 to send and receive OSPF hellos on that interface and form the single-area adjacency. A static route might restore one prefix temporarily, but it does not meet the dynamic routing requirement.

  • Process ID match is not required because OSPF process IDs are locally significant on Cisco routers.
  • Static routing bypasses the required dynamic OSPFv2 exchange and does not explain the missing neighbor.
  • Area 1 on the LAN would create a multi-area design and still would not enable OSPF on the shared transit link.

Question 47

Topic: Network Infrastructure and Connectivity

An access VLAN uses R1 GigabitEthernet0/0 as the default gateway. PC-A cannot reach any off-subnet destinations after a manual IPv4 change. Choose the configuration decision that restores PC-A connectivity without changing the VLAN subnet.

Exhibit:

R1 G0/0: 192.168.50.1/24
R1 log: %IP-4-DUPADDR: Duplicate address 192.168.50.1 on GigabitEthernet0/0
PC-A IPv4: 192.168.50.1
PC-A mask: 255.255.255.0
PC-A gateway: 192.168.50.1

Options:

  • A. Set PC-A gateway to 192.168.50.254

  • B. Change PC-A mask to 255.255.0.0

  • C. Set PC-A to an unused 192.168.50.0/24 address

  • D. Change R1 G0/0 to 192.168.50.254/24

Best answer: C

Explanation: The visible facts show a duplicate IPv4 address: both PC-A and R1 G0/0 are using 192.168.50.1. Because R1 G0/0 is the default gateway for the VLAN, that address should remain on the router interface. PC-A must use a different, unused host address in the same 192.168.50.0/24 subnet and continue using 192.168.50.1 as its default gateway.

Changing the mask or gateway does not remove the duplicate address, and changing the router gateway address would unnecessarily affect the VLAN.

  • Moving the gateway can disrupt other hosts that already use 192.168.50.1 as their default gateway.
  • Changing only the gateway leaves PC-A with the duplicate 192.168.50.1 address.
  • Changing the mask does not fix the conflict with the router interface address.

Question 48

Topic: Network Infrastructure and Connectivity

A user’s laptop can reach internal web apps when docked to Ethernet, but it cannot reach any network resources when using the corporate Wi-Fi SSID. The help desk confirms the laptop shows “Connected” to the SSID.

Exhibit: Client connectivity summary

Ethernet adapter:
  IPv4 address: 10.20.30.44/24
  Default gateway: 10.20.30.1
  Ping gateway: success

Wi-Fi adapter - SSID CorpWiFi:
  IPv4 address: 169.254.18.72/16
  Default gateway: none
  Signal: strong
  Security: authenticated

Which troubleshooting action is the best next step?

Options:

  • A. Replace the Ethernet cable on the docking station.

  • B. Change the DNS server on the Wi-Fi adapter.

  • C. Verify DHCP service or relay for the wireless VLAN.

  • D. Reconfigure the Wi-Fi security credentials.

Best answer: C

Explanation: The core clue is the Wi-Fi adapter’s 169.254.x.x address with no default gateway. That address is self-assigned when a DHCP-enabled client cannot obtain a valid lease. Because the wireless client is already authenticated with strong signal, the first useful validation is the DHCP path for the wireless VLAN, such as the DHCP scope, relay address, or reachability to the DHCP server. The Ethernet adapter works and has a valid address, so the issue is not general laptop connectivity. DNS troubleshooting comes later only after the client has a valid IP address, mask, gateway, and Layer 3 reachability.

  • Ethernet cable is unlikely because wired connectivity succeeds and the failing path is Wi-Fi.
  • Wi-Fi credentials are not the best target because the client is already authenticated to the SSID.
  • DNS settings do not explain the lack of a valid IPv4 address or default gateway.

Question 49

Topic: Switching and Network Access

A technician is validating a switchport-to-device map after users report that the conference-room AP label in the documentation is wrong. On access switch ASW1, these clues are visible:

ASW1# show interfaces gi1/0/18 status
Port      Name        Status  Vlan  Duplex  Speed
Gi1/0/18  Conf-Rm     connected 30  a-full  a-1000

ASW1# show cdp neighbors gi1/0/18
Device ID  Local Intrfce  Holdtme  Capability  Platform  Port ID

ASW1# show lldp neighbors gi1/0/18
Device ID   Local Intf  Hold-time  Capability  Port ID
AP-Conf-2   Gi1/0/18    120        W           eth0

Which evidence is the best basis for updating the documentation for Gi1/0/18?

Options:

  • A. Use the interface status only to document an AP.

  • B. Use the empty CDP output to mark the port unused.

  • C. Use the VLAN assignment to identify the device model.

  • D. Use the LLDP neighbor entry for AP-Conf-2.

Best answer: D

Explanation: CDP and LLDP both discover directly connected neighbors, but their roles differ. CDP is Cisco proprietary, so a missing CDP neighbor does not prove that no device is attached. LLDP is standards-based and commonly used by non-Cisco devices such as third-party APs, phones, and switches. In the exhibit, the interface is connected, and LLDP reports AP-Conf-2 on the exact local interface with a wireless capability. That makes LLDP the strongest discovery evidence for correcting the port-to-device documentation. Interface status and VLAN membership help describe the port, but they do not identify the attached endpoint.

  • Empty CDP output is not enough because a non-Cisco device may not advertise with CDP.
  • Interface status alone confirms link connectivity but not the neighbor identity.
  • VLAN assignment describes Layer 2 placement, not the device name, vendor, or model.

Question 50

Topic: AI, Network Operations and Management

A network team is reviewing a proposed VLAN change for two access switches. Based on the exhibit, which interpretation best describes the management approach?

Exhibit: Change pipeline excerpt

Repository: net-iac
Branch: change/vlan-30-voice
File: group_vars/access_switches.yml
Change:
  vlans:
    - id: 30
      name: VOICE
Pipeline: plan generated; awaiting approval
Targets: SW1, SW2

Options:

  • A. SNMP-based monitoring of switch configuration state

  • B. Manual CLI configuration with post-change documentation

  • C. Syslog-based configuration auditing

  • D. Infrastructure as code using a version-controlled desired state

Best answer: D

Explanation: Infrastructure as code represents infrastructure configuration as files or other artifacts that can be reviewed, version controlled, and applied consistently. In the exhibit, the VLAN is defined in a repository file, the change is on a branch, and a pipeline has generated a plan before approval. Those clues show a desired-state workflow rather than an operator manually typing commands on each switch. The repository artifact becomes the source of truth for the intended configuration, and the pipeline controls how it is deployed to SW1 and SW2. Monitoring and logging may help validate the result, but they are not the management approach shown here.

  • SNMP monitoring can collect operational data, but the exhibit shows a planned configuration change stored in a repository.
  • Manual CLI does not match the branch, file, and pipeline approval workflow shown in the exhibit.
  • Syslog auditing records events after they occur, while the exhibit shows desired configuration being reviewed before deployment.

Questions 51-75

Question 51

Topic: AI, Network Operations and Management

A small branch has one IOS XE router and two access switches. The administrator must change only the router hostname during a maintenance window. The site does not use a controller, cloud dashboard, or automation platform. Which management decision matches a device-based approach?

Options:

  • A. Update the hostname in a cloud management portal

  • B. SSH to the router and enter IOS XE configuration commands

  • C. Run an Ansible playbook against the inventory group

  • D. Push a controller template to the branch site

Best answer: B

Explanation: Device-based management configures or operates each network device directly. In this scenario, the administrator needs a one-device change and has no controller, cloud dashboard, or automation platform available. Connecting to the router with SSH or console access and entering IOS XE configuration commands applies the change directly on that device.

A controller template, Ansible playbook, or cloud portal can be valid in other management models, but they do not match the stated constraint that the router is managed directly.

  • Controller template fails because it uses a centralized controller-based model, not direct device operation.
  • Ansible playbook fails because it is automation-based management rather than an administrator configuring the device directly.
  • Cloud portal fails because it depends on cloud-based management, which the branch does not use.

Question 52

Topic: IP Routing

A branch router cannot reach the HQ subnet 10.20.20.0/24. The WAN interface G0/0 is up/up with IP address 198.51.100.2/30, and ping 198.51.100.1 succeeds.

Exhibit:

R1# show ip route static
Gateway of last resort is not set

R1# show running-config | include ^ip route
ip route 10.20.20.0 255.255.255.0 198.51.100.6

Which conclusion is best supported by the evidence?

Options:

  • A. OSPF has a lower administrative distance.

  • B. The WAN interface is administratively down.

  • C. The static route uses an unreachable next hop.

  • D. The HQ subnet mask is too specific.

Best answer: C

Explanation: A static route must have a valid forwarding path before it can be used. Here, G0/0 is 198.51.100.2/30, so the directly connected subnet is 198.51.100.0/30, with usable addresses 198.51.100.1 and 198.51.100.2. The configured next hop, 198.51.100.6, is outside that connected subnet, and show ip route static lists nothing because IOS installs a static route only when it can resolve the next hop through another route in the table; here no route covers 198.51.100.6. Because the router can ping 198.51.100.1, the WAN link itself is working. The supported fix is to point the static route at the reachable WAN next hop, 198.51.100.1.

  • Mask issue is not supported because 10.20.20.0/24 is a valid destination network and the failure is next-hop reachability.
  • Interface down conflicts with the stated up/up interface state and successful ping to the WAN neighbor.
  • OSPF preference is unsupported because no OSPF route is shown, and OSPF would not explain the missing static route here.

Question 53

Topic: Switching and Network Access

A user connects a Cisco IP phone to switch port Gi1/0/12 and connects a workstation through the phone. The site standard is data VLAN 20 for workstations and voice VLAN 30 for phones.

Exhibit:

SW1# show interfaces gi1/0/12 switchport
Name: Gi1/0/12
Operational Mode: static access
Access Mode VLAN: 20 (DATA)
Voice VLAN: none

SW1# show cdp neighbors gi1/0/12
Device ID        Local Intrfce  Platform
SEP001122334455  Gi1/0/12       Cisco IP Phone 8841

What is the best next action?

Options:

  • A. Add Gi1/0/12 to a port channel

  • B. Configure voice VLAN 30 on Gi1/0/12

  • C. Change the access VLAN to VLAN 30

  • D. Convert Gi1/0/12 to an 802.1Q trunk

Best answer: B

Explanation: An IP phone with a downstream workstation normally uses an access port with two edge-host attributes: the access VLAN for untagged workstation traffic and the voice VLAN for tagged phone voice traffic. The exhibit shows Gi1/0/12 is already an access port in VLAN 20, which satisfies the workstation requirement. CDP identifies the connected device as a Cisco IP phone, but the port has no voice VLAN configured. Adding voice VLAN 30 allows the phone to place voice traffic in the correct VLAN while keeping the workstation in VLAN 20.

A trunk is not required for the typical phone-plus-PC edge port; the key mismatch is the missing voice VLAN.

  • Changing access VLAN would move untagged workstation traffic into the voice VLAN instead of keeping data in VLAN 20.
  • Using a trunk is unnecessary for a standard Cisco IP phone edge port with a single data VLAN and voice VLAN.
  • Adding a port channel addresses link aggregation, not host VLAN classification for a phone and workstation.

Question 54

Topic: IP Routing

R1, R2, and R3 run single-area OSPFv2. An administrator expects R1 to use R2 to reach 10.30.30.0/24, but traceroute from R1 goes through R3.

Exhibit: R1 output

R1# show ip ospf neighbor
Neighbor ID     Pri   State      Address      Interface
2.2.2.2           0   FULL/-     10.0.12.2    Gi0/0
3.3.3.3           0   FULL/-     10.0.13.3    Gi0/1

R1# show ip route 10.30.30.0
Routing entry for 10.30.30.0/24
  Known via "ospf 1", distance 110, metric 20
  * 10.0.13.3, from 3.3.3.3, GigabitEthernet0/1

Documented total OSPF costs:
R1-R2-destination: 30
R1-R3-destination: 20

Which explanation is best supported by the facts?

Options:

  • A. R3 has a lower administrative distance than R2.

  • B. The R2 OSPF adjacency is down.

  • C. R1 is using a default route instead of OSPF.

  • D. OSPF selected the lower-cost path through R3.

Best answer: D

Explanation: OSPF chooses the best route by comparing OSPF cost after the route is learned from valid neighbors. The neighbor table shows both R2 and R3 in FULL state, so the R2 adjacency is not the immediate problem. The routing table shows the prefix learned by OSPF with metric 20 via 10.0.13.3, which is R3. Because the documented R3 path cost is 20 and the R2 path cost is 30, R1 is behaving normally by installing the lower-cost OSPF route. If the design requires R2 to be preferred, adjust OSPF interface costs so the R2 path has the lower total cost.

  • Adjacency down fails because R2 appears in FULL state in the OSPF neighbor table.
  • Administrative distance fails because both paths are from the same OSPF process and use the same AD of 110.
  • Default route fails because the route table shows a specific OSPF route to 10.30.30.0/24.

Question 55

Topic: Network Infrastructure and Connectivity

Users report very slow file transfers across a recently connected Ethernet link between SW1 and R1. Review the interface counters from both ends.

SW1# show interfaces gi1/0/24
GigabitEthernet1/0/24 is up, line protocol is up
  Full-duplex, 100Mb/s
  18,432 input errors, 18,432 CRC
  0 collisions, 0 late collisions

R1# show interfaces gi0/0
GigabitEthernet0/0 is up, line protocol is up
  Half-duplex, 100Mb/s
  21,901 collisions, 683 late collisions
  0 input errors, 0 CRC

What is the best next action?

Options:

  • A. Increase the interface MTU on both devices

  • B. Clear the counters and wait for another report

  • C. Make the duplex settings match on both interfaces

  • D. Replace the copper patch cable between the devices

Best answer: C

Explanation: A duplex mismatch occurs when the two ends of an Ethernet link use different duplex modes. In this exhibit, SW1 is full-duplex while R1 is half-duplex at the same speed. The half-duplex side records collisions and late collisions because it still applies CSMA/CD, while the full-duplex side transmits whenever it has a frame and records the resulting corrupted frames as CRC and input errors. The usual cause is one side hard-coded to full duplex while the other autonegotiates: with no negotiation partner, the autonegotiating side falls back to half duplex. The correction is to verify the intended settings and configure both ends consistently, either auto-negotiation on both sides or matching manual speed and duplex on both sides. Replacing the cable may be reasonable for physical errors, but the displayed duplex difference is the primary fault.

  • Cable replacement is tempting because CRC errors appear, but the opposite duplex settings and late collisions point to configuration or negotiation mismatch.
  • MTU change does not address collisions, late collisions, or duplex state.
  • Clearing counters may help measure after a fix, but it does not correct the active mismatch.

Question 56

Topic: AI, Network Operations and Management

A network team must add the same NTP server configuration to 45 Cisco IOS XE switches during a maintenance window. The switches are reachable by SSH, and the team wants a repeatable method that records which devices succeeded or failed. Which operational decision is most appropriate?

Options:

  • A. Ask an AI assistant to generate the final configuration only

  • B. Use an Ansible playbook against a switch inventory

  • C. Poll each switch with SNMP before making changes

  • D. Configure each switch manually from the console

Best answer: B

Explanation: Ansible fits repeatable command execution when the same operational change must be applied consistently to many network devices. In this scenario, the switches are reachable by SSH, the change is identical, and the team needs success/failure visibility. An Ansible inventory defines the device scope, and a playbook defines the tasks to run, which is more scalable and auditable than manual device-by-device configuration.

SNMP is useful for monitoring and inventory data, but it is not the right mechanism for pushing IOS XE configuration changes. AI can help draft or review a change, but generated text still needs a tool or operator to apply and validate it.

  • Manual console work does not meet the repeatability or scale requirement for 45 switches.
  • SNMP polling can collect status, but it does not apply the NTP configuration.
  • AI-generated config may assist planning, but it does not provide controlled execution across the inventory.

Question 57

Topic: Network Services and Security

After a management ACL change, engineers can SSH to switch S1 only with the local break-glass account. Corporate AAA usernames fail, but S1 can ping the AAA server.

Exhibit:

aaa authentication login VTY group tacacs+ local
line vty 0 4
 login authentication VTY

S1 source IP: 10.20.30.5
AAA server:   10.20.30.10

MGMT-TO-AAA ACL:
 permit udp host 10.20.30.5 host 10.20.30.10 eq 1812
 permit udp host 10.20.30.5 host 10.20.30.10 eq 1813
 deny ip any any log

Syslog: TACACS server 10.20.30.10 not responding

What is the best corrective action?

Options:

  • A. Permit TCP port 49 to the AAA server

  • B. Change the VTY method list to local only

  • C. Permit UDP ports 1812 and 1813 to the AAA server

  • D. Remove the local username from S1

Best answer: A

Explanation: The configured VTY authentication method list tries the TACACS+ group first and then falls back to the local database if the TACACS+ servers are unavailable. The ACL permits RADIUS authentication and accounting ports, UDP 1812 and UDP 1813, but the device is configured for TACACS+, which uses TCP port 49. The ping only proves basic IP reachability; it does not prove the required AAA application port is allowed. Because the syslog reports the TACACS server is not responding and local login succeeds, the best fix is to allow TACACS+ traffic through the management ACL.

  • RADIUS ports are already permitted, but the visible AAA method list is using TACACS+, not RADIUS.
  • Removing local access would remove the fallback path and could lock out administrators during AAA outages.
  • Local-only authentication would bypass centralized AAA instead of fixing the blocked TACACS+ communication.

Question 58

Topic: IP Routing

An engineer must apply an outbound policy only on the interface R1 will use to forward packets to destination 10.20.30.90. Use only the routing table excerpt; do not assume any physical topology beyond what is shown.

R1# show ip route | include 10.20|0.0.0.0
O    10.20.0.0/16 [110/20] via 192.0.2.2, GigabitEthernet0/0
S    10.20.30.0/24 [1/0] via 198.51.100.2, GigabitEthernet0/1
O    10.20.30.0/25 [110/30] via 192.0.2.6, GigabitEthernet0/2
S    10.20.30.64/26 [1/0] via 198.51.100.6, GigabitEthernet0/3
S*   0.0.0.0/0 [1/0] via 203.0.113.1, GigabitEthernet0/4

Which interface should be selected?

Options:

  • A. GigabitEthernet0/1

  • B. GigabitEthernet0/0

  • C. GigabitEthernet0/4

  • D. GigabitEthernet0/3

Best answer: D

Explanation: Routers choose the forwarding route by longest prefix match among routes installed in the routing table. The destination 10.20.30.90 falls within 10.20.30.64/26, which covers addresses 10.20.30.64 through 10.20.30.127. That prefix is more specific than the /25, /24, /16, and default route entries, so R1 forwards the packet toward next hop 198.51.100.6 out GigabitEthernet0/3. Administrative distance does not override a longer matching prefix when both routes are present in the table. The safest conclusion is the one directly supported by the route entry, not by assumed topology.

  • Broader OSPF route fails because 10.20.0.0/16 matches but is less specific than the /26 route.
  • Static /24 route fails because administrative distance is not compared before longest prefix match.
  • Default route fails because it is used only when no more specific matching route exists.
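The longest-prefix-match rule described above, applied to the routing-table excerpt, as an added example that is not part of the original page. It parses the five `show ip route` lines and selects the forwarding interface for any destination; the regular expression and helper names are this example's own.

```python
import ipaddress
import re

# Constructed copy of the R1 routing-table excerpt from the question.
ROUTE_TABLE = """\
O    10.20.0.0/16 [110/20] via 192.0.2.2, GigabitEthernet0/0
S    10.20.30.0/24 [1/0] via 198.51.100.2, GigabitEthernet0/1
O    10.20.30.0/25 [110/30] via 192.0.2.6, GigabitEthernet0/2
S    10.20.30.64/26 [1/0] via 198.51.100.6, GigabitEthernet0/3
S*   0.0.0.0/0 [1/0] via 203.0.113.1, GigabitEthernet0/4
"""

# One IOS route line: code, prefix, [AD/metric], next hop, egress interface.
ROUTE_RE = re.compile(
    r"^(?P<code>\S+)\s+(?P<prefix>[\d.]+/\d+)\s+\[(?P<ad>\d+)/(?P<metric>\d+)\]"
    r"\s+via\s+(?P<nexthop>[\d.]+),\s+(?P<intf>\S+)\s*$"
)


def parse_routes(text):
    """Turn the show-command text into route records the lookup can use."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        routes.append({
            "code": m["code"],
            "network": ipaddress.ip_network(m["prefix"], strict=False),
            "ad": int(m["ad"]),
            "metric": int(m["metric"]),
            "next_hop": m["nexthop"],
            "interface": m["intf"],
        })
    return routes


def matching_routes(routes, destination):
    """All installed routes covering the destination, most specific first."""
    dst = ipaddress.ip_address(destination)
    hits = [r for r in routes if dst in r["network"]]
    return sorted(hits, key=lambda r: r["network"].prefixlen, reverse=True)


def lookup(routes, destination):
    """Forwarding decision: longest prefix wins; AD is not compared across
    different prefix lengths, only between routes for the same prefix."""
    hits = matching_routes(routes, destination)
    return hits[0] if hits else None
```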

Question 59

Topic: IP Routing

R1 and R2 are directly connected on GigabitEthernet0/0 in the same IPv4 subnet. Both interfaces are up/up, but neither router learns OSPF routes from the other. On R1, the engineer sees this output:

R1# show ip ospf neighbor
<no entries>

R1# show ip ospf interface g0/0 | include State|Passive
  State POINT_TO_POINT
  No Hellos (Passive interface)

R1# show ip route ospf
<no OSPF routes>

Which correction best addresses the root cause?

Options:

  • A. Increase the OSPF priority on R1 G0/0

  • B. Add a static route on R1 to R2’s LAN

  • C. Change R1 G0/0 to area 1

  • D. Remove passive mode from R1 G0/0

Best answer: D

Explanation: The decisive clue is No Hellos (Passive interface) on the OSPF-enabled link between routers. A passive OSPF interface can still advertise its connected network, but it suppresses OSPF Hello packets and does not form neighbor adjacencies on that interface. Because R1 and R2 are directly connected and the physical interface is up/up, the best correction is to allow OSPF Hellos on that router-to-router interface, typically with no passive-interface g0/0 under the OSPF process. This restores the chance for a normal single-area adjacency and route exchange. Changing areas, tuning priority, or adding static routes does not address the visible reason the adjacency is missing.

  • Area change is unsupported because the exhibit does not show an area mismatch, and moving one side to another area would not fix suppressed Hellos.
  • Priority tuning affects DR/BDR election on broadcast networks, not whether a passive interface sends Hellos.
  • Static routing could provide reachability, but it bypasses rather than fixes the OSPF adjacency problem.

Question 60

Topic: Network Infrastructure and Connectivity

A workstation on VLAN 30 is statically configured for IPv6 but cannot reach any IPv6 resources outside its subnet. Other hosts on VLAN 30 can reach the same resources.

Evidence:

Item                           Value
Workstation address            2001:db8:30:5::42/64
Workstation default gateway    2001:db8:30:6::1
R1 VLAN 30 interface           2001:db8:30:5::1/64
Ping from workstation to R1    Fails

Which configuration change should fix the problem?

Options:

  • A. Change the workstation prefix length to /48.

  • B. Configure an IPv6 static route on the workstation.

  • C. Change R1 VLAN 30 to 2001:db8:30:6::1/64.

  • D. Set the workstation gateway to 2001:db8:30:5::1.

Best answer: D

Explanation: The workstation has a valid IPv6 address for the VLAN 30 prefix, 2001:db8:30:5::/64, and R1 also has an address in that same prefix. The configured default gateway, 2001:db8:30:6::1, is in a different /64, so the workstation cannot use it as the next hop on the local link. Because other VLAN 30 hosts can reach outside resources, the router and upstream path are likely working. The fix is to point the workstation to R1’s on-link IPv6 address for VLAN 30. Changing the subnet size or router interface would disrupt the working addressing plan instead of correcting the bad host gateway.

  • Widening the prefix masks the gateway mismatch but changes the subnet design and is not supported by the VLAN evidence.
  • Changing R1 addressing would break other working VLAN 30 hosts that already use the 2001:db8:30:5::/64 prefix.
  • Adding a host route is unnecessary because the default gateway itself is incorrectly configured.

Question 61

Topic: AI, Network Operations and Management

A wireless AP connected to SW1 port Gi1/0/24 stopped serving clients. The DHCP server has no new lease requests from that AP after 09:18. The NOC sees these syslog messages from SW1:

09:18:02 SW1 %LINK-3-UPDOWN: Interface Gi1/0/24, changed state to down
09:18:03 SW1 %LINEPROTO-5-UPDOWN: Line protocol on Interface Gi1/0/24, changed state to down
09:19:10 SW1 %SYS-5-CONFIG_I: Configured from console by netadmin

Which event should be prioritized first for escalation?

Options:

  • A. %SYS-5-CONFIG_I from console

  • B. %LINK-3-UPDOWN on Gi1/0/24

  • C. %LINEPROTO-5-UPDOWN on Gi1/0/24

  • D. The DHCP lease absence only

Best answer: B

Explanation: Cisco syslog messages commonly use the format %FACILITY-SEVERITY-MNEMONIC. The facility categorizes the source or function of the event, while the severity number indicates urgency; lower numbers are more severe. In this case, %LINK-3-UPDOWN is a link-related error for the exact switchport connected to the failed AP. The %LINEPROTO-5-UPDOWN message supports the outage, but severity 5 is a notification, not the highest-priority event. The DHCP clue confirms impact but does not categorize the switch event. Prioritize the link error because it is both more severe and directly tied to the affected interface.

  • Line protocol trap is related, but severity 5 is less urgent than the severity 3 link event.
  • Config message trap shows a management event, but it does not directly identify the AP-facing interface failure.
  • DHCP-only trap confirms impact, but it does not use syslog facility or severity to classify the event.
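Triage logic for the %FACILITY-SEVERITY-MNEMONIC format explained above, as an added example that is not part of the original page. It parses the three constructed syslog lines from the question, labels each severity number, and ranks events for a given interface so the lowest severity number surfaces first; the function names are this example's own.

```python
import re

# Constructed copies of the SW1 syslog lines from the question.
SYSLOG = """\
09:18:02 SW1 %LINK-3-UPDOWN: Interface Gi1/0/24, changed state to down
09:18:03 SW1 %LINEPROTO-5-UPDOWN: Line protocol on Interface Gi1/0/24, changed state to down
09:19:10 SW1 %SYS-5-CONFIG_I: Configured from console by netadmin
"""

# Standard syslog severity levels; lower numbers are more severe.
SEVERITY_NAMES = {
    0: "emergency", 1: "alert", 2: "critical", 3: "error",
    4: "warning", 5: "notification", 6: "informational", 7: "debugging",
}

MSG_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$"
)


def parse_syslog(text):
    """Split each line into timestamp, host, facility, severity, mnemonic and text."""
    events = []
    for line in text.splitlines():
        m = MSG_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["severity"] = int(ev["severity"])
        ev["severity_name"] = SEVERITY_NAMES[ev["severity"]]
        events.append(ev)
    return events


def events_for_interface(events, interface):
    """Keep only events whose message text names the affected interface."""
    return [e for e in events if interface in e["text"]]


def prioritize(events, interface=None):
    """Escalation order: lowest severity number first, then earliest timestamp.
    If an interface is given, events not tied to it are dropped first."""
    pool = events_for_interface(events, interface) if interface else events
    return sorted(pool, key=lambda e: (e["severity"], e["time"]))
```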

Question 62

Topic: Network Services and Security

A branch router must publish an internal HTTPS server at 192.168.20.50 to Internet users as https://203.0.113.10. Internal clients can reach the server on TCP 443. The WAN and LAN interfaces are up/up, and the router has a default route to the ISP.

Exhibit:

ip nat inside source static tcp 192.168.20.50 443 203.0.113.10 8443
!
ip access-list extended OUTSIDE-IN
 permit tcp any host 203.0.113.10 eq 443

Which action best corrects the reachability problem?

Options:

  • A. Add a default route toward the LAN interface

  • B. Map public TCP 443 to the internal server TCP 443

  • C. Reverse the NAT inside and outside interface roles

  • D. Replace the extended ACL with a standard ACL

Best answer: B

Explanation: Static PAT for an inside server must match the public address and public port that outside clients use. In the exhibit, the inside local service is 192.168.20.50:443, but it is translated to public port 8443 on 203.0.113.10. Users are browsing to HTTPS on the default port, TCP 443, and the outside ACL also permits TCP 443. Because no static PAT entry is listening on public TCP 443, the router cannot translate those inbound connections to the server.

The supported fix is to change the static PAT mapping so 203.0.113.10:443 translates to 192.168.20.50:443.

  • LAN default route is unrelated because the router already has an ISP default route, and the symptom is inbound application publishing.
  • Interface role reversal is not supported by the facts; the issue shown is a public-port mismatch, not missing NAT direction.
  • Standard ACL replacement would reduce match detail and does not fix the static PAT port that outside users are targeting.

Question 63

Topic: Network Services and Security

Users can send mail, but external senders receive delivery failures when sending to sales.example.com. The firewall permits SMTP to the mail server, and the server is listening on TCP 25.

DNS lookup results:

sales.example.com.        MX 10 mail.sales.example.com.
mail.sales.example.com.   A  <no record found>
smtp.sales.example.com.   A  203.0.113.25

Which action best corrects the root cause?

Options:

  • A. Update the MX record to reference smtp.sales.example.com.

  • B. Add a PTR record for 203.0.113.25.

  • C. Change the MX priority from 10 to 0.

  • D. Create a CNAME from sales.example.com to smtp.sales.example.com.

Best answer: A

Explanation: An MX record tells other mail systems which hostname accepts mail for a domain. That hostname must resolve to an address record so senders can connect to the mail server. In the lookup results, sales.example.com correctly has an MX record, but it points to mail.sales.example.com, which has no A record. The working host appears to be smtp.sales.example.com at 203.0.113.25, so the MX record should reference that valid mail exchanger name. A PTR record may help with reputation checks, but it does not fix a missing address resolution path for the MX target.

  • PTR record may be useful for reverse DNS, but it does not make the MX target resolve.
  • MX priority affects preference among multiple exchangers, not hostname resolution.
  • CNAME for the domain would not correct the MX target and could disrupt other records for the zone name.

Question 64

Topic: IP Routing

R1 connects to R2 on G0/0 and has an IPv6 LAN on G0/1. Both R1 interfaces are up and have valid IPv6 addresses. R2 is already configured for OSPFv3 area 0 on the link to R1. You must configure R1 for dynamic IPv6 routing with OSPFv3 process 10 in a single area, without redistribution. Which configuration decision meets the goal?

Options:

  • A. Enable IPv6 routing and apply OSPFv3 process 10 to G0/0 and G0/1 in area 0.

  • B. Configure OSPFv2 process 10 with IPv6 network statements for both prefixes.

  • C. Apply OSPFv3 to G0/0 in area 0 and G0/1 in area 1.

  • D. Configure only OSPFv3 process 10 and rely on automatic interface advertisement.

Best answer: A

Explanation: Single-area OSPFv3 for IPv6 on IOS XE is an IPv6 routing feature that is activated on the participating Layer 3 interfaces. R1 must have IPv6 unicast routing enabled, an OSPFv3 process for IPv6, and OSPFv3 enabled on both the R2-facing link and the LAN-facing interface in area 0. That lets R1 form the neighbor relationship with R2 and advertise the LAN prefix through OSPFv3. Using OSPFv2 or only creating the router process does not place IPv6 interfaces into OSPFv3. Placing one interface in a different area also violates the single-area requirement.

  • OSPFv2 syntax fails because OSPFv2 routes only IPv4; advertising these IPv6 prefixes requires OSPFv3.
  • Process only is incomplete because OSPFv3 does not automatically advertise every IPv6-enabled interface.
  • Area mismatch fails because the requirement is one OSPFv3 area, area 0, for both participating interfaces.

Question 65

Topic: Network Services and Security

A security report says an internal user connected to an external web server from source 203.0.113.10:30002 to destination 198.51.100.80:443. On R1, Gi0/0 is the inside interface and Gi0/1 is the outside interface. Which internal session matches the report?

R1# show ip nat translations
Pro  Inside global        Inside local         Outside local        Outside global
tcp  203.0.113.10:30002  10.10.20.25:51544   198.51.100.80:443   198.51.100.80:443
tcp  203.0.113.10:30003  10.10.20.30:51544   198.51.100.80:443   198.51.100.80:443
tcp  203.0.113.10:30004  10.10.30.25:49160   198.51.100.90:443   198.51.100.90:443

Options:

  • A. 10.10.20.25:51544

  • B. 10.10.20.30:51544

  • C. 198.51.100.80:443

  • D. 10.10.30.25:49160

Best answer: A

Explanation: PAT identifies sessions by translating the inside local source address and source port to an inside global address and port. In the NAT table, the reported source 203.0.113.10:30002 is the inside global value. The same row shows the original inside local endpoint as 10.10.20.25:51544, while the outside global value is the external server. When multiple clients share one public address, the translated source port is what separates their sessions.

  • Same local port fails because 10.10.20.30:51544 maps to translated port 30003, not 30002.
  • Outside server fails because 198.51.100.80:443 is the destination, not the internal client.
  • Different destination fails because 10.10.30.25:49160 maps to another outside server and translated port.

Question 66

Topic: Network Infrastructure and Connectivity

A switch SVI is the default gateway for a small IPv6 user VLAN. Users report they receive only link-local IPv6 addresses and cannot reach off-link IPv6 destinations. Based on the output, what is the best next action?

Exhibit:

SW1# show ipv6 interface vlan 30
Vlan30 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::1
  Global unicast address(es):
    2001:DB8:30:30::1, subnet is 2001:DB8:30:30::/80
  ND DAD is enabled, number of DAD attempts: 1
  Hosts use stateless autoconfig for addresses
  ND router advertisements are sent every 200 seconds

Options:

  • A. Disable duplicate address detection on the SVI

  • B. Change the VLAN prefix to /64

  • C. Configure a default IPv6 route on each client

  • D. Change the SVI link-local address manually

Best answer: B

Explanation: The output shows that the VLAN relies on stateless autoconfiguration, which means hosts use router advertisements to build their own IPv6 addresses. For normal IPv6 SLAAC on an Ethernet LAN, the advertised prefix must be /64. Because the SVI is using and advertising 2001:DB8:30:30::/80, clients can receive router advertisements but fail to create valid global unicast addresses from that prefix. The gateway is up and sending RAs, so the prefix length is the key fault.

A default route or link-local address change would not fix address assignment when the advertised SLAAC prefix size is wrong.

  • DAD change is not supported by the output; duplicate address detection is enabled normally and no duplicate address error is shown.
  • Client default route is premature because the clients first need valid global IPv6 addresses from the LAN prefix.
  • Manual link-local does not address the advertised global prefix length used for SLAAC.
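The two IPv6 host-addressing checks behind Question 60 (gateway must be on-link) and Question 66 (SLAAC prefix must be /64), as an added example that is not part of the original page. It uses only the standard `ipaddress` module; the function names are this example's own.

```python
import ipaddress


def gateway_is_on_link(host_with_prefix, gateway):
    """Question 60 check: a host can only use a default gateway that is on its
    own link, either inside its configured prefix or a link-local address."""
    iface = ipaddress.IPv6Interface(host_with_prefix)
    gw = ipaddress.IPv6Address(gateway)
    if gw.is_link_local:          # fe80::/10 is always on-link
        return True
    return gw in iface.network


def slaac_prefix_ok(advertised_prefix):
    """Question 66 check: SLAAC on Ethernet builds a 64-bit interface ID,
    so the prefix carried in router advertisements must be exactly /64."""
    net = ipaddress.IPv6Network(advertised_prefix, strict=False)
    return net.prefixlen == 64


def check_host(host_with_prefix, gateway, advertised_prefix):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    if not slaac_prefix_ok(advertised_prefix):
        findings.append(
            f"advertised prefix {advertised_prefix} is not /64; SLAAC cannot form addresses"
        )
    if not gateway_is_on_link(host_with_prefix, gateway):
        findings.append(f"gateway {gateway} is not on-link for {host_with_prefix}")
    return findings
```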

Question 67

Topic: Network Services and Security

A company is adding secure connectivity between a new branch and headquarters. Review the assessment excerpt and choose the VPN type that best fits the requirement.

Exhibit: VPN assessment log

Peer A: HQ-R1 outside 203.0.113.10
Peer B: BR1-R1 outside 198.51.100.20
Protected traffic: 10.10.0.0/16 <-> 10.30.0.0/24
Users affected: all branch LAN users
Client software on PCs: not allowed
Tunnel requirement: persistent LAN-to-LAN encryption

Options:

  • A. Remote-access IPsec VPN

  • B. Clientless SSL VPN

  • C. Site-to-site IPsec VPN

  • D. GRE tunnel without IPsec

Best answer: C

Explanation: The exhibit describes two fixed edge routers, each representing an internal network, with protected traffic between LAN prefixes. That is a site-to-site IPsec VPN use case: the gateways build an encrypted tunnel so branch users can reach headquarters resources without each endpoint running a VPN client. Remote-access VPNs are better for individual users connecting from variable locations, while clientless SSL VPNs typically provide browser-based access to selected applications. GRE alone can tunnel traffic but does not provide encryption by itself.

  • Remote-access VPN fits individual roaming users, not an entire branch LAN behind a fixed peer router.
  • Clientless SSL VPN is application-oriented and browser-based, not persistent LAN-to-LAN connectivity.
  • GRE without IPsec can encapsulate packets but does not satisfy the encryption requirement.

Question 68

Topic: Network Services and Security

A company delegates branch.example.com from the parent zone example.com. The branch DNS server was replaced, and Internet clients can no longer resolve names in the branch zone. The new server is authoritative for branch.example.com.

Current parent-zone delegation:

Name                 Type   Value
branch.example.com   NS     ns-old.example.com

New authoritative server: ns1.branch.example.com at 203.0.113.10

Which configuration decision fixes the delegation issue?

Options:

  • A. Change only the NS record inside branch.example.com

  • B. Configure clients to use 203.0.113.10 as their DNS resolver

  • C. Update the parent-zone NS delegation and glue A record

  • D. Add a CNAME from branch.example.com to ns1.branch.example.com

Best answer: C

Explanation: For a delegated DNS zone, resolvers first consult the parent zone to learn which name servers are authoritative for the child zone. In this case, the parent zone still delegates branch.example.com to ns-old.example.com, so public resolvers are sent to the wrong authoritative server before they can use any records inside the child zone. Because the new name server name, ns1.branch.example.com, is inside the delegated child zone, the parent also needs glue address information so resolvers can reach it without a circular lookup. The fix belongs at the delegation point in example.com, not only inside the child zone.

  • Child-only update fails because resolvers may never reach the child zone while the parent delegation points to the old server.
  • CNAME substitution fails because delegation uses NS records, not a CNAME for the zone apex.
  • Client resolver change fails because Internet clients should resolve through delegation, not by manually targeting the authoritative server.

Question 69

Topic: Network Infrastructure and Connectivity

A help desk reports that several older laptops cannot join the corporate SSID after a wireless security change. Newer laptops connect normally. A network assistant recommends increasing AP transmit power.

Exhibit: Troubleshooting notes

SSID: Corp-WiFi
Band/channel: 5 GHz, channel 40
Client RSSI near AP: -48 dBm
Client capability: WPA2-Personal only
AP security mode: WPA3-Personal only
Client event: authentication method not supported

Which action is best supported by the evidence?

Options:

  • A. Move the SSID to the 2.4 GHz band

  • B. Use WPA2/WPA3 transition mode or update clients

  • C. Increase AP transmit power on channel 40

  • D. Troubleshoot DHCP on the wireless VLAN

Best answer: B

Explanation: The strongest evidence points to a wireless security mismatch. The affected laptops support only WPA2-Personal, while the SSID is configured as WPA3-Personal only, and the client event says the authentication method is not supported. The RSSI of -48 dBm near the AP indicates a strong signal, so increasing transmit power does not address the failure. Because the clients fail at authentication, DHCP troubleshooting is also premature; DHCP would occur after successful association and authentication. The practical correction is to support a compatible security mode, such as WPA2/WPA3 transition mode where appropriate, or upgrade/replace the clients so they can use WPA3.

  • Transmit power trap fails because the RSSI value shows strong RF signal near the AP.
  • Band change trap is unsupported because the evidence does not show 5 GHz coverage or channel interference problems.
  • DHCP trap is premature because the client is failing wireless authentication before it can request an IP address.

Question 70

Topic: Switching and Network Access

An engineer is validating a proposed Layer 2 diagram before applying access-switch changes. The current diagram shows SW1 Gi1/0/47 connected to DIST1 Gi1/0/47. Based on the CDP output from SW1, which documentation update should be made?

SW1# show cdp neighbors
Device ID    Local Intrfce   Holdtme  Capability  Platform  Port ID
DIST1        Gig 1/0/47      151      S I         C9300     Gig 1/0/3
AP12         Gig 1/0/10      122      R T         AIR-AP    Eth0
PHONE23      Gig 1/0/22      168      H P         IP Phone  Port 1

Options:

  • A. Show SW1 Gi1/0/3 connected to DIST1 Gi1/0/47.

  • B. Show SW1 Gi1/0/47 connected to AP12 Eth0.

  • C. Show SW1 Gi1/0/47 connected to DIST1 Gi1/0/3.

  • D. Keep DIST1 connected to SW1 Gi1/0/47 on both ends.

Best answer: C

Explanation: CDP neighbor output is used to validate physical and Layer 2 documentation by matching the local interface to the neighbor device and its advertised port. In this output, Local Intrfce is the interface on SW1, and Port ID is the interface on the neighboring device. Therefore, the diagram should show SW1 Gig 1/0/47 connected to DIST1 Gig 1/0/3. The existing diagram likely copied the local interface value to both ends, which is a common documentation error.

  • Reversed endpoints fails because Gig 1/0/3 is DIST1’s advertised port, not SW1’s local interface.
  • Wrong neighbor fails because AP12 is listed on SW1 Gig 1/0/10, not on the uplink to DIST1.
  • Same-port assumption fails because CDP does not imply matching interface numbers on both devices.

Question 71

Topic: Network Infrastructure and Connectivity

Users in a conference room report intermittent Wi-Fi drops and high latency during meetings. The clients keep their DHCP addresses and can reconnect without changing passwords.

Exhibit: Site survey excerpt

AP     Band      Channel   RSSI at client
AP-1   2.4 GHz   1         -47 dBm
AP-2   2.4 GHz   4         -50 dBm
AP-3   2.4 GHz   6         -49 dBm
AP-4   2.4 GHz   8         -52 dBm

What is the most likely root cause?

Options:

  • A. Adjacent-channel interference in the 2.4-GHz band

  • B. Weak RF signal from the nearest AP

  • C. Incorrect WPA passphrase on the clients

  • D. DHCP scope exhaustion for the WLAN

Best answer: A

Explanation: The symptoms point to RF interference, not authentication or IP addressing. In the 2.4-GHz band, only channels 1, 6, and 11 are normally treated as non-overlapping in a typical 20-MHz channel plan. The exhibit shows multiple nearby APs using channels 4 and 8, which overlap with adjacent channels and can cause retransmissions, latency, and intermittent drops even when RSSI is strong. Because clients retain DHCP leases and reconnect without password changes, DHCP and WPA are not the best explanations. A better corrective direction would be to redesign the 2.4-GHz channel plan and, where possible, move capable clients to 5 GHz or 6 GHz.

  • WPA mismatch would commonly prevent successful authentication, not allow reconnects with the same saved password.
  • DHCP exhaustion is unlikely because clients keep valid DHCP addresses during the issue.
  • Weak signal is contradicted by RSSI values around -47 to -52 dBm, which are strong for client connectivity.
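The channel-overlap reasoning above, applied to the survey excerpt, as an added example that is not part of the original page. It assumes the usual 2.4 GHz layout (channel centers 5 MHz apart, 20-MHz channels, so two APs need at least 25 MHz of center separation, the 1/6/11 plan) and a constructed -70 dBm weak-signal threshold; the function names are this example's own.

```python
# Constructed copy of the site survey table from the question.
SURVEY = [
    {"ap": "AP-1", "band": "2.4 GHz", "channel": 1, "rssi_dbm": -47},
    {"ap": "AP-2", "band": "2.4 GHz", "channel": 4, "rssi_dbm": -50},
    {"ap": "AP-3", "band": "2.4 GHz", "channel": 6, "rssi_dbm": -49},
    {"ap": "AP-4", "band": "2.4 GHz", "channel": 8, "rssi_dbm": -52},
]

# Assumption: 20-MHz channels whose centers are closer than 25 MHz overlap,
# which is why only channels 1, 6 and 11 are treated as non-overlapping.
MIN_CENTER_SEPARATION_MHZ = 25
NON_OVERLAPPING_PLAN = (1, 6, 11)


def channel_center_mhz(channel):
    """Center frequency of a 2.4 GHz channel; channel 14 is the 2484 MHz special case."""
    return 2484 if channel == 14 else 2412 + 5 * (channel - 1)


def channels_overlap(a, b):
    return abs(channel_center_mhz(a) - channel_center_mhz(b)) < MIN_CENTER_SEPARATION_MHZ


def find_overlaps(survey):
    """Every pair of 2.4 GHz APs whose channels overlap each other."""
    aps = [s for s in survey if s["band"] == "2.4 GHz"]
    pairs = []
    for i, x in enumerate(aps):
        for y in aps[i + 1:]:
            if channels_overlap(x["channel"], y["channel"]):
                pairs.append((x["ap"], y["ap"], x["channel"], y["channel"]))
    return pairs


def off_plan(survey):
    """APs not on a channel from the non-overlapping plan."""
    return [s["ap"] for s in survey
            if s["band"] == "2.4 GHz" and s["channel"] not in NON_OVERLAPPING_PLAN]


def weak_signal(survey, threshold_dbm=-70):
    """APs whose RSSI at the client is below the constructed threshold."""
    return [s["ap"] for s in survey if s["rssi_dbm"] < threshold_dbm]
```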

Question 72

Topic: Switching and Network Access

A network technician is validating switch documentation before replacing a third-party edge firewall. The documentation says FW-EDGE is connected to SW1 Gi1/0/24.

Exhibit:

SW1# show lldp neighbors
Device ID    Local Intf    Hold-time    Capability    Port ID
FW-EDGE      Gi1/0/23      120          R             ge-0/0/1
AP-17        Gi1/0/24      120          B,W           eth0

Which interpretation is best supported by the LLDP evidence?

Options:

  • A. The documentation does not match the current cabling.

  • B. CDP must be enabled before validating this multi-vendor link.

  • C. The firewall is unreachable because LLDP reports only Layer 2 neighbors.

  • D. The documentation is correct because ge-0/0/1 is the firewall port.

Best answer: A

Explanation: LLDP is a standards-based neighbor discovery protocol that is useful for validating multi-vendor physical connectivity. In this output, Local Intf is the interface on SW1, while Device ID and Port ID describe the neighboring device and its interface. The exhibit shows FW-EDGE learned on SW1 Gi1/0/23, not Gi1/0/24. It also shows AP-17 on Gi1/0/24, so the documented firewall connection is inconsistent with the observed neighbor evidence. The next operational step would be to correct or investigate the cabling documentation before making the firewall change.

  • Remote port confusion fails because ge-0/0/1 is the neighbor’s port, not the local switch interface.
  • Reachability assumption fails because LLDP validates adjacency information, not end-to-end IP reachability.
  • CDP requirement fails because LLDP is the appropriate standards-based protocol for multi-vendor neighbor discovery.

Question 73

Topic: AI, Network Operations and Management

A digital network assistant reports: “DHCP server outage likely; reboot the DHCP server.” Users in VLAN 20 receive APIPA addresses, but VLAN 10 users receive DHCP addresses normally. The distribution switch can ping the DHCP server at 10.10.10.5.

Exhibit:

DSW1# show ip interface vlan 20 | include helper|line protocol
Vlan20 is up, line protocol is up
  Helper address is 10.10.10.5

DSW1# show interfaces trunk | include Gi1/0/48|Vlans allowed
Port        Vlans allowed on trunk
Gi1/0/48    10,30

Which action is best supported by the evidence?

Options:

  • A. Clear DHCP bindings for VLAN 20

  • B. Replace the DHCP helper address

  • C. Reboot the DHCP server

  • D. Allow VLAN 20 on the trunk

Best answer: D

Explanation: A digital network assistant recommendation should be checked against current network evidence before taking action. Here, the assistant suggests a DHCP server outage, but VLAN 10 clients still receive leases and the distribution switch can ping the DHCP server. VLAN 20 also has an active SVI and the expected helper address. The decisive clue is the trunk output: VLAN 20 is not allowed on Gi1/0/48, so VLAN 20 DHCP traffic cannot traverse that trunk even though the DHCP server is healthy. The evidence supports fixing the VLAN/trunk path, not acting on the assistant’s unsupported server-reboot recommendation.

  • Server reboot is unsupported because other VLANs use the same DHCP server successfully.
  • Helper replacement fails because VLAN 20 already points to the reachable DHCP server.
  • Binding cleanup is premature because clients are not reaching the DHCP process through the VLAN path.

Question 74

Topic: Network Services and Security

A host at 10.10.10.25/24 uses R1 at 10.10.10.1 as its default gateway. The host should reach an Internet web server by using PAT on R1’s Gi0/0 address. After a test connection fails, the administrator collects this output:

R1# show running-config | section interface GigabitEthernet0/[01]|ip nat
interface GigabitEthernet0/0
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
interface GigabitEthernet0/1
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
ip nat inside source list 10 interface GigabitEthernet0/0 overload

R1# show access-lists 10
Standard IP access list 10
 10 permit 10.10.20.0, wildcard bits 0.0.0.255 (0 matches)

R1# show ip nat translations
<no active translations>

What is the best next action?

Options:

  • A. Remove overload from the NAT statement

  • B. Permit 10.10.10.0/24 in NAT ACL 10

  • C. Clear the NAT translation table

  • D. Swap the NAT inside and outside commands

Best answer: B

Explanation: PAT translates inside source addresses only when the packet enters an ip nat inside interface, exits an ip nat outside interface, and matches the ACL referenced by the NAT rule. In the exhibit, the interface roles are correct: Gi0/1 is the inside LAN gateway and Gi0/0 is the outside public interface. The problem is the source match condition. The host is in 10.10.10.0/24, but ACL 10 permits 10.10.20.0/24, so traffic from 10.10.10.25 is not eligible for PAT. With no matching NAT rule, no translation is created. The next action is to correct the NAT ACL so it includes the intended inside subnet.

  • Interface role swap would break the currently correct inside/outside placement for the LAN and Internet-facing interfaces.
  • Removing overload would change PAT behavior and would not fix the missing source match.
  • Clearing translations cannot help because the exhibit shows there are no active translations to clear.
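A small ACL evaluator covering both the blocked TACACS+ port in Question 57 and the NAT source mismatch in Question 74, as an added example that is not part of the original page. It implements Cisco wildcard-mask matching, first-match-wins ordering and the implicit deny for standard ACLs and for extended ACLs that use only a destination `eq` port; the ACE text is the page's, the function names are this example's own.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 0 bit in the wildcard means that bit must match."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def _addr_spec(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD' and return (base, wildcard)."""
    t = tokens.pop(0)
    if t == "any":
        return ANY
    if t == "host":
        return (tokens.pop(0), "0.0.0.0")
    return (t, tokens.pop(0))


def parse_ace(line, extended):
    tokens = line.split()
    if tokens[0].isdigit():          # optional sequence number
        tokens.pop(0)
    if tokens[-1] == "log":          # logging keyword does not affect matching
        tokens.pop()
    action = tokens.pop(0)
    if not extended:                 # standard ACL: source address only
        return {"text": line.strip(), "action": action, "proto": "ip",
                "src": _addr_spec(tokens), "dst": ANY, "dport": None}
    proto = tokens.pop(0)
    src = _addr_spec(tokens)
    dst = _addr_spec(tokens)
    dport = int(tokens[1]) if tokens[:1] == ["eq"] else None   # destination port only
    return {"text": line.strip(), "action": action, "proto": proto,
            "src": src, "dst": dst, "dport": dport}


def parse_acl(text, extended):
    return [parse_ace(l, extended) for l in text.splitlines() if l.strip()]


def evaluate(acl, proto, src, dst, dport=None):
    """First matching ACE decides; an ACL always ends with an implicit deny."""
    for ace in acl:
        if ace["proto"] not in ("ip", proto):
            continue
        if not wildcard_match(src, *ace["src"]) or not wildcard_match(dst, *ace["dst"]):
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"], ace["text"]
    return "deny", "implicit deny"


# Constructed copies of the two ACLs from Questions 57 and 74.
MGMT_TO_AAA = parse_acl("""
 permit udp host 10.20.30.5 host 10.20.30.10 eq 1812
 permit udp host 10.20.30.5 host 10.20.30.10 eq 1813
 deny ip any any log
""", extended=True)

NAT_ACL_10 = parse_acl("permit 10.10.20.0 0.0.0.255", extended=False)


def nat_eligible(acl, src):
    """Question 74: PAT only translates sources the NAT ACL permits."""
    return evaluate(acl, "tcp", src, "0.0.0.0")[0] == "permit"
```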

Question 75

Topic: Network Services and Security

A dual-stack web server should be reachable as app.corp.example over IPv6. Clients can ping the server’s IPv6 address directly, and the default gateway for the client VLAN is reachable over IPv6. DNS testing shows this result:

Server IPv6 address: 2001:db8:10:20::50
nslookup -type=A app.corp.example   -> 192.0.2.50
nslookup -type=AAAA app.corp.example -> No answer

What is the best corrective action?

Options:

  • A. Change the A record to 2001:db8:10:20::50.

  • B. Enable DHCPv6 on the client VLAN.

  • C. Add a PTR record for 2001:db8:10:20::50.

  • D. Create an AAAA record for app.corp.example.

Best answer: D

Explanation: An AAAA record maps a hostname to an IPv6 address. The network path is already partly validated because clients can ping the server’s IPv6 address directly and can reach their IPv6 default gateway. The failure appears only when resolving the hostname for IPv6: the A query returns an IPv4 address, while the AAAA query returns no answer. The DNS zone needs an AAAA record for app.corp.example that points to 2001:db8:10:20::50. An A record is only for IPv4, and a PTR record supports reverse lookup rather than forward hostname-to-address resolution.

  • Changing the A record fails because A records contain IPv4 addresses, not IPv6 addresses.
  • Adding a PTR record fails because it helps reverse DNS lookup, not normal hostname resolution.
  • Enabling DHCPv6 is unsupported because direct IPv6 connectivity is already working from the clients.

Questions 76-100

Question 76

Topic: Switching and Network Access

SW1 connects to SW2 on Gi1/0/24. The requirement is an Ethernet switching link that carries VLANs 10 and 20 between the switches. Based on the exhibit, what is the best next action on SW1?

Exhibit:

SW1# show running-config interface gi1/0/24
interface GigabitEthernet1/0/24
 description Link-to-SW2
 no switchport
 ip address 10.10.12.1 255.255.255.252
 no shutdown

SW1# show interfaces gi1/0/24 switchport
Name: Gi1/0/24
Switchport: Disabled

Options:

  • A. Configure an SVI for VLAN 10 on SW1

  • B. Assign Gi1/0/24 to access VLAN 10

  • C. Add a static route to 10.10.12.2

  • D. Configure Gi1/0/24 as an 802.1Q trunk

Best answer: D

Explanation: The exhibit shows no switchport and Switchport: Disabled, which means Gi1/0/24 is operating as a Layer 3 routed interface. That does not meet a requirement for Ethernet switching between switches. For a switch-to-switch link that must carry VLANs 10 and 20, the physical interface should be converted back to a Layer 2 switchport and configured as an 802.1Q trunk, with the required VLANs allowed as appropriate. An SVI can provide Layer 3 gateway services for a VLAN, but it does not make this physical link carry multiple VLANs. The key distinction is routed port for Layer 3 forwarding versus switchport trunk for Layer 2 VLAN transport.

  • SVI configuration does not change the physical interface from routed mode to Layer 2 switching mode.
  • Static routing keeps the design Layer 3 and does not carry VLANs 10 and 20 across the link.
  • Access VLAN mode supports one VLAN on the link, not multiple VLANs between switches.

Question 77

Topic: Network Infrastructure and Connectivity

A desktop connected to switch port Gi1/0/12 should receive an IPv4 address from VLAN 20, which uses subnet 192.168.20.0/24. After renewing DHCP, the desktop receives 192.168.30.57/24 with default gateway 192.168.30.1.

Exhibit:

SW1# show interfaces gi1/0/12 status
Port      Status     Vlan
Gi1/0/12 connected  30

SW1# show interfaces trunk
Port      Vlans allowed on trunk
Gi1/0/48  20,30

Which action best addresses the root cause?

Options:

  • A. Change the desktop default gateway to 192.168.20.1.

  • B. Exclude 192.168.30.57 from the DHCP scope.

  • C. Add 192.168.20.0/24 to the trunk allowed VLAN list.

  • D. Configure Gi1/0/12 as an access port in VLAN 20.

Best answer: D

Explanation: The DHCP-assigned address matches the VLAN where the switch port currently belongs. Gi1/0/12 is connected but assigned to VLAN 30, so the desktop’s DHCP discover is handled as a VLAN 30 request and the server answers from its 192.168.30.0/24 scope. Because the expected subnet is 192.168.20.0/24, the corrective action is to place the access port in VLAN 20 and then renew the client DHCP lease.

The trunk already permits VLAN 20, so the problem is not trunk filtering. The key takeaway is to validate the local switchport VLAN before changing DHCP scopes or host IP settings.

  • Trunk allowed list fails because VLAN 20 is already allowed on the trunk.
  • Gateway-only change fails because the host still has an address from the wrong subnet.
  • DHCP exclusion fails because excluding one VLAN 30 address does not move the client into VLAN 20.

Question 78

Topic: IP Routing

R1 and R2 provide the default gateway for VLAN 10 using HSRP group 10. R1 uses 10.10.10.2, R2 uses 10.10.10.3, and the virtual gateway is 10.10.10.1.

Exhibit: R1 output

R1# show standby brief
Interface  Grp  Pri  P  State    Active       Standby  Virtual IP
Vl10       10   110  P  Standby  10.10.10.3  local    10.10.10.1

Which device is currently forwarding traffic sent to the virtual gateway?

Options:

  • A. Both routers, because HSRP load-balances by default

  • B. R1, because it is local

  • C. R1, because it has priority 110

  • D. R2, because 10.10.10.3 is Active

Best answer: D

Explanation: HSRP uses one Active router to forward traffic for the virtual IP address and one Standby router to take over if the Active router fails. The show standby brief output is from R1, but R1’s state is Standby. The Active column lists 10.10.10.3, which the stem identifies as R2. Therefore, R2 is the device currently forwarding traffic sent to 10.10.10.1. Priority matters during election, but the current operational state in the output is the deciding evidence.

  • Local router trap fails because local appears under the Standby column, not the Active column.
  • Priority trap fails because a higher priority does not override the displayed current state.
  • Load-balancing trap fails because a single HSRP group has one Active forwarder at a time.

Question 79

Topic: IP Routing

Users behind R1 cannot reach IPv4 destinations outside the local site. The ISP handoff is on R1 G0/1, and the ISP next-hop address is 203.0.113.1.

Exhibit:

R1# show ip interface brief
Interface              IP-Address      OK? Method Status  Protocol
GigabitEthernet0/0     192.168.10.1    YES manual up      up
GigabitEthernet0/1     203.0.113.2     YES manual up      up

R1# show running-config | include ^ip route
ip route 0.0.0.0 0.0.0.0 10.0.0.2

R1# show ip route | include Gateway|0.0.0.0
Gateway of last resort is not set

What is the best next action?

Options:

  • A. Change G0/0 to use 203.0.113.1 as its address

  • B. Configure an IPv6 default route toward the ISP

  • C. Change the default route next hop to 203.0.113.1

  • D. Reload R1 to reinstall the static route

Best answer: C

Explanation: IOS installs a static route only when its next hop is resolvable, and only an installed default route becomes the gateway of last resort. The running configuration points the default route to 10.0.0.2, but the connected interfaces are 192.168.10.1 and 203.0.113.2 and no other route covers 10.0.0.2, so the route never enters the routing table and show ip route reports that the gateway of last resort is not set. The known ISP next hop is 203.0.113.1, on the same subnet as G0/1, so the fix is to remove the bad static route and replace it with one that points to 203.0.113.1. The interface status is already up/up, so this is a next-hop configuration problem, not a physical link problem.

  • Reloading R1 is not indicated because the configuration itself points to the wrong next hop.
  • Changing G0/0 would disrupt the LAN interface and does not fix the ISP-facing route.
  • Adding IPv6 routing does not restore IPv4 reachability for an IPv4 default-route issue.

Question 80

Topic: Switching and Network Access

A distribution switch, D1, should remain the Rapid PVST+ root bridge for VLAN 20. After a new downstream access switch is connected to D1 interface Gi1/0/24 as an 802.1Q trunk, VLAN 20 users report unstable connectivity. D1 shows:

D1# show spanning-tree vlan 20
Root ID    Priority 20
           Address  001b.2a00.2222
Bridge ID  Priority 24596
           Address  00d1.a100.1111
Interface  Gi1/0/24  Role Root  Sts FWD

Which corrective action best prevents the downstream switch on Gi1/0/24 from taking over as root for VLAN 20?

Options:

  • A. Configure spanning-tree guard root on Gi1/0/24.

  • B. Configure spanning-tree bpduguard enable on Gi1/0/24.

  • C. Configure spanning-tree guard loop on Gi1/0/24.

  • D. Configure spanning-tree portfast trunk on Gi1/0/24.

Best answer: A

Explanation: Root guard is used on ports where a downstream switch is allowed to participate in STP but must not become the root bridge. The output shows D1 is no longer the root for VLAN 20, and Gi1/0/24 is D1’s root port toward the downstream switch. Reading the priorities explains why: D1’s 24596 is the base priority 24576 plus the extended system ID 20 (the VLAN number), while the current root advertises 0 plus 20, the lowest value possible, and its MAC address is also lower than D1’s, so D1 cannot win the election back by lowering its own priority. Applying root guard on Gi1/0/24 causes the port to move to a root-inconsistent state whenever it receives superior BPDUs, protecting the intended root placement; the port stays blocked for as long as the superior BPDUs keep arriving, so the downstream switch’s priority should be corrected as well. This is different from BPDU guard, which is intended mainly for edge ports where BPDUs should not appear at all.

  • BPDU guard would err-disable the trunk when BPDUs are received, but a switch-to-switch trunk normally exchanges BPDUs.
  • PortFast trunk does not prevent superior BPDUs from changing the root bridge.
  • Loop guard protects against missing BPDUs causing alternate ports to transition incorrectly; it does not enforce root placement.
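The election that the Q80 exhibit shows D1 losing, worked in code. This is an added example, not part of the practice exam: it splits the displayed priority into the configurable base and the extended system ID, picks the root the way Rapid PVST+ does (lowest priority, then lowest MAC), and applies the same comparison root guard makes on a superior BPDU. The two bridges are the ones in the exhibit; the name ACC for the downstream access switch is assumed.

```python
"""Decode Rapid PVST+ bridge priorities and run the root election.

Added example, not part of the practice exam. The priority IOS displays is
the 4-bit configurable priority (a multiple of 4096) plus the 12-bit extended
system ID, which carries the VLAN number. The root is the lowest bridge ID:
lower priority first, lower MAC address as the tiebreaker. The two bridges
below are the ones in the Q80 exhibit; the name "ACC" for the downstream
access switch is assumed.
"""
from __future__ import annotations


def decode_priority(priority: int) -> tuple[int, int]:
    """Split a displayed priority into (base priority, extended system ID).

    24596 -> (24576, 20): base 24576 for VLAN 20.
    """
    if not 0 <= priority <= 0xFFFF:
        raise ValueError("bridge priority is a 16-bit field")
    return priority & 0xF000, priority & 0x0FFF


def mac_to_int(mac: str) -> int:
    """'001b.2a00.2222' or '00:1b:2a:00:22:22' -> integer for comparison."""
    digits = mac.replace(".", "").replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return int(digits, 16)


def bridge_id_key(priority: int, mac: str) -> tuple[int, int]:
    """Ordering used by the election: lower priority wins, then lower MAC."""
    return priority, mac_to_int(mac)


def elect_root(bridges: dict[str, tuple[int, str]]) -> str:
    """bridges: {name: (displayed priority, MAC)} -> name of the root bridge."""
    return min(bridges, key=lambda name: bridge_id_key(*bridges[name]))


def is_superior(advertised_root: tuple[int, str], current_root: tuple[int, str]) -> bool:
    """True if a BPDU claiming `advertised_root` would displace `current_root`.

    This is the comparison root guard acts on: a superior BPDU arriving on a
    guarded port moves that port to root-inconsistent instead of re-rooting.
    """
    return bridge_id_key(*advertised_root) < bridge_id_key(*current_root)


# Constructed from the Q80 exhibit: D1 and the downstream switch for VLAN 20.
VLAN20_BRIDGES = {
    "D1": (24596, "00d1.a100.1111"),
    "ACC": (20, "001b.2a00.2222"),
}

if __name__ == "__main__":
    print("root for VLAN 20:", elect_root(VLAN20_BRIDGES))
    # Even at the lowest base priority D1 still loses on the MAC tiebreak,
    # which is why root guard, not priority tuning, is the fix.
    print("root if D1 uses priority 0:",
          elect_root({**VLAN20_BRIDGES, "D1": (20, "00d1.a100.1111")}))
```

Running it shows ACC winning both with D1 at 24596 and with D1 dropped to the minimum base priority of 0, because 00d1.a100.1111 is numerically higher than 001b.2a00.2222; that is the arithmetic behind choosing root guard over priority changes in this question.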

Question 81

Topic: Network Infrastructure and Connectivity

A technician connects a desktop PC to switch SW1 on Gi1/0/12, but the PC reports that the network cable is unplugged. The switch port is enabled and assigned to the correct access VLAN.

Exhibit:

SW1# show interfaces gi1/0/12 status
Port      Name   Status      Vlan  Duplex  Speed  Type
Gi1/0/12  PC-7   notconnect  20    auto    auto   10/100/1000BaseTX

Cable tag: RJ-45 rollover console cable
Tester pin map: 1->8  2->7  3->6  4->5  5->4  6->3  7->2  8->1

What is the best interpretation or next action?

Options:

  • A. Replace it with an Ethernet crossover cable.

  • B. Replace it with a straight-through Ethernet patch cable.

  • C. Configure PortFast on the switch port.

  • D. Manually set both ends to full duplex.

Best answer: B

Explanation: The exhibit points to a physical cabling problem, not a VLAN, spanning-tree, or duplex problem. The switch shows notconnect, and the cable tag plus tester pin map identify a rollover console cable, where pin 1 maps to pin 8, pin 2 to pin 7, and so on. A rollover cable is used for console connections, not for Ethernet data links. For a typical desktop PC connected to a switch access port, use a normal straight-through Ethernet patch cable. The key clue is the reversed pinout before the link ever establishes.

  • Crossover cable is for like-device Ethernet links in traditional cabling rules, not a PC-to-switch access connection.
  • PortFast affects spanning-tree transition after link comes up; it does not fix a notconnect physical link.
  • Manual duplex cannot help until the copper link establishes at Layer 1.

Question 82

Topic: Switching and Network Access

A network technician is validating an EtherChannel after adding a third uplink between two Cisco switches. Based only on the exhibit, what is the best interpretation?

Exhibit:

SW1# show etherchannel summary
Flags: S - Layer2  U - in use  P - bundled in port-channel
       I - stand-alone  s - suspended

Group  Port-channel  Protocol  Ports
------+-------------+---------+-----------------------------
1      Po1(SU)       LACP      Gi1/0/1(P) Gi1/0/2(P) Gi1/0/3(I)

Options:

  • A. All three links are forwarding in Po1

  • B. Po1 is up; Gi1/0/3 is not bundled

  • C. The bundle is using PAgP, not LACP

  • D. Po1 is down because one member is stand-alone

Best answer: B

Explanation: In show etherchannel summary, the port-channel flags and member-link flags must be read separately. Po1(SU) means the port-channel is a Layer 2 EtherChannel and is currently in use. The member ports marked (P) are successfully bundled into that port-channel. The added link Gi1/0/3(I) is stand-alone, so it is not participating in the bundle even though the port-channel itself remains operational with Gi1/0/1 and Gi1/0/2. The next troubleshooting focus would be the configuration and LACP compatibility of Gi1/0/3, such as mode, VLAN/trunk settings, speed, duplex, or allowed VLAN consistency.

  • Member failure scope is wrong because one unbundled member does not automatically make the existing port-channel down.
  • All links bundled is wrong because only ports marked (P) are bundled into the port-channel.
  • Wrong protocol is wrong because the Protocol column explicitly shows LACP.

Question 83

Topic: Network Infrastructure and Connectivity

Two routers are connected to the same Layer 2 segment. An engineer checks their IPv6 interface addresses before troubleshooting a failed ping.

Exhibit:

R1# show ipv6 interface brief | include GigabitEthernet0/0|IPv6
GigabitEthernet0/0     [up/up]
    2001:DB8:10:20::1/63

R2# show ipv6 interface brief | include GigabitEthernet0/0|IPv6
GigabitEthernet0/0     [up/up]
    2001:DB8:10:21::2/63

What is the best interpretation of the IPv6 prefix information?

Options:

  • A. The interfaces are in different networks because the fourth hextet differs.

  • B. The interfaces are in different networks because IPv6 links must use /64.

  • C. Both interfaces are in the same IPv6 network.

  • D. The interfaces match only if their link-local prefixes are identical.

Best answer: C

Explanation: IPv6 prefix length controls how many leading bits define the network. A /63 uses the first 63 bits, which means the first 48 bits plus the first 15 bits of the fourth hextet are the network portion. The fourth-hextet values 0x0020 and 0x0021 differ only in the final bit, so both addresses fall under 2001:DB8:10:20::/63. If the prefix were /64, those two fourth-hextet values would be separate networks. Based on the exhibit, the failed ping should be investigated as something other than an IPv6 prefix mismatch. Note that a /63 works for statically addressed router interfaces, but hosts using SLAAC need a 64-bit prefix, which is why /64 remains the norm on host segments.

  • Exact hextet matching fails because IPv6 subnet membership is based on bits, not whether every displayed hextet is identical.
  • Assuming only /64 fails because /64 is common, but the configured /63 is the prefix used for this decision.
  • Link-local comparison fails because global unicast subnet membership is determined by the shown global prefixes.
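The bit-level membership check from the Q83 explanation, as an added example that is not part of the practice exam. It uses the standard-library ipaddress module on the two exhibit addresses and also computes how many leading bits they share, which tells you directly which prefix lengths put them in one subnet.

```python
"""Decide IPv6 subnet membership from the prefix length, not from hextet equality.

Added example, not part of the practice exam. Uses the standard-library
ipaddress module on the two addresses from the Q83 exhibit.
"""
import ipaddress


def network_of(addr: str, prefix_len: int) -> str:
    """'2001:DB8:10:21::2', 63 -> '2001:db8:10:20::/63'."""
    return str(ipaddress.IPv6Interface(f"{addr}/{prefix_len}").network)


def same_subnet(addr_a: str, addr_b: str, prefix_len: int) -> bool:
    """True when both addresses fall in the same network under prefix_len."""
    return network_of(addr_a, prefix_len) == network_of(addr_b, prefix_len)


def shared_prefix_bits(addr_a: str, addr_b: str) -> int:
    """Number of leading bits the two addresses have in common (0..128).

    Any prefix length up to this value puts them in one subnet; anything
    longer splits them.
    """
    diff = int(ipaddress.IPv6Address(addr_a)) ^ int(ipaddress.IPv6Address(addr_b))
    return 128 - diff.bit_length()


R1_ADDR = "2001:DB8:10:20::1"   # from the exhibit
R2_ADDR = "2001:DB8:10:21::2"   # from the exhibit

if __name__ == "__main__":
    bits = shared_prefix_bits(R1_ADDR, R2_ADDR)
    print(f"addresses agree on the first {bits} bits")
    for plen in (63, 64):
        verdict = "same subnet" if same_subnet(R1_ADDR, R2_ADDR, plen) else "different subnets"
        print(f"/{plen}: R1 in {network_of(R1_ADDR, plen)}, "
              f"R2 in {network_of(R2_ADDR, plen)}: {verdict}")
```

The shared-bit count comes out at 63, so /63 (and anything shorter) keeps both routers in 2001:db8:10:20::/63 while /64 separates them into ::20 and ::21 networks.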

Question 84

Topic: Switching and Network Access

A host on SW1 in VLAN 20 cannot reach a server on SW2 in VLAN 20. The host access port is up, and Po1 is the only Layer 2 link between the switches. What is the best next action?

Exhibit:

SW1# show interfaces trunk
Port  Mode  Encapsulation  Status     Native vlan
Po1   on    802.1q         trunking   1

Port  Vlans allowed on trunk
Po1   1,10,30

SW1# show etherchannel summary
Group  Port-channel  Protocol  Ports
1      Po1(SU)       LACP      Gi1/0/1(P) Gi1/0/2(P)

SW1# show mac address-table vlan 20
Vlan  Mac Address     Type     Ports
20    aaaa.bbbb.0010  DYNAMIC  Gi1/0/10

Options:

  • A. Move Gi1/0/10 to VLAN 30

  • B. Rebuild the LACP port channel

  • C. Configure VLAN 20 as the native VLAN

  • D. Allow VLAN 20 on the Po1 trunk

Best answer: D

Explanation: The evidence points to a trunk VLAN pruning or allowed-list problem, not an EtherChannel or access-port problem. Po1(SU) means the port channel is Layer 2 and in use, and both member links are bundled. The MAC table shows SW1 is learning the local host MAC in VLAN 20 on Gi1/0/10, so the access port is operating in VLAN 20. However, show interfaces trunk shows Po1 allows only VLANs 1, 10, and 30. Because VLAN 20 is not permitted across the interswitch trunk, frames for that VLAN cannot cross to SW2. The best action is to permit VLAN 20 on the port-channel trunk and verify the peer switch matches.

  • LACP rebuild is unnecessary because Po1 is up and bundled with active member links.
  • Access VLAN change would move the host out of the required VLAN 20 and does not fix the trunk.
  • Native VLAN change affects untagged traffic and does not make VLAN 20 tagged traffic pass across the trunk.

Question 85

Topic: Network Services and Security

A remote employee on a company laptop cannot reach an internal HR application from a hotel network. The application is reachable from branch offices. Review the exhibit and choose the best next action.

Exhibit: VPN and firewall summary

User source: dynamic public IP from hotel Wi-Fi
Internal app: 10.20.30.15 TCP/443
Site-to-site VPNs: HQ-BR1 up, HQ-BR2 up
Remote-access VPN sessions: 0
Remote-access VPN profile: not configured
Firewall event: denied outside to inside 10.20.30.15:443

Options:

  • A. Add another site-to-site VPN tunnel

  • B. Publish the HR application directly to the Internet

  • C. Configure an IPsec remote access VPN profile

  • D. Configure CDP to verify the hotel connection

Best answer: C

Explanation: An IPsec remote access VPN is used when individual users need secure connectivity to private network resources over an untrusted network, such as home, hotel, or public Wi-Fi. The exhibit shows that branch site-to-site VPNs are already working, so the branch connectivity model is not the problem. It also shows the user has a dynamic public IP and no remote-access VPN profile exists, while direct outside-to-inside access is denied. That combination points to deploying a client-based remote access VPN rather than creating a fixed network-to-network tunnel or exposing the internal application. The key distinction is user-to-network access for one roaming endpoint versus site-to-site connectivity for fixed locations.

  • Site-to-site tunnel is for connecting fixed networks, not a roaming hotel user with a dynamic address.
  • Internet publishing increases exposure and does not provide the private encrypted user access described.
  • CDP verification is irrelevant across the hotel Internet path and does not solve remote user access.

Question 86

Topic: Network Infrastructure and Connectivity

A user reports that a Windows laptop can see the CorpStaff SSID but cannot join it. Other users are connected to the same SSID. Review the wireless event excerpt.

SSID: CorpStaff
WLAN security: WPA2-Personal, AES-CCMP
Client association: accepted
Client authentication: failed
Reason: 4-way handshake failed; key/encryption mismatch suspected
Client profile: WPA-Personal, TKIP

What is the best next action?

Options:

  • A. Renew the client DHCP lease

  • B. Change the AP channel to reduce interference

  • C. Update the client profile to WPA2-Personal AES and the correct passphrase

  • D. Add a static default gateway on the client

Best answer: C

Explanation: The failure occurs during wireless authentication, before the client can use normal IP connectivity. The exhibit shows that the WLAN expects WPA2-Personal with AES-CCMP, but the client profile is set to WPA-Personal with TKIP. A 4-way handshake failure also commonly points to a passphrase mismatch. The appropriate response is to correct the client’s wireless security profile so the authentication method, encryption type, and passphrase match the SSID configuration.

DHCP, default gateway, and IP routing checks are later-stage troubleshooting steps after the client successfully associates and authenticates to the WLAN.

  • DHCP renewal fails because the client has not completed wireless authentication, so it is not ready to request an IP address.
  • Channel change is unsupported because the client sees the SSID and the log points to security mismatch, not RF interference.
  • Static gateway is premature because Layer 3 settings do not fix WPA authentication or encryption mismatch.

Question 87

Topic: Network Services and Security

Users in VLAN 30 report intermittent DHCP failures and short connectivity drops. SW1 shows that Gi1/0/12 connects to an unmanaged conference-room switch. The operations policy says to limit broadcast, multicast, and unknown unicast storms to 1% rising and 0.5% falling on edge ports.

Exhibit:

SW1# show interfaces gi1/0/12
GigabitEthernet1/0/12 is up, line protocol is up
  5 minute input rate 94,000,000 bits/sec
  621,440 broadcasts, 418,905 multicasts
  377,118 unknown unicasts

SW1# show run interface gi1/0/12
 switchport mode access
 switchport access vlan 30
 spanning-tree portfast

Which corrective action best addresses the supported root cause?

Options:

  • A. Apply storm control for broadcast, multicast, and unknown unicast on Gi1/0/12.

  • B. Configure Gi1/0/12 as an 802.1Q trunk.

  • C. Remove PortFast from Gi1/0/12.

  • D. Trust Gi1/0/12 for DHCP snooping.

Best answer: A

Explanation: Storm control protects a Layer 2 segment by limiting broadcast, multicast, and unknown unicast traffic on an interface. The port is up, is an access edge port, and shows very large counts of all three flood traffic types while users experience DHCP and connectivity disruption. That supports a Layer 2 traffic storm sourced through or behind Gi1/0/12, not a routing or VLAN trunking issue. Configure storm control on that edge port using the stated thresholds: suppression starts when flooded traffic reaches 1% of the port bandwidth and stops only once it drops below 0.5%, so the port does not flap between states. Add the violation action (shutdown or trap) if local policy calls for one; by default the switch simply drops the excess traffic.

The key distinction is that storm control limits excessive flooding; DHCP snooping, STP tuning, and trunking solve different problems.

  • DHCP snooping trust is for legitimate DHCP server ports and would not limit broadcast, multicast, or unknown unicast flooding.
  • Removing PortFast does not rate-limit the storm traffic shown on the interface.
  • Making a trunk could extend the flooding problem to more VLANs and is not supported by the access-port requirement.
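The rising and falling thresholds from the Q87 policy behave as a hysteresis, and the following added example (not part of the practice exam) models that behaviour so the two numbers can be reasoned about. The thresholds are the 1% and 0.5% from the stem; the per-interval flood levels fed in are constructed sample data.

```python
"""Model storm-control suppression with rising and falling thresholds.

Added example, not part of the practice exam. A switch measures flooded
traffic per interval as a percentage of port bandwidth; suppression starts
when the level reaches the rising threshold and stops only when it falls
below the falling threshold, so a port sitting between the two does not
flap. The thresholds are the 1% / 0.5% from the Q87 policy; the per-interval
levels fed in are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class StormControl:
    """Hysteresis state for one traffic class (broadcast, multicast or unknown unicast)."""
    rising_pct: float
    falling_pct: float
    suppressing: bool = field(default=False, init=False)

    def __post_init__(self) -> None:
        if not 0.0 <= self.falling_pct <= self.rising_pct <= 100.0:
            raise ValueError("thresholds must satisfy 0 <= falling <= rising <= 100")

    def update(self, level_pct: float) -> bool:
        """Feed one measurement interval and return whether traffic is being dropped."""
        if self.suppressing:
            if level_pct < self.falling_pct:
                self.suppressing = False      # storm subsided: resume forwarding
        elif level_pct >= self.rising_pct:
            self.suppressing = True           # storm detected: drop this class
        return self.suppressing


def utilisation_pct(bits_per_sec: float, port_bps: float) -> float:
    """Express a measured rate as a percentage of port bandwidth."""
    if port_bps <= 0:
        raise ValueError("port bandwidth must be positive")
    return 100.0 * bits_per_sec / port_bps


def simulate(levels_pct, rising_pct: float = 1.0, falling_pct: float = 0.5) -> list[bool]:
    """Return the suppression decision for each interval in levels_pct."""
    sc = StormControl(rising_pct, falling_pct)
    return [sc.update(level) for level in levels_pct]


# Constructed sample: flood level per interval as % of port bandwidth.
SAMPLE_LEVELS = [0.2, 0.8, 1.2, 0.9, 0.6, 0.4, 0.8]

if __name__ == "__main__":
    # The exhibit's 94 Mbit/s input rate on a 1 Gbit/s port is far above a 1% threshold.
    print("exhibit input as % of 1 Gbit/s:", utilisation_pct(94_000_000, 1_000_000_000))
    for level, dropped in zip(SAMPLE_LEVELS, simulate(SAMPLE_LEVELS)):
        print(f"{level:4.1f}% -> {'suppress' if dropped else 'forward'}")
```

The interesting intervals are the 0.9% and 0.6% readings after the storm: both are below the rising threshold, yet the port keeps suppressing until the level drops under 0.5%. Setting falling equal to rising (the IOS behaviour when only one value is given) removes that dead band and makes a port near the threshold toggle every interval.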

Question 88

Topic: IP Routing

Three IOS XE routers share VLAN 100 on a single Ethernet segment and run single-area OSPFv2 in area 0. The network team wants R3 to form OSPF adjacencies on GigabitEthernet0/0 but never become the DR or BDR for that broadcast network. The segment must remain an OSPF broadcast network. Which configuration should be applied on R3?

Options:

  • A. Set a lower OSPF router ID on R3.

  • B. Set ip ospf priority 0 under GigabitEthernet0/0.

  • C. Set passive-interface GigabitEthernet0/0 under OSPF.

  • D. Set ip ospf network point-to-point under GigabitEthernet0/0.

Best answer: B

Explanation: On an OSPF broadcast network, routers elect a DR and BDR using interface priority first, then router ID as the tiebreaker. To keep R3 participating in OSPF while preventing it from becoming DR or BDR, configure the OSPF priority to 0 on the participating interface. This changes only R3’s eligibility for the election on that link; it does not disable OSPF hellos or route exchange. Router ID only influences the election among eligible routers, so it is not a reliable way to make a router permanently ineligible. Note that the election is not preemptive: on a segment that already has a DR and BDR, a priority change takes effect only after the adjacencies are reset (for example by clearing the OSPF process or bouncing the interface), so apply the setting before R3 joins the segment or plan for that reset.

  • Passive interface stops OSPF hellos on the interface, so R3 would not form adjacencies there.
  • Point-to-point type changes the OSPF network behavior and removes the broadcast DR/BDR model required by the stem.
  • Lower router ID may lose a tiebreaker, but it does not prevent DR/BDR election if priorities allow eligibility.

Question 89

Topic: Switching and Network Access

An access switch port for a user workstation stopped forwarding after a small unmanaged switch was connected at the desk. Review the log excerpt.

%SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on Gi1/0/10 with BPDU Guard enabled. Disabling port.
%PM-4-ERR_DISABLE: bpduguard error detected on Gi1/0/10, putting Gi1/0/10 in err-disable state

What is the best interpretation?

Options:

  • A. BPDU guard protected an edge port by err-disabling it.

  • B. Loop guard blocked the port after BPDUs stopped arriving.

  • C. Root guard blocked a superior BPDU in root-inconsistent state.

  • D. Root guard shut down the port because PortFast was enabled.

Best answer: A

Explanation: BPDU guard is used on edge ports, typically with PortFast, where BPDUs should not be received. If a BPDU arrives, BPDU guard treats that as evidence that a switch or bridge has been connected and places the port into the err-disabled state to protect the Layer 2 topology. Root guard has a different goal: preventing a port from becoming a root port when superior BPDUs are received, usually by moving it to root-inconsistent. Loop guard also differs: it protects against loops caused by a port unexpectedly stopping receipt of BPDUs, placing the port into loop-inconsistent rather than err-disabled. The key clue is the bpduguard err-disable message. Once err-disabled, the port stays down until an administrator issues shutdown followed by no shutdown, or errdisable recovery is enabled for the bpduguard cause; either way the unmanaged switch should be removed first or the port will be disabled again.

  • Root-inconsistent state fits root guard, not the displayed bpduguard err-disable condition.
  • Missing BPDUs is the loop guard trigger, but the log shows a BPDU was received.
  • PortFast alone does not cause a shutdown; BPDU guard reacts when a BPDU appears on an edge port.

Question 90

Topic: Switching and Network Access

A network team added VLAN 20 for new workstations on SW2. Hosts in VLAN 20 can reach each other on SW2, but they cannot reach the router-on-a-stick gateway connected through SW1. VLAN 10 hosts on SW2 can reach their gateway normally.

Exhibit:

SW1# show interfaces trunk
Port    Mode   Encapsulation  Status   Native vlan
Gi0/1   on     802.1q         trunking 99

Port    Vlans allowed on trunk
Gi0/1   10

SW2# show vlan brief
VLAN  Name      Status  Ports
10    Users     active  Gi0/2
20    NewUsers  active  Gi0/3

Which action best resolves the VLAN 20 connectivity problem?

Options:

  • A. Create an SVI for VLAN 20 on SW2

  • B. Add VLAN 20 to the allowed VLAN list on Gi0/1

  • C. Change Gi0/1 to an access port in VLAN 20

  • D. Change the native VLAN on Gi0/1 to VLAN 20

Best answer: B

Explanation: An 802.1Q trunk carries traffic for multiple VLANs only when those VLANs are permitted on the trunk. The exhibit shows Gi0/1 is already trunking with 802.1Q, and VLAN 10 works across the same path. That makes the physical link and trunk status less likely to be the issue. The decisive clue is the allowed VLAN list: Gi0/1 permits only VLAN 10, while VLAN 20 exists on SW2 and needs to cross the trunk toward SW1 and the router-on-a-stick gateway. Adding VLAN 20 to the allowed list preserves the trunk and permits VLAN 20 tagged frames. Changing the native VLAN would not allow VLAN 20 tagged traffic unless VLAN 20 is also permitted.

  • Access port change would stop the link from carrying multiple VLANs, breaking the trunk requirement.
  • Native VLAN change affects untagged traffic, not whether tagged VLAN 20 is allowed.
  • SVI on SW2 is unnecessary if the gateway is on the router-on-a-stick path through SW1.
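Questions 77, 84 and 90 all turn on reading the "Vlans allowed on trunk" table correctly, and IOS prints that list in compressed form ("1,10,30", "1-4094", "10,20-30"). The following added example, which is not part of the practice exam, expands those lists and reports which required VLANs a trunk is missing. The three show outputs are the Q90, Q84 and Q77 exhibits embedded as constructed strings; the required-VLAN sets are taken from the question stems.

```python
"""Expand the "Vlans allowed on trunk" list and find VLANs a trunk is missing.

Added example, not part of the practice exam. IOS prints the allowed list
compressed ("1,10,30", "1-4094", "10,20-30"), so a checker has to expand
ranges before testing membership. The show outputs below are the Q90, Q84
and Q77 exhibits, embedded as constructed strings.
"""
from __future__ import annotations

import re


def expand_vlan_list(spec: str) -> set[int]:
    """'1,10,20-22' -> {1, 10, 20, 21, 22}; 'none' -> empty set; 'all' -> 1..4094."""
    spec = spec.strip().lower()
    if spec in ("", "none"):
        return set()
    if spec == "all":
        return set(range(1, 4095))
    vlans: set[int] = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        low = int(lo)
        high = int(hi) if hi else low
        if not 1 <= low <= high <= 4094:
            raise ValueError(f"bad VLAN range {part!r}")
        vlans.update(range(low, high + 1))
    return vlans


def parse_allowed(show_trunk: str) -> dict[str, set[int]]:
    """Return {port: allowed VLAN set} from the 'Vlans allowed on trunk' table."""
    allowed: dict[str, set[int]] = {}
    in_table = False
    for line in show_trunk.splitlines():
        if "Vlans allowed on trunk" in line:
            in_table = True
            continue
        if not in_table or not line.strip():
            continue
        match = re.fullmatch(r"(\S+)\s+(\S+)\s*", line)
        if match is None:
            break          # reached the next table's header
        allowed[match.group(1)] = expand_vlan_list(match.group(2))
    return allowed


def missing_vlans(allowed: dict[str, set[int]], port: str, required: set[int]) -> set[int]:
    """VLANs in `required` that the trunk does not carry."""
    if port not in allowed:
        raise KeyError(f"{port} is not trunking")
    return required - allowed[port]


def fix_command(missing: set[int]) -> str:
    """Use the 'add' keyword: without it the new list replaces the existing one."""
    return "switchport trunk allowed vlan add " + ",".join(str(v) for v in sorted(missing))


# Constructed from the exhibits.
SHOW_TRUNK_Q90 = """\
SW1# show interfaces trunk
Port    Mode   Encapsulation  Status   Native vlan
Gi0/1   on     802.1q         trunking 99

Port    Vlans allowed on trunk
Gi0/1   10
"""

SHOW_TRUNK_Q84 = """\
Port  Mode  Encapsulation  Status     Native vlan
Po1   on    802.1q         trunking   1

Port  Vlans allowed on trunk
Po1   1,10,30
"""

SHOW_TRUNK_Q77 = """\
SW1# show interfaces trunk
Port      Vlans allowed on trunk
Gi1/0/48  20,30
"""

if __name__ == "__main__":
    for name, output, port, required in (("Q90", SHOW_TRUNK_Q90, "Gi0/1", {10, 20}),
                                         ("Q84", SHOW_TRUNK_Q84, "Po1", {20}),
                                         ("Q77", SHOW_TRUNK_Q77, "Gi1/0/48", {20, 30})):
        gap = missing_vlans(parse_allowed(output), port, required)
        print(f"{name} {port}: missing {sorted(gap) or 'nothing'}"
              + (f"  ->  {fix_command(gap)}" if gap else ""))
```

The fix_command helper deliberately emits the add keyword: typing switchport trunk allowed vlan 20 on its own replaces the whole list and would cut VLANs 1, 10 and 30 off the Q84 trunk while fixing VLAN 20.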

Question 91

Topic: IP Routing

R1 and R2 are connected directly on Gi0/0. Both interfaces are up/up and can ping each other. The goal is to form a single-area OSPFv2 adjacency in area 0 without changing IP addressing.

Exhibit:

R1# show ip ospf interface gi0/0 | include Internet|Area
  Internet Address 10.12.0.1/30, Area 0

R2# show ip ospf interface gi0/0 | include Internet|Area
  Internet Address 10.12.0.2/30, Area 1

R1# show ip ospf neighbor
<no neighbors displayed>

Which configuration decision should fix the adjacency?

Options:

  • A. Configure a static route to 10.12.0.0/30 on R2.

  • B. Configure ip ospf network point-to-point on R1 only.

  • C. Move R1 Gi0/0 into OSPF area 1.

  • D. Configure ip ospf 10 area 0 on R2 Gi0/0.

Best answer: D

Explanation: OSPF neighbors on a directly connected link must agree on key interface parameters, including the OSPF area. The exhibit shows that Layer 3 reachability exists because the interfaces can ping, and the IPv4 addresses are in the same /30 subnet. The mismatch is that R1 places Gi0/0 in area 0 while R2 places its connected interface in area 1. Configuring OSPF area 0 on R2’s connected interface aligns the area with the stated single-area design and allows the adjacency process to proceed. Changing only the network type or adding static routing does not correct the area mismatch.

  • Network type only fails because changing one side to point-to-point does not resolve the visible area mismatch.
  • Move R1 to area 1 could align areas but violates the stated requirement to use area 0.
  • Static route is unrelated because OSPF adjacency formation depends on matching OSPF interface parameters, not static reachability.

Question 92

Topic: Network Services and Security

A branch router currently uses local SSH logins. The security team now requires centralized administrator authentication, centralized command authorization, command accounting, and a local break-glass login if the AAA server is unreachable.

Exhibit:

R1# show running-config | include aaa|username|line vty|login authentication|transport input
aaa new-model
aaa authentication login VTY local
username netadmin privilege 15 secret <redacted>
line vty 0 4
 login authentication VTY
 transport input ssh

Which next action best meets the requirement?

Options:

  • A. Keep local usernames on every router

  • B. Use a shared enable secret for admins

  • C. Configure TACACS+ AAA with local fallback

  • D. Configure RADIUS authentication only

Best answer: C

Explanation: For Cisco device management, TACACS+ is the best fit when the requirement includes centralized administrator login plus command authorization and accounting. TACACS+ handles authentication, authorization, and accounting as separate exchanges, which is what per-command control and logging need, and it encrypts the entire packet body, whereas RADIUS protects only the password field. The exhibit shows that VTY access currently uses only a local AAA method list, so the next step is to move the VTY method list to a TACACS+ server group while keeping local as the second method. The order matters: IOS falls through to the next method only when the server group is unreachable, not when the server rejects the credentials, so local remains a break-glass path rather than a bypass.

RADIUS is common for network access authentication (802.1X, wireless, and VPN users), but TACACS+ is typically preferred for administrative command control on network devices.

  • RADIUS only misses the stated need for centralized command authorization and accounting for device administration.
  • Local usernames do not provide centralized authentication or centralized command tracking.
  • Shared enable secret weakens accountability because multiple admins would use the same credential.

Question 93

Topic: IP Routing

R1 is an IOS XE router with IP routing enabled. Its LAN is 10.10.10.0/24, and its ISP-facing interface is GigabitEthernet0/0 with IP address 198.51.100.2/30. R1 can ping the ISP next hop 198.51.100.1, but LAN users cannot reach off-net destinations. show ip route displays Gateway of last resort is not set. Which configuration change should be applied?

Options:

  • A. ip default-gateway 198.51.100.1

  • B. ip route 10.10.10.0 255.255.255.0 198.51.100.1

  • C. ip route 0.0.0.0 255.255.255.255 198.51.100.1

  • D. ip route 0.0.0.0 0.0.0.0 198.51.100.1

Best answer: D

Explanation: An IPv4 default route uses destination 0.0.0.0 with mask 0.0.0.0. It becomes the gateway of last resort and is used when no more specific route matches the destination. Because R1 can already reach the ISP next hop, the missing piece is the default static route pointing to 198.51.100.1. The ip default-gateway command is not the right fix for a router performing Layer 3 routing.

  • Default gateway command applies only when ip routing is disabled, such as on a Layer 2 switch management plane; a router that is routing ignores it for transit traffic.
  • Host route mask creates a route only to 0.0.0.0/32, not a default route.
  • LAN static route points the connected LAN toward the ISP and does not provide reachability to unknown destinations.
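Questions 79 and 93 are two faces of the same mechanism: a static route is installed only when its next hop can be resolved, and only an installed 0.0.0.0/0 route becomes the gateway of last resort. The following added example, not part of the practice exam, reproduces both behaviours and then resolves destinations by longest match. Resolution is simplified to "the next hop lies on a connected subnet" (IOS also resolves recursively through other routes). Interface data comes from the two exhibits; the masks for the Q79 interfaces and the LAN interface name for Q93 are assumed because the exhibits do not show them.

```python
"""Check whether static routes get installed and resolve destinations by longest match.

Added example, not part of the practice exam. It reproduces two behaviours
behind Q79 and Q93: a static route is only installed when its next hop is
resolvable (simplified here to "lies on a connected subnet"), so a bad next
hop leaves the gateway of last resort unset; and 0.0.0.0 with mask
255.255.255.255 is a /32 host route, not a default route. Masks for the Q79
interfaces and the LAN interface name for Q93 are assumed.
"""
from __future__ import annotations

import ipaddress

CONNECTED_AD = 0   # administrative distance of connected routes
STATIC_AD = 1      # administrative distance of static routes


def parse_ip_route(line: str) -> tuple[str, str, str]:
    """'ip route 0.0.0.0 0.0.0.0 10.0.0.2' -> ('0.0.0.0', '0.0.0.0', '10.0.0.2')."""
    parts = line.split()
    if len(parts) < 5 or parts[:2] != ["ip", "route"]:
        raise ValueError(f"not an ip route line: {line!r}")
    return parts[2], parts[3], parts[4]


def next_hop_resolvable(next_hop: str, interfaces: dict[str, str]) -> bool:
    """Simplified resolution: the next hop must be on a connected subnet."""
    nh = ipaddress.IPv4Address(next_hop)
    return any(nh in ipaddress.IPv4Interface(cidr).network for cidr in interfaces.values())


def build_rib(interfaces: dict[str, str], static_lines: list[str]):
    """Return installed entries as (network, next_hop or None, administrative distance)."""
    rib = [(ipaddress.IPv4Interface(cidr).network, None, CONNECTED_AD)
           for cidr in interfaces.values()]
    for line in static_lines:
        dest, mask, nh = parse_ip_route(line)
        net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        if next_hop_resolvable(nh, interfaces):
            rib.append((net, nh, STATIC_AD))
    return rib


def gateway_of_last_resort(rib) -> str | None:
    """Next hop of the installed 0.0.0.0/0 route, or None if not set."""
    for net, nh, _ in rib:
        if net.prefixlen == 0:
            return nh
    return None


def lookup(rib, destination: str) -> str | None:
    """Longest prefix wins; lower administrative distance breaks ties."""
    dst = ipaddress.IPv4Address(destination)
    candidates = [(net, nh, ad) for net, nh, ad in rib if dst in net]
    if not candidates:
        return None
    _, nh, _ = max(candidates, key=lambda e: (e[0].prefixlen, -e[2]))
    return nh if nh is not None else "connected"


# Q79 exhibit (masks assumed: /24 LAN, /30 ISP handoff).
Q79_INTERFACES = {"GigabitEthernet0/0": "192.168.10.1/24", "GigabitEthernet0/1": "203.0.113.2/30"}
# Q93 stem (LAN interface name assumed).
Q93_INTERFACES = {"GigabitEthernet0/0": "198.51.100.2/30", "GigabitEthernet0/1": "10.10.10.1/24"}

if __name__ == "__main__":
    bad = build_rib(Q79_INTERFACES, ["ip route 0.0.0.0 0.0.0.0 10.0.0.2"])
    good = build_rib(Q79_INTERFACES, ["ip route 0.0.0.0 0.0.0.0 203.0.113.1"])
    print("Q79 as configured, gateway of last resort:", gateway_of_last_resort(bad))
    print("Q79 after the fix, 8.8.8.8 goes via:", lookup(good, "8.8.8.8"))
    host_route = build_rib(Q93_INTERFACES, ["ip route 0.0.0.0 255.255.255.255 198.51.100.1"])
    print("Q93 option C installs", [str(n) for n, _, ad in host_route if ad == STATIC_AD],
          "and 8.8.8.8 resolves to", lookup(host_route, "8.8.8.8"))
```

With the Q79 configuration the default route never enters the table and off-net lookups return nothing; with the Q93 option C mask the route is installed but as 0.0.0.0/32, which matches no real destination, so the gateway of last resort is still unset. The tie-break in lookup also shows why option B of Q93 is harmless but useless: the connected 10.10.10.0/24 beats the static copy on administrative distance.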

Question 94

Topic: Network Infrastructure and Connectivity

A branch access switch uplink to the distribution switch is documented as a 1-Gbps Cat6 connection. Users in VLAN 20 receive DHCP leases and can reach server subnets, but transfers through this uplink are much slower than expected.

Exhibit:

SW1# show interfaces gi1/0/48 status
Port      Name          Status     Vlan   Duplex  Speed  Type
Gi1/0/48  Uplink-DSW    connected  trunk  a-full  a-100  10/100/1000BaseTX

SW1# show interfaces trunk
Port      Mode  Encapsulation  Status     Native vlan
Gi1/0/48  on    802.1q         trunking   99

Options:

  • A. Native VLAN mismatch

  • B. Incorrect client default gateway

  • C. Missing DHCP relay

  • D. Uplink negotiated at 100 Mbps

Best answer: D

Explanation: A speed mismatch can exist even when an interface is physically up and forwarding traffic. In the exhibit, the uplink is connected, operates as an 802.1Q trunk, and uses full duplex, so the basic Layer 1 and Layer 2 connection is working. However, the speed column shows a-100, meaning the port auto-negotiated 100 Mbps instead of the documented 1 Gbps. That lower operational speed directly explains slow transfers while still allowing DHCP and routed reachability to work. The next checks should focus on both ends of the link, speed settings, and the cable or patch path supporting all required pairs for Gigabit Ethernet.

  • Native VLAN is not supported by the evidence because the trunk is up and no native VLAN mismatch symptom is shown.
  • DHCP relay is unlikely because clients already receive DHCP leases.
  • Default gateway is unlikely because users can reach server subnets, so routed connectivity exists.

Question 95

Topic: Network Infrastructure and Connectivity

A small office has three nearby APs serving the same SSID. Users report slow wireless performance only on 2.4 GHz; 5 GHz clients work normally. The controller shows high retry rates on the 2.4 GHz radios.

Exhibit:

AP    2.4 GHz channel  Channel width
AP-1  1                20 MHz
AP-2  3                20 MHz
AP-3  6                20 MHz

Which configuration decision best addresses the likely interference cause?

Options:

  • A. Configure all APs for channel 6

  • B. Increase transmit power on all APs

  • C. Change the SSID security mode

  • D. Use nonoverlapping channels 1, 6, and 11

Best answer: D

Explanation: The likely cause is overlapping-channel interference in the 2.4 GHz band. With 20 MHz channels, 2.4 GHz Wi-Fi channels overlap unless they are spaced far enough apart; the common nonoverlapping plan is channels 1, 6, and 11. AP-2 on channel 3 overlaps with both AP-1 on channel 1 and AP-3 on channel 6, because channel centres sit only 5 MHz apart and a 20 MHz channel spans 10 MHz either side of its centre, and that shared spectrum drives the retries and poor throughput. Reassigning nearby APs to a nonoverlapping channel plan directly addresses the RF evidence while leaving the working 5 GHz service unchanged.

Increasing power can make interference worse by expanding cell overlap; channel planning is the key fix here.

  • More power can increase contention and overlap, so it does not address high retries caused by overlapping channels.
  • Same channel everywhere creates co-channel contention among nearby APs instead of separating RF cells.
  • Security mode change affects authentication and encryption, not 2.4 GHz retry rates caused by RF overlap.
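The following is an added example, not part of the original question set. It turns the spacing rule from the explanation into a check you can run over a channel plan: each 2.4 GHz channel is treated as a 20 MHz block centred on 2412 MHz + 5 MHz per channel step, and two APs are flagged when their centres are closer than one channel width. The AP names and the three plans (the exhibit, the 1/6/11 fix, and the all-on-6 option) are constructed from the question; the 20 MHz width is the exhibit's figure.

```python
"""Flag overlapping 2.4 GHz channel assignments (added example for this page)."""
from itertools import combinations

CHANNEL_WIDTH_MHZ = 20  # the exhibit uses 20 MHz channels


def center_mhz(channel: int) -> int:
    """Centre frequency of a 2.4 GHz channel: channel 1 is 2412 MHz, then 5 MHz per step.
    Channel 14 (2484 MHz, Japan only) breaks the 5 MHz pattern and is rejected here."""
    if not 1 <= channel <= 13:
        raise ValueError(f"channel {channel} is outside the 1-13 range handled here")
    return 2412 + 5 * (channel - 1)


def overlaps(ch_a: int, ch_b: int, width_mhz: int = CHANNEL_WIDTH_MHZ) -> bool:
    """Two cells share spectrum when their centres are closer than one channel width.
    Equal channels (spacing 0) also count: that is co-channel contention."""
    return abs(center_mhz(ch_a) - center_mhz(ch_b)) < width_mhz


def overlapping_pairs(plan: dict[str, int],
                      width_mhz: int = CHANNEL_WIDTH_MHZ) -> list[tuple[str, str]]:
    """Return the AP pairs in a plan whose channels overlap, in sorted AP order."""
    return [(a, b) for a, b in combinations(sorted(plan), 2)
            if overlaps(plan[a], plan[b], width_mhz)]


# Constructed plans: the exhibit as found, option D (1/6/11) and option A (all on 6).
EXHIBIT_PLAN = {"AP-1": 1, "AP-2": 3, "AP-3": 6}
FIXED_PLAN = {"AP-1": 1, "AP-2": 6, "AP-3": 11}
SAME_CHANNEL_PLAN = {"AP-1": 6, "AP-2": 6, "AP-3": 6}

if __name__ == "__main__":
    for name, plan in [("exhibit", EXHIBIT_PLAN), ("1/6/11", FIXED_PLAN),
                       ("all on 6", SAME_CHANNEL_PLAN)]:
        print(f"{name:>9}: overlapping pairs = {overlapping_pairs(plan)}")
```

With a strict 20 MHz width the check also accepts the four-channel 1/5/9/13 plan used in some regulatory domains, because those centres are exactly 20 MHz apart; the 1/6/11 plan keeps 25 MHz of spacing, which also clears the wider 22 MHz mask of legacy 802.11b transmissions, so it is the safer choice where 802.11b clients may still appear.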

Question 96

Topic: Network Services and Security

R1 routes between a user subnet on G0/0 and a server subnet on G0/1. The goal is to block only PC1 from reaching the server subnet while allowing PC1 to reach other networks. After the change, PC1 cannot reach the Internet or printer subnets, but other users can.

Exhibit:

PC1: 10.20.30.25/24, gateway 10.20.30.1
Server subnet: 172.16.50.0/24 via R1 G0/1

access-list 15 deny host 10.20.30.25
access-list 15 permit any
!
interface GigabitEthernet0/0
 ip address 10.20.30.1 255.255.255.0
 ip access-group 15 in
!
interface GigabitEthernet0/1
 ip address 172.16.50.1 255.255.255.0

Options:

  • A. Remove access-list 15 permit any

  • B. Apply ACL 15 outbound on G0/1

  • C. Add a destination match to ACL 15

  • D. Apply ACL 15 inbound on G0/1

Best answer: B

Explanation: A standard IPv4 ACL matches only the source IPv4 address, never the destination. In the exhibit, ACL 15 is applied inbound on the user-facing interface, so every packet sourced by PC1 is dropped before R1 routes it, regardless of where it is going. That is why PC1 loses the Internet and printer subnets along with the server subnet. Because a standard ACL cannot express where traffic is going, it must be placed where only the unwanted flow passes: remove it from G0/0 and apply it outbound on G0/1, the exit toward 172.16.50.0/24. PC1's traffic to other destinations never crosses G0/1 and is unaffected. The permit any line is still needed so other sources are not blocked by the implicit deny. If the filter must stay close to the source instead, the tool is an extended ACL that matches both source and destination, applied inbound on G0/0.

  • Inbound on G0/1 checks traffic entering from the server subnet, not PC1 traffic leaving toward it.
  • Destination match is not available in a standard IPv4 ACL; extended ACLs match destination fields.
  • Removing permit any would make the ACL deny PC1 explicitly and deny all other sources implicitly.
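The following is an added example, not part of the original question set and not IOS code. It models R1 as a small forwarding function (ingress ACL, longest-prefix egress selection, egress ACL, implicit deny) so the effect of ACL placement can be checked rather than reasoned about. The user and server interfaces and ACL 15 come from the exhibit; the printer subnet 10.20.40.0/24, the Internet-facing interface G0/3, the target addresses, and the extended ACL 115 are constructed for the demonstration.

```python
"""Model where ACL 15 filters PC1's traffic on R1 (added example; not IOS code)."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class AclEntry:
    action: str                      # "permit" or "deny"
    source: IPv4Network              # a standard ACL matches only this field
    destination: IPv4Network = ANY   # an extended ACL also matches this one

    def matches(self, src: IPv4Address, dst: IPv4Address) -> bool:
        return src in self.source and dst in self.destination


def acl_decision(entries: list[AclEntry], src: IPv4Address, dst: IPv4Address) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for entry in entries:
        if entry.matches(src, dst):
            return entry.action
    return "deny"


@dataclass
class Router:
    # interface -> connected network; the 0.0.0.0/0 entry stands in for the Internet uplink
    interfaces: dict[str, IPv4Network]
    # (interface, "in" | "out") -> applied ACL; interfaces without an ACL pass everything
    acls: dict[tuple[str, str], list[AclEntry]] = field(default_factory=dict)

    def egress(self, dst: IPv4Address) -> str:
        """Longest-prefix match over the connected and default routes."""
        best = max((n for n in self.interfaces.values() if dst in n),
                   key=lambda n: n.prefixlen)
        return next(name for name, net in self.interfaces.items() if net == best)

    def _dropped(self, iface: str, direction: str, src, dst) -> bool:
        acl = self.acls.get((iface, direction))
        return acl is not None and acl_decision(acl, src, dst) == "deny"

    def forward(self, src: str, dst: str, ingress: str) -> str:
        s, d = ip_address(src), ip_address(dst)
        if self._dropped(ingress, "in", s, d):
            return f"denied inbound on {ingress}"
        out = self.egress(d)
        if self._dropped(out, "out", s, d):
            return f"denied outbound on {out}"
        return f"forwarded via {out}"


# R1 from the exhibit plus constructed printer and Internet-facing interfaces.
R1_INTERFACES = {
    "G0/0": ip_network("10.20.30.0/24"),    # users (exhibit)
    "G0/1": ip_network("172.16.50.0/24"),   # servers (exhibit)
    "G0/2": ip_network("10.20.40.0/24"),    # printers (constructed)
    "G0/3": ANY,                            # Internet uplink (constructed)
}
PC1 = "10.20.30.25"
ACL_15 = [AclEntry("deny", ip_network(f"{PC1}/32")), AclEntry("permit", ANY)]
# Constructed extended-ACL equivalent that keeps the filter inbound on G0/0.
ACL_115 = [AclEntry("deny", ip_network(f"{PC1}/32"), ip_network("172.16.50.0/24")),
           AclEntry("permit", ANY, ANY)]

BROKEN = Router(R1_INTERFACES, {("G0/0", "in"): ACL_15})      # exhibit
FIXED = Router(R1_INTERFACES, {("G0/1", "out"): ACL_15})      # option B
EXTENDED = Router(R1_INTERFACES, {("G0/0", "in"): ACL_115})   # extended-ACL alternative

# Constructed probe targets, one per destination type named in the question.
TARGETS = {"server": "172.16.50.10", "printer": "10.20.40.10", "internet": "203.0.113.10"}


def reachability(router: Router, src: str) -> dict[str, bool]:
    """Which constructed destinations a host on G0/0 can reach through this router."""
    return {name: router.forward(src, dst, "G0/0").startswith("forwarded")
            for name, dst in TARGETS.items()}


if __name__ == "__main__":
    for label, r in [("exhibit", BROKEN), ("ACL 15 out G0/1", FIXED), ("ACL 115 in G0/0", EXTENDED)]:
        print(f"{label:>16}: PC1 {reachability(r, PC1)}  other {reachability(r, '10.20.30.26')}")
```

Running it shows the exhibit configuration denying PC1 every destination, and both the outbound standard ACL and the inbound extended ACL denying only the server subnet while other users are untouched. One caveat the model does not cover: an outbound ACL on a Cisco router does not filter packets the router itself originates, so the placement rule applies to transit traffic only.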

Question 97

Topic: IP Routing

R1 currently sends all traffic for 10.20.30.0/24 to Router A. You must add a static route so that only the single server 10.20.30.45 is forwarded to next hop 192.0.2.2; all other hosts in 10.20.30.0/24 must continue using the existing route. Which IOS XE command should be used?

Options:

  • A. ip route 10.20.30.45 255.255.255.0 192.0.2.2

  • B. ip route 10.20.30.0 255.255.255.0 192.0.2.2

  • C. ip route 10.20.30.45 255.255.255.255 192.0.2.2

  • D. ip route 0.0.0.0 0.0.0.0 192.0.2.2

Best answer: C

Explanation: A host route is a static route with a 32-bit mask, written as 255.255.255.255 for IPv4. Because routers use longest-prefix match, a /32 route to 10.20.30.45 is preferred only for that exact destination, while the existing /24 route still handles the rest of 10.20.30.0/24. This solves the scope problem without redirecting traffic for neighboring hosts. A network route or default route would affect more destinations than the single server required.

  • Network route scope fails because 10.20.30.0/24 would redirect every host in that subnet to the new next hop.
  • Mismatched host and mask fails because pairing 10.20.30.45 with a /24 mask does not define a single-host prefix; the host bits are set under that mask, and IOS rejects the command as an inconsistent address and mask rather than installing it.
  • Default route scope fails because 0.0.0.0/0 can match many destinations, not only the specified server.
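The following is an added example, not part of the original question set, showing longest-prefix match over the routes in this question. The /24 toward Router A and the /32 toward 192.0.2.2 come from the question; the default route via 198.51.100.1, the Router A label, and the probe addresses are constructed. Building routes with strict=True mirrors the way IOS refuses option A, a prefix whose host bits are set under its mask.

```python
"""Static routes and longest-prefix match on R1 (added example; the table is constructed)."""
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional


def add_static(table: dict[IPv4Network, str], prefix: str, mask: str, next_hop: str) -> None:
    """Mirror `ip route PREFIX MASK NEXT_HOP`. With strict=True, ipaddress raises ValueError
    when PREFIX has host bits set under MASK, as IOS does for 10.20.30.45 255.255.255.0."""
    table[ip_network(f"{prefix}/{mask}", strict=True)] = next_hop


def lookup(table: dict[IPv4Network, str], destination: str) -> Optional[str]:
    """Return the next hop of the most specific matching route, or None if nothing matches."""
    dst: IPv4Address = ip_address(destination)
    candidates = [net for net in table if dst in net]
    if not candidates:
        return None
    # Longest-prefix match: the /32 beats the /24, which beats the /0.
    return table[max(candidates, key=lambda net: net.prefixlen)]


def r1_table() -> dict[IPv4Network, str]:
    """R1's static routes after option C is applied."""
    table: dict[IPv4Network, str] = {}
    add_static(table, "10.20.30.0", "255.255.255.0", "RouterA")        # existing route (question)
    add_static(table, "10.20.30.45", "255.255.255.255", "192.0.2.2")   # option C: /32 host route
    add_static(table, "0.0.0.0", "0.0.0.0", "198.51.100.1")            # constructed default route
    return table


if __name__ == "__main__":
    table = r1_table()
    for host in ("10.20.30.45", "10.20.30.46", "203.0.113.9"):
        print(host, "->", lookup(table, host))
    try:
        add_static(table, "10.20.30.45", "255.255.255.0", "192.0.2.2")  # option A
    except ValueError as err:
        print("rejected:", err)
```

On the real router, `show ip route 10.20.30.45` confirms the same selection by printing the /32 entry, while `show ip route 10.20.30.46` still shows the /24 via Router A.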

Question 98

Topic: Network Infrastructure and Connectivity

A user on VLAN 20 can reach IPv4 sites but cannot reach any IPv6 site. The switch port to the PC is up and learning the PC MAC address in VLAN 20. DNS lookup for app.example.com returns AAAA 2001:db8:50::20.

Exhibit: IPv6 details

PC IPv6 address:        2001:db8:20:5::34/64
PC default gateway:     fe80::1
Router VLAN 20 SVI:     2001:db8:20:6::1/64, fe80::1
SVI state:              up/up

Which root cause is best supported by the evidence?

Options:

  • A. The DNS AAAA record is missing.

  • B. The access port is assigned to the wrong VLAN.

  • C. The router SVI is administratively down.

  • D. The PC uses the wrong IPv6 prefix for VLAN 20.

Best answer: D

Explanation: The evidence points to an IPv6 addressing problem, not Layer 2 or DNS. The switch port is up and learning the PC MAC address in VLAN 20, so the visible Layer 2 evidence is healthy. DNS is also resolving the name to an IPv6 AAAA record. The mismatch is between the host prefix and the router SVI prefix: the PC is configured in 2001:db8:20:5::/64, but VLAN 20's router interface is in 2001:db8:20:6::/64. Because the PC's gateway fe80::1 is link-local, the PC can still hand packets to the router; what breaks is the return path, since R1 has no connected route for 2001:db8:20:5::/64 on VLAN 20 and cannot deliver replies to 2001:db8:20:5::34. For normal host connectivity on a VLAN, the host IPv6 address must be in the on-link prefix advertised or configured for that segment. The best fix is to correct the PC IPv6 addressing to the 2001:db8:20:6::/64 prefix used on VLAN 20.

  • Wrong VLAN is not supported because the port is up and learning the PC MAC address in VLAN 20.
  • Missing AAAA record is not supported because DNS returns an IPv6 address for the hostname.
  • Down SVI is contradicted by the SVI state showing up/up.

Question 99

Topic: Network Infrastructure and Connectivity

A clinic deployed a new WLAN for handheld scanners. The scanners can see the SSID but fail to join. A digital network assistant recommends changing the 2.4-GHz channel from 6 to 11 to reduce interference.

Evidence:

Scanner capability: 2.4 GHz only, WPA2-PSK with AES
WLAN ScannerNet: 2.4 GHz enabled, WPA3-Personal SAE required
AP radio: channel 6, utilization 18%, noise -92 dBm, RSSI at scanner -53 dBm
Client event: authentication failed; unsupported AKM suite

Which configuration decision best addresses the issue?

Options:

  • A. Increase the AP transmit power

  • B. Move ScannerNet to 5 GHz only

  • C. Configure ScannerNet for WPA2-PSK with AES

  • D. Change the 2.4-GHz channel to 11

Best answer: C

Explanation: The visible evidence points to a wireless security compatibility problem, not an RF channel problem. The scanners support only WPA2-PSK with AES, but the WLAN requires WPA3-Personal SAE. The client event also reports an unsupported AKM suite, which is an authentication/key-management mismatch. RF indicators are healthy enough for association: channel utilization is low, noise is low, and the received signal is strong. Changing channels or power would not make a WPA3-only WLAN compatible with WPA2-only clients.

The key takeaway is to validate AI recommendations against the actual band, RF, and security evidence before changing wireless settings.

  • Channel change is unsupported because channel 6 has low utilization and no noise or signal problem is shown.
  • Transmit power does not address the reported unsupported authentication method.
  • 5-GHz only would make the WLAN unusable for scanners that support only 2.4 GHz.

Question 100

Topic: AI, Network Operations and Management

A network team uses Ansible to verify port status before a cabling change. The approved scope is read-only command execution on Site-A access switches only. The inventory contains these groups:

[site_a_access]
SW-A1
SW-A2

[site_a_distribution]
DSW-A1
DSW-A2

[all_switches:children]
site_a_access
site_a_distribution

Which Ansible plan best stays within the approved operational scope?

Options:

  • A. Run ios_command against all_switches for show interfaces status.

  • B. Run ios_command against site_a_access for show interfaces status.

  • C. Run ios_command against site_a_distribution for show interfaces status.

  • D. Run ios_config against site_a_access to set interface descriptions.

Best answer: B

Explanation: An Ansible command execution plan must match both the target scope and the allowed operation type. In this case, the approved scope is limited to Site-A access switches and read-only verification. The site_a_access inventory group contains only SW-A1 and SW-A2, so it matches the device boundary. The ios_command module is appropriate for operational show commands such as show interfaces status; it does not express an intent to change the running configuration. Targeting a broader or different group violates the device scope, and using a configuration module changes the type of operation. The key validation is: correct inventory group plus read-only command module.

  • Too broad fails because all_switches includes distribution switches outside the approved access-switch scope.
  • Wrong operation type fails because ios_config is for configuration changes, not read-only verification.
  • Wrong device group fails because site_a_distribution targets devices outside the approved access layer.

Continue with full practice

Use the Cisco CCNA 200-301 v2.0 Practice Test page for the full IT Mastery practice bank, mixed-topic practice, timed mock exams, explanations, and web/mobile app access.

Free review resource

Read the Cisco CCNA 200-301 v2.0 Cheat Sheet on Tech Exam Lexicon, then return to IT Mastery for timed practice.

Revised on Monday, May 25, 2026