Free Cisco CCNA 200-301 v2.0 Practice Questions: Network Services and Security
Practice 10 free Cisco CCNA (Cisco CCNA 200-301 v2.0) questions on Network Services and Security, with answers, explanations, and the IT Mastery next step.
Try the IT Mastery web app for a richer interactive practice experience with mixed sets, timed mocks, topic drills, explanations, and progress tracking.
Topic snapshot
| Field | Detail |
|---|---|
| Practice target | Cisco CCNA 200-301 v2.0 |
| Topic area | Network Services and Security |
| Blueprint weight | 20% |
| Page purpose | Focused sample questions before returning to mixed practice |
How to use this topic drill
Use this page to isolate Network Services and Security for Cisco CCNA 200-301 v2.0. Work through the 10 questions first, then review the explanations and return to mixed practice in IT Mastery.
| Pass | What to do | What to record |
|---|---|---|
| First attempt | Answer without checking the explanation first. | The fact, rule, calculation, or judgment point that controlled your answer. |
| Review | Read the explanation even when you were correct. | Why the best answer is stronger than the closest distractor. |
| Repair | Repeat only missed or uncertain items after a short break. | The pattern behind misses, not the answer letter. |
| Transfer | Return to mixed practice once the topic feels stable. | Whether the same skill holds up when the topic is no longer obvious. |
Blueprint context: 20% of the practice outline. A focused topic score can overstate readiness if you recognize the pattern too quickly, so use it as repair work before timed mixed sets.
Sample questions
These are original IT Mastery practice questions aligned to this topic area. They are not official Cisco questions, copied live-exam content, or exam dumps. Use them to preview question style and explanation depth before continuing with topic drills, mixed sets, and timed mocks in IT Mastery.
Question 1
Topic: Network Services and Security
External users can browse www.example.net, and mail.example.net resolves to 198.51.100.25. However, senders to user@example.net receive a bounce that the domain has no usable mail exchanger.
Exhibit: Public DNS zone excerpt
| Name | Type | Value |
|---|---|---|
example.net | NS | ns1.example.net |
www.example.net | CNAME | web1.example.net |
web1.example.net | A | 198.51.100.10 |
mail.example.net | A | 198.51.100.25 |
example.net | MX | 10 198.51.100.25 |
Which DNS correction best resolves the mail delivery issue?
Options:
A. Change the MX value to
10 mail.example.netB. Change the
www.example.netCNAME to an A recordC. Change
mail.example.netfrom an A record to a CNAME recordD. Add a PTR record for
198.51.100.25
Best answer: A
Explanation: The failure is caused by the MX record value. For mail delivery to user@example.net, external mail servers query the MX record for example.net. The MX record should point to a hostname, not directly to an IP address. That hostname must then resolve through an A or AAAA record. In the exhibit, mail.example.net already resolves to 198.51.100.25, so the best correction is to make the domain MX record reference mail.example.net.
PTR records can support reverse lookup and reputation checks, but they do not replace a valid MX target. The web CNAME is unrelated to mail routing.
- CNAME for mail is unnecessary because the mail host already has a valid A record.
- PTR record may help reverse DNS checks, but it does not tell senders which host accepts mail for the domain.
- Web CNAME change affects web name resolution, not SMTP delivery for
example.net.
Question 2
Topic: Network Services and Security
A network technician reviews the ACLs on R1 before making a change. Which interpretation of the exhibit is best?
Exhibit:
R1# show ip access-lists
Extended IP access list 101
10 permit tcp 192.0.2.0 0.0.0.255 any eq 443 (18 matches)
20 deny ip any any (4 matches)
Standard IP access list MGMT-SOURCES
10 permit 10.10.10.0, wildcard bits 0.0.0.255 (7 matches)
Options:
A. 101 is numbered extended; MGMT-SOURCES is named standard.
B. 101 is numbered standard; MGMT-SOURCES is named extended.
C. Both ACLs are extended because both include wildcard masks.
D. Both ACLs are named because both have sequence numbers.
Best answer: A
Explanation: Cisco IOS output identifies both the ACL type and the ACL identifier. A numeric identifier such as 101 is a numbered ACL, and in common IPv4 ACL ranges, 100–199 are extended ACLs. A text identifier such as MGMT-SOURCES is a named ACL; its type is shown separately as Standard IP access list. The sequence numbers 10 and 20 are ACE ordering values, not ACL identifiers or ACL type indicators.
Wildcard masks can appear in both standard and extended IPv4 ACL entries, so they do not determine whether an ACL is named, numbered, standard, or extended.
- Sequence number confusion fails because ACE sequence numbers do not make an ACL named.
- Number range confusion fails because
101is in an extended numbered ACL range, not a standard range. - Wildcard mask confusion fails because standard ACLs also use wildcard masks to match source addresses.
Question 3
Topic: Network Services and Security
A new branch must reach application servers in the data center over existing public ISP links. The requirement is to connect the branch LAN to the data center LAN without installing a VPN client on each PC.
Exhibit: Branch edge router evidence
Branch-R1# show ip cef 10.10.30.12
0.0.0.0/0
nexthop 203.0.113.1 GigabitEthernet0/0
Packet summary:
10.20.10.25:445 -> 10.10.30.12:445 exits Gi0/0 toward ISP
No IPsec security association is present
Which next action is most appropriate?
Options:
A. Build a site-to-site IPsec VPN between edge routers
B. Configure remote-access VPN clients on every branch PC
C. Add only a static route to the data center subnet
D. Use PAT overload on the branch Internet interface
Best answer: A
Explanation: An IPsec site-to-site VPN is used when two networks or locations need secure connectivity across an untrusted network such as the Internet. In this case, branch hosts need to reach data center servers, the traffic is exiting toward the ISP, and no IPsec security association exists. A site-to-site VPN between the edge routers can encrypt traffic between the private branch and data center prefixes while keeping the VPN function transparent to end hosts.
Remote-access VPN is better for individual users connecting into a network. PAT or a static route alone may help forwarding, but neither provides the encrypted site-to-site protection required over the public ISP path.
- Remote-access VPN is less appropriate because the requirement avoids installing a VPN client on each branch PC.
- PAT overload translates many inside addresses to one public address, but it does not create encrypted private-network connectivity.
- Static route only may direct traffic, but it does not protect the traffic across the ISP.
Question 4
Topic: Network Services and Security
A company wants Cisco IOS XE routers and switches to use a centralized server for administrator logins. The security team also requires per-command authorization and accounting for management sessions. If the server is unreachable, devices should fall back to local usernames. Which management authentication approach best meets these requirements?
Options:
A. Local usernames with SSH only
B. VTY line passwords with enable secret
C. AAA with RADIUS only
D. AAA with TACACS+ and local fallback
Best answer: D
Explanation: For Cisco device administration, AAA with TACACS+ is the best fit when the requirement includes centralized login control plus per-command authorization and accounting. TACACS+ separates authentication, authorization, and accounting functions, which makes it well suited for network-device management. IOS XE can also be configured to use local usernames as a fallback method if the TACACS+ server is unavailable. RADIUS is commonly used for network access authentication, but it is not the preferred choice for detailed command authorization on Cisco management sessions. The key distinction is centralized device administration with command-level control, not just secure transport or a shared line password.
- RADIUS only is weaker for this requirement because it does not best match Cisco command authorization and accounting needs.
- Local usernames can secure SSH access but do not provide centralized administration across devices.
- VTY passwords are an older, shared-password approach and do not provide user-specific AAA authorization or accounting.
Question 5
Topic: Network Services and Security
Users in VLAN 30 report that IPv4 access works, but some Windows clients intermittently lose IPv6 Internet access. The affected clients show a valid IPv4 address from the DHCP server and an IPv6 default gateway learned from an unknown link-local address. The access switch log shows the link-local address arriving on a user-facing port connected to a small unmanaged router. What is the best corrective action?
Options:
A. Configure storm control on the user-facing port
B. Enable DHCP snooping for VLAN 30
C. Enable Dynamic ARP Inspection for VLAN 30
D. Enable RA guard on the user-facing port
Best answer: D
Explanation: The symptom points to a rogue IPv6 Router Advertisement, not an IPv4 DHCP, ARP, or broadcast-rate problem. IPv6 hosts can learn their default gateway from RA messages sent by routers on the local link. Because the unknown link-local gateway is being advertised from a user-facing port connected to an unmanaged router, RA guard is the Layer 2 control that should block those unauthorized RA messages at the access edge. DHCP snooping protects DHCP message trust boundaries, DAI validates ARP, and storm control limits excessive Layer 2 traffic rates. The key is matching the control to the specific Layer 2 threat.
- DHCP snooping helps stop rogue IPv4 DHCP servers, but the clients already have valid IPv4 DHCP leases.
- Dynamic ARP Inspection protects against ARP spoofing, but the failure involves IPv6 default-gateway discovery.
- Storm control limits broadcast, multicast, or unknown unicast floods, but no traffic-flood symptom is shown.
Question 6
Topic: Network Services and Security
A new branch office can reach Internet sites, but users cannot reach the HQ file server at 10.10.20.50. The branch has printers, VoIP phones, and PCs that all need access to HQ resources.
Clues:
| Item | Evidence |
|---|---|
| Branch LAN | 10.30.10.0/24, DHCP working |
| Branch WAN | Public IP, interface up/up |
| Routing | Default route points to ISP |
| Current workaround | Only laptops with remote-access VPN clients can reach HQ |
What is the best corrective action?
Options:
A. Install remote-access VPN software on every branch device.
B. Configure PAT only on the branch edge router.
C. Configure an IPsec site-to-site VPN between the edge routers.
D. Add a CNAME record for the HQ file server.
Best answer: C
Explanation: An IPsec site-to-site VPN is appropriate when two locations need secure network-to-network connectivity over an untrusted network such as the Internet. In this case, the branch LAN has working DHCP, an up WAN link, and a default route for Internet access, but many device types need private access to HQ resources. Remote-access VPN works only for endpoints that can run a client, which does not fit printers, phones, and other shared devices. A site-to-site tunnel between the branch and HQ edge devices can protect traffic between the two private subnets transparently to the hosts.
- DNS change does not create encrypted connectivity to a private HQ subnet.
- PAT only supports outbound Internet access, not secure private network-to-network access.
- Remote-access clients are poorly suited for shared devices and do not connect the whole branch LAN.
Question 7
Topic: Network Services and Security
A company web server should be reachable at www.example.com over IPv6 address 2001:db8:20:10::50. IPv4 resolution for the same host is already working. A DNS check shows this zone entry:
www.example.com. 300 IN A 192.0.2.50
www.example.com. 300 IN CNAME web01.example.com.
web01.example.com. 300 IN AAAA 2001:db8:20:10::50
Which DNS configuration change best fixes IPv6 name resolution for www.example.com?
Options:
A. Add a PTR record for
2001:db8:20:10::50B. Replace the
wwwA record with an NS recordC. Replace the
wwwCNAME with awwwAAAA recordD. Change the
web01AAAA record to an MX record
Best answer: C
Explanation: An AAAA record maps a hostname to an IPv6 address. In the exhibit, www.example.com has an A record and also a CNAME record, which is an invalid DNS design because a name with a CNAME should not have other record types at the same owner name. Since the goal is for www.example.com itself to resolve to 2001:db8:20:10::50, the clean fix is to remove the conflicting CNAME and publish an AAAA record for www.example.com while keeping the existing A record if IPv4 must continue working.
PTR, NS, and MX records serve different DNS purposes and do not provide forward IPv6 host resolution.
- PTR record supports reverse lookup from an address to a name, not forward lookup from
www.example.comto IPv6. - NS record delegates or identifies authoritative name servers and would not map the host to an address.
- MX record identifies mail exchangers and would break the IPv6 host mapping for
web01.
Question 8
Topic: Network Services and Security
A network engineer must create an IPv4 ACL on an IOS XE router to identify the policy as WEB-FILTER in the running configuration. The ACL must match TCP traffic from 10.10.20.0/24 to a specific web server on destination port 443. Which ACL configuration approach best meets these requirements?
Options:
A. Create a numbered standard IPv4 ACL
B. Create a named extended IPv4 ACL
C. Create a named standard IPv4 ACL
D. Create a numbered extended IPv4 ACL
Best answer: B
Explanation: IPv4 ACLs can be either numbered or named, and either standard or extended. The descriptive label requirement points to a named ACL, while the need to match TCP traffic to a specific destination port points to an extended ACL. Standard ACLs match only the source IPv4 address, so they cannot directly match the destination server or TCP port. A numbered extended ACL could match the traffic characteristics, but it would not satisfy the requirement to identify the policy as WEB-FILTER in the configuration. The key distinction is that naming and matching scope are separate ACL design choices.
- Numbered standard fails because standard ACLs match only source IPv4 addresses and use numeric identifiers.
- Named standard satisfies the descriptive-name requirement but cannot match destination address or TCP port.
- Numbered extended can match protocol and port, but it does not meet the named-policy constraint.
Question 9
Topic: Network Services and Security
A network engineer is planning an IOS XE site-to-site VPN between two branch routers over the Internet. The VPN must negotiate security parameters dynamically and then protect the private IPv4 traffic between the sites with confidentiality and integrity. Which configuration decision best meets the goal?
Options:
A. Use AH to encrypt data traffic after GRE tunnel setup
B. Use NAT overload to hide traffic between the branches
C. Use IKE to negotiate SAs and ESP to protect data traffic
D. Use TLS certificates to form the IPsec data tunnel
Best answer: C
Explanation: IPsec site-to-site VPNs use a negotiation/control-plane process and a traffic-protection protocol. IKE negotiates peer authentication, algorithms, keys, and IPsec security associations. After those parameters are established, ESP protects the matched data traffic by providing confidentiality through encryption and integrity/authentication for the protected packets. AH can authenticate packets but does not encrypt them, and GRE can carry traffic but does not secure it by itself. NAT overload changes addresses for Internet access; it is not a VPN protection mechanism.
- AH after GRE fails because AH does not provide encryption, and GRE alone does not secure the payload.
- TLS tunnel confuses HTTPS-style transport security with IPsec VPN negotiation and data protection.
- NAT overload changes source addresses but does not negotiate IPsec SAs or encrypt branch-to-branch traffic.
Question 10
Topic: Network Services and Security
R1 connects a branch LAN to an ISP. GigabitEthernet0/0 is configured as ip nat outside and has address 198.51.100.14/30; GigabitEthernet0/1 is configured as ip nat inside. An internal server 10.20.30.25 must be reachable from the Internet on TCP port 443 by using R1’s outside interface address. Which additional NAT configuration supports this requirement?
Options:
A.
ip nat inside source static tcp 10.20.30.25 443 interface GigabitEthernet0/0 443B.
ip nat inside source list 10 interface GigabitEthernet0/0 overloadC.
ip nat inside source static tcp 10.20.30.25 80 interface GigabitEthernet0/0 443D.
ip nat outside source static tcp 10.20.30.25 443 interface GigabitEthernet0/0 443
Best answer: A
Explanation: For Internet users to initiate connections to an inside server through the router’s public interface address, IOS XE needs a static PAT, also called port forwarding, entry. The ip nat inside source static tcp form identifies the inside local host and port, then maps it to a reachable outside address and port. Using the interface keyword is appropriate when the public address is the address assigned to the outside interface. Dynamic PAT with overload is mainly for inside hosts initiating outbound sessions and does not create a predictable inbound mapping for the server.
- Dynamic PAT supports outbound address sharing, but it does not publish a specific inside server application for inbound Internet connections.
- Outside source NAT translates outside-origin addresses and is the wrong direction for exposing an inside server.
- Wrong inside port would send Internet TCP/443 traffic to TCP/80 on the server, not the required HTTPS service port.
Continue in the web app
Use IT Mastery for interactive Cisco CCNA 200-301 v2.0 practice with mixed sets, timed mocks, topic drills, explanations, and progress tracking.
Try Cisco CCNA 200-301 v2.0 on Web