Dumps -

0 votes, 0 avg

Created by

Md Hedaet Shake

CCNA 200-301

1 / 10

1. Which of the following cables would be used to connect a router to a switch?

1. crossover

2. rollover

3. straight-through

2 / 10

2. What command was used to generate the output shown below?

1. show interface status

2. show ip interface

3. show ip interface brief

4. show interface

3 / 10

3. What two devices can be connected to a router WAN serial interface that can provide clocking?
(Choose two.)

1. hub

2. modem

3. switch

4. CSU/DSU

4 / 10

4. What is the valid host address range for the subnet 172.25.4.0 /23?

1. 172.25.4.21 to 172.25.5.56

2. 172.25.4.35 to 172.25.5.64

3. 172.25.4.1 to 172.25.5.254

4. 172.25.4.10 to 172.25.5.210

5 / 10

5. What command should you use to quickly view the HSRP state of the switch for all HSRP groups
of which the switch is a member?

1. switch# show hsrp

2. switch# show ip interface brief

3. switch# show standby

4. switch# show standby brief

6 / 10

6. Which Cisco Internetwork Operating System (IOS) command is used to view the number of
Enhanced Interior Gateway Routing Protocol (EIGRP) packets that are sent and received?

1. show ip eigrp topology

2. show ip eigrp packets

3. show ip eigrp traffic

4. show eigrp neighbors

5. show ip route

6. show ip eigrp interfaces

7 / 10

7. Which device can break Collision domain?

1. Hub

2. Firewall

3. Router

4. Switch

8 / 10

8. Which of the following are port roles in the Rapid Spanning Tree Protocol (RSTP)? (Choose
three.)

1. Listening

2. Discarding

3. Routing

4. Designated

5. Alternate

6. Blocking

7. Backup

9 / 10

9. Which statement is NOT true regarding Internet Control Message Protocol (ICMP)?

1. ICMP can identify network problems.

2. An ICMP echo-request message is generated by the ping command.

3. ICMP is documented in RFC 792.

4. ICMP provides reliable transmission of data in an Internet Protocol (IP) environment.

10 / 10

10. Which type of Category 5 unshielded twisted-pair (UTP) cable is used to work as a trunk between
two switches?

1. RJ-45 crossover

2. RJ-11 straight-through

3. RJ-41 crossover

4. RJ-45 straight-through

Your score is

LinkedIn Facebook Twitter VKontakte

0 votes, 0 avg

Created by

Md Hedaet Shake

CCNP 350-401 ENCOR

1 / 1

1. Which Cisco Internetwork Operating System (IOS) command is used to view the number of
Enhanced Interior Gateway Routing Protocol (EIGRP) packets that are sent and received?

1. show ip eigrp traffic

2. show ip eigrp packets

3. show eigrp neighbors

4. show ip eigrp interfaces

5. show ip route

6. show ip eigrp topology

Your score is

LinkedIn Facebook Twitter VKontakte

0 votes, 0 avg

Created by

Md Hedaet Shake

CCNP 300-410 ENARSI

1 / 1

1. Which Cisco Internetwork Operating System (IOS) command is used to view the number of
Enhanced Interior Gateway Routing Protocol (EIGRP) packets that are sent and received?

1. show ip eigrp packets

2. show ip eigrp interfaces

3. show ip eigrp traffic

4. show eigrp neighbors

5. show ip eigrp topology

6. show ip route

Your score is

LinkedIn Facebook Twitter VKontakte

0 votes, 0 avg

Created by

Md Hedaet Shake

NSE 4

1 / 30

1. Why must you use aggressive mode when a local FortiGate IPSec gateway hosts multiple
dialup tunnels?

1. . In aggressive mode, the remote peers are able to provide their peer IDs in the first message.

2. Main mode does not support XAuth for user authentication.

3. FortiClient only supports aggressive mode.

4. FortiGate is able to handle NATed connections only in aggressive mode.

2 / 30

2. How can you block or allow to Twitter using a firewall policy?

1. Configure the Destination field as Internet Service objects for Twitter.

2. Configure the Source field as Internet Service objects for Twitter.

3. Configure the Service field as Internet Service objects for Twitter.

4. . Configure the Action field as Learn and select Twitter.

3 / 30

3. Which of the following features is supported by web filter in flow-based inspection mode
with NGFW mode set to profile-based?

1. Static URL

2. Search engines

3. Rating option

4. FortiGuard Quotas

4 / 30

4. An administrator observes that the port1 interface cannot be configured with an IP address.
What can be the reasons for that? (Choose three.)

1. The interface is a member of a zone.

2. The interface has been configured for one-arm sniffer.

3. Captive portal is enabled in the interface.

4. The operation mode is transparent.

5. The interface is a member of a virtual wire pair.

5 / 30

5. Examine the two static routes shown in the exhibit, then answer the following question.

Which of the following is the expected FortiGate behavior regarding these two routes to the same
destination?

1. FortiGate will route twice as much traffic to the port2 route

2. FortiGate will load balance all traffic across both routes.

3. . FortiGate will only actuate the port1 route in the routing table

4. FortiGate will use the port1 route as the primary candidate.

6 / 30

6. An administrator needs to strengthen the security for SSL VPN access. Which of the following
statements are best practices to do so? (Choose three.)

1. Configure a client integrity check (host-check).

2. Configure host restrictions by IP or MAC address.

3. . Configure SSL offloading to a content processor (FortiASIC).

4. Configure split tunneling for content inspection.

5. Configure two-factor authentication using security certificates.

7 / 30

7. Which of the following statements about converse mode are true? (Choose two.)

1. FortiGate stops sending files to FortiSandbox for inspection.

2. Administrators cannot change the configuration.

3. Administrators can access the FortiGate only through the console port.

4. FortiGate stops doing RPF checks over incoming packets.

8 / 30

8. Examine this output from a debug flow:

Why did the FortiGate drop the packet?

1. The next-hop IP address is unreachable.

2. It matched the default implicit firewall policy.

3. . It failed the RPF check.

4. It matched an explicitly configured firewall policy with the action DENY.

9 / 30

9. What is the limitation of using a URL list and application control on the same firewall policy,
in NGFW policy-based mode?

1. It limits the scope of application control to scan application traffic using parent signatures only

2. It limits the scope of application control to the browser-based technology category only.

3. It limits the scope of application control to scan application traffic based on application category only.

4. It limits the scope of application control to scan application traffic on DNS protocol only.

10 / 30

10. On a FortiGate with a hard disk, how can you upload logs to FortiAnalyzer or FortiManager?
(Choose two.)

1. real time

2. hourly

3. on-demand

4. store-and-upload

11 / 30

11. How does FortiGate verify the login credentials of a remote LDAP user?

1. FortiGate regenerates the algorithm based on the login credentials and compares it to the algorithm stored on the LDAP server.

2. FortiGate queries its own database for credentials.

3. FortiGate sends the user-entered credentials to the LDAP server for authentication.

4. FortiGate queries the LDAP server for credentials.

12 / 30

12. In a high availability (HA) cluster operating in active-active mode, which of the following
correctly describes the path taken by the SYN packet of an HTTP session that is offloaded to a
secondary FortiGate?

1. Client> primary FortiGate> secondary FortiGate> web server.

2. Client > secondary FortiGate> web server.

3. Client > primary FortiGate> secondary FortiGate> primary FortiGate> web server.

4. Clinet >secondary FortiGate> primary FortiGate> web server.

13 / 30

13. company needs to provide SSL VPN access to two user groups. The company also needs to display different welcome messages on the SSL VPN login screen for both user groups.
What is required in the SSL VPN configuration to meet these requirements?

1. Different SSL VPN realms for each group.

2. Different virtual SSL VPN IP addresses for each group.

3. Two separate SSL VPNs in different interfaces mapping the same ssl.root.

4. Two firewall policies with different captive portals.

14 / 30

14. If the Issuer and Subject values are the same in a digital certificate, which type of entity was
the certificate issued to?

1. A person

2. A root CA

3. A subordinate CA

4. A CRL

15 / 30

15. Which statement about DLP on FortiGate is true?

1. Files can be sent to FortiSandbox for detecting DLP threats.

2. It can be applied to a firewall policy in a flow-based VDOM

3. Traffic shaping can be applied to DLP sensors.

4. It can archive files and messages.

16 / 30

16. What files are sent to FortiSandbox for inspection in flow-based inspection mode?

1. . All suspicious files that do not have their hash value in the FortiGuard antivirus signature database.

2. All suspicious files that are above the defined oversize limit value in the protocol options.

3. All suspicious files that are allowed to be submitted to FortiSandbox in the antivirus profile.

4. All suspicious files that match patterns defined in the antivirus profile.

17 / 30

17. What criteria does FortiGate use to look for a matching firewall policy to process traffic?
(Choose two.)

1. Highest to lowest priority defined in the firewall policy.

2. Services defined in the firewall policy.

3. . Lowest to highest policy ID number.

4. Incoming and outgoing interfaces.

18 / 30

18. If traffic matches a DLP filter with the action set to Quarantine IP Address, what action does
FortiGate take?

1. It notifies the administrator by sending an email.

2. It blocks all future traffic for that IP address for a configured interval.

3. It archives the data for that IP address.

4. It provides a DLP block replacement page with a link to download the file.

19 / 30

19. Which configuration objects can be selected for the Source field of a firewall policy? (Choose
two.)

1. FQDN address

2. Firewall service

3. IP Pool

4. User or user group

20 / 30

20. When using WPAD DNS method, which FQDN format do browsers use to query the DNS
server?

1. srv_proxy.<local-domain>/wpad.dat

2. proxy.<local-domain>.wpad

3. srv_tcp.wpad.<local-domain>

4. wpad.<local-domain>

21 / 30

21. Which of the following services can be inspected by the DLP profile? (Choose three.)

1. HTTP-POST

2. FTP

3. NFS

4. IMAP

5. CIFS

22 / 30

22. An administrator has configured a route-based IPsec VPN between two FortiGate devices.
Which statement about this IPsec VPN configuration is true?

1. A phase 2 configuration is not required.

2. A virtual IPsec interface is automatically created after the phase 1 configuration is completed.

3. This VPN cannot be used as part of a hub-and-spoke topology.

4. The IPsec firewall policies must be placed at the top of the list.

23 / 30

23. Examine the routing database shown in the exhibit, and then answer the following question:

Which of the following statements are correct? (Choose two.)

1. The port1 and port2 default routes are active in the routing table.

2. The port3 default route has the highest distance.

3. There will be eight routes active in the routing table.

4. The port3 default route has the lowest metric.

24 / 30

24. Which of the following statements about NTLM authentication are correct? (Choose two.)

1. Multi-domain environments require DC agents on every domain controller.

2. It is useful when users log in to DCs that are not monitored by a collector agent.

3. NTLM-enabled web browsers are required.

4. . It takes over as the primary authentication method when configured alongside FSSO.

25 / 30

25. Which statement is true regarding the policy ID number of a firewall policy?

1. Represents the number of objects used in the firewall policy.

2. Defines the order in which rules are processed.

3. Required to modify a firewall policy using the CLI.

4. Changes when firewall policies are reordered.

26 / 30

26. During the digital verification process, comparing the original and fresh hash results satisfies
which security requirement?

1. Signature verification.

2. Authentication.

3. Data integrity.

4. Non-repudiation.

27 / 30

27. Which of the following route attributes must be equal for static routes to be eligible for equal
cost multipath (ECMP) routing? (Choose two.)

1. Priority

2. Distance

3. Metric

4. Cost

28 / 30

28. Which of the following statements are best practices for troubleshooting FSSO? (Choose two.)

1. . Extend timeout timers.

2. Guarantee at least 34 Kbps bandwidth between FortiGate and domain controllers.

3. Include the group of guest users in a policy.

4. Ensure all firewalls allow the FSSO required ports.

29 / 30

29. Which statements best describe auto discovery VPN (ADVPN). (Choose two.)

1. ADVPN is only supported with IKEv2.

2. . It requires the use of dynamic routing protocols so that spokes can learn the routes to other spokes.

3. Tunnels are negotiated dynamically between spokes.

4. Every spoke requires a static tunnel to be configured to other spokes so that phase 1 and phase 2 proposals are defined in advance.

30 / 30

30. Which Statements about virtual domains (VDOMs) arc true? (Choose two.)

1. Transparent mode and NAT/Route mode VDOMs cannot be combined on the same FortiGate.

2. Each VDOM has its own routing table.

3. Different VLAN sub-interface of the same physical interface can be assigned to different VDOMs.

4. Each VDOM can be configured with different system hostnames.

Your score is

LinkedIn Facebook Twitter VKontakte

0 votes, 0 avg

Created by

Md Hedaet Shake

NSE4 Valid Dumps

1 / 184

1. Examine the routing database shown in the exhibit, and then answer the following question:

Which of the following statements are correct? (Choose two.)

1. The port3 default route has the highest distance.

2. The port1 and port2 default routes are active in the routing table.

3. The port3 default route has the lowest metric.

4. There will be eight routes active in the routing table.

2 / 184

2. Refer to the exhibit.

Which contains a Performance SLA configuration.
An administrator has configured a performance SLA on FortiGate.
Which failed to generate any traffic.
Why is FortiGate not generating any traffic for the performance SLA?

1. There may not be a static route to route the performance SLA traffic.

2. You need to turn on the Enable probe packets switch.

3. The Ping protocol is not supported for the public servers that are configured.

4. Participants configured are not SD-WAN members.

3 / 184

3. Refer to the exhibit.

Review the Intrusion Prevention System (IPS) profile signature settings.
Which statement is correct in adding the FTP.Login.Failed signature to the IPS sensor profile?

1. Traffic matching the signature will be allowed and logged.

2. The signature setting includes a group of other signatures

3. The signature setting uses a custom rating threshold.

4. Traffic matching the signature will be silently dropped and logged.

4 / 184

4. Which two statements are true about collector agent standard access mode? (Choose two.)

1. Standard access mode supports nested groups.

2. Standard mode uses Windows convention-NetBios: Domain\Username

3. Standard mode security profiles apply to user groups.

4. Standard mode security profiles apply to organizational units (OU).

5 / 184

5. Which statement regarding the firewall policy authentication timeout is true?

1. It is a hard timeout. The FortiGate removes the temporary policy for a user’s source MAC address after this timer has expired.

2. It is a hard timeout. The FortiGate removes the temporary policy for a user’s source IP address after this timer has expired.

3. It is an idle timeout. The FortiGate considers a user to be “idle” if it does not see any packets coming from the user’s source MAC.

4. It is an idle timeout. The FortiGate considers a user to be “idle” if it does not see any packets coming from the user’s source IP.

6 / 184

6. Examine this output from a debug flow:

Why did the FortiGate drop the packet?

1. It matched an explicitly configured firewall policy with the action DENY.

2. The next-hop IP address is unreachable.

3. It matched the default implicit firewall policy.

4. . It failed the RPF check.

7 / 184

7. Which two VDOMs are the default VDOMs created when FortiGate is set up in split VDOM mode?
(Choose two.)

1. FG-traffic

2. Mgmt

3. Root

4. FG-Mgmt

8 / 184

8. Examine the two static routes shown in the exhibit, then answer the following question.

Which of the following is the expected FortiGate behavior regarding these two routes to the same
destination?

1. FortiGate will load balance all traffic across both routes.

2. FortiGate will use the port1 route as the primary candidate.

3. FortiGate will only actuate the port1 route in the routing table

4. FortiGate will route twice as much traffic to the port2 route

9 / 184

9. An administrator is running the following sniffer command:
diagnose aniffer packer any "host 192.168.2.12" 5
Which three pieces of Information will be Included in me sniffer output? {Choose three.)

1. Application header

2. IP header

3. Ethernet header

4. Interface name

5. Packet payload

10 / 184

10. Which two settings can be separately configured per VDOM on a FortiGate device? (Choose two.)

1. FortiGuaid update servers

2. NGFW mode

3. Operating mode

4. System time

11 / 184

11. Examine the two static routes shown in the exhibit, then answer the following question.

Which of the following is the expected FortiGate behavior regarding these two routes to the same
destination?

1. FortiGate will load balance all traffic across both routes.

2. FortiGate will route twice as much traffic to the port2 route

3. . FortiGate will only actuate the port1 route in the routing table

4. FortiGate will use the port1 route as the primary candidate.

12 / 184

12. company needs to provide SSL VPN access to two user groups. The company also needs to display different welcome messages on the SSL VPN login screen for both user groups.
What is required in the SSL VPN configuration to meet these requirements?

1. Different SSL VPN realms for each group.

2. Two separate SSL VPNs in different interfaces mapping the same ssl.root.

3. Different virtual SSL VPN IP addresses for each group.

4. Two firewall policies with different captive portals.

13 / 184

13. The HTTP inspection process in web filtering follows a specific order when multiple features are
enabled in the web filter profile.

What order must FortiGate use when the web filter profile has features enabled, such as safe search?

1. Static URL filter, FortiGuard category filter, and advanced filters

2. FortiGuard category filter and rating filter

3. DNS-based web filter and proxy-based web filter

4. Static domain filter, SSL inspection filter, and external connectors filters

14 / 184

14. An administrator observes that the port1 interface cannot be configured with an IP address.
What can be the reasons for that? (Choose three.)

1. The interface is a member of a virtual wire pair.

2. The interface has been configured for one-arm sniffer.

3. The interface is a member of a zone.

4. The operation mode is transparent.

5. Captive portal is enabled in the interface.

15 / 184

15. Refer to the exhibit.

The exhibit shows a CLI output of firewall policies, proxy policies, and proxy addresses.
How does FortiGate process the traffic sent to http://www.fortinet.com?

16 / 184

16. To complete the final step of a Security Fabric configuration, an administrator must authorize all the
devices on which device?

1. FortiAnalyzer

2. Downstream FortiGate

3. Root FortiGate

4. FortiManager

17 / 184

17. A network administrator has enabled SSL certificate inspection and antivirus on FortiGate detects the virus and blocks the file. When downloading the same file that's be downloaded.

What is the reason for the felled virus detection by FortiGate?

1. Application control as not enabled

2. Antivirus profile configuration is incorrect

3. SSL/SSH inspection profile is incorrect

4. Antivirus definitions are not up to date

18 / 184

18. Which three statements about security associations (SA) in IPsec are correct? (Choose three.)

1. Both the phase 1 SA and phase 2 SA are bidirectional.

2. Phase 2 SA expiration can be time-based, volume-based, or both.

3. An SA never expires.

4. A phase 1 SA is bidirectional, while a phase 2 SA is directional.

5. Phase 2 SAs are used for encrypting and decrypting the data exchanged through the tunnel.

19 / 184

19. How does FortiGate verify the login credentials of a remote LDAP user?

1. FortiGate sends the user-entered credentials to the LDAP server for authentication.

2. FortiGate regenerates the algorithm based on the login credentials and compares it to the algorithm stored on the LDAP server.

3. FortiGate queries its own database for credentials.

4. FortiGate queries the LDAP server for credentials.

20 / 184

20. An administrator has configured a route-based IPsec VPN between two FortiGate devices.
Which statement about this IPsec VPN configuration is true?

1. A virtual IPsec interface is automatically created after the phase 1 configuration is completed

2. A phase 2 configuration is not required.

3. The IPsec firewall policies must be placed at the top of the list.

4. This VPN cannot be used as part of a hub-and-spoke topology.

21 / 184

21. When a firewall policy is created, which attribute is added to the policy to support recording logs to a
FortiAnalyzer or a FortiManager and improves functionality when a FortiGate is integrated with these
devices?

1. Policy ID

2. Sequence ID

3. Log ID

4. Universally Unique Identifier

22 / 184

22. Consider the topology:
Application on a Windows machine <--{SSL VPN} -->FGT--> Telnet to Linux server.
An administrator is investigating a problem where an application establishes a Telnet session to a Linux
server over the SSL VPN through FortiGate and the idle session times out after about 90 minutes. The
administrator would like to increase or disable this timeout.
The administrator has already verified that the issue is not caused by the application or Linux server. This
issue does not happen when the application establishes a Telnet connection to the Linux server directly
on the LAN.
What two changes can the administrator make to resolve the issue without affecting services running
through FortiGate? (Choose two.)

1. Set the maximum session TTL value for the TELNET service object

2. Create a new service object for TELNET and set the maximum session TTL.

3. Create a new firewall policy and place it above the existing SSLVPN policy for the SSL VPN traffic, and set the new TELNET service object in the policy

4. Set the session TTL on the SSLVPN policy to maximum, so the idle session timeout will not happen after 90 minutes.

23 / 184

23. Which of the following statements about backing up logs from the CLI and downloading logs from the GUI
are true? (Choose two.)

1. Log downloads from the GUI are limited to the current filter view

2. Log backups from the CLI can be configured to upload to FTP as a scheduled time

3. Log downloads from the GUI are stored as LZ4 compressed files.

4. Log backups from the CLI cannot be restored to another FortiGate.

24 / 184

24. When browsing to an internal web server using a web-mode SSL VPN bookmark, which IP address is
used as the source of the HTTP request?

1. remote user’s public IP address

2. The remote user’s virtual IP address.

3. The public IP address of the FortiGate device.

4. The internal IP address of the FortiGate device

25 / 184

25. Which downstream FortiGate VOOM is used to join the Security Fabric ?

1. Root VDOOM

2. Customer VOOM

3. FG-traffic VDOM

4. Global VDOM

26 / 184

26. An administrator Is configuring an IPsec VPN between site A and site
B. The Remote Gateway setting in both sites has been configured as Static IP Address. For site
A. the local quick mode selector is 192.160.1.0/24 and the remote quick mode selector is 192.168.2.0/24.
Which subnet must the administrator configure for the local quick mode selector for site B?

1. 192.168.0.0/24

2. 92.168.1.0/24

3. 192.168.2.0/24

4. 192.168.3.0/24

27 / 184

27. Which CLI command allows administrators to troubleshoot Layer 2 issues, such as an IP address
conflict?

1. get system status

2. get system arp

3. diagnose sys top

4. get system performance status

28 / 184

28. Which of the following statements correctly describes FortiGates route lookup behavior when
searching for a suitable gateway? (Choose two)

1. Lookup is done on the first packet from the session originator

2. Lookup is done on every packet, regardless of direction

3. Lookup is done on the last packet sent from the responder

4. Lookup is done on the trust reply packet from the responder

29 / 184

29. Refer to the web filter raw logs.

Based on the raw logs shown in the exhibit, which statement is correct?

1. Access to the social networking web filter category was explicitly blocked to all users

2. The action on firewall policy ID 1 is set to warning

3. Social networking web filter category is configured with the action set to authenticate

4. The name of the firewall policy is all_users_web.

30 / 184

30. Which of statement is true about SSL VPN web mode?

1. The tunnel is up while the client is connected.

2. It assigns a virtual IP address to the client

3. The external network application sends data through the VPN.

4. It supports a limited number of protocols.

31 / 184

31. An administrator has configured two-factor authentication to strengthen SSL VPN access.
Which additional best practice can an administrator implement?

1. Configure host check.

2. Configure Source IP Pools.

3. Configure different SSL VPN realms.

4. Configure split tunneling in tunnel mode

32 / 184

32. Which two statements ate true about the Security Fabric rating? (Choose two.)

1. The Security Fabric rating is a free service that comes bundled with alt FortiGate devices.

2. It provides executive summaries of the four largest areas of security focus.

3. Many of the security issues can be fixed immediately by click ng Apply where available

4. The Security Fabric rating must be run on the root FortiGate device in the Security Fabric

33 / 184

33. Which three methods are used by the collector agent for AD polling? (Choose three.)

1. Novell API

2. FortiGate polling

3. NetAPI

4. WMI

5. WinSecLog

34 / 184

34. Which two statements are correct regarding FortiGate HA cluster virtual IP addresses? (Choose two.)

1. Virtual IP addresses are used to distinguish between cluster members.

2. A change in the virtual IP address happens when a FortiGate device joins or leaves the cluster.

3. The primary device in the cluster is always assigned IP address 169.254.0.1.

4. Heartbeat interfaces have virtual IP addresses that are manually assigned.

35 / 184

35. Why must you use aggressive mode when a local FortiGate IPSec gateway hosts multiple
dialup tunnels?

1. Main mode does not support XAuth for user authentication.

2. FortiGate is able to handle NATed connections only in aggressive mode.

3. . In aggressive mode, the remote peers are able to provide their peer IDs in the first message.

4. FortiClient only supports aggressive mode.

36 / 184

36. Which statements best describe auto discovery VPN (ADVPN). (Choose two.)

1. Tunnels are negotiated dynamically between spokes.

2. ADVPN is only supported with IKEv2.

3. It requires the use of dynamic routing protocols so that spokes can learn the routes to other spokes

4. Every spoke requires a static tunnel to be configured to other spokes so that phase 1 and phase 2 proposals are defined in advance.

37 / 184

37. Which configuration objects can be selected for the Source field of a firewall policy? (Choose
two.)

1. User or user group

2. FQDN address

3. IP Pool

4. Firewall service

38 / 184

38. Which statement is true regarding the policy ID number of a firewall policy?

1. Represents the number of objects used in the firewall policy.

2. Defines the order in which rules are processed.

3. Changes when firewall policies are reordered.

4. Required to modify a firewall policy using the CLI.

39 / 184

39. A FortiGate is operating in NAT mode and configured with two virtual LAN (VLAN) sub interfaces added
to the physical interface.
Which statements about the VLAN sub interfaces can have the same VLAN ID, only if they have IP
addresses in different subnets.

1. The two VLAN sub interfaces can have the same VLAN ID, only if they have IP addresses in different subnets.

2. The two VLAN sub interfaces must have different VLAN IDs.

3. The two VLAN sub interfaces can have the same VLAN ID, only if they have IP addresses in the same subnet.

4. The two VLAN sub interfaces can have the same VLAN ID, only if they belong to different VDOMs.

40 / 184

40. Which statement about DLP on FortiGate is true?

1. It can be applied to a firewall policy in a flow-based VDOM

2. Traffic shaping can be applied to DLP sensors.

3. It can archive files and messages.

4. Files can be sent to FortiSandbox for detecting DLP threats.

41 / 184

41. Refer to the exhibit
The exhibit shower the IPS sensor configuration.
If traffic matches this IPS sensor, which two actions is the sensor expected to take? (Choose two).

1. The sensor will gather a packet log for all matched traffic.

2. The sensor will allow attackers matching the NTP>Spoofed.KoD.DoS signature.

3. The sensor will block all attacks aimed at Windows server.

4. The sensor will reset all connections that match these signatures.

42 / 184

42. Which two inspection modes can you use to configure a firewall policy on a profile-based next-generate?

1. Certificate Inspection

2. Full Content lnspection

3. Proxy-based inspection

4. Flow-based inspection

43 / 184

43. Which of the following statements are best practices for troubleshooting FSSO? (Choose two.)

1. Include the group of guest users in a policy.

2. . Extend timeout timers.

3. Guarantee at least 34 Kbps bandwidth between FortiGate and domain controllers.

4. Ensure all firewalls allow the FSSO required ports.

44 / 184

44. Refer to the exhibit.

Based on the administrator profile settings, what permissions must the administrator set to run the
diagnose firewall auth list CLI command on FortiGate?

1. Read/Write permission for Firewall

2. Read/Write permission for Log & Report

3. CLI diagnostics commands permission

4. Custom permission for Network

45 / 184

45. Which of the following statements about central NAT are true? (Choose two.)

1. Source NAT, using central NAT, requires at least one central SNAT policy.

2. IP tool references must be removed from existing firewall policies before enabling central NAT.

3. Central NAT can be enabled or disabled from the CLI only.

4. Destination NAT, using central NAT, requires a VIP object as the destination address in a firewall.

46 / 184

46. Which scanning technique on FortiGate can be enabled only on the CLI?

1. Heuristics scan

2. Trojan scan

3. Ransomware scan

4. Antivirus scan

47 / 184

47. Examine this PAC file configuration

Which of the following statements are true? (Choose two.)

1. Browsers can be configured to retrieve this PAC file from the FortiGate

2. Any web request fortinet.com is allowed to bypass the proxy.

3. Any web request to the 172.25.120.0/24 subnet is allowed to bypass the proxy.

4. All requests not made to Fortinet.com or the 172.25.120.0/24 subnet, have to go through altproxy.corp.com: 8060.

48 / 184

48. Refer to the exhibit.

The global settings on a FortiGate device must be changed to align with company security policies.
What does the Administrator account need to access the FortiGate global settings?
A. Change password

1. Enable restrict access to trusted hosts

2. Enable two-factor authentication

3. Change Administrator profile

4. Change password

49 / 184

49. 61.Which two attributes are required on a certificate so it can be used as a CA certificate on SSL Inspection? (Choose two.)

1. The issuer must be a public CA.

2. The CA extension must be set to TRUE.

3. The common name on the subject field must use a wildcard name

4. The keyUsage extension must be set to keyCertSign.

50 / 184

50. In a high availability (HA) cluster operating in active-active mode, which of the following
correctly describes the path taken by the SYN packet of an HTTP session that is offloaded to a
secondary FortiGate?

1. Client > secondary FortiGate> web server.

2. Clinet >secondary FortiGate> primary FortiGate> web server.

3. Client > primary FortiGate> secondary FortiGate> primary FortiGate> web server.

4. Client> primary FortiGate> secondary FortiGate> web server.

51 / 184

51. Refer to the exhibits.

The exhibits show the SSL and authentication policy (Exhibit A) and the security policy (Exhibit B) tor
Facebook.
Users are given access to the Facebook web application. They can play video content hosted on
Facebook but they are unable to leave reactions on videos or other types of posts.
Which part of the policy configuration must you change to resolve the issue?

1. Additional application signatures are required to add to the security policy.

2. The SSL inspection needs to be a deep content inspection.

3. Force access to Facebook using the HTTP service.

4. Add Facebook in the URL category in the security policy.

52 / 184

52. Refer to the exhibits to view the firewall policy (Exhibit A) and the antivirus profile (Exhibit B).

Which statement is correct if a user is unable to receive a block replacement message when downloading
an infected file for the first time?

1. The volume of traffic being inspected is too high for this model of FortiGate.

2. The intrusion prevention security profile needs to be enabled when using flow-based inspection mode

3. The flow-based inspection is used, which resets the last packet to the user.

4. The firewall policy performs the full content inspection on the file.

53 / 184

53. Which of the following statements about NTLM authentication are correct? (Choose two.)

1. NTLM-enabled web browsers are required.

2. . It takes over as the primary authentication method when configured alongside FSSO.

3. Multi-domain environments require DC agents on every domain controller.

4. It is useful when users log in to DCs that are not monitored by a collector agent.

54 / 184

54. Examine this output from a debug flow:

Why did the FortiGate drop the packet?

1. The next-hop IP address is unreachable.

2. It matched an explicitly configured firewall policy with the action DENY.

3. It failed the RPF check

4. It matched the default implicit firewall policy.

55 / 184

55. Which two policies must be configured to allow traffic on a policy-based next-generation firewall
(NGFW) FortiGate? (Choose two.)

1. Firewall policy

2. SSL inspection and authentication policy

3. Policy rule

4. Security policy

56 / 184

56. Refer to the exhibit, which contains a session diagnostic output.

Which statement is true about the session diagnostic output?

1. The session is in TCP ESTABLISHED state

2. The session is a bidirectional TCP connection

3. The session is a UDP unidirectional state.

4. The session is a bidirectional UDP connection

57 / 184

57. Which statements best describe auto discovery VPN (ADVPN). (Choose two.)

1. ADVPN is only supported with IKEv2.

2. Every spoke requires a static tunnel to be configured to other spokes so that phase 1 and phase 2 proposals are defined in advance.

3. . It requires the use of dynamic routing protocols so that spokes can learn the routes to other spokes.

4. Tunnels are negotiated dynamically between spokes.

58 / 184

58. Which two statements are true about the RPF check? (Choose two.)

1. The RPF check is run on the first reply packet of any new session

2. RPF is a mechanism that protects FortiGuard and your network from IP spoofing attacks

3. The RPF check is run on the first sent packet of any new session

4. The RPF check is run on the first sent and reply packet of any new session.

59 / 184

59. During the digital verification process, comparing the original and fresh hash results satisfies
which security requirement?

1. Authentication.

2. Signature verification.

3. Data integrity.

4. Non-repudiation.

60 / 184

60. If traffic matches a DLP filter with the action set to Quarantine IP Address, what action does
FortiGate take?

1. It provides a DLP block replacement page with a link to download the file.

2. It blocks all future traffic for that IP address for a configured interval.

3. It notifies the administrator by sending an email.

4. It archives the data for that IP address.

61 / 184

61. Refer to the exhibits.

Exhibit A shows system performance output. Exhibit B shows a FortiGate configured with the default
configuration of high memory usage thresholds.
Based on the system performance output, which two statements are correct? (Choose two.)

1. Administrators can access FortiGate only through the console port.

2. FortiGate has entered conserve mode.

3. FortiGate will start sending all files to FortiSandbox for inspection.

4. Administrators cannot change the configuration

62 / 184

62. Which three statements are true regarding session-based authentication? (Choose three.)

1. IP sessions from the same source IP address are treated as a single user

2. It is not recommended if multiple users are behind the source NAT

3. It requires more resources.

4. It can differentiate among multiple clients behind the same source IP address.

5. HTTP sessions are treated as a single user.

63 / 184

63. Refer to the exhibit.

The exhibit displays the output of the CLI command: diagnose sys ha dump-by vcluster.
Which two statements are true? (Choose two.)

1. FortiGate devices are not in sync because one device is down.

2. FortiGate SN FGVM010000064692 has the higher HA priority.

3. FortiGate SN FGVM010000065036 HA uptime has been reset.

4. FortiGate SN FGVM010000064692 is the primary because of higher HA uptime

64 / 184

64. Which two statements are correct about NGFW Policy-based mode? (Choose two)

1. NGFN policy-based mode can only be applied globally and not.

2. NGFW policy-based mode does not require the use of central source NAT

3. NGFW policy-based mode policies support only flow inspection

4. NGFW policy-based mode supports creating applications and webfilter

65 / 184

65. Which statement about the policy ID number of a firewall policy is true?

1. It defines the order in which rules are processed.

2. It represents the number of objects used in the firewall policy.

3. It is required to modify a firewall policy using the CLI.

4. It changes when firewall policies are reordered.

66 / 184

66. Which two protocol options are available on the CLI but not on the GUI when configuring an SD-WAN
Performance SLA? (Choose two.)

1. udp-echo

2. DNS

3. ping

4. TWAMP

67 / 184

67. D18912E1457D5D1DDCBD40AB3BF70D5D
What is the effect of enabling auto-negotiate on the phase 2 configuration of an IPsec tunnel?

1. FortiGate automatically negotiates different encryption and authentication algorithms with the remote peer.

2. FortiGate automatically negotiates different local and remote addresses with the remote peer.

3. FortiGate automatically negotiates a new security association after the existing security association expires.

4. FortiGate automatically brings up the IPsec tunnel and keeps it up, regardless of activity on the IPsec tunnel.

68 / 184

68. An administrator has configured a strict RPF check on FortiGate.
Which statement is true about the strict RPF check?

1. Strict RPF checks only for the existence of at cast one active route back to the source using the incoming interface.

2. Strict RPF allows packets back to sources with all active routes.

3. Strict RPF checks the best route back to the source using the incoming interface

4. The strict RPF check is run on the first sent and reply packet of any new session.

69 / 184

69. What types of traffic and attacks can be blocked by a web application firewall (WAF) profile? (Choose
three.)

1. SQL injection attacks

2. Traffic to inappropriate web sites

3. Traffic to botnetservers

4. Credit card data leaks

5. Server information disclosure attacks

70 / 184

70. An administrator has configured the following settings:

What are the two results of this configuration? (Choose two.)

1. A session for denied traffic is created.

2. Device detection on all interfaces is enforced for 30 minutes

3. The number of logs generated by denied traffic is reduced.

4. Denied users are blocked for 30 minutes

71 / 184

71. Which of the following services can be inspected by the DLP profile? (Choose three.)

1. FTP

2. NFS

3. CIFS

4. HTTP-POST

5. IMAP

72 / 184

72. In consolidated firewall policies, IPv4 and IPv6 policies are combined in a single consolidated policy.
Instead of separate policies.
Which three statements are true about consolidated IPv4 and IPv6 policy configuration? (Choose three.)

1. The policy table in the GUI will be consolidated to display policies with IPv4 and IPv6 sources and destinations.

2. The Incoming Interface. Outgoing Interface. Schedule, and Service fields can be shared with both IPv4 and IPv6.

3. The IP version of the sources and destinations in a policy must match.

4. The policy table in the GUI can be filtered to display policies with IPv4, IPv6 or IPv4 and IPv6 sources and destinations.

5. The IP version of the sources and destinations in a firewall policy must be different.

73 / 184

73. If Internet Service is already selected as Source in a firewall policy, which other configuration objects can
be added to the Source filed of a firewall policy?

1. IP address

2. FQDN address

3. User or User Group

4. Once Internet Service is selected, no other object can be added

74 / 184

74. View the exhibit.

A user behind the FortiGate is trying to go to http://www.addictinggames.com (Addicting Games). Based
on this configuration, which statement is true?

1. Addcting.Games is allowed based on the Categories configuration

2. Addicting.Games is blocked on the Filter Overrides configuration.

3. Addicting.Games is allowed based on the Application Overrides configuration

4. Addicting.Games can be allowed only if the Filter Overrides actions is set to Exempt

75 / 184

75. An administrator does not want to report the logon events of service accounts to FortiGate.
What setting on the collector agent is required to achieve this?

1. Add user accounts to the Ignore User List.

2. Add user accounts to Active Directory (AD).

3. Add user accounts to the FortiGate group fitter

4. Add the support of NTLM authentication.

76 / 184

76. How do you format the FortiGate flash disk?

1. Execute the CLI command execute formatlogdisk

2. Load the hardware test (HQIP) image

3. Select the format boot device option from the BIOS menu.

4. Load a debug FortiOS image

77 / 184

77. How can you block or allow to Twitter using a firewall policy?

1. Configure the Source field as Internet Service objects for Twitter.

2. . Configure the Action field as Learn and select Twitter.

3. Configure the Service field as Internet Service objects for Twitter.

4. Configure the Destination field as Internet Service objects for Twitter.

78 / 184

78. Which statement correctly describes NetAPI polling mode for the FSSO collector agent?

1. The collector agent must search security event logs.

2. NetAPI polling can increase bandwidth usage in large networks.

3. The NetSessionEnum function is user] to track user logouts

4. The collector agent uses a Windows API to query DCs for user logins.

79 / 184

79. FortiGuard categories can be overridden and defined in different categories override must be configured using a specific syntax.

Which two syntaxes are correct to configure web rating override for the

1. www.example.com

2. example.com

3. www.example.com:443

4. www.example.com/index.html

80 / 184

80. 141.Which three criteria can a FortiGate use to look for a matching firewall policy to process traffic?
(Choose three.)

1. Highest to lowest priority defined in the firewall policy.

2. Destination defined as Internet Services in the firewall policy.

3. Lowest to highest policy ID number.

4. Source defined as Internet Services in the firewall policy.

5. Services defined in the firewall policy.

81 / 184

81. What is the limitation of using a URL list and application control on the same firewall policy,
in NGFW policy-based mode?

1. It limits the scope of application control to scan application traffic using parent signatures only

2. It limits the scope of application control to scan application traffic based on application category only.

3. It limits the scope of application control to scan application traffic on DNS protocol only.

4. It limits the scope of application control to the browser-based technology category only.

82 / 184

82. Examine this FortiGate configuration:

How does the FortiGate handle web proxy traffic coming from the IP address 10.2.1.200 that requires
authorization?

1. It always authorizes the traffic without requiring authentication.

2. It authenticates the traffic using the authentication scheme SCHEME2.

3. It authenticates the traffic using the authentication scheme SCHEME1

4. It drops the traffic.

83 / 184

83. What is the limitation of using a URL list and application control on the same firewall policy, in NGFW
policy-based mode?

1. It limits the scope of application control to scan application traffic using parent signatures only

2. It limits the scope of application control to scan application traffic based on application category only.

3. It limits the scope of application control to the browser-based technology category only.

4. It limits the scope of application control to scan application traffic on DNS protocol only.

84 / 184

84. Refer to the exhibit to view the firewall policy.

Which statement is correct if well-known viruses are not being blocked?

1. The action on the firewall policy must be set to deny.

2. Web filter should be enabled on the firewall policy to complement the antivirus profile.

3. The firewall policy does not apply deep content inspection.

4. The firewall policy must be configured in proxy-based inspection mode

85 / 184

85. Refer to the exhibit.

Given the interfaces shown in the exhibit. which two statements are true? (Choose two.)

1. port1-vlan10 and port2-vlan10 are part of the same broadcast domain

2. port1 is a native VLAN.

3. D. port1-vlan and port2-vlan1 can be assigned in the same VDOM or to different VDOMs

4. Traffic between port2 and port2-vlan1 is allowed by default.

86 / 184

86. Which Security rating scorecard helps identify configuration weakness and best practice violations in
your network?

1. Fabric Coverage

2. Optimization

3. Security Posture

4. Automated Response

87 / 184

87. NGFW mode allows policy-based configuration for most inspection rules.
Which security profile’s configuration does not change when you enable policy-based inspection?

1. Web filtering

2. Application control

3. Web proxy

4. Antivirus

88 / 184

88. Refer to the exhibit.

The exhibit contains a network diagram, firewall policies, and a firewall address object configuration.
An administrator created a Deny policy with default settings to deny Webserver access for Remote-user2.
Remote-user2 is still able to access Webserver.
Which two changes can the administrator make to deny Webserver access for Remote-User2? (Choose
two.)

1. Set the Destination address as Web_server in the Deny policy

2. Enable match vip in the Deny policy.

3. Disable match-vip in the Deny policy.

4. Set the Destination address as Deny_IP in the Allow-access policy

89 / 184

89. Which security feature does FortiGate provide to protect servers located in the internal networks from
attacks such as SQL injections?

1. Antivirus

2. Web application firewall

3. Denial of Service

4. Application control

90 / 184

90. Refer to the exhibit.

The exhibit contains a network interface configuration, firewall policies, and a CLI console configuration.
How will FortiGate handle user authentication for traffic that arrives on the LAN interface?

1. If there is a full-through policy in place, users will not be prompted for authentication.

2. Authentication is enforced at a policy level; all users will be prompted for authentication.

3. Users from the HR group will be prompted for authentication and can authenticate successfully with the correct credentials

4. Users from the Sales group will be prompted for authentication and can authenticate successfully with the correct credentials.

91 / 184

91. Examine this FortiGate configuration

Based on the diagnostic outputs above, how is the FortiGate handling the traffic for new sessions that
require inspection?

1. It is allowed and inspected as long as the inspection is flow based

2. It is allowed and inspected, as long as the only inspection required is antivirus

3. It is dropped

4. It is allowed, but with no inspection

92 / 184

92. Which of the following features is supported by web filter in flow-based inspection mode
with NGFW mode set to profile-based?

1. Search engines

2. FortiGuard Quotas

3. Static URL

4. Rating option

93 / 184

93. You have enabled logging on your FortiGate device for Event logs and all Security logs, and you have set
up logging to use the FortiGate local disk.

What is the default behavior when the local disk is full?

1. Logs are overwritten and the only warning is issued when log disk usage reaches the threshold of 95%.

2. No new log is recorded after the warning is issued when log disk usage reaches the threshold of 95%.

3. No new log is recorded until you manually clear logs from the local disk.

4. Logs are overwritten and the first warning is issued when log disk usage reaches the threshold of 75%.

94 / 184

94. Which statements are true regarding firewall policy NAT using the outgoing interface IP address with
fixed port disabled? (Choose two.)

1. This is known as many-to-one NAT.

2. Port address translation is not use

3. Connections are tracked using source port and source MAC address.

4. Source IP is translated to the outgoing interface IP.

95 / 184

95. By default, FortiGate is configured to use HTTPS when performing live web filtering with FortiGuard
servers.
Which two CLI commands will cause FortiGate to use an unreliable protocol to communicate with FortiGuard servers for live web filtering? (Choose two.)

1. set protocol udp

2. set fortiguard anycast disable

3. set webfilter-force-off disable

4. set webfilter-cache disable

96 / 184

96. Refer to the exhibit, which contains a static route configuration

An administrator created a static route for Amazon Web Services.
What CLI command must the administrator use to view the route?

1. get router info routing-table all

2. diagnose firewall proute list

3. get router info routing-table datab

4. get internet service route list

97 / 184

97. Examine the exhibit, which contains a virtual IP and firewall policy configuration.

The WAN (port1) interface has the IP address 10.200.1.1/24. The LAN (port2) interface has the IP
address 10.0.1.254/24.
The first firewall policy has NAT enabled on the outgoing interface address. The second firewall policy is
configured with a VIP as the destination address.
Which IP address will be used to source NAT the Internet traffic coming from a workstation with the IP address 10.0.1.10/24?

1. 10.200.1.10

2. 10.200.1.1

3. 0.0.1.254

4. Any available IP address in the WAN (port1) subnet 10.200.1.0/24

98 / 184

98. Which two protocols are used to enable administrator access of a FortiGate device? (Choose two.)

1. FTM

2. HTTPS

3. SSH

4. FortiTelemetry

99 / 184

99. Examine the IPS sensor and DoS policy configuration shown in the exhibit, then answer the question
below.

When detecting attacks, which anomaly, signature, or filter will FortiGate evaluate first?

1. ip_src_session

2. SMTP.Login.Brute.Force

3. IMAP.Login.brute.Force

4. Location: server Protocol: SMTP

100 / 184

100. An organization’s employee needs to connect to the office through a high-latency internet connection.
Which SSL VPN setting should the administrator adjust to prevent the SSL VPN negotiation failure?

1. Change the login timeout

2. Change the session-ttl.

3. Change the udp idle timer.

4. Change the idle-timeout.

101 / 184

101. Refer to the exhibit.

According to the certificate values shown in the exhibit, which type of entity was the certificate issued to?

1. A bridge CA

2. A subordinate

3. A root CA

4. A user

102 / 184

102. Refer to the exhibit

Given the routing database shown in the exhibit, which two statements are choose.

1. There will be eight routes active in the routing table

2. The port3 default route has the highest distance

3. The port1 and port2 default routes are act1ve in the routing table

4. The port3 default route has the lowest metric

103 / 184

103. Which of the following SD-WAN load –balancing method use interface weight value to distribute traffic? (Choose two.)

1. Session

2. Source IP

3. Spillover

4. Volume

104 / 184

104. An administrator wants to configure timeouts for users Regardless of the user's behavior, the timer should start and expire after the configured value.
Which timeout option should be configured on FortiGate?

1. Idle timeout

2. New-session

3. Soft-timeout

4. Auth-on-demand

5. Hard-timeout

105 / 184

105. View the exhibit.

Which of the following statements are correct? (Choose two.)

1. This setup requires at least two firewall policies with the action set to IPsec.

2. This is a redundant IPsec setup.

3. The TunnelB route is the primary route for reaching the remote site. The TunnelA route is used only if the TunnelB VPN is down.

4. Dead peer detection must be disabled to support this type of IPsec setup.

106 / 184

106. A network administrator is configuring a new IPsec VPN tunnel on FortiGate. The remote peer IP address
is dynamic, in addition, the remote peer does not support a dynamic DNS update service.
What type of remote gateway should tie administrator configure on FortiGate for the new IPsec VPN tunnel
to work?

1. Dialup User

2. Static IP Address

3. Pre-shared Key

4. Dynamic DNS

107 / 184

107. How does FortiGate act when using SSL VPN in web mode?

1. FortiGate acts as an HTTP reverse proxy.

2. FortiGate acts as DNS server

3. FortiGate acts as an FDS server.

4. FortiGate acts as router.

108 / 184

108. In an explicit proxy setup, where is the authentication method and database configured?

1. Proxy Policy

2. Authentication Rule

3. Firewall Policy

4. Authentication scheme

109 / 184

109. The exhibit contains the configuration for an SD-WAN Performance SLA, as well as the output of
diagnose sys virtual-wan-link health-check.
Which interface will be selected as an outgoing interface?

1. port4

2. port3

3. port2

4. port1

110 / 184

110. Which two statements are correct about a software switch on FortiGate?

1. It can group only physical Interfaces.

2. It can be configured only when FortlGate is operating in NAT mode.

3. All interfaces in the software switch share the same IP address.

4. Can act as a Layer 2 switch as well as a Layer 3 router.

111 / 184

111. Refer to the exhibit to view the application control profile.

Users who use Apple FaceTime video conferences are unable to set up meetings.
In this scenario, which statement is true?

1. The category of Apple FaceTime is being blocked

2. The category of Apple FaceTime is being monitored.

3. Apple FaceTime belongs to the custom monitored filter

4. Apple FaceTime belongs to the custom blocked filter.

112 / 184

112. Which of the following conditions must be met in order for a web browser to trust a web server certificate
signed by a third-party CA?

1. The private key of the CA certificate that signed the browser certificate must be installed on the browser.

2. The public key of the web server certificate must be installed on the browser.

3. The web-server certificate must be installed on the browser.

4. The CA certificate that signed the web-server certificate must be installed on the browser.

113 / 184

113. A network administrator wants to set up redundant IPsec VPN tunnels on FortiGate by using two IPsec

VPN tunnels and static routes.
* All traffic must be routed through the primary tunnel when both tunnels are up
* The secondary tunnel must be used only if the primary tunnel goes down
* In addition, FortiGate should be able to detect a dead tunnel to speed up tunnel failover
Which two key configuration changes are needed on FortiGate to meet the design requirements? (Choose
two,)

1. Configure a lower distance on the static route for the primary tunnel, and a higher distance on the static route for the secondary tunnel

2. Enable Auto-negotiate and Autokey Keep Alive on the phase 2 configuration of both tunnels.

3. Enable Dead Peer Detection

4. Configure a high distance on the static route for the primary tunnel, and a lower distance on the static route for the secondary tunnel.

114 / 184

114. Which two statements about IPsec authentication on FortiGate are correct? (Choose two.)

1. A certificate is not required on the remote peer when you set the signature as the authentication method

2. FortiGate supports pre-shared key and signature as authentication methods.

3. For a stronger authentication, you can also enable extended authentication (XAuth) to request the remote peer to provide a username and password

4. Enabling XAuth results in a faster authentication because fewer packets are exchanged

115 / 184

115. Refer to the exhibit, which contains a redious server configuration.

An administration added a configuration for a new RADIUS server.
While configuring, the administrator selected the include eery user group option.

What will be the impact of include in every user group option in a RADIUS configuration?

1. This option places all FortiGate users and groups required to authenticate into the RADIUS server, which in this case is FortiAuthenticator.

2. This option places all user every RADIUS user group including groups that are used for the LDAP server on FortiGate.

3. This option places the RADIUS server, and all user who can authenticate against that server into RADIUS group.

4. This option places the RADIUS server and all users who can authenticate against that server, into every FortiGate user.

116 / 184

116. Which two statements are true about the FGCP protocol? (Choose two.)

1. Runs only over the heartbeat links

2. Elects the primary FortiGate device

3. Not used when FortiGate is in Transparent mode

4. Is used to discover FortiGate devices in different HA groups

117 / 184

117. If the Issuer and Subject values are the same in a digital certificate, which type of entity was the
certificate issued to?

1. A root CA

2. A subordinate CA

3. A CRL

4. A person

118 / 184

118. Which statement about the IP authentication header (AH) used by IPsec is true?

1. AH does not provide any data integrity or encryption

2. AH provides data integrity bur no encryption.

3. AH does not support perfect forward secrecy.

4. AH provides strong data integrity but weak encryption.

119 / 184

119. Which two statements about antivirus scanning mode are true? (Choose two.)

1. In flow-based inspection mode. FortiGate buffers the file, but also simultaneously transmits it to the client.

2. In proxy-based inspection mode, files bigger than the buffer size are scanned.

3. In proxy-based inspection mode, antivirus scanning buffers the whole file for scanning, before sending it to the client.

4. In flow-based inspection mode, files bigger than the buffer size are scanned.

120 / 184

120. Which of the following are purposes of NAT traversal in IPsec? (Choose two.)

1. To force a new DH exchange with each phase 2 rekey.

2. To dynamically change phase 1 negotiation mode aggressive mode.

3. To delete intermediary NAT devices in the tunnel path.

4. To encapsulation ESP packets in UDP packets using port 4500.

121 / 184

121. What is the primary FortiGate election process when the HA override setting is disabled?

1. Connected monitored ports > Priority > System uptime > FortiGate Serial number

2. Connected monitored ports > Priority > HA uptime > FortiGate Serial number

3. Connected monitored ports > System uptime > Priority > FortiGate Serial number

4. Connected monitored ports > HA uptime > Priority > FortiGate Serial number

122 / 184

122. Which Statements about virtual domains (VDOMs) arc true? (Choose two.)

1. Transparent mode and NAT/Route mode VDOMs cannot be combined on the same FortiGate.

2. Different VLAN sub-interface of the same physical interface can be assigned to different VDOMs.

3. Each VDOM has its own routing table.

4. Each VDOM can be configured with different system hostnames.

123 / 184

123. Which two statements are true when FortiGate is in transparent mode? (Choose two.)

1. The existing network IP schema must be changed when installing a transparent mode.

2. Static routes are required to allow traffic to the next hop.

3. FortiGate forwards frames without changing the MAC address

4. By default, all interfaces are part of the same broadcast domain.

124 / 184

124. Which two actions can you perform only from the root FortiGate in a Security Fabric? (Choose two.)

1. Shut down/reboot a downstream FortiGate device.

2. Log in to a downstream FortiSwitch device.

3. Disable FortiAnalyzer logging for a downstream FortiGate device

4. Ban or unban compromised hosts.

125 / 184

125. Which three statements about a flow-based antivirus profile are correct? (Choose three.)

1. Optimized performance compared to proxy-based inspection

2. IPS engine handles the process as a standalone.

3. If the virus is detected, the last packet is delivered to the client.

4. Flow-based inspection uses a hybrid of scanning modes available in proxy-based inspection.

5. FortiGate buffers the whole file but transmits to the client simultaneously.

126 / 184

126. An administrator has configured a route-based IPsec VPN between two FortiGate devices.
Which statement about this IPsec VPN configuration is true?

1. A phase 2 configuration is not required.

2. The IPsec firewall policies must be placed at the top of the list.

3. This VPN cannot be used as part of a hub-and-spoke topology.

4. A virtual IPsec interface is automatically created after the phase 1 configuration is completed.

127 / 184

127. An administrator is configuring an Ipsec between site A and siteB. The Remotes Gateway setting in both
sites has been configured as Static IP Address. For site A, the local quick mode selector is 192.16.1.0/24 and
the remote quick mode selector is 192.16.2.0/24.
How must the administrator configure the local quick mode selector for site B?

1. 192.168.1.0/24

2. 192.168.2.0/24

3. 192.168.0.0/8

4. 192.168.3.0/24

128 / 184

128. Which type of logs on FortiGate record information about traffic directly to and from the FortiGate
management IP addresses?

1. Local traffic logs

2. Forward traffic logs

3. Security logs

4. System event logs

129 / 184

129. An administrator has configured outgoing Interface any in a firewall policy.
Which statement is true about the policy list view?

1. By Sequence view will be disabled.

2. Search option will be disabled

3. Policy lookup will be disabled.

4. Interface Pair view will be disabled.

130 / 184

130. Which three CLI commands can you use to troubleshoot Layer 3 issues if the issue is in neither the
physical layer nor the link layer? (Choose three.)

1. get system arp

2. diagnose sys top

3. execute ping

4. diagnose sniffer packet any

5. execute traceroute

131 / 184

131. Which three security features require the intrusion prevention system (IPS) engine to function? (Choose
three.)

1. Web filter in flow-based inspection

2. DNS filter

3. Antivirus in flow-based inspection

4. Web application firewall

5. Application control

132 / 184

132. Refer to the exhibit.

The Root and To_Internet VDOMs are configured in NAT mode. The DMZ and Local VDOMs are
configured in transparent mode.
The Root VDOM is the management VDOM. The To_Internet VDOM allows LAN users to access internet.
The To_lnternet VDOM is the only VDOM with internet access and is directly connected to ISP modem.
Which two statements are true? (Choose two.)

1. A static route is required on the To_Internet VDOM to allow LAN users to access the internet

2. Inter-VDOM links are required to allow traffic between the Local and DMZ VDOMs.

3. Inter-VDOM links are not required between the Root and To_Internet VDOMs because the Root VDOM is used only as a management VDOM

4. Inter-VDOM links are required to allow traffic between the Local and Root VDOMs

133 / 184

133. Which statements about the firmware upgrade process on an active-active HA cluster are true?
(Choose two.)

1. Uninterruptable upgrade is enabled by default

2. The firmware image must be manually uploaded to each FortiGate.

3. load balancing is temporally disabled while upgrading the firmware.

4. Only secondary FortiGate devices are rebooted.

134 / 184

134. Which two statements are correct about SLA targets? (Choose two.)

1. SLA targets are used only when referenced by an SD-WAN rule.

2. You can configure only two SLA targets per one Performance SLA.

3. SLA targets are required for SD-WAN rules with a Best Quality strategy.

4. SLA targets are optional.

135 / 184

135. Examine the network diagram shown in the exhibit, then answer the following question:

Which one of the following routes is the best candidate route for FGT1 to route traffic from the Workstation
to the Web server?

1. 172.16.32.0/24 is directly connected, port1

2. 172.16.0.0/16 [50/0] via 10.4.200.2, port2 [5/0]

3. 10.4.200.0/30 is directly connected, port2

4. 0.0.0.0/0 [20/0] via 10.4.200.2, port2

136 / 184

136. Refer to the exhibit.

Which contains a session diagnostic output.
Which statement is true about the session diagnostic output?

1. The session is in FIN_ACK state.

2. The session is in SYN_SEXT state.

3. The session is in FTN_WAIT state.

4. The session is in ESTABLISHED state.

137 / 184

137. If the Services field is configured in a Virtual IP (VIP), which statement is true when central NAT is
used?

1. The Services field is used when you need to bundle several VIPs into VIP groups.

2. The Services field removes the requirement to create multiple VIPs for different services.

3. The Services field prevents SNAT and DNAT from being combined in the same policy.

4. The Services field prevents multiple sources of traffic from using multiple services to connect to a single computer.

138 / 184

138. Refer to the exhibit.

The exhibit contains a network diagram, virtual IP, IP pool, and firewall policies configuration.
The WAN (port1) interface has the IP address 10.200.1.1/24.
The LAN (port3) interface has the IP address 10 .0.1.254. /24.
The first firewall policy has NAT enabled using IP Pool.
The second firewall policy is configured with a VIP as the destination address.
Which IP address will be used to source NAT the internet traffic coming from a workstation with the IP
address 10.0.1.10?

1. 10.200.1.10

2. 10.200.1.1

3. 10.200.3.1

4. 10.200.1.100

139 / 184

139. Refer to the exhibit

The exhibit shows proxy policies and proxy addresses, the authentication rule and authentication scheme,
users, and firewall address.
An explicit web proxy is configured for subnet range 10.0.1.0/24 with three explicit web proxy policies.
The authentication rule is configured to authenticate HTTP requests for subnet range 10.0.1.0/24 with a
form-based authentication scheme for the FortiGate local user database.
Users will be prompted for authentication.
How will FortiGate process the traffic when the HTTP request comes from a machine with the source IP
10.0.1.10 to the destination http://www.fortinet.com? (Choose two.)

1. If a Mozilla Firefox browser is used with User-A credentials, the HTTP request will be allowed.

2. If a Mozilla Firefox browser is used with User-B credentials, the HTTP request will be allowed.

3. If a Microsoft Internet Explorer browser is used with User-B credentials, the HTTP request will be allowed.

4. If a Google Chrome browser is used with User-B credentials, the HTTP request will be allowed

140 / 184

140. Given the security fabric topology shown in the exhibit, which two statements are true? (Choose two.)

1. There are 19 security recommendations for the security fabric.

2. There are five devices that are part of the security fabric.

3. Device detection is disabled on all FortiGate devices

4. This security fabric topology is a logical topology view.

141 / 184

141. An administrator needs to strengthen the security for SSL VPN access. Which of the following
statements are best practices to do so? (Choose three.)

1. Configure split tunneling for content inspection.

2. Configure a client integrity check (host-check).

3. . Configure SSL offloading to a content processor (FortiASIC).

4. Configure two-factor authentication using security certificates.

5. Configure host restrictions by IP or MAC address.

142 / 184

142. Which certificate value can FortiGate use to determine the relationship between the issuer and the
certificate?

1. Subject Key Identifier value

2. Subject value

3. SMMIE Capabilities value

4. Subject Alternative Name value

143 / 184

143. FortiGate is configured as a policy-based next-generation firewall (NGFW) and is applying web filtering
and application control directly on the security policy.
Which two other security profiles can you apply to the security policy? (Choose two.)

1. DNS filter

2. File filter

3. Antivirus scanning

4. Intrusion prevention

144 / 184

144. Refer to the exhibit showing a debug flow output.

Which two statements about the debug flow output are correct? (Choose two.)

1. The default route is required to receive a reply.

2. A firewall policy allowed the connection.

3. A new traffic session is created

4. The debug flow is of ICMP traffic.

145 / 184

145. On a FortiGate with a hard disk, how can you upload logs to FortiAnalyzer or FortiManager?
(Choose two.)

1. real time

2. hourly

3. store-and-upload

4. on-demand

146 / 184

146. Refer to the exhibit.

A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices.
The administrator has determined that phase 1 status is up. but phase 2 fails to come up.
Based on the phase 2 configuration shown in the exhibit, what configuration change will bring phase 2
up?

1. On HQ-FortiGate, enable Diffie-Hellman Group 2

2. On HQ-FortiGate, set Encryption to AES256On HQ-FortiGate, set Encryption to AES256

3. On HQ-FortiGate, enable Auto-negotiate

4. On Remote-FortiGate, set Seconds to 43200.

147 / 184

147. Refer to the exhibit.

Based on the raw log, which two statements are correct? (Choose two.)

1. Traffic is blocked because Action is set to DENY in the firewall policy

2. Log severity is set to error on FortiGate.

3. Traffic belongs to the root VDOM.

4. This is a security log.

148 / 184

148. Which three options are the remote log storage options you can configure on FortiGate? (Choose
three.)

1. FortiSandbox

2. FortiSIEM

3. FortiAnalyzer

4. FortiCloud

5. FortiCache

149 / 184

149. Refer to the FortiGuard connection debug output.

Based on the output shown in the exhibit, which two statements are correct? (Choose two.)

1. One server was contacted to retrieve the contract information

2. There is at least one server that lost packets consecutively.

3. FortiGate is using default FortiGuard communication setting

4. A local FortiManager is one of the servers FortiGate communicates with.

150 / 184

150. Refer to the exhibit.

The exhibit contains a network diagram, central SNAT policy, and IP pool configuration.
The WAN (port1) interface has the IP address 10.200.1.1/24.
The LAN (port3) interface has the IP address 10.0.1.254/24.
A firewall policy is configured to allow to destinations from LAN (port3) to WAN (port1).

Central NAT is enabled, so NAT settings from matching Central SNAT policies will be
applied.
Which IP address will be used to source NAT the traffic, if the user on Local-Client (10.0.1.10) pings the IP
address of Remote-FortiGate (10.200.3.1)?

1. 10.200.1.49

2. 10.200.1.149

3. 10.200.1.1

4. 10.200.1.99

151 / 184

151. What files are sent to FortiSandbox for inspection in flow-based inspection mode?

1. All suspicious files that are above the defined oversize limit value in the protocol options.

2. All suspicious files that are allowed to be submitted to FortiSandbox in the antivirus profile.

3. All suspicious files that match patterns defined in the antivirus profile.

4. . All suspicious files that do not have their hash value in the FortiGuard antivirus signature database.

152 / 184

152. Which two configuration settings are synchronized when FortiGate devices are in an active-active HA
cluster? (Choose two.)

1. FortiGate hostname

2. DNS

3. NTP

4. FortiGuard web filter cache

153 / 184

153. What criteria does FortiGate use to look for a matching firewall policy to process traffic?
(Choose two.)

1. Services defined in the firewall policy.

2. . Lowest to highest policy ID number.

3. Incoming and outgoing interfaces.

4. Highest to lowest priority defined in the firewall policy.

154 / 184

154. Refer to the exhibit

A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The
administrator has determined that phase 1 fails to come up. The administrator has also re-entered the
pre-shared key on both FortiGate devices to make sure they match.
Based on the phase 1 configuration and the diagram shown in the exhibit, which two configuration
changes will bring phase 1 up? (Choose two.)

1. On HQ-FortiGate, set IKE mode to Main (ID protection).

2. On both FortiGate devices, set Dead Peer Detection to On Demand.

3. On Remote-FortiGate, set port2 as Interface.

4. On HQ-FortiGate, disable Diffie-Helman group 2.

155 / 184

155. Why does FortiGate keep TCP sessions in the session table for some seconds even after both sides
(client and server) have terminated the session?

1. To allow for out-of-order packets that could arrive after the FIN/ACK packets

2. To finish any inspection operations

3. To generate logs

4. To remove the NAT operation

156 / 184

156. Refer to the exhibits.

The SSL VPN connection fails when a user attempts to connect to it.
What should the user do to successfully connect to SSL VPN?

1. Change the SSL VPN portal to the tunnel.

2. Change the Server IP address

3. Change the idle-timeout

4. Change the SSL VPN port on the client.

157 / 184

157. Why does FortiGate Keep TCP sessions in the session table for several seconds, even after both
sides (client and server) have terminated the session?

1. To remove the NAT operation

2. To generate logs

3. To allow for out-of-order packets that could arrive after the FIN/ACK packets

4. To allow for out-of-order packets that could arrive after the FIN/ACK packets

158 / 184

158. Refer to the exhibit

The exhibits show a network diagram and the explicit web proxy configuration.
In the command diagnose sniffer packet, what filter can you use to capture the traffic between the client
and the explicit web proxy?

1. ‘host 192.168.0.2 and port 8080’

2. ‘host 10.0.0.50 and port 8080’

3. ‘host 192.168.0.1 and port 80’

4. ‘host 10.0.0.50 and port 80’

159 / 184

159. Which two types of traffic are managed only by the management VDOM? (Choose two.)

1. PKI

2. Traffic shaping

3. DNS

4. FortiGuard web filter queries

160 / 184

160. Which three pieces of information does FortiGate use to identify the hostname of the SSL server when SSL
certificate inspection is enabled? (Choose three.)

1. The subject alternative name (SAN) field in the server certificate

2. The serial number in the server certificate

3. The server name indication (SNI) extension in the client hello message

4. The subject field in the server certificate

5. The host field in the HTTP header

161 / 184

161. Examine the following web filtering log.

Which statement about the log message is true?

1. The usage quota for the IP address 10.0.1.10 has expired

2. The web site miniclip.com matches a static URL filter whose action is set to Warning

3. The name of the applied web filter profile is default

4. The action for the category Games is set to block

162 / 184

162. An administrator observes that the port1 interface cannot be configured with an IP address.
What can be the reasons for that? (Choose three.)

1. The interface has been configured for one-arm sniffer

2. The interface is a member of a virtual wire pair.

3. Captive portal is enabled in the interface.

4. The interface is a member of a zone

5. The operation mode is transparent

163 / 184

163. Which of the following statements is true regarding SSL VPN settings for an SSL VPN portal?

1. By default, the admin GUI and SSL VPN portal use the same HTTPS port.

2. By default, the SSL VPN portal requires the installation of a client’s certificate.

3. By default, split tunneling is enabled.

4. By default, FortiGate uses WINS servers to resolve names.

164 / 184

164. Refer to the exhibit

Examine the intrusion prevention system (IPS) diagnostic command.
Which statement is correct If option 5 was used with the IPS diagnostic command and the outcome was a
decrease in the CPU usage?

1. The IPS engine was inspecting high volume of traffic.

2. The IPS engine will continue to run in a normal state.

3. The IPS engine was blocking all traffic.

4. The IPS engine was unable to prevent an intrusion attack.

165 / 184

165. An administrator wants to configure Dead Peer Detection (DPD) on IPSEC VPN for DPD probes only when no traffic is observed in the tunnel.
Which DPO mode on FortiGate wtll meet the above requirement?

1. Disabled

2. On Demand

3. On Idel

4. Enabled

166 / 184

166. If the Issuer and Subject values are the same in a digital certificate, which type of entity was
the certificate issued to?

1. A person

2. A CRL

3. A subordinate CA

4. A root CA

167 / 184

167. A network administrator has enabled full SSL inspection and web filtering on FortiGate. When visiting any
HTTPS websites, the browser reports certificate warning errors. When visiting HTTP websites, the browser
does not report errors.
What is the reason for the certificate warning errors?

1. The CA certificate set on the SSL/SSH inspection profile has not been imported into the browser.

2. FortiGate does not support full SSL inspection when web filtering is enabled.

3. There are network connectivity issues.

4. The browser requires a software update.

168 / 184

168. Which of the following route attributes must be equal for static routes to be eligible for equal
cost multipath (ECMP) routing? (Choose two.)

1. Metric

2. Distance

3. Priority

4. Cost

169 / 184

169. Refer to the exhibit.

Which contains a session list output. Based on the information shown in the exhibit, which statement is
true?

1. Overload NAT IP pool is used in the firewall policy

2. Port block allocation IP pool is used in the firewall policy.

3. One-to-one NAT IP pool is used in the firewall policy

4. Destination NAT is disabled in the firewall policy.

170 / 184

170. Examine the IPS sensor configuration shown in the exhibit, and then answer the question below.

An administrator has configured the WINDOWS_SERVERS IPS sensor in an attempt to determine
whether the influx of HTTPS traffic is an attack attempt or not. After applying the IPS sensor, FortiGate is
still not generating any IPS logs for the HTTPS traffic.
What is a possible reason for this?

1. A DoS policy should be used, instead of an IPS sensor

2. The IPS filter is missing the Protocol: HTTPS option.

3. The firewall policy is not using a full SSL inspection profile.

4. The HTTPS signatures have not been added to the sensor

5. A DoS policy should be used, instead of an IPS sensor.

171 / 184

171. Which of the following statements about converse mode are true? (Choose two.)

1. FortiGate stops sending files to FortiSandbox for inspection.

2. Administrators cannot change the configuration.

3. Administrators can access the FortiGate only through the console port.

4. FortiGate stops doing RPF checks over incoming packets.

172 / 184

172. An administrator needs to configure VPN user access for multiple sites using the same soft FortiToken.
Each site has a FortiGate VPN gateway.
What must an administrator do to achieve this objective?

1. The administrator must use a FortiAuthenticator device.

2. The administrator must use the user self-registration server

3. The administrator can register the same FortiToken on more than one FortiGate.

4. The administrator can use a third-party radius OTP server.

173 / 184

173. When using WPAD DNS method, which FQDN format do browsers use to query the DNS
server?

1. srv_proxy.<local-domain>/wpad.dat

2. wpad.<local-domain>

3. proxy.<local-domain>.wpad

4. srv_tcp.wpad.<local-domain>

174 / 184

174. Which engine handles application control traffic on the next-generation firewall?

1. Antivirus engine

2. Detection engine

3. Flow engine

4. Intrusion prevention system engine

175 / 184

175. What inspection mode does FortiGate use if it is configured as a policy-based next-generation firewall
(NGFW)?

1. Certificate inspection

2. Full Content inspection

3. Flow-based inspection

4. Proxy-based inspection

176 / 184

176. Refer to the exhibit.

In the network shown in the exhibit, the web client cannot connect to the HTTP web server. The
administrator runs the FortiGate built-in sniffer and gets the output as shown in the exhibit.
What should the administrator do next to troubleshoot the problem?

1. Execute another sniffer in the FortiGate, this time with the filter “host 10.0.1.10”

2. Capture the traffic using an external sniffer connected to port1.

3. Execute a debug flow.

4. Run a sniffer on the web server.

177 / 184

177. Which CLI command will display sessions both from client to the proxy and from the proxy to the
servers?

1. diagnose wad session list | grep hook=pre&&hook=out

2. diagnose wad session list

3. diagnose wad session list | grep hook-pre&&hook-out

4. diagnose wad session list | grep "hook=pre"&"hook=out"

178 / 184

178. An administrator must disable RPF check to investigate an issue.
Which method is best suited to disable RPF without affecting features like antivirus and intrusion
prevention system?

1. Disable the RPF check at the FortiGate interface level for the reply check.

2. Disable the RPF check at the FortiGate interface level for the source check.

3. Enable asymmetric routing, so the RPF check will be bypassed.

4. Enable asymmetric routing at the interface level

179 / 184

179. An administrator needs to increase network bandwidth and provide redundancy.
What interface type must the administrator select to bind multiple FortiGate interfaces?

1. Aggregate interface

2. Redundant interface

3. Software Switch interface

4. VLAN interface

180 / 184

180. Refer to the exhibit.

Which contains a network diagram and routing table output.
The Student is unable to access Webserver.
What is the cause of the problem and what is the solution for the problem?

1. The first reply packet for Student failed the RPF check. This issue can be resolved by adding a static route to 10.0.4.0/24 through wan1

2. The first packet sent from Student failed the RPF check. This issue can be resolved by adding a static route to 10.0.4.0/24 through wan1.

3. The first reply packet for Student failed the RPF check. This issue can be resolved by adding a static route to 203.0.114.24/32 through port3.

4. The first packet sent from Student failed the RPF check. This issue can be resolved by adding a static route to 203.0.114.24/32 through port3.

181 / 184

181. Which three authentication timeout types are availability for selection on FortiGate? (Choose three.)

1. hard-timeout

2. Idle-timeout

3. soft-timeout

4. new-session

5. auth-on-demand

182 / 184

182. Which two statements are correct regarding FortiGate FSSO agentless polling mode? (Choose two.)

1. FortiGate uses the AD server as the collector agent.

2. FortiGate queries AD by using the LDAP to retrieve user group information

3. FortiGate uses the SMB protocol to read the event viewer logs from the DCs.

4. FortiGate points the collector agent to use a remote LDAP server.

183 / 184

183. View the exhibit:

Which the FortiGate handle web proxy traffic rue? (Choose two.)

1. Traffic between port1-VLAN1 and port2-VLAN1 is allowed by default.

2. port1-VLAN10 and port2-VLAN10 can be assigned to different VDOM

3. port-VLAN1 is the native VLAN for the port1 physical interface.

4. Broadcast traffic received in port1-VLAN10 will not be forwarded to port2-VLAN10.

184 / 184

184. What devices form the core of the security fabric?

1. Two FortiGate devices and one FortiAnalyzer device

2. Two FortiGate devices and one FortiManager device

3. One FortiGate device and one FortiManager device

4. One FortiGate device and one FortiAnalyzer device

Your score is

LinkedIn Facebook Twitter VKontakte

0 votes, 0 avg

Created by

Rabiul Islam

CCNA Question Part-1

1 / 100

1. An engineer must configure a /30 subnet between two routers. Which usable IP address and subnet mask
combination meets this criteria?

1. interface e0/0 description to HQ-A370:98968 ip address 209.165.201.2 255.255.255.252

2. interface e0/0 description to HQ-A370:98968 ip address 192.168.1.1 255.255.255.248

3. interface e0/0 description to HQ-A370:98968 ip address 172.16.1.4 255.255.255.248

4. interface e0/0 description to HQ-A370:98968 ip address 10.2.1.3 255.255.255.252

A /30 subnet means subnet mask of 255.255.255.252. But 10.2.1.3 255.255.255.252 is a broadcast IP address;
only 209.165.201.2/30 is the usable IP address

2 / 100

2. When OSPF learns multiple paths to a network, how does it select a route?

1. It divides a reference bandwidth of 100 Mbps by the actual bandwidth of the existing interface to calculate the router with the lowest cost.

2. It multiple the active K value by 256 to calculate the route with the lowest metric

3. For each existing interface, it adds the metric from the source router to the destination to calculate the route with the lowest bandwidth.

4. It count the number of hops between the source router and the destination to determine the router with the lowest metric.

3 / 100

3. If a notice-level messaging is sent to a syslog server, which event has occurred?

1. A network device has restarted.

2. An ARP inspection has failed.

3. A routing instance has flapped.

4. A debug operation is running.

Usually no action is required when a route flaps so it generates the notification syslog level message (level 5).

4 / 100

4. Refer to the exhibit. With which metric was the route to host 172.16.0.202 learned?

1. 38443

2. 3184439

3. 0

4. 110

Both the line "O 172.16.0.128/25" and "S 172.16.0.0/24" cover the host 172.16.0.202 but with the "longest
(prefix) match" rule the router will choose the first route.

5 / 100

5. Refer to the exhibit. What does router R1 use as its OSPF router-ID?

1. 192.168.0.1

2. 172.16.15.10

3. 10.10.1.10

4. 10.10.10.20

OSPF uses the following criteria to select the router ID:
1. Manual configuration of the router ID (via the "router-id x.x.x.x" command under OSPF router configuration
mode).
2. Highest IP address on a loopback interface.
3. Highest IP address on a non-loopback and active (no shutdown) interface

6 / 100

6. Which statement correctly compares traditional networks and controller-based networks?

1. Only controller-based networks decouple the control plane and the data plane.

2. Only traditional networks natively support centralized management

3. Only traditional networks offer a centralized control plane.

4. Traditional and controller-based networks abstract policies from device configurations.

Most traditional devices use a distributed architecture, in which each control plane is resided in a networking
device. Therefore they need to communicate with each other via messages to work correctly.
In contrast to distributed architecture, centralized (or controller-based) architectures centralizes the control of
networking devices into one device, called SDN controller -> Answer D is correct.

7 / 100

7. What is the primary different between AAA authentication and authorization?

1. Authentication verifies a username and password, and authorization handles the communication between the authentication agent and the user database

2. Authentication identifies and verifies a user who is attempting to access a system, and authorization controls the tasks the user can perform.

3. Authentication identifies and verifies a user who is attempting to access a system, and authorization controls the tasks the user can perform.

4. Authentication identifies a user who is attempting to access a system, and authorization validates the users password.

AAA stands for Authentication, Authorization and Accounting.
+ Authentication: Specify who you are (usually via login username & password)
+ Authorization: Specify what actions you can do, what resource you can access
+ Accounting: Monitor what you do, how long you do it (can be used for billing and auditing)
An example of AAA is shown below:
+ Authentication: "I am a normal user. My username/password is user_tom/learnforever"
+ Authorization: "user_tom can access LearnCCNA server via HTTP and FTP"
+ Accounting: "user_tom accessed LearnCCNA server for 2 hours". This user only uses "show" commands.

8 / 100

8. Which two capacities of Cisco DNA Center make it more extensible? (Choose two)

1. adapters that support all families of Cisco IOS software

2. SDKs that support interaction with third-party network equipment

3. REST APIs that allow for external applications to interact natively with Cisco DNA Center

4. customized versions for small, medium, and large enterprises

5. modular design that is upgradable as needed

Cisco DNA Center offers 360-degree extensibility through four distinct types of platform capabilities:
+ Intent-based APIs leverage the controller and enable business and IT applications to deliver intent to the
network and to reap network analytics and insights for IT and business innovation.
+ Process adapters, built on integration APIs, allow integration with other IT and network systems to streamline
IT operations and processes.
+ Domain adapters, built on integration APIs, allow integration with other infrastructure domains such as data
center, WAN, and security to deliver a consistent intent-based infrastructure across the entire IT environment.
+ SDKs allow management to be extended to third-party vendor's network devices to offer support for diverse
environments.

9 / 100

9. Refer to the exhibit. What is the effect of this configuration?

1. The switch discard all ingress ARP traffic with invalid MAC-to-IP address bindings

2. Egress traffic is passed only if the destination is a DHCP server.

3. All ARP packets are dropped by the switch.

4. All ingress and egress traffic is dropped because the interface is untrusted.

Dynamic ARP inspection is an ingress security feature; it does not perform any egress checking

10 / 100

10. Which network allows devices to communicate without the need to access the Internet?

1. 172.28.0.0/16

2. 209.165.201.0/24

3. 172.9.0.0/16

4. 192.0.0.0/8

This question asks about the private ranges of IPv4 addresses. The private ranges of each class of IPv4 are
listed below:
Class A private IP address ranges from 10.0.0.0 to 10.255.255.255 Class B private IP address ranges from
172.16.0.0 to 172.31.255.255 Class C private IP address ranges from 192.168.0.0 to 192.168.255.255 Only the
network 172.28.0.0/16 belongs to the private IP address (of class B).

11 / 100

11. Which type of wireless encryption is used for WPA2 in pre-shared key mode?

1. AES-128

2. TKIP with RC4

3. AES-256

4. RC4

12 / 100

12. Refer to the exhibit. An engineer configured NAT translations and has verified that the configuration is correct.
Which IP address is the source IP?

1. 10.4.4.5

2. 10.4.4.4

3. 172.23.104.4

4. 172.23.103.10

13 / 100

13. What are two characteristics of a controller-based network? (Choose two)

1. The administrator can make configuration updates from the CLI.

2. It uses Telnet to report system issues.

3. It moves the control plane to a central point.

4. It uses northbound and southbound APIs to communicate between architectural layers.

5. It decentralizes the control plane, which allows each device to make its own forwarding decisions

14 / 100

14. Which statement identifies the functionality of virtual machines?

1. The hypervisor can virtualize physical components including CPU, memory, and storage.

2. Each hypervisor can support a single virtual machine and a single software switch.

3. Virtualized servers run most efficiently when they are physically connected to a switch that is separate from the hypervisor.

4. The hypervisor communicates on Layer 3 without the need for additional resources.

15 / 100

15. When configuring a WLAN with WPA2 PSK in the Cisco Wireless LAN Controller GUI, which two formats are
available to select? (Choose two)

1. decimal

2. hexadecimal

3. ASCII

4. binary

5. base64

When configuring a WLAN with WPA2 Preshared Key (PSK), we can choose the encryption key format as
either ASCII or HEX.
Reference: https://www.cisco.com/c/en/us/td/docs/wireless/controller/74/configuration/guides/consolidated/b_cg74_CONSOLIDATED/b_cg74_CONSOLIDATED_chapter_01010001.htm

16 / 100

16. How do TCP and UDP differ in the way that they establish a connection between two endpoints?

1. TCP uses the three-way handshake and UDP does not guarantee message delivery.

2. UDP uses SYN, SYN ACK and FIN bits in the frame header while TCP uses SYN, SYN ACK and ACK bits.

3. TCP uses synchronization packets, and UDP uses acknowledgment packets.

4. UDP provides reliable message transfer and TCP is a connectionless protocol.

17 / 100

17. Refer to the exhibit. Which prefix does Router 1 use for traffic to Host A?

1. 10.10.13.208/29

2. 10.10.10.0/28

3. 10.10.13.0/25

4. 10.10.13.144/28

Host A address fall within the address range. However, if more than one route to the same subnet exist (router
will use the longest stick match, which match more specific route to the subnet). If there are route
10.10.13.192/26 and 10.10.13.208/29, the router will forward the packet to /29 rather than /28.

18 / 100

18. Which API is used in controller-based architectures to interact with edge devices?

1. underlay

2. northbound

3. southbound

4. overlay

19 / 100

19. Router A learns the same route from two different neighbors, one of the neighbor routers is an OSPF neighbor
and the other is an EIGRP neighbor. What is the administrative distance of the route that will be installed in the
routing table?

1. 115

2. 90

3. 20

4. 110

The Administrative distance (AD) of EIGRP is 90 while the AD of OSPF is 110 so EIGRP route will be chosen
to install into the routing table.

20 / 100

20. Which IPv6 address is valid?

1. 2001:0db8:0000:130F:0000:0000:08GC:140B

2. 2031:0:130F::9C0:876A:130B

3. 2031::130F::9C0:876A:130B

4. 2001:0db8:0:130H::87C:140B

An IPv6 address is represented as eight groups of four hexadecimal digits, each group representing 16 bits
(two octets). The groups are separated by colons (:). An example of an IPv6 address is
2001:0db8:85a3:0000:0000:8a2e:0370:7334.
The leading O’s in a group can be collapsed using ::, but this can only be done once in an IP address.

21 / 100

21. Which design element is a best practice when deploying an 802.11b wireless infrastructure?

1. setting the maximum data rate to 54 Mbps on the Cisco Wireless LAN Controller

2. allocating nonoverlapping channels to access points that are in close physical proximity to one another

3. configuring access points to provide clients with a maximum of 5 Mbps

4. disabling TPC so that access points can negotiate signal levels with their attached wireless devices

22 / 100

22. Which two statements describe characteristics of IPv6 unicast addressing? (Choose two.)

1. If a global address is assigned to an interface, then that is the only allowable address for the interface.

2. Link-local addresses start with FE00:/12.

3. Link-local addresses start with FF00::/10.

4. Which two statements describe characteristics of IPv6 unicast addressing? (Choose two.)

5. There is only one loopback address and it is ::1.

23 / 100

23. Which command is used to specify the delay time in seconds for LLDP to initialize on any interface?

1. lldp reinit

2. ldp tlv-select

3. lldp holdtimt

4. lldp timer

+ lldp holdtime seconds: Specify the amount of time a receiving device should hold the information from your
device before discarding it
+ lldp reinit delay: Specify the delay time in seconds for LLDP to initialize on an interface
+ lldp timer rate: Set the sending frequency of LLDP updates in seconds

24 / 100

24. Which set of action satisfy the requirement for multi-factor authentication?

1. The user enters a user name and password and then re-enters the credentials on a second screen.

2. The user enters a user name and password, and then clicks a notification in an authentication app on a mobile device

3. The user enters a PIN into an RSA token, and then enters the displayed RSA key on a login screen.

4. The user swipes a key fob, then clicks through an email link.

This is an example of how two-factor authentication (2FA) works:
1. The user logs in to the website or service with their username and password.
2. The password is validated by an authentication server and, if correct, the user becomes eligible for the
second factor.
3. The authentication server sends a unique code to the user's second-factor method (such as a smartphone
app).
4. The user confirms their identity by providing the additional authentication for their second-factor method.

25 / 100

25. When a floating static route is configured, which action ensures that the backup route is used when the primary
route fails?

1. The default-information originate command must be configured for the route to be installed into the routing table.

2. The administrative distance must be higher on the primary route so that the backup route becomes secondary

3. The floating static route must have a lower administrative distance than the primary route so it is used as a backup.

4. The floating static route must have a higher administrative distance than the primary route so it is used as a backup.

26 / 100

26. What makes Cisco DNA Center different from traditional network management applications and their
management of networks?

1. It only supports auto-discovery of network elements in a greenfield deployment.

2. It does not support high availability of management functions when operating in cluster mode.

3. It abstracts policy from the actual device configuration

4. It modular design allows someone to implement different versions to meet the specific needs of an organization.

27 / 100

27. Refer to the exhibit. A frame on VLAN 1 on switch S1 is sent to switch S2 where the frame is received on VLAN
2.

What causes this behavior?

1. native VLAN mismatches

2. trunk mode mismatches

3. allowing only VLAN 2 on the destination

4. VLANs that do not correspond to a unique IP subnet

Untagged frames are encapsulated with the native VLAN. In this case, the native VLANs are different so
although S1 will tag it as VLAN 1 it will be received by S2.

28 / 100

28. Refer to the exhibit. An extended ACL has been configured and applied to router R2 The configuration farted to
work as intended.

Refer to the exhibit. An extended ACL has been configured and applied to router R2 The configuration started
to work as intended.Which two changes stop outbound traffic on TCP ports 25 and 80 to 10.0.20.0/26 from the
10.0.10.0/26 subnet while still allowing all other traffic? (Choose two)

1. Add a “permit ip any any” statement at the end of ACL 101 for allowed traffic.

2. The source and destination IPs must be swapped in ACL 101.

3. Add a “permit ip any any” statement to the begining of ACL 101 for allowed traffic.

4. The ACL must be moved to the Gio/1 interface outbound on R2.

5. The ACL must be configured the Gi0/2 interface inbound on R1.

29 / 100

29. Which output displays a JSON data representation?

1. Option D

2. Option A

3. Option B

4. Option C

JSON data is written as name/value pairs.
A name/value pair consists of a field name (in double quotes), followed by a colon, followed by a value:
“name”:”Mark”
JSON can use arrays. Array values must be of type string, number, object, array, boolean or null.
For example:
{
“name”:”John”,
“age”:30,
“cars”:[ “Ford”, “BMW”, “Fiat” ]
}
JSON can have empty object like “taskId”:{}

30 / 100

30. An engineer configured an OSPF neighbor as a designated router. Which state verifies the designated router is
in the proper mode?

1. Init

2. Exchange

3. Full

4. 2-way

31 / 100

31. Two switches are connected and using Cisco Dynamic Trunking Protocol SW1 is set to Dynamic Desirable.
What is the result of this configuration?

1. The link is becomes an access port.

2. The link is in a down state.

3. The link becomes a trunk port.

4. The link is in an error disables state

32 / 100

32. Which two values or settings must be entered when configuring a new WLAN in the Cisco Wireless LAN
Controller GUI? (Choose two)

1. SSID

2. Profile name

3. management interface settings

4. Ip address of one or more access points

5. QoS settings

33 / 100

33. What are two benefits of network automation? (Choose two)

1. faster changes with more reliable results

2. increased network security

3. reduced hardware footprint

4. fewer network failures

5. reduced operational costs

34 / 100

34. Refer to the exhibit. A network administrator is configuring an EtherChannel between SW1 and SW2. The SW1
configuration is shown.

1. interface FastEthernet 0/1 channel-group 1 mode active switchport trunk encapsulation dot1q switchport mode trunk interface FastEthernet 0/2 channel-group 1 mode active switchport trunk encapsulation dot1q switchport mode trunk

2. interface FastEthernet 0/1 channel-group 1 mode desirable switchport trunk encapsulation dot1q switchport mode trunk interface FastEthernet 0/2 channel-group 1 mode desirable switchport trunk encapsulation dot1q switchport mode trunk

3. interface FastEthernet 0/1 channel-group 2 mode auto switchport trunk encapsulation dot1q switchport mode trunk interface FastEthernet 0/2 channel-group 2 mode auto switchport trunk encapsulation dot1q switchport mode trunk

4. interface FastEthernet 0/1 channel-group 1 mode passive switchport trunk encapsulation dot1q switchport mode trunk interface FastEthernet 0/2 channel-group 1 mode passive switchport trunk encapsulation dot1q switchport mode trunk

If the etherchannel was configured with mode “auto”, it was using PagP, so, we need to configure the other
switch with “desirable” mode.
PagP modes: auto | Desirable
LACP modes: active | pasive

35 / 100

35. Which type of address is the public IP address of a NAT device?

1. outside global

2. inside local

3. outside public

4. inside global

5. inside public

6. outside local

NAT use four types of addresses:
* Inside local address - The IP address assigned to a host on the inside network. The address is usually not an
IP address assigned by the Internet Network Information Center (InterNIC) or service provider.
This address is likely to be an RFC 1918 private address.
* Inside global address - A legitimate IP address assigned by the InterNIC or service provider that represents
one or more inside local IP addresses to the outside world.
* Outside local address - The IP address of an outside host as it is known to the hosts on the inside network.
* Outside global address - The IP address assigned to a host on the outside network. The owner of the host
assigns this address.

36 / 100

36. Which action is taken by a switch port enabled for PoE power classification override?

1. As power usage on a PoE switch port is checked data flow to the connected device is temporarily paused.

2. When a powered device begins drawing power from a PoE switch port a syslog message is generated

3. If a switch determines that a device is using less than the minimum configured power it assumes the device has failed and disconnects.

4. If a monitored port exceeds the maximum administrative value for power, the port is shutdown and errdisabled.

Explanation: PoE monitoring and policing compares the power consumption on ports with the administrative
maximum value (either a configured maximum value or the port’s default value). If the power consumption on a
monitored port exceeds the administrative maximum value, the following actions occur:
– A syslog message is issued.
– The monitored port is shut down and error-disabled.
– The allocated power is freed.
Reference:https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/power_over_ethernet.pdf

37 / 100

37. Refer to the exhibit. The show ip ospf interface command has been executed on R1. How is OSPF configured?

1. There are six OSPF neighbors on this interface.

2. The interface is not participating in OSPF.

3. The default Hello and Dead timers are in use.

4. A point-to-point network type is configured.

Explanation:
From the output we can see there are Designated Router & Backup Designated Router for this OSPF domain
so this is a broadcast network (point-to-point and point-to multipoint networks do not elect DR & BDR) ->
Answer B is not correct.
By default, the timers on a broadcast network (Ethernet, point-to-point and point-to-multipoint) are 10 seconds
hello and 40 seconds dead (therefore answer C is correct). The timers on a non- broadcast network are 30
seconds hello 120 seconds dead.
From the line “Neighbor Count is 3”, we learn there are four OSPF routers in this OSPF domain -> Answer D is
not correct.
Reference: https://www.cisco.com/c/en/us/support/docs/ip/open-shortest-path-first-ospf/13689-17.html

38 / 100

38. Refer to the exhibit. If configuring a static default route on the router with the ip route 0.0.0.0 0.0.0.0 10.13.0.1
120 command, how does the router respond?

1. It ignores the new static route until the existing OSPF default route is removed.

2. It immediately replaces the existing OSPF route in the routing table with the newly configured static route.

3. It starts load-balancing traffic between the two default routes.

4. It starts sending traffic without a specific matching entry in the routing table to GigabitEthernet0/1.

Our new static default route has the Administrative Distance (AD) of 120, which is bigger than the AD of OSPF
External route (O*E2) so it will not be pushed into the routing table until the current OSPF External route is
removed.
For your information, if you don't type the AD of 120 (using the command "ip route 0.0.0.0 0.0.0.0 10.13.0.1")
then the new static default route would replace the OSPF default route as the default AD of static route is 1.
You will see such line in the routing table:
S* 0.0.0.0/0 [1/0] via 10.13.0.1

39 / 100

39. Which IPv6 address type provides communication between subnets and cannot route on the Internet?

1. unique local

2. global unicast

3. multicast

4. ink-local

A IPv6 Unique Local Address is an IPv6 address in the block FC00::/7. It is the approximate IPv6 counterpart of
the IPv4 private address. It is not routable on the global Internet.
Note: In the past, Site-local addresses (FEC0::/10) are equivalent to private IP addresses in IPv4 but now they
are deprecated.
Link-local addresses only used for communications within the local subnet. It is usually created dynamically
using a link-local prefix of FE80::/10 and a 64-bit interface identifier (based on 48-bit MAC address).

40 / 100

40. An email user has been lured into clicking a link in an email sent by their company’s security organization. The
webpage that opens reports that it was safe but the link could have contained malicious code. Which type of
security program is in place?

1. Social engineering attack

2. Physical access control

3. user awareness

4. brute force attack

41 / 100

41. R1 has learned route 192.168.12.0/24 via IS-IS. OSPF, RIP. and Internal EIGRP Under normal operating
conditions, which routing protocol is installed in the routing table?

1. Internal EIGRP

2. IS-IS

3. RIP

4. OSPF

With the same route (prefix), the router will choose the routing protocol with lowest Administrative Distance
(AD) to install into the routing table. The AD of Internal EIGRP (90) is lowest so it would be chosen. The table
below lists the ADs of popular routing protocols.

Note: The AD of IS-IS is 115. The "EIGRP" in the table above is "Internal EIGRP". The AD of "External EIGRP"
is 170. An EIGRP external route is a route that was redistributed into EIGRP.

42 / 100

42. Refer to the exhibit. Which type of route does R1 use to reach host 10.10.13.10/32?

1. host route

2. network route

3. default route

4. floating static route

From the output, we see R1 will use the entry "O 10.10.13.0/25 [110/4576] via 10.10.10.1, ..." to reach host
10.10.13.10. This is a network route.
Note: "B* 0.0.0.0/0 ..." is a default route.

43 / 100

43. An organization has decided to start using cloud-provided services.
Which cloud service allows the organization to install its own operating system on a virtual machine?

1. platform-as-a-service

2. infrastructure-as-a-service

3. network-as-a-service

4. software-as-a-service

Below are the 3 cloud supporting services cloud providers provide to customer:
+ SaaS (Software as a Service): SaaS uses the web to deliver applications that are managed by a thirdparty
vendor and whose interface is accessed on the clients' side. Most SaaS applications can be run directly from a
web browser without any downloads or installations required, although some require plugins.
+ PaaS (Platform as a Service): are used for applications, and other development, while providing cloud
components to software. What developers gain with PaaS is a framework they can build upon to develop or
customize applications. PaaS makes the development, testing, and deployment of applications quick, simple,
and cost-effective. With this technology, enterprise operations, or a thirdparty provider, can manage OSes,
virtualization, servers, storage, networking, and the PaaS software itself. Developers, however, manage the
applications.
+ IaaS (Infrastructure as a Service): self-service models for accessing, monitoring, and managing remote
datacenter infrastructures, such as compute (virtualized or bare metal), storage, networking, and networking
services (e.g. firewalls). Instead of having to purchase hardware outright, users can purchase IaaS based on
consumption, similar to electricity or other utility billing.
In general, IaaS provides hardware so that an organization can install their own operating system.

44 / 100

44. An engineer is asked to protect unused ports that are configured in the default VLAN on a switch. Which two
steps will fulfill the request? (Choose two)

1. Configure the port type as access and place in VLAN 99.

2. Administratively shut down the ports.

3. Configure the ports as trunk ports.

4. Configure the ports in an EtherChannel.

5. Enable the Cisco Discovery Protocol.

45 / 100

45. A network engineer must back up 20 network router configurations globally within a customer environment.
Which protocol allows the engineer to perform this function using the Cisco IOS MIB?

1. SNMP

2. SMTP

3. ARP

4. CDP

SNMP is an application-layer protocol that provides a message format for communication between SNMP
managers and agents. SNMP provides a standardized framework and a common language used for the
monitoring and management of devices in a network.
The SNMP framework has three parts:
+ An SNMP manager
+ An SNMP agent
+ A Management Information Base (MIB)
The Management Information Base (MIB) is a virtual information storage area for network management
information, which consists of collections of managed objects.
With SNMP, the network administrator can send commands to multiple routers to do the backup.

46 / 100

46. Which two must be met before SSH can operate normally on a Cisco IOS switch? (Choose two)

1. Telnet must be disabled on the switch.

2. A console password must be configured on the switch.

3. The ip domain-name command must be configured on the switch

4. The switch must be running a k9 (crypto) IOS image.

5. IP routing must be enabled on the switch.

47 / 100

47. Refer to exhibit. Which statement explains the configuration error message that is received?

1. It is a broadcast IP address.

2. It belongs to a private IP address range.

3. The router does not support/28 mask.

4. is a network IP address.

48 / 100

48. Which two outcomes are predictable behaviors for HSRP? (Choose two)

1. Each router has a different IP address both routers act as the default gateway on the LAN, and traffic is load balanced between them.

2. The two routers negotiate one router as the active router and the other as the standby router.

3. The two routers share a virtual IP address that is used as the default gateway for devices on the LAN.

4. The two routed share the same IP address, and default gateway traffic is load-balanced between them.

5. The two routers synchronize configurations to provide consistent packet forwarding.

49 / 100

49. What are two reasons that cause late collisions to increment on an Ethernet interface? (Choose two)

1. when one side of the connection is configured for half-duplex

2. when the sending device waits 15 seconds before sending the frame again

3. when the cable length limits are exceeded

4. when Carner Sense Multiple Access/Collision Detection is used

5. when a collision occurs after the 32nd byte of a frame has been transmitted

A late collision is defined as any collision that occurs after the first 512 bits (or 64th byte) of the frame have
been transmitted. The usual possible causes are full-duplex/half-duplex mismatch, exceeded Ethernet cable
length limits, or defective hardware such as incorrect cabling, noncompliant number of hubs in the network, or a
bad NIC.
Late collisions should never occur in a properly designed Ethernet network. They usually occur when Ethernet
cables are too long or when there are too many repeaters in the network.
Reference: Click here

50 / 100

50. Which result occurs when PortFast is enabled on an interface that is connected to another switch?

1. Spanning tree may fail to detect a switching loop in the network that causes broadcast storms.

2. Root port choice and spanning tree recalculation are accelerated when a switch link goes down.

3. VTP is allowed to propagate VLAN configuration information from switch to switch automatically

4. After spanning tree converges PortFast shuts down any port that receives BPDUS.

Enabling the PortFast feature causes a switch or a trunk port to enter the STP forwarding-state immediately or
upon a linkup event, thus bypassing the listening and learning states.
Note: To enable portfast on a trunk port you need the trunk keyword "spanning-tree portfast trunk"

51 / 100

51. When configuring IPv6 on an interface, which two IPv6 multicast groups are joined? (Choose two)

1. FF02::1

2. FC00::/7

3. 2000::/3

4. FF02::2

5. 2002::5

52 / 100

52. A router running EIGRP has learned the same route from two different paths. Which parameter does the router
use to select the best path?

1. cost

2. metric

3. administrative distance

4. as-path

If a router learns two different paths for the same network from the same routing protocol, it has to decide
which route is better and will be placed in the routing table. Metric is the measure used to decide which route is
better (lower number is better). Each routing protocol uses its own metric.
For example, RIP uses hop counts as a metric, while OSPF uses cost.

53 / 100

53. Which command enables a router to become a DHCP client?

1. ip address dhcp

2. ip dhcp pool

3. ip helper-address

4. ip dhcp client

54 / 100

54. Refer to the exhibit. A frame on VLAN 1 on switch S1 is sent to switch S2 where the frame is received on VLAN-2

1. allowing only VLAN 2 on the destination

2. trunk mode mismatches

3. VLANs that do not correspond to a unique IP subnet

4. native VLAN mismatches

Untagged frames are encapsulated with the native VLAN. In this case, the native VLANs are different so
although S1 will tag it as VLAN 1 it will be received by S2.

55 / 100

55. Which two actions are performed by the Weighted Random Early Detection mechanism? (Choose two)

1. It can mitigate congestion by preventing the queue from filling up.

2. It guarantees the delivery of high-priority packets.

3. It can identify different flows with a high level of granularity.

4. It drops lower-priority packets before it drops higher-priority packets.

5. It supports protocol discovery.

Weighted Random Early Detection (WRED) is just a congestion avoidance mechanism. WRED drops packets
selectively based on IP precedence. Edge routers assign IP precedences to packets as they enter the network.
When a packet arrives, the following events occur:
1. The average queue size is calculated.
2. If the average is less than the minimum queue threshold, the arriving packet is queued.
3. If the average is between the minimum queue threshold for that type of traffic and the maximum threshold for
the interface, the packet is either dropped or queued, depending on the packet drop probability for that type of
traffic.
4. If the average queue size is greater than the maximum threshold, the packet is dropped. WRED reduces the
chances of tail drop (when the queue is full, the packet is dropped) by selectively dropping packets when the
output interface begins to show signs of congestion (thus it can mitigate congestion by preventing the queue
from filling up). By dropping some packets early rather than waiting until the queue is full, WRED avoids
dropping large numbers of packets at once and minimizes the chances of global synchronization. Thus, WRED
allows the transmission line to be used
fully at all times.
WRED generally drops packets selectively based on IP precedence. Packets with a higher IP precedence are
less likely to be dropped than packets with a lower precedence. Thus, the higher the priority of a packet, the
higher the probability that the packet will be delivered (-> answer A is correct).

56 / 100

56. Refer to Exhibit. Which action do the switches take on the trunk link?

1. The trunk forms but the mismatched native VLANs are merged into a single broadcast domain.

2. The trunk forms but VLAN 99 and VLAN 999 are in a shutdown state.

3. The trunk does not form and the ports go into an err-disabled status.

4. The trunk does not form, but VLAN 99 and VLAN 999 are allowed to traverse the link.

The trunk still forms with mismatched native VLANs and the traffic can actually flow between mismatched
switches. But it is absolutely necessary that the native VLANs on both ends of a trunk link match; otherwise a
native VLAN mismatch occurs, causing the two VLANs to effectively merge.
For example with the above configuration, SW1 would send untagged frames for VLAN 999. SW2 receives
them but would think they are for VLAN 99 so we can say these two VLANs are merged.

57 / 100

57. Refer to the exhibit. Based on the LACP neighbor status, in which mode is the SW1 port channel configured?

1. mode on

2. auto

3. active

4. passive

In order to create an Etherchannel interface, the (local) SW1 ports should be in Active mode.
Moreover, the “Port State” in the exhibit is “0x3c” (which equals to “00111100 in binary format).
Bit 3 is “1” which means the ports are synchronizing -> the ports are working so the local ports should be in
Active mode.

58 / 100

58. Refer to Exhibit. How does SW2 interact with other switches in this VTP domain?

1. It receives updates from all VTP servers and forwards all locally configured VLANs out all trunk ports

2. It transmits and processes VTP updates from any VTP Clients on the network on its trunk ports.

3. It processes VTP updates from any VTP clients on the network on its access ports

4. It forwards only the VTP advertisements that it receives on its trunk ports.

The VTP mode of SW2 is transparent so it only forwards the VTP updates it receives to its trunk links without
processing them.
Reference: https://www.cisco.com/c/en/us/support/docs/lan-switching/vtp/10558-21.html

59 / 100

59. Refer to the exhibit. Which configuration when applied to switch A accomplishes this task?

1. Option C

2. Option B

3. Option A

4. Option D

60 / 100

60. Refer to Exhibit. An engineer is configuring the NEW York router to reach the Lot interface of the Atlanta router
using interface Se0/0/0 as the primary path.

Which two commands must be configured on the New York router so that it can reach the Lo1 interface of the
Atlanta router via Washington when the link between New York and Atlanta goes down? (Choose two)

1. ipv6 router 2000::1/128 2023::3 5

2. ipv6 router 2000::1/128 2012::2

3. ipv6 router 2000::1/128 2023:2 5

4. ipv6 router 2000::1/128 2012:1 5

5. ipv6 router 2000::1/128 2012::1

Floating static routes are static routes that have an administrative distance greater than the administrative
distance (AD) of another static route or dynamic routes. By default a static route has an AD of 1 then floating
static route must have the AD greater than 1. Floating static route has a manually configured administrative
distance greater than that of the primary route and therefore would not be in the routing table until the primary
route fails.

61 / 100

61. Which configuration is needed to generate an RSA key for SSH on a router?

1. Create a user with a password.

2. Assign a DNS domain name.

3. Configure VTY access.

4. Configure the version of SSH.

In order to generate an RSA key for SSH, we need to configure the hostname and a DNS domain name on the
router (a username and password is also required). Therefore in fact both answer C and answer D are correct.

62 / 100

62. A user configured OSPF and advertised the Gigabit Ethernet interface in OSPF by default, which type of OSPF
network does this interface belong to?

1. nonbroadcast

2. point-to-point

3. broadcast

4. point-to-multipoint

The Broadcast network type is the default for an OSPF enabled ethernet interface (while Point-toPoint is the
default OSPF network type for Serial interface with HDLC and PPP encapsulation).
Reference: https://www.oreilly.com/library/view/cisco-ios-cookbook/0596527225/ch08s15.html

63 / 100

63. What are two enhancements that OSPFv3 supports over OSPFV2? (Choose two.)

1. It can support multiple IPv6 subnets on a single link.

2. It routes over links rather than over networks.

3. It supports up to 2 instances of OSPFv3 over a common link.

4. It requires the use of ARP.

64 / 100

64. Refer to the exhibit. Which route does R1 select for traffic that is destined to 192 168.16.2?

1. 192.168.16.0/27

2. 192.168.16.0/21

3. 92.168.16.0/24

4. 192.168 26.0/26

The destination IP addresses match all four entries in the routing table but the 192.168.16.0/27 has the longest
prefix so it will be chosen. This is called the "longest prefix match" rule.

65 / 100

65. An engineer must configure a WLAN using the strongest encryption type for WPA2-PSK. Which cipher fulfills
the configuration requirement?

1. RC4

2. AES

3. TKIP

4. WEP

Many routers provide WPA2-PSK (TKIP), WPA2-PSK (AES), and WPA2-PSK (TKIP/AES) as options.
TKIP is actually an older encryption protocol introduced with WPA to replace the very-insecure WEP encryption
at the time. TKIP is actually quite similar to WEP encryption. TKIP is no longer considered secure, and is now
deprecated. In other words, you shouldn't be using it.
AES is a more secure encryption protocol introduced with WPA2 and it is currently the strongest encryption
type for WPA2-PSK/

66 / 100

66. Refer to the exhibit. Which password must an engineer use to enter the enable mode?

1. adminadmin123

2. default

3. esting1234

4. cisco123

If neither the enable password command nor the enable secret command is configured, and if there is a line
password configured for the console, the console line password serves as the enable password for all VTY
sessions -> The "enable secret" will be used first if available, then "enable password" and line password.
Reference:
https://www.cisco.com/c/en/us/td/docs/optical/cpt/r9_3/configuration/guide/cpt93_configuration/
cpt93_configuration_chapter_0100

67 / 100

67. Which IPv6 address block sends packets to a group address rather than a single address?

1. FE80::/10

2. FF00::/8

3. FC00::/7

4. 2000::/3

FF00::/8 is used for IPv6 multicast and this is the IPv6 type of address the question wants to ask.
FE80::/10 range is used for link-local addresses. Link-local addresses only used for communications within the
local subnetwork (automatic address configuration, neighbor discovery, router discovery, and by many routing
protocols). It is only valid on the current subnet.
It is usually created dynamically using a link-local prefix of FE80::/10 and a 64-bit interface identifier (based on
48-bit MAC address).

68 / 100

68. Refer to the Exhibit. After the switch configuration the ping test fails between PC A and PC B Based on the
output for switch 1.

Which error must be corrected?

1. There is a native VLAN mismatch.

2. Access mode is configured on the switch ports.

3. The PCs are in the incorrect VLAN.

4. All VLANs are not enabled on the trunk.

From the output we see the native VLAN of Switch1 on Gi0/1 interface is VLAN 1 while that of Switch2 is VLAN
99 so there would be a native VLAN mismatch

69 / 100

69. Which two actions influence the EIGRP route selection process? (Choose two)

1. The router calculates the feasible distance of all paths to the destination route.

2. The advertised distance is calculated by a downstream neighbor to inform the local router of the bandwidth on the link.

3. The router calculates the reported distance by multiplying the delay on the exiting Interface by 256.

4. The router must use the advertised distance as the metric for any given route. Correct Answer:

5. The router calculates the best backup path to the destination route and assigns it as the feasible successor.

The reported distance (or advertised distance) is the cost from the neighbor to the destination. It is calculated
from the router advertising the route to the network. For example in the topology below, suppose router A & B
are exchanging their routing tables for the first time. Router B says "Hey, the best metric (cost) from me to
IOWA is 50 and the metric from you to IOWA is 90" and advertises it to router A.
Router A considers the first metric (50) as the Advertised distance. The second metric (90), which is from
NEVADA to IOWA (through IDAHO), is called the Feasible distance.

-> Answer A is not correct.
Feasible successor is the backup route. To be a feasible successor, the route must have an Advertised
distance (AD) less than the Feasible distance (FD) of the current successor route -> Answer B is correct.
Feasible distance (FD): The sum of the AD plus the cost between the local router and the next- hop router.
The router must calculate the FD of all paths to choose the best path to put into the routing table.
Note: Although the new CCNA exam does not have EIGRP topic but you should learn the basic knowledge of
this routing protocol.

70 / 100

70. Which attribute does a router use to select the best path when two or more different routes to the same
destination exist from two different routing protocols?

1. administrative distance

2. metric

3. dual algorithm

4. hop count

71 / 100

71. Which QoS Profile is selected in the GUI when configuring a voice over WLAN deployment?

1. Silver

2. Platinum

3. Gold

4. Bronze

Cisco Unified Wireless Network solution WLANs support four levels of QoS: Platinum/Voice, Gold/Video, Silver/
Best Effort (default), and Bronze/Background.
Reference: https://www.cisco.com/c/en/us/td/docs/wireless/controller/7-4/configuration/guides/consolidated/b_cg74_CONSOLIDATED/b_cg74_CONSOLIDATED_chapter_01010111.html

72 / 100

72. In Which way does a spine-and-leaf architecture allow for scalability in a network when additional access ports
are required?

1. A leaf switch can be added with a single connection to a core spine switch.

2. A leaf switch can be added with connections to every spine switch.

3. A spine switch can be added with at least 40 GB uplinks.

4. A spine switch and a leaf switch can be added with redundant connections between them.

Spine-leaf architecture is typically deployed as two layers: spines (such as an aggregation layer), and leaves
(such as an access layer). Spine-leaf topologies provide high-bandwidth, low-latency, nonblocking server-toserver
connectivity.
Leaf (aggregation) switches are what provide devices access to the fabric (the network of spine and leaf
switches) and are typically deployed at the top of the rack. Generally, devices connect to the leaf switches.
Devices can include servers, Layer 4-7 services (firewalls and load balancers), and WAN or Internet routers.
Leaf switches do not connect to other leaf switches. In spine-and-leaf architecture, every leaf should connect to
every spine in a full mesh.
Spine (aggregation) switches are used to connect to all leaf switches and are typically deployed at the end or
middle of the row. Spine switches do not connect to other spine switches

73 / 100

73. What is the default behavior of a Layer 2 switch when a frame with an unknown destination MAC address is
received?

1. The Layer 2 switch forwards the packet and adds the destination MAC address to its MAC address table.

2. The Layer 2 switch sends a copy of a packet to CPU for destination MAC address learning.

3. The Layer 2 switch floods packets to all ports except the receiving port in the given VLAN.

4. The Layer 2 switch drops the received frame.

If the destination MAC address is not in the CAM table (unknown destination MAC address), the switch sends
the frame out all other ports that are in the same VLAN as the received frame. This is called flooding. It does
not flood the frame out the same port on which the frame was received.

74 / 100

74. Refer to the exhibit. Which command provides this output?

1. show ip interface

2. show cdp neighbor

3. show interface

4. show ip route

75 / 100

75. A frame that enters a switch fails the Frame Check Sequence.
Which two interface counters are incremented? (Choose two)

1. CRC

2. runts

3. input errors

4. giants

5. frame

76 / 100

76. What is the primary effect of the spanning-tree portfast command?

1. It immediately puts the port into the forwarding state when the switch is reloaded

2. It immediately enables the port in the listening state

3. It enables BPDU messages

4. It minimizes spanning-tree convergence time

77 / 100

77. Which two tasks must be performed to configure NTP to a trusted server in client mode on a single network
device? (Choose two)

1. Disable NTP broadcasts

2. Verify the time zone.

3. Set the NTP server private key.

4. Enable NTP authentication.

5. Specify the IP address of the NTP server.

To configure authentication, perform this task in privileged mode:
Step 1: Configure an authentication key pair for NTP and specify whether the key will be trusted or untrusted.
Step 2: Set the IP address of the NTP server and the public key.
Step 3: Enable NTP client mode.
Step 4: Enable NTP authentication.
Step 5: Verify the NTP configuration.

78 / 100

78. Which option is a valid IPv6 address?

1. 2001:0000:130F::099a::12a

2. 2002:7654:A1AD:61:81AF:CCC1

3. 2004:1:25A4:886F::1

4. FEC0:ABCD:WXYZ:0067::2A4

79 / 100

79. Which statement about Link Aggregation when implemented on a Cisco Wireless LAN Controller is true?

1. When enabled, the WLC bandwidth drops to 500 Mbps.

2. The EtherChannel must be configured in “mode active”.

3. To pass client traffic two or more ports must be configured.

4. One functional physical port is needed to pass client traffic.

Link aggregation (LAG) is a partial implementation of the 802.3ad port aggregation standard. It bundles all of
the controller's distribution system ports into a single 802.3ad port channel.
Restriction for Link aggregation:
- LAG requires the EtherChannel to be configured for `mode on' on both the controller and the Catalyst switch -
> Answer B is not correct.
- If the recommended load-balancing method cannot be configured on the Catalyst switch, then configure the
LAG connection as a single member link or disable LAG on the controller -> Answer A is not correct while
answer D is correct.

80 / 100

80. Which command prevents passwords from being stored in the configuration as plaintext on a router or switch?

1. username Cisco password encrypt

2. enable password

3. enable secret

4. service password-encryption

81 / 100

81. What are two southbound APIs? (Choose two)

1. OpenFlow

2. CORBA

3. DSC

4. NETCONF

5. Thrift

OpenFlow is a well-known southbound API. OpenFlow defines the way the SDN Controller should interact with
the forwarding plane to make adjustments to the network, so it can better adapt to changing business
requirements.
The Network Configuration Protocol (NetConf) uses Extensible Markup Language (XML) to install, manipulate
and delete configuration to network devices.
Other southbound APIs are:
+ onePK: a Cisco proprietary SBI to inspect or modify the network element configuration without hardware
upgrades.
+ OpFlex: an open-standard, distributed control system. It send "summary policy" to network elements.

82 / 100

82. When a site-to-site VPN is used, which protocol is responsible for the transport of user data?

1. IKEv2

2. MD5

3. IPsec

4. KEv1

A site-to-site VPN allows offices in multiple fixed locations to establish secure connections with each other over
a public network such as the Internet. A site-to-site VPN means that two sites create a VPN tunnel by
encrypting and sending data between two devices. One set of rules for creating a siteto-site VPN is defined by
IPsec.

83 / 100

83. Which command automatically generates an IPv6 address from a specified IPvô prefix and MAC address of an
interface?

1. ipv6 address dhcp

2. ipv6 address 2001:DB8:5:112::2/64 link-local

3. ipv6 address autoconfig

4. ipv6 address 2001:DB8:5:112::/64 eui-64

The “ipv6 address autoconfig” command causes the device to perform IPv6 stateless address
autoconfiguration to discover prefixes on the link and then to add the EUI-64 based addresses to the
interface.
Addresses are configured depending on the prefixes received in Router Advertisement (RA)
messages.
The device will listen for RA messages which are transmitted periodically from the router (DHCP
Server).
This RA message allows a host to create a global IPv6 address from:
+ Its interface identifier (EUI-64 address)
+ Link Prefix (obtained via RA)
Note: Global address is the combination of Link Prefix and EUI-64 address

84 / 100

84. Which 802.11 frame type is association response?

1. management

2. action

3. control

4. protected frame

There are three main types of 802.11 frames: the Data Frame, the Management Frame and the Control Frame.
Association Response belongs to Management Frame. Association response is sent in response to an
association request.
Reference: https://en.wikipedia.org/wiki/802.11_Frame_Types

85 / 100

85. Which MAC address is recognized as a VRRP virtual address?

1. 0007.C070/AB01

2. 0000.0C07.AC99

3. 0000.5E00.010a

4. 0005.3711.0975

With VRRP, the virtual router's MAC address is 0000.5E00.01xx , in which xx is the VRRP group.

86 / 100

86. What is a benefit of using a Cisco Wireless LAN Controller?

1. It supports autonomous and lightweight APs.

2. Central AP management requires more complex configurations.

3. Unique SSIDs cannot use the same authentication method.

4. It eliminates the need to configure each access point individually.

87 / 100

87. How does HSRP provide first hop redundancy?

1. It load-balances traffic by assigning the same metric value to more than one route to the same destination m the IP routing table.

2. It forwards multiple packets to the same destination over different routed links n the data path.

3. It uses a shared virtual MAC and a virtual IP address to a group of routers that serve as the default gateway for hosts on a LAN.

4. It load-balances Layer 2 traffic along the path by flooding traffic out all interfaces configured with the same VLAN

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipapp_fhrp/configuration/xe-16/fhp-xe-16-book/
fhp-hsrp-mgo.html

88 / 100

88. Which three are characteristics of an IPv6 anycast address? (Choose three.)

1. the same address for multiple devices in the group

2. one-to-nearest communication model

3. delivery of packets to the group interface that is closest to the sending device

4. one-to-many communication model

5. a unique IPv6 address for each device in the group

6. any-to-many communication model

89 / 100

89. Which mode must be used to configure EtherChannel between two switches without using a negotiation
protocol?

1. auto

2. on

3. desirable

4. active

The Static Persistence (or “on” mode) bundles the links unconditionally and no negotiation protocol is used. In
this mode, neither PAgP nor LACP packets are sent or received.

90 / 100

90. A Cisco IP phone receive untagged data traffic from an attached PC.
Which action is taken by the phone?

1. It allows the traffic to pass through unchanged

2. It drops the traffic.

3. It tags the traffic with the default VLAN.

4. It tags the traffic with the native VLAN.

Untagged traffic from the device attached to the Cisco IP Phone passes through the phone unchanged,
regardless of the trust state of the access port on the phone.
Reference: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-0_2_EX/vlan/
configuration_guide/b_vlan_152ex_2960-x_cg/b_vlan_152ex_2960-x_cg_chapter_0110.pdf

91 / 100

91. A user configured OSPF in a single area between two routers A serial interface connecting R1 and R2 is
running encapsulation PPP, by default, which OSPF network type is seen on this interface when the user types
show ip ospf interface on R1 or R2?

1. point-to-point

2. nonbroadcast

3. broadcast

4. port-to-multipoint

The default OSPF network type for HDLC and PPP on Serial link is point-to-point (while the default OSPF
network type for Ethernet link is Broadcast).

92 / 100

92. Refer to the exhibit. If OSPF is running on this network, how does Router 2 handle traffic from Site B to
10.10.13.128/25 at Site A?

1. It cannot send packets to 10.10.13.128/25.

2. It sends packets out of interface Fa0/1 only.

3. It sends packets out of interface Fa0/2 only.

4. It load-balances traffic out of Fa0/1 and Fa0/2.

Router2 does not have an entry for the subnet 10.10.13.128/25. It only has an entry for 10.10.13.0/25, which
ranges from 10.10.13.0 to 10.10.13.127.

93 / 100

93. Refer to the exhibit. The New York router is configured with static routes pointing to the Atlanta and Washington
sites.

Which two tasks must be performed so that the Serial0/0/0 interfaces on the Atlanta and Washington routers
can reach one another? (Choose two.)

1. Configure the ipv6 route 2023::/126 2012::2 command on the Atlanta router

2. Configure the ipv6 route 2012::/126 2023::2 command on the Washington router.

3. Configure the Ipv6 route 2012::/126 s0/0/0 command on the Atlanta router.

4. Configure the ipv6 route 2012::/126 2023::1 command on the Washington router.

5. Configure the ipv6 route 2023::/126 2012::1 command on the Atlanta router.

The short syntax of static IPv6 route is:
ipv6 route <destination-IPv6-address> {next-hop-IPv6-address | exit-interface}

94 / 100

94. Which feature on the Cisco Wireless LAN Controller when enabled restricts management access from specific
networks?

1. RADIUS

2. CPU ACL

3. TACACS

4. Flex ACL

Whenever you want to control which devices can talk to the main CPU, a CPU ACL is used.
Note: CPU ACLs only filter traffic towards the CPU, and not any traffic exiting or generated by the CPU.
Reference: https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/71978-acl-wlc.html

95 / 100

95. Which unified access point mode continues to serve wireless clients after losing connectivity to the Cisco
Wireless LAN Controller?

1. flexconnect

2. sniffer

3. mesh

4. local

Reference: https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-5/config-guide/b_cg85/flexconnect.html

96 / 100

96. Refer to the exhibit. An engineer is bringing up a new circuit to the MPLS provider on the Gi0/1 interface of
Router1. The new circuit uses eBGP and teams the route to VLAN25 from the BGP path.
Whats the expected behavior for the traffic flow for route 10.10.13.0/25?

1. Route 10.10.13.0/25 learned via the Gi0/0 interface remains in the routing table.

2. Traffic to 10.10.13.0.25 is load balanced out of multiple interfaces.

3. Traffic to 10.10.13.0/25 is asymmeteical.

4. Route 10.10.13.0/25 is updated in the routing table as being learned from interface Gi0/1.

97 / 100

97. Which two encoding methods are supported by REST APIs? (Choose two)

1. SGML

2. JSON

3. EBCDIC

4. XML

5. YAML

The Application Policy Infrastructure Controller (APIC) REST API is a programmatic interface that uses REST
architecture. The API accepts and returns HTTP (not enabled by default) or HTTPS messages that contain
JavaScript Object Notation (JSON) or Extensible Markup Language (XML) documents.
Reference: https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus1000/sw/5_x/rest_api_config/
b_Cisco_N1KV_VMware_REST_API_Config_5x/
b_Cisco_N1KV_VMware_REST_API_Config_5x_chapter_010.pdf

98 / 100

98. What is the alternative notation for the IPv6 address B514:82C3:0000:0000:0029:EC7A:0000:EC72?

1. B514 : 82C3 :: 0029 : EC7A : EC72

2. B514 : 82C3 :: 0029 : EC7A : 0 : EC72

3. B514 : 82C3 : 0029 : EC7A : EC72

4. B514 : 82C3 : 0029 :: EC7A : 0000 : EC72

There are two ways that an IPv6 address can be additionally compressed: compressing leading zeros and
substituting a group of consecutive zeros with a single double colon(::). Both of these can be used in any
number of combinations to notate the same address. It is important to note that the double colon (::) can only
be used once within a single IPv6 address notation. So, the extra 0’s can only be compressed once.

99 / 100

99. Refer to the exhibit. What is the effect of this configuration?

1. The switch port remains down until it is configured to trust or untrust incoming packets.

2. The switch port interface trust state becomes untrusted.

3. The switch port remains administratively down until the interface is connected to another switch.

4. Dynamic ARP inspection is disabled because the ARP ACL is missing.

Dynamic ARP inspection (DAI) is a security feature that validates ARP packets in a network. It intercepts, logs,
and discards ARP packets with invalid IP-to-MAC address bindings. This capability protects the network from
certain man-in-the-middle attacks. After enabling DAI, all ports become untrusted ports.

100 / 100

100. Which mode allows access points to be managed by Cisco Wireless LAN Controllers?

1. autonomous

2. lightweight

3. bridge

4. mobility express

A Lightweight Access Point (LAP) is an AP that is designed to be connected to a wireless LAN (WLAN)
controller (WLC). APs are “lightweight,” which means that they cannot act independently of a wireless LAN
controller (WLC). The WLC manages the AP configurations and firmware. The APs are “zero touch” deployed,
and individual configuration of APs is not necessary.

Your score is

LinkedIn Facebook Twitter VKontakte

0 votes, 0 avg

Created by

Rabiul Islam

CCNA Question Part-2

1 / 124

1. Which function does the range of private IPv4 addresses perform?

1. provides a direct connection for hosts from outside of the enterprise network

2. ensures that NAT is not required to reach the internet with private range addressing

3. allows multiple companies to each use the same addresses without conflicts

4. enables secure communications to the internet for all external hosts

2 / 124

2. Refer to the exhibit. How does router R1 handle traffic to 192.168.10.16?

1. It selects the OSPF route because it has the lowest cost.

2. It selects the IS-IS route because it has the shortest prefix inclusive of the destination address.

3. It selects the RIP route because it has the longest prefix inclusive of the destination address

4. It selects the EIGRP route because it has the lowest administrative distance.

3 / 124

3. A network engineer must create a diagram of a multivendor network. Which command must be configured on
the Cisco devices so that the topology of the network can be mapped?

1. Device(Config-if)#cdp enable

2. Device(Config)#flow-sampler-map topology

3. Device(Config)#lldp run

4. Device(Config)#cdp run

4 / 124

4. A network administrator is troubleshooting the OSPF configuration of routers R1 and R2. The routers cannot
establish an adjacency relationship on their common Ethernet link. The graphic shows the output of the show ip
ospf interface e0 command for routers R1 and R2. Based on the information in the graphic, what is the cause
of this problem?

1. The OSPF process ID numbers must match

2. The cost on R1 should be set higher.

3. The OSPF area is not configured properly

4. The OSPF area is not configured properly.

5. A backup designated router needs to be added to the network.

6. The hello and dead timers are not configured properly.

5 / 124

5. Refer to the exhibit. Which command would you use to configure a static route on Router1 to network
192.168.202.0/24 with a nondefault administrative distance?

1. router1(config)#ip route 192.168.202.0 255.255.255.0 192.168.201.2 1

2. router1(config)#ip route 5 192.168.202.0 255.255.255.0 192.168.201.2

3. router1(config)#ip route 192.168.202.0 255.255.255.0 192.168.201.2 5

4. router1(config)#ip route 1 192.168.201.1 255.255.255.0 192.168.201.2

6 / 124

6. You have two paths for the 10.10.10.0 network – one that has a feasible distance of 3072 and the other of
6144. What do you need to do to load balance your EIGRP routes?

1. Change the configuration so they both have the same feasible distance

2. Change the maximum paths to 2

3. Change the variance for the path that has a feasible distance of 3072 to 2

4. Change the IP addresses so both paths have the same source IP address

7 / 124

7. Refer to the exhibit. Which two statements about the interface that generated the output are true? (Choose
two.)

1. the security violation counter increments if packets arrive from a new unknown source address

2. it has dynamically learned three secure MAC addresses

3. the interface is error-disabled if packets arrive from a new unknown source address

4. learned MAC addresses are deleted after five minutes of inactivity

5. it has dynamically learned two secure MAC addresses

8 / 124

8. In a CDP environment, what happens when the CDP interface on an adjacent device is configured without an
IP address?

1. CDP becomes inoperable on that neighbor

2. CDP operates normally ,but it cannot provide IP address information for that neighbor

3. CDP uses the IP address of another interface for that neighbor

4. CDP operates normally ,but it cannot provide any information for that neighbor

9 / 124

9. Which component of an Ethernet frame is used to notify a host that traffic is coming?

1. preamble

2. Type field

3. Data field

4. start of frame delimiter

10 / 124

10. Which command enables IPv6 forwarding on a Cisco router?

1. ipv6 local

2. ipv6 host

3. ipv6 neighbor

4. ipv6 unicast-routing

To enable IPv6 routing on the Cisco router use the following command: ipv6 unicast-routing
If this command is not recognized, your version of IOS does not support IPv6.

11 / 124

11. Refer to the exhibit. How will the router handle a packet destined for 192.0.2.156?

1. The router will forward the packet via either Serial0 or Serial1.

2. The router will forward the packet via Serial2

3. The router will return the packet to its source.

4. The router will drop the packet.

12 / 124

12. Which feature or protocol is required for an IP SLA to measure UDP jitter?

1. LLDP

2. CDP

3. EEM

4. NTP

13 / 124

13. Refer to the exhibit. Which two statements about the network environment of router R1 must be true? (Choose
two.)

1. The 10.0.0.0/8 network was learned via external EIGRP

2. The EIGRP administrative distance was manually changed from 90 to 170

3. there are 20 different network masks within the 10.0.0.0/8 network

4. A static default route to 10.85.33.14 was defined

5. Ten routes are equally load-balanced between Te0/1/0.100 and Te0/2/0.100

14 / 124

14. Refer to the exhibit. What two conclusions should be made about this configuration? (Choose two)

1. This is a root bridge

2. The designated port is FastEthernet 2/1

3. The root port is FastEthernet 2/1

4. The spanning-tree mode is PVST+

5. The spanning-tree mode is Rapid PVST+

15 / 124

15. Which command must you enter to guarantee that an HSRP router with higher priority becomes the HSRP
primary router after it is reloaded?

1. standby 10 priority 150

2. standby 10 version 1

3. standby 10 preempt

4. standby 10 version 2

16 / 124

16. Refer to the exhibit. Given the output for this command, if the router ID has not been manually set, what router
ID will OSPF use for this router?

1. 172.16.5.1

2. 192.168.5.3

3. 10.154.154.1

4. 10.1.1.2

The highest IP address of all loopback interfaces will be chosen -> Loopback 0 will be chosen as the router ID.

17 / 124

17. Refer to the exhibit. The default-information originate command is configured under the R1 OSPF
configuration. After testing, workstations on VLAN 20 at Site B cannot reach a DNS server on the Internet.
Which action corrects the configuration issue?

1. Add the always keyword to the default-information originate command on R1.

2. Configure the ip route 0.0.0.0 0.0.0.0 10.10.10.2 command on R2

3. Add the default-information originate command on R2.

4. Configure the ip route 0.0.0.0 0.0.0.0 10.10.10.18 command on R1.

18 / 124

18. Which two pieces of information can you determine from the output of the show ntp status command? (Choose
two)

1. the NTP version number of the peer

2. the IP address of the peer to which the clock is synchronized

3. the configured NTP servers

4. whether the clock is synchronized

5. whether the NTP peer is statically configured

19 / 124

19. Which two statements about the purpose of the OSI model are accurate? (Choose two.)

1. Facilitates an understanding of how information travels throughout a network

2. Ensures reliable data delivery through its layered approach

3. Changes in one layer do not impact other layer

4. Defines the network functions that occur at each layer

20 / 124

20. Which configuration command can u apply to a HSRP router so that its local interface becomes active if all
other routers in the group fail?

1. no additional config is required

2. standby 1 preempt

3. standby 1 track ethernet

4. standby 1 priority 250

21 / 124

21. Refer to the exhibit. Which two statements are true about the loopback address that is configured on RouterB?
(Choose two.)

1. It ensures that data will be forwarded by RouterB.

2. It specifies that the router ID for RouterB should be 10.0.0.1.

3. It indicates that RouterB should be elected the DR for the LAN.

4. It provides stability for the OSPF process on RouterB.

5. It decreases the metric for routes that are advertised from RouterB.

22 / 124

22. Which IPv6 address is the equivalent of the IPv4 interface loopback address 127.0.0.1?

1. 0::/10

2. ::

3. 2000::/3

4. : :1

In IPv6 the loopback address is written as, ::1
This is a 128bit number, with the first 127 bits being ‘0’ and the 128th bit being ‘1’. It’s just a single address, so
could also be written as ::1/128.

23 / 124

23. Which Cisco IOS command will indicate that interface GigabitEthernet 0/0 is configured via DHCP?

1. show ip interface GigabitEthernet 0/0 brief

2. show ip interface GigabitEthernet 0/0 dhcp

3. show ip interface GigabitEthernet 0/0

4. show ip interface dhcp

5. show interface GigabitEthernet 0/0

24 / 124

24. Refer to the exhibit. Which rule does the DHCP server use when there is an IP address conflict?

1. Only the IP detected by Ping is removed from the pool.

2. The address remains in the pool until the conflict is resolved

3. The IP will be shown, even after the conflict is resolved

4. Only the IP detected by Gratuitous ARP is removed from the pool.

5. The address is removed from the pool until the conflict is resolved.

25 / 124

25. Which two command sequences must you configure on a switch to establish a Layer 3 EtherChannel with an
open-standard protocol? (Choose two.)

1. interface GigabitEthernet0/0/1 channel-group 10 mode auto

2. interface GigabitEthernet0/0/1 channel-group 10 mode on

3. interface port-channel 10 no switchport ip address 172.16.0.1.255.255.255.0

4. interface port-channel 10 switchport switchport mode trunk

5. interface GigabitEthernet0/0/1 channel-group 10 mode active

26 / 124

26. Refer to the exhibit. How will switch SW2 handle traffic from VLAN 10 on SW1?

1. It sends the traffic to VLAN 10.

2. It sends the traffic to VLAN 100.

3. It drops the traffic.

4. It sends the traffic to VLAN 1.

27 / 124

27. Which command is used to configure an IPv6 static default route?

1. ipv6 route default interface next-hop

2. ipv6 route 0.0.0.0/0 interface next-hop

3. ip route 0.0.0.0/0 interface next-hop

4. ipv6 route ::/0 interface next-hop5

28 / 124

28. Change the IP addresses so both paths have the same source IP address

1. EIGRP

2. IS-IS

3. RIP

4. BGP

5. OSPF

29 / 124

29. Refer to the exhibit. When running EIGRP, what is required for RouterA to exchange routing updates with
RouterC?

1. Loopback interfaces must be configured so a DR is elected

2. Router B needs to have two network statements, one for each connected network

3. AS numbers must be changed to match on all the routers

4. The no auto-summary command is needed on Router A and Router C

This question is to examine the understanding of the interaction between EIGRP routers. The following
information must be matched so as to create neighborhood. EIGRP routers to establish, must match the
following information:
1. AS Number;
2. K value.

30 / 124

30. Which three describe the reasons large OSPF networks use a hierarchical design? (Choose Three)

1. to reduce the complexity of router configuration

2. to confine network instability to single areas of the network.

3. to speed up convergence

4. to reduce routing overhead

5. to lower costs by replacing routers with distribution layer switches

6. to decrease latency by increasing bandwidth.

31 / 124

31. Which two statements about EtherChannel technology are true? (Choose two.)

1. STP does not block EtherChannel links.

2. EtherChannel allows redundancy in case one or more links in the EtherChannel fail.

3. EtherChannel provides increased bandwidth by bundling existing FastEthernet or Gigabit Ethernet interfaces into a single EtherChannel.

4. EtherChannel does not allow load sharing of traffic among the physical links within the EtherChannel.

5. You can configure multiple EtherChannel links between two switches, using up to a limit of sixteen physical ports.

32 / 124

32. Refer to the exhibit. Which two statements about the interface that generated the output are true? (Choose
two.)

1. The interface is error-disabled.

2. An SNMP trap is generated when the maximum number of secure MAC addresses is reached on the interface.

3. The interface dynamically learned two secure MAC addresses.

4. Two secure MAC address are manually configured on the interface.

5. A syslog message is generated when the maximum number of secure MAC addresses is on the interface

33 / 124

33. Which two statements about exterior routing protocols are true? (Choose two.)

1. BGP is the current standard exterior routing protocol.

2. Most modern network routers support both EGP and EIGRP for external routing.

3. They determine the optimal path between autonomous systems.

4. Most modern networking supports both EGP and BGP for external routing.

5. They determine the optimal within an autonomous system.

34 / 124

34. How can the Cisco Discovery Protocol be used?

1. all of the above

2. to determine the IP addresses of connected Cisco devices

3. to determine the hardware platform of the device

4. to allow a switch to discover the devices that are connected to its ports

35 / 124

35. Which statement about static and dynamic routes is true?

1. Dynamic routes tell the router how to forward packets to networks that are not directly connected, while static routes tell the router how to forward packets to networks that are directly connected.

2. Static routes tell the router how to forward packets to networks that are not directly connected, while dynamic routes tell the router how to forward packets to networks that are directly connected.

3. Dynamic routes are manually configured by a network administrator, while static routes are automatically learned and adjusted by a routing protocol.

4. Static routes are manually configured by a network administrator, while dynamic routes are automatically learned and adjusted by a routing protocol.

36 / 124

36. Which two options are the best reasons to use an IPV4 private IP space?(choose two)

1. to implement NAT

2. to connect applications

3. to conserve global address space

4. to manage routing overhead

5. to enable intra-enterprise communication

37 / 124

37. Which keyword in a NAT configuration enables the use of one outside IP address for multiple inside hosts?

1. source

2. overload

3. static

4. pool

38 / 124

38. Refer to the exhibit. Which address and mask combination represents a summary of the routes learned by
EIGRP?

1. 192.168.25.0 255.255.255.240

2. 192.168.25.16 255.255.255.252

3. 192.168.25.28 255.255.255.252

4. 192.168.25.0 255.255.255.252

5. 192.168.25.16 255.255.255.240

6. 192.168.25.28 255.255.255.240

39 / 124

39. Which three statements about MAC addresses are correct? (Choose three.)

1. An example of a MAC address is 0A:26:38: D6:65:90.

2. To communicate with other devices on a network, a network device must have a unique MAC address.

3. A MAC address contains two main components, the first of which identifies the network on which the host resides and the second of which uniquely identifies the host on the network.

4. The MAC address of a device must be configured in the Cisco IOS CLI by a user with administrative privileges.

5. The MAC address is also referred to as the IP address.

6. A MAC address contains two main components, the first of which identifies the manufacturer of the hardware and the second of which uniquely identifies the hardware.

40 / 124

40. Refer to the graphic. R1 is unable to establish an OSPF neighbor relationship with R3. What are possible
reasons for this problem? (Choose two.)

1. The hello and dead interval timers are not set to the same values on R1 and R3.

2. EIGRP is also configured on these routers with a lower administrative distance

3. A static route has been configured from R1 to R3 and prevents the neighbor adjacency from being established.

4. All of the routers need to be configured for backbone Area 1.

5. R1 and R2 are the DR and BDR, so OSPF will not establish neighbor adjacency with R3.

6. R1 and R3 are configured in different areas.

41 / 124

41. AAA stands for authentication, authorization, and accounting

1. True

2. False

42 / 124

42. Which NAT term is defined as a group of addresses available for NAT use?

1. one-way NAT

2. dynamic NAT

3. NAT pool

4. static NAT

43 / 124

43. Which of the following is the JSON encoding of a dictionary or hash?

1. (“key”:”value”)

2. {“key”:”value”}

3. [“key”,”value”]

4. {“key”,”value”}

44 / 124

44. Which command is used to display the collection of OSPF link states?

1. show ip ospf neighbors

2. show ip ospf lsa database

3. show ip ospf database

4. show ip ospf link-state

The “show ip ospf database” command displays the link states. Here is an example:
Here is the lsa database on R2.
R2#show ip ospf database
OSPF Router with ID (2.2.2.2) (Process ID 1)
Router Link States (Area 0)
Link ID ADV Router Age Seq# Checksum Link count2.2.2.2 2.2.2.2 793 0x80000003 0x004F85 210.4.4.4
10.4.4.4 776 0x80000004 0x005643 1111.111.111.111 111.111.111.111 755 0x80000005 0x0059CA
2133.133.133.133 133.133.133.133 775 0x80000005 0x00B5B1 2 Net Link States (Area 0) Link ID ADV Router
Age Seq# Checksum10.1.1.1 111.111.111.111 794 0x80000001 0x001E8B10.2.2.3 133.133.133.133 812
0x80000001 0x004BA910.4.4.1 111.111.111.111 755 0x80000001 0x007F1610.4.4.3 133.133.133.133 775
0x80000001 0x00C31F

45 / 124

45. What is the expected outcome when an EUI-64 address is generated?

1. The seventh bit of the original MAC address of the interface is inverted

2. The MAC address of the interface is used as the interface ID without modification

3. The characters FE80 are inserted at the beginning of the MAC address of the interface

4. The interface ID is configured as a random 64-bit value

46 / 124

46. Which technique can you use to route IPv6 traffic over an IPv4 infrastructure?

1. 6to4 tunneling

2. NAT

3. L2TPv3

4. dual-stack

47 / 124

47. After you deploy a new WLAN controller on your network, which two additional tasks should you consider?
(Choose two)

1. configure additional security policies

2. deploy load balancers

3. configure additional vlans

4. configure multiple VRRP groups

5. deploy POE switches

48 / 124

48. Which unified access point mode continues to serve wireless clients after losing connectivity to the Cisco
Wireless LAN Controller?

1. local

2. mesh

3. sniffer

4. flexconnect

49 / 124

49. Router R1 must send all traffic without a matching routing-table entry to 192.168.1.1. Which configuration
accomplishes this task?

1. Option A

2. Option D

3. Option B

4. Option C

50 / 124

50. What is the binary pattern of unique ipv6 unique local address?

1. 11111100

2. 11111101

3. 11111111

4. 00000000

A IPv6 Unique Local Address is an IPv6 address in the block FC00::/7, which means that IPv6 Unique Local
addresses begin with 7 bits with exact binary pattern as 1111 110 -> Answer B is correct.
Note: IPv6 Unique Local Address is the approximate IPv6 counterpart of the IPv4 private address. It is not
routable on the global Internet.

51 / 124

51. While examining excessive traffic on the network, it is noted that all incoming packets on an interface appear to
be allowed even though an IPv4 ACL is applied to the interface. Which two misconfigurations cause this
behavior? (Choose two)

1. A matching deny statement is too high in the access list

2. The ACL is empty

3. A matching permit statement is too high in the access test

4. The packets fail to match any permit statement

5. A matching permit statement is too broadly defined

52 / 124

52. In which two formats can the IPv6 address fd15:0db8:0000:0000:0700:0003:400F:572B be written? (Choose
two.)

1. fd15::db8::700:3:400F:527B

2. fd15:db8:0::700:3:4F:527B

3. fd15:0db8::7:3:4F:527B

4. fd15:db8::700:3:400F:572B

5. fd15:0db8:0000:0000:700:3:400F:527B

53 / 124

53. You have configured a router with an OSPF router ID, but its IP address still reflects the physical interface.
Which action can you take to correct the problem in the least disruptive way?

1. Specify a loopback address

2. Reload the OSPF process.

3. Reboot the router

4. Save the router configuration

Once an OSPF Router ID selection is done, it remains there even if you remove it or configure another OSPF
Router ID. So the least disruptive way is to correct it using the command "clear ip ospf process".

54 / 124

54. Which two statements about VTP are true? (Choose two.)

1. All switches must be configured to perform trunk negotiation.

2. All switches must be configured with a unique VTP domain name

3. All switches must be configured with the same VTP domain name

4. The VTP server must have the highest revision number in the domain

5. All switches must use the same VTP version.

55 / 124

55. Which two VLAN IDs indicate a default VLAN? (Choose two.)

1. 4096

2. 1005

3. 1006

4. 0

5. 1

56 / 124

56. What is the destination MAC address of a broadcast frame?

1. 00:00:0c:07:ac:01

2. ff:ff:ff:ff:ff:ff

3. 43:2e:08:00:00:0c

4. 00:00:0c:43:2e:08

5. 00:00:0c:ff:ff:ff

You have configured a router with an OSPF router ID, but its IP address still reflects the physical interface.
Which action can you take to correct the problem in the least disruptive way?

57 / 124

57. Refer to the exhibit. Which Command do you enter so that R1 advertises the loopback0 interface to the BGP
Peers?

1. Network 172.16.1.32 mask 255.255.255.224

2. Network 172.16.1.32 0.0.0.31

3. Network 172.16.1.32 255.255.255.224

4. network 172.16.1.32 mask 0.0.0.31

5. Network 172.16.1.0 0.0.0.255

6. Network 172.16.1.33 mask 255.255.255.224

58 / 124

58. What is a difference between local AP mode and FiexConnet AP mode?

1. Local AP mode causes the AP to behave as if it were an autonomous AP

2. Local AP mode creates two CAPWAP tunnels per AP to the WLC

3. FlexConnect AP mode bridges the traffic from the AP to the WLC when local switching is configured

4. FiexConnect AP mode fails to function if me AP loses connectivity with the WLC

59 / 124

59. Which three statements about network characteristics are true? (Choose three.)

1. Speed is a measure of the data rate in bits per second of a given link in the network.

2. The logical topology is the arrangement of cables, network devices, and end systems.

3. Availability is a measure of the probability that the network will be available for use when it is required

4. Scalability indicates how many nodes are currently on the network.

5. Reliability indicates the dependability of the components that make up the network.

60 / 124

60. You are configuring your edge routers interface with a public IP address for Internet connectivity.
The router needs to obtain the IP address from the service provider dynamically. Which command is needed on
interface FastEthernet 0/0 to accomplish this?

1. ip default-network

2. ip default-gateway

3. ip address dhcp

4. p route

5. ip address dynamic

61 / 124

61. Which statement about the nature of NAT overload is true?

1. applies a many-to-many relationship to internal IP addresses

2. applies a one-to-one relationship to internal IP addresses

3. applies a one-to-many relationship to internal IP addresses

4. can be configured only on Gigabit interface

62 / 124

62. A user configured OSPF in a single area between two routers A serial interface connecting R1 and R2 is
running encapsulation PPP. By default which OSPF network type is seen on this interface when the user types
show ip ospf interface on R1 or R2?

1. non-broadcast

2. point-to-point

3. port-to-multipoint

4. broadcast

The default OSPF network type for HDLC and PPP on Serial link is point-to-point (while the default OSPF
network type for Ethernet link is Broadcast).

63 / 124

63. R1 has learned route 10.10.10.0/24 via numerous routing protocols. Which route is installed?

1. route with the next hop that has the highest IP

2. route with the lowest administrative distance

3. route with the shortest prefix length

4. route with the lowest cost

64 / 124

64. How does STP prevent forwarding loops at OSI Layer 2?

1. MAC address forwarding

2. Collision avoidance

3. TTL

4. Port blocking

65 / 124

65. Refer to the exhibit. A network technician is asked to design a small network with redundancy. The exhibit
represents this design, with all hosts configured in the same VLAN. What conclusions can be made about this
design?

1. This design will function as intended.

2. The connection between switches should be a trunk

3. Spanning-tree will need to be used.

4. The router will not accept the addressing scheme.

5. The router interfaces must be encapsulated with the 802.1Q protocol

66 / 124

66. What are two fundamentals of virtualization? (choose two)

1. The environment must be configured with one hypervisor that serves solely as a network manager to monitor SNMP traffic

2. It allows logical network devices to move traffic between virtual machines and the rest of the physical network

3. It allows multiple operating systems and applications to run independently on one physical server.

4. It requires that some servers, virtual machines and network gear reside on the Internet

5. It allows a physical router to directly connect NICs from each virtual machine into the network

67 / 124

67. Which statement about the nature of NAT overload is true?

1. can be configured only on Gigabit interface

2. applies a many-to-many relationship to internal IP addresses

3. applies a one-to-many relationship to internal IP addresses

4. applies a one-to-one relationship to internal IP addresses

68 / 124

68. How do AAA operations compare regarding user identification, user services and access control?

1. Authorization identifies users and authentication provides access control

2. Authentication identifies users and accounting tracks user services

3. Accounting tracks user services, and authentication provides access control

4. Authorization provides access control and authentication tracks user services

69 / 124

69. Refer to the exhibit Users in your office are complaining that they cannot connect to the severs at a remote site.
When troubleshooting, you find that you can successfully reach the severs from router R2. What is the most
likely reason that the other users are experiencing connection failure?

1. The ip helper-address command is missing on the R2 interface that connects to the switch

2. VLSM is misconfigured between the router interface and the DHCP pool

3. The DHCP address pool has been exhausted

4. interface ports are shut down on the remote servers

70 / 124

70. Refer to the exhibit. Which statement about the interface that generated the output is true?

1. A syslog message is generated when a violation occurs.

2. Five secure MAC addresses are dynamically learned on the interface.

3. One secure MAC address is manually configured on the interface.

4. One secure MAC address is dynamically configured on the interface.

71 / 124

71. Refer to exhibit. What Administrative distance has route to 192.168.10.1 ?

1. 110

2. 90

3. 1

4. 120

72 / 124

72. Which command is used to enable LLDP globally on a Cisco IOS ISR?

1. lldp transmit

2. ldp run

3. cdp enable

4. cdp run

5. lldp enable

73 / 124

73. Which type does a port become when it receives the best BPDU on a bridge?

1. The root port

2. The designated port

3. The backup port

4. The alternate port

74 / 124

74. Which command should you enter to view the error log in an EIGRP for IPv6 environment?

1. show ipv6 eigrp events

2. show ipv6 eigrp neighbors

3. show ipv6 eigrp traffic

4. show ipv6 eigrp topology

75 / 124

75. Which value is used to determine the active router in an HSRP default configuration?

1. Router IP address

2. Router priority

3. Router loopback address

4. Router tracking number

76 / 124

76. Refer to the exhibit. The MAC address table is shown in its entirety. The Ethernet frame that is shown arrives at
the switch.

What two operations will the switch perform when it receives this frame? (Choose two.)

1. The MAC address of 0000.00aa.aaaa will be added to the MAC Address Table.

2. The frame will be forwarded out of fa0/0 and fa0/1 only.

3. The frame will be forwarded out of all the ports on the switch.

4. The switch will not forward a frame with this destination MAC address.

5. The MAC address of ffff.ffff.ffff will be added to the MAC address table.

6. The frame will be forwarded out of all the active switch ports except for port fa0/0.

77 / 124

77. Which effete does the aaa new-model configuration command have?

1. It configures a local user on the device

2. It configures the device to connect to a RADIUS server for AAA

3. It enables AAA services on the device

4. It associates a RADIUS server to an group.

78 / 124

78. Refer to the exhibit. If R1 receives a packet destined to 172.16.1.1, to which IP address does it send the packet?

1. 192.168.15.5

2. 192.168.14.4

3. 192.168.12.2

4. 192.168.13.3

79 / 124

79. What is a difference between RADIUS and TACACS+?

1. TACACS+ encrypts only password information and RADIUS encrypts the entire payload

2. RADIUS logs all commands that are entered by the administrator, but TACACS+ logs only start, stop, and interim commands

3. RADIUS is most appropriate for dial authentication, but TACACS+ can be used for multiple types of authentication

4. TACACS+ separates authentication and authorization, and RADIUS merges them

80 / 124

80. Refer to the exhibit. An administrator configures four switches for local authentication using passwords that are
stored in a cryptographic hash. The four switches must also support SSH access for administrators to manage
the network infrastructure. Which switch is configured correctly to meet these requirements?

1. SW3

2. SW2

3. SW1

4. SW4

81 / 124

81. Refer to the exhibit. C-router is to be used as a “router-on-a-stick” to route between the VLANs. All the
interfaces have been properly configured and IP routing is operational. The hosts in the VLANs have been
configured with the appropriate default gateway. What is true about this configuration?

1. These commands need to be added to the configuration: C-router(config)# router ospf 1 C-router(config-router)# network 172.19.0.0 0.0.3.255

2. No further routing configuration is required.

3. These commands need to be added to the configuration: C-router(config)# router rip C-router(config-router)# network 172.19.0.0

4. These commands need to be added to the configuration: C-router(config)# router eigrp 123 C-router(config-router)# network 172.19.0.0

82 / 124

82. What is a characteristic of spine-and-leaf architecture?

1. It provides variable latency

2. Each link between leaf switches allows for higher bandwidth

3. Each device is separated by the same number of hops

4. It provides greater predictability on STP blocked ports.

83 / 124

83. What are two descriptions of three-tier network topologies? (Choose two)

1. The core and distribution layers perform the same functions

2. The network core is designed to maintain continuous connectivity when devices fail.

3. The access layer manages routing between devices in different domains

4. The core layer maintains wired connections for each host

5. The distribution layer runs Layer 2 and Layer 3 technologies

84 / 124

84. Refer to the exhibit. Which feature is enabled by this configuration?

R1#(config)# ip nat pool cisco 10.1.1.0 10.1.1.50 255.255.255.0

1. a dynamic NAT address pool

2. static NAT translation

3. a DHCP pool

4. PAT

85 / 124

85. Which statements describe the routing protocol OSPF? (Choose three.)

1. It confines network instability to one area of the network.

2. It is simpler to configure than RIP v2.

3. It allows extensive control of routing updates.

4. It increases routing overhead on the network

5. It is used to route between autonomous systems

6. It supports VLSM.

86 / 124

86. When configuring an EtherChannel bundle, which mode enables LACP only if a LACP device is detected?

1. Desirable

2. On

3. Passive

4. Active

5. Auto

The LACP is Link Aggregation Control Protocol. LACP is an open protocol, published under the 802.3ad.
The modes of LACP are active, passive or on. The side configured as "pasive" will waiting the other side that
should an Active for the Etherchannel to be established.
PAgP is Port-Aggregation Protocol. It is Cisco proprietary protocol. The mode are On, Desirable or Auto.
Desirable - Auto will establish a EtherChannel.
An example of how to configure an Etherchannel:
SwitchFormula1>enable
SwitchFormula1#configure terminal
SwitchFormula1(config)# interface range f0/5 -14
SwitchFormula1(config-if-range)# channel-group 13 mode ?
active Enable LACP unconditionally
auto Enable PAgP only if a PAgP device is detected
desirable Enable PAgP unconditionally
on Enable Etherchannel only
passive Enable LACP only if a LACP device is detected

87 / 124

87. Which command can you enter to allow Telnet to be supported in addition to SSH

1. transport input telnet

2. privilege level 15

3. transport input telnet ssh

4. no transport input telnet

88 / 124

88. Which two pieces of information about a Cisco device can Cisco Discovery Protocol communicate? (Choose
two.)

1. the VTP domain

2. the native VLAN

3. the spanning tree protocol

4. the trunking protocol

5. the spanning-tree priority

89 / 124

89. Which command should you enter to verify the priority of a router in an HSRP group?

1. show sessions

2. show interfaces

3. show standby

4. show hsrp

90 / 124

90. What benefit does controller-based networking provide versus traditional networking?

1. moves from a two-tier to a three-tier network architecture to provide maximum redundancy

2. allows configuration and monitoring of the network from one centralized point

3. provides an added layer of security to protect from DDoS attacks

4. combines control and data plane functionality on a single device to minimize latency

91 / 124

91. Which two commands were used to create port channel 10? (Choose two )

1. int range g0/0-1---- channel-group 10 mode auto

2. int range g0/0-1---- channel-group 10 mode on

3. int range g0/0-1---- channel-group 10 mode active

4. int range g0/0-1---- channel-group 10 mode desirable

5. int range g0/0-1---- channel-group 10 mode passive

92 / 124

92. Refer to the exhibit. On R1 which routing protocol is in use on the route to 192.168.10.1?

1. OSPF

2. RIP

3. EIGRP

4. IGRP

93 / 124

93. Which WPA3 enhancement protects against hackers viewing traffic on the Wi-Fi network?

1. SAE encryption

2. AES encryption

3. scrambled encryption key

4. TKiP encryption

94 / 124

94. Which statement about VLAN configuration is true?

1. Dynamic inter-VLAN routing is supported on VLAN2 through VLAN 4064

2. The switch must be in VTP server or transparent mode before you can configure a VLAN

3. The switch must be in config-vlan mode before you configure an extended VLAN

4. A switch in VTP transparent mode save the VLAN databases to the running configuration only

95 / 124

95. Which feature or protocol determines whether the QOS on the network is sufficient to support IP services?

1. LLDP

2. IP SLA

3. CDP

4. EEM

IP SLA allows an IT professional to collect information about network performance in real time.
Therefore it helps determine whether the QoS on the network is sufficient for IP services or not.
Cisco IOS Embedded Event Manager (EEM) is a powerful and flexible subsystem that provides realtime
network event detection and onboard automation. It gives you the ability to adapt the behavior of your network
devices to align with your business needs.

96 / 124

96. Refer to the exhibit. A network associate has configured OSPF with the command:
City(config-router)# network 192.168.12.64 0.0.0.63 area 0.
After completing the configuration, the associate discovers that not all the interfaces are participating in OSPF.
Which three of the interfaces shown in the exhibit will participate in OSPF according to this configuration
statement? (Choose three.)

1. Serial0/1.103

2. Serial0/1.102

3. FastEthernet0 /1

4. Serial0/1.104

5. FastEthernet0 /0

6. Serial0/0

97 / 124

97. Refer to the exhibit. Router R1 is running three different routing protocols. Which route characteristic is used by
the router to forward the packet that it receives for destination IP 172.16.32.1?

1. longest prefix

2. cost

3. administrative distance

4. metric

98 / 124

98. Which value can you modify to configure a specific interface as the preferred forwarding interface?

1. The port priority

2. The interface number

3. The VLAN priority

4. The hello time

99 / 124

99. Which option best describes an API?

1. A contract that describes how various components communicate and exchange data with each other.

2. a stateless client-server model

3. an architectural style (versus a protocol) for designing applications

4. request a certain type of data by specifying the URL path that models the data

100 / 124

100. Refer to the exhibit. Which two events occur on the interface, if packets from an unknown Source address
arrive after the interface learns the maximum number of secure MAC address? (Choose two.)

1. The port LED turns off

2. The interface is error-disabled

3. A syslog message is generated

4. The security violation counter dose not increment

5. The interface drops traffic from unknown MAC address

101 / 124

101. Refer to the exhibit. If RTR01 is configured as shown, which three addresses will be received by other routers
that are running EIGRP on the network? (Choose three)

1. 172.16.0.0

2. 172.16.4.0

3. 192.168.2.0

4. 10.4.3.0

5. 192.168.0.0

6. 10.0.0.0

102 / 124

102. Which statement about Cisco Discovery Protocol is true?

1. It can discover information from routers, firewalls, and switches.

2. It runs on the network layer.

3. It runs on the physical layer and the data link layer

4. It is a Cisco-proprietary protocol.

103 / 124

103. Which command verifies whether any IPv6 ACLs are configured on a router?

1. show ipv6 interface

2. show access-list

3. show ipv6 route

4. show ipv6 access-list

104 / 124

104. What is an advantage of Cisco DNA Center versus traditional campus device management?

1. It enables easy auto-discovery of network elements m a brownfield deployment

2. It supports high availability for management functions when operating in cluster mode.

3. It is designed primarily to provide network assurance.

4. It supports numerous extensibility options including cross-domain adapters and third-party SDKs.

105 / 124

105. Refer to the exhibit. Which VLAN ID is associated with the default VLAN in the given environment?

1. VLAN 5

2. VLAN 1

3. VLAN 20

4. VLAN 10

106 / 124

106. Which two statements about eBGP neighbor relationships are true? (Choose two)

1. The two devices must have matching timer settings

2. Neighbors must be specifically declared in the configuration of each device

3. The two devices must reside in different autonomous systems

4. The two devices must reside in the same autonomous system

5. They can be created dynamically after the network statement is configured

107 / 124

107. Which action must be taken to assign a global unicast IPv6 address on an interface that is derived from the
MAC address of that interface?

1. disable the EUI-64 bit process

2. enable SLAAC on an interface

3. configure a stateful DHCPv6 server on the network

4. explicitly assign a link-local address

108 / 124

108. Which two statements about NTP operations are true? (Choose two.)

1. NTP uses UDP over IP.

2. Cisco routers can act only as NTP servers.

3. Cisco routers can act only as NTP clients

4. Cisco routers can act as both NTP authoritative servers and NTP clients.

5. NTP uses TCP over IP.

109 / 124

109. What event has occurred if a router sends a notice level message to a syslog server?

1. A TCP connection has been torn down

2. A certificate has expired

3. An ICMP connection has been built

4. An interface line has changed status

110 / 124

110. Network 172.16.1.32 0.0.0.31

1. to uniquely identify devices at Layer 2

2. to allow communication with devices on a different network

3. to allow detection of a remote device when its physical address is unknown

4. to establish a priority system to determine which device gets to transmit first

5. to differentiate a Layer 2 frame from a Layer 3 packet

6. to allow communication between different devices on the same network

111 / 124

111. What is the purpose of the show ip ospf interface command?

1. displaying OSPF-related interface information

2. displaying OSPF neighbor information on a per-interface-type basis

3. displaying general information about OSPF routing processes

4. displaying OSPF neighbor information on a per-interface basis

112 / 124

112. Refer to the exhibit. An engineer is bringing up a new circuit to the MPLS provider on the Gi0/1 interface of
Router1 The new circuit uses eBGP and teams the route to VLAN25 from the BGP path What s the expected
behavior for the traffic flow for route 10.10.13.0/25?

1. Route 10.10.13.0/25 learned via the GiO/0 interface remains in the routing table

2. Traffic to 10.10.13.0/25 is asymmeteical

3. Route 10.10.13.0/25 is updated in the routing table as being learned from interface Gi0/1.

4. Traffic to 10.10.13.0.25 is load balanced out of multiple interfaces

113 / 124

113. Which two pieces of information can you learn by viewing the routing table? (Choose two)

1. the length of time that a route has been known

2. Which neighbor adjacencies are established

3. whether an ACL was applied inbound or outbound to an interface

4. whether the administrative distance was manually or dynamically configured

5. the EIGRP or BGP autonomous system

114 / 124

114. Which command should you enter to configure a device as an NTP sever?

1. ntp authenticate

2. ntp master

3. ntp peer

4. ntp sever

115 / 124

115. Refer to the exhibit. Which switch in this configuration becomes the root bridge?

1. SW3

2. SW4

3. SW2

4. SW1

116 / 124

116. Which command should you enter to configure an LLDP delay time of 5 seconds?

1. ldp reinit 5000

2. lldp holdtime 5

3. lldp reinit 5

4. lldp timer 5000

117 / 124

117. Refer to the exhibit. After you apply the give configurations to R1 and R2 you notice that OSPFv3 fails to start.
Which reason for the problem is most likely true ?

1. The autonomous system numbers on R1 and R2 are mismatched

2. The router ids on R1 and R2 are mismatched

3. The IPv6 network addresses on R1 and R2 are mismatched

4. The area numbers on R1 and R2 are mismatched

118 / 124

118. Refer to the exhibit. How does the router manage traffic to 192.168.12.16?

1. It chooses the OSPF route because it has the longest prefix inclusive of the destination address.

2. It selects the RIP route because it has the longest prefix inclusive of the destination address.

3. It load-balances traffic between all three routes

4. It chooses the EIGRP route because it has the lowest administrative distance

119 / 124

119. Which two commands can you use to configure an actively negotiate EtherChannel? (Choose two)

1. channel-group 10 mode auto

2. channel-group 10 mode desirable

3. channel-group 10 mode on

4. channel-group 10 mode passive

5. channel-group 10 mode active

120 / 124

120. Which two are features of IPv6? (Choose two.)

1. broadcast

2. anycast

3. allcast

4. multicast

5. podcast

IPv6 addresses are classified by the primary addressing and routing methodologies common in networking:
unicast addressing, anycast addressing, and multicast addressing. A unicast address identifies a single network
interface. The Internet Protocol delivers packets sent to a unicast address to that specific interface. An anycast
address is assigned to a group of interfaces, usually belonging to different nodes. A packet sent to an anycast
address is delivered to just one of the member interfaces, typically the nearest host, according to the routing
protocol’s definition of distance. Anycast addresses cannot be identified easily, they have the same format as
unicast addresses, and differ only by their presence in the network at multiple points. Almost any unicast
address can be employed as an anycast address.
A multicast address is also used by multiple hosts, which acquire the multicast address destination by
participating in the multicast distribution protocol among the network routers. A packet that is sent to a multicast
address is delivered to all interfaces that have joined the corresponding multicast group.

121 / 124

121. Which two circumstances can prevent two routers from establishing an OSPF neighbor adjacency? (Choose
two.)

1. mismatched hello timers and dead timers

2. mismatched process IDs

3. mismatched autonomous system numbers

4. use of the same router ID on both devices

5. an ACL blocking traffic from multicast address 224.0.0.10

122 / 124

122. Which function does an SNMP agent perform?

1. it coordinates user authentication between a network device and a TACACS+ or RADIUS server

2. it sends information about MIB variables in response to requests from the NMS

3. it requests information from remote network nodes about catastrophic system events

4. it manages routing between Layer 3 devices in a network

123 / 124

123. Refer to the exhibit. After you apply the given configuration to arouter, the DHCP clients behind the device
connot communicate with hosts outside of their subnet. Which action is most likely to correct the problem?

1. configure the default gateway

2. Configure the dns server on the same subnet as the clients

3. Activate the dhcp pool

4. Correct the subnet mask

124 / 124

124. What will happen if you configure the logging trap debug command on a router?

1. It causes the router to send messages with lower severity levels to the syslog server.

2. It causes the router to send all messages with the severity levels Warning, Error, Critical, and Emergency to the syslog server.

3. It causes the router to stop sending all messages to the syslog server

4. It causes the router to send all messages to the syslog server

Your score is

LinkedIn Facebook Twitter VKontakte

0 votes, 0 avg

Created by

Rabiul Islam

CCNA Question Part-3

1 / 110

1. Refer to the exhibit. Refer to the exhibit. An engineer must add a subnet for a new office that will add 20 users
to the network. Which IPv4 network and subnet mask combination does the engineer assign to minimize
wasting addresses?

1. 10.10.225.32 255.255.255.240

2. 10.10.225.32 255.255.255.224

3. 10.10.225.48 255.255.255.240

4. 10.10.225.48 255.255.255.224

2 / 110

2. Which type of information resides on a DHCP server?

1. a list of the available IP addresses in a pool

2. a list of public IP addresses and their corresponding names

3. usernames and passwords for the end users in a domain

4. a list of statically assigned MAC addresses

3 / 110

3. Which two minimum parameters must be configured on an active interface to enable OSPFv2 to operate?
(Choose two)

1. OSPf process ID

2. iPv6 address

3. OSPF MD5 authentication key

4. OSPF area

5. OSPf stub flag

4 / 110

4. What are two differences between optical-fiber cabling and copper cabling? (Choose two)

1. A BNC connector is used for fiber connections

2. The glass core component is encased in a cladding

3. The data can pass through the cladding

4. Fiber connects to physical interfaces using Rj-45 connections

5. Light is transmitted through the core of the fiber

5 / 110

5. Using direct sequence spread spectrum, which three 2.4-GHz channels are used to limit collisions?

1. 1,6.11

2. 1,2,3

3. 1,5,10

4. 5,6,7

6 / 110

6. Which type of API would be used to allow authorized salespeople of an organization access to internal sales
data from their mobile devices?

1. private

2. public

3. open

4. partner

7 / 110

7. The OSPF Hello protocol performs which of the following tasks? (Choose two.)

1. It detects unreachable neighbors in 90 second intervals

2. It maintains neighbor relationships

3. It negotiates correctness parameters between neighboring interfaces

4. It provides dynamic neighbor discovery.

5. It broadcasts hello packets throughout the internetwork to discover all routers that are running OSPIt broadcasts hello packets throughout the internetwork to discover all routers that are running OSP

6. It uses timers to elect the router with the fastest links as the designated router.

8 / 110

8. An engineer is configuring NAT to translate the source subnet of 10.10.0.0/24 to any of three addresses
192.168.3.1, 192.168.3.2, 192.168.3.3 . Which configuration should be used?

1. C

2. A

3. B

4. D

9 / 110

9. Refer to the exhibit. If the switch reboots and all routers have to re-establish OSPF adjacencies, which routers
will become the new DR and BDR?

1. Router R3 will become the DR and router R1 will become the BDR.

2. Router R3 will become the DR and router R2 will become the BDR

3. Router R4 will become the DR and router R3 will become the BDR

4. Router R1 will become the DR and router R2 will become the BDR.

10 / 110

10. What is the function of a server?

1. It routes traffic between Layer 3 devices.

2. It provides shared applications to end users

3. It Creates security zones between trusted and untrusted networks

4. It transmits packets between hosts in the same broadcast domain.

11 / 110

11. Refer to the exhibit. Which path is used by the router for internet traffic?

1. 10.10.10.0/28

2. 0.0.0.0/0

3. 209.165.200.0/27

4. 10.10.13.0/24

12 / 110

12. An engineer must configure an OSPF neighbor relationship between router R1 and R3 The authentication
configuration has been configured and the connecting interfaces are in the same 192.168 1.0/30 sublet. What
are the next two steps to complete the configuration? (Choose two.)

1. configure the same process ID for the router OSPF process

2. configure the hello and dead timers to match on both sides

3. configure the interfaces as OSPF active on both sides.

4. configure the same router ID on both routing processes

5. configure both interfaces with the same area ID

13 / 110

13. Which IPv6 address block forwards packets to a multicast address rather than a unicast address?

1. 2000::/3

2. FC00::/7

3. FE80::/10

4. FF00::/12

14 / 110

14. Which device performs stateful inspection of traffic?

1. access point

2. switch

3. wireless controller

4. firewall

15 / 110

15. What are two roles of the Dynamic Host Configuration Protocol (DHCP)? (Choose two)

1. The DHCP client maintains a pool of IP addresses it can assign

2. The DHCP server offers the ability to exclude specific IP addresses from a pool of IP addresses

3. The DHCP server leases client IP addresses dynamically.

4. The DHCP client can request up to four DNS server addresses

5. The DHCP server assigns IP addresses without requiring the client to renew them

16 / 110

16. Which type of VPN uses a hub-and-spoke configuration to establish a full mesh topology?

1. IPsec virtual tunnel interface

2. MPLS VPN

3. dynamic multipoint VPN

4. GRE over IPsec

17 / 110

17. Refer to the exhibit. Router R1 Fa0/0 cannot ping router R3 Fa0/1. Which action must be taken in router R1 to
help resolve the configuration issue?

1. set the default network as 20.20.20.0/24

2. configure a static route with Fa0/1 as the egress interface to reach the 20.20.20.0/24 network

3. set the default gateway as 20.20.20.2

4. configure a static route with 10.10.10.2 as the next hop to reach the 20.20.20.0/24 network

18 / 110

18. Refer to the exhibit. Which action is expected from SW1 when the untagged frame is received on the
GigabitEthernet0/1 interface?

1. The frame is dropped

2. The frame is processed in VLAN 5.

3. The frame is processed in VLAN 1

4. The frame is processed in VLAN 11

19 / 110

19. Refer to the exhibit. A network administrator assumes a task to complete the connectivity between PC A and
the File Server Switch A and Switch B have been partially configured with VLANs 10, 11, 12, and 13 What is the
next step in the configuration?

1. Add a router on a stick between Switch A and Switch B allowing for Inter VLAN routing

2. Add VLAN 13 to the trunk links on Switch A and Switch B for VLAN propagation

3. Add PC A to the same subnet as the File Server allowing for intra-VLAN communication

4. Add PDA to VLAN 10 and the File Server to VLAN 11 for VLAN segmentation

20 / 110

20. Which function dose the range of private IPv4 addresses perform?

1. provides a direct connection for hosts from outside of the enterprise network

2. ensues that NAT is not required to reach the internet with private range addressing

3. allow multiple companies to each use the same address without conflicts

4. enable secure communications to the internet for all external hosts

21 / 110

21. An engineer requires a scratch interface to actively attempt to establish a trunk link with a neighbor switch.
What command must be configured?

1. switchport mode dynamic desirable

2. switchport mode trunk

3. switchport nonegotiate

4. switchport mode dynamic auto

22 / 110

22. Which technology must be implemented to configure network device monitoring with the highest security?

1. IP SLA

2. NetFlow

3. SNMPv3

4. syslog

23 / 110

23. Refer to the exhibit. What configuration on RTR-1 denies SSH access from PC-1 to any RTR-1 interface and
allows all other traffic?

1. access-list 100 deny tcp host 172.16.1.33 any eq 22 access-list 100 permit ip any any interface GigabitEthernet0/0 ip access-group 100 in

2. access-list 100 deny tcp host 172.16.1.33 any eq 23 access-list 100 permit ip any any line vty 0 15 access-class 100 in

3. access-list 100 deny tcp host 172.16.1.33 any eq 23 access-list 100 permit ip any any interface Gigabit Ethernet0/0 ip access-group 100 in

4. access-list 100 deny tcp host 172.16.1.33 any eq 22 access-list 100 permit ip any any line vty 0 15 access-class 100 in

24 / 110

24. What is a function of Wireless LAN Controller?

1. register with a single access point that controls traffic between wired and wireless endpoints.

2. use SSIDs to distinguish between wireless clients.

3. send LWAPP packets to access points.

4. monitor activity on wireless and wired LANs

25 / 110

25. Refer to the exhibit. Which switch becomes the root bridge?

SW1: 0C:E0:38:00:36:75
SW2: 0C:0E:15:22:05:97
SW3: 0C:0E:15:1A:3C:9D
SW4: 0C:E0:18:A1:B3:19

1. SW1

2. SW3

3. SW2

4. SW4

26 / 110

26. What are two purposes of launching a reconnaissance attack on a network? (Choose two.)

1. to retrieve and modify data

2. to prevent other users from accessing the system

3. to scan for accessibility

4. to gather information about the network and devices

5. to escalate access privileges

27 / 110

27. Refer to Exhibit. The loopback1 interface of the Atlanta router must reach the loopback3 interface of the
Washington router. Which two static host routes must be configured on the NEW York router? (Choose two)

1. ipv6 route 2000::1/128 2012::1

2. ipv6 route 2000::3/128 2023::3

3. ipv6 route 2000::1/128 2012::2

4. ipv6 route 2000::1/128 s0/0/1

5. ipv6 route 2000::3/128 s0/0/0

28 / 110

28. Refer to the exhibit. An administrator configures the following ACL in order to prevent devices on the
192.168.1.0 subnet from accessing the server at 10.1.1.5:
access-list 100 deny ip 192.168.1.0 0.0.0.255 host 10.1.1.5
access-list 100 permit ip any any

Where should the administrator place this ACL for the most efficient use of network resources?

1. outbound on router A Fa0/1

2. outbound on router B Fa0/0

3. inbound on router A Fa0/0

4. inbound on router B Fa0/1

29 / 110

29. What are two requirements for an HSRP group? (Choose two.)

1. one or more standby routers

2. exactly one standby active router

3. exactly one backup virtual router

4. one or more backup virtual routers

5. exactly one active router

30 / 110

30. What are two recommendations for protecting network ports from being exploited when located in an office
space outside of an IT closet? (Choose two)

1. enable the PortFast feature on ports

2. implement port-based authentication

3. shut down unused ports

4. configure static ARP entries

5. configure ports to a fixed speed

31 / 110

31. What are two roles of Domain Name Services (DNS)? (Choose Two)
A. builds

1. encrypts network Traffic as it travels across a WAN by default

2. improves security by protecting IP addresses under Fully Qualified Domain Names (FQDNs)

3. builds a flat structure of DNS names for more efficient IP operations

4. allows a single host name to be shared across more than one IP address

5. enables applications to identify resources by name instead of IP address

32 / 110

32. What is the primary purpose of a First Hop Redundancy Protocol?

1. It allows directly connected neighbors to share configuration information.

2. It reduces routing failures by allowing Layer 3 load balancing between OSPF neighbors that have the same link metric

3. It reduces routing failures by allowing more than one router to represent itself, as the default gateway of a network.

4. It allows a router to use bridge priorities to create multiple loop-free paths to a single destination.

33 / 110

33. An engineer must establish a trunk link between two switches. The neighboring switch is set to trunk or
desirable mode. What action should be taken?

1. configure switchport nonegotiate

2. configure switchport mode dynamic auto

3. configure switchport mode dynamic desirable

4. configure switchport trunk dynamic desirable

34 / 110

34. If all OSPF routers in a single area are configured with the same priority value, what value does a router use for
the OSPF router ID in the absence of a loopback interface?

1. the priority value until a loopback interface is configured

2. the IP address of the first Fast Ethernet interface

3. the IP address of the console management interface

4. the highest IP address among its active interfaces

5. the lowest IP address among its active interfaces

35 / 110

35. A manager asks a network engineer to advise which cloud service models are used so employees do not have
to waste their time installing, managing, and updating software which is only used occasionally Which cloud
service model does the engineer recommend?

1. software-as-a-service

2. business process as service to support different types of service

3. platform-as-a-service

4. infrastructure-as-a-service

36 / 110

36. What occurs to frames during the process of frame flooding?

1. Frames are sent to all ports, including those that are assigned to other VLANs.

2. Frames are sent to every port on the switch that has a matching entry in MAC address table

3. Frames are sent to every port on the switch in the same VLAN except from the originating port.

4. Frames are sent to every port on the switch in the same VLAN

37 / 110

37. Which state does the switch port move to when PortFast is enabled?

1. forwarding

2. listening

3. learning

4. blocking

38 / 110

38. A company needs to interconnect several branch offices across a metropolitan area. The network engineer is
seeking a solution that provides high-speed converged traffic, including voice, video, and data on the same
network infrastructure. The company also wants easy integration to their existing LAN infrastructure in their
office locations. Which technology should be recommended?

1. VSAT

2. Ethernet WAN

3. ISDN

4. Frame Relay

39 / 110

39. Refer to the exhibit. To which device does Router1 send packets that are destined to host 10.10.13.165?

1. Router2

2. Router3

3. Router5

4. Router4

40 / 110

40. Refer to the exhibit. An engineer deploys a topology in which R1 obtains its IP configuration from DHCP. If the
switch and DHCP server configurations are complete and correct. Which two sets of commands must be
configured on R1 and R2 to complete the task? (Choose two)

1. R2(config)# interface gi0/0 R2(config-if)# ip helper-address 198.51.100.100

2. R1(config)# interface fa0/0 R1(config-if)# ip helper-address 198.51.100.100

3. R1(config)# interface fa0/0 R1(config-if)# ip helper-address 192.0.2.2

4. R2(config)# interface gi0/0 R2(config-if)# ip address dhcp

5. R1(config)# interface fa0/0 R1(config-if)# ip address dhcp R1(config-if)# no shutdown

41 / 110

41. What are two reasons for an engineer to configure a floating state route? (Choose two)

1. to control the return path of traffic that is sent from the router

2. to automatically route traffic on a secondary path when the primary path goes down

3. to route traffic differently based on the source IP of the packet

4. to enable fallback static routing when the dynamic routing protocol fails

5. to support load balancing via static routing

42 / 110

42. What protocol allows an engineer to back up 20 network router configurations globally while using the copy
function?

1. TCP

2. SMTP

3. SNMP

4. FTP

43 / 110

43. Refer to the exhibit. If the network environment is operating normally, which type of device must be connected
to interface FastEthernet 0/1?

1. Access point

2. Router

3. DHCP client

4. PC

44 / 110

44. Refer to the exhibit. Refer to the exhibit. After the configuration is applied, the two routers fail to establish an
OSPF neighbor relationship. what is the reason for the problem?

1. The network statement on Router1 is misconfigured

2. The OSPF router IDs are mismatched.

3. The OSPF process IDs are mismatched

4. Router2 is using the default hello timer

45 / 110

45. Refer to the exhibit. The network administrator wants VLAN 67 traffic to be untagged between Switch 1 and
Switch 2 while all other VLANs are to remain tagged. Which command accomplishes this task?

1. switchport trunk native vlan 67

2. switchport trunk allowed vlan 67

3. switchport access vlan 67

4. switchport private-vlan association host 67

46 / 110

46. Refer to the exhibit. What commands are needed to add a subinterface to Ethernet0/0 on R1 to allow for VLAN
20, with IP address 10.20.20.1/24?

1. R1(config)#interface ethernet0/0.20 R1(config)#encapsulation dot1q 20 R1(config)#ip address 10.20.20.1 255.255.255.0

2. R1(config)#interface ethernet0/0.20 R1(config)#ip address 10.20.20.1 255.255.255.0

3. R1(config)#interface ethernet0/0 R1(config)#encapsulation dot1q 20 R1(config)#ip address 10.20.20.1 255.255.255.0

4. R1(config)#interface ethernet0/0 R1(config)#ip address 10.20.20.1 255.255.255.0

47 / 110

47. What are two functions of a Layer 2 switch? (Choose two)

1. makes forwarding decisions based on the MAC address of a packet

2. acts as a central point for association and authentication servers

3. selects the best route between networks on a WAN

4. moves packets between different VLANs

5. moves packets within a VLAN

48 / 110

48. Refer to the exhibit. Which route type does the routing protocol Code D represent in the output?

1. internal BGP route

2. statically assigned route

3. route learned through EIGRP

4. /24 route of a locally configured IP

49 / 110

49. What are two benefits of controller-based networking compared to traditional networking?

1. Controller-based provides centralization of key IT functions. While traditional requires distributes management function

2. Controller-based increases network bandwidth usage, while traditional lightens the load on the network.

3. Controller-based inflates software costs, while traditional decreases individual licensing costs

4. Controller-based reduces network configuration complexity, while traditional increases the potential for errors

5. Controller-based allows for fewer network failure, while traditional increases failure rates

50 / 110

50. Refer to the exhibit Which outcome is expected when PC_A sends data to PC_B?

1. The source and destination MAC addresses remain the same

2. The destination MAC address is replaced with ffff.ffff.ffff

3. The source MAC address is changed

4. The switch rewrites the source and destination MAC addresses with its own

51 / 110

51. Which WAN access technology is preferred for a small office / home office architecture?

1. Integrated Services Digital Network switching.

2. dedicated point-to-point leased line

3. broadband cable access

4. frame-relay packet switching

52 / 110

52. Refer to the exhibit. Which type of configuration is represented in the output?

1. Ansible

2. Chef

3. Puppet

4. JSON

53 / 110

53. Router R2 is configured with multiple routes to reach network 10 1.1.0/24 from router R1. What protocol is
chosen by router R2 to reach the destination network 10.1.1.0/24?

1. EIGRP

2. OSPF

3. eBGP

4. static

54 / 110

54. Refer to the exhibit. Which route type is configured to reach the internet?

1. default route

2. network route

3. host route

4. floating static route

55 / 110

55. A device detects two stations transmitting frames at the same time. This condition occurs after the first 64 bytes
of the frame is received interface counter increments?

1. CRC

2. collision

3. runt

4. late collision

56 / 110

56. What is a characteristic of the REST API?

1. most widely used API for web services

2. considered slow, complex, and rigid

3. evolved into what became SOAP

4. used for exchanging XML structured information over HTTP or SMTP

57 / 110

57. Which step in the link-state routing process is described by a router sending Hello packets out all of the OSPFenabled
interfaces?

1. ecting the designated router

2. exchanging link-state advertisements

3. injecting the default route

4. establishing neighbor adjacencies

58 / 110

58. What is the name of the layer in the Cisco borderless switched network design that is considered to be the
backbone used for high-speed connectivity and fault isolation?

1. network access

2. network

3. data link

4. access

5. core

59 / 110

59. By default, how Does EIGRP determine the metric of a route for the routing table?

1. it uses a default metric of 10 for all routes that are learned by the router

2. it counts the number of hops between the receiving and destination routers and uses that value as the metric

3. it uses a reference Bandwidth and the actual bandwidth of the connected link to calculate the route metric

4. it uses the bandwidth and delay values of the path to calculate the route metric

60 / 110

60. How does Cisco DNA Center gather data from the network?

1. Network devices use different services like SNMP, syslog, and streaming telemetry to send data to the controller

2. Devices establish an iPsec tunnel to exchange data with the controller

3. The Cisco CU Analyzer tool gathers data from each licensed network device and streams it to the controller

4. Devices use the call-home protocol to periodically send data to the controller

61 / 110

61. What is a recommended approach to avoid co-channel congestion while installing access points that use the
2.4 GHz frequency?

1. different overlapping channels

2. one overlapping channel

3. different nonoverlapping channels

4. one nonoverlapping channel

62 / 110

62. A port security violation has occurred on a switch port due to the maximum MAC address count being
exceeded Which command must be configured to increment the security-violation count and forward an SNMP
trap?

1. switchport port-security violation protect

2. switchport port-security violation access

3. switchport port-security violation restrict

4. switchport port-security violation shutdown

63 / 110

63. Which technology is used to improve web traffic performance by proxy caching?

1. Firepower

2. FireSIGHT

3. WSA

4. ASA

64 / 110

64. The service password-encryption command is entered on a router. What is the effect of this configuration?

1. protects the VLAN database from unauthorized PC connections on the switch

2. encrypts the password exchange when a VPN tunnel is established

3. restricts unauthorized users from viewing clear-text passwords in the running configuration

4. prevents network administrators from configuring clear-text passwords

65 / 110

65. Refer to the exhibit. An administrator is tasked with configuring a voice VLAN. What is the expected outcome
when a Cisco phone is connected to the GigabitEthernet 3/1/4 port on a switch?

interface GigabitEthernet 3/1/4

switchport voice vlan 50

1. The phone and a workstation that is connected to the phone do not have VLAN connectivity

2. The phone and a workstation that is connected to the phone send and receive data in VLAN 50.

3. The phone sends and receives data in VLAN 50, but a workstation connected to the phone sends and receives data in VLAN 1.

4. The phone sends and receives data in VLAN 50, but a workstation connected to the phone has no VLAN connected.

66 / 110

66. What are two functions of a server on a network? (Choose two)

1. handles requests from multiple workstations at the same time

2. housed solely in a data center that is dedicated to a single client

3. achieves redundancy by exclusively using virtual server clustering

4. runs the same operating system in order to communicate with other servers

5. runs applications that send and retrieve data for workstations that make requests

67 / 110

67. What is the difference regarding reliability and communication type between TCP and UDP?

1. TCP is not reliable and is a connectionless protocol; UDP is reliable and is a connection-oriented protocol

2. TCP is reliable and is a connectionless protocol; UDP is not reliable and is a connection-oriented protocol

3. TCP is reliable and is a connection-oriented protocol; UDP is not reliable and is a connectionless protocol

4. TCP is not reliable and is a connection-oriented protocol; UDP is reliable and is a connectionless protocol

68 / 110

68. Which three statements are typical characteristics of VLAN arrangements? (Choose three.)

1. A new switch has no VLANs configured

2. VLANs typically decrease the number of collision domains

3. Each VLAN uses a separate address space.

4. A switch maintains a separate bridging table for each VLAN.

5. Connectivity between VLANs requires a Layer 3 device

6. VLANs cannot span multiple switches.

69 / 110

69. How do TCP and UDP differ in the way they guarantee packet delivery?

1. TCP uses two-dimensional parity checks, checksums, and cyclic redundancy checks and UDP uses retransmissions only.

2. TCP uses retransmissions, acknowledgement and parity checks and UDP uses cyclic redundancy checks only.

3. TCP uses checksum, acknowledgement, and retransmissions, and UDP uses checksums only.

4. TCP uses checksum, parity checks, and retransmissions, and UDP uses acknowledgements only.

70 / 110

70. Several new coverage cells are required to improve the Wi-Fi network of an organization. Which two standard
designs are recommended? (Choose two.)

1. 5GHz provides increased network capacity with up to 23 nonoverlapping channels.

2. Cells that overlap one another are configured to use nonoverlapping channels

3. 5GHz channel selection requires an autonomous access point.

4. Adjacent cells with overlapping channels use a repeater access point.

5. For maximum throughput, the WLC is configured to dynamically set adjacent access points to the channel

71 / 110

71. Which spanning-tree enhancement avoids the learning and listening states and immediately places ports in the
forwarding state?

1. Backbonefast

2. BPDUguard

3. PortFast

4. BPDUfilter

72 / 110

72. The OSPF Hello protocol performs which of the following tasks? (Choose two.)

1. It detects unreachable neighbors in 90 second intervals

2. It provides dynamic neighbor discovery.

3. It uses timers to elect the router with the fastest links as the designated router.

4. It negotiates correctness parameters between neighboring interfaces.

5. It broadcasts hello packets throughout the internetwork to discover all routers that are running OSPF.

6. It maintains neighbor relationships.

73 / 110

73. What role does a hypervisor provide for each virtual machine in server virtualization?

1. control and distribution of physical resources

2. services as a hardware controller.

3. Software-as-a-service

4. infrastructure-as-a-service.

74 / 110

74. How does CAPWAP communicate between an access point in local mode and a WLC?

1. The access point must directly connect to the WLC using a copper cable

2. The access point has the ability to link to any switch in the network, assuming connectivity to the WLC

3. The access point must not be connected to the wired network, as it would create a loop

4. The access point must be connected to the same switch as the WLC

75 / 110

75. Refer to the exhibit. Which two configurations would be used to create and apply a standard access list on R1,
so that only the 10.0.70.0/25 network devices are allowed to access the internal database server? (Choose
two.)

1. R1(config)# access-list 5 permit any

2. R1(config)# access-list 5 permit 10.0.54.0 0.0.1.255

3. R1(config)# access-list 5 permit 10.0.70.0 0.0.0.127

4. R1(config)# interface GigabitEthernet0/0 R1(config-if)# ip access-group 5 out

5. R1(config)# interface Serial0/0/0 R1(config-if)# ip access-group 5 in

76 / 110

76. A network administrator enabled port security on a switch interface connected to a printer. What is the next
configuration action in order to allow the port to learn the MAC address of the printer and insert it into the table
automatically?

1. implement auto MAC address learning

2. implement static MAC addressing.

3. enable dynamic MAC address learning

4. enable sticky MAC addressing

77 / 110

77. When using Rapid PVST+, which command guarantees the switch is always the root bridge for VLAN 200?

1. spanning -tree vlan 200 root primary

2. spanning -tree vlan 200 priority 614440

3. spanning -tree vlan 200 priority 0

4. spanning -tree vlan 200 priority 38572422

78 / 110

78. What criteria is used first during the root port selection process?

1. local port ID

2. lowest neighbor’s bridge ID

3. lowest neighbor’s port ID

4. lowest path cost to the root bridge

79 / 110

79. Which configuration ensures that the switch is always the root for VLAN 750?

1. Switch(config)#spanning-tree vlan 750 priority 38003685

2. Switch(config)#spanning-tree vlan 750 priority 0

3. Switch(config)#spanning-tree vlan 750 priority 614440

4. Switch(config)#spanning-tree vlan 750 root primary

80 / 110

80. On a corporate network, hosts on the same VLAN can communicate with each other, but they are unable to
communicate with hosts on different VLANs. What is needed to allow communication between the VLANs?

1. a switch with an access link that is configured between the switches

2. a switch with a trunk link that is configured between the switches

3. a router with subinterfaces configured on the physical interface that is connected to the switch

4. a router with an IP address on the physical interface connected to the switch

81 / 110

81. Which command can you enter to determine the addresses that have been assigned on a DHCP Server?

1. Show ip DHCP database.

2. Show ip DHCP pool.

3. Show ip DHCP server statistic.

4. Show ip DHCP binding.

82 / 110

82. Refer to the exhibit. After the election process what is the root bridge in the HQ LAN?

1. Switch 1

2. Switch 2

3. Switch 4

4. Switch 3

83 / 110

83. In which two ways does a password manager reduce the chance of a hacker stealing a users password?
(Choose two.)

1. It automatically provides a second authentication factor that is unknown to the original user

2. It protects against keystroke logging on a compromised device or web site.

3. It stores the password repository on the local workstation with built-in antivirus and anti-malware functionality

4. It uses an internal firewall to protect the password repository from unauthorized access

5. It encourages users to create stronger passwords

84 / 110

84. Refer to the exhibit. Which configuration issue is preventing the OSPF neighbor relationship from being
established between the two routers?

1. R1 interface Gi1/0 has a larger MTU size

2. R2 is using the passive-interface default command

3. R1 has an incorrect network command for interface Gi1/0

4. R2 should have its network command in area 1

85 / 110

85. What is the primary function of a Layer 3 device?

1. forward traffic within the same broadcast domain

2. to transmit wireless traffic between hosts

3. to pass traffic between different networks

4. to analyze traffic and drop unauthorized traffic from the Internet

86 / 110

86. What are two benefits of using VTP in a switching environment? (Choose two.)

1. It allows VLAN information to be automatically propagated throughout the switching environment

2. It allows frames from multiple VLANs to use a single interface

3. It allows switches to read frame tags.

4. It allows ports to be assigned to VLANs automatically

5. It maintains VLAN consistency across a switched network

87 / 110

87. When a WPA2-PSK WLAN is configured in the Wireless LAN Controller, what is the minimum number of
characters that is required in ASCII format?

1. 6

2. 18

3. 8

4. 12

88 / 110

88. Which type of attack can be mitigated by dynamic ARP inspection?

1. malware

2. DDoS

3. worm

4. man-in-the-middle

89 / 110

89. Refer to the exhibit. A router reserved these five routes from different routing information sources. Which two
routes does the router install in its routing table? (Choose two)

1. iBGP route 10.0.0.0/30

2. EIGRP route 10.0.0.1/32

3. RIP route 10.0.0.0/30

4. OSPF route 10.0.0.0/30

5. OSPF route 10.0.0.0/16

90 / 110

90. What software defined architecture plane assists network devices with making packet-forwarding decisions by
providing Layer 2 reachability and Layer 3 routing information?

1. policy plane

2. data plane

3. control plane

4. management plane

91 / 110

91. An engineer needs to configure LLDP to send the port description time length value (TLV). What command
sequence must be implemented?

1. switch#lldp port-description

2. switch(config)#lldp port-description

3. switch(config-if)#lldp port-description

4. switch(config-line)#lldp port-description

92 / 110

92. Which type of ipv6 address is publicly routable in the same way as ipv4 public addresses?

1. multicast

2. global unicast

3. unique local

4. ink-local

93 / 110

93. What are two reasons a network administrator would use CDP? (Choose two.)

1. to verify the type of cable interconnecting two devices

2. to determine the status of network services on a remote device

3. to obtain VLAN information from directly connected switches

4. to obtain the IP address of a connected device in order to telnet to the device

5. to verify Layer 2 connectivity between two devices when Layer 3 fails

6. to determine the status of the routing protocols between directly connected routers

94 / 110

94. Which goal is achieved by the implementation of private IPv4 addressing on a network?

1. allows communication across the Internet to other private networks

2. allows servers and workstations to communicate across public network boundaries

3. provides a reduction in size of the forwarding table on network routers

4. provides an added level of protection against Internet exposure

95 / 110

95. How do TCP and UDP differ in the way they provide reliability for delivery of packets?

1. TCP does not guarantee delivery or error checking to ensure that there is no corruption of data UDP provides message acknowledgement and retransmits data if lost.

2. TCP provides flow control to avoid overwhelming a receiver by sending too many packets at once, UDP sends packets to the receiver in a continuous stream without checking for sequencing

3. TCP is a connectionless protocol that does not provide reliable delivery of data, UDP is a connectionoriented protocol that uses sequencing to provide reliable delivery

4. TCP uses windowing to deliver packets reliably; UDP provides reliable message transfer between hosts by establishing a three-way handshake

96 / 110

96. Refer to the exhibit. Which two commands were used to create port channel 10? (Choose two.)

1. int range g0/0-1 channel-group 10 mode auto

2. int range g0/0-1 channel-group 10 mode desirable

3. int range g0/0-1 channel-group 10 mode active

4. int range g0/0-1 channel-group 10 mode passive

5. int range g0/0-1 channel-group 10 mode on

97 / 110

97. A wireless administrator has configured a WLAN; however, the clients need access to a less congested 5-GHz
network for their voice quality. What action must be taken to meet the requirement?

1. enable AAA override

2. enable Band Select

3. enable DTIM

4. enable RX-SOP

98 / 110

98. Which two statements are true about the command ip route 172.16.3.0 255.255.255.0 192.168.2.4? (Choose
two.)

1. It uses the default administrative distance

2. It configures the router to send any traffic for an unknown destination out the interface with the address 192.168.2.4.

3. It is a route that would be used last if other routes to the same destination exist

4. It establishes a static route to the 172.16.3.0 network

5. It configures the router to send any traffic for an unknown destination to the 172.16.3.0 network

6. It establishes a static route to the 192.168.2.0 network

99 / 110

99. What mechanism carries multicast traffic between remote sites and supports encryption?

1. ISATAP

2. iPsec over ISATAP

3. GRE over iPsec

4. GRE

100 / 110

100. Which purpose does a northbound API serve in a controller-based networking architecture?

1. generates statistics for network hardware and traffic

2. communicates between the controller and the physical network hardware

3. facilitates communication between the controller and the applications

4. reports device errors to a controller

101 / 110

101. Which two functions are performed by the core layer in a three-tier architecture? (Choose two)

1. Police traffic that is sent to the edge of the network.

2. Provide uninterrupted forwarding service

3. Ensure timely data transfer between layers.

4. Provide direct connectivity for end user devices.

5. Inspect packets for malicious activity.

102 / 110

102. Refer to the exhibit. Router R1 is configured with static NAT. Addressing on the router and the web server are
correctly configured, but there is no connectivity between the web server and users on the Internet. What is a
possible reason for this lack of connectivity?

1. Interface Fa0/0 should be configured with the command ip nat outside

2. The router NAT configuration has an incorrect inside local address

3. The inside global address is incorrect.

4. The NAT configuration on interface S0/0/1 is incorrect.

103 / 110

103. An office has 8 floors with approximately 30-40 users per floor What command must be configured on the
router Switched Virtual Interface to use address space efficiently?

1. ip address 192.168.0.0 255.255.255.224

2. ip address 192.168.0.0 255.255.0.0

3. ip address 192.168.0.0 255.255.254.0

4. ip address 192.168.0.0 255.255.255.128

104 / 110

104. What is a function of TFTP in network operations?

1. transfers files between file systems on a router

2. transfers a backup configuration file from a server to a switch using a username and password

3. transfers IOS images from a server to a router for firmware upgrades

4. transfers a configuration files from a server to a router on a congested link

105 / 110

105. The SW1 interface g0/1 is in the down/down state. Which two configurations are valid reasons for the interface
conditions?(choose two)

1. The interface is shut down

2. There is a speed mismatch

3. The interface is error-disabled

4. There is a protocol mismatch

5. There is a duplex mismatch

106 / 110

106. A corporate office uses four floors in a building
* Floor 1 has 24 users
* Floor 2 has 29 users
* Floor 3 has 28 users
* Floor 4 has 22 users
Which subnet summarizes and gives the most efficient distribution of IP addresses for the router configuration?

1. 192.168.0.0/25 as summary and 192.168.0.0/27 for each floor

2. 192.168.0.0/26 as summary and 192.168.0.0/29 for each floor

3. 192.168.0.0/23 as summary and 192.168.0.0/25 for each floor

4. 192.168.0.0.24 as summary and 192.168.0.0/28 for each floor

107 / 110

107. Refer to the exhibit. A packet is being sent across router R1 to host 172.16.3.14. To which destination does the
router send the packet?

1. 207.165 200.254 via Serial0/0/1

2. 207 165 200 246 via Serial0/1/0

3. 207.165.200.254 via Serial0/0/0

4. 207.165.200.250 via Serial0/0/0

108 / 110

108. A packet is destined for 10.10.1.22. Which static route does the router choose to forward the packet?

1. ip route 10.10.1.16 255.255.255.252 10.10.255.1

2. ip route 10.10.1.20 255.255.255.252 10.10.255.1

3. ip route 10.10.1.20 255.255.255.254 10.10.255.1

4. ip route 10.10.1.0 255.255.255.240 10.10.255.1

109 / 110

109. Anycompany has decided to reduce its environmental footprint by reducing energy costs, moving to a smaller
facility, and promoting telecommuting. What service or technology would support this requirement?

1. cloud services

2. APIC-EM

3. data center

4. Cisco ACI

110 / 110

110. Which two WAN architecture options help a business scalability and reliability for the network? (Choose two)

1. asychronous routing

2. dynamic routing

3. single-homed branches

4. static routing

Your score is

LinkedIn Facebook Twitter VKontakte

0 votes, 0 avg

Created by

Rabiul Islam

CCNA Question Part-4

1 / 47

1. Which command must be entered to configure a DHCP relay?

1. ip dhcp pool

2. ip address dhcp

3. ip helper-address

4. ip dhcp relay

2 / 47

2. Refer to the exhibit. A network administrator has been tasked with securing VTY access to a router Which
access-list entry accomplishes this task?

1. access-list 101 permit tcp 10.11.0 0.0.0.255 172.16.10 0.0.0.255 eq telnet

2. access-list 101 permit tcp 10.11.0 0.0.0.255 172.16.10 0.0.0.255 eq scp C. access-list 101 permit tcp 10.11.0 0.0.0.255 172.16.10 0.0.0.255 eq telnetaccess-list 101 permit tcp 10.11.0 0.0.0.255 172.16.10 0.0.0.255 eq telnet

3. access-list 101 permit tcp 10.1.10 0.0.0.255 172.16.10 0.0.0.255 eq https

4. access-list 101 permit tcp 10.1.10 0.0.0.255 172.16.10 0.0.0.255 eq ssh

3 / 47

3. An engineer must configure Interswitch VLAN communication between a Cisco switch and a third-party switch.
Which action should be taken?

1. configure IEEE 802.1p

2. configure ISL

3. configure IEEE 802.1q

4. configure DSCP

4 / 47

4. What is the same for both copper and fiber interfaces when using SFP modules?

1. They provide minimal interruption to services by being hot-swappable

2. They offer reliable bandwidth up to 100 Mbps in half duplex mode

3. They accommodate single-mode and multi-mode in a single module

4. They support an inline optical attenuator to enhance signal strength

5 / 47

5. What is a DHCP client?

1. a host that is configured to request an IP address automatically

2. a server that dynamically assigns IP addresses to hosts

3. a router that statically assigns IP addresses to hosts.

4. a workstation that requests a domain name associated with its IP address

6 / 47

6. Which CRUD operation corresponds to the HTTP GET method?

1. read

2. create

3. delete

4. update

7 / 47

7. allows the users to access company internal network resources through a secure tunnel

1. read

2. update

3. replace

4. create

8 / 47

8. What is recommended for the wireless infrastructure design of an organization?

1. group access points together to increase throughput on a given channel

2. assign physically adjacent access points to the same Wi-Fi channel

3. configure the first three access points are configured to use Channels 1, 6, and 11

4. include a least two access points on nonoverlapping channels to support load balancing

9 / 47

9. Which state does the switch port move to when PortFast is enabled?

1. earning

2. blocking

3. listening

4. forwarding

10 / 47

10. What is a practice that protects a network from VLAN hopping attacks?

1. Change native VLAN to an unused VLAN ID

2. Configure an ACL to prevent traffic from changing VLANs

3. Implement port security on internet-facing VLANs

4. Enable dynamic ARP inspection

11 / 47

11. Which type of security program is violated when a group of employees enters a building using the ID badge of
only one person?

1. intrusion detection

2. network authorization

3. physical access control

4. user awareness

12 / 47

12. What is the effect when loopback interfaces and the configured router ID are absent during the OSPF Process configuration?

1. The lowest IP address is incremented by 1 and selected as the router ID.

2. The highest up/up physical interface IP address is selected as the router ID.

3. The router ID 0.0.0.0 is selected and placed in the OSPF process

4. No router ID is set, and the OSPF protocol does not run.

13 / 47

13. What is the purpose of traffic shaping?

1. to mitigate delays over slow links

2. to limit the bandwidth that a flow can use to

3. be a marking mechanism that identifies different flows

4. to provide fair queuing for buffered flows

14 / 47

14. Refer to the exhibit. What is the result if Gig1/11 receives an STP BPDU?

1. The port transitions to STP blocking

2. The port goes into error-disable state

3. The port transitions to the root port

4. The port immediately transitions to STP forwarding

15 / 47

15. A network administrator must enable DHCP services between two sites. What must be configured for the router
to pass DHCPDISCOVER messages on to the server?

1. A DHCP Pool

2. DHCP Snooping

3. DHCP Binding

4. A DHCP Relay Agent

16 / 47

16. A network administrator needs to aggregate 4 ports into a single logical link which must negotiate layer 2
connectivity to ports on another switch What must be configured when using active mode on both sides of the
connection?

1. Cisco vPC

2. LACP

3. LLDP

4. 802.1q trunks

17 / 47

17. Where does the configuration reside when a helper address Is configured to support DHCP?

1. on the router closest to the server

2. on the switch trunk interface

3. on every router along the path

4. on the router closest to the client

18 / 47

18. Which function is performed by the collapsed core layer in a two-tier architecture?

1. enforcing routing policies

2. applying security policies

3. marking interesting traffic for data polices

4. attaching users to the edge of the netwo

19 / 47

19. What is the maximum bandwidth of a T1 point-to-point connection?

1. 34.368 Mbps

2. 1.544 Mbps

3. 43.7 Mbps

4. 2.048 Mbps

20 / 47

20. When implementing a router as a DHCP server, which two features must be configured? (Choose two)

1. address pool

2. manual bindings

3. database agent

4. smart-relay

5. relay agent information

21 / 47

21. Refer to the exhibit. An access list is created to deny Telnet access from host PC-1 to RTR-1 and allow access
from all other hosts A Telnet attempt from PC-2 gives this message:”% Connection refused by remote host”
Without allowing Telnet access from PC-1, which action must be taken to permit the traffic?

1. Remove the access-class 10 in command from line vty 0.4.

2. Remove the password command from line vty 0 4.

3. Add the ip access-group 10 out command to interface g0/0.

4. Add the access-list 10 permit any command to the configuration

22 / 47

22. In which situation is private IPv4 addressing appropriate for a new subnet on the network of an organization?

1. Traffic on the subnet must traverse a site-to-site VPN to an outside organization

2. The network has multiple endpoint listeners, and it is desired to limit the number of broadcasts

3. The ISP requires the new subnet to be advertised to the internet for web services.

4. There is limited unique address space, and traffic on the new subnet will stay local within the organization

23 / 47

23. Which device controls the forwarding of authentication requests for users when connecting to the network using
a lightweight access point?

1. wireless LAN controller

2. TACACS server

3. wireless access point

4. RADIUS server

24 / 47

24. Which technology can prevent client devices from arbitrarily connecting to the network without state
remediation?

1. MAC Authentication Bypass

2. 802.1x

3. 802.11n

4. IP Source Guard

25 / 47

25. How do servers connect to the network in a virtual environment?

1. a virtual switch that links to an access point that is physically connected to the network

2. a cable connected to a physical switch on the network

3. a software switch on a hypervisor that is physically connected to the network

4. wireless to an access point that is physically connected to the network

26 / 47

26. Which 802.11 frame type is indicated by a probe response after a client sends a probe request?

1. control

2. data

3. management

4. action

27 / 47

27. An engineer must configure traffic for a VLAN that is untagged by the switch as it crosses a trunk link. Which
command should be used?

1. switchport trunk encapsulation dot1q

2. switchport trunk native vlan 10

3. switchport mode trunk

4. switchport trunk allowed vlan 10

28 / 47

28. Which protocol prompts the Wireless LAN Controller to generate its own local web administration SSL
certificate for GUI access?

1. TACACS+

2. HTTPS

3. RADIUS

4. HTTP

29 / 47

29. Refer to the exhibit. An engineer configured the New York router with state routes that point to the Atlanta and
Washington sites. When command must be configured on the Atlanta and Washington routers so that both
sites are able to reach the loopback2 interface on the New York router?

1. ipv6 route ::/0 2000::2

2. ip route 0.0.0.0.0.0.0.0 Serial 0/0/0

3. pv6 route 0/0 Serial 0/0/0

4. ipv6 route ::/0 Serial 0/0/0

5. ipv6 route ::/0 Serial 0/0/1

30 / 47

30. Aside from discarding, which two states does the switch port transition through while using RSTP (802.1w)?
(Choose two)

1. blocking

2. speaking

3. learning

4. listening

5. forwarding

31 / 47

31. Which configuration management mechanism uses TCP port 22 by default when communicating with managed
nodes?

1. Chef

2. Puppet

3. Python

4. Ansible

32 / 47

32. Refer to the exhibit. Which command configures a floating static route to provide a backup to the primary link?

1. ip route 0.0.0.0 0.0.0.0 209.165.200.224

2. ip route 209.165.201.0 255.255.255.224 209.165.202.130

3. ip route 209.165.200.224 255.255.255.224 209.165.202.129 254

4. ip route 0.0.0.0 0.0.0.0 209.165.202.131

33 / 47

33. In software defined architectures, which plane is distributed and responsible for traffic forwarding?

1. policy plane

2. management plane

3. data plane

4. control plane

34 / 47

34. Which device tracks the state of active connections in order to make a decision to forward a packet through?

1. wireless LAN controller

2. wireless access point

3. router

4. firewall

35 / 47

35. With REST API, which standard HTTP header tells a server which media type is expected by the client?

1. Content-Type: application/json; charset=utf-8

2. Accept-Patch: text/example; charset=utf-8

3. Accept: application/json

4. Accept-Encoding: gzip. deflate

36 / 47

36. Refer to the exhibit. PC1 is trying to ping PC3 for the first time and sends out an ARP to S1. Which action is
taken by S1?

1. It drops the frame.

2. It is flooded out every port except G0/0.

3. It forwards it out interface G0/2 only.

4. It forwards it out G0/3 only

37 / 47

37. Where does a switch maintain DHCP snooping information?

1. in the CAM table

2. in the MAC address table

3. in the frame forwarding database

4. in the binding database

38 / 47

38. Which network plane is centralized and manages routing decisions?

1. data plane

2. control plane

3. policy plane

4. management plane

39 / 47

39. How does the dynamically-learned MAC address feature function?

1. It requires a minimum number of secure MAC addresses to be filled dynamically

2. The CAM table is empty until ingress traffic arrives at each port

3. The ports are restricted and learn up to a maximum of 10 dynamically-learned addresses

4. Switches dynamically learn MAC addresses of each connecting CAM table

40 / 47

40. What is a function of a remote access VPN?

1. allows the users to access company internal network resources through a secure tunnel

2. used cryptographic tunneling to protect the privacy of data for multiple users simultaneously

3. used exclusively when a user is connected to a company’s internal network

4. establishes a secure tunnel between two branch sites

41 / 47

41. When using Rapid PVST+, which command guarantees the switch is always the root bridge for VLAN 200?

1. spanning -tree vlan 200 priority 38572422

2. spanning -tree vlan 200 priority 0

3. spanning -tree vlan 200 root primary

4. spanning -tree vlan 200 priority 614440

42 / 47

42. How does a Cisco Unified Wireless network respond to Wi-Fi channel overlap?

1. It alternates automatically between 2.4 GHz and 5 GHz on adjacent access points

2. It analyzes client load and background noise and dynamically assigns a channel.

3. It segregates devices from different manufacturers onto different channels

4. It allows the administrator to assign channels on a per-device or per-interface basis

43 / 47

43. What does a switch use to build its MAC address table?

1. ingress traffic

2. DTP

3. egress traffic

4. VTP

44 / 47

44. What facilitates a Telnet connection between devices by entering the device name?

1. DNS lookup

2. SNMP

3. syslog

4. NTP

45 / 47

45. Refer to the exhibit. If OSPF Is running on this network, how does Router2 handle traffic from Site B to
10.10.13.128/25 at Site A?

1. It is unreachable and discards the traffic

2. It load-balances traffic out of Fa0/1 and Fa0/2.

3. It sends packets out of interface Fa0/2.

4. It sends packets out of interface Fa0/1.

46 / 47

46. Refer to the exhibit. A network administrator must permit SSH access to remotely manage routers in a network.
The operations team resides on the 10.20.1.0/25 network. Which command will accomplish this task?

1. no access-list 2699 deny tcp any 10.20.1.0 0.0.0.127 eq 22

2. access-list 2699 permit tcp any 10.20.1.0 0.0.0.255 eq 22

3. no access-list 2699 deny ip any 10.20.1.0 0.0.0.255

4. Refer to the exhibit. A network administrator must permit SSH access to remotely manage routers in a network. The operations team resides on the 10.20.1.0/25 network. Which command will accomplish this task?

47 / 47

47. What is a role of wireless controllers in an enterprise network?

1. centralize the management of access points in an enterprise network

2. provide secure user logins to devices on the network

3. serve as the first line of defense in an enterprise network

4. support standalone or controller-based architectures

Your score is

LinkedIn Facebook Twitter VKontakte

0 votes, 0 avg

Created by

Rabiul Islam

CCNA Question Part-5

1 / 99

1. Which communication interaction takes place when a southbound API Is used?

1. between the SON controller and switches and routers on the network

2. between network applications and switches and routers on the network

3. between the SON controller and services and applications on the network

4. between the SDN controller and PCs on the network

2 / 99

2. Which two events occur automatically when a device Is added to Cisco DNA Center? (Choose two.)

1. The device Is placed into the Provisioned state

2. The device is assigned to the Local site

3. The device Is placed into the Unmanaged state

4. The device Is placed into the Managed state

5. The device Is assigned to the Global site

3 / 99

3. What is a characteristic of cloud-based network topology?

1. wireless connections provide the sole access method to services

2. services are provided by a public, private, or hybrid deployment

3. onsite network services are provided with physical Layer 2 and Layer 3 components

4. physical workstations are configured to share resources

4 / 99

4. What causes a port to be placed in the err-disabled state?

1. shutdown command issued on the port

2. latency

3. nothing plugged into the port

4. port security violation

5 / 99

5. Refer to me exhibit. Which action is taken by the router when a packet is sourced from 10.10.10.2 and destined for 10.10.10.16?

1. It floods packets to all learned next hops

2. It discards the packets

3. It Queues the packets waiting for the route to be learned

4. It uses a route that is similar to the destination address

6 / 99

6. Which QoS tool is used to optimize voice traffic on a network that is primarily intended for data traffic?

1. WFQ

2. WRED

3. PQ

4. FIFO

7 / 99

7. Which networking function occurs on the data plane?

1. facilitates spanning-tree elections

2. forwarding remote client/server traffic

3. processing inbound SSH management traffic

4. sending and receiving OSPF Hello packets

8 / 99

8. A network administrator is asked to configure VLANS 2, 3 and 4 for a new implementation. Some ports must be assigned to the new VLANS
with unused remaining. Which action should be taken for the unused ports?

1. configure ports as access ports

2. configure ports in a black hole VLAN

3. configure port in the native VLAN

4. configure in a nondefault native VLAN

9 / 99

9. Which network action occurs within the data plane?

1. compare the destination IP address to the IP routing table

2. make a configuration change from an incoming NETCONF RPC

3. run routing protocols (OSPF, EIGRP, RIP, BGP)

4. reply to an incoming ICMP echo request

10 / 99

10. What is the function of a controller in controller-based networking?

1. It is the card on a core router that maintains all routing decisions for a campus

2. It serves as the centralized management point of an SDN architecture

3. It centralizes the data plane for the network

4. It is a pair of core routers that maintain all routing decisions for a campus

11 / 99

11. What is a similarity between OM3 and OM4 fiber optic cable?

1. Both have a 100 micron core diameter

2. Both have a 62.5 micron core diameter

3. Both have a 9 micron core diameter

4. Both have a 50 micron core diameter

12 / 99

12. What Is a syslog facility?

1. password that authenticates a Network Management System to receive log messages

2. group of log messages associated with the configured severity level

3. Host that is configured for the system to send log messages

4. set of values that represent the processes that can generate a log message

13 / 99

13. Which port type supports the spanning-tree portfast command without additional configuration?

1. Layer 3 suninterfaces

2. Layer 3 main Interfaces

3. trunk ports

4. access ports

14 / 99

14. Which technology allows for multiple operating systems to be run on a single host computer?

1. virtual device contexts

2. Server Virtualization

3. virtual routing and forwarding

4. network port ID visualization

15 / 99

15. What are two similarities between UTP Cat 5e and Cat 6a cabling? (Choose two.)

1. Both support runs of up to 100 meters.

2. Both support runs of up to 55 meters.

3. Both support speeds of at least 1 Gigabit

4. Both support speeds up to 10 Gigabit.

5. Both operate at a frequency of 500 MHz.

16 / 99

16. Which access layer threat-mitigation technique provides security based on identity?

1. using a non-default native VLAN

2. DHCP snooping

3. Dynamic ARP Inspection

4. 802.1x

17 / 99

17. What does an SDN controller use as a communication protocol to relay forwarding changes to a southbound API?

1. Java

2. OpenFlow

3. REST

4. XML

18 / 99

18. When a site-to-site VPN is configured, which IPsec mode provides encapsulation and encryption of the entire original P packet?

1. IPsec transport mode with AH

2. IPsec tunnel mode with ESP

3. IPsec tunnel mode with AH

4. IPsec transport mode with ESP

19 / 99

19. When a WLAN with WPA2 PSK is configured in the Wireless LAN Controller GUI which format is supported?

1. base64

2. Unicode

3. ASCII

4. decimal

20 / 99

20. What uses HTTP messages to transfer data to applications residing on different hosts?

1. OpFlex

2. OpenFlow

3. OpenStack

4. REST

21 / 99

21. A network engineer must configure the router R1 GigabitEthernet1/1 interface to connect to the router R2 GigabitEthernet1/1 interface. For the
configuration to be applied the engineer must compress the address 2001:0db8:0000:0000:0500:000a:400F:583B. Which command must be
issued on the interface?

1. ipv6 address 2001:0db8::5: a: 4F 583B

2. ipv6 address 2001:db8::500:a:400F:583B

3. ipv6 address 2001 db8:0::500:a:4F:583B

4. ipv6 address 2001::db8:0000::500:a:400F:583B

22 / 99

22. Refer to the exhibit. Shortly after SiteA was connected to SiteB over a new single-mode fiber path users at SiteA report intermittent connectivity
issues with applications hosted at SiteB What is the cause of the intermittent connectivity issue?

1. High usage is causing high latency

2. Interface errors are incrementing

3. An incorrect SFP media type was used at SiteA

4. The sites were connected with the wrong cable type

23 / 99

23. Which two protocols are supported on service-port interfaces? (Choose two.)

1. RADIUS

2. TACACS+

3. Telnet

4. SSH

5. SCP

24 / 99

24. What are network endpoints?

1. . act as routers to connect a user to the service prowler network

2. a threat to the network if they are compromised

3. support inter-VLAN connectivity

4. enforce policies for campus-wide traffic going to the internet

25 / 99

25. What is the difference in data transmission delivery and reliability between TCP and UDP?

1. UDP is used for multicast and broadcast communication. TCP is used for unicast communication and transmits data at a higher rate with error checking.

2. TCP requires the connection to be established before transmitting data. UDP transmits data at a higher rate without ensuring packet delivery.

3. TCP transmits data at a higher rate and ensures packet delivery. UDP retransmits lost data to ensure applications receive the data on the remote end.

4. UDP sets up a connection between both devices before transmitting data. TCP uses the three-way handshake to transmit data with a reliable connection.

26 / 99

26. Where does wireless authentication happen?

1. radio

2. SSID

3. band

4. Layer 2

27 / 99

27. Refer to the exhibit. Which two prefixes are included in this routing table entry? (Choose two.)

1. 192.168.1.61

2. 192.168.1.127

3. 192.168.1.64

4. 192.168.1.17

5. 192.168.1.254

28 / 99

28. Which protocol does an access point use to draw power from a connected switch?

1. Neighbor Discovery Protocol

2. Internet Group Management Protocol

3. Adaptive Wireless Path Protocol

4. Cisco Discovery Protocol

29 / 99

29. Which HTTP status code is returned after a successful REST API request?

1. 404

2. 500

3. 301

4. 200

30 / 99

30. What is the role of a firewall in an enterprise network?

1. explicitly denies all packets from entering an administrative domain

2. Forwards packets based on stateless packet inspection

3. determines which packets are allowed to cross from unsecured to secured networks

4. Processes unauthorized packets and allows passage to less secure segments of the network

31 / 99

31. Which switch becomes the permanent root bridge for VLAN 5?

1. Branch-1

2. Branch-2

3. Branch-3

4. Branch-4

32 / 99

32. An engineer must configure the IPv6 address 2001:0db8:0000:0000:0700:0003:400F:572B on the serial0/0 interface of the HQ router and wants
to compress it for easier configuration. Which command must be issued on the router interface?

1. ipv6 address 2001:db8::700:3:400F:572B

2. ipv6 address 2001:Odb8::7:3:4F:572B

3. ipv6 address 2001::db8:0000::700:3:400F:572B

4. ipv6 address 2001:db8:0::700:3:4F:572B

33 / 99

33. Which JSON data type is an unordered set of attribute- value pairs?

1. Boolean

2. object

3. string

4. array

34 / 99

34. Refer to the exhibit. When PC-A sends traffic to PC-B, which network component is in charge of receiving the packet from PC-A verifying the IP
addresses, and forwarding the packet to PC-B?

1. Layer 2 switch

2. firewall

3. Router

4. Load balancer

35 / 99

35. Which two QoS tools provides congestion management? (Choose two)

1. CAR

2. PBR

3. FRTS

4. CBWFQ

5. PQ

36 / 99

36. An administrator must secure the WLC from receiving spoofed association requests. Which steps must be taken to configure the WLC to
restrict the requests and force the user to wait 10 ms to retry an association request?

1. Enable Security Association Teardown Protection and set the SA Query timeout to 10

2. Enable MAC filtering and set the SA Query timeout to 10

3. Enable 802.1x Layer 2 security and set me Comeback timer to 10

4. Enable the Protected Management Frame service and set the Comeback timer to 10

37 / 99

37. What describes the operation of virtual machines?

1. In a virtual machine environment, physical servers must run one operating system at a time

2. . Virtual machines are operating system instances that are decoupled from server hardware

3. Virtual machines are the physical hardware that support a virtual environment

4. Virtual machines are responsible for managing and allocating host hardware resources

38 / 99

38. Which action does the router take as rt forwards a packet through the network?

1. The router encapsulates the original packet and then includes a tag that identifies the source router MAC address and transmit transparently to the destination

2. The router replaces the original source and destination MAC addresses with the sending router MAC address as the source and neighbor MAC address as the destination

3. The router replaces the source and desinaoon labels wth the sending router uterface label as a source and the next hop router label as a desbnabon

4. The router encapsulates the source and destination IP addresses with the sending router P address as the source and the neighbor IP address as the destination

39 / 99

39. What is the purpose of using First Hop Redundancy Protocol in a specific subnet?

1. ensures a loop-free physical topology

2. Sends the default route to the hosts on a network

3. forwards multicast hello messages between routers

4. Filter traffic based on destination IP addressing

40 / 99

40. What is a function of the Cisco DNA Center Overall Health Dashboard?

1. It summarizes daily and weekly CPU usage for servers and workstations in the network

2. It summarizes the operational status of each wireless devise on the network

3. It provides detailed activity logging for the 10 devices and users on the network

4. It provides a summary of the top 10 global issues

41 / 99

41. What are two characteristics of the distribution layer in a three-tier network architecture? (Choose two.)

1. serves as the network aggregation point

2. provides a boundary between Layer 2 and Layer 3 communications

3. designed to meet continuous, redundant uptime requirements

4. physical connection point for a LAN printer

5. is the backbone for the network topology

42 / 99

42. What occurs when overlapping Wi-Fi channels are implemented?

1. Network communications are open to eavesdropping

2. The wireless network becomes vulnerable to unauthorized access.

3. . Wireless devices are unable to distinguish between different SSIDs

4. Users experience poor wireless network performance.

43 / 99

43. Which function is performed by DHCP snooping?

1. rate-limits certain traffic

2. provides DDoS mitigation

3. propagates VLAN information between switches

4. listens to multicast traffic for packet forwarding

44 / 99

44. Which protocol requires authentication to transfer a backup configuration file from a router to a remote server?

1. SMTP

2. FTP

3. DTP

4. TFTP

45 / 99

45. Which two protocols must be disabled to increase security for management connections to a Wireless LAN Controller? (Choose two)

1. HTTP

2. Telnet

3. HTTPS

4. TFTP

5. SSH

46 / 99

46. Refer to the exhibit. R5 is the current DR on the network, and R4 is the BDR. Their interfaces are flapping, so a network engineer wants the
OSPF network to elect a different DR and BDR. Which set of configurations must the engineer implement?

1. R2(config)#interface gi0/0 R2(config-if)#ip ospf priority 259 R3(config)#interface gi0/0 R3(config-if)#ip ospf priority 256

2. . R4(config)#interface gi0/0 R4(config-if)#ip ospf priority 20 R5(config)#interface gi0/0 R5(config-if)#ip ospf priority 10

3. R3(config)#interface gi0/0 R3(config-if)#ip ospf priority 255 R2(config)#interface gi0/0 R2(config-if)#ip ospf priority 240

4. R5(config)#interface gi0/0 R5(config-if)#ip ospf priority 120 R4(config)#interface gi0/0 R4(config-if)#ip ospf priority 110

47 / 99

47. An implementer is preparing hardware for virtualization to create virtual machines on a host. What is needed to provide communication between
hardware and virtual machines?

1. switch

2. router

3. hypervisor

4. straight cable

48 / 99

48. Refer to the exhibit. Router R4 is dynamically learning the path to the server. If R4 is connected to R1 via OSPF Area 20, to R2 via R2 BGP, and
to R3 via EIGRP 777, which path is installed in the routing table of R4?

1. the path through R2. because the IBGP administrative distance is 200

2. the path through R2 because the EBGP administrative distance is 20

3. the path through R1, because the OSPF administrative distance is 110

4. the path through R3. because the EIGRP administrative distance is lower than OSPF and BGP

49 / 99

49. Refer to the exhibit. Which change to the configuration on Switch allows the two switches to establish an GtherChannel?

1. Change the LACP mode to desirable

2. Change the protocol to EtherChannel mode on.

3. Change the protocol to PAqP and use auto mode

4. Change the LACP mode to active

50 / 99

50. A network analyst is tasked with configured the date and time on a router using EXEC mode. The date must be set to 12:00am. Which
command should be used?

1. Clock set

2. Clock timezone

3. Clock summer-time date

4. Clock summer-time-recurring

51 / 99

51. Refer to the exhibit. Which command must be executed for Gi1.1 on SW1 to become a trunk port if Gi1/1 on SW2 is configured in desirable or
trunk mode?

1. switchport mode dynamic desirable

2. switchport mode dynamic auto

3. switchport mode dot1-tunnel

4. switchport mode trunk

52 / 99

52. Which global command encrypt all passwords in the running configuration?

1. enable password-encryption

2. password-encrypt

3. enable secret

4. service password-encryption

53 / 99

53. How does QoS optimize voice traffic?

1. by increasing jitter

2. by reducing packet loss

3. reducing bandwidth usage

4. by differentiating voice and video traffic

54 / 99

54. Where is the interface between the control plane and data plane within the softwaredefined architecture?

1. control layer and the application layer

2. application layer and the management layer

3. control layer and the infrastructure layer

4. application layer and the infrastructure layer

55 / 99

55. How does WPA3 improve security?

1. It uses RC4 for encryption

2. It uses a 4-way handshake for authentication

3. It uses TKIP for encryption.

4. It uses SAE for authentication.

56 / 99

56. What is a role of access points in an enterprise network?

1. integrate with SNMP in preventing DDoS attacks

2. serve as a first line of defense in an enterprise network

3. support secure user logins to devices or the network

4. connect wireless devices to a wired network

57 / 99

57. What is the purpose of a southbound API in a control based networking architecture?

1. Facilities communication between the controller and the applications

2. Facilities communication between the controller and the networking hardware

3. integrates a controller with other automation and orchestration tools.

4. allows application developers to interact with the network

58 / 99

58. Why was the RFC 1918 address space defined?

1. preserve public IPv6 address space

2. support the NAT protocol

3. reduce instances of overlapping IP addresses

4. conserve public IPv4 addressing

59 / 99

59. What is the benefit of using FHRP?

1. higher degree of availability

2. reduced management overhead on network routers

3. reduced ARP traffic on the network

4. balancing traffic across multiple gateways in proportion to their loads

60 / 99

60. Refer to the exhibit. What is the metric of the route to the 192.168.10.33/28 subnet?

1. 193

2. 128

3. 84

4. 110

5. 192

61 / 99

61. What are two characteristics of an SSID? (Choose Two)

1. It is at most 32 characters long.

2. It uniquely identifies an access point in a WLAN

3. IT provides secured access to a WLAN

4. It uniquely identifies a client in a WLAN

5. It can be hidden or broadcast in a WLAN

62 / 99

62. How are VLAN hopping attacks mitigated?

1. configure extended VLANs

2. enable dynamic ARP inspection

3. activate all ports and place in the default VLAN

4. manually implement trunk ports and disable DTP

63 / 99

63. Which two components are needed to create an Ansible script that configures a VLAN on a switch? (Choose two.)

1. playbook

2. task

3. recipe

4. cookbook

5. model

64 / 99

64. Which security program element involves installing badge readers on data-center doors to allow workers to enter and exit based on their job
roles?

1. physical access control

2. multifactor authentication

3. biometrics

4. role-based access control

65 / 99

65. What Is the path for traffic sent from one user workstation to another workstation on a separate switch In a Ihree-lter architecture model?

1. access – core – access

2. access – core – distribution – access

3. access – distribution – distribution – access

4. access -distribution – core – distribution – access

66 / 99

66. What are two improvements provided by automation for network management in an SDN environment? (Choose two)

1. New devices are onboarded with minimal effort

2. Proprietary Cisco APIs leverage multiple network management tools

3. Artificial intelligence identifies and prevents potential design failures

4. Machine learning minimizes the overall error rate when automating troubleshooting processes

5. Data collection and analysis tools establish a baseline for the network

67 / 99

67. When deploying syslog, which severity level logs informational message?

1. 4

2. 6

3. 2

4. 0

68 / 99

68. Refer to the exhibit. How must router A be configured so that it only sends Cisco Discovery Protocol Information to router C?

1. Option B

2. Option C

3. Option D

4. Option A

69 / 99

69. When a client and server are not on the same physical network, which device is used to forward requests and replies between client and server
for DHCP?

1. DHCPOFFER

2. DHCP relay agent

3. DHCPDISCOVER

4. DHCP server

70 / 99

70. An engineer is configuring data and voice services to pass through the same port. The designated switch interface fastethernet0/1 must transmit
packets using the same priority for data when they are received from the access port of the IP phone. Which configuration must be used?

1. interface fastethernet0/1 switchport voice vlan untagged

2. interface fastethernet0/1 switchport priority extend trust

3. . interface fastethernet0/1 switchport voice vlan dot1p

4. interface fastethernet0/1 switchport priority extend cos 7

71 / 99

71. What is the benefit of configuring PortFast on an interface?

1. The frames entering the interface are marked with higher priority and then processed faster by a switch.

2. After the cable is connected, the interface is available faster to send and receive user data

3. After the cable is connected, the interface uses the fastest speed setting available for that cable type

4. Real-time voice and video frames entering the interface are processed faster

72 / 99

72. Refer to the exhibit. Which two commands, when configured on router R1, fulfill these requirements? (Choose two.)
Packets towards the entire network 2001:db8:2::/64 must be forwarded through router R2.
Packets toward host 2001:db8:23::14 preferably must be forwarded through R3.

1. Ipv6 route 2001:db8:23::/128 fd00:12::2

2. Ipv6 route 2001:db8:23::/64 fd00:12::2

3. Ipv6 route 2001:db8:23::14/128 fd00:13::3

4. Ipv6 route 2001:db8:23::14/64 fd00:12::2 200

5. Ipv6 route 2001:db8:23::14/64 fd00:12::2

73 / 99

73. What are two benefits of FHRPs? (Choose two.)

1. They allow encrypted traffic.

2. They are able to bundle muftlple ports to increase bandwidth

3. They allow multiple devices lo serve as a single virtual gateway for clients in the network

4. They enable automatic failover of the default gateway.

5. They prevent (oops in the Layer 2 network.

74 / 99

74. What does the switch do as it receives the frame from Sales-4?

1. Flood the frame out of all ports except on the port where Sales-1 is connected

2. Map the Layer 2 MAC address to the Layer 3 IP address and forward the frame

3. . Perform a lookup in the MAC address table and discard the frame due to a missing entry

4. Insert the source MAC address and port into the forwarding table and forward the frame to Sales-1

75 / 99

75. Refer to the exhibit. An administrator must turn off the Cisco Discovery Protocol on the port configured with address last usable address in the
10.0.0.0/30 subnet. Which command set meets the requirement?

1. interface gi0/1 clear cdp table

2. interface gi0/0 no cdp advertise-v2

3. interface gi0/0 no cdp run

4. interface gi0/1 no cdp enable

76 / 99

76. Which level of severity must be set to get informational syslogs?

1. debug

2. critical

3. alert

4. notice

77 / 99

77. Which WLC port connects to a switch to pass normal access-point traffic?

1. service

2. console

3. distribution system

4. redundancy

78 / 99

78. When a switch receives a frame for a known destination MAC address, how is the frame handed?

1. sent to the port identified for the known MAC address

2. broadcast to all ports

3. forwarded to the first available port

4. flooded to all ports except the one from which it originated

79 / 99

79. An engineer configures interface Gi1/0 on the company PE router to connect to an ISP Neighbor discovery is disabled. Which action is
necessary to complete the configuration if the ISP uses third-party network devices?

1. Enable LLDP globally

2. Disable Cisco Discovery Protocol on the interface

3. Enable LLDP-MED on the ISP device

4. Disable autonegotiation

80 / 99

80. An engineer observes high usage on the 2.4GHz channels and lower usage on the 5GHz channels. What must be configured to allow clients to
preferentially use 5GHz access points?

1. OEAP Split Tunnel

2. 11ac MU-MIMO

3. Client Band Select

4. Re- Anchor Roamed Clients

81 / 99

81. Which mode must be set for APs to communicate to a Wireless LAN Controller using the Control and Provisioning of Wireless Access Points
(CAPWAP) protocol?

1. lightweight

2. bridge

3. route

4. autonomous

82 / 99

82. An engineering team asks an implementer to configure syslog for warning conditions and error conditions. Which command does the
implementer configure to achieve the desired result?

1. logging trap 5

2. logging trap 3

3. logging trap 2

4. logging trap 4

83 / 99

83. What is a characteristic of private IPv4 addressing?

1. composed of up to 65.536 available addresses

2. used without tracking or registration

3. traverse the Internet when an outbound ACL is applied

4. issued by IANA in conjunction with an autonomous system number

84 / 99

84. What is the function of a hub-and-spoke WAN topology?

1. provides direct connections between subscribers

2. supports application optimization

3. supports Layer 2 VPNs

4. allows access restrictions to be implemented between subscriber sites.

85 / 99

85. Which plane is centralized by an SON controller?

1. services-plane

2. management-plane

3. data-plane

4. control-plane

86 / 99

86. Which condition must be met before an NMS handles an SNMP trap from an agent?

1. The NMS must receive the same trap from two different SNMP agents to verify that it is reliable.

2. The NMS software must be loaded with the MIB associated with the trap

3. The NMS must receive a trap and an inform message from the SNMP agent within a configured interval

4. The NMS must be configured on the same router as the SNMP agent

87 / 99

87. Which technology is appropriate for communication between an SDN controller and applications running over the network?

1. Southbound API

2. REST API

3. OpenFlow

4. NETCONF

88 / 99

88. What prevents a workstation from receiving a DHCP address?

1. DTP

2. 802.10

3. VTP

4. STP

89 / 99

89. On workstations running Microsoft Windows, which protocol provides the default gateway for the device?

1. DHCP

2. DNS

3. SNMP

4. STP

90 / 99

90. An engineer needs to add an old switch back into a network. To prevent the switch from corrupting the VLAN database which action must be
taken?

1. Add the switch with DTP set to dynamic desirable

2. Add the switch with DTP set to desirable

3. Add the switch in the VTP domain with a higher revision number

4. Add the switch in the VTP domain with a lower revision number

91 / 99

91. What does physical access control regulate?

1. access to networking equipment and facilities

2. access to spec fie networks based on business function

3. access 😮 computer networks and file systems

4. access to servers to prevent malicious activity

92 / 99

92. A network administrator must to configure SSH for remote access to router R1 The requirement is to use a public and private key pair to encrypt
management traffic to and from the connecting client. Which configuration, when applied, meets the requirements?

1. Option D

2. Option C

3. Option A

4. Option B

93 / 99

93. Which 802.11 management frame type is sent when a client roams between access points on the same SSID?

1. Authentication Request

2. Probe Request

3. Reassociation Request

4. Association Request

94 / 99

94. What are two benefits of using the PortFast feature? (Choose two)

1. Enabled interfaces are automatically placed in listening state

2. Enabled interfaces come up and move to the forwarding state immediately

3. Enabled interfaces that move to the learning state generate switch topology change notifications

4. Enabled interfaces never generate topology change notifications

5. . Enabled interfaces wait 50 seconds before they move to the forwarding state

95 / 99

95. After installing a new Cisco ISE server, which task must the engineer perform on the Cisco WLC to connect wireless clients on a specific VLAN
based on their credentials?

1. Enable the Even: Driven RRM

2. Enable the allow AAA Override

3. Disable the LAG Mode or Next Reboot.

4. Enable the Authorized MIC APs against auth-list or AAA.

96 / 99

96. Which two primary drivers support the need for network automation? (Choose two.)

1. Policy-derived provisioning of resources

2. Eliminating training needs

3. Providing a ship entry point for resource provisioning

4. Reducing hardware footprint

5. ncreasing reliance on self-diagnostic and self-healing

97 / 99

97. Which switch technology establishes a network connection immediately when it is plugged in?

1. PortFast

2. BackboneFast

3. UplinkFast

4. BPDU guard

98 / 99

98. What must be considered when using 802.11a?

1. It is chosen over 802 11b/g when a lower-cost solution is necessary

2. It is used in place of 802 11b/g when many nonoverlapping channels are required

3. It is susceptible to interference from 2 4 GHz devices such as microwave ovens.

4. It is compatible with 802 lib- and 802 11-compliant wireless devices

99 / 99

99. In QoS, which prioritization method is appropriate for interactive voice and video?

1. round-robin scheduling

2. expedited forwarding

3. traffic policing

4. low-latency queuing

Your score is

LinkedIn Facebook Twitter VKontakte

0 votes, 0 avg

Created by

Rabiul Islam

CCNA Question Part-6

1 / 109

1. Refer to the exhibit. An engineer has started to configure replacement switch SW1. To verify part of the configuration, the engineer issued the
commands as shown and noticed that the entry for PC2 is missing. Which change must be applied to SW1 so that PC1 and PC2 communicate
normally?

1. SW1(config)#interface fa0/2 SW1(config-if)#no switchport access vlan 2 SW1(config-if)#no switchport trunk allowed vlan 3 SW1(config-if)#switchport trunk allowed vlan 2

2. SW1(config)#interface fa0/1 SW1(config-if)#no switchport access vlan 2 SW1(config-if)#switchport trunk native vlan 2 SW1(config-if)#switchport trunk allowed vlan 3

3. SW1(config)#interface fa0/2 SW1(config-if)#no switchport mode trunk SW1(config-if)#no switchport trunk allowed vlan 3 SW1(config-if)#switchport mode access

4. SW1(config)#interface fa0/1 SW1(config-if)#no switchport access vlan 2 SW1(config-if)#switchport access vlan 3 SW1(config-if)#switchport trunk allowed vlan 2

2 / 109

2. A Cisco engineer must configure a single switch interface to meet these requirements
accept untagged frames and place them in VLAN 20
accept tagged frames in VLAN 30 when CDP detects a Cisco IP phone
Which command set must the engineer apply?

1. switchport mode dynamic auto switchport trunk native vlan 20 switchport trunk allowed vlan 30 switchport voice vlan 30

2. switchport mode dynamic desirable switchport access vlan 20 switchport trunk allowed vlan 30 switchport voice vlan 30

3. switchport mode trunk switchport access vlan 20 switchport voice vlan 30

4. switchport mode access switchport access vlan 20 switchport voice vlan 30

3 / 109

3. Refer to the exhibit. Router R1 resides in OSPF Area 0. After updating the R1 configuration to influence the paths that it will use to direct traffic,
an engineer verified that each of the four Gigabit interfaces has the same route to 10.10.0.0/16. Which interface will R1 choose to send traffic to
reach the route?

1. GigabitEthernet0/0

2. GigabitEthernet0/2

3. GigabitEthernet0/3

4. GigabltEthornet0/1

4 / 109

4. What is the function of the controller in a software-defined network?

1. multicast replication at the hardware level

2. fragmenting and reassembling packets

3. making routing decisions

4. forwarding packets

5 / 109

5. What is a requirement when configuring or removing LAG on a WLC?

1. The Incoming and outgoing ports for traffic flow must be specified If LAG Is enabled.

2. The controller must be rebooted after enabling or reconfiguring LAG

3. Multiple untagged interfaces on the same port must be supported.

4. The management interface must be reassigned if LAG disabled

6 / 109

6. OSPF must be configured between routers R1 and R2. Which OSPF configuration must be applied to router R1 to avoid a DR/BDR election?

1. router ospf 1 network 192.168.1.1 0.0.0.0 area 0 interface e1/1 ip address 192.168.1.1 255.255.255.252 ip ospf network point-to-point

2. router ospf 1 network 192.168.1.1 0.0.0.0 area 0 interface e1/1 ip address 192.168.1.1 255.255.255.252 ip ospf network broadcast

3. router ospf 1 network 192.168.1.1 0.0.0.0 area 0 hello interval 15 interface e1/1 Ip address 192.168.1.1 255.255.255.252

4. router ospf 1 network 192.168.1.1 0.0.0.0 area 0 interface e1/1 ip address 192.168.1.1 255.255.255.252 ip ospf cost 0

7 / 109

7. Refer to the exhibit. R1 learns all routes via OSPF Which command configures a backup static route on R1 to reach the 192.168.20.0/24
network via R3?

1. R1(config)#ip route 192.168.20.0 255.255.255.0 192.168.30.2

2. R1(config)#ip route 192.168.20.0 255.255.0.0 192.168.30.2

3. R1(config)#ip route 192.168.20.0 255.255.255.0 192.168.30.2 111

4. R1(config)#ip route 192.168.20.0 255.255.255.0 192.168.30.2 90

8 / 109

8. Refer to the exhibit. How should the configuration be updated to allow PC1 and PC2 access to the Internet?

1. Add either the ip nat {inside|outside} command under both interfaces.

2. Remove the overload keyword from the ip nat inside source command.

3. Modify the configured number of the second access list

4. . Change the ip nat inside source command to use interface GigabitEthernet0/0

9 / 109

9. A Cisco engineer is configuring a factory-default router with these three passwords:
The user EXEC password for console access is p4ssw0rd1
The user EXEC password for Telnet access is s3cr3t2
The password for privileged EXEC mode is pnv4t3p4ss.

Which command sequence must the engineer configured

1. enable secret privilege 15 priv4t3p4ss ! line con 0 password p4ssword1 login ! line vty 0 15 password s3cr3t2 login

2. enable secret priv4t3p4ss ! line con 0 password p4ssword1 login ! line vty 0 15 password s3cr3t2 login

3. . enable secret priv4t3p4ss ! line con 0 password login p4ssword1 ! line vty 0 15 password login s3cr3t2 login

4. enable secret priv4t3p4ss ! line con 0

10 / 109

10. Which wireless security protocol relies on Perfect Forward Secrecy?

1. WPA3

2. WPA

3. WPA2

4. WEP

11 / 109

11. Refer to the exhibit. An IP subnet must be configured on each router that provides enough addresses for the number of assigned hosts and
anticipates no more than 10% growth for now hosts. Which configuration script must be used?

1. R7# configure terminal interface Fa1/0 ip address 10.1.56.1 255.255.192.0 no shutdown R8# configure terminal interface Fa0/0 ip address 10.9.32.1 255.255.224.0 no shutdown R9# configure terminal interface Fa 1/1 ip address 10.23.96.1 255.255.128.0 no shutdown

2. R7# configure terminal interface Fa 1/0 ip address 10.1.56.1 255.255.252.0 no shutdown R8# configure terminal interface Fa0/0 ip address 10.9.32.1 255.255.255.0 no shutdown R9# configure terminal interface Fa 1/1 ip address 10.23.96.1 255.255.240.0 no shutdown

3. R7# configure terminal interface Fa1/0 ip address 10.1.56.1 255.255.248.0 no shutdown R8# configure terminal interface Fa0/0 ip address 10.9.32.1 255.255.254.0 no shutdown R9# configure terminal interface Fa1/1 ip address 10.23.96.1 255.255.248.0 no shutdown

4. R7# configure terminal interface Fa 1/0 ip address 10.1.56.1 255.255.240.0 no shutdown R8# configure terminal interface Fa0/0 ip address 10.9.32.1 255.255.224.0 no shutdown R9# configure terminal interface Fa1/1 ip address 10.23.96.1 255.255.192.0 no shutdown

12 / 109

12. An engineer is configuring remote access to a router from IP subnet 10.139.58.0/28. The domain name, crypto keys, and SSH have been
configured. Which configuration enables the traffic on the destination router?

1. Option B

2. Option A

3. Option C

4. Option D

13 / 109

13. Which type of API allows SDN controllers to dynamically make changes to the network?

1. REST API

2. SOAP API

3. southbound API

4. northbound API

14 / 109

14. Refer to the exhibit. Switch A is newly configured. All VLANs are present in the VLAN database. The IP phone and PC A on Gi0/1 must be
configured for the appropriate VLANs to establish connectivity between the PCs. Which command set fulfills the requirement?

1. SwitchA(config-if)#switchport mode trunk SwitchA(config-if)#switchport trunk allowed vlan 50, 51 SwitchA(config-if)#mls qos trust cos

2. SwitchA(config-if)#switchport mode trunk SwitchA(config-if)#switchport trunk allowed vlan add 50, 51 SwitchA(config-if)#switchport voice vlan dot1p

3. SwitchA(config-if)#switchport mode access SwitchA(config-if)#switchport access vian 50 SwitchA(config-if)#switchport voice vlan 51

4. SwitchA(config-if)#switchport mode access SwitchA(config-if)#switchport access vlan 50 SwitchA(config-if)#switchport voice vlan untagged

15 / 109

15. Which PoE mode enables powered-device detection and guarantees power when the device is detected?

1. active

2. auto

3. dynamic

4. static

16 / 109

16. Refer to the exhibit. Which two commands must be added to update the configuration of router R1 so that it accepts only encrypted
connections? (Choose two)

1. line vty 0 4

2. username CNAC secret R!41!4319115@

3. crypto key generate rsa 1024

4. ip ssh version 2

5. transport input ssh

17 / 109

17. Refer to the exhibit. An engineer is configuring the HO router. Which IPv6 address configuration must be applied to the router fa0’1 interface for
the router to assign a unique 64-brt IPv6 address to Itself?

1. ipv6 address 2001:DB8:0:1:C601:42FF:FE0F:7/64

2. ipv6 address 2001:DB8:0:1:C601:42FE:800F:7/64

3. ipv6 address 2001 :DB8:0:1:FE80:C601:420F:7/64

4. ipv6 address 2001 :DB8:0:1:FFFF:C601:420F:7/64

18 / 109

18. Refer to the exhibit. Which route must be configured on R1 so that OSPF routing is used when OSPF is up. but the server is still reachable
when OSPF goes down?

1. ip route 10.1.1.0 255.255.255.0 172.16.2.2 100

2. ip route 10.1.1.10 255.255.255.255 gi0/0 125

3. ip route 10.1.1.0 255.255.255.0 gi0/1 125

4. ip route 10.1.1.10 255.255.255.255 172.16.2.2 100

19 / 109

19. Refer to the exhibit. Traffic that is flowing over interface TenGigabitEthernet0/0 experiences slow transfer speeds. What is the reason for the
issue?

1. a duplex incompatibility

2. a speed conflict

3. heavy traffic congestion

4. queuing drops

20 / 109

20. Refer to the exhibit. Which command configures OSPF on the point-to-point link between routers R1 and R2?

1. ipospf priority 100

2. router-id 10.0.0.15

3. network 10.0.0.0 0.0.0.3 area 0

4. neighbor 10.1.2.0 cost 180

21 / 109

21. Refer to the exhibit. The following must be considered:
SW1 is fully configured for all traffic
The SW4 and SW9 links to SW1 have been configured
The SW4 interface Gi0/1 and Gi0/0 on SW9 have been configured

The remaining switches have had all VLANs added to their VLAN database.

Which configuration establishes a successful ping from PC2 to PC7 without interruption to traffic flow between other PCs?

1. Option A

2. Option B

22 / 109

22. Which type of organization should use a collapsed-core architecture?

1. large and must minimize downtime when hardware fails

2. small and needs to reduce networking costs currently

3. small but is expected to grow dramatically in the near future

4. large and requires a flexible, scalable network design

23 / 109

23. What is one reason to implement LAG on a Cisco WLC?

1. to allow for stateful and link-state failover

2. to provide link redundancy and load balancing

3. to increase security and encrypt management frames

4. to enable connected switch ports to failover and use different VLANs

24 / 109

24. Which virtual MAC address is used by VRRP group 1?

1. 0050.0c05.ad81

2. 0007.c061.bc01

3. 0500.3976.6401

4. 0000.5E00.0101

25 / 109

25. Refer to the exhibit. A network engineer must update the configuration on Switch2 so that it sends LLDP packets every minute and the
information sent via LLDP is refreshed every 3 minutes Which configuration must the engineer apply?

1. Switch2(config)#lldp timer 60 Switch2(config)#lldp holdtime 180

2. Switch2(config)#lldp timer 1 Switch2(config)#lldp holdtime 3

3. Switch2(config)#lldp timer 60 Switch2(config)#lldp tlv-select 180

4. Switch2(config)#lldp timer 1 Switch2(config)#lldp tlv-select 3

26 / 109

26. Which QoS traffic handling technique retains excess packets in a queue and reschedules these packets for later transmission when the
configured maximum bandwidth has been surpassed?

1. traffic policing

2. weighted random early detection

3. traffic prioritization

4. traffic shaping

27 / 109

27. A network engineer is Installing an IPv6-only capable device. The client has requested that the device IP address be reachable only from the
internal network. Which type of IPv6 address must the engineer assign?

1. aggregatable global address

2. IPv4-compatible IPv6 address

3. link-local address

4. unique local address

28 / 109

28. Refer to the exhibit. An engineer is configuring an EtherChannel using LACP between Switches 1 and 2. Which configuration must be applied so
that only Switch 1 sends LACP initiation packets?

1. Switch1{config-if)#channel-group 1 mode active Switch2(config-if)#channel-group 1 mode passive

2. Switch1(config-if)#channel-group 1 mode on Switch2(config-if)#channel-group 1 mode active

3. Switch1(config-if)#channel-group 1 mode passive Switch2(config-if)#channel-group 1 mode active

4. Switch 1 (config-if)#channel-group 1 mode on Swrtch2(config-if)#channel-group 1 mode passive

29 / 109

29. What is the purpose of an SSID?

1. It provides network security

2. It differentiates traffic entering access posits

3. It identities an individual access point on a WLAN

4. It identifies a WLAN

30 / 109

30. Refer to the exhibit. Which command must be issued lo enable a floating static default route on router A?

1. ip route 0.0.0.0 0.0.0.0 192.168.1.2

2. ip route 0.0.0.0 0.0.0.0 192.168.1.2 10

3. ip default-gateway 192.168.2.1

4. ip route 0.0.0.0 0.0.0.0 192.168.2.1 10

31 / 109

31. Which WLC management connection type is vulnerable to man-in-the-middle attacks?

1. console

2. SSH

3. HTTPS

4. Telnet

32 / 109

32. What is a function of a Layer 3 switch?

1. move frames between endpoints limited to IP addresses

2. flood broadcast traffic within a VLAN

3. forward Ethernet frames between VLANs using only MAC addresses

4. transmit broadcast traffic when operating in Layer 3 mode exclusively

33 / 109

33. R1 as an NTP server must have:
NTP authentication enabled
NTP packets sourced from Interface loopback 0
NTP stratum 2

NTP packets only permitted to client IP 209.165.200.225
How should R1 be configured?

1. ntp authenticate ntp authentication-key 2 md5 CISCO123 ntp interface Loopback0 ntp access-groud server-only 10

2. ntp authenticate ntp authentication-key 2 md5 CISCO123 ntp source Loopback0 nntp access-group server-only 10 ntp master 2 ! access-list 10 permit 209.165.200.225

3. ntp authenticate ntp authentication-key 2 md5 CISCO123 ntp source Loopback0 ntp access-group server-only 10 ntp stratum 2 ! access-list 10 permit udp host 209.165.200.225 any eq 123

4. ntp authenticate ntp authentication-key 2 sha1 CISCO123 ntp source Loopback0 ntp access-group server-only 10 ntp master 2 ! access-list 10 permit udp host 209.165.200.225 any eq 123

34 / 109

34. Refer to the exhibit. Which two commands must be configured on router R1 to enable the router to accept secure remote-access connections?
(Choose two)

1. username cisco password 0 Cisco

2. ip ssh pubkey-chain

3. crypto key generate rsa

4. login console

5. transport input telnet

35 / 109

35. Refer to the exhibit. All VLANs are present in the VLAN database. Which command sequence must be applied to complete the configuration?

1. Interface FastEthernet0/1 switchport trunk allowed vlan add 10 vlan 10 private-vlan isolated

2. Interface FastEthernet0/1 switchport mode trunk switchport trunk allowed vlan 10,15

3. interface FastEthernet0/1 switchport mode access switchport voice vlan 10

4. Interface FastEthernet0/1 switchport trunk native vlan 10 switchport trunk allowed vlan 10,15

36 / 109

36. An engineer must configure R1 for a new user account. The account must meet these requirements:
It must be configured in the local database.
The username is engineer.
It must use the strongest password configurable.

Which command must the engineer configure on the router?

1. R1(config)# username englneer2 secret 4 S1Sb1Ju$kZbBS1Pyh4QzwXyZ

2. R1(config)# username engineer2 secret 5 .password S1$b1Ju$kZbBS1Pyh4QzwXyZ

3. R1 (config)# username engineer2 algorithm-type scrypt secret test2021

4. R1(config)# username engineer2 privilege 1 password 7 test2021

37 / 109

37. How does Rapid PVST+ create a fast loop-free network topology?

1. lt requires multiple links between core switches

2. It uses multiple active paths between end stations.

3. It maps multiple VLANs into the same spanning-tree instance

4. It generates one spanning-tree instance for each VLAN

38 / 109

38. Refer to the exhibit. An engineer assumes a configuration task from a peer Router A must establish an OSPF neighbor relationship with
neighbor 172.1.1.1 The output displays the status of the adjacency after 2 hours. What is the next step in the configuration process for the
routers to establish an adjacency?

1. Configure a point-to-point link between router A and router B.

2. Set the router B OSPF ID to the same value as its IP address

3. Set the router B OSPF ID to a nonhost address.

4. Configure router A to use the same MTU size as router B

39 / 109

39. What is a function of an endpoint on a network?

1. forwards traffic between VLANs on a network

2. allows users to record data and transmit to a tile server

3. provides wireless services to users in a building

4. connects server and client devices to a network

40 / 109

40. Refer to the exhibit. Which minimum configuration items are needed to enable Secure Shell version 2 access to R15?

1. Router(config)#hostname R15 R15(config)#crypto key generate rsa general-keys modulus 1024 R15(config-line #line vty 0 15 R15(config-line)#transport input ssh R15(config)#ip ssh source-interface Fa0/0 R15(config)#ip ssh stricthostkeycheck

2. . Router(config)#ip domain-name cisco.com Router(config)#crypto key generate rsa general-keys modulus 1024 Router(config)#ip ssh version 2 Router(config-line)#line vty 0 15 Router(config-line)#transport input all Router(config)#ip ssh logging events

3. Router(config)#hostname R15 R15(config)#ip domain-name cisco.com R15(config)#crypto key generate rsa general-keys modulus 1024 R15(config)#ip ssh version 2 R15(config-line)#line vty 0 15 R15(config-line)#transport input ssh

4. Router(config)#crypto key generate rsa general-keys modulus 1024 Router(config)#ip ssh version 2 Router(config-line #line vty 0 15 Router(config-line)#transport input ssh Router(config)#ip ssh logging events R15(config)#ip ssh stricthostkeycheck

41 / 109

41. Refer to the exhibit. Which configuration enables DHCP addressing for hosts connected to interface FastEthernet0/1 on router R4?

1. interface FastEthernet0/1 ip helper-address 10.0.1.1 ! access-list 100 permit udp host 10.0.1.1 eq bootps host 10.148.2.1

2. interface FastEthernot0/1 ip helper-address 10.0.1.1 ! access-list 100 permit tcp host 10.0.1.1 eq 67 host 10.148.2.1

3. interface FastEthernet0/0 ip helper-address 10.0.1.1 ! access-list 100 permit udp host 10.0.1.1 eq bootps host 10.148.2.1

4. interface FastEthernetO/0 ip helper-address 10.0.1.1 ! access-list 100 permit host 10.0.1.1 host 10.148.2.1 eq bootps

42 / 109

42. Refer to the exhibit. The link between PC1 and the switch is up. but it is performing poorly. Which interface condition is causing the performance
problem?

1. There is an interface type mismatch

2. There is an issue with the fiber on the switch interface.

3. There is a duplex mismatch on the interface

4. There is a speed mismatch on the interface

43 / 109

43. What is an expected outcome when network management automation is deployed?

1. Custom applications are needed to configure network devices

2. Software upgrades are performed from a central controller

3. A distributed management plane must be used

4. Complexity increases when new device configurations are added

44 / 109

44. Which protocol is used for secure remote CLI access?

1. HTTP

2. SSH

3. HTTPS

4. Telnet

45 / 109

45. Refer to the exhibit. Which two configurations must the engineer apply on this network so that R1 becomes the DR? (Choose two.)

1. R3(config)#interface fastethernet 0/0 R3(config-if)#ip ospf priority 0

2. R1(config)#interface fastethernet 0/0 R1(config-if)#ip ospf priority 0

3. R1(config)#interface fastethernet 0/0 R1(config-if)#ip ospf priority 200

4. R3(config)#interface fastethernet 0/0 R3(config-if)#ip ospf priority 200

5. R1(config)#router ospf 1 R1(config-router)#router-id 192.168.100.1

46 / 109

46. What are two characteristics of a public cloud Implementation? (Choose two.)

1. It Is a data center on the public Internet that maintains cloud services for only one company.

2. It enables an organization to fully customize how It deploys network resources.

3. It provides services that are accessed over the Internet.

4. It is owned and maintained by one party, but it is shared among multiple organizations.

5. It supports network resources from a centralized third-party provider and privately-owned virtual resources

47 / 109

47. Refer to the exhibit. The router has been configured with a supernet to accommodate the requirement for 380 users on a subnet The
requirement already considers 30% future growth. Which configuration verifies the IP subnet on router R4?

1. Subnet: 10.7.54.0 Subnet mask: 255.255.128.0 Broadcast address: 10.7.55.255 Usable IP address range: 10.7.54.1 – 10.7.55.254

2. Subnet: 10.7.54.0 Subnet mask: 255.255.254.0 Broadcast address: 10.7.55.255 Usable IP address range: 10.7.54.1 – 10.7.55.254

3. Subnet: 10.7.54.0 Subnet mask: 255.255 254.0 Broadcast address: 10.7.54.255 Usable IP address range: 10.7.54.1 – 10.7.55.254

4. Subnet: 10.7.54.0 Subnet mask: 255.255.255.0 Broadcast address: 10.7.54.255 Usable IP address range: 10.7.54.1 – 10.7.55.254

48 / 109

48. What is the difference between IPv6 unicast and anycast addressing?

1. . An individual IPv6 unicast address is supported on a single interface on one node but an IPv6 anycast address is assigned to a group of interfaces on multiple nodes.

2. IPv6 anycast nodes must be explicitly configured to recognize the anycast address, but IPv6 unicast nodes require no special configuration

3. Unlike an IPv6 anycast address, an IPv6 unicast address is assigned to a group of interfaces on multiple nodes

4. IPv6 unicast nodes must be explicitly configured to recognize the unicast address, but IPv6 anycast nodes require no special configuration

49 / 109

49. Which action is taken by the data plane within a network device?

1. forwards traffic to the next hop

2. looks up an egress interface in the forwarding information base

3. constructs a routing table based on a routing protocol

4. provides CLI access to the network device

50 / 109

50. Which type of network attack overwhelms the target server by sending multiple packets to a port until the half-open TCP resources of the target
are exhausted?

1. reflection

2. teardrop

3. SYN flood

4. amplification

51 / 109

51. Refer to the exhibit. An engineer is configuring a new router on the network and applied this configuration. Which additional configuration allows
the PC to obtain its IP address from a DHCP server?

1. Configure the ip dhcp smart-relay command globally on the router

2. Configure the ip dhcp relay information command under interface Gi0/1

3. Configure the ip address dhcp command under interface Gi0/0

4. Configure the ip helper-address 172.16.2.2 command under interface Gi0/0

52 / 109

52. Which action implements physical access control as part of the security program of an organization?

1. configuring enable passwords on network devices

2. backing up syslogs at a remote location

3. configuring a password for the console port

4. setting up IP cameras to monitor key infrastructure

53 / 109

53. Refer to the exhibit. Router R1 currently is configured to use R3 as the primary route to the Internet, and the route uses the default
administrative distance settings. A network engineer must configure R1 so that it uses R2 as a backup, but only if R3 goes down. Which
command must the engineer configure on R1 so that it correctly uses R2 as a backup route, without changing the administrative distance
configuration on the link to R3?

1. ip route 0,0.0.0 0.0.0.0 g0/1 6

2. ip route 0.0.0.0 0.0.0.0 209.165.200.226 1

3. ip route 0.0.0.0 0.0.0.0 g0/1 1

4. ip route 0.0.0.0 0.0.0.0 209.165.201.5 10

54 / 109

54. Refer to the exhibit. Traffic sourced from the loopback0 Interface is trying to connect via ssh to the host at 10.0.1.15. What Is the next hop to the
destination address?

1. 192.168.0.4

2. 192.168.0.40

3. 192.168.0.7

4. 192.168.3.5

55 / 109

55. Refer to the exhibit. Which configuration allows routers R14 and R86 to form an OSPFv2 adjacency while acting as a central point for exchanging OSPF

information between routers?

1. Option B

2. Option C

3. Option D

4. Option A

56 / 109

56. Refer to the exhibit. An engineer is updating the R1 configuration to connect a new server to the management network. The PCs on the
management network must be blocked from pinging the default gateway of the new server. Which command must be configured on R1 to
complete the task?

1. R1(config)#ip route 172.16.2.2 255.255.255.248 gi0/1

2. R1(config)#ip route 172.16.2.2 255.255.255.255 gi0/0

3. R1(conflg)#ip route 172.16.2.0 255.255.255.0 192.168.1.15

4. R1(conflg)#ip route 172.16.2.0 255.255.255.0 192.168.1.5

57 / 109

57. Refer to the exhibit. Routers R1 and R3 have the default configuration The router R2 priority is set to 99 Which commands on R3 configure it as
the DR in the 10.0 4.0/24 network?

1. R3(config)#interface Gig0/0 R3(config-if)i=ip ospf priority 1

2. R3(config)#interface Gig0/0 R3(config-if)#ip ospf priority 100

3. . R3(config)#interface Gig0/1 R3(config-if)#ip ospf priority 100

4. R3(config)#interface Gig0/1 R3(config-if)#ip ospf priority 0

58 / 109

58. What is a capability of FTP in network management operations?

1. offers proprietary support at the session layer when transferring data

2. uses separate control and data connections to move files between server and client

3. encrypts data before sending between data resources

4. devices are directly connected and use UDP to pass file information

59 / 109

59. Which field within the access-request packet is encrypted by RADIUS?

1. authenticator

2. authorized services

3. password

4. username

60 / 109

60. Which type of traffic Is sent with pure iPsec?

1. multicast traffic from a server at one site to hosts at another location

2. spanning-tree updates between switches that are at two different sites

3. unicast messages from a host at a remote site lo a server at headquarters

4. broadcast packets from a switch that is attempting to locate a MAC address at one of several remote sites

61 / 109

61. Refer to the exhibit. Which action must be taken to ensure that router A is elected as the DR for OSPF area 0?

1. Configure router B and router C as OSPF neighbors of router A

2. Configure router A with a fixed OSPF router ID

3. Configure the OSPF priority on router A with the lowest value between the three routers

4. Configure the router A interfaces with the highest OSPF priority value within the area

62 / 109

62. Which Layer 2 switch function encapsulates packets for different VLANs so that the packets traverse the same port and maintain traffic
separation between the VLANs?

1. VLAN DSCP

2. VLAN tagging

3. VLAN marking

4. VLAN numbering

63 / 109

63. A network engineer must implement an IPv6 configuration on the vlan 2000 interface to create a routable locally-unique unicast address that is
blocked from being advertised to the internet. Which configuration must the engineer apply?

1. interface vlan 2000 Ipv6 address fc00:0000:aaaa:a15d:1234:2343:8aca/64

2. interface vlan 2000 ipv6 address ffc0:0000:aaaa::1234:2343/64

3. interface vlan 2000 ipv6 address fe80;0000:aaaa::1234:2343/64

4. interface vlan 2000 ipv6 address fd00::1234:2343/64

64 / 109

64. Refer to the exhibit. Packets received by the router from BGP enter via a serial interface at 209 165 201 1 Each route is present within the
routing table Which interface is used to forward traffic with a destination IP of 10.1.1.19?

1. F0/3

2. F0/1

3. F0/0

4. F0/4

65 / 109

65. In software-defined architecture, which place handles switching for traffic through a Cisco router?

1. Data

2. Control

3. Management

4. application

66 / 109

66. Which protocol uses the SSL?

1. HTTPS

2. Telnet

3. HTTP

4. SSH

67 / 109

67. Which type of IPv6 address is similar to a unicast address but is assigned to multiple devices on the same network at the same time?

1. multicast address

2. anycast address

3. global unicast address

4. link-local address

68 / 109

68. Refer to the exhibit. Which plan must be Implemented to ensure optimal QoS marking practices on this network?

1. . As traffic traverses MS1 remark the traffic, but trust all markings at the access layer

2. Remark traffic as it traverses R1 and trust all markings at the access layer

3. Trust the IP phone markings on SW1 and mark traffic entering SW2 at SW2.

4. As traffic enters from the access layer on SW1 and SW2. trust all traffic markings

69 / 109

69. What is a requirement for nonoverlapping Wi-Fi channels?

1. unique SSIDs

2. different transmission speeds

3. discontinuous frequency ranges

4. different security settings

70 / 109

70. How are the switches in a spine-and-leaf topology interconnected?

1. Each leaf switch is connected to one of the spine switches

2. Each leaf switch is connected to each spine switch

3. Each leaf switch is connected to a central leaf switch, then uplinked to a core spine switch.

4. Each leaf switch is connected to two spine switches, making a loop

71 / 109

71. Which characteristic differentiates the concept of authentication from authorization and accounting?

1. identity verification

2. consumption-based billing

3. service limitations

4. user-activity logging

72 / 109

72. Refer to the exhibit. Which IPv6 configuration is required for R17 to successfully ping the WAN interface on R18?

1. Option B

2. Option A

3. Option D

4. Option C

73 / 109

73. Which two network actions occur within the data plane? (Choose two.)

1. Reply to an incoming ICMP echo request

2. Add or remove an 802.1Q trunking header

3. Make a configuration change from an incoming NETCONF RPC

4. Run routing protocols

5. Match the destination MAC address to the MAC address table.

74 / 109

74. Refer to the exhibit. Between which zones do wireless users expect to experience intermittent connectivity?

1. between zones 2 and 5

2. between zones 1 and 2

3. between zones 3 and 6

4. between zones 3 and 4

75 / 109

75. Which two components comprise part of a PKI? (Choose two.)

1. one or more CRLs

2. clear-text password that authenticates connections

3. RSA token

4. CA that grants certificates

5. preshared key that authenticates connections

76 / 109

76. Which two spanning-tree states are bypassed on an interface running PortFast? (Choose two.)

1. learning

2. listening

3. disabled

4. blocking

5. forwarding

77 / 109

77. Refer to the exhibit. An engineer is asked to insert the new VLAN into the existing trunk without modifying anything previously configured. Which
command accomplishes this task?

1. switchport trunk allowed vlan add 104

2. switchport trunk allowed vlan 104

3. switchport trunk allowed vlan all

4. switchport trunk allowed vlan 100-104

78 / 109

78.

Which device permits or denies network traffic based on a set of rules?

1. wireless controller

2. firewall

3. access point

4. switch

79 / 109

79. Refer to the exhibit. The DHCP server and clients are connected to the same switch. What is the next step to complete the DHCP configuration
to allow clients on VLAN 1 to receive addresses from the DHCP server?

1. Configure the ip dhcp relay information option command on the interface that is connected to the DHCP client.

2. Configure the ip dhcp snooping trust command on the interface that is connected to the DHCP server.

3. Configure the ip dhcp snooping trust command on the interlace that is connected to the DHCP client.

4. Configure the Ip dhcp relay information option command on the interface that is connected to the DHCP server.

80 / 109

80. Refer to the exhibit. What must be configured to enable 802.11w on the WLAN?

1. Set PMF to Required

2. Enable MAC Filtering.

3. Set Fast Transition to Enabled

4. Enable WPA Policy.

81 / 109

81. What is a function of Opportunistic Wireless Encryption in an environment?

1. increase security by using a WEP connection

2. protect traffic on open networks

3. offer compression

4. provide authentication

82 / 109

82. Refer to the exhibit. A company is configuring a failover plan and must implement the default routes in such a way that a floating static route will
assume traffic forwarding when the primary link goes down. Which primary route configuration must be used?

1. ip route 0.0.0.0 0.0.0.0 192.168.0.2 floating

2. ip route 0.0.0.0 0.0.0.0 192.168.0.2

3. ip route 0.0.0.0 0.0.0.0 192.168.0.2 tracked

4. ip route 0.0.0.0 0.0.0.0 192.168.0.2 GigabitEthernetl/0

83 / 109

83. What is a function of a Next-Generation IPS?

1. correlates user activity with network events

2. serves as a controller within a controller-based network

3. makes forwarding decisions based on learned MAC addresses

4. integrates with a RADIUS server to enforce Layer 2 device authentication rules

84 / 109

84. Refer to the exhibit. Users on existing VLAN 100 can reach sites on the Internet. Which action must the administrator take to establish
connectivity to the Internet for users in VLAN 200?

1. Update the NAT_INSIDE_RANGES ACL

2. Configure the ip nat outside command on another interface for VLAN 200

3. Configure static NAT translations for VLAN 200

4. Define a NAT pool on the router.

85 / 109

85. Which configuration must be used?

1. R5(config)#int Gi0/1 R5(config-if)#no cdp enable R5(config-if)#exit R5(config)#no lldp run R5(config)#cdp run R5#sh cdp neighbor detail R5#sh lldp neighbor

2. R5(config)#int Gi0/1 R5(config-if)#no cdp enable R5(config-if)#exit R5(config)#no lldp run R5(config)#cdp run R5#sh cdp neighbor R5#sh lldp neighbor

3. R5(config)#int Gi0/1 R5(config-if)#no cdp enable R5(config-if)#exit R5(config)#lldp run R5(config)#no cdp run R5#sh cdp neighbor detail R5#sh lldp neighbor

4. R5(config)#int Gi0/1 R5(config-if)#no cdp run R5(config-if)#exit R5(config)#lldp run R5(config)#cdp enable R5#sh cdp neighbor R5#sh lldp neighbor

86 / 109

86. A network administrator is setting up a new IPv6 network using the 64-bit address 2001 0EB8 00C1 2200:0001 0000 0000 0331/64 To simplify
the configuration the administrator has decided to compress the address Which IP address must the administrator configure?

1. ipv6 address 2001:EB8:C1:22:1::331/64

2. ipv6 address 21:EB8:C1:2200:1::331/64

3. ipv6 address 2001:EB8:C1:2200:1:0000:331/64

4. ipv6 address 2001 :EB8:C 1:2200.1 ::331-64

87 / 109

87. Refer to the exhibit. Packets received by the router from BGP enter via a serial interface at 209.165.201.10. Each route is present within the
routing table. Which interface is used to forward traffic with a destination IP of 10.10.10.24?

1. F0/11

2. F0/13

3. F0/10

4. F0/12

88 / 109

88. Refer to the exhibit. Users need to connect to the wireless network with IEEE 802. 11r-compatible devices. The connection must be maintained
as users travel between floors or to other areas in the building. What must be the configuration of the connection?

1. Select the WPA Policy option with the CCKM option.

2. Enable Fast Transition and select the FT PSK option

3. Disable AES encryption

4. Enable Fast Transition and select the FT 802.1x option

89 / 109

89. Refer to the exhibit. What is a reason for poor performance on the network interface?

1. The interface is operating at a different speed than the connected device.

2. The cable connection between the two devices is faulty

3. The bandwidth setting of the interface is misconfigured

4. The interface is receiving excessive broadcast traffic.

90 / 109

90. Refer to the exhibit. A static route must be configured on R14 to forward traffic for the 172 21 34 0/25 network that resides on R86 Which
command must be used to fulfill the request?

1. ip route 172.21.34.0 255.255.255.0 10.73.65.65

2. ip route 172.21.34.0 255.255.255.128 10.73.65.66

3. ip route 172.21.34.0 255.255.255.192 10.73.65.65

4. ip route 172.21.34.0 255.255.128.0 10.73.65.64

91 / 109

91. An engineer is installing a new wireless printer with a static IP address on the Wi-Fi network. Which feature must be enabled and configured to
prevent connection issues with the printer?

1. client exclusion

2. static IP tunneling

3. passive client

4. DHCP address assignment

92 / 109

92. Refer to the exhibit. Host A sent a data frame destined for host D What does the switch do when it receives the frame from host A?

1. It floods the frame out of all ports except port Fa0/1

2. It experiences a broadcast storm

3. It drops the frame from the switch CAM table

4. It shuts down the port Fa0/1 and places it in err-disable mode

93 / 109

93. A network engineer must configure two new subnets using the address block 10 70 128 0/19 to meet these requirements:
The first subnet must support 24 hosts
The second subnet must support 472 hosts
Both subnets must use the longest subnet mask possible from the address block.
Which two configurations must be used to configure the new subnets and meet a requirement to use the first available address in each subnetfor the router interfaces? (Choose two)

1. interface vlan 1148 ip address 10.70.148.1 255.255.254.0

2. interface vlan 1234 ip address 10.70.159.1 255.255.254.0

3. interface vlan 4722 ip address 10.70.133.17 255.255.255.192

4. interface vlan 155 ip address 10.70.155.65 255.255.255.224

5. interface vlan 3002 ip address 10.70.147.17 255.255.255.224

94 / 109

94. Which QoS per-hop behavior changes the value of the ToS field in the IPv4 packet header?

1. policing

2. shaping

3. marking

4. classification

95 / 109

95. Refer to the exhibit. Web traffic is coming in from the WAN interface. Which route takes precedence when the router is processing traffic
destined for the LAN network at 10.0.10.0/24?

1. via next-hop 10.0.1.5

2. via next-hop 10.0.1.4

3. via next-hop 10.0.1.50

4. via next-hop 10.0.1.100

96 / 109

96. Refer to the exhibit. A network engineer is in the process of establishing IP connectivity between two sites. Routers R1 and R2 are partially
configured with IP addressing. Both routers have the ability to access devices on their respective LANs. Which command set configures the IP
connectivity between devices located on both LANs in each site?

1. Option B

2. Option A

3. Option C

4. Option D

97 / 109

97. Refer to the exhibit. An engineer built a new L2 LACP EtherChannel between SW1 and SW2 and executed these show commands to verify the
work. Which additional task allows the two switches to establish an LACP port channel?

1. Change the channel-group mode on SW1 to desirable.

2. Change the channel-group mode on SW2 to auto

3. Configure the interface port-channel 1 command on both switches.

4. Change the channel-group mode on SW1 to active or passive.

98 / 109

98. An engineer is configuring router R1 with an IPv6 static route for prefix 2019:C15C:0CAF:E001::/64. The next hop must be
2019:C15C:0CAF:E002::1 The route must be reachable via the R1 Gigabit 0/0 interface. Which command configures the designated route?

1. R1(config)#ipv6 route 2019:C15C:0CAF:E001::/64 2019:C15C:0CAF:E002::1

2. R1(config-if)#ip route 2019:C15C:0CAF:E001::/64 GigabitEthernet0/0

3. R1(config)#ip route 2019:C15C:0CAF:E001::/64 GigabitEthernet0/0

4. R1(config-if)#ipv6 route 2019:C15C:0CAF:E001::/64 2019:C15C:0CAF:E002::1

99 / 109

99. Which interface mode must be configured to connect the lightweight APs in a centralized architecture?

1. access

2. WLAN dynamic

3. management

4. trunk

100 / 109

100. Refer to the exhibit. Which next-hop IP address does Routed use for packets destined to host 10.10.13.158?

1. 10.10.11.2

2. 10.10.10.9

3. 10.10.10.5

4. 10.10.12.2

101 / 109

101. Refer to the exhibit. Site A was recently connected to site B over a new single-mode fiber path. Users at site A report Intermittent connectivity
Issues with applications hosted at site B. What is the reason for the problem?

1. An incorrect type of transceiver has been inserted into a device on the link

2. Heavy usage is causing high latency

3. The wrong cable type was used to make the connection.

4. physical network errors are being transmitted between the two sites

102 / 109

102. Refer to the exhibit. Which switch becomes the root of a spanning tree for VLAN 20 if all li links are of equal speed?

1. SW4 = 64000 0041.454d.407f

2. SW1 = 24596 0018.184e.3c00

3. SW2 = 28692 004a.14e5.4077

4. SW3 = 32788 0022.55cf.dd00

103 / 109

103. A network engineer is configuring a switch so that it is remotely reachable via SSH. The engineer has already configured the host name on the
router. Which additional command must the engineer configure before entering the command to generate the RSA key?

1. ip ssh authentication-retries 2

2. password password

3. crypto key generate rsa modulus 1024

4. ip domain-name domain

104 / 109

104. Which value is the unique identifier that an access point uses to establish and maintain wireless connectivity to wireless network devices?

1. WLANID

2. SSID

3. RFID

4. VLANID

105 / 109

105. What is the purpose of the ip address hcp command?

1. to configure an interface as a DHCP relay

2. to configure an interface as a DHCP client

3. to configure an interface as a DHCP helper

4. to configure an Interface as a DHCP server

106 / 109

106. Refer to the exhibit. Which network prefix was learned via EIGRP?

1. 172.16.0.0/16

2. 207.165.200.0/24

3. 192.168.2.0/24

4. 192.168.1.0/24

107 / 109

107. What is a similarly between 1000BASE-LX and 1000BASE-T standards?

1. Both support up to 550 meters between nodes

2. Both cable types support Rj-45 connectors

3. Both cable types support LP connectors

4. Both use the same data-link header and trailer formats

108 / 109

108. Refer to the exhibit. Which route must be configured on R1 so that OSPF routing is used when OSPF is up. but the server is still reachable
when OSPF goes down?

1. ip route 10.1.1.10 255.255.255.255 172.16.2.2 100

2. ip route 10.1.1.10 255.255.255.255 gi0/0 125

3. ip route 10.1.1.0 255.255.255.0 172.16.2.2 100

4. ip route 10.1.1.0 255.255.255.0 gi0/1 125

109 / 109

109. Refer to the exhibit. The entire MAC address table for SW1 is shown here:
SW1#show mac-address-table
Mac Address Table
Vlan Mac Address Type Ports
000c.8590.bb7d DYNAMIC Fa0/1
010a.7a17.45bc DYNAMIC FaO/3
7aa7.4037.8935 DYNAMIC FaO/4
SW1#

What does SW1 do when Br-4 sends a frame to Br-2?

1. It floods the frame out of all ports except on the port where Br-2 is connected.

2. It inserts the source MAC address and port into the forwarding table and forwards the frame to Br-2.

3. It performs a lookup in the MAC address table for Br-4 and discards the frame due to a missing entry.

4. It maps the Layer 2 MAC address for FaO/3 to the Layer 3 IP address and forwards the frame.

Your score is

LinkedIn Facebook Twitter VKontakte