Dumps -

0 votes, 0 avg

Created by

Md Hedaet Shake

CCNA 200-301

1 / 10

1. Which type of Category 5 unshielded twisted-pair (UTP) cable is used to work as a trunk between
two switches?

1. RJ-41 crossover

2. RJ-11 straight-through

3. RJ-45 straight-through

4. RJ-45 crossover

2 / 10

2. What command was used to generate the output shown below?

1. show ip interface

2. show interface status

3. show ip interface brief

4. show interface

3 / 10

3. What two devices can be connected to a router WAN serial interface that can provide clocking?
(Choose two.)

1. CSU/DSU

2. modem

3. switch

4. hub

4 / 10

4. What is the valid host address range for the subnet 172.25.4.0 /23?

1. 172.25.4.1 to 172.25.5.254

2. 172.25.4.21 to 172.25.5.56

3. 172.25.4.35 to 172.25.5.64

4. 172.25.4.10 to 172.25.5.210

5 / 10

5. Which statement is NOT true regarding Internet Control Message Protocol (ICMP)?

1. ICMP is documented in RFC 792.

2. An ICMP echo-request message is generated by the ping command.

3. ICMP can identify network problems.

4. ICMP provides reliable transmission of data in an Internet Protocol (IP) environment.

6 / 10

6. Which Cisco Internetwork Operating System (IOS) command is used to view the number of
Enhanced Interior Gateway Routing Protocol (EIGRP) packets that are sent and received?

1. show ip eigrp traffic

2. show ip eigrp interfaces

3. show ip eigrp packets

4. show ip eigrp topology

5. show ip route

6. show eigrp neighbors

7 / 10

7. Which device can break Collision domain?

1. Switch

2. Router

3. Hub

4. Firewall

8 / 10

8. What command should you use to quickly view the HSRP state of the switch for all HSRP groups
of which the switch is a member?

1. switch# show standby brief

2. switch# show standby

3. switch# show ip interface brief

4. switch# show hsrp

9 / 10

9. Which of the following are port roles in the Rapid Spanning Tree Protocol (RSTP)? (Choose
three.)

1. Listening

2. Discarding

3. Alternate

4. Blocking

5. Backup

6. Routing

7. Designated

10 / 10

10. Which of the following cables would be used to connect a router to a switch?

1. crossover

2. straight-through

3. rollover

Your score is

LinkedIn Facebook Twitter VKontakte

0 votes, 0 avg

Created by

Md Hedaet Shake

CCNP 350-401 ENCOR

1 / 1

1. Which Cisco Internetwork Operating System (IOS) command is used to view the number of
Enhanced Interior Gateway Routing Protocol (EIGRP) packets that are sent and received?

1. show ip eigrp traffic

2. show ip route

3. show ip eigrp packets

4. show eigrp neighbors

5. show ip eigrp interfaces

6. show ip eigrp topology

Your score is

LinkedIn Facebook Twitter VKontakte

0 votes, 0 avg

Created by

Md Hedaet Shake

CCNP 300-410 ENARSI

1 / 1

1. Which Cisco Internetwork Operating System (IOS) command is used to view the number of
Enhanced Interior Gateway Routing Protocol (EIGRP) packets that are sent and received?

1. show eigrp neighbors

2. show ip eigrp interfaces

3. show ip eigrp traffic

4. show ip route

5. show ip eigrp topology

6. show ip eigrp packets

Your score is

LinkedIn Facebook Twitter VKontakte

0 votes, 0 avg

Created by

Md Hedaet Shake

NSE 4

1 / 30

1. What criteria does FortiGate use to look for a matching firewall policy to process traffic?
(Choose two.)

1. Highest to lowest priority defined in the firewall policy.

2. Services defined in the firewall policy.

3. Incoming and outgoing interfaces.

4. . Lowest to highest policy ID number.

2 / 30

2. When using WPAD DNS method, which FQDN format do browsers use to query the DNS
server?

1. srv_tcp.wpad.<local-domain>

2. srv_proxy.<local-domain>/wpad.dat

3. wpad.<local-domain>

4. proxy.<local-domain>.wpad

3 / 30

3. Examine this output from a debug flow:

Why did the FortiGate drop the packet?

1. . It failed the RPF check.

2. It matched an explicitly configured firewall policy with the action DENY.

3. The next-hop IP address is unreachable.

4. It matched the default implicit firewall policy.

4 / 30

4. Which of the following statements are best practices for troubleshooting FSSO? (Choose two.)

1. Guarantee at least 34 Kbps bandwidth between FortiGate and domain controllers.

2. Ensure all firewalls allow the FSSO required ports.

3. Include the group of guest users in a policy.

4. . Extend timeout timers.

5 / 30

5. During the digital verification process, comparing the original and fresh hash results satisfies
which security requirement?

1. Signature verification.

2. Data integrity.

3. Non-repudiation.

4. Authentication.

6 / 30

6. If traffic matches a DLP filter with the action set to Quarantine IP Address, what action does
FortiGate take?

1. It blocks all future traffic for that IP address for a configured interval.

2. It provides a DLP block replacement page with a link to download the file.

3. It archives the data for that IP address.

4. It notifies the administrator by sending an email.

7 / 30

7. If the Issuer and Subject values are the same in a digital certificate, which type of entity was
the certificate issued to?

1. A subordinate CA

2. A CRL

3. A root CA

4. A person

8 / 30

8. Which of the following statements about NTLM authentication are correct? (Choose two.)

1. NTLM-enabled web browsers are required.

2. It is useful when users log in to DCs that are not monitored by a collector agent.

3. Multi-domain environments require DC agents on every domain controller.

4. . It takes over as the primary authentication method when configured alongside FSSO.

9 / 30

9. Which configuration objects can be selected for the Source field of a firewall policy? (Choose
two.)

1. User or user group

2. Firewall service

3. FQDN address

4. IP Pool

10 / 30

10. Which of the following features is supported by web filter in flow-based inspection mode
with NGFW mode set to profile-based?

1. Static URL

2. FortiGuard Quotas

3. Rating option

4. Search engines

11 / 30

11. Examine the routing database shown in the exhibit, and then answer the following question:

Which of the following statements are correct? (Choose two.)

1. The port3 default route has the lowest metric.

2. The port3 default route has the highest distance.

3. There will be eight routes active in the routing table.

4. The port1 and port2 default routes are active in the routing table.

12 / 30

12. Examine the two static routes shown in the exhibit, then answer the following question.

Which of the following is the expected FortiGate behavior regarding these two routes to the same
destination?

1. . FortiGate will only actuate the port1 route in the routing table

2. FortiGate will route twice as much traffic to the port2 route

3. FortiGate will load balance all traffic across both routes.

4. FortiGate will use the port1 route as the primary candidate.

13 / 30

13. An administrator observes that the port1 interface cannot be configured with an IP address.
What can be the reasons for that? (Choose three.)

1. The interface has been configured for one-arm sniffer.

2. Captive portal is enabled in the interface.

3. The interface is a member of a virtual wire pair.

4. The interface is a member of a zone.

5. The operation mode is transparent.

14 / 30

14. How can you block or allow to Twitter using a firewall policy?

1. Configure the Source field as Internet Service objects for Twitter.

2. Configure the Destination field as Internet Service objects for Twitter.

3. . Configure the Action field as Learn and select Twitter.

4. Configure the Service field as Internet Service objects for Twitter.

15 / 30

15. Which statements best describe auto discovery VPN (ADVPN). (Choose two.)

1. . It requires the use of dynamic routing protocols so that spokes can learn the routes to other spokes.

2. Tunnels are negotiated dynamically between spokes.

3. Every spoke requires a static tunnel to be configured to other spokes so that phase 1 and phase 2 proposals are defined in advance.

4. ADVPN is only supported with IKEv2.

16 / 30

16. Which Statements about virtual domains (VDOMs) arc true? (Choose two.)

1. Each VDOM has its own routing table.

2. Each VDOM can be configured with different system hostnames.

3. Transparent mode and NAT/Route mode VDOMs cannot be combined on the same FortiGate.

4. Different VLAN sub-interface of the same physical interface can be assigned to different VDOMs.

17 / 30

17. An administrator needs to strengthen the security for SSL VPN access. Which of the following
statements are best practices to do so? (Choose three.)

1. Configure split tunneling for content inspection.

2. Configure host restrictions by IP or MAC address.

3. Configure two-factor authentication using security certificates.

4. . Configure SSL offloading to a content processor (FortiASIC).

5. Configure a client integrity check (host-check).

18 / 30

18. Which statement is true regarding the policy ID number of a firewall policy?

1. Changes when firewall policies are reordered.

2. Represents the number of objects used in the firewall policy.

3. Defines the order in which rules are processed.

4. Required to modify a firewall policy using the CLI.

19 / 30

19. In a high availability (HA) cluster operating in active-active mode, which of the following
correctly describes the path taken by the SYN packet of an HTTP session that is offloaded to a
secondary FortiGate?

1. Client > secondary FortiGate> web server.

2. Clinet >secondary FortiGate> primary FortiGate> web server.

3. Client> primary FortiGate> secondary FortiGate> web server.

4. Client > primary FortiGate> secondary FortiGate> primary FortiGate> web server.

20 / 30

20. How does FortiGate verify the login credentials of a remote LDAP user?

1. FortiGate regenerates the algorithm based on the login credentials and compares it to the algorithm stored on the LDAP server.

2. FortiGate sends the user-entered credentials to the LDAP server for authentication.

3. FortiGate queries its own database for credentials.

4. FortiGate queries the LDAP server for credentials.

21 / 30

21. What is the limitation of using a URL list and application control on the same firewall policy,
in NGFW policy-based mode?

1. It limits the scope of application control to scan application traffic based on application category only.

2. It limits the scope of application control to scan application traffic on DNS protocol only.

3. It limits the scope of application control to scan application traffic using parent signatures only

4. It limits the scope of application control to the browser-based technology category only.

22 / 30

22. Which of the following services can be inspected by the DLP profile? (Choose three.)

1. NFS

2. FTP

3. IMAP

4. CIFS

5. HTTP-POST

23 / 30

23. An administrator has configured a route-based IPsec VPN between two FortiGate devices.
Which statement about this IPsec VPN configuration is true?

1. This VPN cannot be used as part of a hub-and-spoke topology.

2. The IPsec firewall policies must be placed at the top of the list.

3. A virtual IPsec interface is automatically created after the phase 1 configuration is completed.

4. A phase 2 configuration is not required.

24 / 30

24. On a FortiGate with a hard disk, how can you upload logs to FortiAnalyzer or FortiManager?
(Choose two.)

1. store-and-upload

2. on-demand

3. hourly

4. real time

25 / 30

25. Which statement about DLP on FortiGate is true?

1. It can be applied to a firewall policy in a flow-based VDOM

2. Traffic shaping can be applied to DLP sensors.

3. It can archive files and messages.

4. Files can be sent to FortiSandbox for detecting DLP threats.

26 / 30

26. company needs to provide SSL VPN access to two user groups. The company also needs to display different welcome messages on the SSL VPN login screen for both user groups.
What is required in the SSL VPN configuration to meet these requirements?

1. Two firewall policies with different captive portals.

2. Different SSL VPN realms for each group.

3. Different virtual SSL VPN IP addresses for each group.

4. Two separate SSL VPNs in different interfaces mapping the same ssl.root.

27 / 30

27. Which of the following statements about converse mode are true? (Choose two.)

1. FortiGate stops doing RPF checks over incoming packets.

2. Administrators cannot change the configuration.

3. FortiGate stops sending files to FortiSandbox for inspection.

4. Administrators can access the FortiGate only through the console port.

28 / 30

28. What files are sent to FortiSandbox for inspection in flow-based inspection mode?

1. All suspicious files that are allowed to be submitted to FortiSandbox in the antivirus profile.

2. . All suspicious files that do not have their hash value in the FortiGuard antivirus signature database.

3. All suspicious files that are above the defined oversize limit value in the protocol options.

4. All suspicious files that match patterns defined in the antivirus profile.

29 / 30

29. Which of the following route attributes must be equal for static routes to be eligible for equal
cost multipath (ECMP) routing? (Choose two.)

1. Metric

2. Cost

3. Distance

4. Priority

30 / 30

30. Why must you use aggressive mode when a local FortiGate IPSec gateway hosts multiple
dialup tunnels?

1. . In aggressive mode, the remote peers are able to provide their peer IDs in the first message.

2. Main mode does not support XAuth for user authentication.

3. FortiGate is able to handle NATed connections only in aggressive mode.

4. FortiClient only supports aggressive mode.

Your score is

LinkedIn Facebook Twitter VKontakte

0 votes, 0 avg

Created by

Md Hedaet Shake

NSE4 Valid Dumps

1 / 184

1. Which statement about DLP on FortiGate is true?

1. Traffic shaping can be applied to DLP sensors.

2. It can archive files and messages.

3. It can be applied to a firewall policy in a flow-based VDOM

4. Files can be sent to FortiSandbox for detecting DLP threats.

2 / 184

2. Refer to the FortiGuard connection debug output.

Based on the output shown in the exhibit, which two statements are correct? (Choose two.)

1. A local FortiManager is one of the servers FortiGate communicates with.

2. FortiGate is using default FortiGuard communication setting

3. One server was contacted to retrieve the contract information

4. There is at least one server that lost packets consecutively.

3 / 184

3. An administrator has configured a strict RPF check on FortiGate.
Which statement is true about the strict RPF check?

1. Strict RPF checks only for the existence of at cast one active route back to the source using the incoming interface.

2. Strict RPF checks the best route back to the source using the incoming interface

3. Strict RPF allows packets back to sources with all active routes.

4. The strict RPF check is run on the first sent and reply packet of any new session.

4 / 184

4. Examine the two static routes shown in the exhibit, then answer the following question.

Which of the following is the expected FortiGate behavior regarding these two routes to the same
destination?

1. FortiGate will use the port1 route as the primary candidate.

2. FortiGate will load balance all traffic across both routes.

3. FortiGate will only actuate the port1 route in the routing table

4. FortiGate will route twice as much traffic to the port2 route

5 / 184

5. Which two statements are correct regarding FortiGate HA cluster virtual IP addresses? (Choose two.)

1. Virtual IP addresses are used to distinguish between cluster members.

2. A change in the virtual IP address happens when a FortiGate device joins or leaves the cluster.

3. The primary device in the cluster is always assigned IP address 169.254.0.1.

4. Heartbeat interfaces have virtual IP addresses that are manually assigned.

6 / 184

6. Refer to the exhibit to view the application control profile.

Users who use Apple FaceTime video conferences are unable to set up meetings.
In this scenario, which statement is true?

1. The category of Apple FaceTime is being blocked

2. The category of Apple FaceTime is being monitored.

3. Apple FaceTime belongs to the custom monitored filter

4. Apple FaceTime belongs to the custom blocked filter.

7 / 184

7. Which two statements are true about the FGCP protocol? (Choose two.)

1. Runs only over the heartbeat links

2. Is used to discover FortiGate devices in different HA groups

3. Not used when FortiGate is in Transparent mode

4. Elects the primary FortiGate device

8 / 184

8. A network administrator wants to set up redundant IPsec VPN tunnels on FortiGate by using two IPsec

VPN tunnels and static routes.
* All traffic must be routed through the primary tunnel when both tunnels are up
* The secondary tunnel must be used only if the primary tunnel goes down
* In addition, FortiGate should be able to detect a dead tunnel to speed up tunnel failover
Which two key configuration changes are needed on FortiGate to meet the design requirements? (Choose
two,)

1. Enable Dead Peer Detection

2. Configure a lower distance on the static route for the primary tunnel, and a higher distance on the static route for the secondary tunnel

3. Enable Auto-negotiate and Autokey Keep Alive on the phase 2 configuration of both tunnels.

4. Configure a high distance on the static route for the primary tunnel, and a lower distance on the static route for the secondary tunnel.

9 / 184

9. Given the security fabric topology shown in the exhibit, which two statements are true? (Choose two.)

1. This security fabric topology is a logical topology view.

2. There are 19 security recommendations for the security fabric.

3. Device detection is disabled on all FortiGate devices

4. There are five devices that are part of the security fabric.

10 / 184

10. Which of the following are purposes of NAT traversal in IPsec? (Choose two.)

1. To force a new DH exchange with each phase 2 rekey.

2. To encapsulation ESP packets in UDP packets using port 4500.

3. To delete intermediary NAT devices in the tunnel path.

4. To dynamically change phase 1 negotiation mode aggressive mode.

11 / 184

11. What is the limitation of using a URL list and application control on the same firewall policy,
in NGFW policy-based mode?

1. It limits the scope of application control to scan application traffic based on application category only.

2. It limits the scope of application control to the browser-based technology category only.

3. It limits the scope of application control to scan application traffic using parent signatures only

4. It limits the scope of application control to scan application traffic on DNS protocol only.

12 / 184

12. Which two configuration settings are synchronized when FortiGate devices are in an active-active HA
cluster? (Choose two.)

1. NTP

2. FortiGuard web filter cache

3. FortiGate hostname

4. DNS

13 / 184

13. Which two inspection modes can you use to configure a firewall policy on a profile-based next-generate?

1. Certificate Inspection

2. Flow-based inspection

3. Proxy-based inspection

4. Full Content lnspection

14 / 184

14. Which of the following statements about NTLM authentication are correct? (Choose two.)

1. . It takes over as the primary authentication method when configured alongside FSSO.

2. Multi-domain environments require DC agents on every domain controller.

3. It is useful when users log in to DCs that are not monitored by a collector agent.

4. NTLM-enabled web browsers are required.

15 / 184

15. Refer to the exhibit.

Which contains a network diagram and routing table output.
The Student is unable to access Webserver.
What is the cause of the problem and what is the solution for the problem?

1. The first reply packet for Student failed the RPF check. This issue can be resolved by adding a static route to 10.0.4.0/24 through wan1

2. The first packet sent from Student failed the RPF check. This issue can be resolved by adding a static route to 203.0.114.24/32 through port3.

3. The first reply packet for Student failed the RPF check. This issue can be resolved by adding a static route to 203.0.114.24/32 through port3.

4. The first packet sent from Student failed the RPF check. This issue can be resolved by adding a static route to 10.0.4.0/24 through wan1.

16 / 184

16. If the Services field is configured in a Virtual IP (VIP), which statement is true when central NAT is
used?

1. The Services field is used when you need to bundle several VIPs into VIP groups.

2. The Services field prevents SNAT and DNAT from being combined in the same policy.

3. The Services field removes the requirement to create multiple VIPs for different services.

4. The Services field prevents multiple sources of traffic from using multiple services to connect to a single computer.

17 / 184

17. The HTTP inspection process in web filtering follows a specific order when multiple features are
enabled in the web filter profile.

What order must FortiGate use when the web filter profile has features enabled, such as safe search?

1. Static domain filter, SSL inspection filter, and external connectors filters

2. Static URL filter, FortiGuard category filter, and advanced filters

3. FortiGuard category filter and rating filter

4. DNS-based web filter and proxy-based web filter

18 / 184

18. An administrator observes that the port1 interface cannot be configured with an IP address.
What can be the reasons for that? (Choose three.)

1. The interface has been configured for one-arm sniffer.

2. Captive portal is enabled in the interface.

3. The operation mode is transparent.

4. The interface is a member of a zone.

5. The interface is a member of a virtual wire pair.

19 / 184

19. A FortiGate is operating in NAT mode and configured with two virtual LAN (VLAN) sub interfaces added
to the physical interface.
Which statements about the VLAN sub interfaces can have the same VLAN ID, only if they have IP
addresses in different subnets.

1. The two VLAN sub interfaces must have different VLAN IDs.

2. The two VLAN sub interfaces can have the same VLAN ID, only if they have IP addresses in different subnets.

3. The two VLAN sub interfaces can have the same VLAN ID, only if they belong to different VDOMs.

4. The two VLAN sub interfaces can have the same VLAN ID, only if they have IP addresses in the same subnet.

20 / 184

20. In consolidated firewall policies, IPv4 and IPv6 policies are combined in a single consolidated policy.
Instead of separate policies.
Which three statements are true about consolidated IPv4 and IPv6 policy configuration? (Choose three.)

1. The policy table in the GUI can be filtered to display policies with IPv4, IPv6 or IPv4 and IPv6 sources and destinations.

2. The IP version of the sources and destinations in a firewall policy must be different.

3. The policy table in the GUI will be consolidated to display policies with IPv4 and IPv6 sources and destinations.

4. The IP version of the sources and destinations in a policy must match.

5. The Incoming Interface. Outgoing Interface. Schedule, and Service fields can be shared with both IPv4 and IPv6.

21 / 184

21. Which two statements are true about the RPF check? (Choose two.)

1. RPF is a mechanism that protects FortiGuard and your network from IP spoofing attacks

2. The RPF check is run on the first sent and reply packet of any new session.

3. The RPF check is run on the first reply packet of any new session

4. The RPF check is run on the first sent packet of any new session

22 / 184

22. Which two statements about IPsec authentication on FortiGate are correct? (Choose two.)

1. FortiGate supports pre-shared key and signature as authentication methods.

2. Enabling XAuth results in a faster authentication because fewer packets are exchanged

3. A certificate is not required on the remote peer when you set the signature as the authentication method

4. For a stronger authentication, you can also enable extended authentication (XAuth) to request the remote peer to provide a username and password

23 / 184

23. Which of the following services can be inspected by the DLP profile? (Choose three.)

1. NFS

2. HTTP-POST

3. FTP

4. IMAP

5. CIFS

24 / 184

24. If the Issuer and Subject values are the same in a digital certificate, which type of entity was
the certificate issued to?

1. A root CA

2. A person

3. A CRL

4. A subordinate CA

25 / 184

25. How can you block or allow to Twitter using a firewall policy?

1. Configure the Source field as Internet Service objects for Twitter.

2. . Configure the Action field as Learn and select Twitter.

3. Configure the Destination field as Internet Service objects for Twitter.

4. Configure the Service field as Internet Service objects for Twitter.

26 / 184

26. Refer to the exhibits.

Exhibit A shows system performance output. Exhibit B shows a FortiGate configured with the default
configuration of high memory usage thresholds.
Based on the system performance output, which two statements are correct? (Choose two.)

1. FortiGate will start sending all files to FortiSandbox for inspection.

2. FortiGate has entered conserve mode.

3. Administrators cannot change the configuration

4. Administrators can access FortiGate only through the console port.

27 / 184

27. Examine the IPS sensor configuration shown in the exhibit, and then answer the question below.

An administrator has configured the WINDOWS_SERVERS IPS sensor in an attempt to determine
whether the influx of HTTPS traffic is an attack attempt or not. After applying the IPS sensor, FortiGate is
still not generating any IPS logs for the HTTPS traffic.
What is a possible reason for this?

1. The HTTPS signatures have not been added to the sensor

2. A DoS policy should be used, instead of an IPS sensor.

3. A DoS policy should be used, instead of an IPS sensor

4. The IPS filter is missing the Protocol: HTTPS option.

5. The firewall policy is not using a full SSL inspection profile.

28 / 184

28. Refer to the exhibit.

The exhibit contains a network interface configuration, firewall policies, and a CLI console configuration.
How will FortiGate handle user authentication for traffic that arrives on the LAN interface?

1. Users from the Sales group will be prompted for authentication and can authenticate successfully with the correct credentials.

2. If there is a full-through policy in place, users will not be prompted for authentication.

3. Authentication is enforced at a policy level; all users will be prompted for authentication.

4. Users from the HR group will be prompted for authentication and can authenticate successfully with the correct credentials

29 / 184

29. An administrator wants to configure timeouts for users Regardless of the user's behavior, the timer should start and expire after the configured value.
Which timeout option should be configured on FortiGate?

1. Auth-on-demand

2. Hard-timeout

3. Idle timeout

4. New-session

5. Soft-timeout

30 / 184

30. Examine the two static routes shown in the exhibit, then answer the following question.

Which of the following is the expected FortiGate behavior regarding these two routes to the same
destination?

1. FortiGate will use the port1 route as the primary candidate.

2. FortiGate will route twice as much traffic to the port2 route

3. . FortiGate will only actuate the port1 route in the routing table

4. FortiGate will load balance all traffic across both routes.

31 / 184

31. A network administrator is configuring a new IPsec VPN tunnel on FortiGate. The remote peer IP address
is dynamic, in addition, the remote peer does not support a dynamic DNS update service.
What type of remote gateway should tie administrator configure on FortiGate for the new IPsec VPN tunnel
to work?

1. Dynamic DNS

2. Pre-shared Key

3. Static IP Address

4. Dialup User

32 / 184

32. A network administrator has enabled SSL certificate inspection and antivirus on FortiGate detects the virus and blocks the file. When downloading the same file that's be downloaded.

What is the reason for the felled virus detection by FortiGate?

1. Application control as not enabled

2. Antivirus definitions are not up to date

3. SSL/SSH inspection profile is incorrect

4. Antivirus profile configuration is incorrect

33 / 184

33. In an explicit proxy setup, where is the authentication method and database configured?

1. Firewall Policy

2. Authentication Rule

3. Proxy Policy

4. Authentication scheme

34 / 184

34. Refer to the exhibit.

Which contains a Performance SLA configuration.
An administrator has configured a performance SLA on FortiGate.
Which failed to generate any traffic.
Why is FortiGate not generating any traffic for the performance SLA?

1. The Ping protocol is not supported for the public servers that are configured.

2. There may not be a static route to route the performance SLA traffic.

3. You need to turn on the Enable probe packets switch.

4. Participants configured are not SD-WAN members.

35 / 184

35. Which of the following SD-WAN load –balancing method use interface weight value to distribute traffic? (Choose two.)

1. Session

2. Volume

3. Source IP

4. Spillover

36 / 184

36. Which two statements are correct regarding FortiGate FSSO agentless polling mode? (Choose two.)

1. FortiGate points the collector agent to use a remote LDAP server.

2. FortiGate uses the SMB protocol to read the event viewer logs from the DCs.

3. FortiGate queries AD by using the LDAP to retrieve user group information

4. FortiGate uses the AD server as the collector agent.

37 / 184

37. What is the primary FortiGate election process when the HA override setting is disabled?

1. Connected monitored ports > HA uptime > Priority > FortiGate Serial number

2. Connected monitored ports > Priority > System uptime > FortiGate Serial number

3. Connected monitored ports > Priority > HA uptime > FortiGate Serial number

4. Connected monitored ports > System uptime > Priority > FortiGate Serial number

38 / 184

38. Refer to the exhibit
The exhibit shower the IPS sensor configuration.
If traffic matches this IPS sensor, which two actions is the sensor expected to take? (Choose two).

1. The sensor will allow attackers matching the NTP>Spoofed.KoD.DoS signature.

2. The sensor will block all attacks aimed at Windows server.

3. The sensor will gather a packet log for all matched traffic.

4. The sensor will reset all connections that match these signatures.

39 / 184

39. What files are sent to FortiSandbox for inspection in flow-based inspection mode?

1. All suspicious files that are allowed to be submitted to FortiSandbox in the antivirus profile.

2. All suspicious files that are above the defined oversize limit value in the protocol options.

3. . All suspicious files that do not have their hash value in the FortiGuard antivirus signature database.

4. All suspicious files that match patterns defined in the antivirus profile.

40 / 184

40. Which two protocol options are available on the CLI but not on the GUI when configuring an SD-WAN
Performance SLA? (Choose two.)

1. ping

2. DNS

3. TWAMP

4. udp-echo

41 / 184

41. Which three pieces of information does FortiGate use to identify the hostname of the SSL server when SSL
certificate inspection is enabled? (Choose three.)

1. The subject alternative name (SAN) field in the server certificate

2. The host field in the HTTP header

3. The subject field in the server certificate

4. The server name indication (SNI) extension in the client hello message

5. The serial number in the server certificate

42 / 184

42. Which statement regarding the firewall policy authentication timeout is true?

1. It is a hard timeout. The FortiGate removes the temporary policy for a user’s source MAC address after this timer has expired.

2. It is a hard timeout. The FortiGate removes the temporary policy for a user’s source IP address after this timer has expired.

3. It is an idle timeout. The FortiGate considers a user to be “idle” if it does not see any packets coming from the user’s source MAC.

4. It is an idle timeout. The FortiGate considers a user to be “idle” if it does not see any packets coming from the user’s source IP.

43 / 184

43. Which statements best describe auto discovery VPN (ADVPN). (Choose two.)

1. It requires the use of dynamic routing protocols so that spokes can learn the routes to other spokes

2. Tunnels are negotiated dynamically between spokes.

3. Every spoke requires a static tunnel to be configured to other spokes so that phase 1 and phase 2 proposals are defined in advance.

4. ADVPN is only supported with IKEv2.

44 / 184

44. Refer to the exhibit.

A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices.
The administrator has determined that phase 1 status is up. but phase 2 fails to come up.
Based on the phase 2 configuration shown in the exhibit, what configuration change will bring phase 2
up?

1. On HQ-FortiGate, enable Diffie-Hellman Group 2

2. On HQ-FortiGate, set Encryption to AES256On HQ-FortiGate, set Encryption to AES256

3. On Remote-FortiGate, set Seconds to 43200.

4. On HQ-FortiGate, enable Auto-negotiate

45 / 184

45. Refer to the exhibit, which contains a redious server configuration.

An administration added a configuration for a new RADIUS server.
While configuring, the administrator selected the include eery user group option.

What will be the impact of include in every user group option in a RADIUS configuration?

1. This option places all FortiGate users and groups required to authenticate into the RADIUS server, which in this case is FortiAuthenticator.

2. This option places the RADIUS server and all users who can authenticate against that server, into every FortiGate user.

3. This option places the RADIUS server, and all user who can authenticate against that server into RADIUS group.

4. This option places all user every RADIUS user group including groups that are used for the LDAP server on FortiGate.

46 / 184

46. Which of the following features is supported by web filter in flow-based inspection mode
with NGFW mode set to profile-based?

1. Search engines

2. Static URL

3. Rating option

4. FortiGuard Quotas

47 / 184

47. Which of the following statements about converse mode are true? (Choose two.)

1. FortiGate stops sending files to FortiSandbox for inspection.

2. Administrators cannot change the configuration.

3. FortiGate stops doing RPF checks over incoming packets.

4. Administrators can access the FortiGate only through the console port.

48 / 184

48. Which of statement is true about SSL VPN web mode?

1. It supports a limited number of protocols.

2. It assigns a virtual IP address to the client

3. The tunnel is up while the client is connected.

4. The external network application sends data through the VPN.

49 / 184

49. An organization’s employee needs to connect to the office through a high-latency internet connection.
Which SSL VPN setting should the administrator adjust to prevent the SSL VPN negotiation failure?

1. Change the login timeout

2. Change the udp idle timer.

3. Change the idle-timeout.

4. Change the session-ttl.

50 / 184

50. Refer to the exhibit.

The global settings on a FortiGate device must be changed to align with company security policies.
What does the Administrator account need to access the FortiGate global settings?
A. Change password

1. Change Administrator profile

2. Enable two-factor authentication

3. Enable restrict access to trusted hosts

4. Change password

51 / 184

51. Refer to the exhibits.

The exhibits show the SSL and authentication policy (Exhibit A) and the security policy (Exhibit B) tor
Facebook.
Users are given access to the Facebook web application. They can play video content hosted on
Facebook but they are unable to leave reactions on videos or other types of posts.
Which part of the policy configuration must you change to resolve the issue?

1. Additional application signatures are required to add to the security policy.

2. Force access to Facebook using the HTTP service.

3. Add Facebook in the URL category in the security policy.

4. The SSL inspection needs to be a deep content inspection.

52 / 184

52. Which Statements about virtual domains (VDOMs) arc true? (Choose two.)

1. Transparent mode and NAT/Route mode VDOMs cannot be combined on the same FortiGate.

2. Each VDOM has its own routing table.

3. Each VDOM can be configured with different system hostnames.

4. Different VLAN sub-interface of the same physical interface can be assigned to different VDOMs.

53 / 184

53. Refer to the exhibit.

Based on the administrator profile settings, what permissions must the administrator set to run the
diagnose firewall auth list CLI command on FortiGate?

1. Read/Write permission for Log & Report

2. CLI diagnostics commands permission

3. Custom permission for Network

4. Read/Write permission for Firewall

54 / 184

54. Why does FortiGate Keep TCP sessions in the session table for several seconds, even after both
sides (client and server) have terminated the session?

1. To allow for out-of-order packets that could arrive after the FIN/ACK packets

2. To allow for out-of-order packets that could arrive after the FIN/ACK packets

3. To remove the NAT operation

4. To generate logs

55 / 184

55. When using WPAD DNS method, which FQDN format do browsers use to query the DNS
server?

1. srv_proxy.<local-domain>/wpad.dat

2. proxy.<local-domain>.wpad

3. srv_tcp.wpad.<local-domain>

4. wpad.<local-domain>

56 / 184

56. D18912E1457D5D1DDCBD40AB3BF70D5D
What is the effect of enabling auto-negotiate on the phase 2 configuration of an IPsec tunnel?

1. FortiGate automatically brings up the IPsec tunnel and keeps it up, regardless of activity on the IPsec tunnel.

2. FortiGate automatically negotiates different encryption and authentication algorithms with the remote peer.

3. FortiGate automatically negotiates a new security association after the existing security association expires.

4. FortiGate automatically negotiates different local and remote addresses with the remote peer.

57 / 184

57. An administrator is running the following sniffer command:
diagnose aniffer packer any "host 192.168.2.12" 5
Which three pieces of Information will be Included in me sniffer output? {Choose three.)

1. Packet payload

2. Ethernet header

3. IP header

4. Interface name

5. Application header

58 / 184

58. Which of the following statements about central NAT are true? (Choose two.)

1. Destination NAT, using central NAT, requires a VIP object as the destination address in a firewall.

2. IP tool references must be removed from existing firewall policies before enabling central NAT.

3. Central NAT can be enabled or disabled from the CLI only.

4. Source NAT, using central NAT, requires at least one central SNAT policy.

59 / 184

59. Which scanning technique on FortiGate can be enabled only on the CLI?

1. Antivirus scan

2. Trojan scan

3. Heuristics scan

4. Ransomware scan

60 / 184

60. Which three CLI commands can you use to troubleshoot Layer 3 issues if the issue is in neither the
physical layer nor the link layer? (Choose three.)

1. diagnose sniffer packet any

2. get system arp

3. execute traceroute

4. execute ping

5. diagnose sys top

61 / 184

61. Which three authentication timeout types are availability for selection on FortiGate? (Choose three.)

1. new-session

2. Idle-timeout

3. hard-timeout

4. auth-on-demand

5. soft-timeout

62 / 184

62. Examine this FortiGate configuration:

How does the FortiGate handle web proxy traffic coming from the IP address 10.2.1.200 that requires
authorization?

1. It always authorizes the traffic without requiring authentication.

2. It authenticates the traffic using the authentication scheme SCHEME2.

3. It drops the traffic.

4. It authenticates the traffic using the authentication scheme SCHEME1

63 / 184

63. Refer to the exhibit

A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The
administrator has determined that phase 1 fails to come up. The administrator has also re-entered the
pre-shared key on both FortiGate devices to make sure they match.
Based on the phase 1 configuration and the diagram shown in the exhibit, which two configuration
changes will bring phase 1 up? (Choose two.)

1. On Remote-FortiGate, set port2 as Interface.

2. On both FortiGate devices, set Dead Peer Detection to On Demand.

3. On HQ-FortiGate, set IKE mode to Main (ID protection).

4. On HQ-FortiGate, disable Diffie-Helman group 2.

64 / 184

64. Which of the following conditions must be met in order for a web browser to trust a web server certificate
signed by a third-party CA?

1. The private key of the CA certificate that signed the browser certificate must be installed on the browser.

2. The public key of the web server certificate must be installed on the browser.

3. The CA certificate that signed the web-server certificate must be installed on the browser.

4. The web-server certificate must be installed on the browser.

65 / 184

65. In a high availability (HA) cluster operating in active-active mode, which of the following
correctly describes the path taken by the SYN packet of an HTTP session that is offloaded to a
secondary FortiGate?

1. Client > secondary FortiGate> web server.

2. Client > primary FortiGate> secondary FortiGate> primary FortiGate> web server.

3. Client> primary FortiGate> secondary FortiGate> web server.

4. Clinet >secondary FortiGate> primary FortiGate> web server.

66 / 184

66. Refer to the exhibits to view the firewall policy (Exhibit A) and the antivirus profile (Exhibit B).

Which statement is correct if a user is unable to receive a block replacement message when downloading
an infected file for the first time?

1. The flow-based inspection is used, which resets the last packet to the user.

2. The firewall policy performs the full content inspection on the file.

3. The volume of traffic being inspected is too high for this model of FortiGate.

4. The intrusion prevention security profile needs to be enabled when using flow-based inspection mode

67 / 184

67. When browsing to an internal web server using a web-mode SSL VPN bookmark, which IP address is
used as the source of the HTTP request?

1. The remote user’s virtual IP address.

2. The public IP address of the FortiGate device.

3. The internal IP address of the FortiGate device

4. remote user’s public IP address

68 / 184

68. Which three security features require the intrusion prevention system (IPS) engine to function? (Choose
three.)

1. Antivirus in flow-based inspection

2. DNS filter

3. Web application firewall

4. Application control

5. Web filter in flow-based inspection

69 / 184

69. Consider the topology:
Application on a Windows machine <--{SSL VPN} -->FGT--> Telnet to Linux server.
An administrator is investigating a problem where an application establishes a Telnet session to a Linux
server over the SSL VPN through FortiGate and the idle session times out after about 90 minutes. The
administrator would like to increase or disable this timeout.
The administrator has already verified that the issue is not caused by the application or Linux server. This
issue does not happen when the application establishes a Telnet connection to the Linux server directly
on the LAN.
What two changes can the administrator make to resolve the issue without affecting services running
through FortiGate? (Choose two.)

1. Set the session TTL on the SSLVPN policy to maximum, so the idle session timeout will not happen after 90 minutes.

2. Set the maximum session TTL value for the TELNET service object

3. Create a new service object for TELNET and set the maximum session TTL.

4. Create a new firewall policy and place it above the existing SSLVPN policy for the SSL VPN traffic, and set the new TELNET service object in the policy

70 / 184

70. How do you format the FortiGate flash disk?

1. Execute the CLI command execute formatlogdisk

2. Load a debug FortiOS image

3. Select the format boot device option from the BIOS menu.

4. Load the hardware test (HQIP) image

71 / 184

71. An administrator has configured two-factor authentication to strengthen SSL VPN access.
Which additional best practice can an administrator implement?

1. Configure different SSL VPN realms.

2. Configure Source IP Pools.

3. Configure host check.

4. Configure split tunneling in tunnel mode

72 / 184

72. What is the limitation of using a URL list and application control on the same firewall policy, in NGFW
policy-based mode?

1. It limits the scope of application control to scan application traffic based on application category only.

2. It limits the scope of application control to the browser-based technology category only.

3. It limits the scope of application control to scan application traffic using parent signatures only

4. It limits the scope of application control to scan application traffic on DNS protocol only.

73 / 184

73. Refer to the exhibit

Given the routing database shown in the exhibit, which two statements are choose.

1. The port1 and port2 default routes are act1ve in the routing table

2. The port3 default route has the lowest metric

3. The port3 default route has the highest distance

4. There will be eight routes active in the routing table

74 / 184

74. Which CLI command allows administrators to troubleshoot Layer 2 issues, such as an IP address
conflict?

1. get system status

2. get system performance status

3. get system arp

4. diagnose sys top

75 / 184

75. Which three statements about a flow-based antivirus profile are correct? (Choose three.)

1. FortiGate buffers the whole file but transmits to the client simultaneously.

2. Flow-based inspection uses a hybrid of scanning modes available in proxy-based inspection.

3. If the virus is detected, the last packet is delivered to the client.

4. IPS engine handles the process as a standalone.

5. Optimized performance compared to proxy-based inspection

76 / 184

76. Refer to the exhibit.

The exhibit contains a network diagram, virtual IP, IP pool, and firewall policies configuration.
The WAN (port1) interface has the IP address 10.200.1.1/24.
The LAN (port3) interface has the IP address 10 .0.1.254. /24.
The first firewall policy has NAT enabled using IP Pool.
The second firewall policy is configured with a VIP as the destination address.
Which IP address will be used to source NAT the internet traffic coming from a workstation with the IP
address 10.0.1.10?

1. 10.200.1.1

2. 10.200.3.1

3. 10.200.1.100

4. 10.200.1.10

77 / 184

77. What criteria does FortiGate use to look for a matching firewall policy to process traffic?
(Choose two.)

1. Highest to lowest priority defined in the firewall policy.

2. . Lowest to highest policy ID number.

3. Incoming and outgoing interfaces.

4. Services defined in the firewall policy.

78 / 184

78. An administrator needs to increase network bandwidth and provide redundancy.
What interface type must the administrator select to bind multiple FortiGate interfaces?

1. VLAN interface

2. Aggregate interface

3. Software Switch interface

4. Redundant interface

79 / 184

79. Which two VDOMs are the default VDOMs created when FortiGate is set up in split VDOM mode?
(Choose two.)

1. FG-Mgmt

2. FG-traffic

3. Root

4. Mgmt

80 / 184

80. Which two statements ate true about the Security Fabric rating? (Choose two.)

1. Many of the security issues can be fixed immediately by click ng Apply where available

2. The Security Fabric rating must be run on the root FortiGate device in the Security Fabric

3. It provides executive summaries of the four largest areas of security focus.

4. The Security Fabric rating is a free service that comes bundled with alt FortiGate devices.

81 / 184

81. Which statement correctly describes NetAPI polling mode for the FSSO collector agent?

1. NetAPI polling can increase bandwidth usage in large networks.

2. The collector agent uses a Windows API to query DCs for user logins.

3. The NetSessionEnum function is user] to track user logouts

4. The collector agent must search security event logs.

82 / 184

82. When a firewall policy is created, which attribute is added to the policy to support recording logs to a
FortiAnalyzer or a FortiManager and improves functionality when a FortiGate is integrated with these
devices?

1. Policy ID

2. Sequence ID

3. Log ID

4. Universally Unique Identifier

83 / 184

83. Which statement about the IP authentication header (AH) used by IPsec is true?

1. AH provides strong data integrity but weak encryption.

2. AH does not support perfect forward secrecy.

3. AH provides data integrity bur no encryption.

4. AH does not provide any data integrity or encryption

84 / 184

84. Refer to the exhibit

The exhibit shows proxy policies and proxy addresses, the authentication rule and authentication scheme,
users, and firewall address.
An explicit web proxy is configured for subnet range 10.0.1.0/24 with three explicit web proxy policies.
The authentication rule is configured to authenticate HTTP requests for subnet range 10.0.1.0/24 with a
form-based authentication scheme for the FortiGate local user database.
Users will be prompted for authentication.
How will FortiGate process the traffic when the HTTP request comes from a machine with the source IP
10.0.1.10 to the destination http://www.fortinet.com? (Choose two.)

1. If a Mozilla Firefox browser is used with User-A credentials, the HTTP request will be allowed.

2. If a Google Chrome browser is used with User-B credentials, the HTTP request will be allowed

3. If a Microsoft Internet Explorer browser is used with User-B credentials, the HTTP request will be allowed.

4. If a Mozilla Firefox browser is used with User-B credentials, the HTTP request will be allowed.

85 / 184

85. Refer to the exhibit

The exhibits show a network diagram and the explicit web proxy configuration.
In the command diagnose sniffer packet, what filter can you use to capture the traffic between the client
and the explicit web proxy?

1. ‘host 192.168.0.1 and port 80’

2. ‘host 192.168.0.2 and port 8080’

3. ‘host 10.0.0.50 and port 8080’

4. ‘host 10.0.0.50 and port 80’

86 / 184

86. Examine the routing database shown in the exhibit, and then answer the following question:

Which of the following statements are correct? (Choose two.)

1. There will be eight routes active in the routing table.

2. The port3 default route has the highest distance.

3. The port3 default route has the lowest metric.

4. The port1 and port2 default routes are active in the routing table.

87 / 184

87. A network administrator has enabled full SSL inspection and web filtering on FortiGate. When visiting any
HTTPS websites, the browser reports certificate warning errors. When visiting HTTP websites, the browser
does not report errors.
What is the reason for the certificate warning errors?

1. The browser requires a software update.

2. FortiGate does not support full SSL inspection when web filtering is enabled.

3. There are network connectivity issues.

4. The CA certificate set on the SSL/SSH inspection profile has not been imported into the browser.

88 / 184

88. Refer to the web filter raw logs.

Based on the raw logs shown in the exhibit, which statement is correct?

1. Access to the social networking web filter category was explicitly blocked to all users

2. Social networking web filter category is configured with the action set to authenticate

3. The name of the firewall policy is all_users_web.

4. The action on firewall policy ID 1 is set to warning

89 / 184

89. If traffic matches a DLP filter with the action set to Quarantine IP Address, what action does
FortiGate take?

1. It blocks all future traffic for that IP address for a configured interval.

2. It archives the data for that IP address.

3. It provides a DLP block replacement page with a link to download the file.

4. It notifies the administrator by sending an email.

90 / 184

90. Examine this output from a debug flow:

Why did the FortiGate drop the packet?

1. It matched the default implicit firewall policy.

2. It failed the RPF check

3. It matched an explicitly configured firewall policy with the action DENY.

4. The next-hop IP address is unreachable.

91 / 184

91. Examine the exhibit, which contains a virtual IP and firewall policy configuration.

The WAN (port1) interface has the IP address 10.200.1.1/24. The LAN (port2) interface has the IP
address 10.0.1.254/24.
The first firewall policy has NAT enabled on the outgoing interface address. The second firewall policy is
configured with a VIP as the destination address.
Which IP address will be used to source NAT the Internet traffic coming from a workstation with the IP address 10.0.1.10/24?

1. 10.200.1.1

2. 10.200.1.10

3. 0.0.1.254

4. Any available IP address in the WAN (port1) subnet 10.200.1.0/24

92 / 184

92. Which two statements are correct about a software switch on FortiGate?

1. It can group only physical Interfaces.

2. All interfaces in the software switch share the same IP address.

3. Can act as a Layer 2 switch as well as a Layer 3 router.

4. It can be configured only when FortlGate is operating in NAT mode.

93 / 184

93. 61.Which two attributes are required on a certificate so it can be used as a CA certificate on SSL Inspection? (Choose two.)

1. The keyUsage extension must be set to keyCertSign.

2. The issuer must be a public CA.

3. The CA extension must be set to TRUE.

4. The common name on the subject field must use a wildcard name

94 / 184

94. An administrator has configured a route-based IPsec VPN between two FortiGate devices.
Which statement about this IPsec VPN configuration is true?

1. The IPsec firewall policies must be placed at the top of the list.

2. A virtual IPsec interface is automatically created after the phase 1 configuration is completed

3. A phase 2 configuration is not required.

4. This VPN cannot be used as part of a hub-and-spoke topology.

95 / 184

95. Which type of logs on FortiGate record information about traffic directly to and from the FortiGate
management IP addresses?

1. Forward traffic logs

2. Security logs

3. Local traffic logs

4. System event logs

96 / 184

96. Refer to the exhibit.

The exhibit contains a network diagram, central SNAT policy, and IP pool configuration.
The WAN (port1) interface has the IP address 10.200.1.1/24.
The LAN (port3) interface has the IP address 10.0.1.254/24.
A firewall policy is configured to allow to destinations from LAN (port3) to WAN (port1).

Central NAT is enabled, so NAT settings from matching Central SNAT policies will be
applied.
Which IP address will be used to source NAT the traffic, if the user on Local-Client (10.0.1.10) pings the IP
address of Remote-FortiGate (10.200.3.1)?

1. 10.200.1.1

2. 10.200.1.99

3. 10.200.1.49

4. 10.200.1.149

97 / 184

97. Why must you use aggressive mode when a local FortiGate IPSec gateway hosts multiple
dialup tunnels?

1. . In aggressive mode, the remote peers are able to provide their peer IDs in the first message.

2. FortiClient only supports aggressive mode.

3. Main mode does not support XAuth for user authentication.

4. FortiGate is able to handle NATed connections only in aggressive mode.

98 / 184

98. During the digital verification process, comparing the original and fresh hash results satisfies
which security requirement?

1. Authentication.

2. Signature verification.

3. Non-repudiation.

4. Data integrity.

99 / 184

99. NGFW mode allows policy-based configuration for most inspection rules.
Which security profile’s configuration does not change when you enable policy-based inspection?

1. Web proxy

2. Antivirus

3. Web filtering

4. Application control

100 / 184

100. Which statement is true regarding the policy ID number of a firewall policy?

1. Changes when firewall policies are reordered.

2. Represents the number of objects used in the firewall policy.

3. Required to modify a firewall policy using the CLI.

4. Defines the order in which rules are processed.

101 / 184

101. Examine the following web filtering log.

Which statement about the log message is true?

1. The usage quota for the IP address 10.0.1.10 has expired

2. The web site miniclip.com matches a static URL filter whose action is set to Warning

3. The name of the applied web filter profile is default

4. The action for the category Games is set to block

102 / 184

102. What inspection mode does FortiGate use if it is configured as a policy-based next-generation firewall
(NGFW)?

1. Full Content inspection

2. Flow-based inspection

3. Certificate inspection

4. Proxy-based inspection

103 / 184

103. Which engine handles application control traffic on the next-generation firewall?

1. Flow engine

2. Antivirus engine

3. Detection engine

4. Intrusion prevention system engine

104 / 184

104. Which security feature does FortiGate provide to protect servers located in the internal networks from
attacks such as SQL injections?

1. Web application firewall

2. Antivirus

3. Application control

4. Denial of Service

105 / 184

105. Refer to the exhibit.

Review the Intrusion Prevention System (IPS) profile signature settings.
Which statement is correct in adding the FTP.Login.Failed signature to the IPS sensor profile?

1. The signature setting includes a group of other signatures

2. Traffic matching the signature will be allowed and logged.

3. The signature setting uses a custom rating threshold.

4. Traffic matching the signature will be silently dropped and logged.

106 / 184

106. Refer to the exhibit.

Given the interfaces shown in the exhibit. which two statements are true? (Choose two.)

1. Traffic between port2 and port2-vlan1 is allowed by default.

2. port1 is a native VLAN.

3. port1-vlan10 and port2-vlan10 are part of the same broadcast domain

4. D. port1-vlan and port2-vlan1 can be assigned in the same VDOM or to different VDOMs

107 / 184

107. Which two types of traffic are managed only by the management VDOM? (Choose two.)

1. DNS

2. PKI

3. Traffic shaping

4. FortiGuard web filter queries

108 / 184

108. View the exhibit.

Which of the following statements are correct? (Choose two.)

1. Dead peer detection must be disabled to support this type of IPsec setup.

2. This setup requires at least two firewall policies with the action set to IPsec.

3. This is a redundant IPsec setup.

4. The TunnelB route is the primary route for reaching the remote site. The TunnelA route is used only if the TunnelB VPN is down.

109 / 184

109. To complete the final step of a Security Fabric configuration, an administrator must authorize all the
devices on which device?

1. Root FortiGate

2. Downstream FortiGate

3. FortiManager

4. FortiAnalyzer

110 / 184

110. An administrator has configured outgoing Interface any in a firewall policy.
Which statement is true about the policy list view?

1. By Sequence view will be disabled.

2. Interface Pair view will be disabled.

3. Policy lookup will be disabled.

4. Search option will be disabled

111 / 184

111. Refer to the exhibit showing a debug flow output.

Which two statements about the debug flow output are correct? (Choose two.)

1. The default route is required to receive a reply.

2. A firewall policy allowed the connection.

3. The debug flow is of ICMP traffic.

4. A new traffic session is created

112 / 184

112. Examine the network diagram shown in the exhibit, then answer the following question:

Which one of the following routes is the best candidate route for FGT1 to route traffic from the Workstation
to the Web server?

1. 0.0.0.0/0 [20/0] via 10.4.200.2, port2

2. 10.4.200.0/30 is directly connected, port2

3. 172.16.32.0/24 is directly connected, port1

4. 172.16.0.0/16 [50/0] via 10.4.200.2, port2 [5/0]

113 / 184

113. company needs to provide SSL VPN access to two user groups. The company also needs to display different welcome messages on the SSL VPN login screen for both user groups.
What is required in the SSL VPN configuration to meet these requirements?

1. Two firewall policies with different captive portals.

2. Different SSL VPN realms for each group.

3. Different virtual SSL VPN IP addresses for each group.

4. Two separate SSL VPNs in different interfaces mapping the same ssl.root.

114 / 184

114. The exhibit contains the configuration for an SD-WAN Performance SLA, as well as the output of
diagnose sys virtual-wan-link health-check.
Which interface will be selected as an outgoing interface?

1. port4

2. port2

3. port1

4. port3

115 / 184

115. Which two policies must be configured to allow traffic on a policy-based next-generation firewall
(NGFW) FortiGate? (Choose two.)

1. SSL inspection and authentication policy

2. Policy rule

3. Firewall policy

4. Security policy

116 / 184

116. Which two statements are true when FortiGate is in transparent mode? (Choose two.)

1. The existing network IP schema must be changed when installing a transparent mode.

2. Static routes are required to allow traffic to the next hop.

3. FortiGate forwards frames without changing the MAC address

4. By default, all interfaces are part of the same broadcast domain.

117 / 184

117. Which two statements are correct about SLA targets? (Choose two.)

1. SLA targets are required for SD-WAN rules with a Best Quality strategy.

2. You can configure only two SLA targets per one Performance SLA.

3. SLA targets are optional.

4. SLA targets are used only when referenced by an SD-WAN rule.

118 / 184

118. Refer to the exhibit.

In the network shown in the exhibit, the web client cannot connect to the HTTP web server. The
administrator runs the FortiGate built-in sniffer and gets the output as shown in the exhibit.
What should the administrator do next to troubleshoot the problem?

1. Execute a debug flow.

2. Execute another sniffer in the FortiGate, this time with the filter “host 10.0.1.10”

3. Run a sniffer on the web server.

4. Capture the traffic using an external sniffer connected to port1.

119 / 184

119. Refer to the exhibit, which contains a session diagnostic output.

Which statement is true about the session diagnostic output?

1. The session is a bidirectional UDP connection

2. The session is in TCP ESTABLISHED state

3. The session is a bidirectional TCP connection

4. The session is a UDP unidirectional state.

120 / 184

120. Which three options are the remote log storage options you can configure on FortiGate? (Choose
three.)

1. FortiSandbox

2. FortiAnalyzer

3. FortiCloud

4. FortiSIEM

5. FortiCache

121 / 184

121. An administrator needs to strengthen the security for SSL VPN access. Which of the following
statements are best practices to do so? (Choose three.)

1. . Configure SSL offloading to a content processor (FortiASIC).

2. Configure split tunneling for content inspection.

3. Configure a client integrity check (host-check).

4. Configure host restrictions by IP or MAC address.

5. Configure two-factor authentication using security certificates.

122 / 184

122. Examine this output from a debug flow:

Why did the FortiGate drop the packet?

1. The next-hop IP address is unreachable.

2. It matched the default implicit firewall policy.

3. It matched an explicitly configured firewall policy with the action DENY.

4. . It failed the RPF check.

123 / 184

123. Which two statements are true about collector agent standard access mode? (Choose two.)

1. Standard mode uses Windows convention-NetBios: Domain\Username

2. Standard access mode supports nested groups.

3. Standard mode security profiles apply to user groups.

4. Standard mode security profiles apply to organizational units (OU).

124 / 184

124. FortiGuard categories can be overridden and defined in different categories override must be configured using a specific syntax.

Which two syntaxes are correct to configure web rating override for the

1. www.example.com

2. example.com

3. www.example.com/index.html

4. www.example.com:443

125 / 184

125. Refer to the exhibit.

According to the certificate values shown in the exhibit, which type of entity was the certificate issued to?

1. A root CA

2. A subordinate

3. A user

4. A bridge CA

126 / 184

126. If Internet Service is already selected as Source in a firewall policy, which other configuration objects can
be added to the Source filed of a firewall policy?

1. IP address

2. FQDN address

3. Once Internet Service is selected, no other object can be added

4. User or User Group

127 / 184

127. Which two statements are correct about NGFW Policy-based mode? (Choose two)

1. NGFW policy-based mode policies support only flow inspection

2. NGFW policy-based mode does not require the use of central source NAT

3. NGFW policy-based mode supports creating applications and webfilter

4. NGFN policy-based mode can only be applied globally and not.

128 / 184

128. Which three methods are used by the collector agent for AD polling? (Choose three.)

1. WMI

2. FortiGate polling

3. Novell API

4. NetAPI

5. WinSecLog

129 / 184

129. What devices form the core of the security fabric?

1. One FortiGate device and one FortiAnalyzer device

2. Two FortiGate devices and one FortiAnalyzer device

3. One FortiGate device and one FortiManager device

4. Two FortiGate devices and one FortiManager device

130 / 184

130. By default, FortiGate is configured to use HTTPS when performing live web filtering with FortiGuard
servers.
Which two CLI commands will cause FortiGate to use an unreliable protocol to communicate with FortiGuard servers for live web filtering? (Choose two.)

1. set webfilter-cache disable

2. set fortiguard anycast disable

3. set protocol udp

4. set webfilter-force-off disable

131 / 184

131. Refer to the exhibit.

Based on the raw log, which two statements are correct? (Choose two.)

1. Traffic belongs to the root VDOM.

2. This is a security log.

3. Traffic is blocked because Action is set to DENY in the firewall policy

4. Log severity is set to error on FortiGate.

132 / 184

132. Refer to the exhibit.

Which contains a session list output. Based on the information shown in the exhibit, which statement is
true?

1. Destination NAT is disabled in the firewall policy.

2. Overload NAT IP pool is used in the firewall policy

3. Port block allocation IP pool is used in the firewall policy.

4. One-to-one NAT IP pool is used in the firewall policy

133 / 184

133. An administrator does not want to report the logon events of service accounts to FortiGate.
What setting on the collector agent is required to achieve this?

1. Add user accounts to Active Directory (AD).

2. Add user accounts to the Ignore User List.

3. Add the support of NTLM authentication.

4. Add user accounts to the FortiGate group fitter

134 / 184

134. Which two protocols are used to enable administrator access of a FortiGate device? (Choose two.)

1. HTTPS

2. FortiTelemetry

3. FTM

4. SSH

135 / 184

135. Which of the following statements are best practices for troubleshooting FSSO? (Choose two.)

1. Ensure all firewalls allow the FSSO required ports.

2. . Extend timeout timers.

3. Guarantee at least 34 Kbps bandwidth between FortiGate and domain controllers.

4. Include the group of guest users in a policy.

136 / 184

136. Which statements best describe auto discovery VPN (ADVPN). (Choose two.)

1. ADVPN is only supported with IKEv2.

2. Every spoke requires a static tunnel to be configured to other spokes so that phase 1 and phase 2 proposals are defined in advance.

3. Tunnels are negotiated dynamically between spokes.

4. . It requires the use of dynamic routing protocols so that spokes can learn the routes to other spokes.

137 / 184

137. View the exhibit.

A user behind the FortiGate is trying to go to http://www.addictinggames.com (Addicting Games). Based
on this configuration, which statement is true?

1. Addicting.Games is blocked on the Filter Overrides configuration.

2. Addicting.Games can be allowed only if the Filter Overrides actions is set to Exempt

3. Addcting.Games is allowed based on the Categories configuration

4. Addicting.Games is allowed based on the Application Overrides configuration

138 / 184

138. Examine this FortiGate configuration

Based on the diagnostic outputs above, how is the FortiGate handling the traffic for new sessions that
require inspection?

1. It is allowed and inspected, as long as the only inspection required is antivirus

2. It is allowed, but with no inspection

3. It is dropped

4. It is allowed and inspected as long as the inspection is flow based

139 / 184

139. An administrator is configuring an Ipsec between site A and siteB. The Remotes Gateway setting in both
sites has been configured as Static IP Address. For site A, the local quick mode selector is 192.16.1.0/24 and
the remote quick mode selector is 192.16.2.0/24.
How must the administrator configure the local quick mode selector for site B?

1. 192.168.3.0/24

2. 192.168.1.0/24

3. 192.168.0.0/8

4. 192.168.2.0/24

140 / 184

140. An administrator has configured a route-based IPsec VPN between two FortiGate devices.
Which statement about this IPsec VPN configuration is true?

1. A virtual IPsec interface is automatically created after the phase 1 configuration is completed.

2. The IPsec firewall policies must be placed at the top of the list.

3. This VPN cannot be used as part of a hub-and-spoke topology.

4. A phase 2 configuration is not required.

141 / 184

141. Refer to the exhibit.

The exhibit contains a network diagram, firewall policies, and a firewall address object configuration.
An administrator created a Deny policy with default settings to deny Webserver access for Remote-user2.
Remote-user2 is still able to access Webserver.
Which two changes can the administrator make to deny Webserver access for Remote-User2? (Choose
two.)

1. Set the Destination address as Deny_IP in the Allow-access policy

2. Enable match vip in the Deny policy.

3. Disable match-vip in the Deny policy.

4. Set the Destination address as Web_server in the Deny policy

142 / 184

142. Refer to the exhibits.

The SSL VPN connection fails when a user attempts to connect to it.
What should the user do to successfully connect to SSL VPN?

1. Change the SSL VPN port on the client.

2. Change the idle-timeout

3. Change the Server IP address

4. Change the SSL VPN portal to the tunnel.

143 / 184

143. Which three statements are true regarding session-based authentication? (Choose three.)

1. It can differentiate among multiple clients behind the same source IP address.

2. HTTP sessions are treated as a single user.

3. It requires more resources.

4. IP sessions from the same source IP address are treated as a single user

5. It is not recommended if multiple users are behind the source NAT

144 / 184

144. Which three statements about security associations (SA) in IPsec are correct? (Choose three.)

1. Phase 2 SAs are used for encrypting and decrypting the data exchanged through the tunnel.

2. A phase 1 SA is bidirectional, while a phase 2 SA is directional.

3. Both the phase 1 SA and phase 2 SA are bidirectional.

4. Phase 2 SA expiration can be time-based, volume-based, or both.

5. An SA never expires.

145 / 184

145. An administrator has configured the following settings:

What are the two results of this configuration? (Choose two.)

1. Device detection on all interfaces is enforced for 30 minutes

2. The number of logs generated by denied traffic is reduced.

3. Denied users are blocked for 30 minutes

4. A session for denied traffic is created.

146 / 184

146. Which statements about the firmware upgrade process on an active-active HA cluster are true?
(Choose two.)

1. Only secondary FortiGate devices are rebooted.

2. The firmware image must be manually uploaded to each FortiGate.

3. Uninterruptable upgrade is enabled by default

4. load balancing is temporally disabled while upgrading the firmware.

147 / 184

147. Examine this PAC file configuration

Which of the following statements are true? (Choose two.)

1. Any web request fortinet.com is allowed to bypass the proxy.

2. All requests not made to Fortinet.com or the 172.25.120.0/24 subnet, have to go through altproxy.corp.com: 8060.

3. Any web request to the 172.25.120.0/24 subnet is allowed to bypass the proxy.

4. Browsers can be configured to retrieve this PAC file from the FortiGate

148 / 184

148. Examine the IPS sensor and DoS policy configuration shown in the exhibit, then answer the question
below.

When detecting attacks, which anomaly, signature, or filter will FortiGate evaluate first?

1. IMAP.Login.brute.Force

2. ip_src_session

3. SMTP.Login.Brute.Force

4. Location: server Protocol: SMTP

149 / 184

149. Refer to the exhibit to view the firewall policy.

Which statement is correct if well-known viruses are not being blocked?

1. The firewall policy does not apply deep content inspection.

2. The action on the firewall policy must be set to deny.

3. The firewall policy must be configured in proxy-based inspection mode

4. Web filter should be enabled on the firewall policy to complement the antivirus profile.

150 / 184

150. Which configuration objects can be selected for the Source field of a firewall policy? (Choose
two.)

1. FQDN address

2. Firewall service

3. User or user group

4. IP Pool

151 / 184

151. 141.Which three criteria can a FortiGate use to look for a matching firewall policy to process traffic?
(Choose three.)

1. Source defined as Internet Services in the firewall policy.

2. Lowest to highest policy ID number.

3. Services defined in the firewall policy.

4. Destination defined as Internet Services in the firewall policy.

5. Highest to lowest priority defined in the firewall policy.

152 / 184

152. Refer to the exhibit.

The exhibit shows a CLI output of firewall policies, proxy policies, and proxy addresses.
How does FortiGate process the traffic sent to http://www.fortinet.com?

153 / 184

153. Which downstream FortiGate VOOM is used to join the Security Fabric ?

1. Customer VOOM

2. Global VDOM

3. Root VDOOM

4. FG-traffic VDOM

154 / 184

154. Which two settings can be separately configured per VDOM on a FortiGate device? (Choose two.)

1. Operating mode

2. NGFW mode

3. FortiGuaid update servers

4. System time

155 / 184

155. What types of traffic and attacks can be blocked by a web application firewall (WAF) profile? (Choose
three.)

1. Traffic to inappropriate web sites

2. SQL injection attacks

3. Traffic to botnetservers

4. Server information disclosure attacks

5. Credit card data leaks

156 / 184

156. On a FortiGate with a hard disk, how can you upload logs to FortiAnalyzer or FortiManager?
(Choose two.)

1. real time

2. store-and-upload

3. hourly

4. on-demand

157 / 184

157. Which Security rating scorecard helps identify configuration weakness and best practice violations in
your network?

1. Security Posture

2. Fabric Coverage

3. Optimization

4. Automated Response

158 / 184

158. How does FortiGate verify the login credentials of a remote LDAP user?

1. FortiGate sends the user-entered credentials to the LDAP server for authentication.

2. FortiGate queries its own database for credentials.

3. FortiGate queries the LDAP server for credentials.

4. FortiGate regenerates the algorithm based on the login credentials and compares it to the algorithm stored on the LDAP server.

159 / 184

159. Which of the following statements about backing up logs from the CLI and downloading logs from the GUI
are true? (Choose two.)

1. Log downloads from the GUI are limited to the current filter view

2. Log downloads from the GUI are stored as LZ4 compressed files.

3. Log backups from the CLI cannot be restored to another FortiGate.

4. Log backups from the CLI can be configured to upload to FTP as a scheduled time

160 / 184

160. An administrator Is configuring an IPsec VPN between site A and site
B. The Remote Gateway setting in both sites has been configured as Static IP Address. For site
A. the local quick mode selector is 192.160.1.0/24 and the remote quick mode selector is 192.168.2.0/24.
Which subnet must the administrator configure for the local quick mode selector for site B?

1. 192.168.2.0/24

2. 92.168.1.0/24

3. 192.168.0.0/24

4. 192.168.3.0/24

161 / 184

161. Which of the following route attributes must be equal for static routes to be eligible for equal
cost multipath (ECMP) routing? (Choose two.)

1. Priority

2. Cost

3. Distance

4. Metric

162 / 184

162. Refer to the exhibit.

The Root and To_Internet VDOMs are configured in NAT mode. The DMZ and Local VDOMs are
configured in transparent mode.
The Root VDOM is the management VDOM. The To_Internet VDOM allows LAN users to access internet.
The To_lnternet VDOM is the only VDOM with internet access and is directly connected to ISP modem.
Which two statements are true? (Choose two.)

1. Inter-VDOM links are required to allow traffic between the Local and Root VDOMs

2. Inter-VDOM links are required to allow traffic between the Local and DMZ VDOMs.

3. A static route is required on the To_Internet VDOM to allow LAN users to access the internet

4. Inter-VDOM links are not required between the Root and To_Internet VDOMs because the Root VDOM is used only as a management VDOM

163 / 184

163. An administrator must disable RPF check to investigate an issue.
Which method is best suited to disable RPF without affecting features like antivirus and intrusion
prevention system?

1. Enable asymmetric routing, so the RPF check will be bypassed.

2. Disable the RPF check at the FortiGate interface level for the source check.

3. Enable asymmetric routing at the interface level

4. Disable the RPF check at the FortiGate interface level for the reply check.

164 / 184

164. Which two statements about antivirus scanning mode are true? (Choose two.)

1. In proxy-based inspection mode, files bigger than the buffer size are scanned.

2. In flow-based inspection mode, files bigger than the buffer size are scanned.

3. In flow-based inspection mode. FortiGate buffers the file, but also simultaneously transmits it to the client.

4. In proxy-based inspection mode, antivirus scanning buffers the whole file for scanning, before sending it to the client.

165 / 184

165. Which statement about the policy ID number of a firewall policy is true?

1. It changes when firewall policies are reordered.

2. It is required to modify a firewall policy using the CLI.

3. It defines the order in which rules are processed.

4. It represents the number of objects used in the firewall policy.

166 / 184

166. Refer to the exhibit.

The exhibit displays the output of the CLI command: diagnose sys ha dump-by vcluster.
Which two statements are true? (Choose two.)

1. FortiGate SN FGVM010000064692 is the primary because of higher HA uptime

2. FortiGate SN FGVM010000065036 HA uptime has been reset.

3. FortiGate devices are not in sync because one device is down.

4. FortiGate SN FGVM010000064692 has the higher HA priority.

167 / 184

167. An administrator observes that the port1 interface cannot be configured with an IP address.
What can be the reasons for that? (Choose three.)

1. The interface has been configured for one-arm sniffer

2. The interface is a member of a virtual wire pair.

3. The interface is a member of a zone

4. The operation mode is transparent

5. Captive portal is enabled in the interface.

168 / 184

168. Refer to the exhibit.

Which contains a session diagnostic output.
Which statement is true about the session diagnostic output?

1. The session is in FTN_WAIT state.

2. The session is in ESTABLISHED state.

3. The session is in SYN_SEXT state.

4. The session is in FIN_ACK state.

169 / 184

169. Refer to the exhibit

Examine the intrusion prevention system (IPS) diagnostic command.
Which statement is correct If option 5 was used with the IPS diagnostic command and the outcome was a
decrease in the CPU usage?

1. The IPS engine was inspecting high volume of traffic.

2. The IPS engine was unable to prevent an intrusion attack.

3. The IPS engine will continue to run in a normal state.

4. The IPS engine was blocking all traffic.

170 / 184

170. Which statements are true regarding firewall policy NAT using the outgoing interface IP address with
fixed port disabled? (Choose two.)

1. Source IP is translated to the outgoing interface IP.

2. This is known as many-to-one NAT.

3. Port address translation is not use

4. Connections are tracked using source port and source MAC address.

171 / 184

171. Refer to the exhibit, which contains a static route configuration

An administrator created a static route for Amazon Web Services.
What CLI command must the administrator use to view the route?

1. get router info routing-table all

2. get internet service route list

3. diagnose firewall proute list

4. get router info routing-table datab

172 / 184

172. An administrator wants to configure Dead Peer Detection (DPD) on IPSEC VPN for DPD probes only when no traffic is observed in the tunnel.
Which DPO mode on FortiGate wtll meet the above requirement?

1. Enabled

2. Disabled

3. On Demand

4. On Idel

173 / 184

173. Which certificate value can FortiGate use to determine the relationship between the issuer and the
certificate?

1. Subject Key Identifier value

2. SMMIE Capabilities value

3. Subject Alternative Name value

4. Subject value

174 / 184

174. Which of the following statements is true regarding SSL VPN settings for an SSL VPN portal?

1. By default, the admin GUI and SSL VPN portal use the same HTTPS port.

2. By default, FortiGate uses WINS servers to resolve names.

3. By default, the SSL VPN portal requires the installation of a client’s certificate.

4. By default, split tunneling is enabled.

175 / 184

175. Which two actions can you perform only from the root FortiGate in a Security Fabric? (Choose two.)

1. Ban or unban compromised hosts.

2. Shut down/reboot a downstream FortiGate device.

3. Log in to a downstream FortiSwitch device.

4. Disable FortiAnalyzer logging for a downstream FortiGate device

176 / 184

176. How does FortiGate act when using SSL VPN in web mode?

1. FortiGate acts as DNS server

2. FortiGate acts as router.

3. FortiGate acts as an HTTP reverse proxy.

4. FortiGate acts as an FDS server.

177 / 184

177. You have enabled logging on your FortiGate device for Event logs and all Security logs, and you have set
up logging to use the FortiGate local disk.

What is the default behavior when the local disk is full?

1. Logs are overwritten and the first warning is issued when log disk usage reaches the threshold of 75%.

2. Logs are overwritten and the only warning is issued when log disk usage reaches the threshold of 95%.

3. No new log is recorded after the warning is issued when log disk usage reaches the threshold of 95%.

4. No new log is recorded until you manually clear logs from the local disk.

178 / 184

178. Why does FortiGate keep TCP sessions in the session table for some seconds even after both sides
(client and server) have terminated the session?

1. To remove the NAT operation

2. To allow for out-of-order packets that could arrive after the FIN/ACK packets

3. To generate logs

4. To finish any inspection operations

179 / 184

179. View the exhibit:

Which the FortiGate handle web proxy traffic rue? (Choose two.)

1. Broadcast traffic received in port1-VLAN10 will not be forwarded to port2-VLAN10.

2. port1-VLAN10 and port2-VLAN10 can be assigned to different VDOM

3. port-VLAN1 is the native VLAN for the port1 physical interface.

4. Traffic between port1-VLAN1 and port2-VLAN1 is allowed by default.

180 / 184

180. Which CLI command will display sessions both from client to the proxy and from the proxy to the
servers?

1. diagnose wad session list | grep hook=pre&&hook=out

2. diagnose wad session list | grep "hook=pre"&"hook=out"

3. diagnose wad session list | grep hook-pre&&hook-out

4. diagnose wad session list

181 / 184

181. An administrator needs to configure VPN user access for multiple sites using the same soft FortiToken.
Each site has a FortiGate VPN gateway.
What must an administrator do to achieve this objective?

1. The administrator must use a FortiAuthenticator device.

2. The administrator must use the user self-registration server

3. The administrator can register the same FortiToken on more than one FortiGate.

4. The administrator can use a third-party radius OTP server.

182 / 184

182. If the Issuer and Subject values are the same in a digital certificate, which type of entity was the
certificate issued to?

1. A subordinate CA

2. A person

3. A root CA

4. A CRL

183 / 184

183. FortiGate is configured as a policy-based next-generation firewall (NGFW) and is applying web filtering
and application control directly on the security policy.
Which two other security profiles can you apply to the security policy? (Choose two.)

1. DNS filter

2. Antivirus scanning

3. File filter

4. Intrusion prevention

184 / 184

184. Which of the following statements correctly describes FortiGates route lookup behavior when
searching for a suitable gateway? (Choose two)

1. Lookup is done on the last packet sent from the responder

2. Lookup is done on the first packet from the session originator

3. Lookup is done on the trust reply packet from the responder

4. Lookup is done on every packet, regardless of direction

Your score is

LinkedIn Facebook Twitter VKontakte

0 votes, 0 avg

Created by

Rabiul Islam

CCNA Question Part-1

1 / 100

1. Refer to the exhibit. A network administrator is configuring an EtherChannel between SW1 and SW2. The SW1
configuration is shown.

1. interface FastEthernet 0/1 channel-group 1 mode desirable switchport trunk encapsulation dot1q switchport mode trunk interface FastEthernet 0/2 channel-group 1 mode desirable switchport trunk encapsulation dot1q switchport mode trunk

2. interface FastEthernet 0/1 channel-group 1 mode active switchport trunk encapsulation dot1q switchport mode trunk interface FastEthernet 0/2 channel-group 1 mode active switchport trunk encapsulation dot1q switchport mode trunk

3. interface FastEthernet 0/1 channel-group 1 mode passive switchport trunk encapsulation dot1q switchport mode trunk interface FastEthernet 0/2 channel-group 1 mode passive switchport trunk encapsulation dot1q switchport mode trunk

4. interface FastEthernet 0/1 channel-group 2 mode auto switchport trunk encapsulation dot1q switchport mode trunk interface FastEthernet 0/2 channel-group 2 mode auto switchport trunk encapsulation dot1q switchport mode trunk

If the etherchannel was configured with mode “auto”, it was using PagP, so, we need to configure the other
switch with “desirable” mode.
PagP modes: auto | Desirable
LACP modes: active | pasive

2 / 100

2. An engineer must configure a WLAN using the strongest encryption type for WPA2-PSK. Which cipher fulfills
the configuration requirement?

1. AES

2. RC4

3. TKIP

4. WEP

Many routers provide WPA2-PSK (TKIP), WPA2-PSK (AES), and WPA2-PSK (TKIP/AES) as options.
TKIP is actually an older encryption protocol introduced with WPA to replace the very-insecure WEP encryption
at the time. TKIP is actually quite similar to WEP encryption. TKIP is no longer considered secure, and is now
deprecated. In other words, you shouldn't be using it.
AES is a more secure encryption protocol introduced with WPA2 and it is currently the strongest encryption
type for WPA2-PSK/

3 / 100

3. What is a benefit of using a Cisco Wireless LAN Controller?

1. It eliminates the need to configure each access point individually.

2. Central AP management requires more complex configurations.

3. It supports autonomous and lightweight APs.

4. Unique SSIDs cannot use the same authentication method.

4 / 100

4. Refer to the exhibit. Which command provides this output?

1. show ip route

2. show interface

3. show cdp neighbor

4. show ip interface

5 / 100

5. Which API is used in controller-based architectures to interact with edge devices?

1. southbound

2. underlay

3. overlay

4. northbound

6 / 100

6. Refer to the exhibit. The New York router is configured with static routes pointing to the Atlanta and Washington
sites.

Which two tasks must be performed so that the Serial0/0/0 interfaces on the Atlanta and Washington routers
can reach one another? (Choose two.)

1. Configure the ipv6 route 2023::/126 2012::2 command on the Atlanta router

2. Configure the Ipv6 route 2012::/126 s0/0/0 command on the Atlanta router.

3. Configure the ipv6 route 2012::/126 2023::2 command on the Washington router.

4. Configure the ipv6 route 2012::/126 2023::1 command on the Washington router.

5. Configure the ipv6 route 2023::/126 2012::1 command on the Atlanta router.

The short syntax of static IPv6 route is:
ipv6 route <destination-IPv6-address> {next-hop-IPv6-address | exit-interface}

7 / 100

7. Refer to the exhibit. An extended ACL has been configured and applied to router R2 The configuration farted to
work as intended.

Refer to the exhibit. An extended ACL has been configured and applied to router R2 The configuration started
to work as intended.Which two changes stop outbound traffic on TCP ports 25 and 80 to 10.0.20.0/26 from the
10.0.10.0/26 subnet while still allowing all other traffic? (Choose two)

1. Add a “permit ip any any” statement to the begining of ACL 101 for allowed traffic.

2. The ACL must be configured the Gi0/2 interface inbound on R1.

3. The ACL must be moved to the Gio/1 interface outbound on R2.

4. The source and destination IPs must be swapped in ACL 101.

5. Add a “permit ip any any” statement at the end of ACL 101 for allowed traffic.

8 / 100

8. Which configuration is needed to generate an RSA key for SSH on a router?

1. Assign a DNS domain name.

2. Configure the version of SSH.

3. Create a user with a password.

4. Configure VTY access.

In order to generate an RSA key for SSH, we need to configure the hostname and a DNS domain name on the
router (a username and password is also required). Therefore in fact both answer C and answer D are correct.

9 / 100

9. Refer to the exhibit. An engineer configured NAT translations and has verified that the configuration is correct.
Which IP address is the source IP?

1. 172.23.104.4

2. 10.4.4.4

3. 10.4.4.5

4. 172.23.103.10

10 / 100

10. Refer to the exhibit. The show ip ospf interface command has been executed on R1. How is OSPF configured?

1. The interface is not participating in OSPF.

2. A point-to-point network type is configured.

3. There are six OSPF neighbors on this interface.

4. The default Hello and Dead timers are in use.

Explanation:
From the output we can see there are Designated Router & Backup Designated Router for this OSPF domain
so this is a broadcast network (point-to-point and point-to multipoint networks do not elect DR & BDR) ->
Answer B is not correct.
By default, the timers on a broadcast network (Ethernet, point-to-point and point-to-multipoint) are 10 seconds
hello and 40 seconds dead (therefore answer C is correct). The timers on a non- broadcast network are 30
seconds hello 120 seconds dead.
From the line “Neighbor Count is 3”, we learn there are four OSPF routers in this OSPF domain -> Answer D is
not correct.
Reference: https://www.cisco.com/c/en/us/support/docs/ip/open-shortest-path-first-ospf/13689-17.html

11 / 100

11. Refer to the exhibit. A frame on VLAN 1 on switch S1 is sent to switch S2 where the frame is received on VLAN
2.

What causes this behavior?

1. trunk mode mismatches

2. native VLAN mismatches

3. VLANs that do not correspond to a unique IP subnet

4. allowing only VLAN 2 on the destination

Untagged frames are encapsulated with the native VLAN. In this case, the native VLANs are different so
although S1 will tag it as VLAN 1 it will be received by S2.

12 / 100

12. An engineer configured an OSPF neighbor as a designated router. Which state verifies the designated router is
in the proper mode?

1. Init

2. Full

3. Exchange

4. 2-way

13 / 100

13. Which IPv6 address block sends packets to a group address rather than a single address?

1. FC00::/7

2. FF00::/8

3. FE80::/10

4. 2000::/3

FF00::/8 is used for IPv6 multicast and this is the IPv6 type of address the question wants to ask.
FE80::/10 range is used for link-local addresses. Link-local addresses only used for communications within the
local subnetwork (automatic address configuration, neighbor discovery, router discovery, and by many routing
protocols). It is only valid on the current subnet.
It is usually created dynamically using a link-local prefix of FE80::/10 and a 64-bit interface identifier (based on
48-bit MAC address).

14 / 100

14. Which result occurs when PortFast is enabled on an interface that is connected to another switch?

1. Spanning tree may fail to detect a switching loop in the network that causes broadcast storms.

2. Root port choice and spanning tree recalculation are accelerated when a switch link goes down.

3. After spanning tree converges PortFast shuts down any port that receives BPDUS.

4. VTP is allowed to propagate VLAN configuration information from switch to switch automatically

Enabling the PortFast feature causes a switch or a trunk port to enter the STP forwarding-state immediately or
upon a linkup event, thus bypassing the listening and learning states.
Note: To enable portfast on a trunk port you need the trunk keyword "spanning-tree portfast trunk"

15 / 100

15. An email user has been lured into clicking a link in an email sent by their company’s security organization. The
webpage that opens reports that it was safe but the link could have contained malicious code. Which type of
security program is in place?

1. Physical access control

2. brute force attack

3. Social engineering attack

4. user awareness

16 / 100

16. Refer to the exhibit. Which configuration when applied to switch A accomplishes this task?

1. Option D

2. Option B

3. Option C

4. Option A

17 / 100

17. Refer to the exhibit. A frame on VLAN 1 on switch S1 is sent to switch S2 where the frame is received on VLAN-2

1. VLANs that do not correspond to a unique IP subnet

2. native VLAN mismatches

3. trunk mode mismatches

4. allowing only VLAN 2 on the destination

Untagged frames are encapsulated with the native VLAN. In this case, the native VLANs are different so
although S1 will tag it as VLAN 1 it will be received by S2.

18 / 100

18. Which unified access point mode continues to serve wireless clients after losing connectivity to the Cisco
Wireless LAN Controller?

1. sniffer

2. local

3. mesh

4. flexconnect

Reference: https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-5/config-guide/b_cg85/flexconnect.html

19 / 100

19. In Which way does a spine-and-leaf architecture allow for scalability in a network when additional access ports
are required?

1. A leaf switch can be added with connections to every spine switch.

2. A spine switch and a leaf switch can be added with redundant connections between them.

3. A leaf switch can be added with a single connection to a core spine switch.

4. A spine switch can be added with at least 40 GB uplinks.

Spine-leaf architecture is typically deployed as two layers: spines (such as an aggregation layer), and leaves
(such as an access layer). Spine-leaf topologies provide high-bandwidth, low-latency, nonblocking server-toserver
connectivity.
Leaf (aggregation) switches are what provide devices access to the fabric (the network of spine and leaf
switches) and are typically deployed at the top of the rack. Generally, devices connect to the leaf switches.
Devices can include servers, Layer 4-7 services (firewalls and load balancers), and WAN or Internet routers.
Leaf switches do not connect to other leaf switches. In spine-and-leaf architecture, every leaf should connect to
every spine in a full mesh.
Spine (aggregation) switches are used to connect to all leaf switches and are typically deployed at the end or
middle of the row. Spine switches do not connect to other spine switches

20 / 100

20. Which MAC address is recognized as a VRRP virtual address?

1. 0007.C070/AB01

2. 0000.5E00.010a

3. 0005.3711.0975

4. 0000.0C07.AC99

With VRRP, the virtual router's MAC address is 0000.5E00.01xx , in which xx is the VRRP group.

21 / 100

21. When configuring IPv6 on an interface, which two IPv6 multicast groups are joined? (Choose two)

1. 2002::5

2. 2000::/3

3. FC00::/7

4. FF02::1

5. FF02::2

22 / 100

22. Refer to the exhibit. An engineer is bringing up a new circuit to the MPLS provider on the Gi0/1 interface of
Router1. The new circuit uses eBGP and teams the route to VLAN25 from the BGP path.
Whats the expected behavior for the traffic flow for route 10.10.13.0/25?

1. Route 10.10.13.0/25 is updated in the routing table as being learned from interface Gi0/1.

2. Route 10.10.13.0/25 learned via the Gi0/0 interface remains in the routing table.

3. Traffic to 10.10.13.0.25 is load balanced out of multiple interfaces.

4. Traffic to 10.10.13.0/25 is asymmeteical.

23 / 100

23. Which two encoding methods are supported by REST APIs? (Choose two)

1. SGML

2. YAML

3. EBCDIC

4. XML

5. JSON

The Application Policy Infrastructure Controller (APIC) REST API is a programmatic interface that uses REST
architecture. The API accepts and returns HTTP (not enabled by default) or HTTPS messages that contain
JavaScript Object Notation (JSON) or Extensible Markup Language (XML) documents.
Reference: https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus1000/sw/5_x/rest_api_config/
b_Cisco_N1KV_VMware_REST_API_Config_5x/
b_Cisco_N1KV_VMware_REST_API_Config_5x_chapter_010.pdf

24 / 100

24. Which design element is a best practice when deploying an 802.11b wireless infrastructure?

1. allocating nonoverlapping channels to access points that are in close physical proximity to one another

2. setting the maximum data rate to 54 Mbps on the Cisco Wireless LAN Controller

3. configuring access points to provide clients with a maximum of 5 Mbps

4. disabling TPC so that access points can negotiate signal levels with their attached wireless devices

25 / 100

25. Which two statements describe characteristics of IPv6 unicast addressing? (Choose two.)

1. There is only one loopback address and it is ::1.

2. If a global address is assigned to an interface, then that is the only allowable address for the interface.

3. Which two statements describe characteristics of IPv6 unicast addressing? (Choose two.)

4. Link-local addresses start with FF00::/10.

5. Link-local addresses start with FE00:/12.

26 / 100

26. How do TCP and UDP differ in the way that they establish a connection between two endpoints?

1. UDP provides reliable message transfer and TCP is a connectionless protocol.

2. UDP uses SYN, SYN ACK and FIN bits in the frame header while TCP uses SYN, SYN ACK and ACK bits.

3. TCP uses synchronization packets, and UDP uses acknowledgment packets.

4. TCP uses the three-way handshake and UDP does not guarantee message delivery.

27 / 100

27. Refer to the exhibit. What is the effect of this configuration?

1. Dynamic ARP inspection is disabled because the ARP ACL is missing.

2. The switch port remains administratively down until the interface is connected to another switch.

3. The switch port interface trust state becomes untrusted.

4. The switch port remains down until it is configured to trust or untrust incoming packets.

Dynamic ARP inspection (DAI) is a security feature that validates ARP packets in a network. It intercepts, logs,
and discards ARP packets with invalid IP-to-MAC address bindings. This capability protects the network from
certain man-in-the-middle attacks. After enabling DAI, all ports become untrusted ports.

28 / 100

28. Which two actions influence the EIGRP route selection process? (Choose two)

1. The router calculates the best backup path to the destination route and assigns it as the feasible successor.

2. The advertised distance is calculated by a downstream neighbor to inform the local router of the bandwidth on the link.

3. The router must use the advertised distance as the metric for any given route. Correct Answer:

4. The router calculates the feasible distance of all paths to the destination route.

5. The router calculates the reported distance by multiplying the delay on the exiting Interface by 256.

The reported distance (or advertised distance) is the cost from the neighbor to the destination. It is calculated
from the router advertising the route to the network. For example in the topology below, suppose router A & B
are exchanging their routing tables for the first time. Router B says "Hey, the best metric (cost) from me to
IOWA is 50 and the metric from you to IOWA is 90" and advertises it to router A.
Router A considers the first metric (50) as the Advertised distance. The second metric (90), which is from
NEVADA to IOWA (through IDAHO), is called the Feasible distance.

-> Answer A is not correct.
Feasible successor is the backup route. To be a feasible successor, the route must have an Advertised
distance (AD) less than the Feasible distance (FD) of the current successor route -> Answer B is correct.
Feasible distance (FD): The sum of the AD plus the cost between the local router and the next- hop router.
The router must calculate the FD of all paths to choose the best path to put into the routing table.
Note: Although the new CCNA exam does not have EIGRP topic but you should learn the basic knowledge of
this routing protocol.

29 / 100

29. Refer to the exhibit. Which prefix does Router 1 use for traffic to Host A?

1. 10.10.13.144/28

2. 10.10.10.0/28

3. 10.10.13.208/29

4. 10.10.13.0/25

Host A address fall within the address range. However, if more than one route to the same subnet exist (router
will use the longest stick match, which match more specific route to the subnet). If there are route
10.10.13.192/26 and 10.10.13.208/29, the router will forward the packet to /29 rather than /28.

30 / 100

30. Which two outcomes are predictable behaviors for HSRP? (Choose two)

1. The two routers negotiate one router as the active router and the other as the standby router.

2. The two routers synchronize configurations to provide consistent packet forwarding.

3. The two routers share a virtual IP address that is used as the default gateway for devices on the LAN.

4. Each router has a different IP address both routers act as the default gateway on the LAN, and traffic is load balanced between them.

5. The two routed share the same IP address, and default gateway traffic is load-balanced between them.

31 / 100

31. Refer to the exhibit. What does router R1 use as its OSPF router-ID?

1. 172.16.15.10

2. 10.10.10.20

3. 192.168.0.1

4. 10.10.1.10

OSPF uses the following criteria to select the router ID:
1. Manual configuration of the router ID (via the "router-id x.x.x.x" command under OSPF router configuration
mode).
2. Highest IP address on a loopback interface.
3. Highest IP address on a non-loopback and active (no shutdown) interface

32 / 100

32. Which action is taken by a switch port enabled for PoE power classification override?

1. If a switch determines that a device is using less than the minimum configured power it assumes the device has failed and disconnects.

2. When a powered device begins drawing power from a PoE switch port a syslog message is generated

3. As power usage on a PoE switch port is checked data flow to the connected device is temporarily paused.

4. If a monitored port exceeds the maximum administrative value for power, the port is shutdown and errdisabled.

Explanation: PoE monitoring and policing compares the power consumption on ports with the administrative
maximum value (either a configured maximum value or the port’s default value). If the power consumption on a
monitored port exceeds the administrative maximum value, the following actions occur:
– A syslog message is issued.
– The monitored port is shut down and error-disabled.
– The allocated power is freed.
Reference:https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/power_over_ethernet.pdf

33 / 100

33. Which command enables a router to become a DHCP client?

1. ip helper-address

2. ip dhcp pool

3. ip dhcp client

4. ip address dhcp

34 / 100

34. Which three are characteristics of an IPv6 anycast address? (Choose three.)

1. one-to-nearest communication model

2. delivery of packets to the group interface that is closest to the sending device

3. the same address for multiple devices in the group

4. any-to-many communication model

5. one-to-many communication model

6. a unique IPv6 address for each device in the group

35 / 100

35. Refer to the exhibit. Which password must an engineer use to enter the enable mode?

1. adminadmin123

2. esting1234

3. cisco123

4. default

If neither the enable password command nor the enable secret command is configured, and if there is a line
password configured for the console, the console line password serves as the enable password for all VTY
sessions -> The "enable secret" will be used first if available, then "enable password" and line password.
Reference:
https://www.cisco.com/c/en/us/td/docs/optical/cpt/r9_3/configuration/guide/cpt93_configuration/
cpt93_configuration_chapter_0100

36 / 100

36. Refer to the exhibit. If configuring a static default route on the router with the ip route 0.0.0.0 0.0.0.0 10.13.0.1
120 command, how does the router respond?

1. It immediately replaces the existing OSPF route in the routing table with the newly configured static route.

2. It starts load-balancing traffic between the two default routes.

3. It starts sending traffic without a specific matching entry in the routing table to GigabitEthernet0/1.

4. It ignores the new static route until the existing OSPF default route is removed.

Our new static default route has the Administrative Distance (AD) of 120, which is bigger than the AD of OSPF
External route (O*E2) so it will not be pushed into the routing table until the current OSPF External route is
removed.
For your information, if you don't type the AD of 120 (using the command "ip route 0.0.0.0 0.0.0.0 10.13.0.1")
then the new static default route would replace the OSPF default route as the default AD of static route is 1.
You will see such line in the routing table:
S* 0.0.0.0/0 [1/0] via 10.13.0.1

37 / 100

37. A network engineer must back up 20 network router configurations globally within a customer environment.
Which protocol allows the engineer to perform this function using the Cisco IOS MIB?

1. CDP

2. SMTP

3. ARP

4. SNMP

SNMP is an application-layer protocol that provides a message format for communication between SNMP
managers and agents. SNMP provides a standardized framework and a common language used for the
monitoring and management of devices in a network.
The SNMP framework has three parts:
+ An SNMP manager
+ An SNMP agent
+ A Management Information Base (MIB)
The Management Information Base (MIB) is a virtual information storage area for network management
information, which consists of collections of managed objects.
With SNMP, the network administrator can send commands to multiple routers to do the backup.

38 / 100

38. An engineer must configure a /30 subnet between two routers. Which usable IP address and subnet mask
combination meets this criteria?

1. interface e0/0 description to HQ-A370:98968 ip address 209.165.201.2 255.255.255.252

2. interface e0/0 description to HQ-A370:98968 ip address 192.168.1.1 255.255.255.248

3. interface e0/0 description to HQ-A370:98968 ip address 172.16.1.4 255.255.255.248

4. interface e0/0 description to HQ-A370:98968 ip address 10.2.1.3 255.255.255.252

A /30 subnet means subnet mask of 255.255.255.252. But 10.2.1.3 255.255.255.252 is a broadcast IP address;
only 209.165.201.2/30 is the usable IP address

39 / 100

39. A user configured OSPF in a single area between two routers A serial interface connecting R1 and R2 is
running encapsulation PPP, by default, which OSPF network type is seen on this interface when the user types
show ip ospf interface on R1 or R2?

1. point-to-point

2. port-to-multipoint

3. broadcast

4. nonbroadcast

The default OSPF network type for HDLC and PPP on Serial link is point-to-point (while the default OSPF
network type for Ethernet link is Broadcast).

40 / 100

40. A user configured OSPF and advertised the Gigabit Ethernet interface in OSPF by default, which type of OSPF
network does this interface belong to?

1. point-to-multipoint

2. broadcast

3. point-to-point

4. nonbroadcast

The Broadcast network type is the default for an OSPF enabled ethernet interface (while Point-toPoint is the
default OSPF network type for Serial interface with HDLC and PPP encapsulation).
Reference: https://www.oreilly.com/library/view/cisco-ios-cookbook/0596527225/ch08s15.html

41 / 100

41. Which set of action satisfy the requirement for multi-factor authentication?

1. The user enters a user name and password and then re-enters the credentials on a second screen.

2. The user swipes a key fob, then clicks through an email link.

3. The user enters a PIN into an RSA token, and then enters the displayed RSA key on a login screen.

4. The user enters a user name and password, and then clicks a notification in an authentication app on a mobile device

This is an example of how two-factor authentication (2FA) works:
1. The user logs in to the website or service with their username and password.
2. The password is validated by an authentication server and, if correct, the user becomes eligible for the
second factor.
3. The authentication server sends a unique code to the user's second-factor method (such as a smartphone
app).
4. The user confirms their identity by providing the additional authentication for their second-factor method.

42 / 100

42. Which mode must be used to configure EtherChannel between two switches without using a negotiation
protocol?

1. desirable

2. auto

3. active

4. on

The Static Persistence (or “on” mode) bundles the links unconditionally and no negotiation protocol is used. In
this mode, neither PAgP nor LACP packets are sent or received.

43 / 100

43. What is the default behavior of a Layer 2 switch when a frame with an unknown destination MAC address is
received?

1. The Layer 2 switch sends a copy of a packet to CPU for destination MAC address learning.

2. The Layer 2 switch forwards the packet and adds the destination MAC address to its MAC address table.

3. The Layer 2 switch drops the received frame.

4. The Layer 2 switch floods packets to all ports except the receiving port in the given VLAN.

If the destination MAC address is not in the CAM table (unknown destination MAC address), the switch sends
the frame out all other ports that are in the same VLAN as the received frame. This is called flooding. It does
not flood the frame out the same port on which the frame was received.

44 / 100

44. Refer to the exhibit. Which type of route does R1 use to reach host 10.10.13.10/32?

1. floating static route

2. host route

3. network route

4. default route

From the output, we see R1 will use the entry "O 10.10.13.0/25 [110/4576] via 10.10.10.1, ..." to reach host
10.10.13.10. This is a network route.
Note: "B* 0.0.0.0/0 ..." is a default route.

45 / 100

45. When a floating static route is configured, which action ensures that the backup route is used when the primary
route fails?

1. The default-information originate command must be configured for the route to be installed into the routing table.

2. The administrative distance must be higher on the primary route so that the backup route becomes secondary

3. The floating static route must have a lower administrative distance than the primary route so it is used as a backup.

4. The floating static route must have a higher administrative distance than the primary route so it is used as a backup.

46 / 100

46. Which 802.11 frame type is association response?

1. protected frame

2. control

3. management

4. action

There are three main types of 802.11 frames: the Data Frame, the Management Frame and the Control Frame.
Association Response belongs to Management Frame. Association response is sent in response to an
association request.
Reference: https://en.wikipedia.org/wiki/802.11_Frame_Types

47 / 100

47. Which type of address is the public IP address of a NAT device?

1. inside public

2. inside local

3. outside local

4. outside public

5. inside global

6. outside global

NAT use four types of addresses:
* Inside local address - The IP address assigned to a host on the inside network. The address is usually not an
IP address assigned by the Internet Network Information Center (InterNIC) or service provider.
This address is likely to be an RFC 1918 private address.
* Inside global address - A legitimate IP address assigned by the InterNIC or service provider that represents
one or more inside local IP addresses to the outside world.
* Outside local address - The IP address of an outside host as it is known to the hosts on the inside network.
* Outside global address - The IP address assigned to a host on the outside network. The owner of the host
assigns this address.

48 / 100

48. What are two reasons that cause late collisions to increment on an Ethernet interface? (Choose two)

1. when a collision occurs after the 32nd byte of a frame has been transmitted

2. when the sending device waits 15 seconds before sending the frame again

3. when the cable length limits are exceeded

4. when Carner Sense Multiple Access/Collision Detection is used

5. when one side of the connection is configured for half-duplex

A late collision is defined as any collision that occurs after the first 512 bits (or 64th byte) of the frame have
been transmitted. The usual possible causes are full-duplex/half-duplex mismatch, exceeded Ethernet cable
length limits, or defective hardware such as incorrect cabling, noncompliant number of hubs in the network, or a
bad NIC.
Late collisions should never occur in a properly designed Ethernet network. They usually occur when Ethernet
cables are too long or when there are too many repeaters in the network.
Reference: Click here

49 / 100

49. Which command is used to specify the delay time in seconds for LLDP to initialize on any interface?

1. lldp holdtimt

2. lldp reinit

3. ldp tlv-select

4. lldp timer

+ lldp holdtime seconds: Specify the amount of time a receiving device should hold the information from your
device before discarding it
+ lldp reinit delay: Specify the delay time in seconds for LLDP to initialize on an interface
+ lldp timer rate: Set the sending frequency of LLDP updates in seconds

50 / 100

50. A Cisco IP phone receive untagged data traffic from an attached PC.
Which action is taken by the phone?

1. It tags the traffic with the native VLAN.

2. It allows the traffic to pass through unchanged

3. It drops the traffic.

4. It tags the traffic with the default VLAN.

Untagged traffic from the device attached to the Cisco IP Phone passes through the phone unchanged,
regardless of the trust state of the access port on the phone.
Reference: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-0_2_EX/vlan/
configuration_guide/b_vlan_152ex_2960-x_cg/b_vlan_152ex_2960-x_cg_chapter_0110.pdf

51 / 100

51. Which IPv6 address is valid?

1. 2001:0db8:0000:130F:0000:0000:08GC:140B

2. 2031::130F::9C0:876A:130B

3. 2001:0db8:0:130H::87C:140B

4. 2031:0:130F::9C0:876A:130B

An IPv6 address is represented as eight groups of four hexadecimal digits, each group representing 16 bits
(two octets). The groups are separated by colons (:). An example of an IPv6 address is
2001:0db8:85a3:0000:0000:8a2e:0370:7334.
The leading O’s in a group can be collapsed using ::, but this can only be done once in an IP address.

52 / 100

52. Which feature on the Cisco Wireless LAN Controller when enabled restricts management access from specific
networks?

1. CPU ACL

2. Flex ACL

3. TACACS

4. RADIUS

Whenever you want to control which devices can talk to the main CPU, a CPU ACL is used.
Note: CPU ACLs only filter traffic towards the CPU, and not any traffic exiting or generated by the CPU.
Reference: https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/71978-acl-wlc.html

53 / 100

53. When OSPF learns multiple paths to a network, how does it select a route?

1. It count the number of hops between the source router and the destination to determine the router with the lowest metric.

2. It divides a reference bandwidth of 100 Mbps by the actual bandwidth of the existing interface to calculate the router with the lowest cost.

3. For each existing interface, it adds the metric from the source router to the destination to calculate the route with the lowest bandwidth.

4. It multiple the active K value by 256 to calculate the route with the lowest metric

54 / 100

54. Which two actions are performed by the Weighted Random Early Detection mechanism? (Choose two)

1. It can identify different flows with a high level of granularity.

2. It drops lower-priority packets before it drops higher-priority packets.

3. It guarantees the delivery of high-priority packets.

4. It can mitigate congestion by preventing the queue from filling up.

5. It supports protocol discovery.

Weighted Random Early Detection (WRED) is just a congestion avoidance mechanism. WRED drops packets
selectively based on IP precedence. Edge routers assign IP precedences to packets as they enter the network.
When a packet arrives, the following events occur:
1. The average queue size is calculated.
2. If the average is less than the minimum queue threshold, the arriving packet is queued.
3. If the average is between the minimum queue threshold for that type of traffic and the maximum threshold for
the interface, the packet is either dropped or queued, depending on the packet drop probability for that type of
traffic.
4. If the average queue size is greater than the maximum threshold, the packet is dropped. WRED reduces the
chances of tail drop (when the queue is full, the packet is dropped) by selectively dropping packets when the
output interface begins to show signs of congestion (thus it can mitigate congestion by preventing the queue
from filling up). By dropping some packets early rather than waiting until the queue is full, WRED avoids
dropping large numbers of packets at once and minimizes the chances of global synchronization. Thus, WRED
allows the transmission line to be used
fully at all times.
WRED generally drops packets selectively based on IP precedence. Packets with a higher IP precedence are
less likely to be dropped than packets with a lower precedence. Thus, the higher the priority of a packet, the
higher the probability that the packet will be delivered (-> answer A is correct).

55 / 100

55. A router running EIGRP has learned the same route from two different paths. Which parameter does the router
use to select the best path?

1. administrative distance

2. cost

3. as-path

4. metric

If a router learns two different paths for the same network from the same routing protocol, it has to decide
which route is better and will be placed in the routing table. Metric is the measure used to decide which route is
better (lower number is better). Each routing protocol uses its own metric.
For example, RIP uses hop counts as a metric, while OSPF uses cost.

56 / 100

56. Refer to Exhibit. An engineer is configuring the NEW York router to reach the Lot interface of the Atlanta router
using interface Se0/0/0 as the primary path.

Which two commands must be configured on the New York router so that it can reach the Lo1 interface of the
Atlanta router via Washington when the link between New York and Atlanta goes down? (Choose two)

1. ipv6 router 2000::1/128 2012::1

2. ipv6 router 2000::1/128 2023:2 5

3. ipv6 router 2000::1/128 2023::3 5

4. ipv6 router 2000::1/128 2012::2

5. ipv6 router 2000::1/128 2012:1 5

Floating static routes are static routes that have an administrative distance greater than the administrative
distance (AD) of another static route or dynamic routes. By default a static route has an AD of 1 then floating
static route must have the AD greater than 1. Floating static route has a manually configured administrative
distance greater than that of the primary route and therefore would not be in the routing table until the primary
route fails.

57 / 100

57. What makes Cisco DNA Center different from traditional network management applications and their
management of networks?

1. It modular design allows someone to implement different versions to meet the specific needs of an organization.

2. It abstracts policy from the actual device configuration

3. It does not support high availability of management functions when operating in cluster mode.

4. It only supports auto-discovery of network elements in a greenfield deployment.

58 / 100

58. What is the alternative notation for the IPv6 address B514:82C3:0000:0000:0029:EC7A:0000:EC72?

1. B514 : 82C3 : 0029 :: EC7A : 0000 : EC72

2. B514 : 82C3 :: 0029 : EC7A : 0 : EC72

3. B514 : 82C3 : 0029 : EC7A : EC72

4. B514 : 82C3 :: 0029 : EC7A : EC72

There are two ways that an IPv6 address can be additionally compressed: compressing leading zeros and
substituting a group of consecutive zeros with a single double colon(::). Both of these can be used in any
number of combinations to notate the same address. It is important to note that the double colon (::) can only
be used once within a single IPv6 address notation. So, the extra 0’s can only be compressed once.

59 / 100

59. What are two southbound APIs? (Choose two)

1. Thrift

2. OpenFlow

3. DSC

4. NETCONF

5. CORBA

OpenFlow is a well-known southbound API. OpenFlow defines the way the SDN Controller should interact with
the forwarding plane to make adjustments to the network, so it can better adapt to changing business
requirements.
The Network Configuration Protocol (NetConf) uses Extensible Markup Language (XML) to install, manipulate
and delete configuration to network devices.
Other southbound APIs are:
+ onePK: a Cisco proprietary SBI to inspect or modify the network element configuration without hardware
upgrades.
+ OpFlex: an open-standard, distributed control system. It send "summary policy" to network elements.

60 / 100

60. A frame that enters a switch fails the Frame Check Sequence.
Which two interface counters are incremented? (Choose two)

1. frame

2. giants

3. input errors

4. runts

5. CRC

61 / 100

61. What are two benefits of network automation? (Choose two)

1. reduced operational costs

2. reduced hardware footprint

3. faster changes with more reliable results

4. fewer network failures

5. increased network security

62 / 100

62. Refer to Exhibit. How does SW2 interact with other switches in this VTP domain?

1. It processes VTP updates from any VTP clients on the network on its access ports

2. It receives updates from all VTP servers and forwards all locally configured VLANs out all trunk ports

3. It transmits and processes VTP updates from any VTP Clients on the network on its trunk ports.

4. It forwards only the VTP advertisements that it receives on its trunk ports.

The VTP mode of SW2 is transparent so it only forwards the VTP updates it receives to its trunk links without
processing them.
Reference: https://www.cisco.com/c/en/us/support/docs/lan-switching/vtp/10558-21.html

63 / 100

63. An organization has decided to start using cloud-provided services.
Which cloud service allows the organization to install its own operating system on a virtual machine?

1. infrastructure-as-a-service

2. software-as-a-service

3. network-as-a-service

4. platform-as-a-service

Below are the 3 cloud supporting services cloud providers provide to customer:
+ SaaS (Software as a Service): SaaS uses the web to deliver applications that are managed by a thirdparty
vendor and whose interface is accessed on the clients' side. Most SaaS applications can be run directly from a
web browser without any downloads or installations required, although some require plugins.
+ PaaS (Platform as a Service): are used for applications, and other development, while providing cloud
components to software. What developers gain with PaaS is a framework they can build upon to develop or
customize applications. PaaS makes the development, testing, and deployment of applications quick, simple,
and cost-effective. With this technology, enterprise operations, or a thirdparty provider, can manage OSes,
virtualization, servers, storage, networking, and the PaaS software itself. Developers, however, manage the
applications.
+ IaaS (Infrastructure as a Service): self-service models for accessing, monitoring, and managing remote
datacenter infrastructures, such as compute (virtualized or bare metal), storage, networking, and networking
services (e.g. firewalls). Instead of having to purchase hardware outright, users can purchase IaaS based on
consumption, similar to electricity or other utility billing.
In general, IaaS provides hardware so that an organization can install their own operating system.

64 / 100

64. What is the primary different between AAA authentication and authorization?

1. Authentication identifies and verifies a user who is attempting to access a system, and authorization controls the tasks the user can perform.

2. Authentication identifies and verifies a user who is attempting to access a system, and authorization controls the tasks the user can perform.

3. Authentication identifies a user who is attempting to access a system, and authorization validates the users password.

4. Authentication verifies a username and password, and authorization handles the communication between the authentication agent and the user database

AAA stands for Authentication, Authorization and Accounting.
+ Authentication: Specify who you are (usually via login username & password)
+ Authorization: Specify what actions you can do, what resource you can access
+ Accounting: Monitor what you do, how long you do it (can be used for billing and auditing)
An example of AAA is shown below:
+ Authentication: "I am a normal user. My username/password is user_tom/learnforever"
+ Authorization: "user_tom can access LearnCCNA server via HTTP and FTP"
+ Accounting: "user_tom accessed LearnCCNA server for 2 hours". This user only uses "show" commands.

65 / 100

65. When a site-to-site VPN is used, which protocol is responsible for the transport of user data?

1. IKEv2

2. MD5

3. KEv1

4. IPsec

A site-to-site VPN allows offices in multiple fixed locations to establish secure connections with each other over
a public network such as the Internet. A site-to-site VPN means that two sites create a VPN tunnel by
encrypting and sending data between two devices. One set of rules for creating a siteto-site VPN is defined by
IPsec.

66 / 100

66. Which two capacities of Cisco DNA Center make it more extensible? (Choose two)

1. SDKs that support interaction with third-party network equipment

2. adapters that support all families of Cisco IOS software

3. modular design that is upgradable as needed

4. REST APIs that allow for external applications to interact natively with Cisco DNA Center

5. customized versions for small, medium, and large enterprises

Cisco DNA Center offers 360-degree extensibility through four distinct types of platform capabilities:
+ Intent-based APIs leverage the controller and enable business and IT applications to deliver intent to the
network and to reap network analytics and insights for IT and business innovation.
+ Process adapters, built on integration APIs, allow integration with other IT and network systems to streamline
IT operations and processes.
+ Domain adapters, built on integration APIs, allow integration with other infrastructure domains such as data
center, WAN, and security to deliver a consistent intent-based infrastructure across the entire IT environment.
+ SDKs allow management to be extended to third-party vendor's network devices to offer support for diverse
environments.

67 / 100

67. When configuring a WLAN with WPA2 PSK in the Cisco Wireless LAN Controller GUI, which two formats are
available to select? (Choose two)

1. decimal

2. hexadecimal

3. ASCII

4. base64

5. binary

When configuring a WLAN with WPA2 Preshared Key (PSK), we can choose the encryption key format as
either ASCII or HEX.
Reference: https://www.cisco.com/c/en/us/td/docs/wireless/controller/74/configuration/guides/consolidated/b_cg74_CONSOLIDATED/b_cg74_CONSOLIDATED_chapter_01010001.htm

68 / 100

68. Two switches are connected and using Cisco Dynamic Trunking Protocol SW1 is set to Dynamic Desirable.
What is the result of this configuration?

1. The link is in a down state.

2. The link is becomes an access port.

3. The link becomes a trunk port.

4. The link is in an error disables state

69 / 100

69. Which command prevents passwords from being stored in the configuration as plaintext on a router or switch?

1. username Cisco password encrypt

2. enable password

3. service password-encryption

4. enable secret

70 / 100

70. Refer to the exhibit. Based on the LACP neighbor status, in which mode is the SW1 port channel configured?

1. passive

2. auto

3. active

4. mode on

In order to create an Etherchannel interface, the (local) SW1 ports should be in Active mode.
Moreover, the “Port State” in the exhibit is “0x3c” (which equals to “00111100 in binary format).
Bit 3 is “1” which means the ports are synchronizing -> the ports are working so the local ports should be in
Active mode.

71 / 100

71. Refer to exhibit. Which statement explains the configuration error message that is received?

1. It belongs to a private IP address range.

2. The router does not support/28 mask.

3. It is a broadcast IP address.

4. is a network IP address.

72 / 100

72. Which output displays a JSON data representation?

1. Option A

2. Option B

3. Option C

4. Option D

JSON data is written as name/value pairs.
A name/value pair consists of a field name (in double quotes), followed by a colon, followed by a value:
“name”:”Mark”
JSON can use arrays. Array values must be of type string, number, object, array, boolean or null.
For example:
{
“name”:”John”,
“age”:30,
“cars”:[ “Ford”, “BMW”, “Fiat” ]
}
JSON can have empty object like “taskId”:{}

73 / 100

73. Which statement about Link Aggregation when implemented on a Cisco Wireless LAN Controller is true?

1. To pass client traffic two or more ports must be configured.

2. One functional physical port is needed to pass client traffic.

3. When enabled, the WLC bandwidth drops to 500 Mbps.

4. The EtherChannel must be configured in “mode active”.

Link aggregation (LAG) is a partial implementation of the 802.3ad port aggregation standard. It bundles all of
the controller's distribution system ports into a single 802.3ad port channel.
Restriction for Link aggregation:
- LAG requires the EtherChannel to be configured for `mode on' on both the controller and the Catalyst switch -
> Answer B is not correct.
- If the recommended load-balancing method cannot be configured on the Catalyst switch, then configure the
LAG connection as a single member link or disable LAG on the controller -> Answer A is not correct while
answer D is correct.

74 / 100

74. Refer to the exhibit. If OSPF is running on this network, how does Router 2 handle traffic from Site B to
10.10.13.128/25 at Site A?

1. It load-balances traffic out of Fa0/1 and Fa0/2.

2. It cannot send packets to 10.10.13.128/25.

3. It sends packets out of interface Fa0/2 only.

4. It sends packets out of interface Fa0/1 only.

Router2 does not have an entry for the subnet 10.10.13.128/25. It only has an entry for 10.10.13.0/25, which
ranges from 10.10.13.0 to 10.10.13.127.

75 / 100

75. Which attribute does a router use to select the best path when two or more different routes to the same
destination exist from two different routing protocols?

1. hop count

2. administrative distance

3. metric

4. dual algorithm

76 / 100

76. Which two tasks must be performed to configure NTP to a trusted server in client mode on a single network
device? (Choose two)

1. Verify the time zone.

2. Disable NTP broadcasts

3. Specify the IP address of the NTP server.

4. Enable NTP authentication.

5. Set the NTP server private key.

To configure authentication, perform this task in privileged mode:
Step 1: Configure an authentication key pair for NTP and specify whether the key will be trusted or untrusted.
Step 2: Set the IP address of the NTP server and the public key.
Step 3: Enable NTP client mode.
Step 4: Enable NTP authentication.
Step 5: Verify the NTP configuration.

77 / 100

77. R1 has learned route 192.168.12.0/24 via IS-IS. OSPF, RIP. and Internal EIGRP Under normal operating
conditions, which routing protocol is installed in the routing table?

1. Internal EIGRP

2. OSPF

3. IS-IS

4. RIP

With the same route (prefix), the router will choose the routing protocol with lowest Administrative Distance
(AD) to install into the routing table. The AD of Internal EIGRP (90) is lowest so it would be chosen. The table
below lists the ADs of popular routing protocols.

Note: The AD of IS-IS is 115. The "EIGRP" in the table above is "Internal EIGRP". The AD of "External EIGRP"
is 170. An EIGRP external route is a route that was redistributed into EIGRP.

78 / 100

78. Which statement correctly compares traditional networks and controller-based networks?

1. Only traditional networks offer a centralized control plane.

2. Only controller-based networks decouple the control plane and the data plane.

3. Only traditional networks natively support centralized management

4. Traditional and controller-based networks abstract policies from device configurations.

Most traditional devices use a distributed architecture, in which each control plane is resided in a networking
device. Therefore they need to communicate with each other via messages to work correctly.
In contrast to distributed architecture, centralized (or controller-based) architectures centralizes the control of
networking devices into one device, called SDN controller -> Answer D is correct.

79 / 100

79. Router A learns the same route from two different neighbors, one of the neighbor routers is an OSPF neighbor
and the other is an EIGRP neighbor. What is the administrative distance of the route that will be installed in the
routing table?

1. 20

2. 90

3. 115

4. 110

The Administrative distance (AD) of EIGRP is 90 while the AD of OSPF is 110 so EIGRP route will be chosen
to install into the routing table.

80 / 100

80. What are two characteristics of a controller-based network? (Choose two)

1. It uses Telnet to report system issues.

2. It uses northbound and southbound APIs to communicate between architectural layers.

3. It decentralizes the control plane, which allows each device to make its own forwarding decisions

4. It moves the control plane to a central point.

5. The administrator can make configuration updates from the CLI.

81 / 100

81. Which two values or settings must be entered when configuring a new WLAN in the Cisco Wireless LAN
Controller GUI? (Choose two)

1. management interface settings

2. Ip address of one or more access points

3. Profile name

4. SSID

5. QoS settings

82 / 100

82. Refer to the exhibit. Which route does R1 select for traffic that is destined to 192 168.16.2?

1. 192.168.16.0/27

2. 192.168 26.0/26

3. 92.168.16.0/24

4. 192.168.16.0/21

The destination IP addresses match all four entries in the routing table but the 192.168.16.0/27 has the longest
prefix so it will be chosen. This is called the "longest prefix match" rule.

83 / 100

83. Which network allows devices to communicate without the need to access the Internet?

1. 209.165.201.0/24

2. 172.9.0.0/16

3. 192.0.0.0/8

4. 172.28.0.0/16

This question asks about the private ranges of IPv4 addresses. The private ranges of each class of IPv4 are
listed below:
Class A private IP address ranges from 10.0.0.0 to 10.255.255.255 Class B private IP address ranges from
172.16.0.0 to 172.31.255.255 Class C private IP address ranges from 192.168.0.0 to 192.168.255.255 Only the
network 172.28.0.0/16 belongs to the private IP address (of class B).

84 / 100

84. Refer to the Exhibit. After the switch configuration the ping test fails between PC A and PC B Based on the
output for switch 1.

Which error must be corrected?

1. The PCs are in the incorrect VLAN.

2. All VLANs are not enabled on the trunk.

3. Access mode is configured on the switch ports.

4. There is a native VLAN mismatch.

From the output we see the native VLAN of Switch1 on Gi0/1 interface is VLAN 1 while that of Switch2 is VLAN
99 so there would be a native VLAN mismatch

85 / 100

85. An engineer is asked to protect unused ports that are configured in the default VLAN on a switch. Which two
steps will fulfill the request? (Choose two)

1. Configure the ports as trunk ports.

2. Administratively shut down the ports.

3. Configure the port type as access and place in VLAN 99.

4. Enable the Cisco Discovery Protocol.

5. Configure the ports in an EtherChannel.

86 / 100

86. Refer to Exhibit. Which action do the switches take on the trunk link?

1. The trunk does not form, but VLAN 99 and VLAN 999 are allowed to traverse the link.

2. The trunk forms but VLAN 99 and VLAN 999 are in a shutdown state.

3. The trunk forms but the mismatched native VLANs are merged into a single broadcast domain.

4. The trunk does not form and the ports go into an err-disabled status.

The trunk still forms with mismatched native VLANs and the traffic can actually flow between mismatched
switches. But it is absolutely necessary that the native VLANs on both ends of a trunk link match; otherwise a
native VLAN mismatch occurs, causing the two VLANs to effectively merge.
For example with the above configuration, SW1 would send untagged frames for VLAN 999. SW2 receives
them but would think they are for VLAN 99 so we can say these two VLANs are merged.

87 / 100

87. Which two must be met before SSH can operate normally on a Cisco IOS switch? (Choose two)

1. Telnet must be disabled on the switch.

2. A console password must be configured on the switch.

3. The switch must be running a k9 (crypto) IOS image.

4. IP routing must be enabled on the switch.

5. The ip domain-name command must be configured on the switch

88 / 100

88. Which mode allows access points to be managed by Cisco Wireless LAN Controllers?

1. bridge

2. autonomous

3. mobility express

4. lightweight

A Lightweight Access Point (LAP) is an AP that is designed to be connected to a wireless LAN (WLAN)
controller (WLC). APs are “lightweight,” which means that they cannot act independently of a wireless LAN
controller (WLC). The WLC manages the AP configurations and firmware. The APs are “zero touch” deployed,
and individual configuration of APs is not necessary.

89 / 100

89. How does HSRP provide first hop redundancy?

1. It uses a shared virtual MAC and a virtual IP address to a group of routers that serve as the default gateway for hosts on a LAN.

2. It forwards multiple packets to the same destination over different routed links n the data path.

3. It load-balances traffic by assigning the same metric value to more than one route to the same destination m the IP routing table.

4. It load-balances Layer 2 traffic along the path by flooding traffic out all interfaces configured with the same VLAN

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipapp_fhrp/configuration/xe-16/fhp-xe-16-book/
fhp-hsrp-mgo.html

90 / 100

90. Refer to the exhibit. What is the effect of this configuration?

1. All ingress and egress traffic is dropped because the interface is untrusted.

2. Egress traffic is passed only if the destination is a DHCP server.

3. All ARP packets are dropped by the switch.

4. The switch discard all ingress ARP traffic with invalid MAC-to-IP address bindings

Dynamic ARP inspection is an ingress security feature; it does not perform any egress checking

91 / 100

91. What is the primary effect of the spanning-tree portfast command?

1. It minimizes spanning-tree convergence time

2. It immediately puts the port into the forwarding state when the switch is reloaded

3. It enables BPDU messages

4. It immediately enables the port in the listening state

92 / 100

92. Which type of wireless encryption is used for WPA2 in pre-shared key mode?

1. AES-128

2. AES-256

3. RC4

4. TKIP with RC4

93 / 100

93. Which option is a valid IPv6 address?

1. 2004:1:25A4:886F::1

2. FEC0:ABCD:WXYZ:0067::2A4

3. 2002:7654:A1AD:61:81AF:CCC1

4. 2001:0000:130F::099a::12a

94 / 100

94. If a notice-level messaging is sent to a syslog server, which event has occurred?

1. An ARP inspection has failed.

2. A routing instance has flapped.

3. A debug operation is running.

4. A network device has restarted.

Usually no action is required when a route flaps so it generates the notification syslog level message (level 5).

95 / 100

95. Which command automatically generates an IPv6 address from a specified IPvô prefix and MAC address of an
interface?

1. ipv6 address dhcp

2. ipv6 address 2001:DB8:5:112::2/64 link-local

3. ipv6 address 2001:DB8:5:112::/64 eui-64

4. ipv6 address autoconfig

The “ipv6 address autoconfig” command causes the device to perform IPv6 stateless address
autoconfiguration to discover prefixes on the link and then to add the EUI-64 based addresses to the
interface.
Addresses are configured depending on the prefixes received in Router Advertisement (RA)
messages.
The device will listen for RA messages which are transmitted periodically from the router (DHCP
Server).
This RA message allows a host to create a global IPv6 address from:
+ Its interface identifier (EUI-64 address)
+ Link Prefix (obtained via RA)
Note: Global address is the combination of Link Prefix and EUI-64 address

96 / 100

96. Refer to the exhibit. With which metric was the route to host 172.16.0.202 learned?

1. 3184439

2. 0

3. 110

4. 38443

Both the line "O 172.16.0.128/25" and "S 172.16.0.0/24" cover the host 172.16.0.202 but with the "longest
(prefix) match" rule the router will choose the first route.

97 / 100

97. Which IPv6 address type provides communication between subnets and cannot route on the Internet?

1. multicast

2. unique local

3. ink-local

4. global unicast

A IPv6 Unique Local Address is an IPv6 address in the block FC00::/7. It is the approximate IPv6 counterpart of
the IPv4 private address. It is not routable on the global Internet.
Note: In the past, Site-local addresses (FEC0::/10) are equivalent to private IP addresses in IPv4 but now they
are deprecated.
Link-local addresses only used for communications within the local subnet. It is usually created dynamically
using a link-local prefix of FE80::/10 and a 64-bit interface identifier (based on 48-bit MAC address).

98 / 100

98. Which QoS Profile is selected in the GUI when configuring a voice over WLAN deployment?

1. Platinum

2. Bronze

3. Silver

4. Gold

Cisco Unified Wireless Network solution WLANs support four levels of QoS: Platinum/Voice, Gold/Video, Silver/
Best Effort (default), and Bronze/Background.
Reference: https://www.cisco.com/c/en/us/td/docs/wireless/controller/7-4/configuration/guides/consolidated/b_cg74_CONSOLIDATED/b_cg74_CONSOLIDATED_chapter_01010111.html

99 / 100

99. Which statement identifies the functionality of virtual machines?

1. Each hypervisor can support a single virtual machine and a single software switch.

2. The hypervisor can virtualize physical components including CPU, memory, and storage.

3. Virtualized servers run most efficiently when they are physically connected to a switch that is separate from the hypervisor.

4. The hypervisor communicates on Layer 3 without the need for additional resources.

100 / 100

100. What are two enhancements that OSPFv3 supports over OSPFV2? (Choose two.)

1. It can support multiple IPv6 subnets on a single link.

2. It supports up to 2 instances of OSPFv3 over a common link.

3. It requires the use of ARP.

4. It routes over links rather than over networks.

Your score is

LinkedIn Facebook Twitter VKontakte

0 votes, 0 avg

Created by

Rabiul Islam

CCNA Question Part-2

1 / 124

1. Refer to the exhibit. If RTR01 is configured as shown, which three addresses will be received by other routers
that are running EIGRP on the network? (Choose three)

1. 172.16.0.0

2. 192.168.0.0

3. 10.4.3.0

4. 192.168.2.0

5. 172.16.4.0

6. 10.0.0.0

2 / 124

2. Which statement about static and dynamic routes is true?

1. Dynamic routes are manually configured by a network administrator, while static routes are automatically learned and adjusted by a routing protocol.

2. Static routes tell the router how to forward packets to networks that are not directly connected, while dynamic routes tell the router how to forward packets to networks that are directly connected.

3. Dynamic routes tell the router how to forward packets to networks that are not directly connected, while static routes tell the router how to forward packets to networks that are directly connected.

4. Static routes are manually configured by a network administrator, while dynamic routes are automatically learned and adjusted by a routing protocol.

3 / 124

3. Which IPv6 address is the equivalent of the IPv4 interface loopback address 127.0.0.1?

1. 0::/10

2. : :1

3. ::

4. 2000::/3

In IPv6 the loopback address is written as, ::1
This is a 128bit number, with the first 127 bits being ‘0’ and the 128th bit being ‘1’. It’s just a single address, so
could also be written as ::1/128.

4 / 124

4. How do AAA operations compare regarding user identification, user services and access control?

1. Accounting tracks user services, and authentication provides access control

2. Authorization provides access control and authentication tracks user services

3. Authorization identifies users and authentication provides access control

4. Authentication identifies users and accounting tracks user services

5 / 124

5. A network engineer must create a diagram of a multivendor network. Which command must be configured on
the Cisco devices so that the topology of the network can be mapped?

1. Device(Config)#lldp run

2. Device(Config)#cdp run

3. Device(Config-if)#cdp enable

4. Device(Config)#flow-sampler-map topology

6 / 124

6. Refer to the exhibit. After you apply the give configurations to R1 and R2 you notice that OSPFv3 fails to start.
Which reason for the problem is most likely true ?

1. The router ids on R1 and R2 are mismatched

2. The area numbers on R1 and R2 are mismatched

3. The autonomous system numbers on R1 and R2 are mismatched

4. The IPv6 network addresses on R1 and R2 are mismatched

7 / 124

7. What is the binary pattern of unique ipv6 unique local address?

1. 00000000

2. 11111100

3. 11111111

4. 11111101

A IPv6 Unique Local Address is an IPv6 address in the block FC00::/7, which means that IPv6 Unique Local
addresses begin with 7 bits with exact binary pattern as 1111 110 -> Answer B is correct.
Note: IPv6 Unique Local Address is the approximate IPv6 counterpart of the IPv4 private address. It is not
routable on the global Internet.

8 / 124

8. Which two statements about eBGP neighbor relationships are true? (Choose two)

1. The two devices must have matching timer settings

2. They can be created dynamically after the network statement is configured

3. The two devices must reside in the same autonomous system

4. The two devices must reside in different autonomous systems

5. Neighbors must be specifically declared in the configuration of each device

9 / 124

9. Which configuration command can u apply to a HSRP router so that its local interface becomes active if all
other routers in the group fail?

1. standby 1 priority 250

2. standby 1 preempt

3. standby 1 track ethernet

4. no additional config is required

10 / 124

10. Refer to the exhibit. When running EIGRP, what is required for RouterA to exchange routing updates with
RouterC?

1. AS numbers must be changed to match on all the routers

2. The no auto-summary command is needed on Router A and Router C

3. Loopback interfaces must be configured so a DR is elected

4. Router B needs to have two network statements, one for each connected network

This question is to examine the understanding of the interaction between EIGRP routers. The following
information must be matched so as to create neighborhood. EIGRP routers to establish, must match the
following information:
1. AS Number;
2. K value.

11 / 124

11. Which command is used to display the collection of OSPF link states?

1. show ip ospf link-state

2. show ip ospf neighbors

3. show ip ospf lsa database

4. show ip ospf database

The “show ip ospf database” command displays the link states. Here is an example:
Here is the lsa database on R2.
R2#show ip ospf database
OSPF Router with ID (2.2.2.2) (Process ID 1)
Router Link States (Area 0)
Link ID ADV Router Age Seq# Checksum Link count2.2.2.2 2.2.2.2 793 0x80000003 0x004F85 210.4.4.4
10.4.4.4 776 0x80000004 0x005643 1111.111.111.111 111.111.111.111 755 0x80000005 0x0059CA
2133.133.133.133 133.133.133.133 775 0x80000005 0x00B5B1 2 Net Link States (Area 0) Link ID ADV Router
Age Seq# Checksum10.1.1.1 111.111.111.111 794 0x80000001 0x001E8B10.2.2.3 133.133.133.133 812
0x80000001 0x004BA910.4.4.1 111.111.111.111 755 0x80000001 0x007F1610.4.4.3 133.133.133.133 775
0x80000001 0x00C31F

12 / 124

12. AAA stands for authentication, authorization, and accounting

1. False

2. True

13 / 124

13. Which two pieces of information about a Cisco device can Cisco Discovery Protocol communicate? (Choose
two.)

1. the spanning tree protocol

2. the trunking protocol

3. the spanning-tree priority

4. the native VLAN

5. the VTP domain

14 / 124

14. Which two statements about exterior routing protocols are true? (Choose two.)

1. Most modern network routers support both EGP and EIGRP for external routing.

2. They determine the optimal path between autonomous systems.

3. Most modern networking supports both EGP and BGP for external routing.

4. BGP is the current standard exterior routing protocol.

5. They determine the optimal within an autonomous system.

15 / 124

15. Which command must you enter to guarantee that an HSRP router with higher priority becomes the HSRP
primary router after it is reloaded?

1. standby 10 version 2

2. standby 10 preempt

3. standby 10 priority 150

4. standby 10 version 1

16 / 124

16. Which three statements about network characteristics are true? (Choose three.)

1. Speed is a measure of the data rate in bits per second of a given link in the network.

2. Scalability indicates how many nodes are currently on the network.

3. Availability is a measure of the probability that the network will be available for use when it is required

4. The logical topology is the arrangement of cables, network devices, and end systems.

5. Reliability indicates the dependability of the components that make up the network.

17 / 124

17. A user configured OSPF in a single area between two routers A serial interface connecting R1 and R2 is
running encapsulation PPP. By default which OSPF network type is seen on this interface when the user types
show ip ospf interface on R1 or R2?

1. point-to-point

2. port-to-multipoint

3. broadcast

4. non-broadcast

The default OSPF network type for HDLC and PPP on Serial link is point-to-point (while the default OSPF
network type for Ethernet link is Broadcast).

18 / 124

18. Refer to the exhibit. Given the output for this command, if the router ID has not been manually set, what router
ID will OSPF use for this router?

1. 192.168.5.3

2. 10.1.1.2

3. 10.154.154.1

4. 172.16.5.1

The highest IP address of all loopback interfaces will be chosen -> Loopback 0 will be chosen as the router ID.

19 / 124

19. Refer to the exhibit. Which VLAN ID is associated with the default VLAN in the given environment?

1. VLAN 20

2. VLAN 5

3. VLAN 10

4. VLAN 1

20 / 124

20. Refer to the exhibit. An engineer is bringing up a new circuit to the MPLS provider on the Gi0/1 interface of
Router1 The new circuit uses eBGP and teams the route to VLAN25 from the BGP path What s the expected
behavior for the traffic flow for route 10.10.13.0/25?

1. Route 10.10.13.0/25 is updated in the routing table as being learned from interface Gi0/1.

2. Traffic to 10.10.13.0.25 is load balanced out of multiple interfaces

3. Route 10.10.13.0/25 learned via the GiO/0 interface remains in the routing table

4. Traffic to 10.10.13.0/25 is asymmeteical

21 / 124

21. Which command should you enter to view the error log in an EIGRP for IPv6 environment?

1. show ipv6 eigrp neighbors

2. show ipv6 eigrp topology

3. show ipv6 eigrp events

4. show ipv6 eigrp traffic

22 / 124

22. What is the expected outcome when an EUI-64 address is generated?

1. The MAC address of the interface is used as the interface ID without modification

2. The interface ID is configured as a random 64-bit value

3. The characters FE80 are inserted at the beginning of the MAC address of the interface

4. The seventh bit of the original MAC address of the interface is inverted

23 / 124

23. Refer to the exhibit. How will switch SW2 handle traffic from VLAN 10 on SW1?

1. It drops the traffic.

2. It sends the traffic to VLAN 10.

3. It sends the traffic to VLAN 100.

4. It sends the traffic to VLAN 1.

24 / 124

24. Which two circumstances can prevent two routers from establishing an OSPF neighbor adjacency? (Choose
two.)

1. use of the same router ID on both devices

2. mismatched hello timers and dead timers

3. an ACL blocking traffic from multicast address 224.0.0.10

4. mismatched autonomous system numbers

5. mismatched process IDs

25 / 124

25. Refer to the exhibit. After you apply the given configuration to arouter, the DHCP clients behind the device
connot communicate with hosts outside of their subnet. Which action is most likely to correct the problem?

1. Correct the subnet mask

2. Configure the dns server on the same subnet as the clients

3. Activate the dhcp pool

4. configure the default gateway

26 / 124

26. Which command is used to enable LLDP globally on a Cisco IOS ISR?

1. cdp enable

2. lldp transmit

3. ldp run

4. cdp run

5. lldp enable

27 / 124

27. Refer to the exhibit. The default-information originate command is configured under the R1 OSPF
configuration. After testing, workstations on VLAN 20 at Site B cannot reach a DNS server on the Internet.
Which action corrects the configuration issue?

1. Configure the ip route 0.0.0.0 0.0.0.0 10.10.10.18 command on R1.

2. Add the default-information originate command on R2.

3. Configure the ip route 0.0.0.0 0.0.0.0 10.10.10.2 command on R2

4. Add the always keyword to the default-information originate command on R1.

28 / 124

28. What will happen if you configure the logging trap debug command on a router?

1. It causes the router to send all messages with the severity levels Warning, Error, Critical, and Emergency to the syslog server.

2. It causes the router to send messages with lower severity levels to the syslog server.

3. It causes the router to send all messages to the syslog server

4. It causes the router to stop sending all messages to the syslog server

29 / 124

29. Which three describe the reasons large OSPF networks use a hierarchical design? (Choose Three)

1. to confine network instability to single areas of the network.

2. to lower costs by replacing routers with distribution layer switches

3. to decrease latency by increasing bandwidth.

4. to reduce routing overhead

5. to reduce the complexity of router configuration

6. to speed up convergence

30 / 124

30. Which two commands were used to create port channel 10? (Choose two )

1. int range g0/0-1---- channel-group 10 mode desirable

2. int range g0/0-1---- channel-group 10 mode auto

3. int range g0/0-1---- channel-group 10 mode on

4. int range g0/0-1---- channel-group 10 mode passive

5. int range g0/0-1---- channel-group 10 mode active

31 / 124

31. Refer to the exhibit. An administrator configures four switches for local authentication using passwords that are
stored in a cryptographic hash. The four switches must also support SSH access for administrators to manage
the network infrastructure. Which switch is configured correctly to meet these requirements?

1. SW2

2. SW3

3. SW1

4. SW4

32 / 124

32. Refer to the exhibit. How will the router handle a packet destined for 192.0.2.156?

1. The router will return the packet to its source.

2. The router will drop the packet.

3. The router will forward the packet via either Serial0 or Serial1.

4. The router will forward the packet via Serial2

33 / 124

33. Refer to the exhibit. Router R1 is running three different routing protocols. Which route characteristic is used by
the router to forward the packet that it receives for destination IP 172.16.32.1?

1. longest prefix

2. metric

3. administrative distance

4. cost

34 / 124

34. Refer to the exhibit. The MAC address table is shown in its entirety. The Ethernet frame that is shown arrives at
the switch.

What two operations will the switch perform when it receives this frame? (Choose two.)

1. The frame will be forwarded out of all the active switch ports except for port fa0/0.

2. The MAC address of ffff.ffff.ffff will be added to the MAC address table.

3. The MAC address of 0000.00aa.aaaa will be added to the MAC Address Table.

4. The frame will be forwarded out of all the ports on the switch.

5. The switch will not forward a frame with this destination MAC address.

6. The frame will be forwarded out of fa0/0 and fa0/1 only.

35 / 124

35. Which two options are the best reasons to use an IPV4 private IP space?(choose two)

1. to conserve global address space

2. to implement NAT

3. to manage routing overhead

4. to enable intra-enterprise communication

5. to connect applications

36 / 124

36. Refer to the exhibit. Which two statements about the interface that generated the output are true? (Choose
two.)

1. learned MAC addresses are deleted after five minutes of inactivity

2. it has dynamically learned two secure MAC addresses

3. it has dynamically learned three secure MAC addresses

4. the interface is error-disabled if packets arrive from a new unknown source address

5. the security violation counter increments if packets arrive from a new unknown source address

37 / 124

37. Refer to the exhibit. Which statement about the interface that generated the output is true?

1. One secure MAC address is manually configured on the interface.

2. A syslog message is generated when a violation occurs.

3. One secure MAC address is dynamically configured on the interface.

4. Five secure MAC addresses are dynamically learned on the interface.

38 / 124

38. Which technique can you use to route IPv6 traffic over an IPv4 infrastructure?

1. NAT

2. dual-stack

3. L2TPv3

4. 6to4 tunneling

39 / 124

39. Refer to the graphic. R1 is unable to establish an OSPF neighbor relationship with R3. What are possible
reasons for this problem? (Choose two.)

1. All of the routers need to be configured for backbone Area 1.

2. A static route has been configured from R1 to R3 and prevents the neighbor adjacency from being established.

3. EIGRP is also configured on these routers with a lower administrative distance

4. R1 and R3 are configured in different areas.

5. The hello and dead interval timers are not set to the same values on R1 and R3.

6. R1 and R2 are the DR and BDR, so OSPF will not establish neighbor adjacency with R3.

40 / 124

40. You are configuring your edge routers interface with a public IP address for Internet connectivity.
The router needs to obtain the IP address from the service provider dynamically. Which command is needed on
interface FastEthernet 0/0 to accomplish this?

1. ip default-gateway

2. ip address dynamic

3. ip address dhcp

4. p route

5. ip default-network

41 / 124

41. While examining excessive traffic on the network, it is noted that all incoming packets on an interface appear to
be allowed even though an IPv4 ACL is applied to the interface. Which two misconfigurations cause this
behavior? (Choose two)

1. The packets fail to match any permit statement

2. A matching permit statement is too high in the access test

3. A matching permit statement is too broadly defined

4. The ACL is empty

5. A matching deny statement is too high in the access list

42 / 124

42. Which command should you enter to verify the priority of a router in an HSRP group?

1. show interfaces

2. show standby

3. show hsrp

4. show sessions

43 / 124

43. Which action must be taken to assign a global unicast IPv6 address on an interface that is derived from the
MAC address of that interface?

1. enable SLAAC on an interface

2. configure a stateful DHCPv6 server on the network

3. disable the EUI-64 bit process

4. explicitly assign a link-local address

44 / 124

44. Which two command sequences must you configure on a switch to establish a Layer 3 EtherChannel with an
open-standard protocol? (Choose two.)

1. interface GigabitEthernet0/0/1 channel-group 10 mode on

2. interface GigabitEthernet0/0/1 channel-group 10 mode auto

3. interface port-channel 10 no switchport ip address 172.16.0.1.255.255.255.0

4. interface GigabitEthernet0/0/1 channel-group 10 mode active

5. interface port-channel 10 switchport switchport mode trunk

45 / 124

45. Refer to the exhibit. On R1 which routing protocol is in use on the route to 192.168.10.1?

1. EIGRP

2. IGRP

3. RIP

4. OSPF

46 / 124

46. Which NAT term is defined as a group of addresses available for NAT use?

1. one-way NAT

2. static NAT

3. NAT pool

4. dynamic NAT

47 / 124

47. Which effete does the aaa new-model configuration command have?

1. It enables AAA services on the device

2. It configures a local user on the device

3. It associates a RADIUS server to an group.

4. It configures the device to connect to a RADIUS server for AAA

48 / 124

48. Which value can you modify to configure a specific interface as the preferred forwarding interface?

1. The port priority

2. The VLAN priority

3. The interface number

4. The hello time

49 / 124

49. Refer to the exhibit. How does the router manage traffic to 192.168.12.16?

1. It chooses the EIGRP route because it has the lowest administrative distance

2. It chooses the OSPF route because it has the longest prefix inclusive of the destination address.

3. It selects the RIP route because it has the longest prefix inclusive of the destination address.

4. It load-balances traffic between all three routes

50 / 124

50. What is a difference between local AP mode and FiexConnet AP mode?

1. Local AP mode creates two CAPWAP tunnels per AP to the WLC

2. FiexConnect AP mode fails to function if me AP loses connectivity with the WLC

3. Local AP mode causes the AP to behave as if it were an autonomous AP

4. FlexConnect AP mode bridges the traffic from the AP to the WLC when local switching is configured

51 / 124

51. Which two VLAN IDs indicate a default VLAN? (Choose two.)

1. 4096

2. 0

3. 1006

4. 1005

5. 1

52 / 124

52. When configuring an EtherChannel bundle, which mode enables LACP only if a LACP device is detected?

1. Passive

2. Auto

3. Desirable

4. On

5. Active

The LACP is Link Aggregation Control Protocol. LACP is an open protocol, published under the 802.3ad.
The modes of LACP are active, passive or on. The side configured as "pasive" will waiting the other side that
should an Active for the Etherchannel to be established.
PAgP is Port-Aggregation Protocol. It is Cisco proprietary protocol. The mode are On, Desirable or Auto.
Desirable - Auto will establish a EtherChannel.
An example of how to configure an Etherchannel:
SwitchFormula1>enable
SwitchFormula1#configure terminal
SwitchFormula1(config)# interface range f0/5 -14
SwitchFormula1(config-if-range)# channel-group 13 mode ?
active Enable LACP unconditionally
auto Enable PAgP only if a PAgP device is detected
desirable Enable PAgP unconditionally
on Enable Etherchannel only
passive Enable LACP only if a LACP device is detected

53 / 124

53. Network 172.16.1.32 0.0.0.31

1. to allow detection of a remote device when its physical address is unknown

2. to allow communication with devices on a different network

3. to allow communication between different devices on the same network

4. to uniquely identify devices at Layer 2

5. to differentiate a Layer 2 frame from a Layer 3 packet

6. to establish a priority system to determine which device gets to transmit first

54 / 124

54. Refer to the exhibit. Which rule does the DHCP server use when there is an IP address conflict?

1. The address is removed from the pool until the conflict is resolved.

2. The IP will be shown, even after the conflict is resolved

3. Only the IP detected by Gratuitous ARP is removed from the pool.

4. Only the IP detected by Ping is removed from the pool.

5. The address remains in the pool until the conflict is resolved

55 / 124

55. How does STP prevent forwarding loops at OSI Layer 2?

1. Collision avoidance

2. TTL

3. Port blocking

4. MAC address forwarding

56 / 124

56. Which two pieces of information can you determine from the output of the show ntp status command? (Choose
two)

1. whether the clock is synchronized

2. the configured NTP servers

3. the NTP version number of the peer

4. whether the NTP peer is statically configured

5. the IP address of the peer to which the clock is synchronized

57 / 124

57. Refer to the exhibit. Which two events occur on the interface, if packets from an unknown Source address
arrive after the interface learns the maximum number of secure MAC address? (Choose two.)

1. The port LED turns off

2. A syslog message is generated

3. The security violation counter dose not increment

4. The interface is error-disabled

5. The interface drops traffic from unknown MAC address

58 / 124

58. Which two are features of IPv6? (Choose two.)

1. anycast

2. multicast

3. allcast

4. broadcast

5. podcast

IPv6 addresses are classified by the primary addressing and routing methodologies common in networking:
unicast addressing, anycast addressing, and multicast addressing. A unicast address identifies a single network
interface. The Internet Protocol delivers packets sent to a unicast address to that specific interface. An anycast
address is assigned to a group of interfaces, usually belonging to different nodes. A packet sent to an anycast
address is delivered to just one of the member interfaces, typically the nearest host, according to the routing
protocol’s definition of distance. Anycast addresses cannot be identified easily, they have the same format as
unicast addresses, and differ only by their presence in the network at multiple points. Almost any unicast
address can be employed as an anycast address.
A multicast address is also used by multiple hosts, which acquire the multicast address destination by
participating in the multicast distribution protocol among the network routers. A packet that is sent to a multicast
address is delivered to all interfaces that have joined the corresponding multicast group.

59 / 124

59. After you deploy a new WLAN controller on your network, which two additional tasks should you consider?
(Choose two)

1. deploy load balancers

2. configure additional security policies

3. configure additional vlans

4. deploy POE switches

5. configure multiple VRRP groups

60 / 124

60. Which command verifies whether any IPv6 ACLs are configured on a router?

1. show access-list

2. show ipv6 interface

3. show ipv6 route

4. show ipv6 access-list

61 / 124

61. What is the purpose of the show ip ospf interface command?

1. displaying general information about OSPF routing processes

2. displaying OSPF neighbor information on a per-interface-type basis

3. displaying OSPF neighbor information on a per-interface basis

4. displaying OSPF-related interface information

62 / 124

62. Which type does a port become when it receives the best BPDU on a bridge?

1. The alternate port

2. The backup port

3. The designated port

4. The root port

63 / 124

63. What is a difference between RADIUS and TACACS+?

1. TACACS+ encrypts only password information and RADIUS encrypts the entire payload

2. TACACS+ separates authentication and authorization, and RADIUS merges them

3. RADIUS is most appropriate for dial authentication, but TACACS+ can be used for multiple types of authentication

4. RADIUS logs all commands that are entered by the administrator, but TACACS+ logs only start, stop, and interim commands

64 / 124

64. Refer to the exhibit. If R1 receives a packet destined to 172.16.1.1, to which IP address does it send the packet?

1. 192.168.14.4

2. 192.168.13.3

3. 192.168.12.2

4. 192.168.15.5

65 / 124

65. Which statement about the nature of NAT overload is true?

1. applies a many-to-many relationship to internal IP addresses

2. can be configured only on Gigabit interface

3. applies a one-to-one relationship to internal IP addresses

4. applies a one-to-many relationship to internal IP addresses

66 / 124

66. What are two descriptions of three-tier network topologies? (Choose two)

1. The distribution layer runs Layer 2 and Layer 3 technologies

2. The core layer maintains wired connections for each host

3. The network core is designed to maintain continuous connectivity when devices fail.

4. The core and distribution layers perform the same functions

5. The access layer manages routing between devices in different domains

67 / 124

67. Refer to exhibit. What Administrative distance has route to 192.168.10.1 ?

1. 90

2. 120

3. 1

4. 110

68 / 124

68. Refer to the exhibit. Which switch in this configuration becomes the root bridge?

1. SW3

2. SW4

3. SW2

4. SW1

69 / 124

69. Refer to the exhibit. Which two statements about the network environment of router R1 must be true? (Choose
two.)

1. A static default route to 10.85.33.14 was defined

2. The EIGRP administrative distance was manually changed from 90 to 170

3. The 10.0.0.0/8 network was learned via external EIGRP

4. Ten routes are equally load-balanced between Te0/1/0.100 and Te0/2/0.100

5. there are 20 different network masks within the 10.0.0.0/8 network

70 / 124

70. In a CDP environment, what happens when the CDP interface on an adjacent device is configured without an
IP address?

1. CDP becomes inoperable on that neighbor

2. CDP operates normally ,but it cannot provide IP address information for that neighbor

3. CDP operates normally ,but it cannot provide any information for that neighbor

4. CDP uses the IP address of another interface for that neighbor

71 / 124

71. Which command should you enter to configure an LLDP delay time of 5 seconds?

1. ldp reinit 5000

2. lldp timer 5000

3. lldp reinit 5

4. lldp holdtime 5

72 / 124

72. Which command should you enter to configure a device as an NTP sever?

1. ntp peer

2. ntp master

3. ntp authenticate

4. ntp sever

73 / 124

73. Which function does an SNMP agent perform?

1. it manages routing between Layer 3 devices in a network

2. it requests information from remote network nodes about catastrophic system events

3. it sends information about MIB variables in response to requests from the NMS

4. it coordinates user authentication between a network device and a TACACS+ or RADIUS server

74 / 124

74. You have two paths for the 10.10.10.0 network – one that has a feasible distance of 3072 and the other of
6144. What do you need to do to load balance your EIGRP routes?

1. Change the configuration so they both have the same feasible distance

2. Change the IP addresses so both paths have the same source IP address

3. Change the maximum paths to 2

4. Change the variance for the path that has a feasible distance of 3072 to 2

75 / 124

75. Refer to the exhibit. Which two statements about the interface that generated the output are true? (Choose
two.)

1. Two secure MAC address are manually configured on the interface.

2. A syslog message is generated when the maximum number of secure MAC addresses is on the interface

3. An SNMP trap is generated when the maximum number of secure MAC addresses is reached on the interface.

4. The interface dynamically learned two secure MAC addresses.

5. The interface is error-disabled.

76 / 124

76. Which command can you enter to allow Telnet to be supported in addition to SSH

1. no transport input telnet

2. transport input telnet

3. transport input telnet ssh

4. privilege level 15

77 / 124

77. R1 has learned route 10.10.10.0/24 via numerous routing protocols. Which route is installed?

1. route with the lowest cost

2. route with the shortest prefix length

3. route with the lowest administrative distance

4. route with the next hop that has the highest IP

78 / 124

78. Which statement about Cisco Discovery Protocol is true?

1. It is a Cisco-proprietary protocol.

2. It runs on the physical layer and the data link layer

3. It can discover information from routers, firewalls, and switches.

4. It runs on the network layer.

79 / 124

79. Which two pieces of information can you learn by viewing the routing table? (Choose two)

1. whether the administrative distance was manually or dynamically configured

2. the length of time that a route has been known

3. Which neighbor adjacencies are established

4. whether an ACL was applied inbound or outbound to an interface

5. the EIGRP or BGP autonomous system

80 / 124

80. Which component of an Ethernet frame is used to notify a host that traffic is coming?

1. Data field

2. Type field

3. start of frame delimiter

4. preamble

81 / 124

81. Which three statements about MAC addresses are correct? (Choose three.)

1. To communicate with other devices on a network, a network device must have a unique MAC address.

2. A MAC address contains two main components, the first of which identifies the manufacturer of the hardware and the second of which uniquely identifies the hardware.

3. An example of a MAC address is 0A:26:38: D6:65:90.

4. A MAC address contains two main components, the first of which identifies the network on which the host resides and the second of which uniquely identifies the host on the network.

5. The MAC address of a device must be configured in the Cisco IOS CLI by a user with administrative privileges.

6. The MAC address is also referred to as the IP address.

82 / 124

82. What is an advantage of Cisco DNA Center versus traditional campus device management?

1. It is designed primarily to provide network assurance.

2. It supports high availability for management functions when operating in cluster mode.

3. It supports numerous extensibility options including cross-domain adapters and third-party SDKs.

4. It enables easy auto-discovery of network elements m a brownfield deployment

83 / 124

83. What is a characteristic of spine-and-leaf architecture?

1. It provides greater predictability on STP blocked ports.

2. Each device is separated by the same number of hops

3. It provides variable latency

4. Each link between leaf switches allows for higher bandwidth

84 / 124

84. Which statements describe the routing protocol OSPF? (Choose three.)

1. It confines network instability to one area of the network.

2. It is used to route between autonomous systems

3. It supports VLSM.

4. It increases routing overhead on the network

5. It is simpler to configure than RIP v2.

6. It allows extensive control of routing updates.

85 / 124

85. Which value is used to determine the active router in an HSRP default configuration?

1. Router tracking number

2. Router IP address

3. Router loopback address

4. Router priority

86 / 124

86. In which two formats can the IPv6 address fd15:0db8:0000:0000:0700:0003:400F:572B be written? (Choose
two.)

1. fd15:0db8:0000:0000:700:3:400F:527B

2. fd15:db8::700:3:400F:572B

3. fd15::db8::700:3:400F:527B

4. fd15:db8:0::700:3:4F:527B

5. fd15:0db8::7:3:4F:527B

87 / 124

87. What event has occurred if a router sends a notice level message to a syslog server?

1. An interface line has changed status

2. A certificate has expired

3. A TCP connection has been torn down

4. An ICMP connection has been built

88 / 124

88. Which Cisco IOS command will indicate that interface GigabitEthernet 0/0 is configured via DHCP?

1. show ip interface GigabitEthernet 0/0

2. show interface GigabitEthernet 0/0

3. show ip interface GigabitEthernet 0/0 dhcp

4. show ip interface GigabitEthernet 0/0 brief

5. show ip interface dhcp

89 / 124

89. What is the destination MAC address of a broadcast frame?

1. 00:00:0c:43:2e:08

2. 43:2e:08:00:00:0c

3. ff:ff:ff:ff:ff:ff

4. 00:00:0c:07:ac:01

5. 00:00:0c:ff:ff:ff

You have configured a router with an OSPF router ID, but its IP address still reflects the physical interface.
Which action can you take to correct the problem in the least disruptive way?

90 / 124

90. Refer to the exhibit. C-router is to be used as a “router-on-a-stick” to route between the VLANs. All the
interfaces have been properly configured and IP routing is operational. The hosts in the VLANs have been
configured with the appropriate default gateway. What is true about this configuration?

1. No further routing configuration is required.

2. These commands need to be added to the configuration: C-router(config)# router ospf 1 C-router(config-router)# network 172.19.0.0 0.0.3.255

3. These commands need to be added to the configuration: C-router(config)# router eigrp 123 C-router(config-router)# network 172.19.0.0

4. These commands need to be added to the configuration: C-router(config)# router rip C-router(config-router)# network 172.19.0.0

91 / 124

91. What are two fundamentals of virtualization? (choose two)

1. The environment must be configured with one hypervisor that serves solely as a network manager to monitor SNMP traffic

2. It requires that some servers, virtual machines and network gear reside on the Internet

3. It allows logical network devices to move traffic between virtual machines and the rest of the physical network

4. It allows a physical router to directly connect NICs from each virtual machine into the network

5. It allows multiple operating systems and applications to run independently on one physical server.

92 / 124

92. Which keyword in a NAT configuration enables the use of one outside IP address for multiple inside hosts?

1. static

2. source

3. pool

4. overload

93 / 124

93. Which WPA3 enhancement protects against hackers viewing traffic on the Wi-Fi network?

1. TKiP encryption

2. SAE encryption

3. scrambled encryption key

4. AES encryption

94 / 124

94. Which option best describes an API?

1. A contract that describes how various components communicate and exchange data with each other.

2. request a certain type of data by specifying the URL path that models the data

3. a stateless client-server model

4. an architectural style (versus a protocol) for designing applications

95 / 124

95. A network administrator is troubleshooting the OSPF configuration of routers R1 and R2. The routers cannot
establish an adjacency relationship on their common Ethernet link. The graphic shows the output of the show ip
ospf interface e0 command for routers R1 and R2. Based on the information in the graphic, what is the cause
of this problem?

1. The OSPF area is not configured properly

2. The cost on R1 should be set higher.

3. The OSPF process ID numbers must match

4. The hello and dead timers are not configured properly.

5. The OSPF area is not configured properly.

6. A backup designated router needs to be added to the network.

96 / 124

96. Which feature or protocol determines whether the QOS on the network is sufficient to support IP services?

1. EEM

2. LLDP

3. IP SLA

4. CDP

IP SLA allows an IT professional to collect information about network performance in real time.
Therefore it helps determine whether the QoS on the network is sufficient for IP services or not.
Cisco IOS Embedded Event Manager (EEM) is a powerful and flexible subsystem that provides realtime
network event detection and onboard automation. It gives you the ability to adapt the behavior of your network
devices to align with your business needs.

97 / 124

97. Refer to the exhibit. Which Command do you enter so that R1 advertises the loopback0 interface to the BGP
Peers?

1. Network 172.16.1.32 mask 255.255.255.224

2. Network 172.16.1.33 mask 255.255.255.224

3. Network 172.16.1.32 255.255.255.224

4. Network 172.16.1.0 0.0.0.255

5. network 172.16.1.32 mask 0.0.0.31

6. Network 172.16.1.32 0.0.0.31

98 / 124

98. Router R1 must send all traffic without a matching routing-table entry to 192.168.1.1. Which configuration
accomplishes this task?

1. Option C

2. Option D

3. Option B

4. Option A

99 / 124

99. What benefit does controller-based networking provide versus traditional networking?

1. combines control and data plane functionality on a single device to minimize latency

2. provides an added layer of security to protect from DDoS attacks

3. allows configuration and monitoring of the network from one centralized point

4. moves from a two-tier to a three-tier network architecture to provide maximum redundancy

100 / 124

100. Refer to the exhibit. A network associate has configured OSPF with the command:
City(config-router)# network 192.168.12.64 0.0.0.63 area 0.
After completing the configuration, the associate discovers that not all the interfaces are participating in OSPF.
Which three of the interfaces shown in the exhibit will participate in OSPF according to this configuration
statement? (Choose three.)

1. Serial0/0

2. Serial0/1.102

3. FastEthernet0 /0

4. Serial0/1.104

5. Serial0/1.103

6. FastEthernet0 /1

101 / 124

101. Which two statements about EtherChannel technology are true? (Choose two.)

1. STP does not block EtherChannel links.

2. EtherChannel allows redundancy in case one or more links in the EtherChannel fail.

3. EtherChannel does not allow load sharing of traffic among the physical links within the EtherChannel.

4. EtherChannel provides increased bandwidth by bundling existing FastEthernet or Gigabit Ethernet interfaces into a single EtherChannel.

5. You can configure multiple EtherChannel links between two switches, using up to a limit of sixteen physical ports.

102 / 124

102. Which statement about VLAN configuration is true?

1. The switch must be in config-vlan mode before you configure an extended VLAN

2. The switch must be in VTP server or transparent mode before you can configure a VLAN

3. A switch in VTP transparent mode save the VLAN databases to the running configuration only

4. Dynamic inter-VLAN routing is supported on VLAN2 through VLAN 4064

103 / 124

103. Refer to the exhibit. What two conclusions should be made about this configuration? (Choose two)

1. The spanning-tree mode is Rapid PVST+

2. The designated port is FastEthernet 2/1

3. The spanning-tree mode is PVST+

4. The root port is FastEthernet 2/1

5. This is a root bridge

104 / 124

104. Refer to the exhibit. Which feature is enabled by this configuration?

R1#(config)# ip nat pool cisco 10.1.1.0 10.1.1.50 255.255.255.0

1. static NAT translation

2. a dynamic NAT address pool

3. a DHCP pool

4. PAT

105 / 124

105. Change the IP addresses so both paths have the same source IP address

1. OSPF

2. RIP

3. IS-IS

4. EIGRP

5. BGP

106 / 124

106. Which two commands can you use to configure an actively negotiate EtherChannel? (Choose two)

1. channel-group 10 mode active

2. channel-group 10 mode desirable

3. channel-group 10 mode passive

4. channel-group 10 mode auto

5. channel-group 10 mode on

107 / 124

107. You have configured a router with an OSPF router ID, but its IP address still reflects the physical interface.
Which action can you take to correct the problem in the least disruptive way?

1. Specify a loopback address

2. Reload the OSPF process.

3. Save the router configuration

4. Reboot the router

Once an OSPF Router ID selection is done, it remains there even if you remove it or configure another OSPF
Router ID. So the least disruptive way is to correct it using the command "clear ip ospf process".

108 / 124

108. Refer to the exhibit. How does router R1 handle traffic to 192.168.10.16?

1. It selects the OSPF route because it has the lowest cost.

2. It selects the EIGRP route because it has the lowest administrative distance.

3. It selects the IS-IS route because it has the shortest prefix inclusive of the destination address.

4. It selects the RIP route because it has the longest prefix inclusive of the destination address

109 / 124

109. Which statement about the nature of NAT overload is true?

1. applies a one-to-one relationship to internal IP addresses

2. applies a many-to-many relationship to internal IP addresses

3. applies a one-to-many relationship to internal IP addresses

4. can be configured only on Gigabit interface

110 / 124

110. Which feature or protocol is required for an IP SLA to measure UDP jitter?

1. CDP

2. EEM

3. NTP

4. LLDP

111 / 124

111. Which two statements about the purpose of the OSI model are accurate? (Choose two.)

1. Defines the network functions that occur at each layer

2. Facilitates an understanding of how information travels throughout a network

3. Changes in one layer do not impact other layer

4. Ensures reliable data delivery through its layered approach

112 / 124

112. Which of the following is the JSON encoding of a dictionary or hash?

1. [“key”,”value”]

2. (“key”:”value”)

3. {“key”,”value”}

4. {“key”:”value”}

113 / 124

113. How can the Cisco Discovery Protocol be used?

1. to determine the IP addresses of connected Cisco devices

2. to determine the hardware platform of the device

3. all of the above

4. to allow a switch to discover the devices that are connected to its ports

114 / 124

114. Which command is used to configure an IPv6 static default route?

1. ipv6 route default interface next-hop

2. ipv6 route ::/0 interface next-hop5

3. ipv6 route 0.0.0.0/0 interface next-hop

4. ip route 0.0.0.0/0 interface next-hop

115 / 124

115. Refer to the exhibit. Which address and mask combination represents a summary of the routes learned by
EIGRP?

1. 192.168.25.0 255.255.255.252

2. 192.168.25.0 255.255.255.240

3. 192.168.25.16 255.255.255.252

4. 192.168.25.28 255.255.255.252

5. 192.168.25.28 255.255.255.240

6. 192.168.25.16 255.255.255.240

116 / 124

116. Which command enables IPv6 forwarding on a Cisco router?

1. ipv6 unicast-routing

2. ipv6 local

3. ipv6 neighbor

4. ipv6 host

To enable IPv6 routing on the Cisco router use the following command: ipv6 unicast-routing
If this command is not recognized, your version of IOS does not support IPv6.

117 / 124

117. Refer to the exhibit. A network technician is asked to design a small network with redundancy. The exhibit
represents this design, with all hosts configured in the same VLAN. What conclusions can be made about this
design?

1. The router will not accept the addressing scheme.

2. The connection between switches should be a trunk

3. This design will function as intended.

4. The router interfaces must be encapsulated with the 802.1Q protocol

5. Spanning-tree will need to be used.

118 / 124

118. Which two statements about VTP are true? (Choose two.)

1. All switches must be configured with a unique VTP domain name

2. All switches must use the same VTP version.

3. All switches must be configured with the same VTP domain name

4. All switches must be configured to perform trunk negotiation.

5. The VTP server must have the highest revision number in the domain

119 / 124

119. Which function does the range of private IPv4 addresses perform?

1. allows multiple companies to each use the same addresses without conflicts

2. ensures that NAT is not required to reach the internet with private range addressing

3. provides a direct connection for hosts from outside of the enterprise network

4. enables secure communications to the internet for all external hosts

120 / 124

120. Which unified access point mode continues to serve wireless clients after losing connectivity to the Cisco
Wireless LAN Controller?

1. local

2. sniffer

3. flexconnect

4. mesh

121 / 124

121. Refer to the exhibit Users in your office are complaining that they cannot connect to the severs at a remote site.
When troubleshooting, you find that you can successfully reach the severs from router R2. What is the most
likely reason that the other users are experiencing connection failure?

1. The DHCP address pool has been exhausted

2. VLSM is misconfigured between the router interface and the DHCP pool

3. interface ports are shut down on the remote servers

4. The ip helper-address command is missing on the R2 interface that connects to the switch

122 / 124

122. Refer to the exhibit. Which command would you use to configure a static route on Router1 to network
192.168.202.0/24 with a nondefault administrative distance?

1. router1(config)#ip route 192.168.202.0 255.255.255.0 192.168.201.2 1

2. router1(config)#ip route 1 192.168.201.1 255.255.255.0 192.168.201.2

3. router1(config)#ip route 192.168.202.0 255.255.255.0 192.168.201.2 5

4. router1(config)#ip route 5 192.168.202.0 255.255.255.0 192.168.201.2

123 / 124

123. Refer to the exhibit. Which two statements are true about the loopback address that is configured on RouterB?
(Choose two.)

1. It provides stability for the OSPF process on RouterB.

2. It indicates that RouterB should be elected the DR for the LAN.

3. It decreases the metric for routes that are advertised from RouterB.

4. It specifies that the router ID for RouterB should be 10.0.0.1.

5. It ensures that data will be forwarded by RouterB.

124 / 124

124. Which two statements about NTP operations are true? (Choose two.)

1. NTP uses TCP over IP.

2. Cisco routers can act as both NTP authoritative servers and NTP clients.

3. Cisco routers can act only as NTP clients

4. NTP uses UDP over IP.

5. Cisco routers can act only as NTP servers.

Your score is

LinkedIn Facebook Twitter VKontakte

0 votes, 0 avg

Created by

Rabiul Islam

CCNA Question Part-3

1 / 110

1. The OSPF Hello protocol performs which of the following tasks? (Choose two.)

1. It provides dynamic neighbor discovery.

2. It broadcasts hello packets throughout the internetwork to discover all routers that are running OSPIt broadcasts hello packets throughout the internetwork to discover all routers that are running OSP

3. It detects unreachable neighbors in 90 second intervals

4. It uses timers to elect the router with the fastest links as the designated router.

5. It maintains neighbor relationships

6. It negotiates correctness parameters between neighboring interfaces

2 / 110

2. How do TCP and UDP differ in the way they provide reliability for delivery of packets?

1. TCP is a connectionless protocol that does not provide reliable delivery of data, UDP is a connectionoriented protocol that uses sequencing to provide reliable delivery

2. TCP uses windowing to deliver packets reliably; UDP provides reliable message transfer between hosts by establishing a three-way handshake

3. TCP does not guarantee delivery or error checking to ensure that there is no corruption of data UDP provides message acknowledgement and retransmits data if lost.

4. TCP provides flow control to avoid overwhelming a receiver by sending too many packets at once, UDP sends packets to the receiver in a continuous stream without checking for sequencing

3 / 110

3. Refer to the exhibit. Which type of configuration is represented in the output?

1. Ansible

2. Puppet

3. Chef

4. JSON

4 / 110

4. An engineer must establish a trunk link between two switches. The neighboring switch is set to trunk or
desirable mode. What action should be taken?

1. configure switchport mode dynamic auto

2. configure switchport mode dynamic desirable

3. configure switchport trunk dynamic desirable

4. configure switchport nonegotiate

5 / 110

5. What is a function of TFTP in network operations?

1. transfers IOS images from a server to a router for firmware upgrades

2. transfers a configuration files from a server to a router on a congested link

3. transfers files between file systems on a router

4. transfers a backup configuration file from a server to a switch using a username and password

6 / 110

6. What is the function of a server?

1. It routes traffic between Layer 3 devices.

2. It transmits packets between hosts in the same broadcast domain.

3. It provides shared applications to end users

4. It Creates security zones between trusted and untrusted networks

7 / 110

7. How does Cisco DNA Center gather data from the network?

1. Network devices use different services like SNMP, syslog, and streaming telemetry to send data to the controller

2. Devices establish an iPsec tunnel to exchange data with the controller

3. The Cisco CU Analyzer tool gathers data from each licensed network device and streams it to the controller

4. Devices use the call-home protocol to periodically send data to the controller

8 / 110

8. What are two benefits of using VTP in a switching environment? (Choose two.)

1. It allows switches to read frame tags.

2. It allows ports to be assigned to VLANs automatically

3. It maintains VLAN consistency across a switched network

4. It allows VLAN information to be automatically propagated throughout the switching environment

5. It allows frames from multiple VLANs to use a single interface

9 / 110

9. A wireless administrator has configured a WLAN; however, the clients need access to a less congested 5-GHz
network for their voice quality. What action must be taken to meet the requirement?

1. enable Band Select

2. enable DTIM

3. enable AAA override

4. enable RX-SOP

10 / 110

10. Refer to the exhibit. Router R1 Fa0/0 cannot ping router R3 Fa0/1. Which action must be taken in router R1 to
help resolve the configuration issue?

1. configure a static route with 10.10.10.2 as the next hop to reach the 20.20.20.0/24 network

2. set the default network as 20.20.20.0/24

3. set the default gateway as 20.20.20.2

4. configure a static route with Fa0/1 as the egress interface to reach the 20.20.20.0/24 network

11 / 110

11. Using direct sequence spread spectrum, which three 2.4-GHz channels are used to limit collisions?

1. 5,6,7

2. 1,2,3

3. 1,6.11

4. 1,5,10

12 / 110

12. A packet is destined for 10.10.1.22. Which static route does the router choose to forward the packet?

1. ip route 10.10.1.16 255.255.255.252 10.10.255.1

2. ip route 10.10.1.20 255.255.255.252 10.10.255.1

3. ip route 10.10.1.0 255.255.255.240 10.10.255.1

4. ip route 10.10.1.20 255.255.255.254 10.10.255.1

13 / 110

13. A port security violation has occurred on a switch port due to the maximum MAC address count being
exceeded Which command must be configured to increment the security-violation count and forward an SNMP
trap?

1. switchport port-security violation shutdown

2. switchport port-security violation access

3. switchport port-security violation protect

4. switchport port-security violation restrict

14 / 110

14. The service password-encryption command is entered on a router. What is the effect of this configuration?

1. prevents network administrators from configuring clear-text passwords

2. encrypts the password exchange when a VPN tunnel is established

3. protects the VLAN database from unauthorized PC connections on the switch

4. restricts unauthorized users from viewing clear-text passwords in the running configuration

15 / 110

15. Refer to the exhibit. A network administrator assumes a task to complete the connectivity between PC A and
the File Server Switch A and Switch B have been partially configured with VLANs 10, 11, 12, and 13 What is the
next step in the configuration?

1. Add PDA to VLAN 10 and the File Server to VLAN 11 for VLAN segmentation

2. Add VLAN 13 to the trunk links on Switch A and Switch B for VLAN propagation

3. Add PC A to the same subnet as the File Server allowing for intra-VLAN communication

4. Add a router on a stick between Switch A and Switch B allowing for Inter VLAN routing

16 / 110

16. What are two requirements for an HSRP group? (Choose two.)

1. one or more backup virtual routers

2. exactly one backup virtual router

3. exactly one active router

4. exactly one standby active router

5. one or more standby routers

17 / 110

17. What criteria is used first during the root port selection process?

1. lowest path cost to the root bridge

2. lowest neighbor’s bridge ID

3. lowest neighbor’s port ID

4. local port ID

18 / 110

18. What is the difference regarding reliability and communication type between TCP and UDP?

1. TCP is reliable and is a connection-oriented protocol; UDP is not reliable and is a connectionless protocol

2. TCP is reliable and is a connectionless protocol; UDP is not reliable and is a connection-oriented protocol

3. TCP is not reliable and is a connectionless protocol; UDP is reliable and is a connection-oriented protocol

4. TCP is not reliable and is a connection-oriented protocol; UDP is reliable and is a connectionless protocol

19 / 110

19. What are two benefits of controller-based networking compared to traditional networking?

1. Controller-based inflates software costs, while traditional decreases individual licensing costs

2. Controller-based reduces network configuration complexity, while traditional increases the potential for errors

3. Controller-based provides centralization of key IT functions. While traditional requires distributes management function

4. Controller-based allows for fewer network failure, while traditional increases failure rates

5. Controller-based increases network bandwidth usage, while traditional lightens the load on the network.

20 / 110

20. Which step in the link-state routing process is described by a router sending Hello packets out all of the OSPFenabled
interfaces?

1. ecting the designated router

2. exchanging link-state advertisements

3. injecting the default route

4. establishing neighbor adjacencies

21 / 110

21. A company needs to interconnect several branch offices across a metropolitan area. The network engineer is
seeking a solution that provides high-speed converged traffic, including voice, video, and data on the same
network infrastructure. The company also wants easy integration to their existing LAN infrastructure in their
office locations. Which technology should be recommended?

1. ISDN

2. VSAT

3. Ethernet WAN

4. Frame Relay

22 / 110

22. Which WAN access technology is preferred for a small office / home office architecture?

1. broadband cable access

2. dedicated point-to-point leased line

3. frame-relay packet switching

4. Integrated Services Digital Network switching.

23 / 110

23. A corporate office uses four floors in a building
* Floor 1 has 24 users
* Floor 2 has 29 users
* Floor 3 has 28 users
* Floor 4 has 22 users
Which subnet summarizes and gives the most efficient distribution of IP addresses for the router configuration?

1. 192.168.0.0.24 as summary and 192.168.0.0/28 for each floor

2. 192.168.0.0/23 as summary and 192.168.0.0/25 for each floor

3. 192.168.0.0/26 as summary and 192.168.0.0/29 for each floor

4. 192.168.0.0/25 as summary and 192.168.0.0/27 for each floor

24 / 110

24. Refer to the exhibit. A packet is being sent across router R1 to host 172.16.3.14. To which destination does the
router send the packet?

1. 207.165.200.250 via Serial0/0/0

2. 207 165 200 246 via Serial0/1/0

3. 207.165 200.254 via Serial0/0/1

4. 207.165.200.254 via Serial0/0/0

25 / 110

25. An engineer needs to configure LLDP to send the port description time length value (TLV). What command
sequence must be implemented?

1. switch#lldp port-description

2. switch(config-line)#lldp port-description

3. switch(config-if)#lldp port-description

4. switch(config)#lldp port-description

26 / 110

26. What protocol allows an engineer to back up 20 network router configurations globally while using the copy
function?

1. SNMP

2. SMTP

3. TCP

4. FTP

27 / 110

27. An engineer is configuring NAT to translate the source subnet of 10.10.0.0/24 to any of three addresses
192.168.3.1, 192.168.3.2, 192.168.3.3 . Which configuration should be used?

1. D

2. C

3. B

4. A

28 / 110

28. By default, how Does EIGRP determine the metric of a route for the routing table?

1. it uses a default metric of 10 for all routes that are learned by the router

2. it uses a reference Bandwidth and the actual bandwidth of the connected link to calculate the route metric

3. it counts the number of hops between the receiving and destination routers and uses that value as the metric

4. it uses the bandwidth and delay values of the path to calculate the route metric

29 / 110

29. A device detects two stations transmitting frames at the same time. This condition occurs after the first 64 bytes
of the frame is received interface counter increments?

1. CRC

2. collision

3. late collision

4. runt

30 / 110

30. Refer to the exhibit. What configuration on RTR-1 denies SSH access from PC-1 to any RTR-1 interface and
allows all other traffic?

1. access-list 100 deny tcp host 172.16.1.33 any eq 22 access-list 100 permit ip any any interface GigabitEthernet0/0 ip access-group 100 in

2. access-list 100 deny tcp host 172.16.1.33 any eq 23 access-list 100 permit ip any any interface Gigabit Ethernet0/0 ip access-group 100 in

3. access-list 100 deny tcp host 172.16.1.33 any eq 23 access-list 100 permit ip any any line vty 0 15 access-class 100 in

4. access-list 100 deny tcp host 172.16.1.33 any eq 22 access-list 100 permit ip any any line vty 0 15 access-class 100 in

31 / 110

31. What is the primary function of a Layer 3 device?

1. to transmit wireless traffic between hosts

2. to pass traffic between different networks

3. to analyze traffic and drop unauthorized traffic from the Internet

4. forward traffic within the same broadcast domain

32 / 110

32. Which technology is used to improve web traffic performance by proxy caching?

1. WSA

2. ASA

3. Firepower

4. FireSIGHT

33 / 110

33. What role does a hypervisor provide for each virtual machine in server virtualization?

1. Software-as-a-service

2. control and distribution of physical resources

3. services as a hardware controller.

4. infrastructure-as-a-service.

34 / 110

34. When using Rapid PVST+, which command guarantees the switch is always the root bridge for VLAN 200?

1. spanning -tree vlan 200 priority 614440

2. spanning -tree vlan 200 priority 38572422

3. spanning -tree vlan 200 root primary

4. spanning -tree vlan 200 priority 0

35 / 110

35. Refer to the exhibit. If the switch reboots and all routers have to re-establish OSPF adjacencies, which routers
will become the new DR and BDR?

1. Router R3 will become the DR and router R2 will become the BDR

2. Router R3 will become the DR and router R1 will become the BDR.

3. Router R4 will become the DR and router R3 will become the BDR

4. Router R1 will become the DR and router R2 will become the BDR.

36 / 110

36. What are two reasons a network administrator would use CDP? (Choose two.)

1. to verify the type of cable interconnecting two devices

2. to obtain VLAN information from directly connected switches

3. to obtain the IP address of a connected device in order to telnet to the device

4. to determine the status of the routing protocols between directly connected routers

5. to determine the status of network services on a remote device

6. to verify Layer 2 connectivity between two devices when Layer 3 fails

37 / 110

37. An engineer requires a scratch interface to actively attempt to establish a trunk link with a neighbor switch.
What command must be configured?

1. switchport mode trunk

2. switchport mode dynamic desirable

3. switchport nonegotiate

4. switchport mode dynamic auto

38 / 110

38. Refer to the exhibit. Which path is used by the router for internet traffic?

1. 209.165.200.0/27

2. 10.10.10.0/28

3. 0.0.0.0/0

4. 10.10.13.0/24

39 / 110

39. Which purpose does a northbound API serve in a controller-based networking architecture?

1. reports device errors to a controller

2. communicates between the controller and the physical network hardware

3. generates statistics for network hardware and traffic

4. facilitates communication between the controller and the applications

40 / 110

40. Which two minimum parameters must be configured on an active interface to enable OSPFv2 to operate?
(Choose two)

1. iPv6 address

2. OSPF MD5 authentication key

3. OSPf process ID

4. OSPf stub flag

5. OSPF area

41 / 110

41. Refer to the exhibit. Which action is expected from SW1 when the untagged frame is received on the
GigabitEthernet0/1 interface?

1. The frame is processed in VLAN 5.

2. The frame is processed in VLAN 11

3. The frame is dropped

4. The frame is processed in VLAN 1

42 / 110

42. Which spanning-tree enhancement avoids the learning and listening states and immediately places ports in the
forwarding state?

1. PortFast

2. Backbonefast

3. BPDUguard

4. BPDUfilter

43 / 110

43. What are two functions of a server on a network? (Choose two)

1. runs applications that send and retrieve data for workstations that make requests

2. handles requests from multiple workstations at the same time

3. housed solely in a data center that is dedicated to a single client

4. runs the same operating system in order to communicate with other servers

5. achieves redundancy by exclusively using virtual server clustering

44 / 110

44. Which type of API would be used to allow authorized salespeople of an organization access to internal sales
data from their mobile devices?

1. open

2. public

3. private

4. partner

45 / 110

45. What are two roles of the Dynamic Host Configuration Protocol (DHCP)? (Choose two)

1. The DHCP server leases client IP addresses dynamically.

2. The DHCP server offers the ability to exclude specific IP addresses from a pool of IP addresses

3. The DHCP client maintains a pool of IP addresses it can assign

4. The DHCP server assigns IP addresses without requiring the client to renew them

5. The DHCP client can request up to four DNS server addresses

46 / 110

46. Refer to the exhibit Which outcome is expected when PC_A sends data to PC_B?

1. The destination MAC address is replaced with ffff.ffff.ffff

2. The source MAC address is changed

3. The switch rewrites the source and destination MAC addresses with its own

4. The source and destination MAC addresses remain the same

47 / 110

47. Which function dose the range of private IPv4 addresses perform?

1. allow multiple companies to each use the same address without conflicts

2. provides a direct connection for hosts from outside of the enterprise network

3. ensues that NAT is not required to reach the internet with private range addressing

4. enable secure communications to the internet for all external hosts

48 / 110

48. Which type of VPN uses a hub-and-spoke configuration to establish a full mesh topology?

1. dynamic multipoint VPN

2. IPsec virtual tunnel interface

3. GRE over IPsec

4. MPLS VPN

49 / 110

49. Refer to the exhibit. After the election process what is the root bridge in the HQ LAN?

1. Switch 4

2. Switch 2

3. Switch 3

4. Switch 1

50 / 110

50. Refer to the exhibit. Which switch becomes the root bridge?

SW1: 0C:E0:38:00:36:75
SW2: 0C:0E:15:22:05:97
SW3: 0C:0E:15:1A:3C:9D
SW4: 0C:E0:18:A1:B3:19

1. SW3

2. SW4

3. SW2

4. SW1

51 / 110

51. What software defined architecture plane assists network devices with making packet-forwarding decisions by
providing Layer 2 reachability and Layer 3 routing information?

1. data plane

2. control plane

3. management plane

4. policy plane

52 / 110

52. Refer to the exhibit. Router R1 is configured with static NAT. Addressing on the router and the web server are
correctly configured, but there is no connectivity between the web server and users on the Internet. What is a
possible reason for this lack of connectivity?

1. The router NAT configuration has an incorrect inside local address

2. The NAT configuration on interface S0/0/1 is incorrect.

3. Interface Fa0/0 should be configured with the command ip nat outside

4. The inside global address is incorrect.

53 / 110

53. What is a function of Wireless LAN Controller?

1. use SSIDs to distinguish between wireless clients.

2. monitor activity on wireless and wired LANs

3. register with a single access point that controls traffic between wired and wireless endpoints.

4. send LWAPP packets to access points.

54 / 110

54. Router R2 is configured with multiple routes to reach network 10 1.1.0/24 from router R1. What protocol is
chosen by router R2 to reach the destination network 10.1.1.0/24?

1. EIGRP

2. OSPF

3. static

4. eBGP

55 / 110

55. Which goal is achieved by the implementation of private IPv4 addressing on a network?

1. provides a reduction in size of the forwarding table on network routers

2. allows servers and workstations to communicate across public network boundaries

3. allows communication across the Internet to other private networks

4. provides an added level of protection against Internet exposure

56 / 110

56. Which command can you enter to determine the addresses that have been assigned on a DHCP Server?

1. Show ip DHCP server statistic.

2. Show ip DHCP database.

3. Show ip DHCP binding.

4. Show ip DHCP pool.

57 / 110

57. The SW1 interface g0/1 is in the down/down state. Which two configurations are valid reasons for the interface
conditions?(choose two)

1. The interface is error-disabled

2. The interface is shut down

3. There is a speed mismatch

4. There is a duplex mismatch

5. There is a protocol mismatch

58 / 110

58. On a corporate network, hosts on the same VLAN can communicate with each other, but they are unable to
communicate with hosts on different VLANs. What is needed to allow communication between the VLANs?

1. a switch with a trunk link that is configured between the switches

2. a switch with an access link that is configured between the switches

3. a router with an IP address on the physical interface connected to the switch

4. a router with subinterfaces configured on the physical interface that is connected to the switch

59 / 110

59. What are two roles of Domain Name Services (DNS)? (Choose Two)
A. builds

1. improves security by protecting IP addresses under Fully Qualified Domain Names (FQDNs)

2. encrypts network Traffic as it travels across a WAN by default

3. enables applications to identify resources by name instead of IP address

4. builds a flat structure of DNS names for more efficient IP operations

5. allows a single host name to be shared across more than one IP address

60 / 110

60. The OSPF Hello protocol performs which of the following tasks? (Choose two.)

1. It maintains neighbor relationships.

2. It provides dynamic neighbor discovery.

3. It detects unreachable neighbors in 90 second intervals

4. It broadcasts hello packets throughout the internetwork to discover all routers that are running OSPF.

5. It negotiates correctness parameters between neighboring interfaces.

6. It uses timers to elect the router with the fastest links as the designated router.

61 / 110

61. An office has 8 floors with approximately 30-40 users per floor What command must be configured on the
router Switched Virtual Interface to use address space efficiently?

1. ip address 192.168.0.0 255.255.254.0

2. ip address 192.168.0.0 255.255.255.224

3. ip address 192.168.0.0 255.255.255.128

4. ip address 192.168.0.0 255.255.0.0

62 / 110

62. Refer to the exhibit. The network administrator wants VLAN 67 traffic to be untagged between Switch 1 and
Switch 2 while all other VLANs are to remain tagged. Which command accomplishes this task?

1. switchport trunk native vlan 67

2. switchport access vlan 67

3. switchport private-vlan association host 67

4. switchport trunk allowed vlan 67

63 / 110

63. What are two reasons for an engineer to configure a floating state route? (Choose two)

1. to automatically route traffic on a secondary path when the primary path goes down

2. to enable fallback static routing when the dynamic routing protocol fails

3. to route traffic differently based on the source IP of the packet

4. to control the return path of traffic that is sent from the router

5. to support load balancing via static routing

64 / 110

64. Which state does the switch port move to when PortFast is enabled?

1. blocking

2. forwarding

3. listening

4. learning

65 / 110

65. What mechanism carries multicast traffic between remote sites and supports encryption?

1. iPsec over ISATAP

2. GRE over iPsec

3. GRE

4. ISATAP

66 / 110

66. Refer to the exhibit. Which two configurations would be used to create and apply a standard access list on R1,
so that only the 10.0.70.0/25 network devices are allowed to access the internal database server? (Choose
two.)

1. R1(config)# interface GigabitEthernet0/0 R1(config-if)# ip access-group 5 out

2. R1(config)# access-list 5 permit 10.0.54.0 0.0.1.255

3. R1(config)# access-list 5 permit 10.0.70.0 0.0.0.127

4. R1(config)# access-list 5 permit any

5. R1(config)# interface Serial0/0/0 R1(config-if)# ip access-group 5 in

67 / 110

67. When a WPA2-PSK WLAN is configured in the Wireless LAN Controller, what is the minimum number of
characters that is required in ASCII format?

1. 12

2. 8

3. 18

4. 6

68 / 110

68. Which IPv6 address block forwards packets to a multicast address rather than a unicast address?

1. FE80::/10

2. 2000::/3

3. FF00::/12

4. FC00::/7

69 / 110

69. In which two ways does a password manager reduce the chance of a hacker stealing a users password?
(Choose two.)

1. It encourages users to create stronger passwords

2. It stores the password repository on the local workstation with built-in antivirus and anti-malware functionality

3. It protects against keystroke logging on a compromised device or web site.

4. It automatically provides a second authentication factor that is unknown to the original user

5. It uses an internal firewall to protect the password repository from unauthorized access

70 / 110

70. A manager asks a network engineer to advise which cloud service models are used so employees do not have
to waste their time installing, managing, and updating software which is only used occasionally Which cloud
service model does the engineer recommend?

1. software-as-a-service

2. infrastructure-as-a-service

3. platform-as-a-service

4. business process as service to support different types of service

71 / 110

71. Refer to the exhibit. Refer to the exhibit. An engineer must add a subnet for a new office that will add 20 users
to the network. Which IPv4 network and subnet mask combination does the engineer assign to minimize
wasting addresses?

1. 10.10.225.32 255.255.255.224

2. 10.10.225.48 255.255.255.240

3. 10.10.225.48 255.255.255.224

4. 10.10.225.32 255.255.255.240

72 / 110

72. Which three statements are typical characteristics of VLAN arrangements? (Choose three.)

1. VLANs typically decrease the number of collision domains

2. A switch maintains a separate bridging table for each VLAN.

3. Each VLAN uses a separate address space.

4. A new switch has no VLANs configured

5. VLANs cannot span multiple switches.

6. Connectivity between VLANs requires a Layer 3 device

73 / 110

73. What is a recommended approach to avoid co-channel congestion while installing access points that use the
2.4 GHz frequency?

1. one overlapping channel

2. different overlapping channels

3. one nonoverlapping channel

4. different nonoverlapping channels

74 / 110

74. Refer to Exhibit. The loopback1 interface of the Atlanta router must reach the loopback3 interface of the
Washington router. Which two static host routes must be configured on the NEW York router? (Choose two)

1. ipv6 route 2000::1/128 s0/0/1

2. ipv6 route 2000::1/128 2012::2

3. ipv6 route 2000::1/128 2012::1

4. ipv6 route 2000::3/128 2023::3

5. ipv6 route 2000::3/128 s0/0/0

75 / 110

75. Which technology must be implemented to configure network device monitoring with the highest security?

1. NetFlow

2. SNMPv3

3. IP SLA

4. syslog

76 / 110

76. Refer to the exhibit. To which device does Router1 send packets that are destined to host 10.10.13.165?

1. Router3

2. Router5

3. Router4

4. Router2

77 / 110

77. An engineer must configure an OSPF neighbor relationship between router R1 and R3 The authentication
configuration has been configured and the connecting interfaces are in the same 192.168 1.0/30 sublet. What
are the next two steps to complete the configuration? (Choose two.)

1. configure both interfaces with the same area ID

2. configure the interfaces as OSPF active on both sides.

3. configure the same router ID on both routing processes

4. configure the same process ID for the router OSPF process

5. configure the hello and dead timers to match on both sides

78 / 110

78. What are two differences between optical-fiber cabling and copper cabling? (Choose two)

1. Light is transmitted through the core of the fiber

2. The data can pass through the cladding

3. A BNC connector is used for fiber connections

4. Fiber connects to physical interfaces using Rj-45 connections

5. The glass core component is encased in a cladding

79 / 110

79. How do TCP and UDP differ in the way they guarantee packet delivery?

1. TCP uses checksum, acknowledgement, and retransmissions, and UDP uses checksums only.

2. TCP uses retransmissions, acknowledgement and parity checks and UDP uses cyclic redundancy checks only.

3. TCP uses checksum, parity checks, and retransmissions, and UDP uses acknowledgements only.

4. TCP uses two-dimensional parity checks, checksums, and cyclic redundancy checks and UDP uses retransmissions only.

80 / 110

80. Anycompany has decided to reduce its environmental footprint by reducing energy costs, moving to a smaller
facility, and promoting telecommuting. What service or technology would support this requirement?

1. Cisco ACI

2. cloud services

3. APIC-EM

4. data center

81 / 110

81. Which configuration ensures that the switch is always the root for VLAN 750?

1. Switch(config)#spanning-tree vlan 750 root primary

2. Switch(config)#spanning-tree vlan 750 priority 0

3. Switch(config)#spanning-tree vlan 750 priority 614440

4. Switch(config)#spanning-tree vlan 750 priority 38003685

82 / 110

82. Refer to the exhibit. Which configuration issue is preventing the OSPF neighbor relationship from being
established between the two routers?

1. R2 should have its network command in area 1

2. R1 has an incorrect network command for interface Gi1/0

3. R1 interface Gi1/0 has a larger MTU size

4. R2 is using the passive-interface default command

83 / 110

83. Refer to the exhibit. Which route type does the routing protocol Code D represent in the output?

1. statically assigned route

2. route learned through EIGRP

3. /24 route of a locally configured IP

4. internal BGP route

84 / 110

84. What is a characteristic of the REST API?

1. most widely used API for web services

2. evolved into what became SOAP

3. used for exchanging XML structured information over HTTP or SMTP

4. considered slow, complex, and rigid

85 / 110

85. Refer to the exhibit. An administrator is tasked with configuring a voice VLAN. What is the expected outcome
when a Cisco phone is connected to the GigabitEthernet 3/1/4 port on a switch?

interface GigabitEthernet 3/1/4

switchport voice vlan 50

1. The phone and a workstation that is connected to the phone send and receive data in VLAN 50.

2. The phone and a workstation that is connected to the phone do not have VLAN connectivity

3. The phone sends and receives data in VLAN 50, but a workstation connected to the phone has no VLAN connected.

4. The phone sends and receives data in VLAN 50, but a workstation connected to the phone sends and receives data in VLAN 1.

86 / 110

86. What is the primary purpose of a First Hop Redundancy Protocol?

1. It allows a router to use bridge priorities to create multiple loop-free paths to a single destination.

2. It allows directly connected neighbors to share configuration information.

3. It reduces routing failures by allowing more than one router to represent itself, as the default gateway of a network.

4. It reduces routing failures by allowing Layer 3 load balancing between OSPF neighbors that have the same link metric

87 / 110

87. Which two functions are performed by the core layer in a three-tier architecture? (Choose two)

1. Provide uninterrupted forwarding service

2. Ensure timely data transfer between layers.

3. Police traffic that is sent to the edge of the network.

4. Inspect packets for malicious activity.

5. Provide direct connectivity for end user devices.

88 / 110

88. Which type of information resides on a DHCP server?

1. a list of the available IP addresses in a pool

2. usernames and passwords for the end users in a domain

3. a list of public IP addresses and their corresponding names

4. a list of statically assigned MAC addresses

89 / 110

89. What occurs to frames during the process of frame flooding?

1. Frames are sent to every port on the switch in the same VLAN except from the originating port.

2. Frames are sent to every port on the switch that has a matching entry in MAC address table

3. Frames are sent to every port on the switch in the same VLAN

4. Frames are sent to all ports, including those that are assigned to other VLANs.

90 / 110

90. What are two functions of a Layer 2 switch? (Choose two)

1. moves packets between different VLANs

2. selects the best route between networks on a WAN

3. moves packets within a VLAN

4. makes forwarding decisions based on the MAC address of a packet

5. acts as a central point for association and authentication servers

91 / 110

91. Which device performs stateful inspection of traffic?

1. access point

2. firewall

3. wireless controller

4. switch

92 / 110

92. Refer to the exhibit. An engineer deploys a topology in which R1 obtains its IP configuration from DHCP. If the
switch and DHCP server configurations are complete and correct. Which two sets of commands must be
configured on R1 and R2 to complete the task? (Choose two)

1. R1(config)# interface fa0/0 R1(config-if)# ip address dhcp R1(config-if)# no shutdown

2. R2(config)# interface gi0/0 R2(config-if)# ip address dhcp

3. R1(config)# interface fa0/0 R1(config-if)# ip helper-address 198.51.100.100

4. R2(config)# interface gi0/0 R2(config-if)# ip helper-address 198.51.100.100

5. R1(config)# interface fa0/0 R1(config-if)# ip helper-address 192.0.2.2

93 / 110

93. Refer to the exhibit. Which two commands were used to create port channel 10? (Choose two.)

1. int range g0/0-1 channel-group 10 mode desirable

2. int range g0/0-1 channel-group 10 mode passive

3. int range g0/0-1 channel-group 10 mode auto

4. int range g0/0-1 channel-group 10 mode active

5. int range g0/0-1 channel-group 10 mode on

94 / 110

94. What are two recommendations for protecting network ports from being exploited when located in an office
space outside of an IT closet? (Choose two)

1. configure ports to a fixed speed

2. shut down unused ports

3. enable the PortFast feature on ports

4. implement port-based authentication

5. configure static ARP entries

95 / 110

95. Refer to the exhibit. An administrator configures the following ACL in order to prevent devices on the
192.168.1.0 subnet from accessing the server at 10.1.1.5:
access-list 100 deny ip 192.168.1.0 0.0.0.255 host 10.1.1.5
access-list 100 permit ip any any

Where should the administrator place this ACL for the most efficient use of network resources?

1. inbound on router A Fa0/0

2. outbound on router B Fa0/0

3. outbound on router A Fa0/1

4. inbound on router B Fa0/1

96 / 110

96. Refer to the exhibit. What commands are needed to add a subinterface to Ethernet0/0 on R1 to allow for VLAN
20, with IP address 10.20.20.1/24?

1. R1(config)#interface ethernet0/0 R1(config)#encapsulation dot1q 20 R1(config)#ip address 10.20.20.1 255.255.255.0

2. R1(config)#interface ethernet0/0.20 R1(config)#encapsulation dot1q 20 R1(config)#ip address 10.20.20.1 255.255.255.0

3. R1(config)#interface ethernet0/0.20 R1(config)#ip address 10.20.20.1 255.255.255.0

4. R1(config)#interface ethernet0/0 R1(config)#ip address 10.20.20.1 255.255.255.0

97 / 110

97. Refer to the exhibit. If the network environment is operating normally, which type of device must be connected
to interface FastEthernet 0/1?

1. Router

2. DHCP client

3. Access point

4. PC

98 / 110

98. What is the name of the layer in the Cisco borderless switched network design that is considered to be the
backbone used for high-speed connectivity and fault isolation?

1. core

2. access

3. network

4. data link

5. network access

99 / 110

99. Which two statements are true about the command ip route 172.16.3.0 255.255.255.0 192.168.2.4? (Choose
two.)

1. It establishes a static route to the 192.168.2.0 network

2. It establishes a static route to the 172.16.3.0 network

3. It uses the default administrative distance

4. It configures the router to send any traffic for an unknown destination to the 172.16.3.0 network

5. It configures the router to send any traffic for an unknown destination out the interface with the address 192.168.2.4.

6. It is a route that would be used last if other routes to the same destination exist

100 / 110

100. If all OSPF routers in a single area are configured with the same priority value, what value does a router use for
the OSPF router ID in the absence of a loopback interface?

1. the highest IP address among its active interfaces

2. the lowest IP address among its active interfaces

3. the priority value until a loopback interface is configured

4. the IP address of the first Fast Ethernet interface

5. the IP address of the console management interface

101 / 110

101. How does CAPWAP communicate between an access point in local mode and a WLC?

1. The access point must not be connected to the wired network, as it would create a loop

2. The access point must be connected to the same switch as the WLC

3. The access point has the ability to link to any switch in the network, assuming connectivity to the WLC

4. The access point must directly connect to the WLC using a copper cable

102 / 110

102. Which two WAN architecture options help a business scalability and reliability for the network? (Choose two)

1. static routing

2. single-homed branches

3. asychronous routing

4. dynamic routing

103 / 110

103. Refer to the exhibit. Which route type is configured to reach the internet?

1. default route

2. floating static route

3. network route

4. host route

104 / 110

104. A network administrator enabled port security on a switch interface connected to a printer. What is the next
configuration action in order to allow the port to learn the MAC address of the printer and insert it into the table
automatically?

1. implement static MAC addressing.

2. implement auto MAC address learning

3. enable sticky MAC addressing

4. enable dynamic MAC address learning

105 / 110

105. What are two purposes of launching a reconnaissance attack on a network? (Choose two.)

1. to gather information about the network and devices

2. to retrieve and modify data

3. to prevent other users from accessing the system

4. to escalate access privileges

5. to scan for accessibility

106 / 110

106. Which type of ipv6 address is publicly routable in the same way as ipv4 public addresses?

1. global unicast

2. ink-local

3. unique local

4. multicast

107 / 110

107. Which type of attack can be mitigated by dynamic ARP inspection?

1. malware

2. man-in-the-middle

3. DDoS

4. worm

108 / 110

108. Refer to the exhibit. A router reserved these five routes from different routing information sources. Which two
routes does the router install in its routing table? (Choose two)

1. EIGRP route 10.0.0.1/32

2. iBGP route 10.0.0.0/30

3. OSPF route 10.0.0.0/30

4. OSPF route 10.0.0.0/16

5. RIP route 10.0.0.0/30

109 / 110

109. Several new coverage cells are required to improve the Wi-Fi network of an organization. Which two standard
designs are recommended? (Choose two.)

1. For maximum throughput, the WLC is configured to dynamically set adjacent access points to the channel

2. 5GHz provides increased network capacity with up to 23 nonoverlapping channels.

3. 5GHz channel selection requires an autonomous access point.

4. Cells that overlap one another are configured to use nonoverlapping channels

5. Adjacent cells with overlapping channels use a repeater access point.

110 / 110

110. Refer to the exhibit. Refer to the exhibit. After the configuration is applied, the two routers fail to establish an
OSPF neighbor relationship. what is the reason for the problem?

1. The OSPF router IDs are mismatched.

2. The network statement on Router1 is misconfigured

3. The OSPF process IDs are mismatched

4. Router2 is using the default hello timer

Your score is

LinkedIn Facebook Twitter VKontakte

0 votes, 0 avg

Created by

Rabiul Islam

CCNA Question Part-4

1 / 47

1. Which state does the switch port move to when PortFast is enabled?

1. blocking

2. forwarding

3. listening

4. earning

2 / 47

2. In which situation is private IPv4 addressing appropriate for a new subnet on the network of an organization?

1. Traffic on the subnet must traverse a site-to-site VPN to an outside organization

2. There is limited unique address space, and traffic on the new subnet will stay local within the organization

3. The ISP requires the new subnet to be advertised to the internet for web services.

4. The network has multiple endpoint listeners, and it is desired to limit the number of broadcasts

3 / 47

3. An engineer must configure traffic for a VLAN that is untagged by the switch as it crosses a trunk link. Which
command should be used?

1. switchport trunk encapsulation dot1q

2. switchport trunk native vlan 10

3. switchport trunk allowed vlan 10

4. switchport mode trunk

4 / 47

4. Refer to the exhibit. A network administrator has been tasked with securing VTY access to a router Which
access-list entry accomplishes this task?

1. access-list 101 permit tcp 10.1.10 0.0.0.255 172.16.10 0.0.0.255 eq ssh

2. access-list 101 permit tcp 10.11.0 0.0.0.255 172.16.10 0.0.0.255 eq telnet

3. access-list 101 permit tcp 10.11.0 0.0.0.255 172.16.10 0.0.0.255 eq scp C. access-list 101 permit tcp 10.11.0 0.0.0.255 172.16.10 0.0.0.255 eq telnetaccess-list 101 permit tcp 10.11.0 0.0.0.255 172.16.10 0.0.0.255 eq telnet

4. access-list 101 permit tcp 10.1.10 0.0.0.255 172.16.10 0.0.0.255 eq https

5 / 47

5. Which protocol prompts the Wireless LAN Controller to generate its own local web administration SSL
certificate for GUI access?

1. RADIUS

2. HTTPS

3. TACACS+

4. HTTP

6 / 47

6. Which function is performed by the collapsed core layer in a two-tier architecture?

1. enforcing routing policies

2. marking interesting traffic for data polices

3. applying security policies

4. attaching users to the edge of the netwo

7 / 47

7. When implementing a router as a DHCP server, which two features must be configured? (Choose two)

1. database agent

2. address pool

3. smart-relay

4. relay agent information

5. manual bindings

8 / 47

8. What is the effect when loopback interfaces and the configured router ID are absent during the OSPF Process configuration?

1. The router ID 0.0.0.0 is selected and placed in the OSPF process

2. The highest up/up physical interface IP address is selected as the router ID.

3. No router ID is set, and the OSPF protocol does not run.

4. The lowest IP address is incremented by 1 and selected as the router ID.

9 / 47

9. What facilitates a Telnet connection between devices by entering the device name?

1. DNS lookup

2. syslog

3. NTP

4. SNMP

10 / 47

10. Refer to the exhibit. If OSPF Is running on this network, how does Router2 handle traffic from Site B to
10.10.13.128/25 at Site A?

1. It sends packets out of interface Fa0/1.

2. It is unreachable and discards the traffic

3. It sends packets out of interface Fa0/2.

4. It load-balances traffic out of Fa0/1 and Fa0/2.

11 / 47

11. Refer to the exhibit. Which command configures a floating static route to provide a backup to the primary link?

1. ip route 0.0.0.0 0.0.0.0 209.165.202.131

2. ip route 0.0.0.0 0.0.0.0 209.165.200.224

3. ip route 209.165.200.224 255.255.255.224 209.165.202.129 254

4. ip route 209.165.201.0 255.255.255.224 209.165.202.130

12 / 47

12. With REST API, which standard HTTP header tells a server which media type is expected by the client?

1. Accept-Encoding: gzip. deflate

2. Accept-Patch: text/example; charset=utf-8

3. Accept: application/json

4. Content-Type: application/json; charset=utf-8

13 / 47

13. Refer to the exhibit. An engineer configured the New York router with state routes that point to the Atlanta and
Washington sites. When command must be configured on the Atlanta and Washington routers so that both
sites are able to reach the loopback2 interface on the New York router?

1. ipv6 route ::/0 2000::2

2. ipv6 route ::/0 Serial 0/0/0

3. pv6 route 0/0 Serial 0/0/0

4. ip route 0.0.0.0.0.0.0.0 Serial 0/0/0

5. ipv6 route ::/0 Serial 0/0/1

14 / 47

14. How do servers connect to the network in a virtual environment?

1. a software switch on a hypervisor that is physically connected to the network

2. a cable connected to a physical switch on the network

3. wireless to an access point that is physically connected to the network

4. a virtual switch that links to an access point that is physically connected to the network

15 / 47

15. How does a Cisco Unified Wireless network respond to Wi-Fi channel overlap?

1. It analyzes client load and background noise and dynamically assigns a channel.

2. It alternates automatically between 2.4 GHz and 5 GHz on adjacent access points

3. It segregates devices from different manufacturers onto different channels

4. It allows the administrator to assign channels on a per-device or per-interface basis

16 / 47

16. A network administrator needs to aggregate 4 ports into a single logical link which must negotiate layer 2
connectivity to ports on another switch What must be configured when using active mode on both sides of the
connection?

1. Cisco vPC

2. LACP

3. LLDP

4. 802.1q trunks

17 / 47

17. Which technology can prevent client devices from arbitrarily connecting to the network without state
remediation?

1. IP Source Guard

2. MAC Authentication Bypass

3. 802.11n

4. 802.1x

18 / 47

18. What is the maximum bandwidth of a T1 point-to-point connection?

1. 43.7 Mbps

2. 34.368 Mbps

3. 2.048 Mbps

4. 1.544 Mbps

19 / 47

19. What is a function of a remote access VPN?

1. establishes a secure tunnel between two branch sites

2. used exclusively when a user is connected to a company’s internal network

3. allows the users to access company internal network resources through a secure tunnel

4. used cryptographic tunneling to protect the privacy of data for multiple users simultaneously

20 / 47

20. Which device controls the forwarding of authentication requests for users when connecting to the network using
a lightweight access point?

1. TACACS server

2. wireless LAN controller

3. RADIUS server

4. wireless access point

21 / 47

21. Which CRUD operation corresponds to the HTTP GET method?

1. delete

2. read

3. update

4. create

22 / 47

22. What is a role of wireless controllers in an enterprise network?

1. serve as the first line of defense in an enterprise network

2. support standalone or controller-based architectures

3. provide secure user logins to devices on the network

4. centralize the management of access points in an enterprise network

23 / 47

23. In software defined architectures, which plane is distributed and responsible for traffic forwarding?

1. management plane

2. policy plane

3. control plane

4. data plane

24 / 47

24. What is the same for both copper and fiber interfaces when using SFP modules?

1. They support an inline optical attenuator to enhance signal strength

2. They accommodate single-mode and multi-mode in a single module

3. They offer reliable bandwidth up to 100 Mbps in half duplex mode

4. They provide minimal interruption to services by being hot-swappable

25 / 47

25. What is recommended for the wireless infrastructure design of an organization?

1. configure the first three access points are configured to use Channels 1, 6, and 11

2. group access points together to increase throughput on a given channel

3. include a least two access points on nonoverlapping channels to support load balancing

4. assign physically adjacent access points to the same Wi-Fi channel

26 / 47

26. What does a switch use to build its MAC address table?

1. VTP

2. ingress traffic

3. DTP

4. egress traffic

27 / 47

27. Which network plane is centralized and manages routing decisions?

1. data plane

2. management plane

3. policy plane

4. control plane

28 / 47

28. Refer to the exhibit. A network administrator must permit SSH access to remotely manage routers in a network.
The operations team resides on the 10.20.1.0/25 network. Which command will accomplish this task?

1. no access-list 2699 deny ip any 10.20.1.0 0.0.0.255

2. access-list 2699 permit tcp any 10.20.1.0 0.0.0.255 eq 22

3. no access-list 2699 deny tcp any 10.20.1.0 0.0.0.127 eq 22

4. Refer to the exhibit. A network administrator must permit SSH access to remotely manage routers in a network. The operations team resides on the 10.20.1.0/25 network. Which command will accomplish this task?

29 / 47

29. Which command must be entered to configure a DHCP relay?

1. ip helper-address

2. ip dhcp pool

3. ip address dhcp

4. ip dhcp relay

30 / 47

30. Refer to the exhibit. What is the result if Gig1/11 receives an STP BPDU?

1. The port goes into error-disable state

2. The port transitions to the root port

3. The port transitions to STP blocking

4. The port immediately transitions to STP forwarding

31 / 47

31. When using Rapid PVST+, which command guarantees the switch is always the root bridge for VLAN 200?

1. spanning -tree vlan 200 priority 38572422

2. spanning -tree vlan 200 priority 0

3. spanning -tree vlan 200 root primary

4. spanning -tree vlan 200 priority 614440

32 / 47

32. What is the purpose of traffic shaping?

1. to provide fair queuing for buffered flows

2. to limit the bandwidth that a flow can use to

3. be a marking mechanism that identifies different flows

4. to mitigate delays over slow links

33 / 47

33. What is a practice that protects a network from VLAN hopping attacks?

1. Configure an ACL to prevent traffic from changing VLANs

2. Change native VLAN to an unused VLAN ID

3. Implement port security on internet-facing VLANs

4. Enable dynamic ARP inspection

34 / 47

34. Which type of security program is violated when a group of employees enters a building using the ID badge of
only one person?

1. physical access control

2. network authorization

3. user awareness

4. intrusion detection

35 / 47

35. allows the users to access company internal network resources through a secure tunnel

1. read

2. replace

3. create

4. update

36 / 47

36. Aside from discarding, which two states does the switch port transition through while using RSTP (802.1w)?
(Choose two)

1. blocking

2. learning

3. listening

4. speaking

5. forwarding

37 / 47

37. Which device tracks the state of active connections in order to make a decision to forward a packet through?

1. wireless access point

2. firewall

3. router

4. wireless LAN controller

38 / 47

38. A network administrator must enable DHCP services between two sites. What must be configured for the router
to pass DHCPDISCOVER messages on to the server?

1. A DHCP Pool

2. DHCP Binding

3. DHCP Snooping

4. A DHCP Relay Agent

39 / 47

39. Which configuration management mechanism uses TCP port 22 by default when communicating with managed
nodes?

1. Puppet

2. Python

3. Ansible

4. Chef

40 / 47

40. Where does a switch maintain DHCP snooping information?

1. in the binding database

2. in the MAC address table

3. in the frame forwarding database

4. in the CAM table

41 / 47

41. What is a DHCP client?

1. a router that statically assigns IP addresses to hosts.

2. a workstation that requests a domain name associated with its IP address

3. a host that is configured to request an IP address automatically

4. a server that dynamically assigns IP addresses to hosts

42 / 47

42. Refer to the exhibit. PC1 is trying to ping PC3 for the first time and sends out an ARP to S1. Which action is
taken by S1?

1. It is flooded out every port except G0/0.

2. It forwards it out interface G0/2 only.

3. It drops the frame.

4. It forwards it out G0/3 only

43 / 47

43. How does the dynamically-learned MAC address feature function?

1. Switches dynamically learn MAC addresses of each connecting CAM table

2. The ports are restricted and learn up to a maximum of 10 dynamically-learned addresses

3. It requires a minimum number of secure MAC addresses to be filled dynamically

4. The CAM table is empty until ingress traffic arrives at each port

44 / 47

44. Where does the configuration reside when a helper address Is configured to support DHCP?

1. on the switch trunk interface

2. on every router along the path

3. on the router closest to the server

4. on the router closest to the client

45 / 47

45. Which 802.11 frame type is indicated by a probe response after a client sends a probe request?

1. control

2. action

3. data

4. management

46 / 47

46. Refer to the exhibit. An access list is created to deny Telnet access from host PC-1 to RTR-1 and allow access
from all other hosts A Telnet attempt from PC-2 gives this message:”% Connection refused by remote host”
Without allowing Telnet access from PC-1, which action must be taken to permit the traffic?

1. Add the access-list 10 permit any command to the configuration

2. Add the ip access-group 10 out command to interface g0/0.

3. Remove the password command from line vty 0 4.

4. Remove the access-class 10 in command from line vty 0.4.

47 / 47

47. An engineer must configure Interswitch VLAN communication between a Cisco switch and a third-party switch.
Which action should be taken?

1. configure IEEE 802.1q

2. configure DSCP

3. configure IEEE 802.1p

4. configure ISL

Your score is

LinkedIn Facebook Twitter VKontakte

0 votes, 0 avg

Created by

Rabiul Islam

CCNA Question Part-5

1 / 99

1. An administrator must secure the WLC from receiving spoofed association requests. Which steps must be taken to configure the WLC to
restrict the requests and force the user to wait 10 ms to retry an association request?

1. Enable 802.1x Layer 2 security and set me Comeback timer to 10

2. Enable Security Association Teardown Protection and set the SA Query timeout to 10

3. Enable the Protected Management Frame service and set the Comeback timer to 10

4. Enable MAC filtering and set the SA Query timeout to 10

2 / 99

2. What are two benefits of FHRPs? (Choose two.)

1. They allow multiple devices lo serve as a single virtual gateway for clients in the network

2. They are able to bundle muftlple ports to increase bandwidth

3. They enable automatic failover of the default gateway.

4. They prevent (oops in the Layer 2 network.

5. They allow encrypted traffic.

3 / 99

3. What is a role of access points in an enterprise network?

1. support secure user logins to devices or the network

2. integrate with SNMP in preventing DDoS attacks

3. serve as a first line of defense in an enterprise network

4. connect wireless devices to a wired network

4 / 99

4. Which action does the router take as rt forwards a packet through the network?

1. The router replaces the original source and destination MAC addresses with the sending router MAC address as the source and neighbor MAC address as the destination

2. The router encapsulates the source and destination IP addresses with the sending router P address as the source and the neighbor IP address as the destination

3. The router replaces the source and desinaoon labels wth the sending router uterface label as a source and the next hop router label as a desbnabon

4. The router encapsulates the original packet and then includes a tag that identifies the source router MAC address and transmit transparently to the destination

5 / 99

5. Which 802.11 management frame type is sent when a client roams between access points on the same SSID?

1. Association Request

2. Reassociation Request

3. Probe Request

4. Authentication Request

6 / 99

6. Which switch becomes the permanent root bridge for VLAN 5?

1. Branch-1

2. Branch-4

3. Branch-3

4. Branch-2

7 / 99

7. An engineering team asks an implementer to configure syslog for warning conditions and error conditions. Which command does the
implementer configure to achieve the desired result?

1. logging trap 3

2. logging trap 4

3. logging trap 5

4. logging trap 2

8 / 99

8. Refer to the exhibit. Which two prefixes are included in this routing table entry? (Choose two.)

1. 192.168.1.17

2. 192.168.1.254

3. 192.168.1.61

4. 192.168.1.64

5. 192.168.1.127

9 / 99

9. Which plane is centralized by an SON controller?

1. services-plane

2. management-plane

3. control-plane

4. data-plane

10 / 99

10. What are two improvements provided by automation for network management in an SDN environment? (Choose two)

1. New devices are onboarded with minimal effort

2. Proprietary Cisco APIs leverage multiple network management tools

3. Machine learning minimizes the overall error rate when automating troubleshooting processes

4. Artificial intelligence identifies and prevents potential design failures

5. Data collection and analysis tools establish a baseline for the network

11 / 99

11. What does the switch do as it receives the frame from Sales-4?

1. Map the Layer 2 MAC address to the Layer 3 IP address and forward the frame

2. Flood the frame out of all ports except on the port where Sales-1 is connected

3. Insert the source MAC address and port into the forwarding table and forward the frame to Sales-1

4. . Perform a lookup in the MAC address table and discard the frame due to a missing entry

12 / 99

12. What are two characteristics of an SSID? (Choose Two)

1. It is at most 32 characters long.

2. It uniquely identifies a client in a WLAN

3. IT provides secured access to a WLAN

4. It uniquely identifies an access point in a WLAN

5. It can be hidden or broadcast in a WLAN

13 / 99

13. What is the benefit of using FHRP?

1. balancing traffic across multiple gateways in proportion to their loads

2. reduced management overhead on network routers

3. reduced ARP traffic on the network

4. higher degree of availability

14 / 99

14. Where does wireless authentication happen?

1. radio

2. band

3. SSID

4. Layer 2

15 / 99

15. Which global command encrypt all passwords in the running configuration?

1. enable password-encryption

2. enable secret

3. password-encrypt

4. service password-encryption

16 / 99

16. What is the function of a hub-and-spoke WAN topology?

1. allows access restrictions to be implemented between subscriber sites.

2. supports Layer 2 VPNs

3. supports application optimization

4. provides direct connections between subscribers

17 / 99

17. Refer to the exhibit. An administrator must turn off the Cisco Discovery Protocol on the port configured with address last usable address in the
10.0.0.0/30 subnet. Which command set meets the requirement?

1. interface gi0/0 no cdp advertise-v2

2. interface gi0/1 no cdp enable

3. interface gi0/1 clear cdp table

4. interface gi0/0 no cdp run

18 / 99

18. Why was the RFC 1918 address space defined?

1. conserve public IPv4 addressing

2. reduce instances of overlapping IP addresses

3. preserve public IPv6 address space

4. support the NAT protocol

19 / 99

19. A network administrator must to configure SSH for remote access to router R1 The requirement is to use a public and private key pair to encrypt
management traffic to and from the connecting client. Which configuration, when applied, meets the requirements?

1. Option B

2. Option A

3. Option D

4. Option C

20 / 99

20. Refer to the exhibit. R5 is the current DR on the network, and R4 is the BDR. Their interfaces are flapping, so a network engineer wants the
OSPF network to elect a different DR and BDR. Which set of configurations must the engineer implement?

1. R3(config)#interface gi0/0 R3(config-if)#ip ospf priority 255 R2(config)#interface gi0/0 R2(config-if)#ip ospf priority 240

2. R2(config)#interface gi0/0 R2(config-if)#ip ospf priority 259 R3(config)#interface gi0/0 R3(config-if)#ip ospf priority 256

3. . R4(config)#interface gi0/0 R4(config-if)#ip ospf priority 20 R5(config)#interface gi0/0 R5(config-if)#ip ospf priority 10

4. R5(config)#interface gi0/0 R5(config-if)#ip ospf priority 120 R4(config)#interface gi0/0 R4(config-if)#ip ospf priority 110

21 / 99

21. When a site-to-site VPN is configured, which IPsec mode provides encapsulation and encryption of the entire original P packet?

1. IPsec transport mode with AH

2. IPsec tunnel mode with AH

3. IPsec tunnel mode with ESP

4. IPsec transport mode with ESP

22 / 99

22. Which two protocols must be disabled to increase security for management connections to a Wireless LAN Controller? (Choose two)

1. HTTP

2. SSH

3. TFTP

4. Telnet

5. HTTPS

23 / 99

23. How does QoS optimize voice traffic?

1. by differentiating voice and video traffic

2. reducing bandwidth usage

3. by increasing jitter

4. by reducing packet loss

24 / 99

24. What is the benefit of configuring PortFast on an interface?

1. After the cable is connected, the interface uses the fastest speed setting available for that cable type

2. The frames entering the interface are marked with higher priority and then processed faster by a switch.

3. Real-time voice and video frames entering the interface are processed faster

4. After the cable is connected, the interface is available faster to send and receive user data

25 / 99

25. What Is a syslog facility?

1. group of log messages associated with the configured severity level

2. password that authenticates a Network Management System to receive log messages

3. set of values that represent the processes that can generate a log message

4. Host that is configured for the system to send log messages

26 / 99

26. Which port type supports the spanning-tree portfast command without additional configuration?

1. Layer 3 suninterfaces

2. access ports

3. trunk ports

4. Layer 3 main Interfaces

27 / 99

27. A network engineer must configure the router R1 GigabitEthernet1/1 interface to connect to the router R2 GigabitEthernet1/1 interface. For the
configuration to be applied the engineer must compress the address 2001:0db8:0000:0000:0500:000a:400F:583B. Which command must be
issued on the interface?

1. ipv6 address 2001::db8:0000::500:a:400F:583B

2. ipv6 address 2001:0db8::5: a: 4F 583B

3. ipv6 address 2001 db8:0::500:a:4F:583B

4. ipv6 address 2001:db8::500:a:400F:583B

28 / 99

28. Which two QoS tools provides congestion management? (Choose two)

1. CAR

2. FRTS

3. PBR

4. PQ

5. CBWFQ

29 / 99

29. Refer to the exhibit. How must router A be configured so that it only sends Cisco Discovery Protocol Information to router C?

1. Option B

2. Option C

3. Option A

4. Option D

30 / 99

30. What is the role of a firewall in an enterprise network?

1. Processes unauthorized packets and allows passage to less secure segments of the network

2. determines which packets are allowed to cross from unsecured to secured networks

3. Forwards packets based on stateless packet inspection

4. explicitly denies all packets from entering an administrative domain

31 / 99

31. What is a characteristic of private IPv4 addressing?

1. composed of up to 65.536 available addresses

2. traverse the Internet when an outbound ACL is applied

3. issued by IANA in conjunction with an autonomous system number

4. used without tracking or registration

32 / 99

32. An engineer needs to add an old switch back into a network. To prevent the switch from corrupting the VLAN database which action must be
taken?

1. Add the switch with DTP set to dynamic desirable

2. Add the switch in the VTP domain with a higher revision number

3. Add the switch with DTP set to desirable

4. Add the switch in the VTP domain with a lower revision number

33 / 99

33. Refer to the exhibit. When PC-A sends traffic to PC-B, which network component is in charge of receiving the packet from PC-A verifying the IP
addresses, and forwarding the packet to PC-B?

1. Router

2. firewall

3. Layer 2 switch

4. Load balancer

34 / 99

34. An engineer is configuring data and voice services to pass through the same port. The designated switch interface fastethernet0/1 must transmit
packets using the same priority for data when they are received from the access port of the IP phone. Which configuration must be used?

1. interface fastethernet0/1 switchport priority extend trust

2. interface fastethernet0/1 switchport priority extend cos 7

3. interface fastethernet0/1 switchport voice vlan untagged

4. . interface fastethernet0/1 switchport voice vlan dot1p

35 / 99

35. What is a similarity between OM3 and OM4 fiber optic cable?

1. Both have a 9 micron core diameter

2. Both have a 62.5 micron core diameter

3. Both have a 50 micron core diameter

4. Both have a 100 micron core diameter

36 / 99

36. What prevents a workstation from receiving a DHCP address?

1. DTP

2. STP

3. 802.10

4. VTP

37 / 99

37. What are two characteristics of the distribution layer in a three-tier network architecture? (Choose two.)

1. is the backbone for the network topology

2. provides a boundary between Layer 2 and Layer 3 communications

3. serves as the network aggregation point

4. physical connection point for a LAN printer

5. designed to meet continuous, redundant uptime requirements

38 / 99

38. What is the difference in data transmission delivery and reliability between TCP and UDP?

1. TCP transmits data at a higher rate and ensures packet delivery. UDP retransmits lost data to ensure applications receive the data on the remote end.

2. UDP sets up a connection between both devices before transmitting data. TCP uses the three-way handshake to transmit data with a reliable connection.

3. TCP requires the connection to be established before transmitting data. UDP transmits data at a higher rate without ensuring packet delivery.

4. UDP is used for multicast and broadcast communication. TCP is used for unicast communication and transmits data at a higher rate with error checking.

39 / 99

39. When a WLAN with WPA2 PSK is configured in the Wireless LAN Controller GUI which format is supported?

1. Unicode

2. base64

3. decimal

4. ASCII

40 / 99

40. What is a function of the Cisco DNA Center Overall Health Dashboard?

1. It summarizes daily and weekly CPU usage for servers and workstations in the network

2. It summarizes the operational status of each wireless devise on the network

3. It provides detailed activity logging for the 10 devices and users on the network

4. It provides a summary of the top 10 global issues

41 / 99

41. Which protocol requires authentication to transfer a backup configuration file from a router to a remote server?

1. TFTP

2. DTP

3. SMTP

4. FTP

42 / 99

42. Which switch technology establishes a network connection immediately when it is plugged in?

1. PortFast

2. BackboneFast

3. BPDU guard

4. UplinkFast

43 / 99

43. When a client and server are not on the same physical network, which device is used to forward requests and replies between client and server
for DHCP?

1. DHCPDISCOVER

2. DHCPOFFER

3. DHCP relay agent

4. DHCP server

44 / 99

44. Refer to the exhibit. Router R4 is dynamically learning the path to the server. If R4 is connected to R1 via OSPF Area 20, to R2 via R2 BGP, and
to R3 via EIGRP 777, which path is installed in the routing table of R4?

1. the path through R2 because the EBGP administrative distance is 20

2. the path through R1, because the OSPF administrative distance is 110

3. the path through R2. because the IBGP administrative distance is 200

4. the path through R3. because the EIGRP administrative distance is lower than OSPF and BGP

45 / 99

45. Refer to the exhibit. Which command must be executed for Gi1.1 on SW1 to become a trunk port if Gi1/1 on SW2 is configured in desirable or
trunk mode?

1. switchport mode dot1-tunnel

2. switchport mode dynamic auto

3. switchport mode dynamic desirable

4. switchport mode trunk

46 / 99

46. On workstations running Microsoft Windows, which protocol provides the default gateway for the device?

1. DNS

2. DHCP

3. STP

4. SNMP

47 / 99

47. Refer to the exhibit. What is the metric of the route to the 192.168.10.33/28 subnet?

1. 110

2. 128

3. 192

4. 193

5. 84

48 / 99

48. What occurs when overlapping Wi-Fi channels are implemented?

1. Network communications are open to eavesdropping

2. The wireless network becomes vulnerable to unauthorized access.

3. . Wireless devices are unable to distinguish between different SSIDs

4. Users experience poor wireless network performance.

49 / 99

49. What is a characteristic of cloud-based network topology?

1. wireless connections provide the sole access method to services

2. services are provided by a public, private, or hybrid deployment

3. onsite network services are provided with physical Layer 2 and Layer 3 components

4. physical workstations are configured to share resources

50 / 99

50. Refer to me exhibit. Which action is taken by the router when a packet is sourced from 10.10.10.2 and destined for 10.10.10.16?

1. It discards the packets

2. It uses a route that is similar to the destination address

3. It floods packets to all learned next hops

4. It Queues the packets waiting for the route to be learned

51 / 99

51. Refer to the exhibit. Shortly after SiteA was connected to SiteB over a new single-mode fiber path users at SiteA report intermittent connectivity
issues with applications hosted at SiteB What is the cause of the intermittent connectivity issue?

1. Interface errors are incrementing

2. An incorrect SFP media type was used at SiteA

3. The sites were connected with the wrong cable type

4. High usage is causing high latency

52 / 99

52. How are VLAN hopping attacks mitigated?

1. manually implement trunk ports and disable DTP

2. configure extended VLANs

3. enable dynamic ARP inspection

4. activate all ports and place in the default VLAN

53 / 99

53. What must be considered when using 802.11a?

1. It is used in place of 802 11b/g when many nonoverlapping channels are required

2. It is chosen over 802 11b/g when a lower-cost solution is necessary

3. It is susceptible to interference from 2 4 GHz devices such as microwave ovens.

4. It is compatible with 802 lib- and 802 11-compliant wireless devices

54 / 99

54. In QoS, which prioritization method is appropriate for interactive voice and video?

1. low-latency queuing

2. round-robin scheduling

3. expedited forwarding

4. traffic policing

55 / 99

55. Which function is performed by DHCP snooping?

1. listens to multicast traffic for packet forwarding

2. rate-limits certain traffic

3. propagates VLAN information between switches

4. provides DDoS mitigation

56 / 99

56. When a switch receives a frame for a known destination MAC address, how is the frame handed?

1. forwarded to the first available port

2. broadcast to all ports

3. sent to the port identified for the known MAC address

4. flooded to all ports except the one from which it originated

57 / 99

57. Which two events occur automatically when a device Is added to Cisco DNA Center? (Choose two.)

1. The device Is placed into the Unmanaged state

2. The device Is placed into the Managed state

3. The device Is assigned to the Global site

4. The device Is placed into the Provisioned state

5. The device is assigned to the Local site

58 / 99

58. A network administrator is asked to configure VLANS 2, 3 and 4 for a new implementation. Some ports must be assigned to the new VLANS
with unused remaining. Which action should be taken for the unused ports?

1. configure in a nondefault native VLAN

2. configure ports as access ports

3. configure ports in a black hole VLAN

4. configure port in the native VLAN

59 / 99

59. What is the purpose of using First Hop Redundancy Protocol in a specific subnet?

1. Sends the default route to the hosts on a network

2. Filter traffic based on destination IP addressing

3. ensures a loop-free physical topology

4. forwards multicast hello messages between routers

60 / 99

60. What is the purpose of a southbound API in a control based networking architecture?

1. Facilities communication between the controller and the applications

2. allows application developers to interact with the network

3. integrates a controller with other automation and orchestration tools.

4. Facilities communication between the controller and the networking hardware

61 / 99

61. Which security program element involves installing badge readers on data-center doors to allow workers to enter and exit based on their job
roles?

1. multifactor authentication

2. biometrics

3. physical access control

4. role-based access control

62 / 99

62. An engineer observes high usage on the 2.4GHz channels and lower usage on the 5GHz channels. What must be configured to allow clients to
preferentially use 5GHz access points?

1. 11ac MU-MIMO

2. Re- Anchor Roamed Clients

3. OEAP Split Tunnel

4. Client Band Select

63 / 99

63. What are network endpoints?

1. . act as routers to connect a user to the service prowler network

2. enforce policies for campus-wide traffic going to the internet

3. a threat to the network if they are compromised

4. support inter-VLAN connectivity

64 / 99

64. Which two components are needed to create an Ansible script that configures a VLAN on a switch? (Choose two.)

1. playbook

2. task

3. cookbook

4. recipe

5. model

65 / 99

65. What are two benefits of using the PortFast feature? (Choose two)

1. . Enabled interfaces wait 50 seconds before they move to the forwarding state

2. Enabled interfaces never generate topology change notifications

3. Enabled interfaces come up and move to the forwarding state immediately

4. Enabled interfaces that move to the learning state generate switch topology change notifications

5. Enabled interfaces are automatically placed in listening state

66 / 99

66. After installing a new Cisco ISE server, which task must the engineer perform on the Cisco WLC to connect wireless clients on a specific VLAN
based on their credentials?

1. Enable the allow AAA Override

2. Enable the Authorized MIC APs against auth-list or AAA.

3. Disable the LAG Mode or Next Reboot.

4. Enable the Even: Driven RRM

67 / 99

67. What are two similarities between UTP Cat 5e and Cat 6a cabling? (Choose two.)

1. Both support runs of up to 100 meters.

2. Both support runs of up to 55 meters.

3. Both support speeds of at least 1 Gigabit

4. Both operate at a frequency of 500 MHz.

5. Both support speeds up to 10 Gigabit.

68 / 99

68. Which mode must be set for APs to communicate to a Wireless LAN Controller using the Control and Provisioning of Wireless Access Points
(CAPWAP) protocol?

1. route

2. lightweight

3. bridge

4. autonomous

69 / 99

69. What Is the path for traffic sent from one user workstation to another workstation on a separate switch In a Ihree-lter architecture model?

1. access – distribution – distribution – access

2. access -distribution – core – distribution – access

3. access – core – access

4. access – core – distribution – access

70 / 99

70. Refer to the exhibit. Which two commands, when configured on router R1, fulfill these requirements? (Choose two.)
Packets towards the entire network 2001:db8:2::/64 must be forwarded through router R2.
Packets toward host 2001:db8:23::14 preferably must be forwarded through R3.

1. Ipv6 route 2001:db8:23::14/128 fd00:13::3

2. Ipv6 route 2001:db8:23::/128 fd00:12::2

3. Ipv6 route 2001:db8:23::/64 fd00:12::2

4. Ipv6 route 2001:db8:23::14/64 fd00:12::2

5. Ipv6 route 2001:db8:23::14/64 fd00:12::2 200

71 / 99

71. What uses HTTP messages to transfer data to applications residing on different hosts?

1. OpFlex

2. REST

3. OpenFlow

4. OpenStack

72 / 99

72. Which JSON data type is an unordered set of attribute- value pairs?

1. array

2. Boolean

3. string

4. object

73 / 99

73. Which HTTP status code is returned after a successful REST API request?

1. 200

2. 301

3. 404

4. 500

74 / 99

74. Which WLC port connects to a switch to pass normal access-point traffic?

1. console

2. redundancy

3. service

4. distribution system

75 / 99

75. Which condition must be met before an NMS handles an SNMP trap from an agent?

1. The NMS must be configured on the same router as the SNMP agent

2. The NMS must receive a trap and an inform message from the SNMP agent within a configured interval

3. The NMS must receive the same trap from two different SNMP agents to verify that it is reliable.

4. The NMS software must be loaded with the MIB associated with the trap

76 / 99

76. Which access layer threat-mitigation technique provides security based on identity?

1. using a non-default native VLAN

2. DHCP snooping

3. 802.1x

4. Dynamic ARP Inspection

77 / 99

77. Which two primary drivers support the need for network automation? (Choose two.)

1. Providing a ship entry point for resource provisioning

2. Policy-derived provisioning of resources

3. Reducing hardware footprint

4. ncreasing reliance on self-diagnostic and self-healing

5. Eliminating training needs

78 / 99

78. Refer to the exhibit. Which change to the configuration on Switch allows the two switches to establish an GtherChannel?

1. Change the protocol to EtherChannel mode on.

2. Change the protocol to PAqP and use auto mode

3. Change the LACP mode to desirable

4. Change the LACP mode to active

79 / 99

79. Which communication interaction takes place when a southbound API Is used?

1. between the SON controller and services and applications on the network

2. between network applications and switches and routers on the network

3. between the SON controller and switches and routers on the network

4. between the SDN controller and PCs on the network

80 / 99

80. Which level of severity must be set to get informational syslogs?

1. debug

2. critical

3. alert

4. notice

81 / 99

81. What does an SDN controller use as a communication protocol to relay forwarding changes to a southbound API?

1. REST

2. XML

3. OpenFlow

4. Java

82 / 99

82. Where is the interface between the control plane and data plane within the softwaredefined architecture?

1. application layer and the management layer

2. application layer and the infrastructure layer

3. control layer and the infrastructure layer

4. control layer and the application layer

83 / 99

83. An engineer must configure the IPv6 address 2001:0db8:0000:0000:0700:0003:400F:572B on the serial0/0 interface of the HQ router and wants
to compress it for easier configuration. Which command must be issued on the router interface?

1. ipv6 address 2001:db8:0::700:3:4F:572B

2. ipv6 address 2001:db8::700:3:400F:572B

3. ipv6 address 2001::db8:0000::700:3:400F:572B

4. ipv6 address 2001:Odb8::7:3:4F:572B

84 / 99

84. What is the function of a controller in controller-based networking?

1. It serves as the centralized management point of an SDN architecture

2. It centralizes the data plane for the network

3. It is a pair of core routers that maintain all routing decisions for a campus

4. It is the card on a core router that maintains all routing decisions for a campus

85 / 99

85. Which technology allows for multiple operating systems to be run on a single host computer?

1. Server Virtualization

2. network port ID visualization

3. virtual device contexts

4. virtual routing and forwarding

86 / 99

86. Which network action occurs within the data plane?

1. make a configuration change from an incoming NETCONF RPC

2. reply to an incoming ICMP echo request

3. run routing protocols (OSPF, EIGRP, RIP, BGP)

4. compare the destination IP address to the IP routing table

87 / 99

87. Which networking function occurs on the data plane?

1. forwarding remote client/server traffic

2. processing inbound SSH management traffic

3. sending and receiving OSPF Hello packets

4. facilitates spanning-tree elections

88 / 99

88. When deploying syslog, which severity level logs informational message?

1. 0

2. 2

3. 4

4. 6

89 / 99

89. What causes a port to be placed in the err-disabled state?

1. shutdown command issued on the port

2. latency

3. nothing plugged into the port

4. port security violation

90 / 99

90. What describes the operation of virtual machines?

1. In a virtual machine environment, physical servers must run one operating system at a time

2. Virtual machines are the physical hardware that support a virtual environment

3. Virtual machines are responsible for managing and allocating host hardware resources

4. . Virtual machines are operating system instances that are decoupled from server hardware

91 / 99

91. An implementer is preparing hardware for virtualization to create virtual machines on a host. What is needed to provide communication between
hardware and virtual machines?

1. switch

2. straight cable

3. hypervisor

4. router

92 / 99

92. A network analyst is tasked with configured the date and time on a router using EXEC mode. The date must be set to 12:00am. Which
command should be used?

1. Clock summer-time date

2. Clock set

3. Clock summer-time-recurring

4. Clock timezone

93 / 99

93. What does physical access control regulate?

1. access 😮 computer networks and file systems

2. access to spec fie networks based on business function

3. access to servers to prevent malicious activity

4. access to networking equipment and facilities

94 / 99

94. An engineer configures interface Gi1/0 on the company PE router to connect to an ISP Neighbor discovery is disabled. Which action is
necessary to complete the configuration if the ISP uses third-party network devices?

1. Disable autonegotiation

2. Enable LLDP-MED on the ISP device

3. Disable Cisco Discovery Protocol on the interface

4. Enable LLDP globally

95 / 99

95. Which technology is appropriate for communication between an SDN controller and applications running over the network?

1. REST API

2. Southbound API

3. NETCONF

4. OpenFlow

96 / 99

96. Which two protocols are supported on service-port interfaces? (Choose two.)

1. Telnet

2. TACACS+

3. RADIUS

4. SSH

5. SCP

97 / 99

97. How does WPA3 improve security?

1. It uses SAE for authentication.

2. It uses TKIP for encryption.

3. It uses a 4-way handshake for authentication

4. It uses RC4 for encryption

98 / 99

98. Which protocol does an access point use to draw power from a connected switch?

1. Adaptive Wireless Path Protocol

2. Cisco Discovery Protocol

3. Neighbor Discovery Protocol

4. Internet Group Management Protocol

99 / 99

99. Which QoS tool is used to optimize voice traffic on a network that is primarily intended for data traffic?

1. WRED

2. FIFO

3. WFQ

4. PQ

Your score is

LinkedIn Facebook Twitter VKontakte

0 votes, 0 avg

Created by

Rabiul Islam

CCNA Question Part-6

1 / 109

1. Refer to the exhibit. An engineer assumes a configuration task from a peer Router A must establish an OSPF neighbor relationship with
neighbor 172.1.1.1 The output displays the status of the adjacency after 2 hours. What is the next step in the configuration process for the
routers to establish an adjacency?

1. Set the router B OSPF ID to the same value as its IP address

2. Configure router A to use the same MTU size as router B

3. Set the router B OSPF ID to a nonhost address.

4. Configure a point-to-point link between router A and router B.

2 / 109

2. Refer to the exhibit. An IP subnet must be configured on each router that provides enough addresses for the number of assigned hosts and
anticipates no more than 10% growth for now hosts. Which configuration script must be used?

1. R7# configure terminal interface Fa1/0 ip address 10.1.56.1 255.255.192.0 no shutdown R8# configure terminal interface Fa0/0 ip address 10.9.32.1 255.255.224.0 no shutdown R9# configure terminal interface Fa 1/1 ip address 10.23.96.1 255.255.128.0 no shutdown

2. R7# configure terminal interface Fa1/0 ip address 10.1.56.1 255.255.248.0 no shutdown R8# configure terminal interface Fa0/0 ip address 10.9.32.1 255.255.254.0 no shutdown R9# configure terminal interface Fa1/1 ip address 10.23.96.1 255.255.248.0 no shutdown

3. R7# configure terminal interface Fa 1/0 ip address 10.1.56.1 255.255.252.0 no shutdown R8# configure terminal interface Fa0/0 ip address 10.9.32.1 255.255.255.0 no shutdown R9# configure terminal interface Fa 1/1 ip address 10.23.96.1 255.255.240.0 no shutdown

4. R7# configure terminal interface Fa 1/0 ip address 10.1.56.1 255.255.240.0 no shutdown R8# configure terminal interface Fa0/0 ip address 10.9.32.1 255.255.224.0 no shutdown R9# configure terminal interface Fa1/1 ip address 10.23.96.1 255.255.192.0 no shutdown

3 / 109

3. Which Layer 2 switch function encapsulates packets for different VLANs so that the packets traverse the same port and maintain traffic
separation between the VLANs?

1. VLAN marking

2. VLAN DSCP

3. VLAN numbering

4. VLAN tagging

4 / 109

4. A Cisco engineer is configuring a factory-default router with these three passwords:
The user EXEC password for console access is p4ssw0rd1
The user EXEC password for Telnet access is s3cr3t2
The password for privileged EXEC mode is pnv4t3p4ss.

Which command sequence must the engineer configured

1. . enable secret priv4t3p4ss ! line con 0 password login p4ssword1 ! line vty 0 15 password login s3cr3t2 login

2. enable secret privilege 15 priv4t3p4ss ! line con 0 password p4ssword1 login ! line vty 0 15 password s3cr3t2 login

3. enable secret priv4t3p4ss ! line con 0

4. enable secret priv4t3p4ss ! line con 0 password p4ssword1 login ! line vty 0 15 password s3cr3t2 login

5 / 109

5. Refer to the exhibit. A static route must be configured on R14 to forward traffic for the 172 21 34 0/25 network that resides on R86 Which
command must be used to fulfill the request?

1. ip route 172.21.34.0 255.255.128.0 10.73.65.64

2. ip route 172.21.34.0 255.255.255.192 10.73.65.65

3. ip route 172.21.34.0 255.255.255.0 10.73.65.65

4. ip route 172.21.34.0 255.255.255.128 10.73.65.66

6 / 109

6. Refer to the exhibit. Between which zones do wireless users expect to experience intermittent connectivity?

1. between zones 3 and 4

2. between zones 3 and 6

3. between zones 2 and 5

4. between zones 1 and 2

7 / 109

7. Refer to the exhibit. Which network prefix was learned via EIGRP?

1. 172.16.0.0/16

2. 207.165.200.0/24

3. 192.168.2.0/24

4. 192.168.1.0/24

8 / 109

8. What is a requirement for nonoverlapping Wi-Fi channels?

1. different security settings

2. unique SSIDs

3. different transmission speeds

4. discontinuous frequency ranges

9 / 109

9. Refer to the exhibit. Web traffic is coming in from the WAN interface. Which route takes precedence when the router is processing traffic
destined for the LAN network at 10.0.10.0/24?

1. via next-hop 10.0.1.50

2. via next-hop 10.0.1.5

3. via next-hop 10.0.1.4

4. via next-hop 10.0.1.100

10 / 109

10. Refer to the exhibit. Which next-hop IP address does Routed use for packets destined to host 10.10.13.158?

1. 10.10.12.2

2. 10.10.10.5

3. 10.10.10.9

4. 10.10.11.2

11 / 109

11.

Which device permits or denies network traffic based on a set of rules?

1. firewall

2. wireless controller

3. switch

4. access point

12 / 109

12. Refer to the exhibit. What is a reason for poor performance on the network interface?

1. The interface is operating at a different speed than the connected device.

2. The interface is receiving excessive broadcast traffic.

3. The bandwidth setting of the interface is misconfigured

4. The cable connection between the two devices is faulty

13 / 109

13. Refer to the exhibit. An engineer has started to configure replacement switch SW1. To verify part of the configuration, the engineer issued the
commands as shown and noticed that the entry for PC2 is missing. Which change must be applied to SW1 so that PC1 and PC2 communicate
normally?

1. SW1(config)#interface fa0/2 SW1(config-if)#no switchport mode trunk SW1(config-if)#no switchport trunk allowed vlan 3 SW1(config-if)#switchport mode access

2. SW1(config)#interface fa0/2 SW1(config-if)#no switchport access vlan 2 SW1(config-if)#no switchport trunk allowed vlan 3 SW1(config-if)#switchport trunk allowed vlan 2

3. SW1(config)#interface fa0/1 SW1(config-if)#no switchport access vlan 2 SW1(config-if)#switchport access vlan 3 SW1(config-if)#switchport trunk allowed vlan 2

4. SW1(config)#interface fa0/1 SW1(config-if)#no switchport access vlan 2 SW1(config-if)#switchport trunk native vlan 2 SW1(config-if)#switchport trunk allowed vlan 3

14 / 109

14. Which QoS traffic handling technique retains excess packets in a queue and reschedules these packets for later transmission when the
configured maximum bandwidth has been surpassed?

1. traffic policing

2. traffic shaping

3. weighted random early detection

4. traffic prioritization

15 / 109

15. Refer to the exhibit. Packets received by the router from BGP enter via a serial interface at 209 165 201 1 Each route is present within the
routing table Which interface is used to forward traffic with a destination IP of 10.1.1.19?

1. F0/4

2. F0/3

3. F0/1

4. F0/0

16 / 109

16. Which interface mode must be configured to connect the lightweight APs in a centralized architecture?

1. access

2. trunk

3. WLAN dynamic

4. management

17 / 109

17. Refer to the exhibit. All VLANs are present in the VLAN database. Which command sequence must be applied to complete the configuration?

1. Interface FastEthernet0/1 switchport trunk allowed vlan add 10 vlan 10 private-vlan isolated

2. interface FastEthernet0/1 switchport mode access switchport voice vlan 10

3. Interface FastEthernet0/1 switchport trunk native vlan 10 switchport trunk allowed vlan 10,15

4. Interface FastEthernet0/1 switchport mode trunk switchport trunk allowed vlan 10,15

18 / 109

18. Refer to the exhibit. An engineer is configuring an EtherChannel using LACP between Switches 1 and 2. Which configuration must be applied so
that only Switch 1 sends LACP initiation packets?

1. Switch1(config-if)#channel-group 1 mode on Switch2(config-if)#channel-group 1 mode active

2. Switch1{config-if)#channel-group 1 mode active Switch2(config-if)#channel-group 1 mode passive

3. Switch1(config-if)#channel-group 1 mode passive Switch2(config-if)#channel-group 1 mode active

4. Switch 1 (config-if)#channel-group 1 mode on Swrtch2(config-if)#channel-group 1 mode passive

19 / 109

19. Refer to the exhibit. A network engineer must update the configuration on Switch2 so that it sends LLDP packets every minute and the
information sent via LLDP is refreshed every 3 minutes Which configuration must the engineer apply?

1. Switch2(config)#lldp timer 60 Switch2(config)#lldp holdtime 180

2. Switch2(config)#lldp timer 1 Switch2(config)#lldp tlv-select 3

3. Switch2(config)#lldp timer 60 Switch2(config)#lldp tlv-select 180

4. Switch2(config)#lldp timer 1 Switch2(config)#lldp holdtime 3

20 / 109

20. Which virtual MAC address is used by VRRP group 1?

1. 0000.5E00.0101

2. 0007.c061.bc01

3. 0050.0c05.ad81

4. 0500.3976.6401

21 / 109

21. A network engineer is Installing an IPv6-only capable device. The client has requested that the device IP address be reachable only from the
internal network. Which type of IPv6 address must the engineer assign?

1. unique local address

2. aggregatable global address

3. IPv4-compatible IPv6 address

4. link-local address

22 / 109

22. What is an expected outcome when network management automation is deployed?

1. Custom applications are needed to configure network devices

2. Software upgrades are performed from a central controller

3. Complexity increases when new device configurations are added

4. A distributed management plane must be used

23 / 109

23. How are the switches in a spine-and-leaf topology interconnected?

1. Each leaf switch is connected to one of the spine switches

2. Each leaf switch is connected to a central leaf switch, then uplinked to a core spine switch.

3. Each leaf switch is connected to each spine switch

4. Each leaf switch is connected to two spine switches, making a loop

24 / 109

24. Refer to the exhibit. Users need to connect to the wireless network with IEEE 802. 11r-compatible devices. The connection must be maintained
as users travel between floors or to other areas in the building. What must be the configuration of the connection?

1. Select the WPA Policy option with the CCKM option.

2. Enable Fast Transition and select the FT PSK option

3. Disable AES encryption

4. Enable Fast Transition and select the FT 802.1x option

25 / 109

25. What is a function of an endpoint on a network?

1. provides wireless services to users in a building

2. connects server and client devices to a network

3. forwards traffic between VLANs on a network

4. allows users to record data and transmit to a tile server

26 / 109

26. A network engineer must implement an IPv6 configuration on the vlan 2000 interface to create a routable locally-unique unicast address that is
blocked from being advertised to the internet. Which configuration must the engineer apply?

1. interface vlan 2000 Ipv6 address fc00:0000:aaaa:a15d:1234:2343:8aca/64

2. interface vlan 2000 ipv6 address ffc0:0000:aaaa::1234:2343/64

3. interface vlan 2000 ipv6 address fd00::1234:2343/64

4. interface vlan 2000 ipv6 address fe80;0000:aaaa::1234:2343/64

27 / 109

27. Refer to the exhibit. Which route must be configured on R1 so that OSPF routing is used when OSPF is up. but the server is still reachable
when OSPF goes down?

1. ip route 10.1.1.0 255.255.255.0 gi0/1 125

2. ip route 10.1.1.10 255.255.255.255 gi0/0 125

3. ip route 10.1.1.10 255.255.255.255 172.16.2.2 100

4. ip route 10.1.1.0 255.255.255.0 172.16.2.2 100

28 / 109

28. An engineer is installing a new wireless printer with a static IP address on the Wi-Fi network. Which feature must be enabled and configured to
prevent connection issues with the printer?

1. static IP tunneling

2. client exclusion

3. DHCP address assignment

4. passive client

29 / 109

29. Refer to the exhibit. Which two commands must be added to update the configuration of router R1 so that it accepts only encrypted
connections? (Choose two)

1. crypto key generate rsa 1024

2. line vty 0 4

3. ip ssh version 2

4. transport input ssh

5. username CNAC secret R!41!4319115@

30 / 109

30. Refer to the exhibit. The following must be considered:
SW1 is fully configured for all traffic
The SW4 and SW9 links to SW1 have been configured
The SW4 interface Gi0/1 and Gi0/0 on SW9 have been configured

The remaining switches have had all VLANs added to their VLAN database.

Which configuration establishes a successful ping from PC2 to PC7 without interruption to traffic flow between other PCs?

1. Option B

2. Option A

31 / 109

31. Which type of IPv6 address is similar to a unicast address but is assigned to multiple devices on the same network at the same time?

1. link-local address

2. multicast address

3. anycast address

4. global unicast address

32 / 109

32. A network engineer must configure two new subnets using the address block 10 70 128 0/19 to meet these requirements:
The first subnet must support 24 hosts
The second subnet must support 472 hosts
Both subnets must use the longest subnet mask possible from the address block.
Which two configurations must be used to configure the new subnets and meet a requirement to use the first available address in each subnetfor the router interfaces? (Choose two)

1. interface vlan 1148 ip address 10.70.148.1 255.255.254.0

2. interface vlan 1234 ip address 10.70.159.1 255.255.254.0

3. interface vlan 3002 ip address 10.70.147.17 255.255.255.224

4. interface vlan 4722 ip address 10.70.133.17 255.255.255.192

5. interface vlan 155 ip address 10.70.155.65 255.255.255.224

33 / 109

33. OSPF must be configured between routers R1 and R2. Which OSPF configuration must be applied to router R1 to avoid a DR/BDR election?

1. router ospf 1 network 192.168.1.1 0.0.0.0 area 0 hello interval 15 interface e1/1 Ip address 192.168.1.1 255.255.255.252

2. router ospf 1 network 192.168.1.1 0.0.0.0 area 0 interface e1/1 ip address 192.168.1.1 255.255.255.252 ip ospf cost 0

3. router ospf 1 network 192.168.1.1 0.0.0.0 area 0 interface e1/1 ip address 192.168.1.1 255.255.255.252 ip ospf network point-to-point

4. router ospf 1 network 192.168.1.1 0.0.0.0 area 0 interface e1/1 ip address 192.168.1.1 255.255.255.252 ip ospf network broadcast

34 / 109

34. Which QoS per-hop behavior changes the value of the ToS field in the IPv4 packet header?

1. policing

2. classification

3. shaping

4. marking

35 / 109

35. Refer to the exhibit. An engineer built a new L2 LACP EtherChannel between SW1 and SW2 and executed these show commands to verify the
work. Which additional task allows the two switches to establish an LACP port channel?

1. Change the channel-group mode on SW2 to auto

2. Configure the interface port-channel 1 command on both switches.

3. Change the channel-group mode on SW1 to desirable.

4. Change the channel-group mode on SW1 to active or passive.

36 / 109

36. A network administrator is setting up a new IPv6 network using the 64-bit address 2001 0EB8 00C1 2200:0001 0000 0000 0331/64 To simplify
the configuration the administrator has decided to compress the address Which IP address must the administrator configure?

1. ipv6 address 2001:EB8:C1:22:1::331/64

2. ipv6 address 21:EB8:C1:2200:1::331/64

3. ipv6 address 2001 :EB8:C 1:2200.1 ::331-64

4. ipv6 address 2001:EB8:C1:2200:1:0000:331/64

37 / 109

37. Refer to the exhibit. What must be configured to enable 802.11w on the WLAN?

1. Set Fast Transition to Enabled

2. Enable WPA Policy.

3. Enable MAC Filtering.

4. Set PMF to Required

38 / 109

38. Refer to the exhibit. Router R1 resides in OSPF Area 0. After updating the R1 configuration to influence the paths that it will use to direct traffic,
an engineer verified that each of the four Gigabit interfaces has the same route to 10.10.0.0/16. Which interface will R1 choose to send traffic to
reach the route?

1. GigabitEthernet0/0

2. GigabitEthernet0/3

3. GigabltEthornet0/1

4. GigabitEthernet0/2

39 / 109

39. Which PoE mode enables powered-device detection and guarantees power when the device is detected?

1. static

2. dynamic

3. auto

4. active

40 / 109

40. A Cisco engineer must configure a single switch interface to meet these requirements
accept untagged frames and place them in VLAN 20
accept tagged frames in VLAN 30 when CDP detects a Cisco IP phone
Which command set must the engineer apply?

1. switchport mode access switchport access vlan 20 switchport voice vlan 30

2. switchport mode dynamic desirable switchport access vlan 20 switchport trunk allowed vlan 30 switchport voice vlan 30

3. switchport mode trunk switchport access vlan 20 switchport voice vlan 30

4. switchport mode dynamic auto switchport trunk native vlan 20 switchport trunk allowed vlan 30 switchport voice vlan 30

41 / 109

41. Refer to the exhibit. Site A was recently connected to site B over a new single-mode fiber path. Users at site A report Intermittent connectivity
Issues with applications hosted at site B. What is the reason for the problem?

1. The wrong cable type was used to make the connection.

2. physical network errors are being transmitted between the two sites

3. Heavy usage is causing high latency

4. An incorrect type of transceiver has been inserted into a device on the link

42 / 109

42. Refer to the exhibit. Which configuration enables DHCP addressing for hosts connected to interface FastEthernet0/1 on router R4?

1. interface FastEthernetO/0 ip helper-address 10.0.1.1 ! access-list 100 permit host 10.0.1.1 host 10.148.2.1 eq bootps

2. interface FastEthernot0/1 ip helper-address 10.0.1.1 ! access-list 100 permit tcp host 10.0.1.1 eq 67 host 10.148.2.1

3. interface FastEthernet0/1 ip helper-address 10.0.1.1 ! access-list 100 permit udp host 10.0.1.1 eq bootps host 10.148.2.1

4. interface FastEthernet0/0 ip helper-address 10.0.1.1 ! access-list 100 permit udp host 10.0.1.1 eq bootps host 10.148.2.1

43 / 109

43. What is a function of a Next-Generation IPS?

1. correlates user activity with network events

2. makes forwarding decisions based on learned MAC addresses

3. integrates with a RADIUS server to enforce Layer 2 device authentication rules

4. serves as a controller within a controller-based network

44 / 109

44. Refer to the exhibit. Which command must be issued lo enable a floating static default route on router A?

1. ip route 0.0.0.0 0.0.0.0 192.168.1.2

2. ip default-gateway 192.168.2.1

3. ip route 0.0.0.0 0.0.0.0 192.168.1.2 10

4. ip route 0.0.0.0 0.0.0.0 192.168.2.1 10

45 / 109

45. What is the purpose of the ip address hcp command?

1. to configure an Interface as a DHCP server

2. to configure an interface as a DHCP relay

3. to configure an interface as a DHCP helper

4. to configure an interface as a DHCP client

46 / 109

46. What is a capability of FTP in network management operations?

1. devices are directly connected and use UDP to pass file information

2. encrypts data before sending between data resources

3. offers proprietary support at the session layer when transferring data

4. uses separate control and data connections to move files between server and client

47 / 109

47. An engineer is configuring remote access to a router from IP subnet 10.139.58.0/28. The domain name, crypto keys, and SSH have been
configured. Which configuration enables the traffic on the destination router?

1. Option A

2. Option B

3. Option D

4. Option C

48 / 109

48. Refer to the exhibit. Router R1 currently is configured to use R3 as the primary route to the Internet, and the route uses the default
administrative distance settings. A network engineer must configure R1 so that it uses R2 as a backup, but only if R3 goes down. Which
command must the engineer configure on R1 so that it correctly uses R2 as a backup route, without changing the administrative distance
configuration on the link to R3?

1. ip route 0,0.0.0 0.0.0.0 g0/1 6

2. ip route 0.0.0.0 0.0.0.0 209.165.200.226 1

3. ip route 0.0.0.0 0.0.0.0 209.165.201.5 10

4. ip route 0.0.0.0 0.0.0.0 g0/1 1

49 / 109

49. Refer to the exhibit. An engineer is configuring a new router on the network and applied this configuration. Which additional configuration allows
the PC to obtain its IP address from a DHCP server?

1. Configure the ip address dhcp command under interface Gi0/0

2. Configure the ip dhcp smart-relay command globally on the router

3. Configure the ip helper-address 172.16.2.2 command under interface Gi0/0

4. Configure the ip dhcp relay information command under interface Gi0/1

50 / 109

50. Refer to the exhibit. The DHCP server and clients are connected to the same switch. What is the next step to complete the DHCP configuration
to allow clients on VLAN 1 to receive addresses from the DHCP server?

1. Configure the ip dhcp relay information option command on the interface that is connected to the DHCP client.

2. Configure the ip dhcp snooping trust command on the interlace that is connected to the DHCP client.

3. Configure the Ip dhcp relay information option command on the interface that is connected to the DHCP server.

4. Configure the ip dhcp snooping trust command on the interface that is connected to the DHCP server.

51 / 109

51. Refer to the exhibit. A network engineer is in the process of establishing IP connectivity between two sites. Routers R1 and R2 are partially
configured with IP addressing. Both routers have the ability to access devices on their respective LANs. Which command set configures the IP
connectivity between devices located on both LANs in each site?

1. Option B

2. Option A

3. Option C

4. Option D

52 / 109

52. In software-defined architecture, which place handles switching for traffic through a Cisco router?

1. Data

2. application

3. Control

4. Management

53 / 109

53. Refer to the exhibit. Which configuration allows routers R14 and R86 to form an OSPFv2 adjacency while acting as a central point for exchanging OSPF

information between routers?

1. Option A

2. Option B

3. Option C

4. Option D

54 / 109

54. What is a requirement when configuring or removing LAG on a WLC?

1. The management interface must be reassigned if LAG disabled

2. The Incoming and outgoing ports for traffic flow must be specified If LAG Is enabled.

3. The controller must be rebooted after enabling or reconfiguring LAG

4. Multiple untagged interfaces on the same port must be supported.

55 / 109

55. What is a similarly between 1000BASE-LX and 1000BASE-T standards?

1. Both support up to 550 meters between nodes

2. Both cable types support LP connectors

3. Both cable types support Rj-45 connectors

4. Both use the same data-link header and trailer formats

56 / 109

56. Refer to the exhibit. Which two commands must be configured on router R1 to enable the router to accept secure remote-access connections?
(Choose two)

1. ip ssh pubkey-chain

2. login console

3. transport input telnet

4. username cisco password 0 Cisco

5. crypto key generate rsa

57 / 109

57. Refer to the exhibit. An engineer is configuring the HO router. Which IPv6 address configuration must be applied to the router fa0’1 interface for
the router to assign a unique 64-brt IPv6 address to Itself?

1. ipv6 address 2001:DB8:0:1:C601:42FE:800F:7/64

2. ipv6 address 2001:DB8:0:1:C601:42FF:FE0F:7/64

3. ipv6 address 2001 :DB8:0:1:FE80:C601:420F:7/64

4. ipv6 address 2001 :DB8:0:1:FFFF:C601:420F:7/64

58 / 109

58. Which two network actions occur within the data plane? (Choose two.)

1. Run routing protocols

2. Reply to an incoming ICMP echo request

3. Add or remove an 802.1Q trunking header

4. Match the destination MAC address to the MAC address table.

5. Make a configuration change from an incoming NETCONF RPC

59 / 109

59. Which protocol is used for secure remote CLI access?

1. HTTP

2. SSH

3. Telnet

4. HTTPS

60 / 109

60. What is the function of the controller in a software-defined network?

1. forwarding packets

2. multicast replication at the hardware level

3. making routing decisions

4. fragmenting and reassembling packets

61 / 109

61. Refer to the exhibit. Traffic that is flowing over interface TenGigabitEthernet0/0 experiences slow transfer speeds. What is the reason for the
issue?

1. a duplex incompatibility

2. queuing drops

3. heavy traffic congestion

4. a speed conflict

62 / 109

62. Refer to the exhibit. The entire MAC address table for SW1 is shown here:
SW1#show mac-address-table
Mac Address Table
Vlan Mac Address Type Ports
000c.8590.bb7d DYNAMIC Fa0/1
010a.7a17.45bc DYNAMIC FaO/3
7aa7.4037.8935 DYNAMIC FaO/4
SW1#

What does SW1 do when Br-4 sends a frame to Br-2?

1. It floods the frame out of all ports except on the port where Br-2 is connected.

2. It inserts the source MAC address and port into the forwarding table and forwards the frame to Br-2.

3. It performs a lookup in the MAC address table for Br-4 and discards the frame due to a missing entry.

4. It maps the Layer 2 MAC address for FaO/3 to the Layer 3 IP address and forwards the frame.

63 / 109

63. Which action is taken by the data plane within a network device?

1. provides CLI access to the network device

2. constructs a routing table based on a routing protocol

3. forwards traffic to the next hop

4. looks up an egress interface in the forwarding information base

64 / 109

64. A network engineer is configuring a switch so that it is remotely reachable via SSH. The engineer has already configured the host name on the
router. Which additional command must the engineer configure before entering the command to generate the RSA key?

1. ip ssh authentication-retries 2

2. ip domain-name domain

3. crypto key generate rsa modulus 1024

4. password password

65 / 109

65. Refer to the exhibit. Which action must be taken to ensure that router A is elected as the DR for OSPF area 0?

1. Configure the router A interfaces with the highest OSPF priority value within the area

2. Configure the OSPF priority on router A with the lowest value between the three routers

3. Configure router B and router C as OSPF neighbors of router A

4. Configure router A with a fixed OSPF router ID

66 / 109

66. What is a function of a Layer 3 switch?

1. transmit broadcast traffic when operating in Layer 3 mode exclusively

2. move frames between endpoints limited to IP addresses

3. forward Ethernet frames between VLANs using only MAC addresses

4. flood broadcast traffic within a VLAN

67 / 109

67. Refer to the exhibit. Which IPv6 configuration is required for R17 to successfully ping the WAN interface on R18?

1. Option A

2. Option B

3. Option D

4. Option C

68 / 109

68. Refer to the exhibit. Traffic sourced from the loopback0 Interface is trying to connect via ssh to the host at 10.0.1.15. What Is the next hop to the
destination address?

1. 192.168.0.40

2. 192.168.0.4

3. 192.168.0.7

4. 192.168.3.5

69 / 109

69. What is the purpose of an SSID?

1. It provides network security

2. It identities an individual access point on a WLAN

3. It identifies a WLAN

4. It differentiates traffic entering access posits

70 / 109

70. Which action implements physical access control as part of the security program of an organization?

1. backing up syslogs at a remote location

2. configuring enable passwords on network devices

3. setting up IP cameras to monitor key infrastructure

4. configuring a password for the console port

71 / 109

71. Refer to the exhibit. Which route must be configured on R1 so that OSPF routing is used when OSPF is up. but the server is still reachable
when OSPF goes down?

1. ip route 10.1.1.0 255.255.255.0 172.16.2.2 100

2. ip route 10.1.1.10 255.255.255.255 172.16.2.2 100

3. ip route 10.1.1.0 255.255.255.0 gi0/1 125

4. ip route 10.1.1.10 255.255.255.255 gi0/0 125

72 / 109

72. Refer to the exhibit. Which minimum configuration items are needed to enable Secure Shell version 2 access to R15?

1. . Router(config)#ip domain-name cisco.com Router(config)#crypto key generate rsa general-keys modulus 1024 Router(config)#ip ssh version 2 Router(config-line)#line vty 0 15 Router(config-line)#transport input all Router(config)#ip ssh logging events

2. Router(config)#hostname R15 R15(config)#ip domain-name cisco.com R15(config)#crypto key generate rsa general-keys modulus 1024 R15(config)#ip ssh version 2 R15(config-line)#line vty 0 15 R15(config-line)#transport input ssh

3. Router(config)#hostname R15 R15(config)#crypto key generate rsa general-keys modulus 1024 R15(config-line #line vty 0 15 R15(config-line)#transport input ssh R15(config)#ip ssh source-interface Fa0/0 R15(config)#ip ssh stricthostkeycheck

4. Router(config)#crypto key generate rsa general-keys modulus 1024 Router(config)#ip ssh version 2 Router(config-line #line vty 0 15 Router(config-line)#transport input ssh Router(config)#ip ssh logging events R15(config)#ip ssh stricthostkeycheck

73 / 109

73. An engineer is configuring router R1 with an IPv6 static route for prefix 2019:C15C:0CAF:E001::/64. The next hop must be
2019:C15C:0CAF:E002::1 The route must be reachable via the R1 Gigabit 0/0 interface. Which command configures the designated route?

1. R1(config)#ip route 2019:C15C:0CAF:E001::/64 GigabitEthernet0/0

2. R1(config-if)#ip route 2019:C15C:0CAF:E001::/64 GigabitEthernet0/0

3. R1(config-if)#ipv6 route 2019:C15C:0CAF:E001::/64 2019:C15C:0CAF:E002::1

4. R1(config)#ipv6 route 2019:C15C:0CAF:E001::/64 2019:C15C:0CAF:E002::1

74 / 109

74. Which protocol uses the SSL?

1. SSH

2. HTTP

3. Telnet

4. HTTPS

75 / 109

75. Refer to the exhibit. The router has been configured with a supernet to accommodate the requirement for 380 users on a subnet The
requirement already considers 30% future growth. Which configuration verifies the IP subnet on router R4?

1. Subnet: 10.7.54.0 Subnet mask: 255.255 254.0 Broadcast address: 10.7.54.255 Usable IP address range: 10.7.54.1 – 10.7.55.254

2. Subnet: 10.7.54.0 Subnet mask: 255.255.255.0 Broadcast address: 10.7.54.255 Usable IP address range: 10.7.54.1 – 10.7.55.254

3. Subnet: 10.7.54.0 Subnet mask: 255.255.128.0 Broadcast address: 10.7.55.255 Usable IP address range: 10.7.54.1 – 10.7.55.254

4. Subnet: 10.7.54.0 Subnet mask: 255.255.254.0 Broadcast address: 10.7.55.255 Usable IP address range: 10.7.54.1 – 10.7.55.254

76 / 109

76. R1 as an NTP server must have:
NTP authentication enabled
NTP packets sourced from Interface loopback 0
NTP stratum 2

NTP packets only permitted to client IP 209.165.200.225
How should R1 be configured?

1. ntp authenticate ntp authentication-key 2 md5 CISCO123 ntp source Loopback0 nntp access-group server-only 10 ntp master 2 ! access-list 10 permit 209.165.200.225

2. ntp authenticate ntp authentication-key 2 md5 CISCO123 ntp interface Loopback0 ntp access-groud server-only 10

3. ntp authenticate ntp authentication-key 2 sha1 CISCO123 ntp source Loopback0 ntp access-group server-only 10 ntp master 2 ! access-list 10 permit udp host 209.165.200.225 any eq 123

4. ntp authenticate ntp authentication-key 2 md5 CISCO123 ntp source Loopback0 ntp access-group server-only 10 ntp stratum 2 ! access-list 10 permit udp host 209.165.200.225 any eq 123

77 / 109

77. Refer to the exhibit. Host A sent a data frame destined for host D What does the switch do when it receives the frame from host A?

1. It shuts down the port Fa0/1 and places it in err-disable mode

2. It experiences a broadcast storm

3. It drops the frame from the switch CAM table

4. It floods the frame out of all ports except port Fa0/1

78 / 109

78. Refer to the exhibit. R1 learns all routes via OSPF Which command configures a backup static route on R1 to reach the 192.168.20.0/24
network via R3?

1. R1(config)#ip route 192.168.20.0 255.255.255.0 192.168.30.2 111

2. R1(config)#ip route 192.168.20.0 255.255.0.0 192.168.30.2

3. R1(config)#ip route 192.168.20.0 255.255.255.0 192.168.30.2 90

4. R1(config)#ip route 192.168.20.0 255.255.255.0 192.168.30.2

79 / 109

79. Refer to the exhibit. How should the configuration be updated to allow PC1 and PC2 access to the Internet?

1. . Change the ip nat inside source command to use interface GigabitEthernet0/0

2. Add either the ip nat {inside|outside} command under both interfaces.

3. Modify the configured number of the second access list

4. Remove the overload keyword from the ip nat inside source command.

80 / 109

80. Which wireless security protocol relies on Perfect Forward Secrecy?

1. WEP

2. WPA

3. WPA2

4. WPA3

81 / 109

81. Which two components comprise part of a PKI? (Choose two.)

1. preshared key that authenticates connections

2. clear-text password that authenticates connections

3. RSA token

4. CA that grants certificates

5. one or more CRLs

82 / 109

82. Which two spanning-tree states are bypassed on an interface running PortFast? (Choose two.)

1. forwarding

2. listening

3. disabled

4. learning

5. blocking

83 / 109

83. Which value is the unique identifier that an access point uses to establish and maintain wireless connectivity to wireless network devices?

1. VLANID

2. RFID

3. SSID

4. WLANID

84 / 109

84. What are two characteristics of a public cloud Implementation? (Choose two.)

1. It provides services that are accessed over the Internet.

2. It Is a data center on the public Internet that maintains cloud services for only one company.

3. It enables an organization to fully customize how It deploys network resources.

4. It is owned and maintained by one party, but it is shared among multiple organizations.

5. It supports network resources from a centralized third-party provider and privately-owned virtual resources

85 / 109

85. Refer to the exhibit. Which command configures OSPF on the point-to-point link between routers R1 and R2?

1. router-id 10.0.0.15

2. neighbor 10.1.2.0 cost 180

3. network 10.0.0.0 0.0.0.3 area 0

4. ipospf priority 100

86 / 109

86. Which WLC management connection type is vulnerable to man-in-the-middle attacks?

1. Telnet

2. HTTPS

3. console

4. SSH

87 / 109

87. Refer to the exhibit. An engineer is asked to insert the new VLAN into the existing trunk without modifying anything previously configured. Which
command accomplishes this task?

1. switchport trunk allowed vlan all

2. switchport trunk allowed vlan add 104

3. switchport trunk allowed vlan 100-104

4. switchport trunk allowed vlan 104

88 / 109

88. An engineer must configure R1 for a new user account. The account must meet these requirements:
It must be configured in the local database.
The username is engineer.
It must use the strongest password configurable.

Which command must the engineer configure on the router?

1. R1(config)# username englneer2 secret 4 S1Sb1Ju$kZbBS1Pyh4QzwXyZ

2. R1 (config)# username engineer2 algorithm-type scrypt secret test2021

3. R1(config)# username engineer2 secret 5 .password S1$b1Ju$kZbBS1Pyh4QzwXyZ

4. R1(config)# username engineer2 privilege 1 password 7 test2021

89 / 109

89. Which type of network attack overwhelms the target server by sending multiple packets to a port until the half-open TCP resources of the target
are exhausted?

1. reflection

2. teardrop

3. SYN flood

4. amplification

90 / 109

90. How does Rapid PVST+ create a fast loop-free network topology?

1. It uses multiple active paths between end stations.

2. lt requires multiple links between core switches

3. It generates one spanning-tree instance for each VLAN

4. It maps multiple VLANs into the same spanning-tree instance

91 / 109

91. Refer to the exhibit. Which switch becomes the root of a spanning tree for VLAN 20 if all li links are of equal speed?

1. SW4 = 64000 0041.454d.407f

2. SW2 = 28692 004a.14e5.4077

3. SW3 = 32788 0022.55cf.dd00

4. SW1 = 24596 0018.184e.3c00

92 / 109

92. Which type of traffic Is sent with pure iPsec?

1. unicast messages from a host at a remote site lo a server at headquarters

2. broadcast packets from a switch that is attempting to locate a MAC address at one of several remote sites

3. multicast traffic from a server at one site to hosts at another location

4. spanning-tree updates between switches that are at two different sites

93 / 109

93. Which characteristic differentiates the concept of authentication from authorization and accounting?

1. user-activity logging

2. consumption-based billing

3. service limitations

4. identity verification

94 / 109

94. Which type of API allows SDN controllers to dynamically make changes to the network?

1. northbound API

2. southbound API

3. SOAP API

4. REST API

95 / 109

95. Which configuration must be used?

1. R5(config)#int Gi0/1 R5(config-if)#no cdp run R5(config-if)#exit R5(config)#lldp run R5(config)#cdp enable R5#sh cdp neighbor R5#sh lldp neighbor

2. R5(config)#int Gi0/1 R5(config-if)#no cdp enable R5(config-if)#exit R5(config)#no lldp run R5(config)#cdp run R5#sh cdp neighbor R5#sh lldp neighbor

3. R5(config)#int Gi0/1 R5(config-if)#no cdp enable R5(config-if)#exit R5(config)#lldp run R5(config)#no cdp run R5#sh cdp neighbor detail R5#sh lldp neighbor

4. R5(config)#int Gi0/1 R5(config-if)#no cdp enable R5(config-if)#exit R5(config)#no lldp run R5(config)#cdp run R5#sh cdp neighbor detail R5#sh lldp neighbor

96 / 109

96. Refer to the exhibit. Which plan must be Implemented to ensure optimal QoS marking practices on this network?

1. Trust the IP phone markings on SW1 and mark traffic entering SW2 at SW2.

2. Remark traffic as it traverses R1 and trust all markings at the access layer

3. As traffic enters from the access layer on SW1 and SW2. trust all traffic markings

4. . As traffic traverses MS1 remark the traffic, but trust all markings at the access layer

97 / 109

97. Refer to the exhibit. Routers R1 and R3 have the default configuration The router R2 priority is set to 99 Which commands on R3 configure it as
the DR in the 10.0 4.0/24 network?

1. R3(config)#interface Gig0/0 R3(config-if)i=ip ospf priority 1

2. . R3(config)#interface Gig0/1 R3(config-if)#ip ospf priority 100

3. R3(config)#interface Gig0/1 R3(config-if)#ip ospf priority 0

4. R3(config)#interface Gig0/0 R3(config-if)#ip ospf priority 100

98 / 109

98. Refer to the exhibit. A company is configuring a failover plan and must implement the default routes in such a way that a floating static route will
assume traffic forwarding when the primary link goes down. Which primary route configuration must be used?

1. ip route 0.0.0.0 0.0.0.0 192.168.0.2 GigabitEthernetl/0

2. ip route 0.0.0.0 0.0.0.0 192.168.0.2 floating

3. ip route 0.0.0.0 0.0.0.0 192.168.0.2 tracked

4. ip route 0.0.0.0 0.0.0.0 192.168.0.2

99 / 109

99. Refer to the exhibit. An engineer is updating the R1 configuration to connect a new server to the management network. The PCs on the
management network must be blocked from pinging the default gateway of the new server. Which command must be configured on R1 to
complete the task?

1. R1(config)#ip route 172.16.2.2 255.255.255.248 gi0/1

2. R1(conflg)#ip route 172.16.2.0 255.255.255.0 192.168.1.15

3. R1(conflg)#ip route 172.16.2.0 255.255.255.0 192.168.1.5

4. R1(config)#ip route 172.16.2.2 255.255.255.255 gi0/0

100 / 109

100. Refer to the exhibit. Packets received by the router from BGP enter via a serial interface at 209.165.201.10. Each route is present within the
routing table. Which interface is used to forward traffic with a destination IP of 10.10.10.24?

1. F0/10

2. F0/11

3. F0/13

4. F0/12

101 / 109

101. What is a function of Opportunistic Wireless Encryption in an environment?

1. provide authentication

2. offer compression

3. protect traffic on open networks

4. increase security by using a WEP connection

102 / 109

102. Which field within the access-request packet is encrypted by RADIUS?

1. authenticator

2. authorized services

3. username

4. password

103 / 109

103. Refer to the exhibit. Switch A is newly configured. All VLANs are present in the VLAN database. The IP phone and PC A on Gi0/1 must be
configured for the appropriate VLANs to establish connectivity between the PCs. Which command set fulfills the requirement?

1. SwitchA(config-if)#switchport mode access SwitchA(config-if)#switchport access vlan 50 SwitchA(config-if)#switchport voice vlan untagged

2. SwitchA(config-if)#switchport mode trunk SwitchA(config-if)#switchport trunk allowed vlan 50, 51 SwitchA(config-if)#mls qos trust cos

3. SwitchA(config-if)#switchport mode trunk SwitchA(config-if)#switchport trunk allowed vlan add 50, 51 SwitchA(config-if)#switchport voice vlan dot1p

4. SwitchA(config-if)#switchport mode access SwitchA(config-if)#switchport access vian 50 SwitchA(config-if)#switchport voice vlan 51

104 / 109

104. Which type of organization should use a collapsed-core architecture?

1. large and must minimize downtime when hardware fails

2. large and requires a flexible, scalable network design

3. small but is expected to grow dramatically in the near future

4. small and needs to reduce networking costs currently

105 / 109

105. Refer to the exhibit. Users on existing VLAN 100 can reach sites on the Internet. Which action must the administrator take to establish
connectivity to the Internet for users in VLAN 200?

1. Define a NAT pool on the router.

2. Update the NAT_INSIDE_RANGES ACL

3. Configure static NAT translations for VLAN 200

4. Configure the ip nat outside command on another interface for VLAN 200

106 / 109

106. What is the difference between IPv6 unicast and anycast addressing?

1. IPv6 unicast nodes must be explicitly configured to recognize the unicast address, but IPv6 anycast nodes require no special configuration

2. . An individual IPv6 unicast address is supported on a single interface on one node but an IPv6 anycast address is assigned to a group of interfaces on multiple nodes.

3. IPv6 anycast nodes must be explicitly configured to recognize the anycast address, but IPv6 unicast nodes require no special configuration

4. Unlike an IPv6 anycast address, an IPv6 unicast address is assigned to a group of interfaces on multiple nodes

107 / 109

107. Refer to the exhibit. Which two configurations must the engineer apply on this network so that R1 becomes the DR? (Choose two.)

1. R1(config)#interface fastethernet 0/0 R1(config-if)#ip ospf priority 0

2. R1(config)#router ospf 1 R1(config-router)#router-id 192.168.100.1

3. R3(config)#interface fastethernet 0/0 R3(config-if)#ip ospf priority 200

4. R1(config)#interface fastethernet 0/0 R1(config-if)#ip ospf priority 200

5. R3(config)#interface fastethernet 0/0 R3(config-if)#ip ospf priority 0

108 / 109

108. What is one reason to implement LAG on a Cisco WLC?

1. to enable connected switch ports to failover and use different VLANs

2. to allow for stateful and link-state failover

3. to increase security and encrypt management frames

4. to provide link redundancy and load balancing

109 / 109

109. Refer to the exhibit. The link between PC1 and the switch is up. but it is performing poorly. Which interface condition is causing the performance
problem?

1. There is a speed mismatch on the interface

2. There is a duplex mismatch on the interface

3. There is an issue with the fiber on the switch interface.

4. There is an interface type mismatch

Your score is

LinkedIn Facebook Twitter VKontakte