CCNA 9TUT - New Questions Part 5 6 and 7

The document contains a series of questions and answers related to networking concepts, including Quality of Service (QoS) tools, Simple Network Management Protocol (SNMP) commands, security programs, and various networking protocols. It covers topics such as VLAN configuration, DHCP services, and spanning tree protocol (STP) behavior. Each question is followed by an explanation of the correct answer, providing insights into network management and configuration best practices.

Uploaded by

Mladen
Copyright
© © All Rights Reserved

CCNAv7 (2020) – New Questions Part 5

Question 1 - Answer: B D

Which two QoS tools are used to guarantee minimum bandwidth to certain traffic?
(Choose two)

A. FIFO
B. CBWFQ
C. LLC
D. WFQ
E. RSVP

Explanation

First-in, first-out (FIFO): FIFO entails no concept of priority or classes of traffic. With FIFO,
transmission of packets out the interface occurs in the order the packets arrive, which means no
QoS.

Weighted fair queueing (WFQ): offers dynamic, fair queuing that divides bandwidth across
queues of traffic based on weights. In standard WFQ, packets are classified into flows according to
one of four criteria: the source Internet Protocol address (IP address), the destination IP address,
the source Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) port, or the
destination TCP or UDP port.

Class-based weighted fair queueing (CBWFQ) extends the standard WFQ functionality to
provide support for user-defined traffic classes. For CBWFQ, you define traffic classes based on
match criteria including protocols, access control lists (ACLs), and input interfaces. Packets
satisfying the match criteria for a class constitute the traffic for that class. A queue is reserved for
each class, and traffic belonging to a class is directed to the queue for that class.
Once a class has been defined according to its match criteria, you can assign it characteristics. To
characterize a class, you assign it bandwidth, weight, and maximum packet limit. The bandwidth
assigned to a class is the guaranteed bandwidth delivered to the class during congestion.

The Resource Reservation Protocol (RSVP) allows applications to reserve bandwidth
for their data flows. It is used by a host, on behalf of an application data flow, to request a
specific amount of bandwidth from the network. RSVP is also used by the routers to forward
bandwidth reservation requests.

Question 2

Drag and drop the SNMP manager and agent identifier commands from the left onto the
functions on the right.

Answer:
+ show snmp group: displays the SNMP security model in use
+ show snmp community: displays the SNMP access string
+ show snmp chassis: displays the SNMP server serial number
+ show snmp engineID: displays the IP address of the remote SNMP device
+ show snmp host: displays information about the SNMP recipient

Explanation:

The command “show snmp group” displays the names of groups on the router and the security
model, the status of the different views, and the storage type of each group. Below is an example
of this command.

The “show snmp engineID” displays the identification of the local SNMP engine and all remote
engines that have been configured on the router. The following example specifies
00000009020000000C025808 as the local engineID and 123456789ABCDEF000000000 as the
remote engine ID, 171.69.37.61 as the IP address of the remote engine (copy of SNMP) and 162 as
the port from which the remote device is connected to the local device:

Router# show snmp engineID
Local SNMP engineID: 00000009020000000C025808
Remote Engine ID          IP-addr       Port
123456789ABCDEF000000000  171.69.37.61  162

The “show snmp community” command displays the SNMP community strings configured on the
switch.

switch# show snmp community
Community  Group / Access  context  acl_filter
---------  --------------  -------  ----------
public     network-admin
switch#

The “show snmp host” command displays details such as IP address of the Network Management
System (NMS), notification type, SNMP version, and the port number of the NMS. The following is
sample output from the show snmp host command.

Router# show snmp host
Notification host: 10.2.28.6 udp-port: 162 type: inform
user: public security model: v2c
traps: 00001000.00000000.00000000

The “show snmp chassis” command displays the SNMP server serial number. The output is
self-explanatory.

Router# show snmp chassis
01506199

Question 3 - Answer: C

Which type of security program is violated when a group of employees enters a building
using the ID badge of only one person?

A. intrusion detection
B. user awareness
C. physical access control
D. network authorization

Question 4 - Answer: D

A network administrator needs to aggregate 4 ports into a single logical link which
must negotiate layer 2 connectivity to ports on another switch. What must be
configured when using active mode on both sides of the connection?

A. 802.1q trunks
B. Cisco vPC
C. LLDP
D. LACP

Question 5 - Answer: A

In which situation is private IPv4 addressing appropriate for a new subnet on the
network of an organization?

A. There is limited unique address space, and traffic on the new subnet will stay local within the
organization.
B. The network has multiple endpoint listeners, and it is desired to limit the number of broadcasts.
C. Traffic on the subnet must traverse a site-to-site VPN to an outside organization.
D. The ISP requires the new subnet to be advertised to the internet for web services.

Question 6 - Answer: C D

Aside from discarding, which two states does the switch port transition through while
using RSTP (802.1w)? (Choose two)

A. listening
B. blocking
C. forwarding
D. learning
E. speaking

Explanation: There are only three port states left in RSTP that correspond to the three possible
operational states. The 802.1D blocking and listening states are merged into the 802.1w
discarding state.

* Discarding – the port does not forward frames, process received frames, or learn MAC addresses
– but it does listen for BPDUs (like the STP blocking state)
* Learning – receives and transmits BPDUs and learns MAC addresses but does not yet forward
frames (same as STP).
* Forwarding – receives and sends data, normal operation, learns MAC address, receives and
transmits BPDUs (same as STP).

STP State (802.1d)    RSTP State (802.1w)
Blocking              Discarding
Listening             Discarding
Learning              Learning
Forwarding            Forwarding

Although the learning state is also used in RSTP, it only takes place for a short time
compared to STP. RSTP converges with all ports in either the forwarding state or the discarding state.

Question 7 - Answer: C

What is a role of wireless controllers in an enterprise network?

A. serve as the first line of defense in an enterprise network
B. support standalone or controller-based architectures
C. centralize the management of access points in an enterprise network
D. provide secure user logins to devices on the network

Question 8 - Answer: D

How do servers connect to the network in a virtual environment?

A. wireless to an access point that is physically connected to the network
B. a cable connected to a physical switch on the network
C. a virtual switch that links to an access point that is physically connected to the network
D. a software switch on a hypervisor that is physically connected to the network

Question 9 - Answer: A

Which CRUD operation corresponds to the HTTP GET method?

A. read
B. update
C. create
D. delete

Explanation: CRUD is short for the CREATE, READ, UPDATE and DELETE operations. A “GET” request is
used to get a resource from a server. If you perform a “GET” request, the server looks for the data
you requested and sends it back to you. In other words, a “GET” request performs a “READ”
operation.

Question 10 - Answer: D

With REST API, which standard HTTP header tells a server which media type is expected
by the client?

A. Accept-Encoding: gzip, deflate
B. Accept-Patch: text/example; charset=utf-8
C. Content-Type: application/json; charset=utf-8
D. Accept: application/json

Question 11 - Answer: A

Which device tracks the state of active connections in order to make a decision to
forward a packet through?

A. firewall
B. wireless access point
C. router
D. wireless LAN controller

Explanation: Stateful inspection firewalls keep track of connection status. Ports can be
dynamically opened and closed if necessary for completing a transaction. For example, when you
make a connection to a server using HTTP, the server will initiate a new connection back to your
system on a random port. A stateful inspection firewall will automatically open a port for this return
connection.

Question 12 - Answer: D

Which device controls the forwarding of authentication requests for users when
connecting to the network using a lightweight access point?

A. TACACS server
B. wireless access point
C. RADIUS server
D. wireless LAN controller

Question 13 - Answer: A

Refer to the exhibit. A network administrator has been tasked with securing VTY access
to a router. Which access-list entry accomplishes this task?

A. access-list 101 permit tcp 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255 eq ssh
B. access-list 101 permit tcp 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255 eq scp
C. access-list 101 permit tcp 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255 eq telnet
D. access-list 101 permit tcp 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255 eq https

Explanation: In order to secure VTY access to a router, we can allow only SSH to access the
device.

Question 14 - Answer: A

A network administrator must enable DHCP services between two sites. What must be
configured for the router to pass DHCPDISCOVER messages on to the server?

A. a DHCP Relay Agent
B. DHCP Binding
C. a DHCP Pool
D. DHCP Snooping

Explanation: If the DHCP Server is not on the same subnet as the DHCP Client, we need to
configure the router on the DHCP client side to act as a DHCP Relay Agent so that it can forward
DHCP messages between the DHCP Client & DHCP Server. To make a router a DHCP Relay Agent,
simply put the “ip helper-address <IP-address-of-DHCP-Server>” command under the interface
that receives the DHCP messages from the DHCP Client.

As we know, a router does not forward broadcast packets (it drops them instead), so DHCP messages
like the DHCPDISCOVER message will be dropped. But with the “ip helper-address …” command, the
router will accept that broadcast message, convert it into a unicast packet and forward it to the
DHCP Server. The destination IP address of the unicast packet is taken from the “ip helper-address
…” command.

Question 15 - Answer: B

Refer to the exhibit. PC1 is trying to ping PC3 for the first time and sends out an ARP to
S1. Which action is taken by S1?

A. It forwards it out G0/3 only
B. It is flooded out every port except G0/0
C. It drops the frame
D. It forwards it out interface G0/2 only

Question 16 - Answer: D

Refer to the exhibit. What is the result if Gig1/11 receives an STP BPDU?

switch(config)#interface gigabitEthernet 1/11
switch(config-if)#switchport mode access
switch(config-if)#spanning-tree portfast
switch(config-if)#spanning-tree bpduguard enable

A. The port transitions to STP blocking
B. The port transitions to the root port
C. The port immediately transitions to STP forwarding
D. The port goes into error-disable state

Explanation: The BPDU Guard feature allows STP to shut down an access port when it receives a
BPDU and put that port into the err-disabled state.

Question 17 - Answer: B

An engineer must configure traffic for a VLAN that is untagged by the switch as it
crosses a trunk link. Which command should be used?

A. switchport trunk allowed vlan 10
B. switchport trunk native vlan 10
C. switchport mode trunk
D. switchport trunk encapsulation dot1q

Question 18 - Answer: A

What is the maximum bandwidth of a T1 point-to-point connection?

A. 1.544 Mbps
B. 2.048 Mbps
C. 34.368 Mbps
D. 43.7 Mbps

Explanation: The speeds of these links are shown below:

+ T1: 1.544 Mbps
+ 10BaseT: 10 Mbps
+ 100BaseT (often referred to as FastEthernet): 100 Mbps

Question 19 - Answer: A

How does a Cisco Unified Wireless network respond to Wi-Fi channel overlap?

A. It alternates automatically between 2.4 GHz and 5 GHz on adjacent access points
B. It allows the administrator to assign channels on a per-device or per-interface basis.
C. It segregates devices from different manufacturers onto different channels.
D. It analyzes client load and background noise and dynamically assigns a channel.

Question 20 - Answer: D

What does a switch use to build its MAC address table?

A. VTP
B. DTP
C. egress traffic
D. ingress traffic

Explanation: The MAC addresses in the CAM table are the source MAC addresses only. Therefore
the switch only learns MAC addresses from ingress traffic.

Question 21 - Answer: B

Which network plane is centralized and manages routing decisions?

A. policy plane
B. control plane
C. management plane
D. data plane

Question 22 - Answer: D

What does a router do when configured with the default DNS lookup settings, and a URL
is entered on the CLI?

A. initiates a ping request to the URL
B. prompts the user to specify the desired IP address
C. continuously attempts to resolve the URL until the command is cancelled
D. sends a broadcast message in an attempt to resolve the URL

Explanation: With default DNS lookup settings, the router will send a broadcast message to
resolve a URL. Consider the following example:

R1#test
Translating "test"...domain server (255.255.255.255)
% Unknown command or computer name, or unable to find computer address

In the output above we typed an unrecognized command “test”. The router entered the DNS
resolution process which lasted about a minute.

Question 23 - Answer: B

Refer to the exhibit.

Switch 1
VLAN 110 – 32778 0018.184e.3c00
Switch 2
VLAN 110 – 24586 001a.e3ff.a680
Switch 3
VLAN 110 – 28682 0022.55cf.cc00
Switch 4
VLAN 110 – 64000 0e38.7363.657f

Which switch becomes the root of the spanning tree for VLAN 110?

A. Switch 1
B. Switch 2
C. Switch 3
D. Switch 4

Explanation: The switch with the lowest Bridge Priority would become the root bridge for that VLAN.
In this case Switch 2 has the lowest Bridge Priority of 24586 so it will become the root bridge.

Question 24 - Answer: C

Refer to the exhibit.

An administrator must configure interfaces Gi1/1 and Gi1/3 on switch SW11. PC-1 and
PC-2 must be placed in the Data VLAN and Phone-1 must be placed in the Voice VLAN.
Which configuration meets these requirements?

Option A
interface gigabitethernet1/1
switchport mode access
switchport access vlan 8
!
interface gigabitethernet1/3
switchport mode access
switchport voice vlan 8
switchport access vlan 9

Option B
interface gigabitethernet1/1
switchport mode access
switchport access vlan 9
!
interface gigabitethernet1/3
switchport mode trunk
switchport voice vlan 8
switchport access vlan 9

Option C
interface gigabitethernet1/1
switchport mode access
switchport access vlan 8
!
interface gigabitethernet1/3
switchport mode access
switchport access vlan 8
switchport voice vlan 9

Option D
interface gigabitethernet1/1
switchport mode access
switchport access vlan 8
!
interface gigabitethernet1/3
switchport mode trunk
switchport voice vlan 8
switchport access vlan 9

A. Option A
B. Option B
C. Option C
D. Option D

Explanation: According to the exhibit above, we have to configure VLAN 8 as access vlan and
VLAN 9 as voice vlan.

The voice VLAN feature enables access ports to carry IP voice traffic from an IP phone. You can
configure a voice VLAN with the “switchport voice vlan …” command under interface mode. The
full configuration is shown below:

Switch(config)#interface fastethernet0/1
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 10
Switch(config-if)#switchport voice vlan 20

Reference: http://www.cisco.com/c/en/us/support/docs/switches/catalyst-4500-series-switches/69632-configuring-cat-ip-phone.html

Note: When you connect an IP phone to a switch using a trunk link, it can cause high CPU utilization
in the switches. As all the VLANs for a particular interface are trunked to the phone, it increases the
number of STP instances the switch has to manage. This increases the CPU utilization. Trunking
also causes unnecessary broadcast / multicast / unknown unicast traffic to hit the phone link.

In order to avoid this, remove the trunk configuration and keep the voice and access VLAN
configured along with Quality of Service (QoS). Technically, it is still a trunk, but it is called a
Multi-VLAN Access Port (MVAP). Because voice and data traffic can travel through the same
port, you should specify a different VLAN for each type of traffic. You can configure a switch port to
forward voice and data traffic on different VLANs. Configure IP phone ports with a voice VLAN
configuration. This configuration creates a pseudo trunk, but does not require you to manually
prune the unnecessary VLANs.

Question 25 - Answer: D

Refer to the exhibit.

Which configuration must be applied to the router that configures PAT to translate all
addresses in VLAN 200 while allowing devices on VLAN 100 to use their own IP
addresses?

Option A
Router1(config)#access-list 99 permit 209.165.201.2 0.0.0.0
Router1(config)#ip nat inside source list 99 interface gi1/0/0 overload
Router1(config)#interface gi2/0/1.200
Router1(config)#ip nat inside
Router1(config)#interface gi1/0/0
Router1(config)#ip nat outside

Option B
Router1(config)#access-list 99 permit 209.165.201.2 255.255.255.255
Router1(config)#ip nat inside source list 99 interface gi1/0/0 overload
Router1(config)#interface gi2/0/1.200
Router1(config)#ip nat inside
Router1(config)#interface gi1/0/0
Router1(config)#ip nat outside

Option C
Router1(config)#access-list 99 permit 192.168.100.0 0.0.0.255
Router1(config)#ip nat inside source list 99 interface gi1/0/0 overload
Router1(config)#interface gi2/0/1.200
Router1(config)#ip nat inside
Router1(config)#interface gi1/0/0
Router1(config)#ip nat outside

Option D
Router1(config)#access-list 99 permit 192.168.100.32 0.0.0.31
Router1(config)#ip nat inside source list 99 interface gi1/0/0 overload
Router1(config)#interface gi2/0/1.200
Router1(config)#ip nat inside
Router1(config)#interface gi1/0/0
Router1(config)#ip nat outside

A. Option A
B. Option B
C. Option C
D. Option D

Question 26 - Answer: A

How does a switch process a frame received on Fa0/1 with the destination MAC address
of 0e38.7363.657b when the table is missing the address?

A. It floods the frame to all interfaces except Fa0/1.
B. It forwards the frame back out of interface Fa0/1.
C. It drops the frame immediately.
D. It holds the frame until the MAC address timer expires and then drops the frame.

Question 27 - Answer: B

What is a benefit of VRRP?

A. It provides traffic load balancing to destinations that are more than two hops from the source.
B. It provides the default gateway redundancy on a LAN using two or more routers.
C. It allows neighbors to share routing table information between each other.
D. It prevents loops in a Layer 2 LAN by forwarding all traffic to a root bridge, which then makes
the final forwarding decision.

Question 28 - Answer: D

Which protocol does an IPv4 host use to obtain a dynamically assigned IP address?

A. ARP
B. DNS
C. CDP
D. DHCP

Question 29 - Answer: A

Refer to the exhibit.

Option A
ip access-list standard 99
permit 10.100.100.0 0.0.0.255
deny 192.168.0.0 0.0.255.255

Option B
ip access-list standard 99
permit 10.100.100.0 0.0.0.255
deny 192.168.0.0 0.255.255.255

Option C
ip access-list standard 100
permit 10.100.100.0 0.0.0.255
deny 192.168.0.0 0.255.255.255

Option D
ip access-list standard 199
permit 10.100.100.0 0.0.0.255
deny 192.168.0.0 0.0.255.255

An access list is required to permit traffic from any host on interface G0/0 and deny
traffic from interface Gi0/1. Which access list must be applied?

A. Option A
B. Option B
C. Option C
D. Option D

Explanation: Standard access lists are numbered from 1 to 99 and from 1300 to 1999, so only
Option A & B are correct. The subnet on interface Gi0/1 is 192.168.0.0/16 so we have to use the
ACL statement “deny 192.168.0.0 0.0.255.255”.

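
Added example (not part of the original document): the Python sketch below applies the reasoning in this explanation to the four options, checking each list number against the standard ranges and expanding each deny wildcard into the network it really covers. The function names and the OPTIONS table are illustrative; the ACL lines are copied from the question.

```python
import ipaddress

# Standard numbered ACL ranges as stated in the explanation above.
STANDARD_RANGES = ((1, 99), (1300, 1999))

# The four candidate ACLs, copied from the question.
OPTIONS = {
    "A": """ip access-list standard 99
permit 10.100.100.0 0.0.0.255
deny 192.168.0.0 0.0.255.255""",
    "B": """ip access-list standard 99
permit 10.100.100.0 0.0.0.255
deny 192.168.0.0 0.255.255.255""",
    "C": """ip access-list standard 100
permit 10.100.100.0 0.0.0.255
deny 192.168.0.0 0.255.255.255""",
    "D": """ip access-list standard 199
permit 10.100.100.0 0.0.0.255
deny 192.168.0.0 0.0.255.255""",
}


def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def parse_acl(text):
    """Return (list number, [(action, base, wildcard), ...])."""
    lines = [line.strip() for line in text.splitlines() if line.strip()]
    number = int(lines[0].split()[-1])
    entries = [tuple(line.split()) for line in lines[1:]]
    return number, entries


def is_standard_number(number):
    return any(low <= number <= high for low, high in STANDARD_RANGES)


def matches(src, base, wildcard):
    """Wildcard bit 0 = must match, wildcard bit 1 = ignored."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(src) & care) == (to_int(base) & care)


def covered_network(base, wildcard):
    """CIDR block covered by a contiguous wildcard, or None if non-contiguous."""
    w = to_int(wildcard)
    if w & (w + 1):
        return None
    return ipaddress.ip_network(f"{base}/{32 - w.bit_length()}", strict=False)


def first_match(entries, src):
    """Top-down evaluation; (action, entry index) or the implicit deny."""
    for index, (action, base, wildcard) in enumerate(entries):
        if matches(src, base, wildcard):
            return action, index
    return "deny", None


def review(option):
    """Summarise one option: list number, range check, networks it denies."""
    number, entries = parse_acl(OPTIONS[option])
    denied = [covered_network(b, w) for a, b, w in entries if a == "deny"]
    return {"number": number,
            "standard": is_standard_number(number),
            "denied": [str(net) for net in denied]}


if __name__ == "__main__":
    for name in OPTIONS:
        print(name, review(name))
```

The deny entry in Options B and C expands to 192.0.0.0/8, far wider than the 192.168.0.0/16 subnet the explanation names, which is the kind of over-broad match worth checking before an ACL is applied.
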
Question 30 - Answer: C

Which condition must be met before an NMS handles an SNMP trap from an agent?

A. The NMS must be configured on the same router as the SNMP agent
B. The NMS must receive a trap and an inform message from the SNMP agent within a configured
interval
C. The NMS software must be loaded with the MIB associated with the trap
D. The NMS must receive the same trap from two different SNMP agents to verify that it is reliable

=============== New Questions (added on 30th-Jan-2021)===============

Question 31 - Answer: B

What is a characteristic of a SOHO network?

A. connects each switch to every other switch in the network
B. enables multiple users to share a single broadband connection
C. provides high throughput access for 1000 or more users
D. includes at least three tiers of devices to provide load balancing and redundancy

Explanation: SOHO is the abbreviation for Small Office/Home Office network.

These days, many budding entrepreneurs and small business owners prefer to work from home or
to maintain only a small office. Budding entrepreneurs and small business owners need a small
network and access to the Internet for their daily work. A SOHO network is a solution for this type of
network requirement. A SOHO network is meant for use in small businesses. In most cases, SOHO
networks are configured for privately owned businesses or individuals who are self-employed.
SOHO networks are small LANs (Local Area Networks). Typically, SOHO networks consist of fewer
than 10 computers. Network service servers like DNS servers, email servers, web servers etc. are
typically configured outside the SOHO network.

Question 32 - Answer: D

Which resource is able to be shared among virtual machines deployed on the same
physical server?

A. applications
B. operating system
C. VM configuration file
D. disk

Question 33 - Answer: A

Which implementation provides the strongest encryption combination for the wireless
environment?

A. WPA2 + AES
B. WPA + AES
C. WEP
D. WPA + TKIP

Explanation: AES is a more secure encryption protocol introduced with WPA2 and it is currently
the strongest encryption type for WPA2-PSK.

Question 34 – Answer: D

Refer to the exhibit.

After running the code in the exhibit, which step reduces the amount of data that the
NETCONF server returns to the NETCONF client, to only the interface’s configuration?

A. Use the xml library to parse the data returned by the NETCONF server for the interface’s
configuration.
B. Create an XML filter as a string and pass it to get_config() method as an argument.
C. Create a JSON filter as a string and pass it to the get_config() method as an argument.
D. Use the JSON library to parse the data returned by the NETCONF server for the interface’s
configuration.

Explanation

In the exhibit above, we are getting the running config of the device; then we can use the JSON library
to filter the data later.

=============== New Questions (added on 5th-Feb-2021) ===============

Question 35 - Answer: A D

What are two functions of an SDN controller? (Choose two)

A. coordinating VTNs
B. Layer 2 forwarding
C. tracking hosts
D. managing the topology
E. protecting against DDoS attacks

Explanation

Software-defined networking (SDN) and network function virtualization (NFV) have emerged as the
most promising candidates for improving network function and protocol programmability and
dynamic adjustment of network resources. On the one hand, SDN is responsible for providing an
abstraction of network resources through well-defined application programming interfaces. This
abstraction enables SDN to perform network virtualization, that is, to slice the physical
infrastructure and create multiple coexisting application-specific virtual tenant networks (VTNs)
with specific quality-of-service and service-level agreement requirements, independent of the
underlying optical transport technology and network protocols.

Reference: https://ieeexplore.ieee.org/abstract/document/7331131

Question 36 - Answer: D

If a switch port receives a new frame while it is actively transmitting a previous frame,
how does it process the frames?

A. The previous frame is delivered, the new frame is dropped, and a retransmission request is sent.
B. The new frame is delivered first, the previous frame is dropped, and a retransmission request is
sent.
C. The two frames are processed and delivered at the same time.
D. The new frame is placed in a queue for transmission after the previous frame.

Explanation

Each port in the switch has the ability to hold frames in memory, before transmitting them onto the
Ethernet cable connected to the port. For example, if the port is already busy transmitting when a
frame arrives for transmission, then the frame can be held for the short time it takes for the port to
complete transmitting the previous frame.

Reference: https://www.oreilly.com/library/view/ethernet-switches/9781449367299/ch01.html

Question 37 - Answer: C

Which WAN topology provides a combination of simplicity, quality, and availability?

A. partial mesh
B. full mesh
C. point-to-point
D. hub-and-spoke

Explanation

Advantages/Disadvantages of Leased Lines

Advantages

Simplicity: Point-to-point communication links require minimal expertise to install and maintain.

Quality: Point-to-point communication links usually offer high service quality, if they have adequate
bandwidth. The dedicated capacity removes latency or jitter between the endpoints.

Availability: Constant availability is essential for some applications, such as e-commerce.
Point-to-point communication links provide permanent, dedicated capacity, which is required for VoIP or
Video over IP.

Disadvantages

Cost: Point-to-point links are generally the most expensive type of WAN access. The cost of
leased-line solutions can become significant when they are used to connect many sites over increasing
distances. In addition, each endpoint requires an interface on the router, which increases
equipment costs.

Limited flexibility: WAN traffic is often variable, and leased lines have a fixed capacity, so the
bandwidth of the line seldom matches the need exactly. Any change to the leased line generally
requires a site visit by ISP personnel to adjust capacity.

Reference: https://www.ciscopress.com/articles/article.asp?p=2832405&seqNum=5

Question 38 - Answer: B

Refer to the exhibit.

The ntp server 192.168.0.3 command has been configured on Router1 to make it an NTP
client of router 2. Which command must be configured on Router2 so that it operates in
server-only mode and relies only on its internal clock?

A. Router2(config)#ntp passive
B. Router2(config)#ntp master 4
C. Router2(config)#ntp server 172.17.0.1
D. Router2(config)#ntp server 192.168.0.2

Explanation

An Authoritative NTP Server can distribute time even when it is not synchronized to an existing
time server. To configure a Cisco device as an Authoritative NTP Server, use the ntp
master [stratum] command.

Question 39 - Answer: C

Refer to the exhibit.

A network engineer must configure communication between PC A and the File Server.
To prevent interruption for any other communications, which command must be
configured?

A. Switch trunk allowed vlan 12
B. Switchport trunk allowed vlan none
C. Switchport trunk allowed vlan add 13
D. Switchport trunk allowed vlan remove 10-11

Explanation: Switch A does not allow VLAN 13 to go through so we must add VLAN 13 to the
allowed list of interface Gi0/1 of SwitchA by the command “switchport trunk allowed vlan add 13”.

Question 40 - Answer: A

Why does a switch flood a frame to all ports?

A. The destination MAC address of the frame is unknown
B. The source MAC address of the frame is unknown
C. The source and destination MAC addresses of the frame are the same
D. The frame has zero destination MAC addresses

Explanation

If the destination MAC address is not in the CAM table (that is, unknown unicast), the switch sends
the frame out all other ports that are in the same VLAN as the received frame. This is
called flooding. It does not flood the frame out the same port on which the frame was received.

Question 41 - Answer: A

When DHCP is configured on a router, which command must be entered so the default
gateway is automatically distributed?

A. default-router
B. default-gateway
C. ip helper-address
D. dns-server

Explanation

The following example shows how to configure a DHCP Server on a Cisco router:

Configuration / Description

Router(config)#ip dhcp pool CLIENTS
    Create a DHCP Pool named CLIENTS

Router(dhcp-config)#network 10.1.1.0 /24
    Specifies the subnet and mask of the DHCP address pool

Router(dhcp-config)#default-router 10.1.1.1
    Set the default gateway of the DHCP Clients

Router(dhcp-config)#dns-server 10.1.1.1
    Configure a Domain Name Server (DNS)

Router(dhcp-config)#domain-name 9tut.com
    Configure a domain-name

Router(dhcp-config)#lease 0 12
    Duration of the lease (the time during which a client computer can use an
    assigned IP address). The syntax is “lease {days[hours] [minutes] | infinite}”.
    In this case the lease is 12 hours. The default is a one-day lease.
    Before the lease expires, the client typically needs to renew its address
    lease assignment with the server

Router(dhcp-config)#exit

Router(config)# ip dhcp excluded-address 10.1.1.1 10.1.1.10
    The IP range that a DHCP Server should not assign to DHCP Clients. Notice this
    command is configured under global configuration mode

Question 42 - Answer: D

What is a network appliance that checks the state of a packet to determine whether the
packet is legitimate?

A. Layer 2 switch
B. LAN controller
C. load balancer
D. firewall

Question 43 - Answer: A

How is the native VLAN secured in a network?

A. separate from other VLANs within the administrative domain
B. give it a value in the private VLAN range
C. assign it as VLAN 1
D. configure it as a different VLAN ID on each end of the link

Explanation

If we assign the native VLAN to a private VLAN, it will not be able to communicate with other devices
-> Answer B is not correct.

VLAN 1 is the native VLAN by default -> Answer C is not correct.

The native VLAN number must match between the two ends; otherwise the “native VLAN mismatch”
error will occur -> We cannot configure a different VLAN ID on each end -> Answer D is not correct.

We should assign the native VLAN to an unused VLAN on our network so that no one can access it.
This also mitigates the VLAN hopping attack (this attack is used on the native VLAN).
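
Added example (not part of the original document): a small Python audit that applies the advice above to a switch configuration, flagging trunks whose native VLAN is still the default VLAN 1 or is also used as an access or voice VLAN on some port. The sample configuration is constructed for illustration, and the function names and finding labels are hypothetical.

```python
import re

# Constructed sample switch configuration (not taken from the page's exhibits).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode trunk
!
interface GigabitEthernet0/2
 switchport mode trunk
 switchport trunk native vlan 10
!
interface GigabitEthernet0/3
 switchport mode trunk
 switchport trunk native vlan 999
!
interface GigabitEthernet0/10
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
!
"""

PATTERNS = {
    "mode": re.compile(r"switchport mode (access|trunk)$"),
    "native": re.compile(r"switchport trunk native vlan (\d+)$"),
    "access": re.compile(r"switchport access vlan (\d+)$"),
    "voice": re.compile(r"switchport voice vlan (\d+)$"),
}


def parse_interfaces(config):
    """Return {interface: {"mode", "native", "access", "voice"}} from IOS-style text."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            # Defaults: native VLAN 1 on trunks, access VLAN 1 on access ports.
            current = {"mode": None, "native": 1, "access": 1, "voice": None}
            interfaces[line.split()[1]] = current
        elif not raw.startswith(" "):
            current = None  # "!" or any global command ends the interface block
        elif current is not None:
            for key, pattern in PATTERNS.items():
                found = pattern.match(line)
                if found:
                    value = found.group(1)
                    current[key] = value if key == "mode" else int(value)
    return interfaces


def audit_native_vlans(config):
    """Return [(trunk interface, native VLAN, finding)] for weak native VLAN choices."""
    interfaces = parse_interfaces(config)

    # VLANs that carry user traffic: access and voice VLANs of access ports.
    in_use = set()
    for cfg in interfaces.values():
        if cfg["mode"] == "access":
            in_use.add(cfg["access"])
            if cfg["voice"] is not None:
                in_use.add(cfg["voice"])

    findings = []
    for name, cfg in interfaces.items():
        if cfg["mode"] != "trunk":
            continue
        if cfg["native"] == 1:
            findings.append((name, 1, "default-vlan-1"))
        elif cfg["native"] in in_use:
            findings.append((name, cfg["native"], "vlan-in-use"))
    return findings


if __name__ == "__main__":
    for interface, vlan, finding in audit_native_vlans(SAMPLE_CONFIG):
        print(f"{interface}: native VLAN {vlan} -> {finding}")
```

Only GigabitEthernet0/3, whose native VLAN 999 is not assigned to any port, passes; the same native VLAN still has to be configured on the other end of each trunk to avoid the mismatch error described above.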

Question 44 - Answer: A

Which command on a port enters the forwarding state immediately when a PC is
connected to it?

A. switch(config)#spanning-tree portfast default
B. switch(config)#spanning-tree portfast bpduguard default
C. switch(config-if)#spanning-tree portfast trunk
D. switch(config-if)#no spanning-tree portfast

Explanation

Although this question asks “which command on a port”, it gives two answers in global
configuration mode, so it is a bit unclear. We believe the correct answer should be
“spanning-tree portfast default”, which enables PortFast on all non-trunking interfaces.

Note: The command “spanning-tree portfast trunk” enables portfast on a trunk port. The trunk
port enters the STP forwarding-state immediately or upon a linkup event, thus bypassing the
listening and learning states.

=============== New Questions (added on 8th-Feb-2021) ===============

Question 45 - Answer: D

What is the purpose of a southbound API in a control based networking architecture?

A. facilitates communication between the controller and the applications
B. integrates a controller with other automation and orchestration tools
C. allows application developers to interact with the network
D. facilitates communication between the controller and the networking hardware

Question 46 - Answer: B

Which switch technology establishes a network connection immediately when it is
plugged in?

A. UplinkFast
B. PortFast
C. BPDU guard
D. BackboneFast

Explanation

Portfast is often configured on switch ports that connect to hosts. Interfaces with Portfast enabled
will go to forwarding state immediately without passing the listening and learning state. Therefore
it can save about 30 to 45 seconds to transition through these states.

UplinkFast is a Cisco specific feature that improves the convergence time of the Spanning-Tree
Protocol (STP) in the event of the failure of an uplink.

Question 47 - Answer: D

What causes a port to be placed in the err-disabled state?

A. latency
B. nothing plugged into the port
C. shutdown command issued on the port
D. port security violation

Explanation: When port security is violated, the port can be put into the err-disabled state.

Question 48 - Answer: D

Which technology is appropriate for communication between an SDN controller and
applications running over the network?

A. OpenFlow
B. Southbound API
C. NETCONF
D. REST API

Explanation: Software-defined northbound application program interfaces (SDN northbound APIs)
are usually SDN RESTful APIs used to communicate between the SDN Controller and the services
and applications running over the network.

Note: OpenFlow and NETCONF are Southbound APIs used for most SDN implementations.

============== New Questions (added on 14th-Feb-2021) ==============

Question 49 - Answer: A

Which security program element involves installing badge readers on data-center doors
to allow workers to enter and exit based on their job roles?

A. physical access control
B. biometrics
C. role-based access control
D. multifactor authentication

Explanation: A badge reader is a small, inexpensive reader connected to the USB port of any PC,
which can read the information encoded on a badge (barcode, microchip or RFID, magnetic stripe)
and restore it on any computer software. An example of a badge reader is shown below:

The purpose of access control is to grant entrance to a building or office only to those who are
authorized to be there.

This paragraph is quoted from Cisco 200-301 Official Cert Guide:

Physical access control: Infrastructure locations, such as network closets and data centers, should
remain securely locked. Badge access to sensitive locations is a scalable solution, offering an audit
trail of identities and timestamps when access is granted. Administrators can control access on a
granular basis and quickly remove access when an employee is dismissed.

Question 50 - Answer: A

What is a characteristic of private IPv4 addressing?

A. used without tracking or registration
B. issued by IANA in conjunction with an autonomous system number
C. traverse the Internet when an outbound ACL is applied
D. composed of up to 65,536 available addresses

Explanation: The class A private range alone (10.0.0.0 – 10.255.255.255) includes 16,777,216
addresses, so answer D is not correct.

Question 51 - Answer: A

Which network action occurs within the data plane?

A. compare the destination IP address to the IP routing table
B. make a configuration change from an incoming NETCONF RPC
C. run routing protocols (OSPF, EIGRP, RIP, BGP)
D. reply to an incoming ICMP echo request

Explanation
The following list details some of the more common actions that a networking device does that fit
into the data plane:
+ De-encapsulating and re-encapsulating a packet in a data-link frame (routers, Layer 3 switches)
+ Adding or removing an 802.1Q trunking header (routers and switches)
+ Matching an Ethernet frame’s destination Media Access Control (MAC) address to the MAC
address table (Layer 2 switches)
+ Matching an IP packet’s destination IP address to the IP routing table (routers, Layer 3 switches)
+ Encrypting the data and adding a new IP header (for virtual private network [VPN] processing)
+ Changing the source or destination IP address (for Network Address Translation [NAT]
processing)
+ Discarding a message due to a filter (access control lists [ACLs], port security)

Reference: https://www.ciscopress.com/articles/article.asp?p=2995354&seqNum=2

CCNAv7 (2020) – New Questions Part 6

Question 1 - Answer: A E

What are two improvements provided by automation for network management in an
SDN environment? (Choose two)

A. Artificial intelligence identifies and prevents potential design failures
B. Data collection and analysis tools establish a baseline for the network
C. New devices are onboarded with minimal effort
D. Machine learning minimizes the overall error rate when automating troubleshooting processes
E. Proprietary Cisco APIs leverage multiple network management tools

Question 2 - Answer: B

A network administrator must configure SSH for remote access to router R1. The
requirement is to use a public and private key pair to encrypt management traffic to
and from the connecting client. Which configuration, when applied, meets the
requirements?

A.
R1#enable
R1#configure terminal
R1(config)#ip domain-name cisco.com
R1(config)#crypto key generate ec keysize 1024
B.
R1#enable
R1#configure terminal
R1(config)#ip domain-name cisco.com
R1(config)#crypto key generate rsa modulus 1024
C.
R1#enable
R1#configure terminal
R1(config)#ip domain-name cisco.com
R1(config)#crypto key generate ec keysize 2048
D.
R1#enable
R1#configure terminal
R1(config)#ip domain-name cisco.com
R1(config)#crypto key encrypt rsa name myKey

A. Option A
B. Option B
C. Option C
D. Option D

Explanation

Both RSA and elliptic curve cryptography (ECC) are asymmetric encryption, so both satisfy the
requirement of this question (to use a public and private key pair). Asymmetric encryption
differs from symmetric encryption in that two associated keys are needed to send data in a
single direction. One of these keys is known as the private key, while the other is called the
public key.

To generate an Elliptic Curve (EC) key pair, use the crypto key generate ec keysize command in
global configuration mode.
crypto key generate ec keysize {256 | 384} [exportable] [label key-label]

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/a1/sec-a1-cr-book/sec-cr-c4.html

-> EC only supports 256 or 384 bit key size -> Answer A and answer C are not correct.

The command “crypto key generate rsa modulus 1024” generates a 1024-bit RSA key pair. Although
a key pair of 1024 bits or smaller should not be used, it is the only correct answer in this
question.

Note: The command “crypto key encrypt rsa name …” is used to encrypt the RSA key.

Question 3 - Answer: A

An engineer observes high usage on the 2.4GHz channels and lower usage on the 5GHz
channels. What must be configured to allow clients to preferentially use 5GHz access
points?

A. Client Band Select
B. OEAP Split Tunnel
C. 11ac MU-MIMO
D. Re-Anchor Roamed Clients

Explanation: Band selection works by regulating probe responses to clients and it can be enabled
on a per-WLAN basis. It makes 5-GHz channels more attractive to clients by delaying probe
responses to clients on 2.4-GHz channels.

Reference: https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-3/config-guide/b_cg83/b_cg83_chapter_011100.html

Question 4 - Answer: C

When a WLAN with WPA2 PSK is configured in the Wireless LAN Controller GUI which
format is supported?

A. Unicode
B. base64
C. ASCII
D. decimal

Explanation

When configuring a WLAN with WPA2 Preshared Key (PSK), we can choose the encryption key
format as either ASCII or HEX.

Reference: https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/config-guide/b_wl_16_10_cg/multi-preshared-key.pdf

Question 5 - Answer: C

Which networking function occurs on the data plane?

A. facilitates spanning-tree elections
B. processing inbound SSH management traffic
C. forwarding remote client/server traffic
D. sending and receiving OSPF Hello packets

Question 6 - Answer: D

What does an SDN controller use as a communication protocol to relay forwarding
changes to a southbound API?

A. XML
B. Java
C. REST
D. OpenFlow

Explanation: OpenFlow and NETCONF are Southbound APIs used for most SDN implementations.

Note: SDN northbound APIs are usually RESTful APIs used to communicate between the SDN
Controller and the services and applications running over the network.

Question 7 - Answer: A

A network engineer must configure the router R1 GigabitEthernet1/1 interface to
connect to the router R2 GigabitEthernet1/1 interface. For the configuration to be
applied the engineer must compress the address
2001:0db8:0000:0000:0500:000a:400F:583B. Which command must be issued on the
interface?

A. ipv6 address 2001:db8::500:a:400F:583B
B. ipv6 address 2001 db8:0::500:a:4F:583B
C. ipv6 address 2001:0db8::5:a:4F:583B
D. ipv6 address 2001::db8:0000::500:a:400F:583B

Question 8 - Answer: B

An administrator must secure the WLC from receiving spoofed association requests.
Which steps must be taken to configure the WLC to restrict the requests and force the
user to wait 10 ms to retry an association request?

A. Enable Security Association Teardown Protection and set the SA Query timeout to 10
B. Enable the Protected Management Frame service and set the Comeback timer to 10
C. Enable 802.1x Layer 2 security and set the Comeback timer to 10
D. Enable MAC filtering and set the SA Query timeout to 10

Explanation: Comeback timer specifies the time which an associated client must wait before the
association can be tried again when first denied with a status code 30.

SA query timeout specifies the amount of time the WLC waits for a response from the client for the
query process.

Reference: https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/212576-configure-802-11w-management-frame-prote.html

Note: We can use either 802.1x or PSK as the authentication key management method so answer C
is not correct.

Question 9 - Answer: D

What is the benefit of using FHRP?

A. balancing traffic across multiple gateways in proportion to their loads
B. reduced management overhead on network routers
C. reduced ARP traffic on the network
D. higher degree of availability

Question 10 - Answer: C

Which 802.11 management frame type is sent when a client roams between access
points on the same SSID?

A. Authentication Request
B. Probe Request
C. Reassociation Request
D. Association Request

Explanation

Association request frame – (0x00) Sent from a wireless client, it enables the AP to allocate
resources and synchronize. The frame carries information about the wireless connection including
supported data rates and SSID of the network to the wireless client that wants to associate. If the
request is accepted, the AP reserves memory and establishes an association ID for the device.

Association response frame – (0x01) Sent from an AP to a wireless client containing the
acceptance or rejection to an association request. If it is an acceptance, the frame contains
information, such as an association ID and supported data rates.

Reassociation request frame – (0x02) A device sends a reassociation request when it drops from
range of the currently associated AP and finds another AP with a stronger signal. The new AP
coordinates the forwarding of any information that may still be contained in the buffer of the
previous AP.

Reassociation response frame – (0x03) Sent from an AP containing the acceptance or rejection
to a device reassociation request frame. The frame includes information required for association,
such as the association ID and supported data rates.

Probe request frame – (0x04) Sent from a wireless client when it requires information from
another wireless client.

Authentication frame – (0x0B) The sending device sends an authentication frame to the AP
containing its identity.

Reference: https://www.ii.pwr.edu.pl/~kano/course/module8/8.2.1.4/8.2.1.4.html

Question 11 - Answer: A

What is a similarity between OM3 and OM4 fiber optic cable?

A. Both have a 50 micron core diameter
B. Both have a 9 micron core diameter
C. Both have a 62.5 micron core diameter
D. Both have a 100 micron core diameter

Explanation: At present, there are four kinds of multi-mode fiber: OM1, OM2, OM3 and OM4. The
letters “OM” stand for optical multi-mode. OM3 and OM4 fibers will support upcoming 40 and
100 Gb/s speeds. OM2, OM3, OM4 and OM5 have a 50 micron core diameter.

Question 12 - Answer: B

Which protocol does an access point use to draw power from a connected switch?

A. Internet Group Management Protocol
B. Cisco Discovery Protocol
C. Adaptive Wireless Path Protocol
D. Neighbor Discovery Protocol

Explanation

Restrictions for Cisco Discovery Protocol

These TLVs are supported only by the access point:
+ Power Consumption TLV: 0x0010—The maximum amount of power consumed by the access
point.
+ Power Request TLV: 0x0019—The amount of power to be transmitted by a powerable device in
order to negotiate a suitable power level with the supplier of the network power

Reference: https://www.cisco.com/c/en/us/td/docs/wireless/controller/7-5/configuration-guide/b_cg75/b_cg75_chapter_010001.pdf

CDP is the protocol used by Cisco access points to advertise their power requirements to power-
sourcing devices.

Question 13 - Answer: D

When deploying syslog, which severity level logs informational messages?

A. 0
B. 2
C. 4
D. 6

Explanation: Syslog levels are listed below

Level  Keyword        Description
0      emergencies    System is unusable
1      alerts         Immediate action is needed
2      critical       Critical conditions exist
3      errors         Error conditions exist
4      warnings       Warning conditions exist
5      notification   Normal, but significant, conditions exist
6      informational  Informational messages
7      debugging      Debugging messages

The highest level is level 0 (emergencies). The lowest level is level 7. By default, the router will
send informational messages (level 6). That means it will send all the syslog messages from level 0
to 6.

Question 14 - Answer: C

Refer to the exhibit.

Which command must be executed for Gi1/1 on SW1 to passively become a trunk port if
Gi1/1 on SW2 is configured in desirable or trunk mode?

A. switchport mode trunk
B. switchport mode dot1-tunnel
C. switchport mode dynamic auto
D. switchport mode dynamic desirable

Explanation: To form a trunk in this question, we can use either (dynamic) “auto” or (dynamic)
“desirable” mode or even “trunk” mode but only dynamic auto mode will passively form a trunk
port.

Question 15 - Answer: A

Refer to the exhibit.

An engineer must configure GigabitEthernet1/1 to accommodate voice and data traffic.
Which configuration accomplishes this task?

Option A
interface gigabitethernet1/1
switchport mode access
switchport access vlan 300
switchport voice vlan 400

Option B
interface gigabitethernet1/1
switchport mode access
switchport access vlan 400
switchport voice vlan 300

Option C
interface gigabitethernet1/1
switchport mode trunk
switchport access vlan 300
switchport voice vlan 400

Option D
interface gigabitethernet1/1
switchport mode trunk
switchport trunk vlan 300
switchport trunk vlan 400

A. Option A
B. Option B
C. Option C
D. Option D

Question 16 - Answer: B

What describes the operation of virtual machines?

A. Virtual machines are responsible for managing and allocating host hardware resources
B. Virtual machines are operating system instances that are decoupled from server hardware
C. Virtual machines are the physical hardware that support a virtual environment
D. In a virtual machine environment, physical servers must run one operating system at a time

Explanation: Hypervisors are responsible for managing and allocating host hardware resources,
not virtual machines -> Answer A is not correct. Virtual machines are not the physical hardware but
virtual instances -> Answer C is not correct. In a virtual machine environment, a Type 1 physical
server usually runs a hypervisor (not an operating system) to create multiple virtual machines ->
Answer D is not correct. Only answer B is the best choice left.

Question 17 - Answer: A

What is a role of access points in an enterprise network?

A. connect wireless devices to a wired network
B. support secure user logins to devices or the network
C. integrate with SNMP in preventing DDoS attacks
D. serve as a first line of defense in an enterprise network

Question 18 - Answer: A

Refer to the exhibit.

SiteA#show interface TenGigabitEthernet0/1/0
TenGigabitEthernet0/1/0 is up, line protocol is up
Hardware is BUILT-IN-EPA-8x10G, address is aabb.cc00.0100 (bia aabb.cc00.0100)
Description: Connection to SiteB
Internet address is 10.10.10.1/30
MTU 8146 bytes, BW 10000000 Kbit/sec, DLY 10 usec,
reliability 166/255, txload 1/255, rxload 1/255
Full Duplex, 10000Mbps, link type is force-up, media type is SFP-LR
5 minute input rate 265746000 bits/sec, 24343 packets/sec
5 minute output rate 123245000 bits/sec, 12453 packets/sec

SiteB#show interface TenGigabitEthernet0/1/0
TenGigabitEthernet0/1/0 is up, line protocol is up
Hardware is BUILT-IN-EPA-8x10G, address is 0000.0c00.750c (bia 0000.0c00.750c)
Description: Connection to SiteA
Internet address is 10.10.10.2/30
MTU 8146 bytes, BW 10000000 Kbit/sec, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Full Duplex, 10000Mbps, link type is force-up, media type is SFP-LR
5 minute input rate 123245000 bits/sec, 15343 packets/sec
5 minute output rate 265746000 bits/sec, 12453 packets/sec

Shortly after SiteA was connected to SiteB over a new single-mode fiber path, users at
SiteA report intermittent connectivity issues with applications hosted at SiteB. What is
the cause of the intermittent connectivity issue?

A. Interface errors are incrementing
B. An incorrect SFP media type was used at SiteA
C. High usage is causing high latency
D. The sites were connected with the wrong cable type

Explanation: The txload and rxload on both sites are 1/255, so the interfaces are not busy
transmitting and receiving traffic. But the reliability on SiteA is only 166/255, which indicates
that input and output errors are increasing. Reliability is calculated by this formula:

reliability = number of packets / number of total frames.

Question 19 - Answer: C

Refer to the exhibit.

Only four switches are participating in the VLAN spanning-tree process.
Branch-1: priority 614440
Branch-2: priority 39082416
Branch-3: priority 0
Branch-4: root primary

Which switch becomes the permanent root bridge for VLAN 5?

A. Branch-1
B. Branch-2
C. Branch-3
D. Branch-4

Explanation

Priority 0 is the lowest priority of a bridge so it will be elected the root bridge.

Note: The command “root primary” only checks the current root bridge priority and tries to use a
better (lower) priority value to become the new root bridge. But it does not ensure the local switch
will become the root bridge. If another switch has priority of 0 and we issue the “root primary”
command then it will inform that it cannot become root, as it cannot get a value lower than 0.

Question 20 - Answer: B

Refer to the exhibit.

The entire contents of the MAC address table are shown. Sales-4 sends a data frame to
Sales-1. What does the switch do as it receives the frame from Sales-4?

A. Map the Layer 2 MAC address to the Layer 3 IP address and forward the frame
B. Insert the source MAC address and port into the forwarding table and forward the frame to
Sales-1
C. Perform a lookup in the MAC address table and discard the frame due to a missing entry
D. Flood the frame out of all ports except on the port where Sales-1 is connected

Explanation: The Sales-1 information was already learned by the switch so it just forwards the
frames to Sales-1. The switch also learns the information of Sales-4 because this is the first time
this host communicates to other hosts.

Question 21 - Answer: D

Which technology allows for multiple operating systems to be run on a single host
computer?

A. virtual device contexts
B. network port ID visualization
C. virtual routing and forwarding
D. server virtualization

Question 22 - Answer: A

Refer to the exhibit.

An administrator must turn off the Cisco Discovery Protocol on the port configured with
last usable address in the 10.0.0.0/30 subnet. Which command set meets the
requirement?

A. interface gi0/1
no cdp enable
B. interface gi0/1
clear cdp table
C. interface gi0/0
no cdp run
D. interface gi0/0
no cdp advertise-v2

Explanation: In order to disable CDP on an interface, we have to use the “no cdp enable” under
interface mode. Note: “no cdp run” is a global configuration command.

Question 23 - Answer: C E

Which two QoS tools provide congestion management? (Choose two)

A. FRTS
B. CAR
C. PQ
D. PBR
E. CBWFQ

Question 24 - Answer: D

What occurs when overlapping Wi-Fi channels are implemented?

A. The wireless network becomes vulnerable to unauthorized access
B. Wireless devices are unable to distinguish between different SSIDs
C. Network communications are open to eavesdropping
D. Users experience poor wireless network performance

Question 25 - Answer: C

Which JSON data type is an unordered set of attribute-value pairs?

A. array
B. string
C. object
D. Boolean

Explanation: An object is an unordered collection of zero or more name/value pairs. For example
{"name":"John"}. Objects are denoted by curly brackets, and the order of their members is not
guaranteed. For example, if you send a request {"name":"9tut","preferredColor":"Blue"}, it is not
always guaranteed that the receiver receives them in the same order.

Note: In contrast to an object, an array is an ordered sequence of zero or more values. For example
["a","b","c"]. Arrays are denoted by square brackets. Order is guaranteed in JSON arrays.

Question 26 - Answer: A

An engineer needs to add an old switch back into a network. To prevent the switch from
corrupting the VLAN database which action must be taken?

A. Add the switch in the VTP domain with a lower revision number
B. Add the switch in the VTP domain with a higher revision number
C. Add the switch with DTP set to dynamic desirable
D. Add the switch with DTP set to desirable

Explanation: If you add a higher revision number switch to the network then all other switches in
the current network will learn from the newly added one. And all current VLAN databases will be
overwritten.

Question 27 - Answer: A

Which WLC port connects to a switch to pass normal access-point traffic?

A. distribution system
B. service
C. redundancy
D. console

Explanation

Redundancy Port is used for High-Availability (HA) deployment designs when there are two WLCs
available. In this setup, both WLCs are physically connected with each other through the
Redundant Port using an Ethernet cable. The redundancy port is used for configuration, operational
data synchronization and role negotiation between the primary and secondary controllers.

The service port is used for out-of-band management of the controller and system recovery and
maintenance in the event of a network failure.

The distribution system ports are the most important ports on the WLC as they connect the
internal logical interfaces and wireless client traffic to the rest of our network. The SFP Ports are
able to accept fiber optic or Ethernet copper interfaces, with the use of the appropriate SFPs.

The service-port interface is used for out-of-band management of the controller.

=============== New Questions (added on 7th-Mar-2021) ===============

Question 28 - Answer: C

An engineering team asks an implementer to configure syslog for warning conditions
and error conditions. Which command does the implementer configure to achieve the
desired result?

A. logging trap 2
B. logging trap 3
C. logging trap 4
D. logging trap 5

Explanation: Syslog levels are listed below

Level  Keyword        Description
0      emergencies    System is unusable
1      alerts         Immediate action is needed
2      critical       Critical conditions exist
3      errors         Error conditions exist
4      warnings       Warning conditions exist
5      notification   Normal, but significant, conditions exist
6      informational  Informational messages
7      debugging      Debugging messages

The highest level is level 0 (emergencies). The lowest level is level 7. If we configure syslog level 4
then it will send all the syslog messages from level 0 to 4.

Question 29

Drag and drop the 802.11 wireless standards from the left onto the matching
statements on the right.

Answer:

+ 802.11b: Supports a maximum data rate of 11 Mbps
+ 802.11a: Operates in the 5 GHz band only and supports a maximum data rate of 54 Mbps
+ 802.11ac: Operates in the 5 GHz band only and supports a maximum data rate that can exceed
100 Mbps
+ 802.11n: Operates in the 2.4 GHz and 5 GHz bands
+ 802.11g: Operates in the 2.4 GHz band only and supports a maximum data rate of 54 Mbps

Explanation

Wireless Standards

IEEE Standard  Frequency/Medium  Speed           Topology               Transmission Range                                                      Access Method
802.11         2.4GHz RF         1 to 2Mbps      Ad hoc/infrastructure  20 feet indoors.                                                        CSMA/CA
802.11a        5GHz              Up to 54Mbps    Ad hoc/infrastructure  25 to 75 feet indoors; range can be affected by building materials.     CSMA/CA
802.11b        2.4GHz            Up to 11Mbps    Ad hoc/infrastructure  Up to 150 feet indoors; range can be affected by building materials.    CSMA/CA
802.11g        2.4GHz            Up to 54Mbps    Ad hoc/infrastructure  Up to 150 feet indoors; range can be affected by building materials.    CSMA/CA
802.11n        2.4GHz/5GHz       Up to 600Mbps   Ad hoc/infrastructure  175+ feet indoors; range can be affected by building materials.         CSMA/CA

802.11ac uses dual-band wireless technology, supporting simultaneous connections on both 2.4
GHz and 5 GHz Wi-Fi devices. 802.11ac offers backward compatibility to 802.11a/b/g/n and
bandwidth rated up to 1300 Mbps on the 5 GHz band plus up to 450 Mbps on 2.4 GHz.

Question 30 - Answer: C E

Which two protocols are supported on service-port interfaces? (Choose two)

A. RADIUS
B. TACACS+
C. Telnet
D. SCP
E. SSH

Explanation: The service-port interface controls communications through and is statically mapped
by the system to the service port. The service port can be used for out-of-band management.
The service port can obtain an IPv4 address using DHCP, or it can be assigned a static IPv4
address, but a default gateway cannot be assigned to the service-port interface. Static IPv4 routes
can be defined through the controller for remote network access to the service port.
If the service port is in use, the management interface must be on a different supernet from the
service-port interface.

The service-port interface supports the following protocols:
+ SSH and Telnet
+ HTTP and HTTPS
+ SNMP
+ FTP, TFTP, and SFTP
+ Syslog
+ ICMP (ping)
+ NTP
Note: TACACS+ and RADIUS are not supported through the service port.

Question 31 - Answer: D

Refer to the exhibit.

How must router A be configured so that it only sends Cisco Discovery Protocol
information to router C?

Option A
conf t
RouterA(config)#no cdp run
RouterA(config)#interface gi0/0/1
RouterA(config)#cdp enable

Option B
conf t
RouterA(config)#cdp run
RouterA(config)#interface gi0/0/1
RouterA(config)#cdp enable

Option C
conf t
RouterA(config)#cdp run
RouterA(config)#interface gi0/0/0
RouterA(config)#cdp enable

Option D
conf t
RouterA(config)#cdp run
RouterA(config)#interface gi0/0/0
RouterA(config)#no cdp enable

A. Option A
B. Option B
C. Option C
D. Option D

Explanation

If CDP is disabled globally, you cannot enable it on each interface using the “cdp enable” interface
configuration mode command.

Reference: https://www.cisco.com/c/en/us/td/docs/optical/cpt/r9_5/command/reference/cpt95_cr/cpt95_cr_chapter_01101.pdf

Therefore in order to enable CDP on a specific interface only, we must:
1. Enable CDP globally
2. Disable CDP on other interfaces.

============== New Questions (added on 5th-May-2021) ===============

Question 32 - Answer: D

What is the function of a hub-and-spoke WAN topology?

A. supports application optimization
B. provides direct connections between subscribers
C. supports Layer 2 VPNs
D. allows access restrictions to be implemented between subscriber sites

Question 33 - Answer: C

Which global command encrypts all passwords in the running configuration?

A. enable secret
B. enable password-encryption
C. service password-encryption
D. password-encrypt

Explanation

The service password-encryption command will encrypt all current and future passwords, so any
password that exists in the configuration will be encrypted.

CCNAv7 (2020) – New Questions Part 7

Question 1 - Answer: D

Which level of severity must be set to get informational syslogs?

A. alert
B. critical
C. notice
D. debug

Explanation: The Syslog levels are

Level  Keyword        Description
0      emergencies    System is unusable
1      alerts         Immediate action is needed
2      critical       Critical conditions exist
3      errors         Error conditions exist
4      warnings       Warning conditions exist
5      notification   Normal, but significant, conditions exist
6      informational  Informational messages
7      debugging      Debugging messages

If you specify a level, that level and all the higher levels will be displayed. Therefore in order to
receive informational syslog we must set to level 6 or level 7.

Question 2 - Answer: B

What is a characteristic of cloud-based network topology?

A. physical workstations are configured to share resources
B. services are provided by a public, private, or hybrid deployment
C. onsite network services are provided with physical Layer 2 and Layer 3 components
D. wireless connections provide the sole access method to services

Explanation

In private cloud, the resources are dedicated to an organization without sharing with anyone else
-> Answer A is not correct.

Nowadays, onsite network services (network devices in a cloud) can be run in a virtualization
environment -> Answer C is not correct.

We can access the services via both cable or wireless connections -> Answer D is not correct.

Cloud computing can be categorized into three general types:
+ Public cloud is cloud computing that’s delivered via the internet and shared across
organizations.
+ Private cloud is cloud computing that is dedicated solely to your organization.
+ Hybrid cloud is any environment that uses both public and private clouds.

Question 3 - Answer: D

A network analyst is tasked with configuring the date and time on a router using EXEC
mode. The date must be set to 12:00am. Which command should be used?

A. Clock timezone
B. Clock summer-time-recurring
C. Clock summer-time date
D. Clock set

Explanation: In this example, the clock time is set to 12:00 am with the clock date of January 1,
2020.

R1#clock set 12:00:00 jan 1 2020

Question 4 - Answer: A

Which HTTP status code is returned after a successful REST API request?

A. 200
B. 301
C. 404
D. 500

Explanation

HTTP defines these standard status codes that can be used to convey the results of a client’s
request. The status codes are divided into five categories.
1xx: Informational – Communicates transfer protocol-level information.
2xx: Success – Indicates that the client’s request was accepted successfully.
3xx: Redirection – Indicates that the client must take some additional action in order to complete
their request.
4xx: Client Error – This category of error status codes points the finger at clients.
5xx: Server Error – The server takes responsibility for these error status codes.

Question 5 - Answer: D

Refer to the exhibit.

When PC-A sends traffic to PC-B, which network component is in charge of receiving the
packet from PC-A, verifying the IP addresses, and forwarding the packet to PC-B?

A. Layer 2 switch
B. firewall
C. Load balancer
D. Router

Question 6 - Answer: A

Refer to the exhibit.

Router1#show ip route
Gateway of last resort is not set
209.165.200.0/27 is subnetted, 1 subnets
B 209.165.200.224 [20/0] via 10.10.12.2, 00:08:34
10.0.0.0/8 is variably subnetted, 4 subnets, 3 masks
C 10.10.10.0/28 is directly connected, GigabitEthernet0/0
C 10.10.11.0/30 is directly connected, FastEthernet2/0
O 10.10.13.0/24 [110/2] via 10.10.10.1, 00:09:25, GigabitEthernet0/0
C 10.10.12.0/30 is directly connected, GigabitEthernet0/1

Which action is taken by the router when a packet is sourced from 10.10.10.2 and
destined for 10.10.10.16?

A. It discards the packets
B. It uses a route that is similar to the destination address
C. It floods packets to all learned next hops
D. It queues the packets waiting for the route to be learned

Explanation: The destination 10.10.10.16 does not belong to the 10.10.10.0/28 subnet (range from
10.10.10.0 to 10.10.10.15) and there is no default route in this routing table, so the router will
discard the packets.

Question 7

Drag and drop the functions of DHCP from the left onto any of the positions on the
right. Not all functions are used.

Answer:

1 – maintains an address pool
2 – offers domain name server configuration
3 – reduces the administrative burden for onboarding end users
4 – assigns IP addresses to local hosts for a configurable lease time

Explanation

The following example shows how to configure a DHCP Server on a Cisco router:

Configuration (each command is followed by its description):

Router(config)#ip dhcp pool CLIENTS
    Create a DHCP Pool named CLIENTS
Router(dhcp-config)#network 10.1.1.0 /24
    Specifies the subnet and mask of the DHCP address pool
Router(dhcp-config)#default-router 10.1.1.1
    Set the default gateway of the DHCP Clients
Router(dhcp-config)#dns-server 10.1.1.1
    Configure a Domain Name Server (DNS)
Router(dhcp-config)#domain-name 9tut.com
    Configure a domain-name
Router(dhcp-config)#lease 0 12
    Duration of the lease (the time during which a client computer can use an assigned IP
    address). The syntax is “lease {days[hours] [minutes] | infinite}”. In this case the lease
    is 12 hours. The default is a one-day lease. Before the lease expires, the client typically
    needs to renew its address lease assignment with the server
Router(dhcp-config)#exit
Router(config)# ip dhcp excluded-address 10.1.1.1 10.1.1.10
    The IP range that a DHCP Server should not assign to DHCP Clients. Notice this command is
    configured under global configuration mode

Question 8 - Answer: D

What is the function of a controller in controller-based networking?

A. It is a pair of core routers that maintain all routing decisions for a campus
B. It centralizes the data plane for the network
C. It is the card on a core router that maintains all routing decisions for a campus
D. It serves as the centralized management point of an SDN architecture

Explanation: In contrast to a distributed architecture, a centralized (or controller-based)
architecture centralizes the control of networking devices into one device, called the SDN
controller.

Question 9 - Answer: D

When a switch receives a frame for a known destination MAC address, how is the frame
handled?

A. flooded to all ports except the one from which it originated
B. broadcast to all ports
C. forwarded to the first available port
D. sent to the port identified for the known MAC address

Question 10

Drag and drop the IPv6 address type characteristics from the left to the right.

Answer:

Link-Local Address:
+ attached to a single subnet
+ configured only once per interface

Unique Local Address:
+ addresses with prefix FC00::/7
+ addressing for exclusive use internally without Internet routing

Explanation

An IPv6 Unique Local Address is an IPv6 address in the block FC00::/7. It is the approximate IPv6
counterpart of the IPv4 private address. It is not routable on the global Internet.

Note: In the past, Site-local addresses (FEC0::/10) were the equivalent of private IP addresses in
IPv4, but they are now deprecated.

Link-local addresses are only used for communications within the local subnet. They are usually
created dynamically using a link-local prefix of FE80::/10 and a 64-bit interface identifier (based
on the 48-bit MAC address).

Question 11 - Answer: D

Why was the RFC 1918 address space defined?

A. preserve public IPv6 address space
B. support the NAT protocol
C. reduce instances of overlapping IP addresses
D. conserve public IPv4 addressing

Explanation: RFC 1918 is “Address Allocation for Private Internets”, which reserves IP
addresses for private and internal use. These addresses can be used for networks that do not need
to connect to the Internet.

Question 12 - Answer: A

What is the purpose of using First Hop Redundancy Protocol in a specific subnet?

A. forwards multicast hello messages between routers
B. sends the default route to the hosts on a network
C. filter traffic based on destination IP addressing
D. ensures a loop-free physical topology

Explanation: In fact there is no correct answer for this question. But if we have to choose one,
answer A is the best one, as the routers in an FHRP group do send multicast hello messages among
themselves. But “forwards multicast hello messages” is surely not the purpose of FHRP. The main
purpose of FHRP is to provide redundancy to the gateway router.

Question 13 - Answer: B

After installing a new Cisco ISE server, which task must the engineer perform on the
Cisco WLC to connect wireless clients on a specific VLAN based on their credentials?

A. Enable the Authorized MIC APs against auth-list or AAA.
B. Enable the allow AAA Override
C. Disable the LAG Mode or Next Reboot.
D. Enable the Event Driven RRM.

Explanation

Dynamic VLAN assignment is one such feature that places a wireless user into a specific VLAN
based on the credentials supplied by the user. This task of assigning users to a specific VLAN is
handled by a RADIUS authentication server, such as Cisco ISE. This can be used, for example, to
allow the wireless host to remain on the same VLAN as it moves within a campus network.

In order to accomplish dynamic VLAN assignment with WLCs based on ISE to AD group mapping,
these steps must be performed:
+ ISE to AD integration and configuration of authentication and authorization policies for users on
ISE
+ WLC configuration to support dot1x authentication and AAA override for SSID ‘office_hq’
+ End client supplicant configuration

Reference: https://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/99121-vlan-acs-ad-config.html

Question 14

An engineer is configuring an encrypted password for the enable command on a router
where the local user database has already been configured. Drag and drop the
configuration commands from the left into the correct sequence on the right. Not all
commands are used.

Answer:

+ first: enable
+ second: configure terminal
+ third: enable secret $fkg!@34i4
+ fourth: exit

Explanation: This question is not clear as it did not specify whether it wanted an encrypted
password for the enable command or wanted to encrypt an existing password. But

Question 15 - Answer: A

Refer to the exhibit.

Router R4 is dynamically learning the path to the server. If R4 is connected to R1 via
OSPF Area 20, to R2 via R2 BGP, and to R3 via EIGRP 777, which path is installed in the
routing table of R4?

A. the path through R2, because the EBGP administrative distance is 20
B. the path through R2, because the IBGP administrative distance is 200
C. the path through R1, because the OSPF administrative distance is 110
D. the path through R3, because the EIGRP administrative distance is lower than OSPF and BGP

Explanation

The Administrative Distance of EBGP is 20, which is the smallest (AD of EIGRP is 90 and AD of OSPF
is 110), so R4 will choose the path via EBGP.

According to the figure, we see R4 belongs to BGP AS 65513 while R2 belongs to BGP AS 65512 so
surely they are EBGP, not IBGP.

Question 16 - Answer: D

What is a function of the Cisco DNA Center Overall Health Dashboard?

A. It summarizes daily and weekly CPU usage for servers and workstations in the network.
B. It provides detailed activity logging for the 10 devices and users on the network.
C. It summarizes the operational status of each wireless device on the network.
D. It provides a summary of the top 10 global issues.

Explanation

The bottom of Cisco DNA Center Overall Health Dashboard displays the top 10 issues, if any, that
must be addressed.

Question 17 - Answer: B

Which protocol requires authentication to transfer a backup configuration file from a
router to a remote server?

A. TFTP
B. FTP
C. DTP
D. SMTP

Explanation: The FTP protocol requires a client to send a remote username and password on each
FTP request to a server. When you copy a configuration file from the router to a server using FTP,
the Cisco IOS software sends the first valid username it encounters in the following list:

1. The username specified in the copy privileged EXEC command, if a username is specified.
2. The username set by the ip ftp username global configuration command, if the command is
configured.
3. Anonymous.

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sys-image-mgmt/configuration/xe-16-7/sysimgmgmt-xe-16-7-book/sysimgmgmt-ftp.pdf

Question 18 - Answer: D

Where is the interface between the control plane and data plane within the
software-defined architecture?

A. application layer and the management layer
B. application layer and the infrastructure layer
C. control layer and the application layer
D. control layer and the infrastructure layer

Explanation: Maybe we should read this question as “What are the layers inside control plane
and data plane within the software-defined architecture?” However, this question is still not clear.

The Open Networking Foundation identifies three main parts of software-defined networking
(SDN): the Application layer, the Control layer and the Infrastructure layer. SDN separates a
router’s control plane from the data (forwarding) plane. The control plane makes routing
decisions. The data plane forwards data (packets) through the router. With SDN routing, decisions
are made remotely instead of on each individual router.

Question 19 - Answer: D

Which action does the router take as it forwards a packet through the network?

A. The router replaces the source and destination labels with the sending router interface label as a
source and the next hop router label as a destination
B. The router encapsulates the source and destination IP addresses with the sending router IP
address as the source and the neighbor IP address as the destination
C. The router encapsulates the original packet and then includes a tag that identifies the source
router MAC address and transmit transparently to the destination
D. The router replaces the original source and destination MAC addresses with the sending router
MAC address as the source and neighbor MAC address as the destination

Explanation: While transferring data through many different networks, the source and destination
IP addresses are not changed. Only the source and destination MAC addresses are changed.

Question 20 - Answer: C

When a site-to-site VPN is configured, which IPsec mode provides encapsulation and
encryption of the entire original IP packet?

A. IPsec tunnel mode with AH
B. IPsec transport mode with AH
C. IPsec tunnel mode with ESP
D. IPsec transport mode with ESP

Explanation

IPSec can be configured to operate in two different modes, Tunnel (default) and Transport mode.
Transport mode encapsulation retains the original IP header. With tunnel mode, the entire original
IP packet is protected by IPSec -> In this question we must choose tunnel mode.

The AH protocol provides a mechanism for authentication only. The ESP protocol provides
data confidentiality (encryption) and authentication (data integrity, data origin authentication, and
replay protection) -> We must use ESP.

Reference: https://www.ibm.com/docs/en/zos/2.4.0?topic=ipsec-ah-esp-protocols

Question 21 - Answer: B E

Refer to the exhibit.

Which two commands, when configured on router R1, fulfill these requirements? (Choose two)
– Packets toward the entire network 2001:db8:23::/64 must be forwarded through router R2.
– Packets toward host 2001:db8:23::14 preferably must be forwarded through R3.

A. ipv6 route 2001:db8:23::/128 fd00:12::2
B. ipv6 route 2001:db8:23::14/128 fd00:13::3
C. ipv6 route 2001:db8:23::14/64 fd00:12::2
D. ipv6 route 2001:db8:23::14/64 fd00:12::2 200
E. ipv6 route 2001:db8:23::/64 fd00:12::2

Question 22 - Answer: A

What is the role of a firewall in an enterprise network?

A. determines which packets are allowed to cross from unsecured to secured networks
B. processes unauthorized packets and allows passage to less secure segments of the network
C. forwards packets based on stateless packet inspection
D. explicitly denies all packets from entering an administrative domain

Question 23 - Answer: C

What is the benefit of configuring PortFast on an interface?

A. After the cable is connected, the interface uses the fastest speed setting available for that cable
type
B. The frames entering the interface are marked with higher priority and then processed faster by
a switch
C. After the cable is connected, the interface is available faster to send and receive user data
D. Real-time voice and video frames entering the interface are processed faster

Question 24 - Answer: A

How are VLAN hopping attacks mitigated?

A. manually implement trunk ports and disable DTP
B. configure extended VLANs
C. activate all ports and place in the default VLAN
D. enable dynamic ARP inspection

Explanation

VLAN Hopping: By altering the VLAN ID on packets encapsulated for trunking, an attacking device
can send or receive packets on various VLANs, bypassing Layer 3 security measures. VLAN hopping
can be accomplished by switch spoofing or double tagging.

a. Switch spoofing:

The attacker can connect an unauthorized Cisco switch to a Company switch port. The
unauthorized switch can send DTP frames and form a trunk with the Company Switch. If the
attacker can establish a trunk link to the Company switch, it receives traffic to all VLANs through
the trunk because all VLANs are allowed on a trunk by default.

(Instead of using a Cisco switch, the attacker can use software to create and send DTP frames.)

To mitigate this type of attack, we can disable DTP.

Question 25

Drag and drop the statement about networking from the left into the corresponding
networking types on the right. Not all statements are used.

Answer:

Controller-Based Networking:
+ This type deploys a consistent configuration across multiple devices
+ Southbound APIs are used to apply configurations

Traditional Networking:
+ This type requires a distributed management plane
+ A distributed control plane is needed

Question 26 - Answer: C

Refer to the exhibit.

R1#show ip route
--output omitted--
Gateway of last resort is 192.168.14.4 to network 0.0.0.0

C 172.16.1.128/25 is directly connected, GigabitEthernet1/1/0
C 192.168.12.0/24 is directly connected, FastEthernet0/0
C 192.168.13.0/24 is directly connected, FastEthernet0/1
C 192.168.14.0/24 is directly connected, FastEthernet1/0
C 172.16.16.1 is directly connected, Loopback1
192.168.10.0/24 is variably subnetted, 3 subnets, 3 masks
O 192.168.10.0/24 [110/2] via 192.168.14.4, 00:03:01, FastEthernet1/0
O 192.168.10.32/27 [110/11] via 192.168.13.3, 00:00:11, FastEthernet0/1
O 192.168.0.0/16 [110/2] via 192.168.15.5, 00:05:11, FastEthernet1/1
D 192.168.10.1/32 [90/52778] via 192.168.12.2, 00:05:11, FastEthernet0/0
O*E2 0.0.0.0/0 [110/1] via 192.168.14.4, 00:05:11, FastEthernet1/0

If R1 receives a packet destined to 172.16.1.1, to which IP address does it send the
packet?

A. 192.168.12.2
B. 192.168.13.3
C. 192.168.14.4
D. 192.168.15.5

Explanation: The packet destined to 172.16.1.1 would match the default route (the last line) so it
sends the packet to 192.168.14.4.
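The lookups in Question 6 and Question 26 both come down to longest-prefix matching. The following added example (not part of the original page) parses the two exhibits and resolves the destinations from both questions. The route lines are transcribed from the exhibits; treating a bare address with no parent mask (172.16.16.1) as a /32 host route is an assumption.

```python
import ipaddress
import re

# Route lines transcribed from the Question 6 exhibit (Router1).
Q6_TABLE = """\
Gateway of last resort is not set
209.165.200.0/27 is subnetted, 1 subnets
B 209.165.200.224 [20/0] via 10.10.12.2, 00:08:34
10.0.0.0/8 is variably subnetted, 4 subnets, 3 masks
C 10.10.10.0/28 is directly connected, GigabitEthernet0/0
C 10.10.11.0/30 is directly connected, FastEthernet2/0
O 10.10.13.0/24 [110/2] via 10.10.10.1, 00:09:25, GigabitEthernet0/0
C 10.10.12.0/30 is directly connected, GigabitEthernet0/1
"""

# Route lines transcribed from the Question 26 exhibit (R1).
Q26_TABLE = """\
Gateway of last resort is 192.168.14.4 to network 0.0.0.0
C 172.16.1.128/25 is directly connected, GigabitEthernet1/1/0
C 192.168.12.0/24 is directly connected, FastEthernet0/0
C 192.168.13.0/24 is directly connected, FastEthernet0/1
C 192.168.14.0/24 is directly connected, FastEthernet1/0
C 172.16.16.1 is directly connected, Loopback1
192.168.10.0/24 is variably subnetted, 3 subnets, 3 masks
O 192.168.10.0/24 [110/2] via 192.168.14.4, 00:03:01, FastEthernet1/0
O 192.168.10.32/27 [110/11] via 192.168.13.3, 00:00:11, FastEthernet0/1
O 192.168.0.0/16 [110/2] via 192.168.15.5, 00:05:11, FastEthernet1/1
D 192.168.10.1/32 [90/52778] via 192.168.12.2, 00:05:11, FastEthernet0/0
O*E2 0.0.0.0/0 [110/1] via 192.168.14.4, 00:05:11, FastEthernet1/0
"""

IP = r"\d+\.\d+\.\d+\.\d+"
# Parent line such as "209.165.200.0/27 is subnetted": supplies the mask
# for child routes that are printed without one.
HEADER_RE = re.compile(rf"^{IP}/(\d+) is (?:variably )?subnetted")
ROUTE_RE = re.compile(
    rf"^(?P<code>[A-Z]\S*(?: [A-Z]\w*)?)\s+(?P<net>{IP})(?:/(?P<len>\d+))?\s+"
    rf"(?:\[(?P<ad>\d+)/(?P<metric>\d+)\] via (?P<via>{IP})"
    rf"|is directly connected, (?P<ifname>\S+))"
)


def parse_routes(text):
    """Turn 'show ip route' lines into a list of route dictionaries."""
    routes, parent_len = [], None
    for line in text.splitlines():
        line = line.strip()
        header = HEADER_RE.match(line)
        if header:
            parent_len = int(header.group(1))
            continue
        match = ROUTE_RE.match(line)
        if not match:
            continue  # prompt, legend or "Gateway of last resort" line
        if match["len"] is not None:
            prefix_len = int(match["len"])
        elif parent_len is not None:
            prefix_len = parent_len      # inherit the mask from the parent line
        else:
            prefix_len = 32              # assumption: bare address is a host route
        routes.append({
            "code": match["code"],
            "net": ipaddress.ip_network(f"{match['net']}/{prefix_len}"),
            "via": match["via"],         # None for connected routes
            "ifname": match["ifname"],   # None for routes learned via a next hop
        })
    return routes


def lookup(routes, destination):
    """Longest-prefix match. None means no route, so the packet is discarded."""
    addr = ipaddress.ip_address(destination)
    candidates = [r for r in routes if addr in r["net"]]
    return max(candidates, key=lambda r: r["net"].prefixlen, default=None)


if __name__ == "__main__":
    for name, table, dst in (("Q6", Q6_TABLE, "10.10.10.16"),
                             ("Q26", Q26_TABLE, "172.16.1.1")):
        route = lookup(parse_routes(table), dst)
        print(name, dst, "->", "discard" if route is None else route)
```
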

Question 27 - Answer: A E

Which two components are needed to create an Ansible script that configures a VLAN
on a switch? (Choose two)

A. task
B. cookbook
C. recipe
D. model
E. playbook

Question 28 - Answer: C

How are the switches in a spine-and-leaf topology interconnected?

A. Each leaf switch is connected to two spine switches, making a loop.
B. Each leaf switch is connected to a central leaf switch, then uplinked to a core spine switch.
C. Each leaf switch is connected to each spine switch.
D. Each leaf switch is connected to one of the spine switches.

Explanation

With Leaf-Spine, the network uses Layer 3 routing so STP is no longer required. Spine-leaf
architectures rely on protocols such as Equal-Cost Multipath (ECMP) routing to load balance traffic
across all available paths while still preventing network loops. This allows all connections to be
utilized at the same time while still remaining stable and avoiding loops within the network.
-> Answer A is not correct because spine-and-leaf topology does not “make a loop” because it does
not run STP, it runs ECMP.

Every leaf switch connects to every spine switch in the fabric. The path is randomly chosen so that
the traffic load is evenly distributed among the top-tier switches.

Reference: https://www.cisco.com/c/en/us/products/collateral/switches/nexus-7000-series-switches/white-paper-c11-737022.html

Question 29 - Answer: A

In software-defined architecture, which plane handles switching for traffic through a
Cisco router?

A. Data
B. Control
C. Management
D. Application

Question 30 - Answer: A C

Which two protocols must be disabled to increase security for management connections
to a Wireless LAN Controller? (Choose two)

A. Telnet
B. SSH
C. HTTP
D. HTTPS
E. TFTP

Explanation: We can connect to Cisco WLC via HTTP/HTTPS and SSH/Telnet so in order to increase
security we must disable HTTP and Telnet which are unsecured protocols.

Question 31 - Answer: A

When a client and server are not on the same physical network, which device is used to
forward requests and replies between client and server for DHCP?

A. DHCP relay agent
B. DHCP server
C. DHCPDISCOVER
D. DHCPOFFER

Explanation

If the DHCP Server is not on the same subnet with the DHCP Client, we need to configure the router
on the DHCP client side to act as a DHCP Relay Agent so that it can forward DHCP messages
between the DHCP Client & DHCP Server. To make a router a DHCP Relay Agent, simply put the “ip
helper-address <IP-address-of-DHCP-Server>” command under the interface that receives the
DHCP messages from the DHCP Client.

As we know, a router does not forward broadcast packets (it drops them instead) so DHCP messages
like the DHCPDISCOVER message will be dropped. But with the “ip helper-address …” command, the
router will accept that broadcast message, convert it into a unicast packet and forward it to the
DHCP Server. The destination IP address of the unicast packet is taken from the “ip helper-address
…” command.

Question 32 - Answer: C

An implementer is preparing hardware for virtualization to create virtual machines on a
host. What is needed to provide communication between hardware and virtual
machines?

A. straight cable
B. router
C. hypervisor
D. switch

Question 33 - Answer: A C

What are two characteristics of the distribution layer in a three-tier network
architecture? (Choose two)

A. provides a boundary between Layer 2 and Layer 3 communications
B. designed to meet continuous, redundant uptime requirements
C. serves as the network aggregation point
D. physical connection point for a LAN printer
E. is the backbone for the network topology

Explanation

A typical enterprise hierarchical LAN campus network design includes the following three layers:
+ Access layer: Provides workgroup/user access to the network
+ Distribution layer: Provides policy-based connectivity and controls the boundary between the
access and core layers
+ Core layer: Provides fast transport between distribution switches within the enterprise campus
Reference: https://www.ciscopress.com/articles/article.asp?p=2202410&seqNum=4

The Distribution layer acts as an aggregation point for all the Access layer devices.

Question 34 - Answer: C

Which QoS tool can you use to optimize voice traffic on a network that is primarily
intended for data traffic?

A. WRED
B. FIFO
C. PQ
D. WFQ

Explanation

With Priority Queueing (PQ), traffic is classified into high, medium, normal, and low priority queues.
The high priority traffic is serviced first, then medium priority traffic, followed by normal and low
priority traffic. -> Therefore we can assign higher priority for voice traffic.

Also with PQ, higher priority traffic can starve the lower priority queues of bandwidth. No
bandwidth guarantees are possible -> It is still good because this network is mostly used for data
traffic so voice traffic amount is small.

With First In First Out (FIFO) or Weighted Fair Queueing (WFQ), there is no priority servicing so they
are not suitable here.

Reference: https://www.cisco.com/c/en/us/td/docs/ios/solutions_docs/qos_solutions/QoSVoIP/QoSVoIP.html

Weighted Random Early Detection (WRED) is just a congestion avoidance mechanism. WRED
measures the size of the queues depending on the Precedence value and starts dropping packets
when the queue is between the minimum threshold and the maximum threshold -> It does not
have priority servicing either.

Question 35 - Answer: D

On workstations running Microsoft Windows, which protocol provides the default
gateway for the device?

A. STP
B. DNS
C. SNMP
D. DHCP

Question 36 - Answer: A B

Refer to the exhibit.

R2#show ip route
C 192.168.1.0/26 is directly connected, FastEthernet0/1

Which two prefixes are included in this routing table entry? (Choose two)

A. 192.168.1.17
B. 192.168.1.61
C. 192.168.1.64
D. 192.168.1.127
E. 192.168.1.254

Question 37 - Answer: C E

Which two primary drivers support the need for network automation? (Choose two)

A. Increasing reliance on self-diagnostic and self-healing
B. Eliminating training needs
C. Policy-derived provisioning of resources
D. Reducing hardware footprint
E. Providing a single entry point for resource provisioning

Question 38 - Answer: D

What is the difference in data transmission delivery and reliability between TCP and
UDP?

A. UDP sets up a connection between both devices before transmitting data. TCP uses the three-
way handshake to transmit data with a reliable connection.
B. TCP transmits data at a higher rate and ensures packet delivery. UDP retransmits lost data to
ensure applications receive the data on the remote end.
C. UDP is used for multicast and broadcast communication. TCP is used for unicast communication
and transmits data at a higher rate with error checking.
D. TCP requires the connection to be established before transmitting data. UDP transmits data at a
higher rate without ensuring packet delivery.

Question 39 - Answer: A

What are network endpoints?

A. a threat to the network if they are compromised
B. support inter-VLAN connectivity
C. act as routers to connect a user to the service provider network
D. enforce policies for campus-wide traffic going to the internet

Explanation: A network endpoint is any device that is physically an end point on a network.
Laptops, desktops, mobile phones, tablets, servers, and virtual environments can all be considered
endpoints. Network endpoints may be a threat to our networks if they are compromised.

Question 40 - Answer: D

What does physical access control regulate?

A. access to specific networks based on business function
B. access to servers to prevent malicious activity
C. access to computer networks and file systems
D. access to networking equipment and facilities

Explanation: Cisco Physical Access Control is a comprehensive IP-based solution that uses the IP
network as a platform for integrated security operations.

Question 41

Drag and drop the DNS lookup components from the left onto the functions on the
right.

Answer:

+ service that maps hostname to IP addresses: DNS
+ local database of address mappings that improves name resolution performance: cache
+ in response to client requests, queries a name server for IP address information: name resolver
+ component of a URL that indicates the location or organization type: domain
+ disables DNS services on a Cisco device: no ip domain-lookup

Question 42 - Answer: D

What must be considered when using 802.11a?

A. It is compatible with 802.11g and 802.11-compliant wireless devices
B. It is chosen over 802.11b/g when a lower-cost solution is necessary
C. It is susceptible to interference from 2.4 GHz devices such as microwave ovens.
D. It is used in place of 802.11b/g when many nonoverlapping channels are required

Explanation: 802.11a offers as many as 12 non-overlapping channels. With more channels, a larger
number of users can be accommodated with no performance degradation.

Question 43

This question is duplicated so we removed it.

Question 44 - Answer: A

An engineer configures interface Gi1/0 on the company PE router to connect to an ISP.
Neighbor discovery is disabled.

interface Gi1/0
description HQ_DC3392-9383
duplex full
speed 100
negotiation auto
lldp transmit
lldp receive

Which action is necessary to complete the configuration if the ISP uses third-party
network devices?

A. Enable LLDP globally
B. Disable autonegotiation
C. Disable Cisco Discovery Protocol on the interface
D. Enable LLDP-MED on the ISP device

Explanation: From the output we see LLDP has been enabled on the Gi1/0 interface, but the question
says “neighbor discovery is disabled”. Therefore we must turn on LLDP globally with the “lldp run”
command under global configuration mode: Router(config)# lldp run

Note: LLDP for Media Endpoint Devices (LLDP-MED) is an extension to LLDP that operates between
endpoint devices such as IP phones and network devices such as switches. It specifically provides
support for voice over IP (VoIP) applications and provides additional TLVs for capabilities discovery,
network policy, Power over Ethernet, inventory management, and location information.

Question 45 - Answer: C

How does QoS optimize voice traffic?

A. reducing bandwidth usage
B. by reducing packet loss
C. by differentiating voice and video traffic
D. by increasing jitter

Explanation

With Priority Queueing (PQ) in QoS, traffic is classified into high, medium, normal, and low priority
queues. The high priority traffic is serviced first, then medium priority traffic, followed by normal
and low priority traffic. -> Therefore we can assign higher priority for voice traffic.

Question 46 - Answer: A D

Which two events occur automatically when a device is added to Cisco DNA Center?
(Choose two)

A. The device is assigned to the Global site.
B. The device is placed into the Unmanaged state.
C. The device is placed into the Provisioned state.
D. The device is placed into the Managed state.
E. The device is assigned to the Local site.

Explanation: Device in Global Site: When you successfully add, import, or discover a device, Cisco
DNA Center places the device in the Managed state and assigns it to the Global site by default.
Even if you have defined SNMP server, Syslog server, and NetFlow collector settings for the Global
site, Cisco DNA Center does not change these settings on the device.

Reference: https://www.cisco.com/c/en/us/td/docs/cloud-systems-management/network-automation-and-management/dna-center/2-1-2/admin_guide/b_cisco_dna_center_admin_guide_2_1_2/b_cisco_dna_center_admin_guide_2_1_1_chapter_010.html

Question 47 - Answer: C E

What are two benefits of using the PortFast feature? (Choose two)

A. Enabled interfaces are automatically placed in listening state
B. Enabled interfaces wait 50 seconds before they move to the forwarding state
C. Enabled interfaces never generate topology change notifications.
D. Enabled interfaces that move to the learning state generate switch topology change
notifications
E. Enabled interfaces come up and move to the forwarding state immediately

Explanation: Portfast does two things for us:

+ Interfaces with portfast enabled that come up will go to forwarding mode immediately, the
interface will skip the listening and learning state.
+ A switch will never generate a topology change notification for an interface that has portfast
enabled.

Question 48 - Answer: B

A network administrator is asked to configure VLANs 2, 3 and 4 for a new
implementation. Some ports must be assigned to the new VLANs with unused
remaining. Which action should be taken for the unused ports?

A. configure port in the native VLAN
B. configure ports in a black hole VLAN
C. configure in a nondefault native VLAN
D. configure ports as access ports

Explanation: A black hole VLAN is an unused VLAN in which you place unused ports, or hosts
that you don’t want to be on the network.

Question 49 - Answer: A

Which function is performed by DHCP snooping?

A. rate-limits certain traffic
B. listens to multicast traffic for packet forwarding
C. provides DDoS mitigation
D. propagates VLAN information between switches

Explanation: We can use the command “ip dhcp snooping limit rate” to set the number of DHCP
requests that can be received in a second.

Question 50 - Answer: C

Which plane is centralized by an SDN controller?

A. data plane
B. management plane
C. control plane
D. services plane

Question 51 - Answer: A D

What are two similarities between UTP Cat 5e and Cat 6a cabling? (Choose two)

A. Both support runs of up to 100 meters.
B. Both support runs of up to 55 meters.
C. Both operate at a frequency of 500 MHz.
D. Both support speeds of at least 1 Gigabit.
E. Both support speeds up to 10 Gigabit.

Question 52 - Answer: C

Refer to the exhibit.

R3#show ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
1.1.1.1           1   2WAY/DROTHER    00:00:35    172.16.10.1     GigabitEthernet0/0
2.2.2.2           1   2WAY/DROTHER    00:00:35    172.16.10.2     GigabitEthernet0/0
4.4.4.4           1   FULL/BDR        00:00:35    172.16.10.4     GigabitEthernet0/0
5.5.5.5           1   FULL/DR         00:00:35    172.16.10.5     GigabitEthernet0/0

R5 is the current DR on the network, and R4 is the BDR. Their interfaces are flapping, so
a network engineer wants the OSPF network to elect a different DR and BDR. Which set
of configurations must the engineer implement?

Option A
R4(config)#interface gi0/0
R4(config-if)#ip ospf priority 20
R5(config)#interface gi0/0
R5(config-if)#ip ospf priority 10

Option B
R2(config)#interface gi0/0
R2(config-if)#ip ospf priority 259
R3(config)#interface gi0/0
R3(config-if)#ip ospf priority 256

Option C
R3(config)#interface gi0/0
R3(config-if)#ip ospf priority 255
R2(config)#interface gi0/0
R2(config-if)#ip ospf priority 240

Option D
R5(config)#interface gi0/0
R5(config-if)#ip ospf priority 120
R4(config)#interface gi0/0
R4(config-if)#ip ospf priority 110

A. Option A
B. Option B
C. Option C
D. Option D

Explanation: We need to increase the priority of R1, R2 or R3 router so that they would win the
DR/BDR election. The priority determines which routers are selected as the area’s DR and BDR, and
can range from 0 to 255 -> Option B is not correct while Option C is correct.

Question 53 - Answer: E

Refer to the exhibit.

R1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is 192.168.30.10 to network 0.0.0.0

192.168.30.0/29 is subnetted, 2 subnets
C 192.168.30.0 is directly connected, FastEthernet0/0
C 192.168.30.8 is directly connected, Serial0/0.1
192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
O IA 192.168.10.32/28 [110/193] via 192.168.30.10, 00:11:34, Serial0/0.1
O IA 192.168.10.0/27 [110/192] via 192.168.30.10, 00:11:34, Serial0/0.1
192.168.20.0/30 is subnetted, 1 subnets
O IA 192.168.20.0 [110/128] via 192.168.30.10, 00:11:34, Serial0/0.1
192.168.50.0/32 is subnetted, 1 subnets
C 192.168.50.1 is directly connected, Loopback0
O*IA 0.0.0.0/0 [110/84] via 192.168.30.10, 00:11:21, Serial0/0.1

What is the metric of the route to the 192.168.10.33/28 subnet?

A. 84
B. 110
C. 128
D. 192
E. 193

Explanation: In the line "O IA 192.168.10.32/28 [110/193] via 192.168.30.10, 00:11:34,
Serial0/0.1", the metric is the second value inside the square brackets (the first value, 110, is
the administrative distance).
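The lookup behind this answer, as an added example that is not part of the original page: it parses the exhibit's routing table and returns the administrative distance and metric for a destination. It goes one step beyond the explanation by applying longest-prefix match to pick the entry; the function names are illustrative.

```python
import ipaddress
import re

# Route lines copied from the exhibit above (R1#show ip route).
SHOW_IP_ROUTE = """\
192.168.30.0/29 is subnetted, 2 subnets
C 192.168.30.0 is directly connected, FastEthernet0/0
C 192.168.30.8 is directly connected, Serial0/0.1
192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
O IA 192.168.10.32/28 [110/193] via 192.168.30.10, 00:11:34, Serial0/0.1
O IA 192.168.10.0/27 [110/192] via 192.168.30.10, 00:11:34, Serial0/0.1
192.168.20.0/30 is subnetted, 1 subnets
O IA 192.168.20.0 [110/128] via 192.168.30.10, 00:11:34, Serial0/0.1
192.168.50.0/32 is subnetted, 1 subnets
C 192.168.50.1 is directly connected, Loopback0
O*IA 0.0.0.0/0 [110/84] via 192.168.30.10, 00:11:21, Serial0/0.1
"""

# "x.x.x.x/len is subnetted": supplies the mask for entries printed without one.
HEADER = re.compile(r"^\s*\d+\.\d+\.\d+\.\d+/(\d+) is (?:variably )?subnetted")
# Route code, network, optional /len, then either [AD/metric] or "is directly connected".
ROUTE = re.compile(
    r"^[A-Za-z*]+(?: [A-Za-z0-9]+)?\s+(\d+\.\d+\.\d+\.\d+)(?:/(\d+))?\s+"
    r"(?:\[(\d+)/(\d+)\]|is directly connected)"
)

def parse_routes(text):
    """Return a list of (network, admin_distance, metric) tuples."""
    routes, parent_len = [], None
    for line in text.splitlines():
        if (h := HEADER.match(line)):
            parent_len = h.group(1)
            continue
        if not (m := ROUTE.match(line)):
            continue
        addr, plen, ad, metric = m.groups()
        net = ipaddress.ip_network(f"{addr}/{plen or parent_len}")
        # Connected routes print no [AD/metric]; both are 0 for them.
        routes.append((net, int(ad or 0), int(metric or 0)))
    return routes

def lookup(routes, destination):
    """Longest-prefix match: the most specific network containing the address."""
    dest = ipaddress.ip_address(destination)
    matches = [r for r in routes if dest in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen, default=None)

if __name__ == "__main__":
    net, ad, metric = lookup(parse_routes(SHOW_IP_ROUTE), "192.168.10.33")
    print(f"{net}: administrative distance {ad}, metric {metric}")
```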

Question 54

Drag and drop the AAA terms from the left onto the description on the right.

Answer:

+ tracks activity: accounting
+ verifies access rights: authorization
+ updates session attributes: CoA
+ verifies identity: authentication

Explanation

AAA stands for Authentication, Authorization and Accounting.

+ Authentication: Specify who you are (usually via login username & password)
+ Authorization: Specify what actions you can do, what resource you can access
+ Accounting: Monitor what you do, how long you do it (can be used for billing and auditing)

RADIUS CoA (Change of Authorization) is a feature that allows a RADIUS server to adjust an active
client session.

Question 55 - Answer: D

Which access layer threat-mitigation technique provides security based on identity?

A. using a non-default native VLAN
B. Dynamic ARP Inspection
C. DHCP snooping
D. 802.1x

Explanation

802.1X is a network authentication protocol that opens ports for network access when an
organization authenticates a user’s identity and authorizes them for access to the network. The
user’s identity is determined based on their credentials or certificate, which is confirmed by the
RADIUS server.
