CCNA 200-301 Practice Test Questions

The document contains a practice test for the CCNA 200-301 exam, covering various networking topics such as Spanning Tree Protocol, DHCP snooping, OSPF, and TCP/UDP differences. It includes questions with correct answers and explanations for key concepts in network access, fundamentals, security, and connectivity. Each question addresses specific networking scenarios and configurations relevant to the CCNA certification.

CCNA 200-301 Practice Test 1 - Results

Question 1
What command is used to manually select a root port on a local switch?
spanning-tree vlan 10 priority 128
spanning-tree vlan 10 port cost 5
spanning-tree vlan 10 pathcost 5
Correct answer
spanning-tree vlan 10 cost 5

General explanation
STP selects a forwarding path to the root bridge from all neighbor
switches. BPDUs are sent from the root bridge and each interface adds a
cost to the frame, calculated from the interface speed. For example,
1000 Mbps has a default port cost of 4. If you have SW-1 -> SW-2 ->
SW-3 -> root bridge, then the path cost from SW-1 is 12: a cumulative
cost of 4 (1000 Mbps) times three links.
Configuring an interface with a lower port cost using the spanning-tree
vlan cost command affects how traffic is forwarded to the root bridge.
RPVST+ elects a root bridge per VLAN and interface cost is calculated per
VLAN. For example, configure the spanning-tree vlan 10 cost 5 command on
Gi1/1 to select Gi1/2 as the root port on a local switch. This is despite
the fact that both interfaces have the same bandwidth and Gi1/1 has the
lower port ID. The tie breaker is the switch port with the lowest port
ID, and that is Gi1/1 for default root port selection. This
configuration change enables forwarding to the root bridge via Gi1/2
instead, since Gi1/1 is now assigned a higher port cost. Conversely, the
priority command is configured on a switch to select the root port on a
downstream neighbor. The default spanning tree port priority assigned to
all switch ports is 128.

Domain
Network Access
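The root-port rule from Question 1 (lowest cumulative root path cost, lowest port ID as the tie breaker) worked through in code. This is an added example and not part of the original test; the port names, link speeds, received root costs and the cost override are constructed. It deliberately follows the simplified tie-break the explanation gives; the full IEEE order also compares the upstream bridge ID and the sender's port ID before the local port ID.

```python
"""Root-port selection on a local switch, following the Q1 explanation:
the port with the lowest cumulative root path cost wins, and the lowest
port ID (priority.number) breaks a tie. Added example, not code from the
original test; port names, speeds and costs below are constructed.
Simplification: the full IEEE tie-break order also compares the upstream
bridge ID and the sender's port ID before the local port ID."""
from dataclasses import dataclass
from typing import List, Optional

# IEEE 802.1D short-method default port costs, keyed by link speed in Mbps.
DEFAULT_PORT_COST = {10: 100, 100: 19, 1000: 4, 10000: 2}


@dataclass
class Port:
    name: str                  # e.g. "Gi1/1"
    number: int                # port-number half of the port ID
    speed_mbps: int
    received_root_cost: int    # root path cost carried in the BPDU received here
    priority: int = 128        # default spanning tree port priority
    cost_override: Optional[int] = None  # set by "spanning-tree vlan <n> cost <c>"

    def port_cost(self) -> int:
        """Cost this interface adds: the configured override, else the speed default."""
        if self.cost_override is not None:
            return self.cost_override
        return DEFAULT_PORT_COST[self.speed_mbps]

    def root_path_cost(self) -> int:
        """Cumulative cost to the root bridge via this port."""
        return self.received_root_cost + self.port_cost()


def select_root_port(ports: List[Port]) -> str:
    """Name of the port chosen as root port: lowest cost, then lowest port ID."""
    best = min(ports, key=lambda p: (p.root_path_cost(), p.priority, p.number))
    return best.name


def cumulative_cost(link_speeds_mbps: List[int]) -> int:
    """Path cost over a chain of links, e.g. SW-1 -> SW-2 -> SW-3 -> root."""
    return sum(DEFAULT_PORT_COST[s] for s in link_speeds_mbps)


if __name__ == "__main__":
    # Both uplinks are 1 Gbps directly to the root bridge (received root cost 0).
    gi11 = Port("Gi1/1", 1, 1000, 0)
    gi12 = Port("Gi1/2", 2, 1000, 0)
    print("default:", select_root_port([gi11, gi12]))                     # Gi1/1
    gi11_cost5 = Port("Gi1/1", 1, 1000, 0, cost_override=5)
    print("after cost 5 on Gi1/1:", select_root_port([gi11_cost5, gi12]))  # Gi1/2
    print("three 1 Gbps links:", cumulative_cost([1000, 1000, 1000]))      # 12
```

With equal costs the lower port ID (Gi1/1) wins; raising Gi1/1's cost to 5 makes its root path cost 5 against 4 on Gi1/2, so Gi1/2 becomes the root port exactly as the explanation states.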

Question 2
What cable type is required to connect the same device type?
Correct answer
crossover
rollover
straight-through
serial
SFP
General explanation
Most of the cabling currently deployed in a modern network is
straight-through copper. That is the cabling type used for connecting
host endpoints and access points to a network switch.
A crossover cable is used when connecting two switches or two routers,
for example. The straight-through cable is used to connect dissimilar
devices such as switch to router or host to switch. Network devices from
the same class are connected with a crossover cable type. Connecting
switch to switch, for example, would require a crossover cable to flip
the Tx and Rx pins. There are a variety of WAN cables that are customized
for each protocol standard. Most have been based on a serial interface
standard.

The rollover cable is a Cisco proprietary cable designed specifically for
connecting to the console port of a Cisco device. It is often used for
initial configuration and where remote management isn't an option.
Terminal emulation software is available with PuTTY or SecureCRT. There
are transceivers such as SFP that support a variety of cable types and
network media such as fiber.
Domain
Network Fundamentals

Question 3
What two services are provided by DHCP snooping? (select two)
Correct selection
permit DHCP OFFER messages on trusted ports
detect Layer 2 broadcast storms
detect ARP spoofing activity
Correct selection
prevent DHCP server spoofing
General explanation
DHCP snooping prevents unauthorized (rogue) hosts from spoofing a
legitimate DHCP server in a man-in-the-middle (MITM) attack. The rogue
machine responds to DHCP DISCOVER and DHCP REQUEST messages from DHCP
clients on the local subnet before a legitimate DHCP server does. This is
the result of the DHCP server being located on a different subnet than
the clients.
DHCP snooping is a Layer 2 security feature that acts like a firewall
between DHCP clients and DHCP servers. The feature builds a database
table on the switch with IP-to-MAC bindings and VLAN membership.
This is accomplished using information extracted from DHCP messages
intercepted between client and DHCP server. DHCP snooping drops DHCP
OFFER messages on an untrusted switch port, and drops client messages
when the source MAC address of the host does not match the binding table
entry. This prevents DHCP server spoofing from a rogue machine connected
to a switch.
DHCP snooping is configured per VLAN on Cisco switches. All access edge
(host) switch ports are untrusted by default, and uplinks to network
devices should be explicitly configured as trusted. DHCP DISCOVER and
REQUEST messages from hosts are only forwarded to the DHCP server via
trusted interfaces. DHCP OFFER messages from a DHCP server are only
permitted on trusted switch ports.
Configure DHCP snooping globally on the switches and also enable it on at
least one VLAN. This should be done as the last step, so that DHCP
service is not disrupted while the rest of the configuration is in
progress.
switch(config)#ip dhcp snooping
switch(config)#ip dhcp snooping vlan 1,10
The following interface-level commands configure a trusted interface on
the forwarding path to a DHCP server and enable rate limiting. This would
also include the switch port connected to the DHCP server. This feature
is supported on access, trunk, and EtherChannel physical interfaces.
switch(config-if)#ip dhcp snooping trust
switch(config-if)#ip dhcp snooping limit rate 100

Domain
Security Fundamentals
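A small simulation of the forwarding decisions described for Question 3: server messages are dropped on untrusted ports, client messages are checked against the frame's source MAC and the binding table, and bindings are learned from ACKs arriving on the trusted uplink. This is an added example and not code from the original test or from Cisco; the port names, MAC addresses, IP addresses and the message exchange are constructed.

```python
"""Simulation of the DHCP snooping decisions the Q3 explanation describes:
OFFER/ACK/NAK are dropped on untrusted ports, client messages must carry a
source MAC equal to the DHCP chaddr and must arrive on the port their
binding was learned on, and bindings are learned from ACKs seen on trusted
ports. Added example, not from the original test; ports, MACs, IPs and the
exchange below are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

SERVER_MSGS = {"OFFER", "ACK", "NAK"}


@dataclass
class DhcpMessage:
    kind: str         # DISCOVER, OFFER, REQUEST, ACK, NAK, RELEASE, DECLINE
    src_mac: str      # Ethernet source address of the frame
    chaddr: str       # client hardware address field inside the DHCP payload
    port: str         # ingress switch port
    vlan: int
    yiaddr: str = ""  # address assigned in an OFFER/ACK


@dataclass
class SnoopingSwitch:
    snooping_vlans: Set[int]
    trusted_ports: Set[str] = field(default_factory=set)
    # Binding table: (vlan, client MAC) -> (IP, port the client was learned on)
    bindings: Dict[Tuple[int, str], Tuple[str, str]] = field(default_factory=dict)
    # Clients with a DISCOVER/REQUEST in flight: (vlan, MAC) -> ingress port
    pending: Dict[Tuple[int, str], str] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

    def handle(self, m: DhcpMessage) -> bool:
        """Return True if the message is forwarded, False if dropped (and logged)."""
        if m.vlan not in self.snooping_vlans:
            return True  # snooping not enabled on this VLAN: no inspection
        if m.port in self.trusted_ports:
            if m.kind == "ACK":
                client_port = self.pending.pop((m.vlan, m.chaddr), None)
                if client_port is not None:
                    self.bindings[(m.vlan, m.chaddr)] = (m.yiaddr, client_port)
            return True
        # Everything below arrives on an untrusted (host-facing) port.
        if m.kind in SERVER_MSGS:
            self.log.append(f"DROP {m.kind} on untrusted {m.port}: rogue DHCP server")
            return False
        if m.src_mac != m.chaddr:
            self.log.append(f"DROP {m.kind} on {m.port}: src MAC {m.src_mac} != chaddr {m.chaddr}")
            return False
        bound = self.bindings.get((m.vlan, m.chaddr))
        if bound is not None and bound[1] != m.port:
            self.log.append(f"DROP {m.kind} on {m.port}: {m.chaddr} is bound to {bound[1]}")
            return False
        if m.kind in ("DISCOVER", "REQUEST"):
            self.pending[(m.vlan, m.chaddr)] = m.port
        return True

    def binding_for(self, vlan: int, mac: str) -> Optional[Tuple[str, str]]:
        return self.bindings.get((vlan, mac))


def run_exchange() -> SnoopingSwitch:
    """Constructed exchange: a legitimate lease on Gi1/1 plus two spoof attempts from Gi1/2."""
    sw = SnoopingSwitch(snooping_vlans={10}, trusted_ports={"Gi1/24"})
    client, rogue, server = "aa:aa:aa:00:00:01", "bb:bb:bb:00:00:02", "cc:cc:cc:00:00:03"
    sw.handle(DhcpMessage("DISCOVER", client, client, "Gi1/1", 10))
    sw.handle(DhcpMessage("OFFER", rogue, client, "Gi1/2", 10, "10.0.10.99"))   # dropped
    sw.handle(DhcpMessage("OFFER", server, client, "Gi1/24", 10, "10.0.10.50"))
    sw.handle(DhcpMessage("REQUEST", client, client, "Gi1/1", 10))
    sw.handle(DhcpMessage("ACK", server, client, "Gi1/24", 10, "10.0.10.50"))
    sw.handle(DhcpMessage("RELEASE", client, client, "Gi1/2", 10))              # dropped
    return sw


if __name__ == "__main__":
    switch = run_exchange()
    print(switch.bindings)
    print("\n".join(switch.log))
```

The two log lines are the events a switch would raise: the OFFER from the host port (the server-spoofing case the question asks about) and the RELEASE for a client whose binding belongs to a different port. A VLAN not listed in snooping_vlans is passed through untouched, which is why the explanation insists on enabling snooping per VLAN.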
Question 4
What three IOS commands will display the operational status of IPv4
configured addresses? (select three)
show interfaces trunk
Correct selection
show protocols
Correct selection
show interfaces
show running-config
Correct selection
show ip interface brief
General explanation
The operational status (up/up) of any Cisco network interface can be
verified with the following IOS commands:
show ip interface brief
show protocols
show interfaces
The purpose of show running-config is only to verify how a network
interface is configured (administrative status).
The show interfaces trunk command only displays the operational
status of a switch interface with trunk mode enabled (Layer 2).
Domain
Network Fundamentals

Question 5
What IOS command enables CDP globally after it has been disabled?
cdp enable
Correct answer
cdp run
service cdp
cdp
General explanation
CDP is a Layer 2 Cisco proprietary neighbor discovery protocol. Its
purpose is to discover the configuration and detect the operational
status of directly connected Cisco devices. CDP sends multicast frames
using a reserved MAC address to all neighbors at 60-second intervals. It
also confirms that the connection between the local and neighbor
interface is operational at Layer 2 (data link).

CDP Operational Features
• Neighbor discovery
• Power negotiation
• IP phone configuration
• Detect duplex mismatch
• Detect native VLAN mismatch
A Cisco IP phone appears to CDP as a unique neighbor device with an IP
address assigned. During the phone boot process, the IP phone receives
its voice VLAN configuration from the switch. CDP is also used to
negotiate the power level (PoE) between the switch and powered devices
such as wireless access points and IP phones.

There is some error detection available with CDPv2, including duplex
mismatch and native VLAN mismatch on a trunk. An SNMP agent with a
defined CDP MIB allows monitoring software to query devices for
information. CDP must be enabled on switches with a Cisco IP Phone
connected so the phone can download its configuration.
CDP Neighbor Information
The output from the show cdp neighbor command displays a list of all
connected neighbors, provided the neighbor does not have CDP disabled on
the connected interface. Switch ports assigned the STP blocking state are
unaffected by CDP. Additional neighbor configuration information is
available with the show cdp neighbor detail command. The detail keyword
displays the following information.
• IOS version number
• Hardware platform
• Hardware capabilities
• IP address of connecting interface
• Local Interface sending CDP frame
• Remote Interface receiving CDP frame
• Port ID
• Frame polling interval
• Device type
• Device hostname
CDP is enabled globally by default on Cisco devices, including the
network interfaces. The following IOS command enables CDP globally on the
network device, including all interfaces, if it has been disabled.
switch(config)# cdp run
The following interface-level IOS command enables CDP on a specific
interface only.
switch(config-if)# cdp enable
Domain
Network Access
Question 6
What are two possible reasons why routers cannot establish an OSPF
adjacency? (select two)
incorrect process ID
there is no area 0
incorrect wildcard mask
Correct selection
hello timer mismatch
Ethernet interface is point-to-point network type
Correct selection
duplicate router ID
General explanation
OSPF hello timers must match on the interfaces of directly connected
neighbors.
The OSPF router ID must be unique for neighbors to form an adjacency. In
fact, the router ID must be unique across the routing domain.
Single-area OSPF allows any number to be assigned to the area. Only
multi-area OSPF requires an area 0. The process identifier is only
locally significant, and an Ethernet interface can be assigned the
point-to-point network type. That is configured instead of the broadcast
network type when neighbors are directly connected across a WAN.
The OSPF network area command enables interfaces to advertise routes
based on a subnet and wildcard mask. Any interface that is not within the
subnet range defined by the wildcard mask won't advertise OSPF routes.
That does not, however, prevent adjacency as long as the physical
interfaces are in the same subnet. OSPF neighbors can form an adjacency
and not necessarily advertise any routes.
Domain
IP Connectivity

Question 7
What is the primary purpose of OSPF router ID? (select the best answer)
Correct answer
identify OSPF router to routing domain
identify OSPF process ID to neighbors
identify OSPF router to backbone area
identify OSPF routes assigned to an interface
identify OSPF hello packets
General explanation
OSPF routers must be assigned a router ID that is a unique identifier
within an OSPF routing domain. Each router is identified by its router ID
in the OSPF link state database generated for each area. The router ID is
advertised in routing updates to identify where routes originate. It is
only a 32-bit dotted-decimal label and is not advertised as a route.
The following commands configure a router ID for an OSPF process. A
duplicate router ID prevents FULL adjacency between directly connected
neighbors. It also causes routing inconsistencies and convergence errors
when it is not unique across the routing domain.
router ospf 1
router-id [Link]
Domain
IP Connectivity

Question 8
What spanning tree protocol enhancement will prevent switching loops?
BPDU Filter
Correct answer
BPDU guard
PortFast
Root guard
General explanation
The purpose of spanning tree protocol is to prevent switching loops that
cause broadcast storms. There are also enhancements that provide services
to optimize spanning tree operation. BPDU guard and Loop guard are the
only enhancements that will shut down a port to prevent switching loops.
PortFast is implemented on edge ports to transition them to the
forwarding state for faster convergence. BPDU Filter disables spanning
tree and could actually cause switching loops in some topologies. Root
guard prevents a switch from being elected root bridge and does not
prevent switching loops.

Domain
Network Access

Question 9
What are two advantages of private RFC 1918 addressing? (select two)
Correct selection
conserve address space
multiple address classes
internet connectivity
Correct selection
network security
easier to manage
General explanation
The primary advantages of private RFC 1918 addressing are address
conservation and network security. Only RFC 1918 addresses are assigned
to internal hosts and network devices. They are assigned to a privately
managed routing domain that is not routable across the internet. As a
result, the same addresses are assignable to different companies. Only
public addressing is uniquely assigned. There is added security since the
private addresses are not exposed to the internet.
Domain
Network Fundamentals

Question 10
What would prevent any VLAN interface from becoming operational
(up/up) on a switch?
assigning VLAN to a routed port
assigning VLAN to a trunk port
assigning VLAN to an access port
Correct answer
assigning VLAN to a switch port that is not active
General explanation
VLAN interfaces transition to the up/up state when at least one switch
port in that VLAN is active. This is referred to as autostate. VLAN
interfaces serve as the default gateway for VLANs on a switch and also
support HSRP. The VLAN must exist and be assigned to either an access
port or a trunk port that is up/up (operational).
VLANs are not supported on routed ports of a multilayer switch.
(CCNA exam: read the question carefully)
The trunk interface must also be configured to allow the VLAN. There is
synchronization with spanning tree protocol as well: a VLAN interface
only becomes active once the STP election (convergence) has completed and
the forwarding state is enabled. This prevents routing protocols from
forwarding packets to a VLAN interface and causing routing black holes.
The following is an example of VLAN interface (SVI) configuration on a
Cisco multilayer switch for assigning a default gateway to VLAN 10.
vlan 10
!
interface Gi0/0
 switchport mode access
 switchport access vlan 10
!
interface vlan 10
 description default gateway for VLAN 10
 ip address [Link] [Link]
Domain
IP Connectivity

Question 11
What route is selected in the routing table for packets arriving with
[Link] as destination IP address?
[Link]/26
[Link]/25
[Link]/28
Correct answer
[Link]/27
General explanation
The longest prefix match rule is used to select a route already
installed in the routing table as a forwarding decision. Each route has
a specific network address and prefix (subnet mask) length.
The route with longest prefix is selected from multiple
routes within range of the destination IP address. This refers to the
match portion since a route can have a longer prefix and IP addressing
that is out of range.
For example, [Link]/28 and [Link]/27 have the same network
address with different prefix lengths.
For packets arriving with [Link] as destination IP address, the router
would select [Link]/27 instead of [Link]/28 route. This will occur
despite the fact that [Link]/28 has a longer prefix since it is out of
range.

[Link]/27
[Link] - [Link]
[Link] (broadcast address)
([Link] is within range of [Link] - [Link])
---------------------------
[Link]/28
[Link] - [Link]
[Link] (broadcast address)
([Link] is not within range of [Link] - [Link] )
---------------------------
The router would select [Link]/28 route if it were advertised, since
destination IP address is within range and route has longer prefix.
[Link]/28
[Link] - [Link]
[Link] (broadcast address)
([Link] is within range of [Link] - [Link])
Know subnetting for the CCNA exam since it is required for multiple
different topics.
Domain
IP Connectivity
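The longest-prefix-match rule from Question 11 implemented with the standard ipaddress module, using constructed routes and destinations in place of the addresses redacted above. This is an added example, not code from the original test: it reproduces the case where a /28 with a longer prefix is out of range and loses to a /27, the case where an in-range /28 would win if advertised, and the no-route case in which the packet is discarded.

```python
"""Longest-prefix-match lookup as the Q11 explanation describes: only routes
whose range contains the destination are candidates, and the longest prefix
among them wins, so a longer prefix that is out of range never matches.
Added example, not from the original test; the routes and destination
addresses are constructed."""
import ipaddress
from typing import List, Optional, Tuple


def build_table(prefixes: List[str]) -> List[ipaddress.IPv4Network]:
    """Parse CIDR strings into networks; strict=False tolerates host bits set."""
    return [ipaddress.ip_network(p, strict=False) for p in prefixes]


def longest_prefix_match(table, destination: str) -> Optional[ipaddress.IPv4Network]:
    dst = ipaddress.ip_address(destination)
    candidates = [net for net in table if dst in net]       # the "match" part
    if not candidates:
        return None  # no route and no default route: the packet is discarded
    return max(candidates, key=lambda net: net.prefixlen)   # the "longest" part


def lookup(prefixes: List[str], destination: str) -> Optional[str]:
    best = longest_prefix_match(build_table(prefixes), destination)
    return str(best) if best is not None else None


def subnet_range(prefix: str) -> Tuple[str, str, str]:
    """(first host, last host, broadcast) for a prefix, like the ranges listed above."""
    net = ipaddress.ip_network(prefix, strict=False)
    return (str(net.network_address + 1),
            str(net.broadcast_address - 1),
            str(net.broadcast_address))


if __name__ == "__main__":
    table = ["172.16.0.0/25", "172.16.0.0/26", "172.16.0.32/27", "172.16.0.48/28"]
    print(lookup(table, "172.16.0.40"))                        # 172.16.0.32/27
    print(lookup(table + ["172.16.0.32/28"], "172.16.0.40"))  # 172.16.0.32/28
    print(lookup(table, "172.16.0.200"))                       # None: discarded
    print(subnet_range("172.16.0.48/28"))  # ('172.16.0.49', '172.16.0.62', '172.16.0.63')
```

172.16.0.48/28 covers .49 to .62, so 172.16.0.40 is outside it and the /27 (.33 to .62) is selected; once a 172.16.0.32/28 route exists it contains .40 and wins on prefix length. Adding 0.0.0.0/0 to the table turns the discard case into a default-route forward, the distinction Question 14 is about.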

Question 12
What are three primary differences between TCP and UDP? (select three)
Correct selection
TCP provides flow control and error correction
Correct selection
TCP is connection-oriented
TCP provides best effort delivery model
TCP is preferred for video streaming
Correct selection
TCP provides retransmission of dropped packets
TCP is faster than UDP
General explanation
TCP provides reliable, connection-oriented connectivity with error
recovery, flow control and retransmission. The purpose is to detect,
prevent and correct packet drops. It is less efficient than UDP, with
increased overhead and packet processing. TCP increases latency for
applications with flow control and retransmission.
UDP is much faster than TCP; however, it is connectionless with lower
latency and only best effort delivery. It is suited to applications where
some packet loss is acceptable, such as voice and video streaming. There
is a data integrity check performed with the CRC/FCS checksum on arriving
frames. UDP datagrams with errors are discarded, so only error detection
is provided.
All network applications are designed for either the TCP or UDP
transport protocol. There are UDP applications; however, they are often
network protocols such as SNMP and NTP, for example.
Domain
Network Fundamentals

Question 13
What occurs after the host client is assigned a DHCP address and before it
can connect to a server?
proxy ARP
Correct answer
DNS query
DHCP lease
MAC address table update
General explanation
There are various network addressing services that enable network
communication. DNS is a network protocol that resolves a hostname to an
unknown IP address. For example, web-based applications are based on
domain names and hostnames that must be resolved (mapped) to an IP
address. There are network services such as NTP, DHCP, and TFTP as well
that rely on DNS for proper operation. IP addresses enable routing of
packets between subnets, so they are fundamental to data communications.
A DNS query is sent to the DNS server, which resolves the IP address of
the server. That occurs after the client receives IP addressing from a
DHCP server. The DNS server resolves the hostname and returns the
destination IP address of the server, which is added to the IP packet
header. An ARP broadcast is then sent to learn the MAC address of the
server based on the known IP address.
Domain
IP Services

Question 14
When does a router discard a packet? (select the best answer)
no connected route exists
Correct answer
no default route exists
no static route exists
no OSPF route exists
no destination IP address exists in IP header
General explanation
The router will discard a packet when there is no route at all. That would
include dynamic routes (OSPF etc.), static route and finally default route.
All packets forwarded from any source must have a destination IP address
in IP header or they are not sent at all.
Domain
IP Connectivity

Question 15
What OSPF network type is assigned to Ethernet network interfaces of
directly connected OSPF neighbors?
Correct answer
broadcast
point-to-multipoint
multipoint
point-to-point
General explanation
You can enable OSPF globally or per interface, however both methods
assign interface/s to an OSPF process. IGP routing protocols are based on
network interfaces as opposed to the physical device. OSPF router
interfaces all connect to an area. They also exchange routing updates with
all directly connected OSPF neighbors. There are some exceptions where a
configuration is per routing domain such as reference bandwidth.
OSPF automatically assigns network type based on the network interface
media. For example, broadcast network type is assigned to an Ethernet
interface independent of the network topology. Ethernet is a multi-
access broadcast network where multiple routers are assigned to a
broadcast domain. The purpose of a VLAN is to create a Layer 2 broadcast
domain on a network switch. OSPF automatically elects DR/BDR routers on
a broadcast network to send routing updates.
There are Serial interfaces as well that are assigned point-to-point network
type. It is not a shared broadcast link as with an Ethernet segment. Serial
interfaces connect only to a single neighbor on a point-to-point link and DR
election is not required.
Domain
IP Connectivity

Question 16
Select three network overlays.
Correct selection
CAPWAP
OSPF
multilayer switch
Correct selection
IPsec VPN
Correct selection
VXLAN
General explanation
Cisco has recently started promoting the idea of a switching fabric for
data center network access. It describes a full-mesh interconnect
topology between leaf and spine switches, called Spine-Leaf (Clos)
architecture. It is characterized by low latency, redundancy, load
balancing and scalability. Each leaf switch is directly connected to all
spine switches for a single-hop topology architecture.
Network Underlay
The underlay is the physical hardware and network protocols. The
switching fabric is a physical underlay designed for high-speed transport
of east-west traffic within a data center. In fact, east-west (server to
server) traffic accounts for most on-premises and internet data
throughput. It is called an underlay when there is a fabric overlay built
on top of it. Some examples of underlay components include switches,
routers, DTP, STP, and OSPF.
• Network access used for data transport
• Based on full mesh interconnection topology
• Comprised of network devices, protocols and configuration
• Network devices must support programmability
• Physical server endpoints and virtual (VM) servers not part of underlay
Network Overlay
There is a fabric overlay that is built on top of (or over) an underlay.
An overlay is comprised of multiple virtual interconnects between
endpoints. In the context of overlays, an endpoint can be either a host
or a network device. The overlay virtual connections are enabled with
encapsulation from protocols such as IPsec VPN, CAPWAP, and VXLAN.
So, an overlay is software-based and comprised of network protocols and
overlay address tables. Consider that overlays logically create single
point-to-point connections between leaf switches and a single spine
switch. That same topology has multiple physical connections from leaf
switches to all spine switches. The purpose of overlays is to solve
limitations inherent in physical switch topologies such as STP, routing
loops, broadcasts and address overlap. In addition, it enables
multi-tenant service and enhanced mobility. Cisco Catalyst Center is the
management plane architecture for fabric overlays.
Domain
Automation and Programmability

Question 17
What are two advantages of Network Address Translation? (select two)
enables security of packets while in transit across the internet
eliminates the need for DHCP requests
Correct selection
eases management of internet connectivity
Correct selection
conceals private IP address assignments from the internet
increases the private IP address space that can be assigned
General explanation
The primary advantage of NAT is to map multiple private IP addresses to a
single or multiple public routable IP addresses. The ISP does not have a
public routable IP address available for every private IP address. NAT
allows for configuring a pool of public IP addresses. The private IP address
is dynamically mapped for that internet session only. As a result there is
no requirement to re-address local hosts for internet access.
The NAT translation has the advantage of protecting the private IP address
assignments. The private addresses are concealed, providing additional
security for internet connectivity. The remote hosts send packets to the
public destination IP address.
Domain
IP Services

Question 18
What are two differences between virtual machines (VM) and containers in
the cloud? (select two)
containers provide more security and support multiple applications
Correct selection
containers are much faster than VMs
Correct selection
containers delete data when shutdown
VMs require less memory and CPU utilization than containers
containers do not share host operating system

General explanation
Virtual Machine (virtualized server)
The primary components of a virtualized solution include the hypervisor,
virtual machine (VM) and server hardware. The number of virtual machines
(VM) that can be supported on a single server is based on memory, CPU,
network interface, and hard disk space. The server hardware at data
centers is often not 100% utilized. The advent of server virtualization
has consolidated applications onto fewer physical servers. It is cost
effective and optimizes available hardware.
The virtual machine (VM) is a separate logical machine with its own guest
operating system and application. The request for server hardware is
made to the hypervisor. Each virtual machine is assigned a percentage of
CPU, memory, disk space, and interface bandwidth. This is based on
application requirements. There are often multiple virtual machines (VM)
installed on each physical server. Virtual machines are packaged with an
application and operating system that is already configured.
• Single/multiple applications with guest operating system
• Larger GB file size with VM spin-up in minutes
• Dynamic configuration states with restore function
• Hypervisor shares (mediates) host hardware among VMs
• More stability and security than containers

Containers (virtualized application)
Containerization is a newer architecture that is not based on a
hypervisor. Containers are virtualized applications with a
containerization engine that shares a host operating system (OS) among
single/multiple containers. The containers are packaged with the required
application and system files, but not an operating system. They all share
the host operating system, which virtualizes the operating system for
increased scalability.
• Container engine shares host operating system among containers
• Smaller MB file size with faster container spin-up in msec
• Single application only per container with static configuration
• Lightweight memory/CPU usage that is scalable and portable
• Less security with host operating system sharing
• Data is deleted when shutdown unless backup exists
Containers are faster than virtual machines; however, there is less
security compared with virtual machines. This is the result of sharing a
host operating system. The containers only provide process-level
isolation as a result. The hypervisor architecture makes virtual machines
slower than containers. The primary difference between virtual machines
and containerization is the virtualization architecture. Each virtual
machine packages an application, settings and guest operating system on a
physical server. Multiple virtual machines share (virtualize) server
hardware via hypervisor software. As a result you can deploy multiple
different platforms (Windows, Linux, Ubuntu, etc.) on a physical server.

Domain
Network Fundamentals

Question 19
What cabling media provides the longest distance (range) between
switches?
Twinax
Correct answer
Single-Mode Fiber (SMF)
STP
Multi-Mode Fiber (MMF)
T1
General explanation
Refer to the table that lists popular Ethernet cabling media standards
with media type, speed, and distance specifications. The LAN cabling
media with the longest distance is Single-Mode Fiber (SMF). Most data
center implementations include MMF and SMF cabling for rack connections.
The access layer is comprised mostly of unshielded twisted pair (UTP) and
shielded twisted pair (STP) copper cabling for hosts. Wireless access
points now support 2.5 Gbps and 5 Gbps cabling for compatibility with the
802.11ax standard. There are also serial interfaces such as T1 (1.544
Mbps) and DSL for WAN connectivity between routers. Twinax is a copper
cable that supports 10 Gbps at a maximum distance of 10 m.

Domain
Network Fundamentals

Question 20
What are two primary advantages of single-area OSPF design? (select two)
smaller topology table
less CPU utilization
Correct selection
easier to manage
Correct selection
faster convergence
scalable
General explanation
Single-area OSPF design is easier to manage and troubleshoot. There is
also faster route convergence and performance response time. It is only
suitable for small and medium sized network domains.
There is less scalability however since all routers share a single area and
create larger routing tables. CPU utilization increases as more routers are
added to the area. There is no route summarization and route flapping
affects all routers within a single area.
Domain
IP Connectivity

Question 21
What is the correct syntax for an IPv6 static route?
Correct answer
ipv6 route [Link]/64 [Link]
ipv6 route [Link]/64 2001:/3
ipv6 router [Link] [Link]/64
ip route [Link]/64 [Link]
General explanation
IPv6 packet forwarding must first be enabled globally on the network
device with the ipv6 unicast-routing command. The following commands
configure an IPv6 static route to destination network [Link]/64 with
[Link] as the next hop address.
ipv6 unicast-routing
ipv6 route [Link]/64 [Link]
The following alternate command configures an IPv6 static route with a
local interface as the next hop. The router forwards all packets destined
for the [Link]/64 network address (subnet) out local interface Gig0/0.
ipv6 route [Link]/64 GigabitEthernet0/0
The other option for configuring an IPv6 static route includes a fully
specified next hop IPv6 address. It applies only to a broadcast
(Ethernet) network. The local interface must be specified as well when
the next hop is an IPv6 link-local (FE80::2) address.
ipv6 route [Link]/64 Gig0/0 FE80::2
This table lists examples for different IPv6 route types that are
available.

Domain
Network Fundamentals

Question 22
Refer to the exhibit. What router ID does R1 advertise with a default OSPF
configuration?
R1#show ip interface brief
Interface             IP-Address  OK? Method Status  Protocol
GigabitEthernet0/0/1  [Link]      YES manual up      up
GigabitEthernet0/0/0  [Link]      YES manual up      up
GigabitEthernet0/0/2  [Link]      YES manual up      up
Correct answer
[Link]
[Link]
loopback interface
[Link]
General explanation
In this example, the output from the show ip ospf neighbor command on R2
is used to verify OSPF neighbor adjacency with R1. It confirms that the
router ID assigned to R1 is the highest physical IP address ([Link]) on
that router. There is no loopback interface address configured on R1;
this was verified with the output from the show ip interface brief
command. In addition, there is no manually configured router ID with a
default OSPF configuration. A manual router ID would have taken
precedence over a physical IP address or loopback IP address.
R2#show ip ospf neighbor
Neighbor ID  Pri  State    Dead Time  Address  Interface
[Link]       1    FULL/DR  [Link]     [Link]   GigabitEthernet0/0/0
Domain
IP Connectivity
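The router ID selection order that Question 22 relies on (manual router-id, else highest loopback address, else highest IP address on an up/up physical interface), applied to parsed show ip interface brief output. This is an added example and not code from the original test; the command output embedded below is constructed and is not R1's real output, and it includes an administratively down interface and an unassigned loopback to show that both are skipped.

```python
"""OSPF router ID selection on Cisco IOS in the order the Q22 explanation
gives: a manually configured router-id, else the highest loopback address,
else the highest IP address on an up/up physical interface. Added example,
not from the original test; the show ip interface brief text below is
constructed and is not R1's real output."""
import ipaddress
from typing import List, Optional, Tuple

SAMPLE_BRIEF = """\
Interface              IP-Address  OK? Method Status                Protocol
GigabitEthernet0/0/1   10.1.12.1   YES manual up                    up
GigabitEthernet0/0/0   10.1.13.1   YES manual up                    up
GigabitEthernet0/0/2   10.1.14.1   YES manual administratively down down
Loopback0              unassigned  YES unset  up                    up
"""


def parse_brief(text: str) -> List[Tuple[str, Optional[str], bool]]:
    """Rows of (interface, IP or None, operational up/up) from the command output."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the header line
        parts = line.split()
        if len(parts) < 6:
            continue
        # Status may be two words ("administratively down"), so index from the end.
        name, ip, status, protocol = parts[0], parts[1], parts[-2], parts[-1]
        rows.append((name, None if ip == "unassigned" else ip,
                     status == "up" and protocol == "up"))
    return rows


def _highest(addresses: List[str]) -> Optional[str]:
    """Highest address by numeric value, not string order."""
    if not addresses:
        return None
    return str(max(ipaddress.IPv4Address(a) for a in addresses))


def select_router_id(brief_text: str, manual_router_id: Optional[str] = None) -> Optional[str]:
    if manual_router_id:
        return manual_router_id        # "router-id" under router ospf takes precedence
    rows = parse_brief(brief_text)
    loopbacks = [ip for name, ip, up in rows
                 if name.lower().startswith("loopback") and ip and up]
    if loopbacks:
        return _highest(loopbacks)
    physical = [ip for name, ip, up in rows
                if not name.lower().startswith("loopback") and ip and up]
    return _highest(physical)          # None if no usable interface exists


if __name__ == "__main__":
    print(select_router_id(SAMPLE_BRIEF))                                   # 10.1.13.1
    print(select_router_id(SAMPLE_BRIEF.replace("unassigned", "1.1.1.1")))  # 1.1.1.1
    print(select_router_id(SAMPLE_BRIEF, manual_router_id="9.9.9.9"))       # 9.9.9.9
```

10.1.14.1 is numerically the highest address but its interface is administratively down, so 10.1.13.1 is chosen; giving Loopback0 an address makes that address win regardless of the physical interfaces, and a configured router-id beats both. The order is evaluated when the OSPF process starts, so changing interfaces later does not move the router ID until the process is restarted.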

Question 23
What is the corresponding CRUD operation for an HTTP GET verb?
PUT
POST
PATCH
Correct answer
READ
General explanation
The purpose of CRUD is primarily manipulation of database records for a
variety of traditional application platforms. Recently, it has been adapted
as well for web-based applications. REST APIs are based on HTTP methods
or verbs that perform operations on web-based applications. CRUD
methods are mapped to HTTP verbs for creating REST APIs and compliance
with REST architecture.
You can define a REST API for creating web services based on CRUD
operations as a result. For example, consider an online shopping cart
where CRUD is used to READ a web page where some CCNA books are
listed. The next operation is CREATE to checkout and send payment for
selected item. You could then change your shipping location with an
UPDATE operation. The DELETE operation is used to remove/cancel a
shopping cart session that was started.
Domain
Automation and Programmability

Question 24
What IOS command permits Telnet traffic only between client [Link] and
server [Link]?
access-list 100 permit ip host [Link] host [Link] eq telnet
access-list 100 permit tcp [Link] [Link] host [Link] eq 23
access-list 100 permit tcp host [Link] [Link] any eq 23
Correct answer
access-list 100 permit tcp host [Link] host [Link] eq 23
General explanation
The following IOS command permits Telnet traffic from host [Link] to
host [Link]
access-list 100 permit tcp host [Link] host [Link] eq 23
The access control list (ACL) statement reads from left to right as - permit
all tcp traffic from source host only to destination host that is Telnet (23).
The tcp keyword matches applications that are TCP-based. The udp keyword is
used for applications that are UDP-based, such as SNMP.
------------------------------------------------------------------------------
ACL is incorrect. The 'permit ip' command allows all applications and does
not support individual application ports.
access-list 100 permit ip host [Link] host [Link] eq telnet
------------------------------------------------------------------------------
ACL is incorrect. The host keyword takes a single address, not a subnet, and
any matches all destinations.
access-list 100 permit tcp host [Link] [Link] any eq 23
------------------------------------------------------------------------------
ACL is incorrect. The source is a subnet instead of single host address.
access-list 100 permit tcp [Link] [Link] host [Link] eq 23
------------------------------------------------------------------------------
The following describes components of an extended ACL. The example
ACL shown denies HTTP traffic from hosts on [Link]/24 subnet to any
server.
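Added example, not part of the original practice test: a small Python model of how an extended ACL entry is parsed and then matched against a packet, so the four answer options can be compared on constructed addresses (the question's own addresses are not reproduced above, so 10.1.1.10 and 10.1.2.20 are stand-ins). Only the destination eq port match is modelled, and the names Packet, Ace, parse_ace and evaluate are this example's own, not IOS commands.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Port names IOS accepts in place of a number (small subset, constructed for this example)
PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    dport: int = 0


@dataclass(frozen=True)
class Ace:
    """One access control entry of a numbered extended ACL."""
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None


def _parse_target(tokens: List[str]) -> ipaddress.IPv4Network:
    """Consume 'host A', 'any' or 'A WILDCARD' from the front of the token list."""
    keyword = tokens.pop(0)
    if keyword == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    if keyword == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    wildcard = tokens.pop(0)
    if wildcard == "0.0.0.0":      # single host; ipaddress would read an all-zero mask as /0
        return ipaddress.ip_network(keyword + "/32")
    # ipaddress accepts a host mask (wildcard) after the slash and converts it to a prefix length
    return ipaddress.ip_network(f"{keyword}/{wildcard}", strict=False)


def parse_ace(line: str) -> Ace:
    tokens = line.split()
    if tokens[:1] != ["access-list"] or len(tokens) < 6:
        raise ValueError("expected: access-list <number> <permit|deny> <proto> <src> <dst> [eq <port>]")
    tokens = tokens[2:]                       # drop the keyword and the list number
    action, proto = tokens.pop(0), tokens.pop(0)
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action}")
    src = _parse_target(tokens)
    dst = _parse_target(tokens)
    dport = None
    if tokens:                                # only a destination 'eq <port>' is modelled here
        if tokens[0] != "eq" or proto not in ("tcp", "udp"):
            raise ValueError(f"port match is not valid for protocol {proto}")
        name = tokens[1]
        dport = PORT_NAMES.get(name) or int(name)
    return Ace(action, proto, src, dst, dport)


def is_valid_ace(line: str) -> bool:
    """True when the statement parses, mirroring whether IOS would accept it."""
    try:
        parse_ace(line)
        return True
    except (ValueError, IndexError):
        return False


def matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ace.src:
        return False
    if ipaddress.ip_address(pkt.dst) not in ace.dst:
        return False
    return ace.dport is None or ace.dport == pkt.dport


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for ace in acl:
        if matches(ace, pkt):
            return ace.action
    return "deny"


if __name__ == "__main__":
    client, server = "10.1.1.10", "10.1.2.20"   # constructed addresses
    acl = [parse_ace(f"access-list 100 permit tcp host {client} host {server} eq 23")]
    print(evaluate(acl, Packet(client, server, "tcp", 23)))        # permit
    print(evaluate(acl, Packet("10.1.1.11", server, "tcp", 23)))   # deny: different source host
```

Running the wrong options through the same parser shows why they fail: the permit ip form raises because a port match is not valid for the ip protocol, and the wildcard-mask form permits Telnet from the whole subnet rather than the single client.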
Domain
Security Fundamentals

Question 25
What three IOS commands are mandatory to enable SSHv2 on a Cisco
network device? (select three)
ip ssh v2
crypto generate rsa key
Correct selection
ip domain-name
Correct selection
ip ssh version 2
transport input ssh
Correct selection
crypto key generate rsa
General explanation
The new standard for remote management of Cisco network devices is
SSHv2. Telnet is still available, but it sends session data as clear text
across the network. SSHv2 provides encrypted communication between
source and destination, which is particularly relevant given the
sophistication of attacks. SSH also has separate user authentication,
which improves security. In fact, any internet-facing network interface
should permit only SSH inbound on VTY lines.
Configure SSHv2 for remote management with session encryption.
Step 1: Configure local authentication with privilege level 15 (highest).
username admin privilege 15 password ccnaexam
Step 2: Configure domain name for unique session key name.
ip domain-name [Link]
Step 3: Configure SSH version 2
ip ssh version 2
Step 4: Create 768-bit RSA session encryption key.
crypto key generate rsa
The name for the keys will be: [Link]
Choose the size of the key modulus in the range of 360 to
2048 for your General Purpose Keys. Choosing a key modulus
greater than 512 may take a few minutes.
How many bits in the modulus [512]: 768
Step 5: Enable local authentication on VTY lines and allow only
SSH management protocol inbound.
line vty 0 4
 login local
 transport input ssh
The transport input ssh command is optional; it restricts inbound
management traffic to SSH. The Cisco default is transport input all,
which allows all management protocols. Local authentication must be
configured with a username and password.
Domain
IP Services

Question 26
How does Ansible communicate with network devices when implemented
with Cisco Catalyst Center?
HTTPS
UDP
Correct answer
SSH
ICMP
HTTP
General explanation
The primary difference between configuration management tools is how
network nodes (clients) are updated. Ansible has an agentless architecture:
no software is installed on client nodes. The "push mode" of Ansible
relies on dynamic polling from a server, and communication with network
devices is via the SSH protocol. Cisco DNA Center was renamed Cisco
Catalyst Center.
Domain
Automation and Programmability

Question 27
Refer to the network topology drawing. Select two commands that when
configured on router-1, would provide a static route to network
[Link]/24 connected to router-3? (select two)
ip route [Link] [Link] S0/2
ip route [Link] [Link] S1/1
Correct selection
ip route [Link] [Link] S0/1
Correct selection
ip route [Link] [Link] [Link]
ip route [Link] [Link] [Link]
General explanation
The following are two options for configuring a static route on router-1 to
network address [Link]/24
router-1(config)# ip route [Link] [Link] [Link]
router-1(config)# ip route [Link] [Link] S0/1
The first static route command configures the next hop as the IP address
of a neighbor router interface ([Link]). The second static route
configures the next hop of local exit interface S0/1 (Serial0/1) on router-
1. Wildcard masks are not used when configuring static routes. The correct
format for a static route is the following, with either a next hop address
or a local exit interface (or both) after the mask:
ip route [destination network] [subnet mask] [next hop IP address | local
exit interface]
Domain
IP Connectivity

Question 28
What two statements correctly describe switch trunking operation? (select
two)
enable communication between different subnets
trunking is permitted on Layer 3 EtherChannel
Correct selection
enable communication between the same VLAN only
Correct selection
forward multiple VLANs across Layer 2 domain
enable communication between the same or different VLANs
General explanation
The purpose of a switch trunk is to forward multiple VLANs between
switches across a Layer 2 domain. They enable communication between
the same VLANs only. The switch port must be configured for trunk mode
to enable forwarding of multiple VLANs. That allows communication
between hosts assigned to the same VLAN that span switches. Forwarding
multiple VLANs across a switch link is automatically enabled with 802.1q
VLAN tagging feature.

Static vs Dynamic
There is a choice to configure either static trunking or dynamic trunking.
When static trunking is configured, you are telling the switch to explicitly
turn up a trunk. There is no negotiation, however the same static trunk
configuration must be enabled on the neighbor switch port. The other
option is a dynamic (negotiated) trunk that is conditional based on how
connected switches are configured. Layer 2 EtherChannel supports access
mode and trunk mode interfaces.
The following interface level commands enable static trunking on a switch
interface. The switchport nonegotiate command turns off DTP frames as a
recommended best practice.
switch(config)# interface gigabitethernet0/1
switch(config-if)# switchport mode trunk
switch(config-if)# switchport nonegotiate
Domain
Network Access

Question 29
What router is elected Designated Router (DR) when all have a default
configuration?
router-2 (router ID = [Link])
Correct answer
router-4 (router ID = [Link])
router-1 (router ID = [Link])
router-3 (router ID = [Link])
General explanation
OSPF designated router (DR) advertises routing updates to all connected
spokes on a shared (broadcast) network. The most common example of a
broadcast network type is Ethernet. OSPF DR minimizes routing updates
between OSPF neighbors on a broadcast network. It is a hub router that
advertises routing updates via [Link] multicast address. Consider that
a network broadcast segment refers to a common subnet or VLAN. Cisco
default configuration assigns equal priority 1 to all routers.
Designated Router (DR) Election
1. Router default OSPF priority = 1
2. Router with highest configured OSPF priority is elected DR
3. Router with highest router ID address is elected DR when
priorities are equal. First preference is an explicitly configured
router ID.
4. When no router ID is explicitly configured, the highest loopback address
is assigned as router ID for a router. DR election then compares that router
ID with neighbors for DR election.
5. Router assigns the highest physical interface address as router ID for
OSPF when no loopback interface exists. DR election then compares that
router ID with neighbors for DR election.
6. Router with second highest priority is elected BDR.
7. Router with second highest router ID is elected BDR.
All OSPF routers send routing updates via [Link] multicast address to
DR and BDR routers. The Cisco OSPF priority setting on a default router
configuration has a value of 1. That is assigned to an OSPF enabled
interface. The router priority is configurable to influence DR election. In
this example, router-4 has the highest router ID and is elected
designated router (DR) for [Link] subnet.
Backup Designated Router
OSPF elects Backup Designated Router (BDR) on each broadcast domain.
The purpose of BDR is to provide failover or redundancy to the elected DR.
All routing updates from connected non-DR and non-BDR routers called
spokes, are sent to the DR. The same routing updates are also sent to the
elected BDR. The difference is that BDR never sends updates to spoke
routers. That is only done from the elected DR. Anytime there is a DR
failure, then BDR is automatically assigned as DR for that subnet or VLAN.
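Added example, not part of the original practice test: the router ID preference order from Question 22 (explicit router-id, then highest loopback, then highest physical interface address) and the DR/BDR election steps listed above, written as Python so both can be checked on constructed routers. It models a cold-start election only; on a live segment an existing DR is not preempted by a router with a better priority or ID. The Router class and the elect function are this example's own names, and the rule that priority 0 makes a router ineligible is an OSPF fact assumed here rather than taken from the page.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import List, Optional, Tuple


@dataclass
class Router:
    name: str
    physical: List[str]                   # addresses of up/up physical interfaces
    loopbacks: List[str] = field(default_factory=list)
    configured_id: Optional[str] = None   # value of an explicit router-id command, if any
    priority: int = 1                     # Cisco default OSPF interface priority


def router_id(r: Router) -> IPv4Address:
    """Preference order from the explanation: explicit router-id, then the
    highest loopback address, then the highest physical interface address."""
    if r.configured_id:
        return IPv4Address(r.configured_id)
    pool = r.loopbacks or r.physical
    if not pool:
        raise ValueError(f"{r.name}: no IPv4 address available to derive a router ID")
    return max(IPv4Address(a) for a in pool)


def elect(routers: List[Router]) -> Tuple[Optional[str], Optional[str]]:
    """Return (DR, BDR) names for a cold-start election on one broadcast segment.
    Highest priority wins and the router ID breaks ties; priority 0 means the
    router never becomes DR or BDR (assumed OSPF rule, not stated on the page)."""
    eligible = [r for r in routers if r.priority > 0]
    ranked = sorted(eligible, key=lambda r: (r.priority, router_id(r)), reverse=True)
    dr = ranked[0].name if ranked else None
    bdr = ranked[1].name if len(ranked) > 1 else None
    return dr, bdr


if __name__ == "__main__":
    # Constructed addresses; the exhibit's real addresses are not on the page.
    segment = [
        Router("router-1", ["10.0.0.1"], loopbacks=["1.1.1.1"]),
        Router("router-2", ["10.0.0.2"], loopbacks=["2.2.2.2"]),
        Router("router-3", ["10.0.0.3"], loopbacks=["3.3.3.3"]),
        Router("router-4", ["10.0.0.4"], loopbacks=["4.4.4.4"]),
    ]
    print(elect(segment))   # ('router-4', 'router-3') with default priorities
```

Raising one router's priority above the default 1 moves it to DR regardless of its router ID, which is the configurable influence on the election the explanation refers to.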

Domain
IP Connectivity

Question 30
What are two characteristics of IPv6 anycast addressing? (select two)
packets sent to anycast address is forwarded to the fastest router
interface
Correct selection
the same anycast address is assigned to multiple router
interfaces
OSPF routing protocol does not support forwarding anycast traffic
anycast addresses are assigned to host interfaces only
Correct selection
packets sent to anycast address is forwarded to the nearest
router
General explanation
IPv6 anycast addressing is often associated with load balancing and
redundancy for global connectivity across the internet. The same IPv6
anycast address is assigned to multiple router interfaces at different
locations that serve as default gateway for hosts. Packets are forwarded or
routed to the nearest default gateway where hosts are attached. The
advantage is of course minimizing latency for hosts that change locations
such as from west coast to east coast or international. IPv6 anycast
addresses cannot be assigned to host interfaces or used as the source
address of an IPv6 packet.
Domain
Network Fundamentals

Question 31
What spanning tree port type on a switch interface has lowest cost to the
root bridge?
alternate port
bridge port
Correct answer
root port
designated port
General explanation
Spanning Tree election assigns a root bridge per VLAN, along with
designated, root and alternate ports to neighbor switches. The root
port is a switch port on a neighbor switch that has the least cost path to
the root bridge. STP calculates cost based on interface speed
(bandwidth) with higher bandwidth path preferred. It is a primary
forwarding link to the root bridge that received the best BPDU. There is
only a single root bridge elected for any spanning tree instance (VLAN).
The local switch compares BPDUs arriving when there are multiple links to
the root bridge, and selects switch port with lowest cost path.
Domain
Network Access

Question 32
What wireless topology enables Layer 2 roaming between different access
points for a single SSID?
BSS
BSSID
IBSS
Correct answer
ESS
General explanation
Basic Service Set (BSS) is comprised of multiple wireless clients connected
to a single access point within a Layer 2 domain. BSSID is the 48-bit
physical base MAC address assigned to a radio interface on an access
point. There are virtual MAC addresses derived from the physical MAC
address that are assigned to each SSID when multiple SSIDs are
configured. The physical MAC address is incremented by one to create a
unique BSSID per SSID.
Extended Service Set (ESS) is comprised of multiple BSS cells from
different access points that have a common SSID (WLAN). This enables
seamless roaming between access points within a Layer 2 domain and
different channels. The default infrastructure mode enables
communication between all wireless clients via centralized access point.
Independent Basic Service Set (IBSS) or ad hoc mode enables wireless clients to
communicate directly without an access point.
Domain
Network Fundamentals

Question 33
What problem is solved with FHRP to restore network connectivity for
clients?
Correct answer
default gateway interface is down
network congestion
switch port to host is down
DHCP is not working correctly
first hop IP address is incorrect on host machine
General explanation
First Hop Redundancy Protocol (FHRP) is a routing configuration that
creates a virtual router from at least two physical routers. The purpose is
to enable default gateway redundancy or failover. All packets from a host
are automatically forwarded to the standby default gateway when the
primary gateway fails. As a result the standby router becomes the new
default gateway for endpoints at the access layer.
There are both open standard and Cisco proprietary protocols that enable
FHRP. The most commonly deployed FHRP in the enterprise is Cisco HSRP.
The purpose of a default gateway is to provide routing services to
endpoints. It is a network interface with an IP address on a Layer 3
network device.
The default gateway is an upstream router or Layer 3 switch for client and
server endpoints. Any packets destined for a remote subnet are forwarded
to the default gateway. DHCP service is often enabled to automatically
configure a default gateway address on each endpoint. There is only a
single default gateway address on any host client or network server.
Domain
IP Connectivity

Question 34
What correctly describes DHCP snooping operation when enabled on a
Cisco switch?
all switch ports are trusted with a default configuration
Correct answer
DHCP OFFER messages are dropped on untrusted switch ports
DHCP REQUEST messages are dropped on untrusted switch ports
DHCP DISCOVER messages are dropped on untrusted switch ports
General explanation
DHCP enabled clients send DISCOVER and REQUEST messages to the
DHCP server. This is normal and must be permitted on untrusted ports for
hosts to communicate with DHCP server and request IP address settings.
DHCP OFFER messages are dropped on untrusted ports to prevent a
hacker or any unauthorized host from sending IP address settings to
clients on the network. Trusted ports are explicitly configured on uplinks in
the forwarding path from host switch to DHCP server.
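Added example, not part of the original practice test: the DHCP snooping filter described above as a Python model, run over a constructed sequence of DHCP messages seen on switch ports. The explanation names OFFER; ACK and NAK are the other server-originated message types and are treated the same way here. The Port class, verdict and process functions are this example's own names. Besides applying the trusted/untrusted rule, it reports which untrusted ports tried to send server messages, since that is where an unauthorized DHCP server shows up.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# DHCP message types carried in option 53 (RFC 2132)
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6
NAMES = {DISCOVER: "DISCOVER", OFFER: "OFFER", REQUEST: "REQUEST", ACK: "ACK", NAK: "NAK"}
# Messages only a DHCP server sends; the page names OFFER, ACK and NAK get the same treatment
SERVER_MESSAGES = {OFFER, ACK, NAK}


@dataclass
class Port:
    name: str
    trusted: bool = False   # Cisco default: every port is untrusted until configured


def verdict(port: Port, msg_type: int) -> str:
    """Client messages pass on any port; server messages pass only on trusted ports."""
    if msg_type in SERVER_MESSAGES and not port.trusted:
        return "drop"
    return "forward"


def process(ports: Dict[str, Port], events: List[Tuple[str, int]]):
    """Apply the filter to (port name, message type) events.
    Returns the per-event verdicts plus the untrusted ports that emitted
    server messages, the ports worth investigating for a rogue DHCP server."""
    verdicts = []
    suspects = set()
    for port_name, msg_type in events:
        v = verdict(ports[port_name], msg_type)
        verdicts.append((port_name, NAMES[msg_type], v))
        if v == "drop":
            suspects.add(port_name)
    return verdicts, sorted(suspects)


if __name__ == "__main__":
    # Constructed scenario: Gi0/24 is the uplink toward the legitimate DHCP server
    ports = {"Gi0/1": Port("Gi0/1"), "Gi0/2": Port("Gi0/2"), "Gi0/24": Port("Gi0/24", trusted=True)}
    events = [("Gi0/1", DISCOVER), ("Gi0/24", OFFER), ("Gi0/1", REQUEST),
              ("Gi0/24", ACK), ("Gi0/2", OFFER)]
    results, flagged = process(ports, events)
    for line in results:
        print(line)
    print("untrusted ports sending server messages:", flagged)
```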
Domain
Security Fundamentals

Question 35
What two statements correctly describe the characteristics of Terraform?
(select two)
Terraform is a procedural language
Terraform is based on SSH transport
Correct selection
Terraform is a deployment and orchestration tool
Correct selection
Terraform communicates with providers
Terraform managed nodes have an agent
General explanation
Terraform is a deployment and orchestration tool for managing network
changes via code (IaC) instead of manual CLI. It is used typically for day 0
and day 1 initial implementation. Infrastructure as Code (IaC) is automated
provisioning and management of infrastructure with machine readable
configuration files (code) instead of manual hardware configuration. The
configuration files are often referred to as definition files.
Terraform is a declarative language meaning it specifies the desired
end state for a deployment. The configuration files can be written with
elements in any order using the Go language. Terraform will ensure that
all elements are applied in the order required by the device/controller. This
contrasts with procedural programming that is based on steps or
instructions and a specific order for an end result.
Terraform projects are defined at the folder level and HCL file is stored
with an approved provider. The workflow is a defined procedure that
communicates with the device/controller to configure agentless managed
nodes. Enable RESTCONF and YANG on Cisco network devices for
communication with Terraform.
Registered public providers are required for Terraform to communicate
with managed nodes to deploy infrastructure. HTTPS is required for
communication with REST APIs since there is no support for SSH.
Terraform execution plan is the configuration code (IaC) comprised of
provider and resources.
Terraform provider: This is a third party plugin that provides resources
and communicates with Terraform via REST API for implementation (Cisco
IOS-XE, Catalyst Center etc.)
Terraform resource: This is a configuration parameter (state) used for
implementation via REST API operations (GET, POST, PUT, DELETE). Some
examples include VLAN, subnet, or OSPF.
Terraform module: This is a logical reusable container with declarative
configuration files, associated resources, and declared provider/s.
Terraform workspace: This enables management of multiple
infrastructures with a single configuration state.
This is an example of code for Cisco ACI provider authentication:
provider "aci" {
  username = "admin"
  password = "!v3G@!4@Y"   # a literal credential in a committed file; a variable or environment value is the safer practice
  url      = "[Link]"
  insecure = true          # skips TLS certificate verification of the controller
}
Resources
Introduction to Terraform
Domain
Automation and Programmability

Question 36
How is metric value calculated for EIGRP with a default configuration?
Correct answer
bandwidth and delay
delay
hop count
interface cost
General explanation
EIGRP considers only bandwidth and delay with a default configuration
when calculating composite path metric for routes.
Domain
IP Connectivity

Question 37
What two options are available when configuring WPA2-PSK passphrase
within the wireless controller GUI? (select two)
base128
Correct selection
ascii
decimal
UTF
Correct selection
hexadecimal
General explanation
WPA permits either ascii or hexadecimal format for a pre-shared
passphrase key. The passphrase string must have between 8 and 63
characters.
Domain
Security Fundamentals

Question 38
What is the length of an IPv6 address?
Correct answer
128 bits
48 bits
32 bits
64 bits
General explanation
IPv6 addressing is based on hexadecimal notation with values from
numbers 0-9 and A to F. Each address is comprised of eight groups with
four hexadecimal values of 4 bits each. There are as a result 16 bits per
group and with eight groups per IPv6 address equals 128 bits.

The figure illustrates the structure of a standard IPv6 address. There is a 64-bit
network portion and 64-bit host identifier. The 64-bit network prefix is
further comprised of a 48-bit routing prefix and 16-bit local subnet ID. The
network prefix is similar to the IPv4 network address portion. The host
identifier is similar to the IPv4 host portion. The subnet ID allows for
subnetting with variable-length subnet masks (VLSM). IPv6 addresses are
allocated by a Regional Internet Registry (RIR).
The primary reason for migrating to or enabling support for IPv6 is
scalability. The IPv4 public routable address space is near depleted. In
addition there is increasing demand for public addresses resulting from
new cloud services and mobile devices. Enabling IPv6 support now will
ease migration over so that public routable addresses will be available for
internet connectivity. IPv6 decreases network traffic by eliminating
broadcast messages with multicasting technique. Ease of management
with address autoconfiguration is an advantage as well.
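Added example, not part of the original practice test: Python helpers that take the address structure described above (eight 16-bit groups, a 48-bit routing prefix, a 16-bit subnet ID and a 64-bit interface identifier) and make it concrete with the standard ipaddress module. The function names are this example's own, and the 2001:db8::/32 documentation range is used for all sample values.

```python
from ipaddress import IPv6Address, IPv6Network
from typing import List, Tuple


def groups(addr: str) -> List[str]:
    """The eight 16-bit groups, each written as four hex digits (8 x 16 = 128 bits)."""
    return IPv6Address(addr).exploded.split(":")


def split_parts(addr: str) -> Tuple[int, int, int]:
    """Return (48-bit routing prefix, 16-bit subnet ID, 64-bit interface ID) as integers."""
    value = int(IPv6Address(addr))
    routing_prefix = value >> 80                  # top 48 bits
    subnet_id = (value >> 64) & 0xFFFF            # next 16 bits
    interface_id = value & ((1 << 64) - 1)        # low 64 bits
    return routing_prefix, subnet_id, interface_id


def subnet_prefix(allocation: str, subnet_id: int) -> IPv6Network:
    """Derive the /64 for a given subnet ID inside a /48 allocation (the 48 + 16 split)."""
    alloc = IPv6Network(allocation)
    if alloc.prefixlen != 48:
        raise ValueError("this helper expects a /48 allocation")
    if not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("the subnet ID is a 16-bit field")
    return IPv6Network((int(alloc.network_address) | (subnet_id << 64), 64))


def subnet_count(allocation: str) -> int:
    """Number of /64 subnets a prefix of this length can hold."""
    return 2 ** (64 - IPv6Network(allocation).prefixlen)


if __name__ == "__main__":
    sample = "2001:db8:abcd:10:aaaa:bbbb:cccc:dddd"     # constructed documentation-range address
    print(groups(sample))
    print([hex(p) for p in split_parts(sample)])
    print(subnet_prefix("2001:db8:abcd::/48", 0x10), subnet_count("2001:db8:abcd::/48"))
```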
Domain
Network Fundamentals

Question 39
What defines the start and stop point of a JSON array?
( ) normal brackets
{ } curly brackets
Correct answer
[ ] square brackets
" " double quotes
General explanation
JSON is a popular data encoding method for REST API requests sent
between network servers. There is a syntax format with JSON strings
comprised of arrays and objects.
The start and stop characters to define an array are square
brackets [ ]. There are also curly brackets { } that are used to define
object start and stop points. The double quotes are required for each
name and value with multiple name/value pairs separated with commas.
Domain
Automation and Programmability

Question 40
What route is installed in the local routing table when [Link]/26
network is advertised or configured from all of the following route sources?
EIGRP route
OSPF route
Correct answer
static route
floating static route
default route
General explanation
Routes are installed in the global routing table based on administrative
distance (AD). The route with lowest AD is installed when routes are
advertised from multiple route sources to the same destination network
address (subnet) with same prefix length.
In this example, static routes and default routes have the lowest
administrative distance (1). The static route however has a more specific
route than default route and would be installed. Default route is
automatically installed and only used when no other route exists. Any
directly connected interface (host route) has the lowest administrative
distance (0) of all route sources.
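Added example, not part of the original practice test: a Python model of the two decisions described above, route installation by lowest administrative distance among candidates for the same prefix, and forwarding by longest prefix match. The AD values are the Cisco IOS defaults; the floating static AD of 250 is a constructed value, since a floating static route's AD is whatever the administrator configures above 1. The 198.51.100.0/26 prefix stands in for the question's network, and the Candidate class, build_rib and lookup are this example's own names.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, Iterable, Optional

# Cisco IOS default administrative distances for the sources in the question.
# 250 for the floating static route is a constructed value (any AD above 1 works).
DEFAULT_AD = {"connected": 0, "static": 1, "eigrp": 90, "ospf": 110, "floating static": 250}


@dataclass(frozen=True)
class Candidate:
    prefix: str
    source: str
    ad: int


def build_rib(candidates: Iterable[Candidate]) -> Dict[IPv4Network, Candidate]:
    """For each exact prefix keep only the lowest-AD candidate; that is the installed route."""
    rib: Dict[IPv4Network, Candidate] = {}
    for c in candidates:
        net = ip_network(c.prefix)
        if net not in rib or c.ad < rib[net].ad:
            rib[net] = c
    return rib


def installed_source(rib: Dict[IPv4Network, Candidate], prefix: str) -> Optional[str]:
    """Which route source won for a given prefix, or None if nothing is installed for it."""
    c = rib.get(ip_network(prefix))
    return c.source if c else None


def lookup(rib: Dict[IPv4Network, Candidate], dst: str) -> Optional[Candidate]:
    """Forwarding lookup: longest matching prefix wins, regardless of source or AD."""
    addr = ip_address(dst)
    matches = [net for net in rib if addr in net]
    if not matches:
        return None
    return rib[max(matches, key=lambda n: n.prefixlen)]


if __name__ == "__main__":
    subnet = "198.51.100.0/26"     # constructed stand-in for the question's /26 network
    sources = [Candidate(subnet, s, DEFAULT_AD[s]) for s in ("eigrp", "ospf", "static", "floating static")]
    sources.append(Candidate("0.0.0.0/0", "static", DEFAULT_AD["static"]))   # default route
    rib = build_rib(sources)
    print(installed_source(rib, subnet))            # static
    print(lookup(rib, "198.51.100.10").prefix)      # 198.51.100.0/26, the more specific route
    print(lookup(rib, "198.51.100.100").prefix)     # 0.0.0.0/0, address outside the /26
```

Removing the static /26 from the candidate list shows the next effect of AD: EIGRP (90) is installed, not the floating static (250), which only takes over once every lower-AD source for the prefix is gone.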
Domain
IP Connectivity

Question 41
What configuration is supported for L2/L3 EtherChannel load balancing?
Layer 3 EtherChannel only supports source and destination ports
EtherChannel load balances traffic equally among all active
interfaces
Correct answer
Layer 2 EtherChannel can load balance source and destination
MAC address or IP address
Layer 2 EtherChannel only supports source and destination MAC
address
General explanation
EtherChannel load balancing algorithm for Cisco switches varies between
different models. There is no equal load balancing algorithm to a
destination. EtherChannel is configurable to load balance either
source and destination MAC address, IP address or port number.
For example, the default for Layer 2 EtherChannel is load balancing traffic
across multiple links based on source and destination MAC address. Layer
3 EtherChannel can also load balance based on a variety of options.
• src-dst-mac
• src-dst-ip
• src-dst-port
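Added example, not part of the original practice test: a simplified Python model of hash-based EtherChannel link selection that shows why there is no equal load balancing. Each flow is hashed on the selected fields (src-dst-mac, src-dst-ip or src-dst-port) into one of 8 buckets, and buckets are dealt to the member links, so 3 links get a 3/3/2 split. The 8-bucket scheme and the XOR of the low bits are an approximation of Catalyst behaviour assumed here, not the platform's exact hash; the function names are this example's own, and the traffic is constructed.

```python
from typing import Dict, List

HASH_BUCKETS = 8   # flows are hashed into 8 buckets which are then mapped onto the member links


def _mac_int(mac: str) -> int:
    return int(mac.replace(":", ""), 16)


def _ip_int(ip: str) -> int:
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def bucket(flow: Dict, method: str) -> int:
    """Simplified hash: XOR the two selected fields and keep the low three bits."""
    if method == "src-dst-mac":
        mixed = _mac_int(flow["src_mac"]) ^ _mac_int(flow["dst_mac"])
    elif method == "src-dst-ip":
        mixed = _ip_int(flow["src_ip"]) ^ _ip_int(flow["dst_ip"])
    elif method == "src-dst-port":
        mixed = flow["sport"] ^ flow["dport"]
    else:
        raise ValueError(f"unsupported load-balance method {method}")
    return mixed % HASH_BUCKETS


def choose_link(flow: Dict, method: str, n_links: int) -> int:
    """Buckets are dealt to links round-robin, so 8 buckets over 3 links give a 3/3/2 split."""
    if not 1 <= n_links <= HASH_BUCKETS:
        raise ValueError("an EtherChannel has 1 to 8 active links")
    return bucket(flow, method) % n_links


def distribution(flows: List[Dict], method: str, n_links: int) -> List[int]:
    """How many of the flows land on each member link."""
    counts = [0] * n_links
    for f in flows:
        counts[choose_link(f, method, n_links)] += 1
    return counts


def sample_flows(n: int = 16) -> List[Dict]:
    """Constructed traffic: one host talking to one gateway over many TCP sessions."""
    return [{"src_mac": "00:11:22:33:44:55", "dst_mac": "00:11:22:33:44:66",
             "src_ip": "10.1.1.10", "dst_ip": "10.1.2.20",
             "sport": 40000 + i, "dport": 443} for i in range(n)]


if __name__ == "__main__":
    flows = sample_flows()
    for method in ("src-dst-mac", "src-dst-ip", "src-dst-port"):
        print(method, distribution(flows, method, 2), distribution(flows, method, 3))
```

With a single MAC pair or a single IP pair every session hashes to the same bucket and all traffic rides one link; only the port-based method spreads these sessions, and even then the 3-link case is uneven.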
Domain
Network Access

Question 42
What DTP mode supports negotiation of access mode and trunk mode
interfaces?
switchport mode dynamic desirable
switchport mode access
Correct answer
switchport mode dynamic auto
switchport mode dynamic active
switchport mode dynamic trunk
General explanation
DTP dynamic auto mode listens for DTP packets from neighbors. There is
a trunk established when the neighbor switch is configured with
dynamic desirable mode or is a static trunk. The switch port with
dynamic auto configured reverts to an access port when trunk negotiation
fails. DTP mode is displayed as auto mode whether the switch port is
configured for dynamic auto or dynamic desirable.
switch# show interfaces trunk
Port   Mode  Encapsulation  Status    Native vlan
Gi0/1  auto  n-802.1q       trunking  1
Gi0/2  on    802.1q         trunking  999
Port   Vlans allowed on trunk
Gi0/1  10-12
Gi0/2  10-12
Port   Vlans allowed and active in management domain
Gi0/1  10,11,12
Gi0/2  10,11,12
Port   Vlans in spanning tree forwarding state and not pruned
Gi0/1  10,11,12
Gi0/2  10,11,12
Domain
Network Access

Question 43
How do you disable the Cisco switch aging timer to prevent MAC address
flushing from the MAC address table?
Correct answer
mac-address-table aging-time 0
no mac-address-table aging-time
mac address-table aging-time none
mac address-table aging-time disable
General explanation
The default aging timer for switch MAC address table entries is 300 seconds.
The timer is configurable to a higher or lower value with the
mac-address-table aging-time command. The aging timer is disabled when
the value is set to zero. The result is that MAC entries are never flushed
(aged out) from the MAC address table, so the switch no longer has to flood
frames to relearn or refresh entries. The caveat is that entries for hosts
that have left the network remain until cleared manually, so the table can
fill over time.
mac-address-table aging-time 0
Domain
Network Access

Question 44
What interface on a Cisco wireless controller is responsible for CAPWAP
tunnel addressing?
Correct answer
ap-manager interface
service port interface
dynamic interface
virtual interface
General explanation
Distribution System Ports
Gigabit Ethernet 802.1q trunk connection between wireless controller and
switch for multiple VLANs. The distribution system is typically comprised of
LACP Etherchannel (802.3ad) with multiple physical links.

Dynamic Interfaces
Layer 3 interfaces that map each WLAN (SSID) to a wired VLAN for
forwarding across the distribution port/s. Each dynamic interface is a
unique subnet and you can assign them to a single or multiple distribution
ports.

Management Interface
Layer 3 interface that is used for in-band management of the wireless
controller and connectivity to network services such as AAA, Syslog, and
SNMP. It also provides communication between controllers and access
points. This is the only ping-able network interface on the controller and
web user interface (Web UI) is supported.
AP-Manager Interface
Layer 3 interface that provides communication with lightweight access
points (LAP) once they join the controller. This interface is integrated with
the management interface by default and provides CAPWAP tunnel IP
addressing. Cisco supports multiple AP-Manager interfaces with one or
more access points per interface assigned based on load conditions.

Virtual Interface
Layer 3 interface for communication between controller and wireless
clients for supporting mobility management, DHCP relay, and guest web
authentication. Traffic is not forwarded across the distribution system
ports to the switch. It is mandatory to assign a unique non-routable IP
address such as from [Link]/24, [Link]/24, or [Link]/24
reserved addressing for example.
Service Port
Layer 3 Gigabit Ethernet interface used for troubleshooting, system
recovery, and maintenance. This is an out-of-band management port that
is non-routable and connects to an access port on the switch. Assign a
different VLAN and SVI to the service port from the management interface.
Configure an IPv4 static route on the controller if your management
workstation is on a different subnet.

Console Port
Cisco serial asynchronous interface for out-of-band management of
controller. This is a direct physical connection to RJ-45 port with terminal
emulation software for initial configuration, troubleshooting, and recovery.
Domain
Network Access

Question 45
What are three advantages of next-generation firewalls over traditional
firewalls? (select three)
Correct selection
throughput
Correct selection
real-time monitoring
cost
open standard
Correct selection
malware protection
load balancing
General explanation
A Cisco Next-Generation Firewall (NGFW) is a security appliance that
optimizes security for connecting directly to internet-based and cloud
services. That includes data center, branch office, remote and mobile
devices. The newer firewall provides inbound/outbound stateful packet
inspection up to the application layer and higher throughput. There is
dynamic monitoring, detection and prevention as well. For example,
intrusion prevention sensors (IPS) examine inbound and outbound packets
for vulnerabilities, exploits, worms and viruses. There are a variety of
mitigation actions available that are configurable.

Domain
Network Fundamentals

Question 46
What two statements correctly describe idempotency in the context of
REST API architecture? (select two)
Correct selection
REST API operation performed multiple times does not change the
result
POST operation is idempotent
REST API operation performed multiple times changes the result
Correct selection
GET operation is idempotent
General explanation
REST APIs are based on HTTP GET, POST, PUT, and DELETE operations. Any
operation is idempotent if the result of initial request does not change
when performed multiple times. As a result, GET, PUT, and DELETE
operations are idempotent while POST operation is not. That means you
could get different results with a POST operation when it is repeated.
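Added example, not part of the original practice test, serving both the CRUD-to-HTTP mapping of Question 23 and the idempotency statements above: an in-memory stand-in for a shopping cart resource whose methods follow POST, GET, PUT and DELETE semantics, plus a check that applies each operation once and twice to identical fresh copies and compares the resulting state. The CartService class, is_idempotent and classify are this example's own names; no real REST API or HTTP library is involved.

```python
import itertools
from copy import deepcopy
from typing import Callable, Dict, Optional

# The CRUD-to-HTTP mapping the explanation describes
CRUD_TO_HTTP = {"create": "POST", "read": "GET", "update": "PUT", "delete": "DELETE"}


class CartService:
    """In-memory stand-in for a REST resource collection such as /items/{id}."""

    def __init__(self) -> None:
        self.items: Dict[int, Dict] = {}
        self._ids = itertools.count(1)

    def post(self, item: Dict) -> int:
        """CREATE: every call allocates a new id, so repeating it adds another item."""
        new_id = next(self._ids)
        self.items[new_id] = dict(item)
        return new_id

    def get(self, item_id: int) -> Optional[Dict]:
        """READ: returns a copy and never changes state."""
        return deepcopy(self.items.get(item_id))

    def put(self, item_id: int, item: Dict) -> None:
        """UPDATE: replaces the whole resource; the same body twice gives the same state."""
        self.items[item_id] = dict(item)

    def delete(self, item_id: int) -> None:
        """DELETE: removing an item that is already gone changes nothing."""
        self.items.pop(item_id, None)


def new_cart() -> CartService:
    """Constructed starting state: a cart that already holds one item (id 1)."""
    svc = CartService()
    svc.post({"sku": "ccna-book", "qty": 1})
    return svc


def is_idempotent(op: Callable[[CartService], None], factory: Callable[[], CartService] = new_cart) -> bool:
    """Run op once on one fresh service and twice on another; idempotent ops leave identical state."""
    once = factory()
    op(once)
    twice = factory()
    op(twice)
    op(twice)
    return once.items == twice.items


def classify() -> Dict[str, bool]:
    """Idempotency verdict for each HTTP verb against the seeded cart."""
    ops = {
        "POST": lambda s: s.post({"sku": "ccna-lab-guide", "qty": 1}),
        "GET": lambda s: s.get(1),
        "PUT": lambda s: s.put(1, {"sku": "ccna-book", "qty": 2}),
        "DELETE": lambda s: s.delete(1),
    }
    return {verb: is_idempotent(op) for verb, op in ops.items()}


if __name__ == "__main__":
    print(CRUD_TO_HTTP)
    print(classify())   # {'POST': False, 'GET': True, 'PUT': True, 'DELETE': True}
```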
Domain
Automation and Programmability

Question 47
What is the maximum number of host addresses that are assignable to
network interfaces with a class C address of [Link]/24?
none
255
256
1
Correct answer
254
General explanation
Class C subnetting is available for class C, class B and class A addresses.
[Link]/24 is a class C address with a default (classful) subnet mask
of [Link], so it is not subnetted. There is only a single subnet,
[Link], with host address range [Link]/24 to [Link]/24,
which provides 254 host addresses. The next classful subnet is
[Link]/24, also with 254 host addresses available.

Domain
Network Fundamentals

Question 48
What is the default QoS trust state for Cisco network interfaces?
none
trusted
Correct answer
untrusted
disabled
General explanation
The trust state of a switch for example, determines how the marking is
interpreted for inbound traffic. The default trust setting for a Cisco switch
is untrusted. The switch will remark the Class of Service (CoS) or DSCP
value to zero (0) for all inbound packets on an untrusted interface. The
switch will examine inbound marking and forward unaltered when trust
state is enabled. For example, voice packets marked as CoS 5 from an IP
phone are forwarded with that value.

Ethernet frames from host traffic in a data VLAN are remarked from a
default zero (0) to a configured value on a trusted interface. The switch
will trust a connected Cisco IP phone and its CoS marking. CDP must be
enabled on the switch for phone detection to work. The 802.1q protocol
used for trunking has an 802.1p priority field for Class of Service (CoS)
marking that is applied only on trunk interfaces.
• Packets from a trusted device are not remarked on upstream device
• Trust boundary defines the point where trusted packets start
Domain
IP Services

Question 49
What IOS command is used to display the collection of OSPF neighbor link-
states?
show ip ospf link-state
show ip ospf neighbors
Correct answer
show ip ospf database
show ip ospf lsa database
show ip ospf summary
General explanation
OSPF creates a global topology database with all Link State
Advertisements (LSA) sent from all OSPF neighbors.
IOS command show ip ospf database displays the database topology
table. It is a global table comprised of all OSPF link-states for an OSPF
domain. The local database table is exchanged between all OSPF
neighbors. It creates a network topology used to calculate best path
(shortest) to a destination. The network topology and path cost for each
link is considered as part of the calculation. The OSPF routing table is
updated with the destination subnet and preferred next hop address.
Domain
IP Connectivity

Question 50
How do you verify trunk mode that is operational on a switch interface?
show trunking summary
show interfaces
Correct answer
show interfaces trunk
show ip interfaces detail
show trunk interface
General explanation
The following displays the operational status of switch-1. The operational
status has default settings except VLANs allowed. This is a static trunk
since on mode is operational instead of DTP auto mode and n-
802.1q encapsulation.
switch# show interfaces trunk
Port   Mode  Encapsulation  Status    Native vlan
Gi1/1  on    802.1q         trunking  1
Port   Vlans allowed on trunk
Gi1/1  11-12
Port   Vlans allowed and active in management domain
Gi1/1  1,11,12
Port   Vlans in spanning tree forwarding state and not pruned
Gi1/1  1,11,12
Domain
Network Access

Question 51
What are two configuration characteristics and feature support of OSPFv2?
(select two)
hop count is 15
route summarization is automatic
Correct selection
hop count is unlimited
classful routing protocol
Correct selection
classless routing protocol
unequal path cost load balancing is supported
General explanation
OSPF is a link-state routing protocol that builds and maintains a global
topology database. That is accomplished with the exchange of link-state
advertisements (LSA) between OSPF neighbors. Topology and routing
information is communicated in LSAs. Event-triggered updates are sent
only when a link failure occurs to conserve bandwidth.
OSPF Characteristics
• link-state routing protocol
• classless routing protocol
• hop count is unlimited
• metric = interface cost (bandwidth)
• global view database topology table
• shortest (best) route calculated from topology table
• event-triggered routing updates only
• automatic route summarization not supported
• scalable to large enterprise domains
• fast convergence when there is link failure
• load balancing across equal cost paths only
OSPF is characterized by well-defined hierarchical layers that enable route
summarization and smaller routing tables per router. The routing updates
are minimized when there are link failures enabling faster convergence. In
addition routing issues such as flapping and routing loops are limited to an
OSPF area.
There is a mandatory common backbone area 0 only for multi-area OSPF.
All other areas must connect to the OSPF backbone area. That is required
to advertise routes between areas. OSPFv2 refers to the version of OSPF
that only supports IPv4 addressing on network interfaces. It is the most
widely deployed version of OSPF for dynamic routing. The area number for
single-area OSPF does not have to be numbered area 0.
OSPF is an IP-only routing protocol that is well suited to current intranet
and internet connectivity. Consider as well that internet and cloud-based
services are IP-only connections. The single-area OSPF design reduces the
routing tables and number of LSAs advertised between routers. All areas
must be connected directly to the backbone, or via a virtual link.
Domaine
IP Connectivity

Question 52
What interface counter errors are caused by duplex mismatch?
MTU mismatch
Correct answer
CRC
giants
udld
General explanation
CRC and late collision errors are the typical symptoms of a duplex mismatch between directly connected neighbors: the half-duplex side records late collisions, while the full-duplex side records CRC and runt errors. Collisions and CRC errors can also be caused by a faulty network interface or a copper run that exceeds 100 meters. Giant frames (larger than the 1518-byte Ethernet maximum, unless jumbo frames are enabled) result from either faulty network interface hardware or an MTU misconfiguration on an interface.
The output of show interfaces lists the Layer 2 error counters including runts, giants, collisions, late collisions and CRC errors. Cisco Gigabit Ethernet switch ports do not support half-duplex operation. The older 10/100 interfaces, and 10/100/1000 interfaces operating at 10 or 100 Mbps, permit half-duplex at the lower speeds, which is where mismatches occur.
Domain
Network Fundamentals

Question 53
What two IOS commands will display subnet mask information for all
active network interfaces on a Cisco router? (select two)
Correct selection
show interfaces
show ip interface brief
ipconfig /all
Correct selection
show protocols
show ip protocols
General explanation
The most common IOS command for checking operational status is show ip interface brief. That command does not include subnet mask information for Layer 3 physical interfaces or VLAN interfaces (SVIs). The following IOS commands display both the operational status and the subnet mask assigned to all Layer 3 interfaces:
• show protocols
• show interfaces
ipconfig /all is a Windows host command, not an IOS command, and show ip protocols displays routing protocol parameters rather than interface addressing.
Domain
Network Fundamentals

Question 54
What global IOS command is used to configure username admin with
highest privilege level access and secret password cisconet?
username admin privilege 15 enable secret cisconet
username admin privilege 16 secret 7 cisconet
username admin privilege 16 secret password cisconet
Correct answer
username admin privilege 15 secret cisconet
General explanation
The following IOS command configures a username admin with privilege level 15 (the highest level; levels run from 0 to 15, so privilege 16 does not exist) and the secret password cisconet. A secret is stored as a salted one-way hash (type 5 MD5 on older IOS releases; type 8 PBKDF2-SHA256 or type 9 scrypt on current releases), which cannot be reversed to recover the password. That is far stronger than type 7 encryption, the reversible obfuscation that service password-encryption applies to plain password entries. Note that secret passwords do not require service password-encryption. Devices that still carry other plaintext passwords (line passwords, for example) should have service password-encryption enabled as well, with the understanding that it only hides those passwords from casual viewing.
username admin privilege 15 secret cisconet
Domain
Security Fundamentals
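The difference between type 7 "encryption" and a hashed secret is easy to show in code. The following is an added example, not code from the page or from Cisco: a Python implementation of the type 7 encode/decode algorithm, which XORs each password character with a fixed, publicly known key, beside an illustrative one-way salted hash. The test vector 0822455D0A16 for the password cisco is the commonly cited one; the hash helper at the end uses PBKDF2-SHA256 purely to illustrate a verify-only store and is not byte-compatible with the IOS type 5/8/9 formats.

```python
"""Cisco type 7 password obfuscation versus a one-way salted hash.
Added example, not code from the page or from Cisco."""
import hashlib
import os

# Fixed key that IOS XORs passwords against. It is published and never changes,
# which is why any type 7 string can be decoded by anyone who can read the config.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded: str) -> str:
    """Recover the plaintext from a 'password 7 <string>' value."""
    if len(encoded) < 2 or len(encoded) % 2:
        raise ValueError("malformed type 7 string")
    seed = int(encoded[:2])            # first two decimal digits: starting key offset
    body = bytes.fromhex(encoded[2:])  # each remaining hex pair is one XOR'd character
    return "".join(
        chr(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]) for i, b in enumerate(body)
    )


def type7_encode(plaintext: str, seed: int = 8) -> str:
    """Produce the string IOS would store after 'service password-encryption'."""
    if not 0 <= seed <= 15:             # IOS is observed to use seeds 0-15
        raise ValueError("seed must be 0-15")
    body = "".join(
        f"{ord(c) ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]:02X}"
        for i, c in enumerate(plaintext)
    )
    return f"{seed:02d}{body}"


def hash_secret(password: str, salt: bytes = b"") -> tuple:
    """Illustrative one-way store (PBKDF2-SHA256). Not the IOS on-disk format."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)
    return salt, digest


def verify_secret(password: str, salt: bytes, digest: bytes) -> bool:
    """The only operation a hash supports: compare a candidate, never decode."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000) == digest


if __name__ == "__main__":
    stored = type7_encode("cisconet")
    print("password 7", stored, "->", type7_decode(stored))  # reversible in one line
    salt, digest = hash_secret("cisconet")
    print("secret verifies:", verify_secret("cisconet", salt, digest))
```

Running the block decodes the type 7 string straight back to cisconet, which is the practical reason a username should always be configured with secret rather than password.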

Question 55
How is spanning tree port cost calculated on a Cisco switch port channel?
based on the fastest member interface
Correct answer
aggregate bandwidth of channel
spanning tree protocol does not support logical interfaces
based on the slowest member interface
General explanation
Cisco calculates the spanning tree port cost of a port channel from the aggregate bandwidth of all member physical ports. Spanning tree runs on the port channel as a single logical interface rather than on the individual members, so it forwards or blocks the whole port channel as one port based on the STP election. The exact cost mapping for aggregated bandwidths is not documented, but the aggregate bandwidth is the starting point: for example, Gigabit Ethernet (GE) has a cost of 4, and a port channel of 4 x GE is assigned a port cost of 3.
Individual physical switch ports are assigned a port cost from the same bandwidth-based table. The port cost of each outgoing interface is added to the cumulative cost of the switch ports along the way to the root bridge, and that sum is the path cost. Each non-root switch elects the port with the lowest path cost to the root as its root port.
Domain
Network Access

Question 56
What statement is correct when comparing authentication and
authorization?
Correct answer
authentication is before authorization
authentication determines file level access
WPA2-PSK is a user authentication protocol
authorization is network level access
General explanation
AAA is a well-established security framework for controlling and monitoring network access. It is based on authentication, authorization and accounting of all requests to access network services and data. There are often multiple security solutions integrated based on the unique requirements of each company. For example, the solutions that manage physical access, surveillance systems, network devices and web servers are all different. The common elements of the AAA model should be included when deploying any security solution. The following describes and compares each element of the AAA security model.
Authentication
This security control verifies the identity of a device and/or user before any authorization decision is made. Network level access is initially based on some authentication protocol or technique. The traditional username/password credential has been the standard for years. It is being supplemented or replaced by Multi-Factor Authentication (MFA) for more robust, layered authentication. (WPA2-PSK authenticates a device to a wireless network with a shared key; it does not identify an individual user.)
Authorization
This security control is applied only after authentication has succeeded. The purpose of authorization is to permit or deny access to data, services and commands. It is more complex than authentication and involves permission levels for device modes, files and data.
Accounting
This security service includes monitoring, logging and auditing of security events. Any request for network access generates an event record that is stored for all users and transactions. A record typically consists of username, time stamp, event type, and resources accessed. In addition, any denied access is logged and alerts are sent based on severity level. Accounting is used for tracking, alerting, notification, attack forensics and auditing.
Domain
Security Fundamentals
Question 57
What are three characteristics of Spine-Leaf architecture? (select three)
Layer 2 only
Correct selection
designed for east-west traffic
designed for north-south traffic
Correct selection
full mesh topology
Correct selection
alternative to older STP designs
General explanation
Cloud computing, virtualization and programmability have changed traditional data center architecture. Traffic flow is now mostly east-west in data centers with virtualized servers and N-tier applications. The common characteristic of newer web-based applications is multiple server-to-server transactions. It is a distributed application model where most traffic moves between servers.
Cisco now promotes what is called Spine-Leaf architecture. It is a two-tier design in which every leaf switch connects to every spine switch (a full mesh between the two tiers; leaf switches do not connect to each other and spine switches do not connect to each other). As a result, any leaf is a single spine hop away from any other leaf, giving east-west traffic consistent, low-latency paths. It replaces the older three-tier designs that relied on STP for redundancy: the leaf-spine links are typically routed (Layer 3) links with equal-cost multipath, so all links are active and no ports sit in a blocking state. Newer fabric architecture defines a physical underlay and a virtual overlay that supports L2 and/or L3 designs. The virtual overlay is what enables programmability and SDN applications. Cisco DNA Center is based on this fabric architecture.
Domain
Network Fundamentals

Question 58
What additional route is added to routing table when a network interface is
configured with IP address [Link]/24?
Correct answer
[Link]/32
[Link]/24
[Link]/32
none
General explanation
Connected routes are neither manually configured nor learned dynamically. They are automatically added to the routing table when an interface with an IP address comes up. The route entry points to the local network interface. Any time routing services are enabled, you will see at least some connected routes in the routing table. Along with each connected (C) route, the router installs a corresponding local (L) host route for the interface's own address. It carries a /32 subnet mask, which indicates a host route, and the router uses it to recognize packets addressed to itself.
C [Link]/24 is directly connected, Ethernet1/0
L [Link]/32 is directly connected, Ethernet1/0
Domain
IP Connectivity

Question 59
What two statements correctly describe SDN architecture? (select two)
Correct selection
SDN architecture decouples the control plane and data plane
SDN controller is not responsible for policy plane traffic
SDN architecture has a centralized data plane
Correct selection
SDN controller is a centralized control plane with a policy engine
SDN architecture decouples management plane and control plane
General explanation
Software Defined Networking (SDN) is an architecture that separates the control plane from the data plane. The purpose is to abstract the underlying network infrastructure, which allows programmability of supported network devices. It is similar to the hypervisor paradigm shift that abstracts (separates) server hardware from software components including operating systems, applications and virtual appliances. The same idea is applied to the network infrastructure with overlays and programmable services.
The following statements correctly describe SDN architecture:
• SDN architecture decouples the control plane and data plane
• Control plane is a software module on the controller instead of running on each device's own processor
• SDN controller is a centralized control plane with a policy engine
• Network infrastructure devices provide data plane forwarding
Note that it is the control plane that is centralized; the data plane stays distributed across the network devices, which is why "centralized data plane" is incorrect.
Domain
Automation and Programmability

Question 60
Select two statements that correctly describe frame switching operation?
(select two)
Layer 2 access switch does frame rewrite
Correct selection
switch will flood frame out all ports except where the frame was
learned when destination MAC address is not in MAC address
table
switch only reads destination MAC address
Correct selection
switch reads source and destination MAC address
switch will flood frame out all ports when destination MAC
address is not in MAC address table
General explanation
The primary purpose of a switch is to make forwarding decisions based on the destination MAC address. The MAC address table is built by learning the source MAC address of the frames received on each port, together with the switch port and VLAN membership. Gigabit Ethernet ports are full-duplex, so each switch port is its own collision domain.
The following is a list of network services provided by switches:
• Switches only read the Ethernet frame header and forward traffic.
• Switches create and maintain the MAC address table.
• Switches create separate collision domains per port.
• Switches create separate broadcast domains per VLAN.
A Gigabit Ethernet (or faster) switch port supports full-duplex traffic between the host and the switch. That eliminates collisions and creates a collision domain per port. The absence of collisions increases the usable data rate and decreases latency for host connections.
ARP Broadcast Frame
The host first sends an ARP request to learn a MAC address. If the server is in the same VLAN (subnet), the host ARPs for the server's own address. If the server is on a different subnet, the host ARPs for the MAC address of its default gateway instead. This only happens when there is no matching entry in the host ARP table, for example when the host has just started.
The switch forwards the broadcast frame with destination MAC address [Link] out all ports except the one it arrived on, and it eventually reaches the default gateway (router or L3 switch). The router responds to the host with the MAC address of its LAN interface (the default gateway).
The host then builds an IP packet with the destination IP address of the server, encapsulated in a frame whose destination MAC address is that of the default gateway. On the far side, the router sends its own ARP request on the server's subnet to learn the server's MAC address. The ARP response is sent from the server to the router, which then forwards the host's packet to the server. ARP tables are updated per Layer 3 hop between source and destination; the host never learns the server's MAC address when the server is on a remote subnet.
MAC Learning and Aging
The switch learns MAC addresses from the source address of every frame it receives and records the ingress port. Flooding, by contrast, is what the switch does when the destination MAC address is not in the table. The switch floods (duplicates) a frame with an unknown destination MAC address out all ports in the VLAN except the inbound port on which the frame was received. Every device connected to the switch reads the destination MAC address and drops the frame unless it matches its own. The server with the requested MAC address, for example, responds to the switch, and the source address of that reply is what adds the server to the MAC address table.
Entries are also removed when the aging time expires. By default the switch removes an entry that has not been refreshed for 300 seconds, after which frames to that address are flooded again until the address is relearned. Configuring the MAC aging timer to zero disables aging of MAC addresses.
Frame Switching
The host sends packets with an IP header encapsulated in a frame. The source and destination IP addresses are required for end-to-end connectivity. A Layer 2 switch does not examine or understand IP addressing; it only examines the Layer 2 frame header for the source and destination MAC addresses.
The following explains what happens when a host sends data to a server over an already established network session.
1. The switch adds the source MAC address of the incoming frame to the MAC address table, with the ingress port, if it is not already listed. That entry is the destination lookup for any frames sent back to that host. This is how the MAC address table is initially populated.
2. The switch looks up the destination MAC address of the frame in the MAC address table to find the forwarding port. If the server is on a different subnet than the host, the destination MAC address is that of the default gateway, so the frame is forwarded to the router.
3. If the destination MAC address is not in the table (for example because the entry has aged out), the switch floods the frame out all ports in the VLAN except the port on which it was received.
4. The local server with the matching destination MAC address responds with a frame that carries the server's MAC address as its source.
5. If the server is on a remote subnet, it is the router that replies to the host's frames, and the switch learns the router's MAC address from those replies in the same way.
6. The switch updates the MAC address table with the learned MAC address and forwarding port.
Domain
Network Access
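The learning, lookup, flooding and aging behaviour described above, as an added example that is not part of the page: a small Python model of a transparent bridge. The port names, MAC addresses and timestamps are constructed, all ports are assumed to be in the same VLAN, and the model deliberately learns only from source addresses, so that unknown-unicast flooding and aging can be observed step by step.

```python
"""Model of a Layer 2 switch: source-MAC learning, destination lookup,
unknown-unicast and broadcast flooding, and MAC aging. Added example; the
frames, ports and MAC addresses below are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

BROADCAST = "ffff.ffff.ffff"
DEFAULT_AGING = 300  # seconds, the IOS default mac address-table aging-time


@dataclass
class Frame:
    src: str
    dst: str
    vlan: int = 1


@dataclass
class Switch:
    ports: List[str]            # all ports are assumed to be in every VLAN used
    aging: int = DEFAULT_AGING
    # (vlan, mac) -> (port the address was learned on, time it was last seen)
    table: Dict[Tuple[int, str], Tuple[str, int]] = field(default_factory=dict)

    def _expire(self, now: int) -> None:
        if self.aging == 0:  # aging-time 0 disables aging entirely
            return
        stale = [k for k, (_, seen) in self.table.items() if now - seen >= self.aging]
        for k in stale:
            del self.table[k]

    def receive(self, frame: Frame, in_port: str, now: int) -> List[str]:
        """Process one frame arriving on in_port at time now; return egress ports."""
        self._expire(now)
        # Learning is driven only by the SOURCE address of the frame.
        self.table[(frame.vlan, frame.src)] = (in_port, now)
        flood = [p for p in self.ports if p != in_port]
        if frame.dst == BROADCAST:
            return flood  # broadcast: every port in the VLAN except the ingress port
        entry = self.table.get((frame.vlan, frame.dst))
        if entry is None:
            return flood  # unknown unicast: flooded until the destination answers
        out_port, _ = entry
        # Known destination: forward on one port, or filter if it is the ingress port.
        return [] if out_port == in_port else [out_port]


if __name__ == "__main__":
    sw = Switch(ports=["Gi1/1", "Gi1/2", "Gi1/3"])
    host, server = "aaaa.aaaa.0001", "bbbb.bbbb.0002"
    print(sw.receive(Frame(host, BROADCAST), "Gi1/1", 0))   # ARP request: flooded
    print(sw.receive(Frame(host, server), "Gi1/1", 1))      # unknown unicast: flooded
    print(sw.receive(Frame(server, host), "Gi1/2", 2))      # reply: server learned
    print(sw.receive(Frame(host, server), "Gi1/1", 3))      # now forwarded to Gi1/2 only
    print(sw.receive(Frame(host, server), "Gi1/1", 303))    # entry aged out: flooded again
```

The last call shows the aging case the text describes: once the server's entry has not been refreshed for 300 seconds the switch is back to flooding, which is also why an attacker who can keep the table from holding a victim's address sees traffic that would otherwise be forwarded on a single port.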

Question 61
What is the correct syntax for an IPv6 default route?
Correct answer
ipv6 route ::/0 [Link]
ipv6 route [Link]/0 [Link]
ipv6 route [Link] :/0
ipv6 route /0 [Link]/32
General explanation
Cisco network devices support default routing on interfaces that have an IPv6 address. The following global configuration commands enable IPv6 routing and configure an IPv6 default route with next hop [Link]. The next hop is the address assigned to the interface of an ISP router for an internet connection. ::/0 is the IPv6 equivalent of 0.0.0.0/0: an all-zeros address with a prefix length of zero.
router(config)# ipv6 unicast-routing
router(config)# ipv6 route ::/0 [Link]
Domain
Network Fundamentals

Question 62
What are two primary services provided by DHCP? (select two)
configure private addressing only
Correct selection
configure TCP/IP address settings on hosts
assign physical and logical addressing dynamically
Correct selection
renew host addressing automatically
General explanation
DHCP is an addressing service responsible for the dynamic configuration and management of IP parameters. A DHCP server allocates dynamic addressing to clients, which can be hosts or network devices. DHCP also manages the renewal of IP addresses from an address pool.
The DHCP address pool is defined on the DHCP server along with the lease time. The address pool is a range of IP addresses reserved for dynamic assignment to clients. A DHCP server assigns an IP address, subnet mask, default gateway address and DNS server address as a minimum; that is required for basic network connectivity. Optionally, a TFTP server address (option 150 for Cisco IP phones) is configurable so that IP phones can download their settings.
DHCP Features
• Assign and renew IP addresses from a designated pool
• Configure TCP/IP address settings on hosts
• IP address is assigned to each host for a fixed lease time
• DHCP client sends periodic requests to renew the same IP address
• Ping or gratuitous ARP is used to detect IP address conflicts
• IP address is removed from the pool when a conflict is detected, until the conflict is cleared
Host IP address renewal is based on the lease time setting. A host will typically keep using the same IP address. The client sends its renewal request to the DHCP server before the lease expires (at half the lease time by default), and the server extends the lease for another lease period. The network address and broadcast address must not be included in the DHCP pool for dynamic assignment.
DHCP Client
The DHCP server is responsible for the dynamic configuration of host IP settings. DHCP must first be enabled on each client. That prompts the host to send a DHCP discover on startup. The client does not know the address of the nearest DHCP server, which could be an IOS DHCP server or a third-party DHCP server, so the initial request is sent as a broadcast to locate one (a DHCP relay on the router forwards it when the server is on another subnet).
Automatic Private IP Addressing (APIPA)
An APIPA address is self-assigned by a DHCP-enabled Windows client when no DHCP server responds. It is a self-configured host address that is only valid within the local subnet. The client keeps the APIPA address while waiting for a dynamic address to be allocated. The range is from [Link] - [Link] with a class B (/16) subnet mask. The host keeps checking for a DHCP server at regular intervals and replaces the APIPA address with DHCP addressing once a server responds.
To request a new IP address manually, issue ipconfig /release followed by ipconfig /renew on the host. That releases the IP address currently assigned to the host interface and requests a new one. The DHCP server assigns an available address from the pool. Never include the network address or broadcast address in a DHCP pool.
The DHCP server is responsible for the dynamic configuration of host IP settings. In addition it manages the renewal of IP addresses from an address pool. DHCP can assign addressing to network interfaces on host endpoints and on Cisco network devices.
Domain
IP Services
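The pool, lease, renewal, conflict and APIPA behaviour described above, as an added example that is not part of the page: a Python model of a DHCP server's address pool. Nothing is sent on the wire; the network, client MAC addresses and timings are constructed, the probe callback stands in for the server's ping-based conflict check, and the APIPA address the client falls back to is an arbitrary pick from the link-local range.

```python
"""Model of a DHCP server pool with lease renewal, conflict detection and
APIPA fallback on the client. Added example; the pool, MAC addresses and
timings are constructed for illustration and nothing is sent on the wire."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set

APIPA_NET = ipaddress.ip_network("169.254.0.0/16")


@dataclass
class Lease:
    ip: str
    expires: int  # absolute time in seconds


class DhcpServer:
    def __init__(self, network: str, lease_time: int, excluded: Set[str] = frozenset()):
        net = ipaddress.ip_network(network)
        # hosts() already leaves out the network and broadcast addresses, which
        # must never be handed to a client; excluded covers statically assigned ones.
        self.pool: List[str] = [str(h) for h in net.hosts() if str(h) not in excluded]
        self.lease_time = lease_time
        self.leases: Dict[str, Lease] = {}  # client MAC -> lease
        self.conflicts: Set[str] = set()    # addresses pulled from the pool

    def _in_use(self) -> Set[str]:
        return {lease.ip for lease in self.leases.values()}

    def request(self, mac: str, now: int,
                probe: Callable[[str], bool] = lambda ip: False) -> Optional[str]:
        """Return the address offered to mac, or None if the pool is exhausted.
        probe(ip) models the server's ping check: True means the address answers."""
        lease = self.leases.pop(mac, None)
        if lease is not None and lease.expires > now:
            # Renewal before expiry: the client keeps its address, lease extended.
            lease.expires = now + self.lease_time
            self.leases[mac] = lease
            return lease.ip
        # Expired or new: try the client's previous address first, then the pool.
        preferred = [lease.ip] if lease is not None else []
        in_use = self._in_use()
        for ip in preferred + self.pool:
            if ip in self.conflicts or ip in in_use:
                continue
            if probe(ip):
                # Conflict detected: remove the address from the pool until cleared.
                self.conflicts.add(ip)
                continue
            self.leases[mac] = Lease(ip, now + self.lease_time)
            return ip
        return None

    def release(self, mac: str) -> None:
        self.leases.pop(mac, None)

    def clear_conflict(self, ip: str) -> None:
        self.conflicts.discard(ip)


def client_address(offer: Optional[str]) -> str:
    """What the host ends up with: the DHCP address, or a self-assigned APIPA address."""
    return offer if offer is not None else str(APIPA_NET[257])  # arbitrary 169.254.1.1


if __name__ == "__main__":
    srv = DhcpServer("192.168.1.0/29", lease_time=100, excluded={"192.168.1.1"})
    print("pool:", srv.pool)                                   # .2 to .6, no .0/.7
    print("first lease:", srv.request("aa:aa", now=0))
    print("renewal:", srv.request("aa:aa", now=50))            # same address
    print("conflict skipped:", srv.request("bb:bb", now=0, probe=lambda ip: ip == "192.168.1.3"))
    print("fallback:", client_address(None))
```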

Question 63
What two statements correctly describe VRF operation? (select two)
VRFs can only be assigned to physical interfaces
VRFs enable virtualization of physical routers
Correct selection
VRFs enable routing table virtualization
Correct selection
VRFs permit overlapping IP address space
General explanation
The purpose of VRFs is to create multiple independent virtual routing tables on the same router. This segments IP addressing and routing processes between VRFs for multi-tenant customer isolation. Each VRF maintains its own routing table, so its IP addressing can overlap with addressing in other VRFs on the same or different routers, because the data paths are isolated. An interface, physical or logical (a subinterface or SVI, for example), belongs to exactly one VRF, and by default traffic cannot cross from one VRF to another.
VRFs are also used to isolate (segment) management, guest, and external traffic from private internal traffic. That is required for security purposes and to implement separate addressing domains. VRFs do not virtualize the router itself, since there is no virtualization of the IOS operating system or router hardware; only the routing table and forwarding are partitioned. A comparable construct in the cloud is the AWS VPC route table.
Domain
Network Fundamentals

Question 64
Refer to the topology drawing. OSPF auto-cost reference-bandwidth
1000 command is configured on all routers. What is the OSPF cost metric
of [Link]/24 route on R1 from host to server?
Correct answer
13
12
4
3
22
General explanation
OSPF calculates a cost for each outgoing interface between source and destination. Refer to the topology drawing and the calculation at each outbound interface toward the server. Since the reference bandwidth was changed to 1000 Mbps (GE), the cost of each interface differs from what the default reference of 100 Mbps would give; with the default, every interface of 100 Mbps or faster has a cost of 1, so FastEthernet and Gigabit Ethernet links cannot be distinguished. The cost is cumulative: the cost of each outgoing interface along the path is added, for a total of 13 shown in the route entry [Link]/24 [110/13] on R1. The reference bandwidth must be set to the same value on every router in the domain, otherwise routers disagree about path costs.
cost = reference bandwidth / interface bandwidth (rounded down, minimum 1)
Domain
IP Connectivity
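The cost formula and its cumulative use along a path, as an added example that is not part of the page. The block below is written in Python with bandwidths in kbps, the unit IOS uses for the interface bandwidth value; the sample path (a GE, a FastEthernet and a 10GE hop) is constructed and is not the topology from the question's drawing, and the code shows the default-reference problem the explanation mentions.

```python
"""OSPF interface cost and cumulative path cost. Added example; the link
speeds in the sample path are constructed and do not come from the question's
topology drawing. Bandwidths are in kbps, as on the IOS 'bandwidth' command."""
from typing import Iterable

DEFAULT_REF_BW_MBPS = 100  # IOS default auto-cost reference-bandwidth


def ospf_cost(interface_bw_kbps: int, ref_bw_mbps: int = DEFAULT_REF_BW_MBPS) -> int:
    """cost = reference bandwidth / interface bandwidth, truncated, never below 1."""
    if interface_bw_kbps <= 0:
        raise ValueError("bandwidth must be positive")
    return max(1, (ref_bw_mbps * 1000) // interface_bw_kbps)


def path_cost(outbound_bw_kbps: Iterable[int], ref_bw_mbps: int = DEFAULT_REF_BW_MBPS) -> int:
    """Sum of the cost of every outgoing interface along the path to the destination."""
    return sum(ospf_cost(bw, ref_bw_mbps) for bw in outbound_bw_kbps)


if __name__ == "__main__":
    sample = [1_000_000, 100_000, 10_000_000]  # GE, FE, 10GE outbound hops (constructed)
    print("T1 cost at default reference:", ospf_cost(1544))   # 64
    print("path cost, reference 100:", path_cost(sample))     # 1 + 1 + 1 = 3
    print("path cost, reference 1000:", path_cost(sample, 1000))  # 1 + 10 + 1 = 12
```

With the default reference bandwidth the GE and 10GE hops cost the same as the FastEthernet hop, so OSPF would happily route across the slow link; raising the reference to 1000 on every router restores the distinction for the FE link, while GE and 10GE still collapse to 1 unless the reference is raised further.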

Question 65
What wildcard mask is used to select or advertise a single host IP address?
Correct answer
[Link]
[Link]
[Link]
[Link]
General explanation
Any network interface address with a /32 subnet mask is a host address, and [Link] is the equivalent wildcard mask: a 0 bit in the wildcard means the address bit must match, a 1 bit means it is ignored. The following is an example of a wildcard mask that advertises a loopback interface with a /32 subnet mask into OSPF area 0. The network area command enables OSPF on any interface whose address falls within the address/wildcard range; it is the interface's own prefix that is then advertised.
interface loopback0
ip address [Link] [Link]
!
router ospf 1
network [Link] [Link] area 0
Resources
How to Calculate a Wildcard Mask in Seconds
Domain
Network Fundamentals

Question 66
What are two applications of Generative AI for network operations? (select
two)
detect configuration errors and software bugs
malware detection
Correct selection
code for network automation
performance optimization
Correct selection
translate system error messages
General explanation
Generative AI (GenAI) has some interesting applications within the context of network operations that assist with implementation and network support.
Some examples include generating Ansible code for automation and configuration scripts for Catalyst 9000 switches. You could also prompt ChatGPT or Google Gemini to translate system error messages for troubleshooting purposes. ChatGPT will provide an explanation of the error code that could include possible root causes and solutions. Any generated configuration should still be reviewed and tested before it is applied to production devices.
How a GenAI model is built and used:
1. create a machine learning algorithm
2. review or analyze large datasets
3. apply training techniques to build an LLM
4. refine through continual self-learning, trial and error and feedback
5. generate original content
GenAI Content Examples
• Ansible code for automation
• Catalyst 9000 configuration scripts
• Tier 1 support chatbots
• Summarize technical documents
• Educational training content
• Articles and presentations
Domain
Automation and Programmability
Question 67
What two commands enable management of Cisco devices from a web
browser with encryption and authentication enabled? (select two)
ip https server
ip https secure-server
Correct selection
ip http authentication local
ip http local authentication
Correct selection
ip http secure-server
General explanation
Cisco devices can be configured and managed from a web browser for easier management. The following global commands enable an HTTPS (TLS-encrypted) session to the device and authenticate users against the local username database. There is an option to authenticate users with a AAA server as well. Once the secure server is enabled, the plaintext HTTP server (ip http server) should be disabled so that credentials are never sent in the clear.
ip http secure-server
ip http authentication local
Domain
Network Access

Question 68
What subnet mask enables at least 40 host IP addresses per subnet?
[Link] (/27)
Correct answer
[Link] (/26)
[Link] (/29)
[Link] (/28)
General explanation
Refer to the Class C subnetting table for the subnet mask that provides at least 40 host addresses. A /26 leaves 6 host bits, which gives 2^6 - 2 = 62 usable host addresses (the network and broadcast addresses are subtracted). The next smaller subnet, /27, leaves only 5 host bits for 30 usable addresses, which is not enough. So [Link] (/26) is the smallest subnet that meets the requirement.
Domain
Network Fundamentals

Question 69
Refer to the network topology drawing. Select the correct IOS command to
configure a backup floating static route on router-1 to destination
[Link]/24?

ip route [Link] [Link] [Link] 1


ip route [Link] [Link] [Link]
Correct answer
ip route [Link] [Link] [Link] 2
ip route [Link] [Link] [Link] 200

General explanation
The following IOS command configures a backup (floating) static route on router-1 to subnet [Link]/24 with an administrative distance of 2. The administrative distance chosen here is still lower than that of any routing protocol, so the floating static route takes precedence over an OSPF route to the same subnet that might exist via another path.
ip route [Link] [Link] [Link] 2
• destination subnet (route) = [Link]
• subnet mask = [Link] (/24)
• next hop IP address = [Link]
• administrative distance = 2
The default administrative distance for a static route is 1. Assigning a higher value of 2 to the second static route makes it a floating static route: it is kept out of the routing table as long as the AD 1 route for the same prefix is present. That is often used to provide a backup route when a primary link fails. The router installs the floating static route in the routing table when the interface between router-1 and router-3 fails and the primary route is withdrawn. Traffic destined for subnet [Link] is then forwarded to next hop address [Link] over the backup path until the primary static route returns.
The following is an alternate form of the floating static route to the [Link]/24 subnet.
The exit interface S0/0 on router-1 is specified instead of the next hop IP address of the connected neighbor (router-2).
ip route [Link] [Link] S0/0 2
The following options are incorrect:
• ip route [Link] [Link] [Link] 200 - This is a floating static route with the same next hop as the existing primary static route, so it provides no alternate path.
• ip route [Link] [Link] [Link] 1 - This is a second static route with the default administrative distance. Both routes would be installed, and the router would load balance across the primary and backup links instead of using the backup only on failure.
• ip route [Link] [Link] [Link] - This is a static route with a next hop address that is not directly connected.
Domain
IP Connectivity

Question 70
Where are wireless client roaming decisions made?
Correct answer
host
RADIUS server
wireless controller
access point
switch

General explanation
Wireless clients initiate and make roaming decisions for 802.11 network connectivity. Roaming is triggered when the received signal strength (RSSI) drops below a client-specific threshold. The client sends probe requests, scanning off-channel, to discover nearby access points. It waits for probe responses, selects the access point with the best signal quality, and reassociates with it. The controller and access points can influence the decision (802.11k neighbor reports, for example), but the choice remains with the client.
Domain
Network Access

Question 71
What virtual MAC address does VRRP auto-generate for group 12?
Correct answer
0000.5E00.010C
0000.0C07.AC0C
0007.B400.0C0F
0000.0C9F.F00C
General explanation
VRRP is an open standard FHRP that creates a virtual gateway from two or more routers. There is a master router and one or more backup routers; a backup takes over only when the master fails. In practice, VRRP is commonly deployed for internet firewall and load balancer failover. It also supports multivendor (third-party) implementations alongside Cisco equipment.
A virtual IP address and a virtual MAC address together form the virtual gateway for the participating routers. The VRRP virtual MAC address format is 0000.5E00.01xx, where xx is the group number in hexadecimal. As a result, 0000.5E00.010C is the virtual MAC address for group 12, since 0C is the hexadecimal equivalent of decimal 12. The group number is also referred to as the virtual router ID (VRID) and identifies a group of VRRP routers. HSRP, the Cisco proprietary equivalent, is commonly deployed within the data center to provide a redundant first-hop gateway for hosts. The other options are the virtual MAC formats of the other FHRPs for group 12:
0000.5E00.010C (VRRP)
0000.0C07.AC0C (HSRPv1)
0000.0C9F.F00C (HSRPv2)
0007.B400.0C0F (GLBP)
Domain
IP Connectivity

Question 72
What statement correctly describes the operation of BPDU Filter on a
switch port?
BPDU Filter is an alternative to BPDU guard when PortFast is
disabled
BPDU Filter only allows switch port to receive BPDU messages
BPDU Filter enables spanning tree compatibility with a third party
switch
Correct answer
BPDU Filter disables spanning tree operation
General explanation
The purpose of BPDU Filter is to effectively disable spanning tree operation on a switch port. Applied at the interface level, it drops all inbound and outbound BPDUs on the port unconditionally. Enabled globally for PortFast ports, it stops the port from sending BPDUs, but if a BPDU is received the port loses its PortFast and BPDU Filter status and reverts to a normal spanning tree port.
This feature can potentially cause Layer 2 loops, since spanning tree, which is designed to prevent loops, is disabled on the port. It is sometimes implemented on a connection to a third-party network where isolation of spanning tree domains is required: it stops your BPDUs from reaching a third-party managed switch (which might otherwise shut the port down with its own BPDU Guard) and keeps the two spanning tree domains, for example between data centers, independent of each other.
A broadcast storm could occur, for example, if you plug your IP phone and desktop into two different cubicle wall jacks whose ports have interface-level BPDU Filter enabled and the two devices are cabled together. This creates a Layer 2 loop: no BPDUs pass, so spanning tree never detects the loop and no port is blocked, and BPDU Guard cannot help because it also depends on seeing BPDUs. As a result, use caution when implementing BPDU Filter and prefer BPDU Guard on access ports.
spanning-tree bpdufilter enable (interface-level command)
spanning-tree portfast bpdufilter default (global command)
Domain
Network Access

Question 73
What correctly describes network operation within a virtualized
environment?
broadcast radiation is eliminated within a virtual environment
broadcast radiation occurs between virtual machines and physical
switches
Correct answer
broadcasts and multicasts are sent between virtual machines
802.1q encapsulation is not supported within a virtual
environment
General explanation
Virtual machines send broadcasts and multicasts to each other to enable network communication (ARP, for example), just as physical hosts do. This often creates large Layer 2 broadcast domains that can lead to broadcast radiation and broadcast storms. VLANs are recommended to limit broadcast traffic and minimize the size of Layer 2 domains within the virtualized environment. Broadcast radiation is therefore not eliminated by virtualization.
Examples of virtual machines include servers and virtual appliances. Trunking traffic from multiple VLANs with 802.1q encapsulation is supported between the virtual switch and the physical switch. The primary function of a virtual switch is to connect virtual machines (VMs) and forward traffic between them, and over its uplinks to the physical network. The virtual switch is not itself a virtual machine; it is a software component of the hypervisor.
Domain
Network Fundamentals

Question 74
What are the components of a standard ACL?
source address, subnet mask, protocol
Correct answer
source address, wildcard mask
source address, wildcard mask, destination subnet
source address, subnet mask, destination subnet

General explanation
A standard access list only allows you to specify a source address and a wildcard mask; it cannot match on destination address, protocol or port. The wildcard mask defines which bits of the source address must match. The number range is 1-99 and 1300-1999 (named standard ACLs are also supported). A standard ACL is comprised of permit or deny statements with a source address and a wildcard mask only. The source address can be a host address, a subnet, or a range of subnets.
access-list 99 deny [Link] [Link]
access-list 99 permit any
Every ACL ends with an implicit deny any, so an ACL that contains only deny statements blocks all packets from all sources; you must add permit any as the last statement to allow everything else. Cisco standard and extended ACL statements are processed top down and the first match wins, so they should be ordered from most specific to least specific.
access-list 99 deny host [Link]
access-list 99 permit any
Domain
Security Fundamentals
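Wildcard matching is the mechanism behind both the OSPF network statement in Question 65 and the standard ACL above, so one added example serves both; it is not code from the page. The Python block derives a wildcard from a prefix length, matches an address against a network/wildcard pair the way IOS does (bit by bit, so non-contiguous wildcards work too), parses a handful of constructed standard ACL lines, and evaluates them top down with the implicit deny at the end. The ACL lines and addresses are constructed for illustration.

```python
"""Wildcard-mask matching as used by OSPF network statements and standard ACLs.
Added example; the ACL lines and addresses are constructed."""
import ipaddress
from typing import List, Tuple

ANY = ("0.0.0.0", "255.255.255.255")


def _int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_from_prefix(prefix_len: int) -> str:
    """/32 -> 0.0.0.0, /24 -> 0.0.0.255: the bitwise inverse of the subnet mask."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0-32")
    return str(ipaddress.IPv4Address((1 << (32 - prefix_len)) - 1))


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """A 0 bit in the wildcard must match, a 1 bit is don't-care (need not be contiguous)."""
    care = ~_int(wildcard) & 0xFFFFFFFF
    return (_int(addr) & care) == (_int(network) & care)


def parse_standard_acl(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Parse 'access-list N {permit|deny} {any | host A | A [W]}' into (action, net, wildcard)."""
    entries = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list" or parts[2] not in ("permit", "deny"):
            raise ValueError(f"not a standard ACL entry: {line!r}")
        action, rest = parts[2], parts[3:]
        if rest == ["any"]:
            net, wc = ANY
        elif rest[0] == "host" and len(rest) == 2:
            net, wc = rest[1], "0.0.0.0"
        elif len(rest) == 1:
            net, wc = rest[0], "0.0.0.0"  # a bare address means a single host
        elif len(rest) == 2:
            net, wc = rest[0], rest[1]
        else:
            raise ValueError(f"bad source specification: {line!r}")
        ipaddress.IPv4Address(net)  # fail early on malformed addresses
        ipaddress.IPv4Address(wc)
        entries.append((action, net, wc))
    return entries


def evaluate(acl: List[Tuple[str, str, str]], source: str) -> str:
    """First matching entry wins; with no match the implicit deny applies."""
    for action, net, wc in acl:
        if wildcard_match(source, net, wc):
            return action
    return "deny"


if __name__ == "__main__":
    # OSPF network statement for a /32 loopback: address matches itself exactly.
    print(wildcard_from_prefix(32), wildcard_match("10.255.0.1", "10.255.0.1", "0.0.0.0"))
    acl = parse_standard_acl(["access-list 99 deny host 10.1.1.5",
                              "access-list 99 permit any"])
    print(evaluate(acl, "10.1.1.5"), evaluate(acl, "10.1.1.6"))   # deny permit
    # Wrong order: the broad permit shadows the host deny that follows it.
    shadowed = parse_standard_acl(["access-list 98 permit 10.1.1.0 0.0.0.255",
                                   "access-list 98 deny host 10.1.1.5"])
    print(evaluate(shadowed, "10.1.1.5"))                          # permit
```

The shadowed ACL at the end is the ordering mistake the explanation warns about: because the first match wins, a host deny placed after a subnet permit never fires.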

Question 75
Refer to the routing table. What route will DC-1 select for packets with
destination IP address [Link]?
S [Link]/26 [1/0]
S* [Link]/0 [1/0]
D [Link]/24 [90/3072]
Correct answer
[Link]/27 [110/2]

General explanation
This is a longest match rule question with multiple routes from different
route sources to the same destination. The destination address also falls
within the range of the static route and the EIGRP route (including their
broadcast addresses); however, they have a shorter prefix (/26 and /24)
than the OSPF route (/27) and are not selected.

OSPF Route
-------------------------------
[Link]/27 (network address - subnet zero)
[Link]/27 - [Link]/27
[Link]/27 (broadcast address)
([Link] is within IP address range [Link] - [Link])

Static Route
-------------------------------
[Link]/26 (network address)
[Link]/26 - [Link]/26
[Link]/26 (broadcast address)
([Link] is within range however /26 is a shorter prefix than
OSPF route)

EIGRP Route
-------------------------------
[Link]/24 (network address)
[Link]/24 - [Link]/24
[Link]/24 (broadcast address)
([Link] is within range however /24 is a shorter prefix than
OSPF route)
Resources
How to Analyze a Routing Table
Domain
IP Connectivity

Question 76
What are three examples of solutions for physical access security? (select
three)
RSA token fob
Correct selection
biometric scan
certificate
Correct selection
swipe card
Correct selection
rack lock
General explanation
Any strategy must verify user identity based on at least two independent
security credentials. This is where multi-factor authentication really pays
off. Consider that multiple security layers exist from when you swipe an ID
card, enter a building and then access data.
Biometrics are astoundingly effective as an identity credential that is
difficult to steal. The scan is dynamic when authenticating for physical
access security; however, biometric records are stored for comparison
purposes and have been hacked recently. A biometric security credential
cannot be shared the way a password or smartphone can. Some of the most
common biometrics include fingerprint, facial scan and voice recognition.
Traditional physical rack locks are another example that is still quite
effective when deploying physical layer security.
Domain
Security Fundamentals

Question 77
How is a wireless controller LAG interface connected to switch-side
interfaces? (select the best answer)
Correct answer
802.3ad
PAgP only
static mode only
dynamic interfaces

General explanation
Cisco wireless controllers support Link Aggregation Group (LAG) to bundle
multiple physical controller ports into a static EtherChannel (LAG)
interface. The advantages are higher bandwidth, redundancy and load
balancing. Cisco appliance-based controllers have multiple Ethernet ports
available for switch connectivity. There is support for only a single LAG
group per wireless controller device.
Cisco wireless controllers support 802.3ad or PAgP for dynamic
EtherChannel to switch-side interface/s. EtherChannel is also configured
with trunking to forward traffic from multiple VLANs between the wired
and wireless network. The dynamic interfaces within the controller map
SSIDs to wired VLANs across the distribution system ports (LAG).

Resources
Cisco Wireless LAN Controller Ports and Interfaces
Cisco WLC Configuration Guide
Domain
Network Access

Question 78
What routing protocol has the lowest administrative distance?
RIP
IS-IS
OSPF
Correct answer
eBGP
EIGRP
General explanation
It is important to know the administrative distance (AD) values for static
and dynamic routes, since they are part of the route selection topic. The
routing protocol with the lowest (preferred) administrative distance of all
the options is external BGP (eBGP). The router considers administrative
distance only when multiple routes exist to the same destination. The AD
value determines which route is installed in the global routing table.
• eBGP (20)
• EIGRP (90)
• OSPF (110)
• IS-IS (115)
• RIP (120)
Domain
IP Connectivity

Question 79
What three channels are non-overlapping in the 2.4 GHz frequency band?
(select three)
10
Correct selection
1
Correct selection
11
Correct selection
6
2
General explanation
Cisco wireless infrastructure supports both automatic and manual channel
assignment. Configuration of a radio policy assigns a frequency band to an
RF cell. There are only three non-overlapping channels (1, 6, 11)
assignable from the 2.4 GHz band. As a result, with more than three
access points, you start assigning from channel 1 again.
Channel separation of 20 MHz is required to avoid channel overlap
interference. Selecting the wider 5 GHz band allows more channels for
assignment. 5 GHz enables channel bonding of adjacent channels for
higher bandwidth (data rate). That reduces the number of non-overlapping
channels assignable.
Dynamic Channel Assignment (DCA) is a feature available on wireless
controllers that assigns channels to access points automatically. The
controller monitors noise interference and selects a different channel for
the access point. Some examples of noise interference include co-channel
and adjacent channel interference. There are also non-802.11 sources of
interference such as Bluetooth. DCA is not recommended for
delay-sensitive traffic such as voice and video. The result is higher data
throughput for wireless clients.
Domain
Network Fundamentals

Question 80
What are two services provided by OSPF hello packets? (select two)
Correct selection
enable neighbor adjacency
synchronize neighbor link-state databases
router ID selection
Correct selection
DR/BDR election
negotiate operational settings between neighbors
General explanation
The OSPF link-state routing protocol builds and maintains a topology
database. Hello packets discover neighbors and establish neighbor
adjacencies first. They are also exchanged between neighbors to elect the
DR/BDR routers on a broadcast network type. OSPF does not form an
adjacency between neighbors that have any mismatch, such as timers.
Hello packets do not detect mismatches or negotiate operational settings;
they only advertise settings to neighbors.
Domain
IP Connectivity

Question 81
What are three characteristics of Generative AI? (select three)
generate duplicate content from structured datasets
Correct selection
hallucinations
Correct selection
generate original content from unstructured datasets
Correct selection
self-correction
collect and analyze real-time data
General explanation
Artificial Intelligence (AI) is the simulation or mimicking of human learning,
reasoning, and self-correction by computer systems. Cisco has added AI
features to several management platforms to enhance troubleshooting,
security, and performance optimization capabilities. This has been
accomplished with a subset of AI called machine learning (ML) that
identifies and learns patterns from datasets without explicit programming
or instructions. The sources for datasets vary based on whether it
is generative AI (GenAI) or predictive AI.
Machine learning algorithms use data (text, images, numerical) that
train large language models (LLM) to predict or identify patterns. Some
examples of large language models include ChatGPT and Google Gemini.
Machine learning allows for self-correction through trial and error, pattern
recognition, and human reinforcement feedback. There is also deep
learning, a subset of machine learning based on unstructured
datasets and neural networks.
Generative AI (GenAI) is a further subset of deep learning (DL) that
generates or creates original content from existing unstructured datasets.
Some examples of unstructured datasets include Wikipedia and GitHub.
This could also include private datasets (or sources) for technical
documentation, developer code, and configuration scripts. There is no
support for real-time telemetry as a data source since that is predictive AI.
User input prompts trigger analysis of datasets to generate content,
whether it is text or multimodal (text, images, videos) content. It is
important to note that generative AI is subject to errors called
hallucinations. These are caused by factors such as language models that
have not detected false data or instructions that are not explicit. Other
causes could include insufficient training data, biased data, or outdated
information.
AI -> ML -> DL -> GenAI -> LLM (ChatGPT)
Resources
Understanding AI and LLMs as a Network Engineer
Domain
Automation and Programmability

Question 82
What three attributes are preferred for route and best path selection?
(select three)
route with highest administrative distance
Correct selection
route with longest prefix match
Correct selection
route with lowest metric
route with highest metric
route with shortest prefix match
Correct selection
route with lowest administrative distance
General explanation
The routing algorithm selects routes to install in the routing table, and
routing table lookup then selects the best path. There is a next hop
associated with each route for packet forwarding between source and
destination. There are often routes advertised from multiple routing
sources to the same and different destinations. That includes dynamic
routing protocols and static routes.
Cisco Route Selection Algorithm
1. Route with lowest administrative distance is installed in routing table
when routes exist from different routing protocols to the same
destination.
2. Route with lowest metric is installed in routing table when multiple
routes exist from the same routing protocol to the same destination.
Multiple routes with equal metrics from the same routing protocol are
installed and load balanced based on routing protocol support.
3. Routing table lookup is based on longest prefix match when multiple
routes with different prefix lengths exist in the routing table to the same
destination.
All routes with the same network address (prefix) and prefix
length (subnet mask length) are considered the same
destination. For example, the [Link]/27 route has network address
[Link] and /27 prefix length.
Longest prefix match selects the route in the routing table with the longest
prefix, provided the destination IP address is within the route's range.
Examples are included with this practice test course. Know subnetting
for CCNA.
Domain
IP Connectivity

Question 83
What IOS command is used to configure 1:1 NAT translation from private
web server address to an internet routable address?
Correct answer
ip nat inside source static
ip nat inside static source
ip nat overload
ip nat inside static
ip nat inside source list
General explanation
The purpose of static NAT is to configure a 1:1 persistent mapping
between a local IP address (private) and a global IP address (public). That
is required since private IP addresses are not routable to outside hosts.
There is inbound and outbound NAT translation since any network session
has a forwarding and reverse path (bidirectional).
Cisco only permits a single static NAT translation per public routable IP
address. They exist as permanent entries in the NAT translation table
unless the router is turned off. There are two methods for static NAT
translation that accomplish the same result.
ip nat inside source static
• Translates the source IP address of packets that travel inside to outside
(internet).
• Translates the destination IP address of packets that travel outside to
inside.
ip nat outside source static
• Translates the source IP address of packets that travel outside to inside.
• Translates the destination IP address of packets that travel inside to
outside.
The following IOS command configures static NAT on router-2 for hosts to
access a cloud web server. Since it is a web server, TCP port 80 must be
included to create TCP socket addresses.
ip nat inside source static tcp [Link] 80 [Link] 80
-> packets inbound from the internet to the web server translate the
destination IP address to [Link]
-> packets outbound from the web server to the internet translate the
source IP address to [Link]
or alternate method:
ip nat outside source static tcp [Link] 80 [Link] 80
-> packets inbound from the internet to the web server translate the
source IP address to [Link]
-> packets outbound from the web server to the internet translate the
destination IP address to [Link]
The following example defines different types of NAT addressing:
• Inside local IP address is private address assigned to a host-1 on the
inside network.
• Inside global IP address is a public routable address of router-1 assigned
by ISP.
• Outside global IP address is a public routable address assigned to router-
2 (cloud).
• Outside local IP address is private address of cloud web server as it
appears to hosts.
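The two static NAT forms above, as an added Python model that is not part of the practice test: it parses the IOS command, then shows which address each form rewrites in each direction, including a port-specific entry that leaves other ports alone. All addresses are constructed samples from private and documentation ranges.

```python
# Added example (not from the practice test): a model of the two static NAT
# command forms above and how each rewrites a TCP packet in both directions.
# All addresses (RFC 1918 and documentation ranges) are constructed samples.
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class StaticNat:
    kind: str                          # "inside" or "outside": whose address is translated
    local_ip: str
    global_ip: str
    local_port: Optional[int] = None   # None: all ports, and the port is left untouched
    global_port: Optional[int] = None


def parse_static_nat(cmd: str) -> StaticNat:
    """Parse 'ip nat inside|outside source static [tcp|udp] A [port] B [port]'.
    For 'inside', A is the inside local and B the inside global address.
    For 'outside', A is the outside global (the real outside host) and B the
    outside local address (how that host appears to inside hosts)."""
    t = cmd.split()
    if t[:2] != ["ip", "nat"] or t[3:5] != ["source", "static"]:
        raise ValueError("not a static NAT command: " + cmd)
    kind, args = t[2], t[5:]
    if args and args[0] in ("tcp", "udp"):
        _, a_ip, a_port, b_ip, b_port = args
        a_port, b_port = int(a_port), int(b_port)
    else:
        (a_ip, b_ip), a_port, b_port = args, None, None
    if kind == "inside":
        return StaticNat("inside", a_ip, b_ip, a_port, b_port)
    if kind == "outside":
        return StaticNat("outside", b_ip, a_ip, b_port, a_port)
    raise ValueError("expected 'inside' or 'outside': " + cmd)


def _matches(ip, port, want_ip, want_port) -> bool:
    return ip == want_ip and (want_port is None or port == want_port)


def _port(new: Optional[int], old: int) -> int:
    return old if new is None else new


def translate(rule: StaticNat, pkt: Packet, direction: str) -> Packet:
    """direction is 'in2out' (inside -> outside) or 'out2in'. Returns the packet
    as it leaves the router; unchanged when the rule does not apply."""
    if direction not in ("in2out", "out2in"):
        raise ValueError(direction)
    if rule.kind == "inside":
        # inside source static: source rewritten in2out, destination out2in
        if direction == "in2out" and _matches(pkt.src_ip, pkt.src_port, rule.local_ip, rule.local_port):
            return replace(pkt, src_ip=rule.global_ip, src_port=_port(rule.global_port, pkt.src_port))
        if direction == "out2in" and _matches(pkt.dst_ip, pkt.dst_port, rule.global_ip, rule.global_port):
            return replace(pkt, dst_ip=rule.local_ip, dst_port=_port(rule.local_port, pkt.dst_port))
    else:
        # outside source static: source rewritten out2in, destination in2out
        if direction == "out2in" and _matches(pkt.src_ip, pkt.src_port, rule.global_ip, rule.global_port):
            return replace(pkt, src_ip=rule.local_ip, src_port=_port(rule.local_port, pkt.src_port))
        if direction == "in2out" and _matches(pkt.dst_ip, pkt.dst_port, rule.local_ip, rule.local_port):
            return replace(pkt, dst_ip=rule.global_ip, dst_port=_port(rule.global_port, pkt.dst_port))
    return pkt


# Constructed rules: an internal web server published on a public address, and a
# cloud web server that inside hosts reach through a private (outside local) address.
WEB_SERVER = parse_static_nat("ip nat inside source static tcp 10.1.1.10 80 203.0.113.10 80")
CLOUD_SERVER = parse_static_nat("ip nat outside source static 203.0.113.50 10.9.9.50")

if __name__ == "__main__":
    request = Packet("198.51.100.7", 51515, "203.0.113.10", 80)
    print(translate(WEB_SERVER, request, "out2in"))       # destination -> 10.1.1.10:80
    reply = Packet("10.1.1.10", 80, "198.51.100.7", 51515)
    print(translate(WEB_SERVER, reply, "in2out"))         # source -> 203.0.113.10:80
    print(translate(WEB_SERVER, Packet("10.1.1.10", 443, "198.51.100.7", 5), "in2out"))  # port 443: no entry
    print(translate(CLOUD_SERVER, Packet("10.1.1.10", 4000, "10.9.9.50", 80), "in2out"))  # destination -> 203.0.113.50
```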
Domain
IP Services

Question 84
What is an operational mode for Cisco lightweight access points?
roaming
CAPWAP
Correct answer
client
admin
General explanation
The popularity of wireless has led to more controller-based wireless
infrastructure. Most enterprise access points are now managed from
wireless controllers. The default operational mode is local mode, where
wireless clients connect to the controller via a CAPWAP tunnel. CAPWAP is
a tunnel that connects the access point and controller through a network
switch. There is also client mode that supports connectivity between
access points. FlexConnect mode is often deployed at branch offices so
that wireless clients can fail over to local switching when the controller is
unavailable.
On startup, there is a discovery process where access points join a
controller. The access point obtains an IP address from a DHCP server if
that is enabled. The Cisco wireless controller then pushes the access
point configuration, policy settings and an updated IOS software image
where required.
Advantages of Wireless LAN Controllers
• Easier management and deployment of access points.
• Configuration of wireless user policies across the network.
• Dynamic RF cell management and channel assignment.
Standard network services available include an internal DHCP server and
DHCP relay.
Domain
Network Access

Question 85
How are route advertisements enabled between OSPF neighbors?
default route
per interface only
network range command
network area command only
Correct answer
network area command or per interface

General explanation
The OSPF network area command enables OSPF routing on all local
interfaces that are assigned an address within the subnet range specified.
The routes are advertised to the area assigned and to all neighbor/s
assigned to that area.
For example, an interface assigned [Link] is enabled for OSPF
when the network area command is configured with the [Link]/16 or
[Link]/24 network address. The subnet (route) is then advertised to
the area assigned.
The following example will advertise [Link]/24 subnet (prefix)
from any local interface assigned within that same subnet to all OSPF
neighbors in area 0.
router ospf 1
router-id [Link]
network [Link] [Link] area 0
This example advertises [Link]/16 and [Link]/24 subnets from
any local interface within either subnet range to area 0.
router ospf 1
router-id [Link]
network [Link] [Link] area 0
network [Link] [Link] area 0
OSPF can be enabled directly on a network interface as well. For example,
assigning interface Gi0/1 to OSPF process 1 and area 0 requires the ip
ospf 1 area 0 interface command. OSPF will advertise the subnet
assigned to that local interface ([Link]/24) to OSPF neighbors. It
takes precedence over the network area command as well.
interface gigabitethernet0/1
ip address [Link] [Link]
ip ospf 1 area 0
no shut
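The interface selection described above, as an added Python model that is not part of the practice test: it reads a small IOS configuration and reports which interfaces OSPF is enabled on, in which area, and which prefix each advertises. It assumes, as stated above, that a per-interface ip ospf area command overrides the network statement, and additionally that when several network statements match the most specific one (narrower wildcard) wins; the configuration is a constructed sample.

```python
# Added example (not from the practice test): given a minimal IOS configuration,
# work out which interfaces the 'network ... area' statements and per-interface
# 'ip ospf ... area' commands enable for OSPF, and which prefix each advertises.
# Assumptions: a per-interface area overrides the network statement, and when
# several network statements match, the most specific one (fewest wildcard
# 1-bits) wins. The configuration text is a constructed sample.
import ipaddress


def ip_to_int(ip):
    return int(ipaddress.IPv4Address(ip))


def wildcard_match(addr, base, wildcard):
    """0 bits in the wildcard must match, 1 bits are ignored."""
    care = ~ip_to_int(wildcard) & 0xFFFFFFFF
    return (ip_to_int(addr) & care) == (ip_to_int(base) & care)


def parse_config(text):
    """Return (interfaces, networks): interfaces maps name -> dict with
    'ip', 'mask', 'area' (from 'ip ospf ... area', else None); networks is a
    list of (base, wildcard, area) taken from 'router ospf' mode."""
    interfaces, networks, current = {}, [], None
    for raw in text.splitlines():
        t = raw.strip().split()
        if not t:
            continue
        if t[0] == "interface":
            current = t[1]
            interfaces[current] = {"ip": None, "mask": None, "area": None}
        elif t[:2] == ["router", "ospf"]:
            current = None                       # leave interface mode
        elif t[0] == "network" and len(t) == 5 and t[3] == "area":
            networks.append((t[1], t[2], int(t[4])))
        elif current and t[:2] == ["ip", "address"]:
            interfaces[current]["ip"], interfaces[current]["mask"] = t[2], t[3]
        elif current and t[:2] == ["ip", "ospf"] and len(t) == 5 and t[3] == "area":
            interfaces[current]["area"] = int(t[4])
    return interfaces, networks


def ospf_interfaces(text):
    """Map each addressed interface to {'prefix', 'area'}; area is None when
    OSPF is not enabled on it by either method."""
    interfaces, networks = parse_config(text)
    result = {}
    for name, cfg in interfaces.items():
        if cfg["ip"] is None:
            continue
        prefix = str(ipaddress.ip_interface(cfg["ip"] + "/" + cfg["mask"]).network)
        area = cfg["area"]                       # per-interface command wins
        if area is None:
            matches = [(bin(ip_to_int(w)).count("1"), a)
                       for b, w, a in networks if wildcard_match(cfg["ip"], b, w)]
            if matches:
                area = min(matches)[1]           # fewest wildcard 1-bits = most specific
        result[name] = {"prefix": prefix, "area": area}
    return result


CONFIG = """
router ospf 1
 router-id 1.1.1.1
 network 10.1.0.0 0.0.255.255 area 0
 network 10.1.20.0 0.0.0.255 area 1
 network 192.168.0.0 0.0.255.255 area 0
interface gigabitethernet0/0
 ip address 10.1.10.1 255.255.255.0
interface gigabitethernet0/1
 ip address 10.1.20.1 255.255.255.0
interface gigabitethernet0/2
 ip address 192.168.1.1 255.255.255.0
 ip ospf 1 area 2
interface gigabitethernet0/3
 ip address 172.16.1.1 255.255.255.0
"""

if __name__ == "__main__":
    for name, info in ospf_interfaces(CONFIG).items():
        print(name, info)
```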
Domain
IP Connectivity

Question 86
What is the purpose of a southbound interface?
communication between control plane and SDN applications
communication between SDN controller and management plane
communication between SDN controller and control plane
Correct answer
communication between SDN controller and physical devices
General explanation
The SDN controller provides centralized management where the network
appears as a single logical switch. Network services are dynamically
configurable when the control plane is moved from physical infrastructure
to a software-based SDN controller with API modules.
SDN overlay is comprised of a separate control plane and management
plane. The southbound interface (API) provides connectivity between SDN
Controller and the data plane of physical and virtual (VM) network devices.
SDN controllers push configuration updates via southbound interfaces to
network devices responsible for data plane forwarding. Some examples of
southbound interfaces include Ansible, OpenFlow, and NETCONF.
Domain
Automation and Programmability

Question 87
Refer to the routing table. What route will DC-1 select for packets with
destination IP address [Link]?

Correct answer
EIGRP route
[Link]/16
OSPF route
static route
none

General explanation
This question requires knowledge of subnetting since only the EIGRP route
[Link]/27 is within range of the [Link] destination IP address. The
static route and OSPF route have a longer prefix than EIGRP; however, the
longest match rule only applies to routes whose range includes the
destination IP address. Refer to the subnetting table for easy subnet
reference lookup.

EIGRP Route
-------------------------------
D [Link]/27 [90/3072]
[Link]/27 (network address - subnet zero shown here for reference)
[Link]/27 - [Link]/27 (host IP address range)
[Link]/27 (broadcast address)
Next Subnet
[Link]/27 (network address)
[Link]/27 - [Link]/27
[Link]/27 (broadcast address)
([Link] is within IP address range [Link] - [Link])

Static Route
-------------------------------
S [Link]/29 [1/0]
[Link]/29 (network address)
[Link]/29 - [Link]/29
[Link]/29 (broadcast address)
([Link] is not within IP address range [Link] -
[Link])

OSPF Route
-------------------------------
O [Link]/28 [110/2]
[Link]/28 (network address)
[Link]/28 - [Link]/28
[Link]/28 (broadcast address)
([Link] is not within IP address range [Link] -
[Link])
Domain
IP Connectivity

Question 88
How does the Cisco routing algorithm populate a routing table when a
route to the same destination is advertised from multiple sources?
highest metric
all routes are installed
administrative distance and longest prefix match rule
longest prefix match rule
Correct answer
lowest administrative distance
General explanation
The routing table is populated based on administrative distance (AD) when
a route is advertised from different route sources to the same destination
network. This refers to the installation of routes in the global routing table.
All routes with the same network address (subnet) and prefix
length (subnet mask length) are considered the same
destination.
The Cisco route selection algorithm installs the route
with the lowest administrative distance when different route sources
advertise a route to the same destination.
The following example has routes from four different route sources with
the same network address ([Link]) and prefix length (/27). The static
route has the lowest administrative distance (1) and would be installed in
routing table.
EIGRP (AD = 90) - [Link]/27 [90/3072]
OSPF (AD = 110) - [Link]/27 [110/3]
Static (AD = 1) - [Link]/27 [1/0] --> static route is installed in
routing table
BGP (AD = 20) - [Link]/27 [20/0]
There are also routes that are added automatically when advertised since
they have a different prefix length. This occurs whether the route is to the
same destination or a different destination. Cisco routing algorithm
considers routes with different prefix lengths as different
destinations and installs them all.
Routing table lookup is based on the longest match rule when the
router has installed routes from multiple route sources. A single route
to a destination is selected automatically since no other exists. The
default route is only selected when no other route to the destination exists.
The route with the lowest metric is installed when multiple routes are
advertised from the same routing protocol to the same destination.
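The route selection rules covered in Questions 75, 78, 82, 87 and 88, as one added Python model that is not part of the practice test: installation by administrative distance, then by metric within the same protocol (keeping equal-cost routes), and lookup by longest prefix match with the default route used last. All prefixes, metrics and next hops are constructed samples.

```python
# Added example (not from the practice test): a model of the route selection
# rules explained in Questions 75, 78, 82, 87 and 88 (administrative distance,
# then metric, then longest prefix match at lookup time, default route last).
# All prefixes, metrics and next hops are constructed sample values.
import ipaddress
from collections import namedtuple

# Default administrative distances listed in Question 78 (plus connected/static).
AD = {"connected": 0, "static": 1, "eBGP": 20, "EIGRP": 90,
      "OSPF": 110, "IS-IS": 115, "RIP": 120}

Route = namedtuple("Route", "prefix source metric next_hop")


def install(candidates):
    """Build the routing table from advertised routes.
    Routes with the same network address AND prefix length are the same
    destination: keep the lowest AD; among routes from the same source keep
    the lowest metric, and keep all equal-metric routes (load balancing).
    Different prefix lengths are different destinations and are all installed."""
    table = {}
    for route in candidates:
        dest = ipaddress.ip_network(route.prefix)   # strict: host bits must be 0
        installed = table.get(dest)
        if installed is None:
            table[dest] = [route]
        elif route.source == installed[0].source:
            if route.metric < installed[0].metric:
                table[dest] = [route]
            elif route.metric == installed[0].metric:
                installed.append(route)
        elif AD[route.source] < AD[installed[0].source]:
            table[dest] = [route]
    return table


def lookup(table, dest_ip):
    """Longest prefix match: of the installed routes whose range contains
    dest_ip, return the list (one, or equal-cost several) with the longest
    prefix. The 0.0.0.0/0 default only wins when nothing else matches."""
    addr = ipaddress.ip_address(dest_ip)
    matches = [net for net in table if addr in net]
    if not matches:
        return []
    return table[max(matches, key=lambda net: net.prefixlen)]


def installed_sources(table, prefix):
    """Sources of the route(s) installed for one exact destination prefix."""
    return [r.source for r in table.get(ipaddress.ip_network(prefix), [])]


CANDIDATES = [
    Route("192.168.10.0/27", "EIGRP", 3072, "10.0.0.1"),
    Route("192.168.10.0/27", "OSPF", 3, "10.0.0.2"),
    Route("192.168.10.0/27", "static", 0, "10.0.0.3"),   # AD 1 wins this destination
    Route("192.168.10.0/27", "eBGP", 0, "10.0.0.4"),
    Route("192.168.10.0/26", "static", 0, "10.0.0.5"),   # different prefix length
    Route("192.168.10.0/24", "EIGRP", 3072, "10.0.0.6"), # two equal-metric EIGRP paths
    Route("192.168.10.0/24", "EIGRP", 3072, "10.0.0.7"),
    Route("192.168.10.0/24", "EIGRP", 5120, "10.0.0.8"), # worse metric, not installed
    Route("0.0.0.0/0", "static", 0, "10.0.0.254"),       # gateway of last resort
]

if __name__ == "__main__":
    table = install(CANDIDATES)
    for net, routes in table.items():
        print(net, [(r.source, r.metric, r.next_hop) for r in routes])
    for ip in ("192.168.10.5", "192.168.10.40", "192.168.10.100", "8.8.8.8"):
        print(ip, "->", [(r.prefix, r.next_hop) for r in lookup(table, ip)])
```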
Domain
IP Connectivity

Question 89
What are two components of a Virtual Machine (VM)? (select two)
hypervisor
firewall
Correct selection
operating system
Correct selection
application
processor
General explanation
The primary components of a virtualized solution include the hypervisor,
virtual machine (VM) and server hardware. The number of virtual
machines (VM) that can be supported on a single server is based on
memory, CPU, interface bandwidth, and hard disk space.
The server hardware at data centers is often not 100% utilized. The advent
of server virtualization has consolidated applications onto fewer physical
servers. It is cost effective and optimizes available hardware. The virtual
machine (VM) is a separate logical machine with its own operating system
and application. Requests for server hardware are made to the hypervisor.
Each virtual machine is assigned a percentage of CPU, memory, disk
space, and interface bandwidth based on system requirements.
The Cisco network virtualization model includes tenant segmentation,
security policies and virtual machines. Tenant traffic is segmented with
various techniques for path isolation. Network access is managed with
security policies and virtual network services based on virtual machines
(VM).
Primary services of the virtualization model:
• Network access control
• Tenant segmentation
• Virtual machines (VM)
The primary characteristics of cloud computing architecture:
• Resource pooling
• Elastic capacity
• Metered billing
• Multi-tenancy
• Anywhere access
Domain
Network Fundamentals

Question 90
What IOS command will configure local username admin with privileged
EXEC mode authorization and password cisconet?
username admin privilege 15 password 7 cisconet
username admin privilege level 16 password cisconet
Correct answer
username admin privilege 15 password cisconet
username admin privilege level 15 cisconet

General explanation
User identity requires that you create accounts with username and
password credentials. There is no user authentication provided with an
enable password. Anyone with knowledge of that password is granted full
access unless a privilege level is specified. Cisco local authentication
allows network administrators to create local accounts on the network
device.
It is a local security database with user accounts that are comprised of
username/password credentials. Each account can be assigned a unique
security level authorization as well, based on roles. The following global
command creates a new local account on a Cisco device. It is comprised of
username admin, password cisconet and privileged EXEC mode security
authorization access.
username admin privilege 15 password cisconet
The security authorization level 15 configured is privileged EXEC mode. It
is the highest user authorization with access to all commands. The
following IOS global command creates a local authentication account with
username cisconet and password cisco. The user authorization level 1
configured is user EXEC mode. That is the lowest authorization with access
to only user mode prompt commands. You can however start a Telnet
session with only privilege level 1.
username cisconet privilege 1 password cisco
It is a common practice to copy/paste encrypted passwords between
similar network devices. The following IOS global command creates a new
local account on a Cisco device and assigns username admin and privilege
level 15, including the encrypted password generated by the previous
command. The password 7 keyword designates that you are copying a
hidden (encrypted) password instead of entering a new password. The
encrypted password is copy/pasted from the configuration script of
another device.

Domain
Security Fundamentals

Question 91
What IOS command is used to verify NTP operations and stratum level?
Correct answer
router#show ntp status
router#show associations ntp
router#show ntp detail
router#show ntp server
router#show ntp neighbors
General explanation
DNS name servers were explained as an addressing service that resolves
(learns) an IP address from a known hostname. There are time servers as
well that synchronize clocks on all Cisco network devices. The architecture
is based on a centralized public time source that synchronizes the clocks
of client network devices.
The network service is enabled with Network Time Protocol (NTP) that is
supported on Cisco IOS. The primary purpose of NTP is to synchronize
clocks within a private administrative domain for system messages and
time stamps. It is important to accurately record when an event occurred
for reporting, auditing and troubleshooting purposes. It extends to
applications such as video surveillance, security logs and financial
transactions. The following command displays NTP operational status such
as server synchronization and stratum level for a Cisco device.
router#show ntp status
The idea of an accurate, centralized time source is foundational to time
services architecture. Time synchronization is based on Coordinated
Universal Time (UTC) for time services globally. The time zone is
configured as an offset from UTC. For example, Pacific Standard Time
(PST) is represented as UTC -08:00 (eight hours behind UTC).
Stratum Levels
NTP is based on a hierarchy of public and/or private time servers that start
from a top-level authoritative time source. The authoritative time source is
typically an atomic clock on the internet. The public NTP time servers are
connected directly to an atomic clock (stratum 0) and are designated as
stratum 1 servers. NTP stratum describes how many hops a device is from
the authoritative time source. Higher level stratum devices receive
updates from same (peer) or lower stratum devices.
For example, an internet router with a public interface configured to
synchronize with a public NTP time server is stratum 2. The internet router
is a client that points to the NTP public time server IP address with ntp
server command. The internal clock on that router is updated at regular
polling intervals. Any downstream client that is receiving updates from the
internet router is assigned stratum 3. The same ntp server command is
configured on client that points to the upstream internet router.
Domain
IP Services

Question 92
What IOS command is required to negotiate a channel group for LACP?
channel group 10 desirable mode
Correct answer
channel-group 10 mode active
channel group 10 mode on
channel-group 10 mode desirable
channel-group 10 mode auto
General explanation
EtherChannel bundles multiple physical switch links between switches into
a single logical port channel interface. It is referred to as a Link
Aggregation Group (LAG). The advantages of EtherChannel include
redundancy and higher bandwidth between switches. For example,
bundling 8 Gigabit ports creates a logical 8 Gbps port channel interface.
Cisco switches support assigning a maximum of 8 switch ports to a single
EtherChannel bundle.
LACP is an open standard that enables dynamic negotiation of an
EtherChannel between Cisco switches. There is support for connecting
multivendor equipment as well. LACP modes include active and
passive. LACP allows up to 16 switch ports to be configured; however,
only 8 ports can be active. The additional switch ports are standby
and become operational only when a primary port fails. Traffic is
forwarded across all available links.
The network topology drawing is an EtherChannel configured based on
LACP. The network administrator can select either access mode or trunk
mode for individual switch ports. All switch port settings assigned to a port
channel must match to prevent the err-disabled state. The switch port
settings must match on all port channel members of both switches.
EtherChannel Switch Port Settings
• Speed
• Duplex
• Switchport mode (access/trunk)
• Protocol (LACP/PAgP)
• LACP mode (active/passive)
LACP is enabled on both switches with the channel-group command.
Switch-1 sends LACP negotiation frames with active mode enabled. The
neighbor switch is configured either to listen for LACP frames with passive
mode or to use active mode as well. EtherChannel is configured with
trunking when there are multiple VLANs, and switchport nonegotiate turns
DTP frames off. The port channel 10 interface is automatically created
when configuring the physical switch ports.
interface gigabitethernet1/1
switchport mode trunk
switchport nonegotiate
channel-group 10 mode active
Domain
Network Access

Question 93
What are two advantages of automation? (select two)
point-in-time configuration
silo approach
Correct selection
centralized management
distributed management
Correct selection
test and deploy
General explanation
The advent of network programmability and automation tools is radically
changing how network infrastructure is managed. In fact, manufacturing
automation is an industrial example that caused production efficiency to
multiply. Compared with traditional networking, automation has
astonishing advantages that are transforming the management of wired,
wireless and virtualized network infrastructure. Network automation
lowers operational costs, enables deployment agility, and enables unified
policies.
Previously, traditional networking was based on a silo view where each
network device was statically managed separately. Much more is
accomplished, in less time and at a lower cost, while minimizing network
outages. Having a centralized, real-time network view is fundamental to
automation. Create unified policies for device configuration, security,
wireless and systems management. The following list of management
tasks is common to network automation.

Domain
Automation and Programmability

Question 94
What security solution prevents connecting any unauthorized network
device hardware to the corporate network?
PortFast
VLAN access control list (VACL)
MACsec
Correct answer
port security
access control list (ACL)
General explanation
The purpose of port security is to prevent any unauthorized endpoint
from accessing the corporate network. For example, plugging an
unauthorized laptop from home or a switch into the Ethernet jack at work
could affect network operations. A switch port enabled with port security
would deny access based on the unknown MAC address.
It is a Layer 2 security feature configured on network access switches.
Cisco switches support sticky, static or dynamic port security modes.
Switch ports configured with port security will only accept frames from
addresses that have been dynamically learned or manually configured.
Note that the port security feature cannot be enabled on trunk interfaces
or EtherChannel port interfaces.
Domain
Security Fundamentals

Question 95
How are DHCP requests forwarded from clients when the DHCP server is
on a different subnet?
Correct answer
ip helper-address
dhcp option 150
dhcp option 43
proxy arp
dhcp default-server
General explanation
It is common practice to centralize network addressing services where
possible. That applies to DHCP and DNS, where there are often
multiple redundant servers. They respond to client requests from across
the enterprise. The advantages of centralized management are fewer
addressing errors and ease of deployment. DHCP servers are often not
located on the same subnet (or VLAN) as a client.
DHCP relay is a feature configured on either a Layer 3 switch or router. It
forwards DHCP requests from clients to a DHCP server located on a
different subnet than the client. It is actually an IOS command configured
on a network interface that points to the IP address of a DHCP server.
All DHCP requests from client hosts are then forwarded to the DHCP
server. A DHCP relay agent is not required when a DHCP server is on the
same subnet as the client. There is the option of enabling DHCP relay on a
physical interface or logical interface.
The ip helper-address is configured on the router interface that is the
default gateway for clients. The following IOS commands are an example
of DHCP relay on a router interface. The default gateway for clients is
router-1 interface Gi1/0 and the DHCP server is [Link], where requests
are sent.
interface gigabitethernet1/0
ip helper-address [Link]
Domain
IP Connectivity

Question 96
Refer to the network drawing where host-1 is sending a packet to server-1.
What is the source and destination MAC address at P1, and what is the
source and destination IP address at P2?
P1: source MAC address = [Link]
P1: destination MAC address = [Link]
P2: source IP address = [Link]
P2: destination IP address = [Link]
P1: source MAC address = [Link]
P1: destination MAC address = [Link]
P2: source IP address = [Link]
P2: destination IP address = [Link]
Correct answer
P1: source MAC address = [Link]
P1: destination MAC address = [Link]
P2: source IP address = [Link]
P2: destination IP address = [Link]
P1: source MAC address = [Link]
P1: destination MAC address = 0000.1234.5678
P2: source IP address = [Link]
P2: destination IP address = [Link]
General explanation
The source and destination MAC addresses are rewritten at each router hop;
a switch only examines (and never rewrites) the source and destination MAC
addresses. At P1 the data messages sent to server-1 carry the source MAC
address of the host-1 network interface ([Link]). The destination MAC
address at P1 is that of router-1 interface Gi0/1 ([Link]), host-1's
default gateway, because server-1 is on a different subnet.
The source and destination IP addresses do not change as the packets
traverse the network from host-1 to server-1.
The source IP address at P2 is [Link] (host-1) and the destination IP
address is [Link] (server-1).
P1: source MAC address = [Link]
P1: destination MAC address = [Link]
P2: source IP address = [Link] (host-1)
P2: destination IP address = [Link] (server-1)
Domain
IP Connectivity

Question 97
Refer to the network topology drawing. What route configured on router-1
will forward all traffic destined for the internet to router-2?
ip route [Link] [Link] [Link]
Correct answer
ip route [Link] [Link] [Link]
ip route 0/[Link] [Link]
ip route [Link] [Link] S1/0
ip route [Link] [Link] S0/0
General explanation
The default route on router-1 forwards all traffic with an unknown
destination to the next hop IP address [Link] of router-2. It is used only
when no more specific route in the routing table matches the destination,
which is why it is typically the gateway of last resort on a router. There
are somewhat different syntax options for a default route.
ip route [Link] [Link] [Link]
or
ip route [Link]/0 [Link]
(the prefix/length form is NX-OS syntax; classic IOS accepts only the
dotted-decimal prefix and mask form shown first)
or
The local exit interface to a directly connected neighbor can be used
instead of the next hop IP address. That is appropriate on a point-to-point
serial link; on a multi-access interface such as Ethernet an interface-only
static route makes the router ARP for every destination and depend on proxy
ARP, so specify the next hop address there.
ip route [Link] [Link] Se0/0
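The following is an added example, not part of the practice test, that models both Question 96 (MAC addresses are rewritten at every router hop while the IP addresses are carried unchanged) and Question 97 (a 0.0.0.0/0 default route is a longest-prefix-match entry that wins only when nothing more specific matches). The topology, interface names, MAC and IP addresses are all constructed for illustration: host-1 10.1.1.10 sits behind router-1 Gi0/1 (10.1.1.1), server-1 10.2.2.20 behind router-1 Gi0/2 (10.2.2.1), and router-2 (192.0.2.2) is reached through Gi0/0 (192.0.2.1) via a static default route; P1 is the host-1 segment, P2 the server-1 segment.

```python
"""Hop-by-hop forwarding: per-hop MAC rewrite and longest-prefix-match routing.

Added example, not part of the practice test. All addresses, interface
names and the topology are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    ttl: int = 64


@dataclass(frozen=True)
class Interface:
    name: str
    ip: str
    mac: str
    network: ipaddress.IPv4Network


@dataclass
class Router:
    interfaces: list
    routes: list   # (prefix, next_hop); next_hop None = directly connected
    arp: dict      # IP -> MAC, as if ARP has already been resolved

    def lookup(self, dst_ip: str):
        """Longest-prefix match. 0.0.0.0/0 contains every address but has the
        shortest prefix, so it is chosen only when no other route matches."""
        dst = ipaddress.ip_address(dst_ip)
        best = None
        for prefix, next_hop in self.routes:
            if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
                best = (prefix, next_hop)
        if best is None:
            raise LookupError(f"no route to {dst_ip}")   # no default route configured
        return best

    def egress(self, ip: str) -> Interface:
        """Connected interface whose subnet contains the Layer 2 target."""
        for iface in self.interfaces:
            if ipaddress.ip_address(ip) in iface.network:
                return iface
        raise LookupError(f"{ip} is not on a connected network")

    def forward(self, pkt: Packet):
        """Route one packet: decrement TTL, pick the egress interface and rewrite
        both MAC addresses. src_ip and dst_ip are left untouched."""
        if pkt.ttl <= 1:
            raise ValueError("TTL expired in transit")
        _, next_hop = self.lookup(pkt.dst_ip)
        l2_target = pkt.dst_ip if next_hop is None else next_hop
        out = self.egress(l2_target)
        return out.name, replace(pkt, src_mac=out.mac, dst_mac=self.arp[l2_target], ttl=pkt.ttl - 1)


def host_send(src_ip, src_mac, network, gateway_ip, arp, dst_ip) -> Packet:
    """A host frames the packet to the destination's own MAC if it is on-link,
    otherwise to the default gateway's MAC."""
    on_link = ipaddress.ip_address(dst_ip) in ipaddress.ip_network(network)
    return Packet(src_mac, arp[dst_ip if on_link else gateway_ip], src_ip, dst_ip)


# Constructed router-1: three connected networks plus a static default route.
R1 = Router(
    interfaces=[
        Interface("Gi0/1", "10.1.1.1", "0000.0000.0a01", ipaddress.ip_network("10.1.1.0/24")),
        Interface("Gi0/2", "10.2.2.1", "0000.0000.0a02", ipaddress.ip_network("10.2.2.0/24")),
        Interface("Gi0/0", "192.0.2.1", "0000.0000.0c01", ipaddress.ip_network("192.0.2.0/30")),
    ],
    routes=[
        (ipaddress.ip_network("10.1.1.0/24"), None),        # C   10.1.1.0/24 via Gi0/1
        (ipaddress.ip_network("10.2.2.0/24"), None),        # C   10.2.2.0/24 via Gi0/2
        (ipaddress.ip_network("192.0.2.0/30"), None),       # C   192.0.2.0/30 via Gi0/0
        (ipaddress.ip_network("0.0.0.0/0"), "192.0.2.2"),   # S*  ip route 0.0.0.0 0.0.0.0 192.0.2.2
    ],
    arp={"10.2.2.20": "0000.5e00.5320", "192.0.2.2": "0000.0000.0c02"},
)


def trace(dst_ip: str):
    """Return (frame at P1, router-1 egress interface, frame at P2) for a packet
    sent by host-1 (constructed: 10.1.1.10, MAC 0000.5e00.1a10, gateway 10.1.1.1)."""
    p1 = host_send("10.1.1.10", "0000.5e00.1a10", "10.1.1.0/24", "10.1.1.1",
                   {"10.1.1.1": "0000.0000.0a01"}, dst_ip)
    out_if, p2 = R1.forward(p1)
    return p1, out_if, p2


if __name__ == "__main__":
    for dst in ("10.2.2.20", "203.0.113.9"):
        p1, out_if, p2 = trace(dst)
        print(f"{dst}: P1 {p1.src_mac}->{p1.dst_mac} | {out_if} | P2 {p2.src_mac}->{p2.dst_mac} "
              f"IP {p2.src_ip}->{p2.dst_ip} ttl {p2.ttl}")
```

Running trace("10.2.2.20") shows the P1 frame addressed to router-1's Gi0/1 MAC and the P2 frame from Gi0/2's MAC to server-1's MAC with identical IP addresses; trace("203.0.113.9") shows the same packet matching only the 0.0.0.0/0 entry and leaving Gi0/0 toward router-2.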
Domain
IP Connectivity

Question 98
What feature is NOT supported with FlexConnect mode centralized
switching?
Layer 2 roaming
Correct answer
Layer 3 roaming
local authentication
remote authentication
General explanation
The only feature listed that is not supported with FlexConnect centralized
(controller) switching mode is Layer 3 roaming. Feature support differs
between FlexConnect local switching and central switching and between
controller releases, so check the FlexConnect feature matrix for the
release in use before relying on a given combination.
Domain
Network Access

Question 99
What spanning tree bridge priority setting is NOT permitted on a Cisco
switch?
4096
28672
Correct answer
1
0
32768
General explanation
The default priority assigned to a Cisco switch is 32768. When all switch
priorities are equal, STP elects the switch with the lowest base MAC
address as root bridge (the base MAC address is the address assigned to
the chassis). The priority can be set manually so that a chosen switch
becomes root bridge: the switch with the lowest priority is elected. The
priority must be a multiple of 4096 between 0 and 61440, because with the
extended system ID (IEEE 802.1t, used by PVST+ and Rapid PVST+) only the
upper 4 bits of the 16-bit priority field are configurable; the lower 12
bits carry the VLAN ID. That is why show spanning-tree reports a per-VLAN
value such as 32769 for VLAN 1 (32768 + 1), and why a value such as 1 is
rejected.
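The following is an added example, not part of the practice test, that checks a bridge priority the way IOS does (multiples of 4096 from 0 to 61440), builds the 64-bit bridge ID with the extended system ID, and runs the root election over a set of switches. The switch names, MAC addresses and VLAN number are constructed.

```python
"""STP bridge priority validation and root bridge election.

Added example, not from the practice test. Switch names, MAC addresses and
the VLAN number are constructed. Layout follows the IEEE 802.1t extended
system ID used by PVST+/Rapid PVST+: in the 16-bit priority field the upper
4 bits are the configured priority and the lower 12 bits carry the VLAN ID.
"""

PRIORITY_STEP = 4096
PRIORITY_MAX = 61440          # 15 * 4096
DEFAULT_PRIORITY = 32768


def validate_priority(priority: int) -> bool:
    """True for the 16 values accepted by spanning-tree vlan <id> priority <n>."""
    return 0 <= priority <= PRIORITY_MAX and priority % PRIORITY_STEP == 0


def displayed_priority(priority: int, vlan: int) -> int:
    """The per-VLAN value show spanning-tree prints, e.g. 32769 for VLAN 1 at the
    default priority: configured priority in bits 12-15, VLAN ID in bits 0-11."""
    if not validate_priority(priority):
        raise ValueError(f"priority {priority} must be a multiple of {PRIORITY_STEP} in 0..{PRIORITY_MAX}")
    if not 1 <= vlan <= 4094:
        raise ValueError(f"invalid VLAN {vlan}")
    return priority | vlan


def bridge_id(priority: int, vlan: int, base_mac: str) -> int:
    """64-bit bridge ID: 16-bit priority field followed by the 48-bit base MAC."""
    mac = int(base_mac.replace(".", "").replace(":", ""), 16)
    if mac >= 1 << 48:
        raise ValueError(f"bad MAC address {base_mac}")
    return (displayed_priority(priority, vlan) << 48) | mac


def elect_root(switches: dict, vlan: int) -> str:
    """switches maps name -> (priority, base_mac); the lowest bridge ID is root.
    With equal priorities the lowest base MAC decides, which is why an old,
    low-MAC switch (or a rogue device advertising priority 0) becomes root
    unless priorities are set deliberately and root guard is applied."""
    return min(switches, key=lambda name: bridge_id(switches[name][0], vlan, switches[name][1]))


if __name__ == "__main__":
    # Constructed switches: all at the default priority, so the MAC decides.
    lan = {
        "SW-1": (DEFAULT_PRIORITY, "0011.2233.4455"),
        "SW-2": (DEFAULT_PRIORITY, "0011.2233.0001"),
        "SW-3": (DEFAULT_PRIORITY, "aaaa.bbbb.cccc"),
    }
    print("root with equal priorities:", elect_root(lan, 10))
    lan["SW-3"] = (4096, "aaaa.bbbb.cccc")      # spanning-tree vlan 10 priority 4096
    print("root after lowering SW-3:", elect_root(lan, 10))
    print("valid 1?", validate_priority(1), "valid 28672?", validate_priority(28672))
```

The election function also makes the security point explicit: any device on an unprotected access port that advertises a lower bridge ID (for example priority 0) takes over as root, so pair a deliberate priority plan with spanning-tree guard root on the ports facing the distribution layer and BPDU guard on user ports.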
Domain
Network Access

Question 100
What are three advantages of SDN compared with traditional network
architecture? (select three)
Correct selection
open standard
distributed control plane
proprietary standard
Correct selection
software-based control plane
Correct selection
centralized control plane
General explanation
Software Defined Networking (SDN) is an architecture that separates the
control plane from the data plane. The control plane of all network
devices is moved to an SDN controller, which abstracts the underlying
network infrastructure from the control software. The SDN controller is
responsible for building the forwarding tables and distributing them to
network devices via southbound interfaces. Control plane protocols include
OSPF, EIGRP, BGP, DTP, and STP, for example. The data plane is the
forwarding function in each network device, which routes or switches
traffic based on those tables. The SDN controller also configures network
devices via the management plane.
• SDN decouples the control and data plane
• Control plane is software-based and not a hardware module
• SDN controller is a centralized control plane with a policy engine
• Network transport (infrastructure) is abstracted from software

Domain
Automation and Programmability
