Cisco 350-401 Implementing Cisco Enterprise Network Core Technologies (ENCOR) Exam Dumps and Practice Test Questions Set 9 Q 161-180 


Question 161

A network engineer needs to configure OSPF to prevent routing loops in a hub-and-spoke topology. Which OSPF network type should be configured on the hub router?

A) Broadcast

B) Point-to-point

C) Point-to-multipoint

D) Non-broadcast

Answer: C

Explanation:

Hub-and-spoke topologies require careful OSPF configuration to prevent routing loops and ensure optimal path selection. Point-to-multipoint network type is ideal for hub-and-spoke designs because it treats the network as a collection of point-to-point links, prevents split-horizon issues, eliminates the need for designated router election, and naturally supports hub-and-spoke topology without additional configuration.

Point-to-multipoint network type creates host routes to all neighbors, establishing direct point-to-point adjacencies between hub and each spoke. This eliminates the problems associated with NBMA networks where spokes cannot communicate directly, preventing suboptimal routing through the hub.

Configuration benefits include automatic neighbor discovery on broadcast networks, no DR/BDR election reducing complexity, each spoke maintaining independent adjacency with hub, optimal routing without artificial next-hop manipulation, and simplified configuration compared to NBMA alternatives.

Topology advantages show spokes learning routes directly from hub, preventing spoke-to-spoke traffic from routing incorrectly, eliminating split-horizon issues common in other types, maintaining loop-free topology naturally, and supporting dynamic spoke additions without reconfiguration.

Implementation considerations require configuring same network type on all routers, understanding that point-to-multipoint uses multicast hellos on broadcast networks, recognizing increased routing table entries from host routes, planning for scalability with many spokes, and testing failover scenarios.

Comparison with alternatives shows broadcast type requires full mesh connectivity, point-to-point inappropriate for multipoint networks, non-broadcast requires manual neighbor configuration, and point-to-multipoint provides best balance.

Best practices include using point-to-multipoint for hub-and-spoke DMVPN, configuring non-broadcast on Frame Relay, applying appropriate hello and dead timers, implementing authentication for security, and documenting network design decisions.

Why other options are incorrect:

A) Broadcast network type assumes full mesh connectivity, requires DR/BDR election, creates split-horizon issues in hub-and-spoke, causes suboptimal routing, and isn’t appropriate for partial mesh topologies.

B) Point-to-point type is for connections between exactly two routers, doesn’t support multiple neighbors on single interface, inappropriate for hub-and-spoke multipoint networks, and would require multiple subinterfaces.

D) Non-broadcast requires manual neighbor configuration, adds administrative overhead, requires DR/BDR election, still has NBMA limitations, and point-to-multipoint non-broadcast variation is better choice if needed.

Question 162

An engineer must configure HSRP to provide gateway redundancy. Which virtual MAC address format does HSRP version 2 use?

A) 0C07.ACxx

B) 5E00.01xx

C) 0C9F.Fxxx

D) B400.xxyy

Answer: C

Explanation:

Understanding FHRP (First Hop Redundancy Protocol) MAC address formats is essential for troubleshooting and design. HSRP version 2 uses 0000.0C9F.Fxxx as its virtual MAC address format, where xxx represents the HSRP group number in hexadecimal, enabling support for group numbers 0-4095, providing unique identification, and differentiating from HSRPv1.

HSRP version 2 introduced expanded group number range, new MAC address format to avoid conflicts, improved timers with millisecond precision, IPv6 support, and better scalability for large deployments.

MAC address structure shows vendor ID 0000.0C (Cisco OUI), HSRP v2 identifier 9F, group identifier F, followed by three hex digits for group number, enabling 4096 possible groups compared to HSRPv1’s 256 groups.

Version differences include HSRPv1 supporting groups 0-255, HSRPv2 supporting groups 0-4095, different multicast addresses (v1 uses 224.0.0.2, v2 uses 224.0.0.102), improved authentication options, and backward compatibility considerations.

Implementation considerations require matching HSRP versions on all group members, understanding that versions are not interoperable, configuring appropriate group numbers within version limits, verifying MAC address assignment, and documenting version selection rationale.

Troubleshooting scenarios involve verifying correct MAC address format, checking for MAC address conflicts, confirming consistent version configuration, validating group number ranges, and using show standby commands for verification.

Common issues include version mismatch between routers, exceeding group number limits, MAC address conflicts with other protocols, incorrect multicast group configuration, and authentication failures.

Best practices recommend using HSRPv2 for new deployments, maintaining consistent versions across infrastructure, documenting group assignments, implementing authentication, monitoring HSRP state changes, and planning for scalability.

Why other options are incorrect:

A) 0000.0C07.ACxx is HSRP version 1 MAC address format, supports only 256 groups (0-255), uses different range identifier, and isn’t compatible with HSRPv2 requirements.

B) 0000.5E00.01xx is VRRP (Virtual Router Redundancy Protocol) MAC address format, different FHRP protocol, uses IANA-assigned range, not Cisco proprietary, and completely different protocol.

D) 0007.B400.xxyy is GLBP (Gateway Load Balancing Protocol) MAC address format, supports different redundancy model, provides load balancing capability, and represents different Cisco FHRP implementation.
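The MAC formats quoted above are the whole basis for the "verify the virtual MAC" and "check for MAC address conflicts" troubleshooting steps, so here is an added example (not from the exam dump) that builds a virtual MAC from a protocol and group number, classifies a MAC seen in an ARP or MAC table, and flags FHRP MACs that no configured group explains. The observed MACs and the configured-group set are constructed sample data.

```python
import re

# Virtual-MAC formats as given in the explanation above: fixed prefix (hex
# digits) followed by the group number, zero-padded, in hexadecimal.
FHRP_FORMATS = {
    "HSRPv1": ("00000C07AC", 2),   # 0000.0C07.ACxx  -> groups 0-255
    "HSRPv2": ("00000C9FF", 3),    # 0000.0C9F.Fxxx  -> groups 0-4095
    "VRRP":   ("00005E0001", 2),   # 0000.5E00.01xx  -> VRID in last octet
}
GLBP_PREFIX = "0007B400"           # 0007.B400.xxyy  -> group xx, forwarder yy


def normalize_mac(mac):
    """Accept aaaa.bbbb.cccc, aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff; return 12 hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits.upper()


def cisco_dotted(hexdigits):
    """Render 12 hex digits in the xxxx.xxxx.xxxx form that 'show standby' prints."""
    return ".".join(hexdigits[i:i + 4] for i in range(0, 12, 4)).lower()


def virtual_mac(protocol, group):
    """Virtual MAC that an HSRPv1, HSRPv2 or VRRP group answers ARP with."""
    prefix, width = FHRP_FORMATS[protocol]
    max_group = 16 ** width - 1
    if not 0 <= group <= max_group:
        raise ValueError(f"{protocol} group must be 0-{max_group}, got {group}")
    return cisco_dotted(prefix + f"{group:0{width}X}")


def classify_mac(mac):
    """Return (protocol, group) if the MAC is an FHRP virtual MAC, else (None, None)."""
    digits = normalize_mac(mac)
    for protocol, (prefix, width) in FHRP_FORMATS.items():
        if digits.startswith(prefix):
            return protocol, int(digits[len(prefix):], 16)
    if digits.startswith(GLBP_PREFIX):
        return "GLBP", int(digits[8:10], 16)   # the xx octet is the group number
    return None, None


def audit_gateway_macs(observed, configured):
    """Flag FHRP virtual MACs seen on the wire that no configured group explains.

    observed:   MAC strings collected from ARP/MAC tables (constructed here).
    configured: set of (protocol, group) tuples that are actually deployed.
    Returns [(mac, protocol, group), ...] for the unexpected ones, which is the
    check behind "checking for MAC address conflicts" in the explanation.
    """
    unexpected = []
    for mac in observed:
        protocol, group = classify_mac(mac)
        if protocol is not None and (protocol, group) not in configured:
            unexpected.append((cisco_dotted(normalize_mac(mac)), protocol, group))
    return unexpected


if __name__ == "__main__":
    print(virtual_mac("HSRPv2", 1))            # 0000.0c9f.f001
    print(classify_mac("00:00:0c:07:ac:0a"))   # ('HSRPv1', 10)
```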

Question 163

A network administrator must configure port security to allow only specific MAC addresses. Which violation mode allows traffic from allowed addresses but drops frames from unauthorized addresses without shutting down the port?

A) Shutdown

B) Restrict

C) Protect

D) Monitor

Answer: B

Explanation:

Port security violation modes determine switch behavior when unauthorized MAC addresses are detected. Restrict mode provides balanced security by dropping frames from unauthorized MAC addresses, incrementing violation counters, generating SNMP traps and syslog messages, allowing traffic from authorized addresses to continue, keeping the port operational, and providing administrative visibility into security violations.

Restrict mode offers middle-ground security between protective shutdown and silent protect mode, maintaining network connectivity while enforcing security policy and alerting administrators to potential security issues.

Mode behaviors show restrict dropping unauthorized frames, incrementing violation counter, generating security violation notifications, maintaining port in operational state, continuing to forward authorized traffic, and providing administrative feedback.

Security considerations include restrict providing visibility into attacks, enabling response without service disruption, allowing legitimate traffic continuation, supporting gradual security hardening, and balancing security with availability.

Comparison with modes shows shutdown disabling port requiring manual recovery, protect silently dropping violations without alerts, restrict providing notifications with continued operation, and each mode serving different security requirements.

Implementation approach involves configuring port security with switchport port-security command, setting maximum MAC addresses, specifying allowed MAC addresses, configuring violation mode to restrict, and monitoring violation counters.

Monitoring requirements include regularly checking violation counters, reviewing syslog messages, investigating violation patterns, validating authorized MAC addresses, and responding to security incidents appropriately.

Use cases include environments requiring security visibility, networks needing operational continuity, situations where an immediate port shutdown is too disruptive, gradual security policy enforcement, and monitoring security compliance.

Best practices recommend using restrict mode for production environments, implementing SNMP monitoring, configuring appropriate alert thresholds, documenting authorized MAC addresses, regularly auditing port security, and training staff on violation responses.

Why other options are incorrect:

A) Shutdown mode disables the port completely on violation, requires manual administrative intervention, causes service disruption, and is too severe for many environments, though it provides the strongest security response.

C) Protect mode silently drops unauthorized frames, doesn’t increment counters, generates no alerts, provides no administrative visibility, and prevents security monitoring.

D) Monitor is not a valid port security violation mode. Only shutdown, restrict, and protect are available violation mode options in Cisco switches.
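To make the three-way comparison above concrete, this added example (not from the exam dump) models one access port with port security and runs the same frame sequence through shutdown, restrict and protect mode, reporting what each mode forwards, drops, counts and alerts on. The MAC addresses and alert text are constructed; the model simplifies the switch (no sticky learning, no aging, no err-disable recovery timer).

```python
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    """One access port with port security enabled (simplified model)."""
    maximum: int = 1                      # switchport port-security maximum N
    violation: str = "shutdown"           # shutdown (default) | restrict | protect
    static_macs: set = field(default_factory=set)   # mac-address <mac> entries
    learned: set = field(default_factory=set)       # dynamically learned secure MACs
    violation_count: int = 0              # the SecurityViolation counter
    err_disabled: bool = False            # port state after a shutdown-mode violation
    alerts: list = field(default_factory=list)      # syslog/SNMP trap events (constructed text)

    def __post_init__(self):
        if self.violation not in ("shutdown", "restrict", "protect"):
            raise ValueError(f"invalid violation mode: {self.violation!r}")
        if len(self.static_macs) > self.maximum:
            raise ValueError("more static secure MACs than the configured maximum")

    def secure_macs(self):
        return self.static_macs | self.learned

    def ingress(self, src_mac):
        """Process one received frame; return 'forward' or 'drop'."""
        src_mac = src_mac.lower()
        if self.err_disabled:
            return "drop"                             # port is down until recovered
        if src_mac in self.secure_macs():
            return "forward"
        if len(self.secure_macs()) < self.maximum:
            self.learned.add(src_mac)                 # room left: learn it as secure
            return "forward"
        return self._handle_violation(src_mac)

    def _handle_violation(self, src_mac):
        if self.violation == "protect":
            return "drop"                             # silent: no counter, no alert
        self.violation_count += 1
        self.alerts.append(f"security violation by {src_mac} (syslog + SNMP trap)")
        if self.violation == "shutdown":
            self.err_disabled = True
            self.alerts.append("port placed in err-disabled state")
        return "drop"


def simulate(mode, frames, maximum=1, static_macs=()):
    """Run a frame sequence through a port in the given mode and summarise the outcome."""
    port = SecurePort(maximum=maximum, violation=mode,
                      static_macs={m.lower() for m in static_macs})
    results = [port.ingress(src) for src in frames]
    return {
        "forwarded": results.count("forward"),
        "dropped": results.count("drop"),
        "violations": port.violation_count,
        "alerts": len(port.alerts),
        "err_disabled": port.err_disabled,
    }


# Constructed sample: one authorised host and one unauthorised device, interleaved.
SAMPLE_FRAMES = ["0011.2233.4455", "dead.beef.0001", "0011.2233.4455",
                 "dead.beef.0001", "0011.2233.4455"]


def compare_modes(frames=SAMPLE_FRAMES, static_macs=("0011.2233.4455",)):
    """Same traffic through all three modes side by side."""
    return {mode: simulate(mode, frames, maximum=1, static_macs=static_macs)
            for mode in ("shutdown", "restrict", "protect")}


if __name__ == "__main__":
    for mode, summary in compare_modes().items():
        print(f"{mode:9s} {summary}")
```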

Question 164

An engineer needs to configure VTP to prevent propagation of VLAN changes from a new switch. Which VTP mode should be configured?

A) Server mode

B) Client mode

C) Transparent mode

D) Off mode

Answer: C

Explanation:

VTP (VLAN Trunking Protocol) modes control VLAN database synchronization behavior. Transparent mode prevents the switch from participating in VTP domain synchronization, allows local VLAN configuration changes, forwards VTP advertisements without processing, prevents receiving VLAN updates from domain, protects local VLAN database, and provides isolation from VTP domain changes.

Transparent mode is essential for switches requiring independent VLAN management while still forwarding VTP advertisements to maintain domain connectivity for other switches.

Mode characteristics include maintaining local VLAN database independent from domain, forwarding VTP advertisements without modification, not synchronizing with domain configuration, allowing local VLAN creation and deletion, ignoring VTP configuration revision numbers, and protecting against accidental VLAN deletion.

Security benefits show transparent mode preventing rogue switches from affecting VLAN database, isolating critical switches from domain changes, protecting against configuration revision number attacks, maintaining stable VLAN configuration, and reducing VTP-related outages.

Implementation scenarios include connecting new switches to network, integrating switches from different organizations, maintaining independent VLAN management, protecting critical infrastructure switches, and preventing VTP domain pollution.

Configuration considerations require understanding VTP domain still visible, advertisements still forwarded through switch, local VLANs not advertised to domain, extended-range VLANs supported (1006-4094), and configuration stored in running-config not vlan.dat.

VTP version considerations show VTP version 3 providing enhanced features, supporting transparent mode improvements, enabling extended VLAN range, providing better security, and maintaining backward compatibility.

Best practices recommend using VTP transparent or off mode for most deployments, avoiding VTP in modern networks when possible, implementing manual VLAN management, documenting VLAN standards, and considering automation alternatives.

Why other options are incorrect:

A) Server mode allows creating, modifying, and deleting VLANs, synchronizes changes throughout domain, can affect entire VTP domain, propagates configuration to other switches, and creates risk of unintended changes.

B) Client mode receives VLAN updates from servers, cannot create or modify VLANs locally, synchronizes with domain configuration, vulnerable to VTP attacks, and doesn’t provide isolation needed.

D) Off mode disables VTP completely, doesn’t forward VTP advertisements, creates VTP domain discontinuity, may break VTP operation for downstream switches, though provides complete isolation.

Question 165

A company needs to implement QoS to prioritize voice traffic. Which DSCP value is recommended for voice bearer traffic?

A) CS5 (40)

B) AF41 (34)

C) EF (46)

D) CS3 (24)

Answer: C

Explanation:

Quality of Service requires proper traffic classification and marking. EF (Expedited Forwarding) with DSCP value 46 is the industry standard for voice bearer traffic, provides low latency and low jitter, ensures priority queuing treatment, aligns with RFC 3246 recommendations, guarantees consistent voice quality, and represents best practice for VoIP implementations.

EF PHB (Per-Hop Behavior) provides premium service with guaranteed bandwidth, strict priority queuing, minimal delay and jitter, and dedicated queue treatment essential for real-time voice communications.

Voice traffic requirements include latency under 150ms for acceptable quality, jitter under 30ms for consistent experience, packet loss under 1% to prevent audio degradation, dedicated bandwidth for active calls, and priority treatment through network.

DSCP marking strategy shows voice bearer traffic using EF (46), voice signaling using CS3 (24), video conferencing using AF41 (34), critical data using AF31 (26), and best effort using default (0).

QoS implementation requires classification at network edge, marking with appropriate DSCP values, queuing with priority mechanisms, bandwidth allocation per traffic class, and congestion management throughout path.

Voice traffic characteristics include small packet sizes (typically 60-200 bytes), constant bit rate during conversations, bidirectional traffic flows, sensitivity to delay and jitter, and requiring consistent treatment.

Deployment considerations involve provisioning adequate bandwidth, implementing CAC (Call Admission Control), configuring LLQ (Low Latency Queuing), monitoring voice quality metrics, and validating end-to-end QoS.

Best practices recommend marking voice bearer at EF, separating signaling and media traffic, implementing trust boundaries, policing at network edge, monitoring QoS effectiveness, and documenting QoS policies.

Why other options are incorrect:

A) CS5 (40) is typically used for video conferencing, provides high priority but not as critical as EF, doesn’t match voice bearer standards, and isn’t optimal for voice traffic.

B) AF41 (34) is used for video traffic, provides assured forwarding with drop precedence, insufficient priority for voice, doesn’t guarantee low latency, and inappropriate for real-time voice.

D) CS3 (24) is used for voice signaling (SIP, H.323), appropriate for call setup, not for bearer traffic, lower priority than needed, and doesn’t provide voice quality guarantees.

Question 166

An engineer must configure BGP to prefer a specific path for outbound traffic. Which BGP attribute should be modified to influence outbound path selection?

A) AS-PATH

B) LOCAL_PREF

C) MED

D) WEIGHT

Answer: D

Explanation:

BGP path selection for outbound traffic requires manipulating attributes locally. WEIGHT is the most effective attribute for controlling outbound path selection because it has highest precedence in BGP decision process, is Cisco proprietary and locally significant, applies only to the local router, doesn’t propagate to other routers, provides granular control per route, and represents first criterion in BGP best path algorithm.

Weight ranges from 0 to 65,535 with higher values preferred, set locally on received routes, takes precedence over all other BGP attributes, and provides immediate local path selection control.

BGP path selection order follows weight (highest), local preference, locally originated routes, AS-PATH length (shortest), origin type, MED (lowest), eBGP over iBGP, lowest IGP metric, oldest eBGP path, and lowest router ID.

Weight manipulation involves setting per-neighbor using neighbor weight command, per-route using route-map, default weight 0 for learned routes, 32768 for locally originated, and immediate effect on outbound path selection.

Use cases include preferring specific ISP for outbound traffic, load balancing across multiple connections, implementing primary/backup scenarios, optimizing traffic paths, and controlling outbound traffic engineering.

Implementation approach requires identifying desired outbound paths, configuring weight values appropriately, higher weight on preferred paths, verifying BGP table shows correct best path, and monitoring traffic patterns.

Alternative attributes show LOCAL_PREF affects iBGP domain-wide, AS-PATH prepending affects inbound from others, MED suggests to neighbors, and WEIGHT provides local-only control.

Best practices recommend using weight for local outbound control, documenting weight values and rationale, maintaining consistent policy, combining with other attributes for comprehensive TE, and monitoring path selection.

Why other options are incorrect:

A) AS-PATH affects inbound path selection from other AS, manipulated by prepending, propagates throughout BGP, influences how others reach you, not optimal for controlling your outbound traffic.

B) LOCAL_PREF influences outbound within AS, affects all routers in iBGP domain, doesn’t provide per-router control, lower precedence than weight, though useful for AS-wide policy.

C) MED suggests inbound path preference to neighboring AS, affects how others send traffic to you, not for controlling your outbound, and lowest precedence among commonly used attributes.
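The decision order listed in the explanation is easy to recite and easy to get wrong in practice, so here is an added example (not from the exam dump) that implements it as a sort key over a constructed BGP table and names the step that decided the outcome; applying and removing a weight shows why WEIGHT wins over LOCAL_PREF for the question above. The prefix, neighbors and AS numbers are constructed sample data, and MED is compared across all paths (as with `bgp always-compare-med`) to keep the model short.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class BgpPath:
    prefix: str
    next_hop: str
    weight: int = 0              # Cisco-local: 0 for learned, 32768 for locally originated
    local_pref: int = 100        # default LOCAL_PREF on IOS
    locally_originated: bool = False
    as_path: tuple = ()
    origin: str = "i"            # 'i' (IGP) preferred over 'e' (EGP) over '?' (incomplete)
    med: int = 0
    ebgp: bool = True            # False for a path learned from an iBGP peer
    igp_metric: int = 0          # IGP cost to reach next_hop
    age_seconds: int = 0         # how long the path has been known (older wins)
    router_id: str = "0.0.0.0"   # advertising router's BGP RID (lowest wins)


ORIGIN_RANK = {"i": 0, "e": 1, "?": 2}
DECISION_STEPS = ["weight", "local_pref", "locally_originated", "as_path_length",
                  "origin", "med", "ebgp_over_ibgp", "igp_metric", "oldest_path",
                  "router_id"]


def _ip_key(ip):
    return tuple(int(octet) for octet in ip.split("."))


def preference_key(p):
    """Sort key for the decision order in the explanation: smaller is better.

    Simplifications: MED is compared across all paths regardless of neighbor AS,
    and AS_SET / confederation AS-path counting rules are ignored.
    """
    return (
        -p.weight,
        -p.local_pref,
        0 if p.locally_originated else 1,
        len(p.as_path),
        ORIGIN_RANK[p.origin],
        p.med,
        0 if p.ebgp else 1,
        p.igp_metric,
        -p.age_seconds,
        _ip_key(p.router_id),
    )


def best_path(paths):
    """Return the path the router would install as best."""
    return min(paths, key=preference_key)


def deciding_step(paths):
    """Name the first decision step that separates the best path from the runner-up."""
    ranked = sorted(paths, key=preference_key)
    if len(ranked) < 2:
        return "only_path"
    for step, a, b in zip(DECISION_STEPS, preference_key(ranked[0]), preference_key(ranked[1])):
        if a != b:
            return step
    return "tie"


def set_weight(paths, next_hop, weight):
    """Return a copy of the table with 'neighbor <next_hop> weight <weight>' applied."""
    return [replace(p, weight=weight) if p.next_hop == next_hop else p for p in paths]


def sample_paths():
    """Constructed table: one prefix learned from two ISPs and one iBGP peer."""
    return [
        BgpPath("203.0.113.0/24", "192.0.2.1", as_path=(65001, 65010),
                router_id="192.0.2.1"),
        BgpPath("203.0.113.0/24", "198.51.100.1", weight=200,
                as_path=(65002, 65005, 65010), router_id="198.51.100.1"),
        BgpPath("203.0.113.0/24", "10.0.0.2", local_pref=150, ebgp=False,
                as_path=(65001, 65010), igp_metric=20, router_id="10.0.0.2"),
    ]


if __name__ == "__main__":
    table = sample_paths()
    print(best_path(table).next_hop, "chosen by", deciding_step(table))
    table = set_weight(table, "198.51.100.1", 0)
    print(best_path(table).next_hop, "chosen by", deciding_step(table))
```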

Question 167

A network team needs to implement dynamic routing that supports VLSM and converges quickly. Which routing protocol characteristic is most important?

A) Distance vector with periodic updates

B) Link-state with triggered updates

C) Classful routing protocol

D) Hybrid with distance vector

Answer: B

Explanation:

Modern network requirements demand efficient routing protocols. Link-state with triggered updates provides optimal combination of features including VLSM support, rapid convergence through immediate update propagation, complete topology visibility, efficient bandwidth utilization, scalable design, and superior performance for enterprise networks.

Link-state protocols like OSPF and IS-IS maintain complete topology database, calculate best paths using SPF algorithm, send updates only when changes occur, converge quickly through triggered updates, and support classless addressing.

Link-state advantages include fast convergence from triggered updates, detailed topology awareness, support for VLSM and CIDR, hierarchical design capability, efficient use of bandwidth, and scalability for large networks.

Convergence mechanisms show link-state protocols detecting topology changes immediately, flooding LSAs through network, all routers updating topology database, running SPF calculation, updating routing table, and resuming forwarding quickly.

VLSM support enables efficient IP address allocation, supports variable subnet masks, allows address summarization, optimizes address space utilization, and provides routing table efficiency.

Protocol comparison shows OSPF providing link-state with area hierarchy, EIGRP using advanced distance vector with fast convergence, RIP limited by distance vector constraints, and BGP designed for inter-AS routing.

Convergence factors include hello/dead timer configuration, LSA propagation delay, SPF calculation time, routing table update speed, and FIB programming time.

Implementation considerations require proper area design for scalability, configuring appropriate timers, implementing summarization, monitoring protocol performance, and capacity planning.

Best practices recommend using link-state protocols for enterprise core, implementing hierarchical design, optimizing timers for convergence, monitoring adjacencies, and documenting network design.

Why other options are incorrect:

A) Distance vector with periodic updates converges slowly, sends full updates regularly, inefficient bandwidth use, susceptible to loops, and RIP doesn’t support VLSM in version 1.

C) Classful routing protocols don’t support VLSM, waste address space, limited to natural subnet boundaries, deprecated in modern networks, and insufficient for current requirements.

D) Hybrid with distance vector describes EIGRP, which has good convergence but link-state generally preferred, and “hybrid” term is somewhat marketing terminology.

Question 168

An administrator must configure a trunk port between two switches. Which protocol is the IEEE standard for trunk encapsulation?

A) ISL

B) 802.1Q

C) VTP

D) DTP

Answer: B

Explanation:

Trunk encapsulation standards ensure vendor interoperability. 802.1Q is the IEEE standard trunk encapsulation protocol, universally supported across vendors, uses VLAN tagging in Ethernet frames, maintains frame structure with additional tag, supports up to 4096 VLANs, enables native VLAN concept, and represents industry standard for VLAN trunking.

802.1Q inserts 4-byte tag into Ethernet frame after source MAC address, includes VLAN ID, priority bits, and CFI flag, maintains backward compatibility with untagged frames, and enables inter-switch VLAN communication.

Frame format shows 802.1Q adding tag with TPID (0x8100), TCI containing PCP (priority), DEI (drop eligible), and VID (VLAN ID), maintaining original frame with tag inserted, and recalculating FCS.

Native VLAN concept allows untagged frames on trunk for backward compatibility, defaults to VLAN 1, requires matching configuration on both ends, carries untagged traffic, and needs careful security consideration.

Configuration requirements include setting trunk encapsulation to dot1q, configuring allowed VLANs appropriately, matching native VLAN on both sides, verifying trunk operation, and documenting VLAN assignments.

Security considerations involve changing native VLAN from default, pruning unused VLANs, implementing VLAN access-lists, preventing VLAN hopping attacks, and monitoring trunk ports.

Compatibility advantages show 802.1Q working across all vendors, supporting multi-vendor environments, enabling standard-based design, providing maximum flexibility, and ensuring future compatibility.

Best practices recommend using 802.1Q for all trunks, changing native VLAN from 1, allowing only necessary VLANs, implementing trunk security features, and documenting trunk configurations.

Why other options are incorrect:

A) ISL (Inter-Switch Link) is Cisco proprietary, deprecated protocol, not supported on newer switches, encapsulates entire frame, and lacks vendor interoperability.

C) VTP (VLAN Trunking Protocol) manages VLAN database, not trunk encapsulation, Cisco proprietary, operates over trunks, and serves different purpose.

D) DTP (Dynamic Trunking Protocol) negotiates trunk formation, not encapsulation protocol, Cisco proprietary, creates security risks, and often disabled in production.
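The tag layout described above (TPID 0x8100, then PCP, DEI and VID in the TCI, inserted after the source MAC) is short enough to build and parse by hand, so here is an added example (not from the exam dump) that does both and then applies the native-VLAN and allowed-VLAN rules a trunk port uses on ingress. The addresses and payload are constructed, and the FCS is not modelled.

```python
import struct

TPID_8021Q = 0x8100


def mac_text(raw):
    """6 raw bytes -> aa:bb:cc:dd:ee:ff."""
    return ":".join(f"{b:02x}" for b in raw)


def build_tagged_frame(dst, src, vid, payload, pcp=0, dei=0, ethertype=0x0800):
    """Build an 802.1Q-tagged frame: the 4-byte tag goes right after the source MAC."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1-4094 (0 and 4095 are reserved)")
    if not 0 <= pcp <= 7 or dei not in (0, 1):
        raise ValueError("PCP is 3 bits, DEI is 1 bit")
    tci = (pcp << 13) | (dei << 12) | vid          # 16-bit Tag Control Information
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def build_untagged_frame(dst, src, payload, ethertype=0x0800):
    """Plain Ethernet II frame, as sent on the native VLAN."""
    return dst + src + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Split a frame into addresses, optional 802.1Q tag, EtherType and payload."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    tag, offset = None, 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        tag = {"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF}
        offset = 18
    return {"dst": mac_text(dst), "src": mac_text(src), "tag": tag,
            "ethertype": ethertype, "payload": frame[offset:]}


def trunk_ingress(frame, allowed_vlans, native_vlan=1):
    """Decide what a trunk port does with a received frame: (vlan, 'forward'|'drop').

    Untagged frames land in the native VLAN; tagged frames whose VID is not in
    the allowed list are dropped, which is what 'switchport trunk allowed vlan'
    pruning buys you.
    """
    info = parse_frame(frame)
    vid = info["tag"]["vid"] if info["tag"] else native_vlan
    return vid, ("forward" if vid in allowed_vlans else "drop")


# Constructed sample addresses and payload.
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("001122334455")
PAYLOAD = bytes(20)


if __name__ == "__main__":
    frame = build_tagged_frame(DST, SRC, 100, PAYLOAD, pcp=5)
    print(frame.hex())
    print(parse_frame(frame)["tag"])           # {'pcp': 5, 'dei': 0, 'vid': 100}
    print(trunk_ingress(frame, {10, 100}))     # (100, 'forward')
```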

Question 169

A company needs to implement wireless security using the strongest available authentication method. Which authentication should be configured?

A) WPA2-Personal with PSK

B) WPA2-Enterprise with 802.1X

C) WPA3-Personal

D) Open with MAC filtering

Answer: B

Explanation:

Enterprise wireless security requires robust authentication mechanisms. WPA2-Enterprise with 802.1X provides strongest authentication using individual user credentials, integrates with existing authentication infrastructure, enables per-user accountability, supports certificate-based authentication, provides centralized credential management, and implements industry-standard security framework.

802.1X authentication uses EAP (Extensible Authentication Protocol) framework, authenticates users against RADIUS server, generates unique encryption keys per session, supports various EAP methods, and provides enterprise-grade security.

Authentication process shows wireless client connecting to AP, AP acting as authenticator, forwarding authentication to RADIUS server, server validating credentials, granting or denying access, and generating session keys.

EAP methods include EAP-TLS using certificates for strongest security, PEAP-MS-CHAPv2 for username/password with server certificate, EAP-FAST using PACs, and EAP-TTLS providing flexibility.

Security advantages show individual user credentials preventing credential sharing, per-user accountability for compliance, centralized management in RADIUS, dynamic key generation per session, and certificate validation preventing rogue AP attacks.

Implementation requirements include deploying RADIUS server infrastructure, configuring AAA on wireless controller, distributing certificates when needed, creating user accounts centrally, and setting up wireless profiles.

Integration benefits leverage existing Active Directory, support single sign-on scenarios, enable role-based access control, provide audit trails, and simplify credential lifecycle management.

Best practices recommend implementing WPA2-Enterprise for all corporate wireless, using strong EAP methods like EAP-TLS, maintaining RADIUS server redundancy, monitoring authentication logs, and planning migration to WPA3-Enterprise.

Why other options are incorrect:

A) WPA2-Personal uses shared pre-shared key, same credential for all users, no individual accountability, difficult key management, and insufficient for enterprise environments.

C) WPA3-Personal improves PSK security with SAE, better than WPA2-Personal, but still shared credential model, not per-user authentication, and less secure than Enterprise methods.

D) Open with MAC filtering provides minimal security, MAC addresses easily spoofed, no encryption without additional measures, and completely inadequate for enterprise security requirements.

Question 170

An engineer must configure EIGRP authentication to secure routing updates. Which authentication type does EIGRP support?

A) MD5 authentication only

B) SHA authentication only

C) MD5 and SHA-256 authentication

D) IPsec encryption

Answer: C

Explanation:

EIGRP routing security requires authentication to prevent malicious routing updates. EIGRP supports both MD5 and SHA-256 authentication, with SHA-256 providing stronger cryptographic protection, MD5 supported for backward compatibility, authentication preventing rogue router injection, protecting against routing table manipulation, and ensuring routing update integrity.

EIGRP authentication verifies that routing updates originate from trusted sources, uses key chains for key management, supports key rotation for security, applies to all EIGRP packets, and provides per-interface configuration.

Authentication methods include MD5 authentication available in all EIGRP versions, HMAC-SHA-256 introduced in EIGRP named mode, both methods preventing unauthorized updates, and SHA-256 providing stronger cryptographic protection.

Implementation requirements show configuring a key chain with keys, setting key strings, associating the key chain with an interface, enabling the authentication mode, and verifying that neighbor relationships remain up.

Key chain configuration involves creating uniquely named key chains, defining key numbers for rotation, setting key strings as passwords, configuring accept and send lifetimes for rotation, and applying to interfaces.

Security benefits include preventing routing injection attacks, protecting against route manipulation, ensuring update authenticity, enabling secure neighbor relationships, and maintaining routing integrity.

Named vs Classic mode shows named mode supporting SHA-256, classic mode limited to MD5, named mode providing enhanced features, migration path to stronger authentication, and backward compatibility considerations.

Best practices recommend using SHA-256 for new deployments, implementing key rotation policies, maintaining key chain consistency, monitoring authentication failures, documenting key management, and planning security maintenance.

Why other options are incorrect:

A) MD5 authentication only was correct for classic mode, but named mode added SHA-256, limiting answer to MD5 is incomplete, and doesn’t reflect current EIGRP capabilities.

B) SHA authentication only is incorrect, MD5 still supported, both methods available depending on mode, and backward compatibility maintained.

D) IPsec encryption is separate security mechanism, not native EIGRP authentication, adds significant overhead, used for different purposes, and isn’t EIGRP authentication method.
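The key-chain and rotation points above (accept and send lifetimes, lowest valid key ID used for sending, chains that must stay consistent across neighbors) are what actually decide whether an adjacency survives a key change, so here is an added example (not from the exam dump) that models a two-key rotation with HMAC-SHA-256 over an update and checks sender and receiver against each other at different times. The key strings, timestamps and packet bytes are constructed, and the HMAC input is simplified to the raw packet rather than the exact EIGRP authentication TLV layout.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Key:
    key_id: int
    key_string: str
    accept_start: datetime
    accept_end: Optional[datetime]     # None = infinite
    send_start: datetime
    send_end: Optional[datetime]
    algorithm: str = "hmac-sha-256"    # or "md5"; both modelled as HMAC here (simplification)


def _in_window(start, end, now):
    return start <= now and (end is None or now < end)


class KeyChain:
    def __init__(self, name, keys):
        self.name = name
        self.keys = sorted(keys, key=lambda k: k.key_id)

    def send_key(self, now):
        """Lowest key ID whose send lifetime is valid now (the IOS rule)."""
        for key in self.keys:
            if _in_window(key.send_start, key.send_end, now):
                return key
        return None

    def accept_key(self, key_id, now):
        """The key with this ID if its accept lifetime is valid now, else None."""
        for key in self.keys:
            if key.key_id == key_id and _in_window(key.accept_start, key.accept_end, now):
                return key
        return None


def _digest(key, packet):
    algo = hashlib.sha256 if key.algorithm == "hmac-sha-256" else hashlib.md5
    return hmac.new(key.key_string.encode(), packet, algo).digest()


def sign_update(chain, packet, now):
    """Sender side: pick the current send key and attach (key_id, digest)."""
    key = chain.send_key(now)
    if key is None:
        raise RuntimeError(f"key chain {chain.name}: no key with a valid send lifetime")
    return key.key_id, _digest(key, packet)


def verify_update(chain, packet, key_id, digest, now):
    """Receiver side: accept only if that key ID is valid for accept and the MAC matches."""
    key = chain.accept_key(key_id, now)
    if key is None:
        return False
    return hmac.compare_digest(_digest(key, packet), digest)


def adjacency_ok(sender, receiver, packet, now):
    """True if an update signed by `sender` at `now` is accepted by `receiver`."""
    key_id, digest = sign_update(sender, packet, now)
    return verify_update(receiver, packet, key_id, digest, now)


T0 = datetime(2024, 1, 1, 0, 0)   # constructed reference time


def at(minutes):
    return T0 + timedelta(minutes=minutes)


def rotating_chain(name="EIGRP-KEYS", second_key="new-secret-2"):
    """Two-key rotation: key 1 is sent until +60 min but accepted until +120;
    key 2 is accepted from T0 (so either side may switch first) and sent from +60."""
    return KeyChain(name, [
        Key(1, "old-secret-1", T0, at(120), T0, at(60)),
        Key(2, second_key, T0, None, at(60), None),
    ])


def single_key_chain(name="EIGRP-KEYS"):
    """A router that never received key 2 (constructed inconsistency)."""
    return KeyChain(name, [Key(1, "old-secret-1", T0, at(120), T0, at(60))])
```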

Question 171

A network administrator needs to configure NAT to translate multiple private addresses to a pool of public addresses. Which NAT type should be used?

A) Static NAT

B) Dynamic NAT

C) PAT (NAT Overload)

D) Policy NAT

Answer: B

Explanation:

Network Address Translation methods serve different use cases. Dynamic NAT translates multiple private addresses to pool of public addresses, assigns public addresses from pool dynamically, releases addresses when connections close, enables multiple internal hosts sharing address pool, provides one-to-one translation during session, and optimizes public address utilization.

Dynamic NAT differs from static by using temporary mappings, translating addresses on-demand, returning addresses to pool after timeout, supporting larger internal networks than available public addresses, and providing flexibility.

Configuration elements include defining inside and outside interfaces, creating access-list for permitted sources, defining pool of public addresses, associating ACL with NAT pool, and monitoring translation table.

Pool exhaustion occurs when all pool addresses in use, additional translation requests denied until addresses available, users experiencing connection failures, requiring pool sizing based on concurrent connections, and monitoring utilization.

Use cases include organizations with limited public addresses, servers needing temporary external access, balancing public address utilization, providing outbound internet access, and managing address scarcity.

Advantages over alternatives show dynamic NAT providing true one-to-one translation during session, preserving end-to-end addressing principles better than PAT, supporting protocols requiring distinct addresses, and enabling address pool sharing.

Monitoring requirements include tracking pool utilization, identifying exhaustion events, analyzing usage patterns, planning capacity, and troubleshooting translation failures.

Best practices recommend sizing pools appropriately, monitoring utilization, implementing timeouts correctly, documenting address assignments, planning for growth, and considering PAT as alternative.

Why other options are incorrect:

A) Static NAT provides permanent one-to-one mapping, doesn’t share addresses, requires same number of public as translated private addresses, expensive for many hosts, and inappropriate when addresses should be shared dynamically.

C) PAT (Port Address Translation) or NAT Overload translates many private addresses to single or few public addresses using port numbers, different from question’s “pool of addresses” requirement, though more common in practice.

D) Policy NAT translates based on policy criteria, provides selective translation, adds complexity, and doesn’t specifically address multiple-to-pool requirement.

Question 172

An engineer must configure EtherChannel using LACP. Which mode combination on both switches creates an active negotiation?

A) Both sides in ON mode

B) Both sides in passive mode

C) Active and passive mode

D) Desirable and auto mode

Answer: C

Explanation:

EtherChannel aggregates multiple physical links into logical bundle. Active and passive mode combination creates proper LACP EtherChannel because active mode initiates negotiation, passive mode responds to negotiation, at least one side must be active for protocol negotiation, both sides can communicate and form bundle, and this represents standard LACP implementation.

LACP (Link Aggregation Control Protocol) is IEEE 802.3ad standard for dynamic link aggregation, provides negotiation protocol, detects configuration errors, monitors link health, and enables automatic bundle formation.

LACP modes include active mode sending LACP packets proactively, passive mode waiting for LACP packets, active/active combination working with both initiating, active/passive combination working with one initiating, and passive/passive failing due to neither initiating.

Negotiation process shows devices exchanging LACP protocol data units, comparing port configurations, selecting ports for bundle, establishing operational EtherChannel, and maintaining bundle health.

Configuration considerations require matching speed and duplex, same VLAN configuration, consistent switch port type (access or trunk), compatible EtherChannel protocols, and proper mode selection.

Advantages over static include LACP detecting misconfigurations, identifying link failures, automating bundle management, providing standards-based approach, and enabling cross-vendor compatibility.

Best practices recommend using LACP over static On mode, configuring active/passive or active/active, implementing consistent port configuration, monitoring bundle status, and documenting channel groups.

Troubleshooting involves verifying protocol mode compatibility, checking physical link status, validating port configuration consistency, reviewing LACP statistics, and checking for errors.

Why other options are incorrect:

A) Both sides in ON mode disables negotiation protocol, creates static bundle, doesn’t use LACP, provides no error detection, and misses LACP benefits despite question asking for LACP.

B) Both sides in passive mode prevents bundle formation, neither side initiates negotiation, LACP requires at least one active side, and bundle won’t establish.

D) Desirable and auto modes belong to PAgP (Cisco proprietary), not LACP, different protocol, and question specifically requires LACP configuration.

Question 173

A company needs to implement network access control for endpoints. Which Cisco solution provides device profiling and posture assessment?

A) Cisco ASA

B) Cisco ISE

C) Cisco ACI

D) Cisco DNA Center

Answer: B

Explanation:

Network access control solutions secure endpoint connectivity. Cisco ISE (Identity Services Engine) provides comprehensive NAC capabilities including device profiling to identify endpoints, posture assessment checking security compliance, authentication and authorization, policy enforcement, guest access management, and centralized identity services.

ISE combines AAA services with advanced policy engine, enabling dynamic authorization based on user identity, device type, location, time, and security posture, integrating with existing identity stores, and providing visibility into network devices.

Device profiling automatically identifies and classifies endpoints by collecting attributes through various probes, classifying based on device type, creating device profiles, enabling policy decisions based on device type, and maintaining device database.

Posture assessment validates endpoint security compliance by checking antivirus status, OS patch levels, security software, configuration compliance, remediating non-compliant devices, and enforcing access policies.

Core functions include RADIUS authentication services, certificate services for secure communication, guest management for visitor access, BYOD onboarding for personal devices, TrustSec for segmentation, and profiling services.

Integration capabilities show ISE integrating with Active Directory, LDAP, external databases, MDM solutions, threat intelligence platforms, and security ecosystem.

Use cases include securing wired and wireless access, implementing BYOD policies, managing guest access, enforcing security compliance, segmenting network access, and providing visibility.

Best practices recommend deploying distributed ISE architecture, implementing redundancy, integrating with identity stores, defining clear policies, monitoring continuously, and maintaining software updates.

Why other options are incorrect:

A) Cisco ASA is firewall and VPN platform, provides perimeter security, doesn’t offer NAC capabilities, lacks device profiling and posture, and serves different security function.

C) Cisco ACI is data center SDN solution, provides network automation, focuses on application-centric policy, not NAC platform, and addresses different use case.

D) Cisco DNA Center provides network management and automation, offers some assurance features, but ISE is the dedicated NAC platform; DNA Center orchestrates policy and delegates NAC functions to ISE.

Question 174

An administrator must configure STP to prevent loops while allowing rapid convergence. Which Spanning Tree Protocol version should be used?

A) STP (802.1D)

B) PVST+

C) RSTP (802.1w)

D) MST (802.1s)

Answer: C

Explanation:

Spanning Tree Protocol evolution addresses convergence speed requirements. RSTP (Rapid Spanning Tree Protocol) 802.1w provides loop prevention with rapid convergence, achieving sub-second convergence in most scenarios, maintaining backward compatibility with 802.1D, introducing new port states and roles, providing faster transition to forwarding, and representing significant improvement over original STP.

RSTP reduces convergence time from 30-50 seconds to typically 1-2 seconds, uses proposal-agreement mechanism for rapid transition, eliminates listening state, introduces alternate and backup port roles, and enables faster topology changes.

Convergence improvements include edge ports transitioning immediately to forwarding, point-to-point links using rapid transition, proposal-agreement handshake between switches, backup paths pre-calculated and ready, and topology change notifications processed efficiently.

Port states show RSTP simplifying to discarding, learning, and forwarding states compared to STP’s five states, reducing transition time, maintaining loop prevention, and enabling faster convergence.

Port roles include root port toward root bridge, designated port forwarding on segment, alternate port providing backup to root, backup port providing redundant connection to segment, and disabled port not participating.

Compatibility considerations show RSTP operating in 802.1D mode when detecting legacy switches, maintaining interoperability, allowing gradual migration, and supporting mixed environments during transition.

Implementation requirements involve enabling RSTP globally or per-VLAN, configuring PortFast equivalent for edge ports, setting link types for optimization, tuning timers appropriately, and monitoring convergence.

Best practices recommend deploying RSTP for faster convergence, configuring edge ports appropriately, using point-to-point links where possible, implementing root bridge redundancy, monitoring topology changes, and documenting STP design.

Why other options are incorrect:

A) STP (802.1D) is original protocol, converges slowly (30-50 seconds), uses five port states, lacks rapid convergence features, and superseded by RSTP for modern networks.

B) PVST+ is Cisco’s per-VLAN STP, based on 802.1D, same slow convergence as STP, provides per-VLAN root bridge flexibility, but doesn’t address convergence speed requirement.

D) MST (802.1s) provides efficient multiple VLAN support, reduces overhead, good for large deployments, but RSTP better answers “rapid convergence” requirement, and MST builds on RSTP anyway.

Question 175

A network team needs to implement IPv6 addressing using stateless autoconfiguration. Which protocol enables hosts to automatically configure addresses?

A) DHCPv6

B) SLAAC

C) ARP

D) NDP only

Answer: B

Explanation:

IPv6 autoconfiguration simplifies address assignment. SLAAC (Stateless Address Autoconfiguration) enables hosts to automatically configure IPv6 addresses without central servers, uses Router Advertisement messages from routers, combines network prefix with interface identifier, generates addresses independently, reduces administrative overhead, and represents fundamental IPv6 feature.

SLAAC allows hosts discovering network prefix through Router Advertisements, creating full address using EUI-64 or privacy extensions, configuring default gateway automatically, and obtaining basic network parameters without server dependency.

SLAAC process shows host generating link-local address, sending Router Solicitation, receiving Router Advertisement with prefix, combining prefix with interface ID, performing Duplicate Address Detection, and configuring address automatically.

Router Advertisement contains network prefix information, prefix length, default gateway, prefix lifetime, flags controlling address configuration, and optional parameters like MTU.

Address formation uses network prefix from RA (first 64 bits), interface identifier from MAC address using EUI-64 or randomly generated for privacy, creating complete 128-bit address, and maintaining uniqueness.

Advantages include no server infrastructure required, zero-configuration networking, automatic renumbering capability, reduced administrative burden, supporting mobile environments, and simplifying deployment.

Privacy considerations show EUI-64 revealing MAC address, privacy extensions generating random identifiers, balancing traceability versus privacy, supporting temporary addresses, and enabling security requirements.

Comparison with DHCPv6 shows SLAAC providing address only, DHCPv6 offering additional options like DNS servers, stateless DHCPv6 combining both, stateful DHCPv6 controlling all parameters, and deployment choosing based on requirements.

Best practices recommend enabling SLAAC for simplicity, combining with DHCPv6 for DNS information, implementing privacy extensions when appropriate, monitoring address assignment, and documenting configuration approach.
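The address-formation and DAD steps described above can be worked through in code. The following Python is an added example, not part of the original page or of any vendor's implementation: it derives a modified EUI-64 interface ID from a MAC address, joins it to the advertised /64 prefix, computes the solicited-node group that Duplicate Address Detection probes, and shows why EUI-64 exposes the MAC while a privacy-extension identifier does not. The prefix and MAC address are constructed sample values.

```python
import ipaddress
import secrets
from typing import Optional, Union


def _mac_bytes(mac: str) -> bytes:
    """Accept '00:1a:2b:3c:4d:5e', '00-1a-2b-3c-4d-5e' or Cisco '001a.2b3c.4d5e'."""
    digits = mac.replace(":", "").replace("-", "").replace(".", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac}")
    return bytes.fromhex(digits)


def eui64_iid(mac: str) -> bytes:
    """Modified EUI-64 interface identifier (RFC 4291 Appendix A)."""
    m = _mac_bytes(mac)
    # Insert 0xFFFE between the OUI and the NIC-specific half, then invert
    # the universal/local bit (0x02) of the first octet.
    return bytes([m[0] ^ 0x02]) + m[1:3] + b"\xff\xfe" + m[3:]


def privacy_iid() -> bytes:
    """Random interface identifier in the RFC 4941 style (U/L bit cleared)."""
    iid = bytearray(secrets.token_bytes(8))
    iid[0] &= 0xFD
    return bytes(iid)


def slaac_address(prefix: str, iid: bytes) -> ipaddress.IPv6Address:
    """Combine the /64 prefix advertised in a Router Advertisement with an IID."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64 or len(iid) != 8:
        raise ValueError("SLAAC needs a 64-bit prefix and a 64-bit interface ID")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + iid)


def solicited_node(addr: Union[str, ipaddress.IPv6Address]) -> ipaddress.IPv6Address:
    """Group that Duplicate Address Detection probes: ff02::1:ffXX:XXXX (low 24 bits)."""
    low24 = ipaddress.IPv6Address(addr).packed[13:]
    return ipaddress.IPv6Address(b"\xff\x02" + b"\x00" * 9 + b"\x01\xff" + low24)


def mac_from_eui64(addr: Union[str, ipaddress.IPv6Address]) -> Optional[str]:
    """Recover the MAC an EUI-64 address exposes, or None if the IID is not EUI-64."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    m = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in m)


if __name__ == "__main__":
    # Constructed values: documentation prefix 2001:db8::/32 and a made-up MAC.
    prefix, mac = "2001:db8:acad:1::/64", "00:1A:2B:3C:4D:5E"
    eui = slaac_address(prefix, eui64_iid(mac))
    print("EUI-64 address    :", eui, "-> MAC recoverable:", mac_from_eui64(eui))
    print("DAD solicited-node:", solicited_node(eui))
    tmp = slaac_address(prefix, privacy_iid())
    print("Privacy address   :", tmp, "-> MAC recoverable:", mac_from_eui64(tmp))
```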

Why other options are incorrect:

A) DHCPv6 is stateful configuration, requires server infrastructure, provides centralized control, offers additional options beyond SLAAC, but question specifically asks for stateless autoconfiguration.

C) ARP is IPv4 protocol for MAC address resolution, doesn’t exist in IPv6, replaced by NDP, completely unrelated to address autoconfiguration.

D) NDP (Neighbor Discovery Protocol) includes SLAAC but is broader, encompasses address resolution, router discovery, neighbor unreachability detection, and SLAAC is specific answer for autoconfiguration.

Question 176

An engineer must configure a router to filter traffic based on Layer 4 information. Which ACL type should be used?

A) Standard ACL

B) Extended ACL

C) MAC ACL

D) Time-based ACL

Answer: B

Explanation:

Access Control Lists provide traffic filtering capabilities at different layers. Extended ACL enables filtering based on Layer 4 information including TCP/UDP port numbers, supports source and destination addresses, evaluates protocol types, provides granular control, matches on multiple criteria simultaneously, and represents comprehensive filtering solution.

Extended ACLs (numbered 100-199 or 2000-2699, or named) filter based on source/destination IP addresses, protocol type (TCP, UDP, ICMP, etc.), source/destination port numbers, TCP flags, and other Layer 3/4 parameters.

Filtering capabilities include matching TCP/UDP port numbers for applications, filtering specific protocols, evaluating packet flags, combining multiple criteria, creating complex policies, and providing detailed control.

Configuration syntax shows specifying permit or deny, defining protocol (IP, TCP, UDP, ICMP), setting source and destination addresses with wildcards, including port numbers with operators (eq, gt, lt, range), and optional parameters like established or log.

Common use cases include blocking specific applications by port, allowing only required services, implementing security policies, filtering by application protocol, creating DMZ access rules, and controlling traffic flows.

Port matching operators enable eq (equal) matching exact port, gt (greater than) for port ranges, lt (less than) for ranges, neq (not equal) excluding ports, and range for port spans.

Placement considerations require applying extended ACLs close to source, minimizing unnecessary traffic, reducing network load, optimizing resource utilization, and improving security effectiveness.

Best practices recommend placing most specific rules first, using named ACLs for clarity, documenting ACL purposes, reviewing rules regularly, implementing logging selectively, and maintaining ACL standards.
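The matching rules described above (wildcard masks, the eq/gt/lt/neq/range operators, the established keyword, first-match order and the implicit deny) can be modelled directly. The following Python is an added worked example, not code from the original page or from Cisco IOS: it parses IOS-style extended ACE text into a small matcher and evaluates constructed sample packets against a constructed five-line ACL. The addresses, ports and ACL contents are sample values chosen for the illustration.

```python
import ipaddress
from collections import namedtuple

PORT_OPS = {"eq", "gt", "lt", "neq", "range"}

# Packet under evaluation; 'established' models the TCP ACK/RST bit that the
# 'established' keyword tests. Ace holds one parsed access-control entry.
Packet = namedtuple("Packet", "proto src dst sport dport established",
                    defaults=(0, 0, False))
Ace = namedtuple("Ace", "action proto src sport dst dport established")


def _addr(tok, i):
    """Consume 'any', 'host A' or 'A WILDCARD' at tok[i]; return ((addr, wildcard), next)."""
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (int(ipaddress.IPv4Address(tok[i + 1])), 0), i + 2
    return (int(ipaddress.IPv4Address(tok[i])),
            int(ipaddress.IPv4Address(tok[i + 1]))), i + 2


def _port_op(tok, i):
    """Consume an optional eq/gt/lt/neq/range operator; return ((op, lo, hi) or None, next)."""
    if i < len(tok) and tok[i] in PORT_OPS:
        if tok[i] == "range":
            return (tok[i], int(tok[i + 1]), int(tok[i + 2])), i + 3
        return (tok[i], int(tok[i + 1]), int(tok[i + 1])), i + 2
    return None, i


def parse_ace(line):
    """Parse one extended ACE, e.g. 'permit tcp 10.1.1.0 0.0.0.255 any eq 443 log'."""
    tok = line.split()
    src, i = _addr(tok, 2)
    sport, i = _port_op(tok, i)
    dst, i = _addr(tok, i)
    dport, i = _port_op(tok, i)
    return Ace(tok[0], tok[1], src, sport, dst, dport, "established" in tok[i:])


def _addr_match(spec, ip):
    addr, wildcard = spec
    # Wildcard-mask semantics: a 1 bit in the mask means "don't care".
    return (int(ipaddress.IPv4Address(ip)) ^ addr) & ~wildcard & 0xFFFFFFFF == 0


def _port_match(spec, port):
    if spec is None:          # no operator on this ACE: any port matches
        return True
    op, lo, hi = spec
    return {"eq": port == lo, "neq": port != lo, "gt": port > lo,
            "lt": port < lo, "range": lo <= port <= hi}[op]


def evaluate(acl, pkt):
    """First-match evaluation; return (action, index of matching ACE) or ('deny', None)."""
    for idx, ace in enumerate(acl):
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if ace.established and not pkt.established:
            continue
        if (_addr_match(ace.src, pkt.src) and _port_match(ace.sport, pkt.sport)
                and _addr_match(ace.dst, pkt.dst) and _port_match(ace.dport, pkt.dport)):
            return ace.action, idx
    return "deny", None   # implicit deny at the end of every ACL


# Constructed sample ACL (not from the page) protecting the 10.1.1.0/24 segment.
SAMPLE_ACL = [parse_ace(line) for line in (
    "permit tcp 10.1.1.0 0.0.0.255 host 192.0.2.10 eq 443",
    "permit tcp any 10.1.1.0 0.0.0.255 established",
    "deny tcp any any eq 23 log",
    "permit udp any host 10.1.1.53 eq 53",
    "permit icmp any any",
)]

if __name__ == "__main__":
    for pkt in (Packet("tcp", "10.1.1.5", "192.0.2.10", 40000, 443),
                Packet("tcp", "10.1.1.5", "192.0.2.10", 40001, 23),
                Packet("tcp", "198.51.100.7", "10.1.1.5", 22, 40002)):
        print(pkt.proto, pkt.src, "->", pkt.dst, pkt.dport, evaluate(SAMPLE_ACL, pkt))
```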

Why other options are incorrect:

A) Standard ACL filters only on source IP address, numbered 1-99 or 1300-1999, doesn’t examine Layer 4 information, insufficient for port-based filtering, and limited to Layer 3.

C) MAC ACL filters based on Layer 2 MAC addresses, operates at data link layer, doesn’t examine Layer 4, used for non-IP traffic, and completely different purpose.

D) Time-based ACL adds temporal dimension to standard or extended ACLs, not separate type, can combine with extended ACL features, but doesn’t define Layer 4 capability itself.

Question 177

A company needs to implement multicast routing for video streaming. Which protocol is used for hosts to join multicast groups?

A) PIM

B) IGMP

C) DVMRP

D) MSDP

Answer: B

Explanation:

Multicast communication requires hosts to signal group membership. IGMP (Internet Group Management Protocol) enables hosts to communicate multicast group membership to local routers, operates between hosts and directly connected routers, signals joining and leaving groups, allows routers to discover interested hosts, and represents fundamental protocol for multicast host interaction.

IGMP versions include IGMPv1 with basic membership, IGMPv2 adding leave messages, and IGMPv3 supporting source-specific multicast, each providing progressively enhanced capabilities.

Protocol operation shows hosts sending membership reports when joining groups, routers querying for group members periodically, hosts responding with current memberships, leave messages informing quick departure, and routers maintaining group membership database.

Message types include membership queries from routers discovering members, membership reports from hosts declaring membership, leave group messages for IGMPv2+, and version-specific messages for compatibility.

Querier election determines which router queries on multi-access networks, uses lowest IP address for selection, ensures single querier per subnet, prevents duplicate queries, and maintains efficiency.

Group membership management enables routers learning which groups have interested hosts, building multicast forwarding state, pruning unnecessary traffic, optimizing bandwidth, and delivering only to interested receivers.

IGMP snooping at Layer 2 prevents multicast flooding, forwards multicast only to interested ports, improves switch efficiency, reduces unnecessary traffic, and optimizes multicast delivery.

Best practices recommend enabling appropriate IGMP version, configuring snooping on switches, tuning query intervals, monitoring group membership, implementing ACLs when needed, and documenting multicast design.

Why other options are incorrect:

A) PIM (Protocol Independent Multicast) is router-to-router protocol, builds multicast distribution trees, not used by hosts, operates between routers, and serves different purpose than host membership.

C) DVMRP (Distance Vector Multicast Routing Protocol) is legacy multicast routing protocol, operates between routers, not between hosts and routers, and largely obsolete.

D) MSDP (Multicast Source Discovery Protocol) connects multicast domains, operates between RPs, provides inter-domain multicast, not for host membership, and specialized use case.

Question 178

An administrator must configure a switch port to automatically detect and configure IP phone power and VLAN. Which technology should be enabled?

A) PoE

B) CDP

C) LLDP

D) LLDP-MED

Answer: D

Explanation:

IP phone deployment requires automatic configuration capabilities. LLDP-MED (Link Layer Discovery Protocol – Media Endpoint Discovery) provides comprehensive phone discovery and configuration, extends LLDP for VoIP devices, automatically configures voice VLAN, negotiates power requirements, enables location services, and represents industry standard for endpoint provisioning.

LLDP-MED standardized in IEEE 802.1AB and ANSI-TIA-1057, supports multi-vendor environments, provides network connectivity devices with capabilities discovery, enables zero-touch deployment, and extends beyond Cisco proprietary solutions.

LLDP-MED capabilities include network policy for VLAN and QoS configuration, power management through extended power negotiation, location information for emergency services, inventory management with device details, and extended capabilities beyond basic LLDP.

Network policy TLV communicates voice VLAN assignment, Layer 2 priority for QoS, DSCP marking values, and application-specific parameters, enabling automatic phone configuration.

Power negotiation extends PoE capabilities, provides fine-grained power management, enables precise power allocation, supports higher power devices, and optimizes power distribution.

Comparison with alternatives shows CDP being Cisco proprietary, LLDP providing basic discovery, LLDP-MED extending for VoIP specifically, and MED providing comprehensive endpoint provisioning.

Implementation requirements involve enabling LLDP globally and on ports, configuring LLDP-MED capabilities, defining network policies for voice, setting power parameters, and verifying phone registration.

Best practices recommend using LLDP-MED in multi-vendor environments, maintaining consistent policies, documenting phone VLAN design, monitoring power utilization, and testing phone discovery.
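The Network Policy TLV described above is the piece that actually carries the voice VLAN, Layer 2 priority and DSCP to the phone. The following Python is an added example, not part of the original page or of any vendor's LLDP implementation: it encodes and decodes an LLDP-MED Network Policy TLV (organizationally specific TLV type 127, TIA OUI 00-12-BB, subtype 2), so the bit layout the switch sends can be inspected on the wire. The VLAN, priority and DSCP values are constructed samples.

```python
import struct
from dataclasses import dataclass

TLV_ORG_SPECIFIC = 127                 # LLDP TLV type for organizationally specific TLVs
TIA_OUI = bytes.fromhex("0012bb")      # ANSI/TIA OUI used by all LLDP-MED TLVs
MED_NETWORK_POLICY = 2                 # LLDP-MED subtype: Network Policy
APP_VOICE, APP_VOICE_SIGNALING = 1, 2  # application types an IP phone asks for


@dataclass
class NetworkPolicy:
    app_type: int
    vlan_id: int           # 12 bits; 0 with tagged=False means untagged/native
    l2_priority: int       # 3-bit 802.1p value
    dscp: int              # 6-bit DiffServ code point
    tagged: bool = True    # T flag: phone should tag voice frames with vlan_id
    unknown: bool = False  # U flag: policy not yet known for this application

    def encode(self) -> bytes:
        """Serialize as a complete LLDP TLV (2-byte header + 8-byte value)."""
        if not (0 <= self.vlan_id < 4096 and 0 <= self.l2_priority < 8
                and 0 <= self.dscp < 64 and 0 <= self.app_type < 256):
            raise ValueError("Network Policy field out of range")
        # 24-bit layout: U(1) T(1) X(1, reserved) VLAN ID(12) L2 priority(3) DSCP(6)
        bits = ((int(self.unknown) << 23) | (int(self.tagged) << 22)
                | (self.vlan_id << 9) | (self.l2_priority << 6) | self.dscp)
        value = (TIA_OUI + bytes([MED_NETWORK_POLICY, self.app_type])
                 + bits.to_bytes(3, "big"))
        header = struct.pack("!H", (TLV_ORG_SPECIFIC << 9) | len(value))  # type(7) len(9)
        return header + value


def decode_network_policy(tlv: bytes) -> NetworkPolicy:
    """Parse a Network Policy TLV, rejecting anything that is not one."""
    if len(tlv) < 2:
        raise ValueError("truncated TLV header")
    (hdr,) = struct.unpack("!H", tlv[:2])
    tlv_type, length = hdr >> 9, hdr & 0x1FF
    value = tlv[2:2 + length]
    if tlv_type != TLV_ORG_SPECIFIC or len(value) != length or length != 8:
        raise ValueError("not a well-formed 8-octet organizationally specific TLV")
    if value[:3] != TIA_OUI or value[3] != MED_NETWORK_POLICY:
        raise ValueError("not an LLDP-MED Network Policy TLV")
    bits = int.from_bytes(value[5:8], "big")
    return NetworkPolicy(app_type=value[4], vlan_id=(bits >> 9) & 0xFFF,
                         l2_priority=(bits >> 6) & 0x7, dscp=bits & 0x3F,
                         tagged=bool((bits >> 22) & 1), unknown=bool((bits >> 23) & 1))


if __name__ == "__main__":
    # Constructed policy: voice VLAN 100, CoS 5, DSCP 46 (EF), tagged.
    policy = NetworkPolicy(APP_VOICE, vlan_id=100, l2_priority=5, dscp=46)
    wire = policy.encode()
    print(wire.hex())                        # fe080012bb020140c96e
    print(decode_network_policy(wire))
```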

Why other options are incorrect:

A) PoE provides power only, doesn’t configure VLAN, no discovery protocol, requires separate VLAN configuration, and insufficient for automatic configuration requirement.

B) CDP is Cisco proprietary discovery protocol, provides device information, can assist phone configuration, but LLDP-MED is standards-based, multi-vendor solution specifically designed for media endpoints.

C) LLDP provides basic neighbor discovery, exchanges device information, lacks media-specific capabilities, doesn’t include network policy for phones, and LLDP-MED extends specifically for VoIP.

Question 179

A network team needs to implement redundancy for inter-VLAN routing. Which technique provides active-active gateway redundancy?

A) HSRP

B) VRRP

C) GLBP

D) STP

Answer: C

Explanation:

Gateway redundancy protocols provide fault tolerance for default gateways. GLBP (Gateway Load Balancing Protocol) uniquely provides active-active redundancy where multiple routers forward traffic simultaneously, distributes client load across gateways, eliminates single active forwarding limitation, optimizes bandwidth utilization, provides both redundancy and load balancing, and represents advanced Cisco solution.

GLBP enables multiple routers acting as default gateway simultaneously, distributing forwarding responsibility, maintaining redundancy, responding to ARP requests with different virtual MAC addresses, and balancing traffic across available gateways.

GLBP operation shows one AVG (Active Virtual Gateway) managing group, up to four AVFs (Active Virtual Forwarders) forwarding traffic, AVG assigning virtual MAC addresses, clients receiving different MAC addresses, and traffic distributing automatically.

Load balancing methods include round-robin distributing sequentially, weighted balancing based on capacity, host-dependent maintaining client-gateway consistency, and customizable algorithms for optimization.

Advantages over alternatives demonstrate GLBP utilizing all routers for forwarding, HSRP/VRRP using only one active router, GLBP maximizing bandwidth, eliminating idle backup routers, and improving resource utilization.

Redundancy features maintain gateway availability if AVF fails, promote standby AVF automatically, continue forwarding through remaining AVFs, maintain client sessions, and provide transparent failover.

Configuration considerations require defining GLBP group number, configuring virtual IP address, setting priority for AVG election, selecting load balancing method, and configuring preemption if desired.

Best practices recommend implementing GLBP when load distribution needed, configuring appropriate priorities, monitoring group status, documenting forwarder assignments, testing failover scenarios, and maintaining software compatibility.

Why other options are incorrect:

A) HSRP provides active-standby redundancy only, one router forwards while others standby, doesn’t load balance, wastes standby capacity, though provides solid redundancy.

B) VRRP is also an active-standby model: one master forwards, backups idle, no load balancing, industry standard but similar to HSRP in active-standby limitation.

D) STP prevents Layer 2 loops, provides switch path redundancy, not gateway redundancy protocol, doesn’t provide inter-VLAN routing redundancy, and completely different purpose.

Question 180

An engineer must configure SNMP to provide encrypted authentication and privacy. Which SNMP version should be used?

A) SNMPv1

B) SNMPv2c

C) SNMPv3

D) SNMPv2u

Answer: C

Explanation:

Network management security requires protecting SNMP communications. SNMPv3 provides comprehensive security features including encrypted authentication using hashing algorithms, privacy through encryption of SNMP payloads, message integrity verification, access control through view-based access, and a user-based security model, and is the only SNMP version with robust security.

SNMPv3 addresses security vulnerabilities of earlier versions, implements authentication preventing spoofing, encrypts messages protecting confidentiality, provides replay protection, enables granular access control, and supports security best practices.

Security levels include noAuthNoPriv providing no security (backward compatible), authNoPriv providing authentication without encryption, and authPriv providing both authentication and privacy encryption.

Authentication protocols show HMAC-MD5 for authentication, HMAC-SHA for stronger authentication, both preventing message tampering, verifying message origin, and ensuring integrity.

Privacy protocols include DES-56 for basic encryption, 3DES for enhanced security, AES-128/192/256 for strongest encryption, protecting payload confidentiality, and preventing eavesdropping.

User-based security requires configuring usernames, associating authentication passwords, setting privacy keys, defining access views, and enabling role-based management.

Implementation requirements involve configuring SNMPv3 users with authentication, enabling privacy with encryption, defining security levels, creating views for access control, and testing secure communication.

Migration considerations show SNMPv3 supporting backward compatibility, allowing gradual transition, maintaining existing monitoring, and upgrading security incrementally.

Best practices recommend using SNMPv3 exclusively, implementing authPriv security level, using strong passwords, rotating credentials regularly, limiting access views, and monitoring SNMP security events.
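The User-based Security Model the explanation refers to turns the configured authentication password into a per-agent key before any HMAC-MD5 or HMAC-SHA check happens. The following Python is an added example, not code from the original page or from any SNMP stack: it implements the RFC 3414 password-to-key and key-localization steps, produces the 96-bit msgAuthenticationParameters value, and verifies it on the receiving side. The RFC's own "maplesyrup" test vector is used so the derivation can be checked; the message bytes are a constructed stand-in for a serialized PDU.

```python
import hashlib
import hmac

# Digest behind each authentication protocol the explanation lists.
AUTH_ALGOS = {"HMAC-MD5-96": "md5", "HMAC-SHA-96": "sha1"}

# snmpEngineID from the worked example in RFC 3414 Appendix A.3.
RFC3414_ENGINE_ID = bytes.fromhex("000000000000000000000002")


def password_to_key(password: str, algo: str) -> bytes:
    """Ku (RFC 3414 A.2): digest of the password repeated to exactly 1 MiB."""
    pw = password.encode()
    if not pw:
        raise ValueError("empty password")
    stream = (pw * (1_048_576 // len(pw) + 1))[:1_048_576]
    return hashlib.new(algo, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): a compromised agent yields only its own key."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def derive_auth_key(password: str, engine_id: bytes, protocol: str) -> bytes:
    """Password -> localized authentication key for one agent (authNoPriv/authPriv)."""
    algo = AUTH_ALGOS[protocol]
    return localize_key(password_to_key(password, algo), engine_id, algo)


def auth_parameters(kul: bytes, protocol: str, message: bytes) -> bytes:
    """msgAuthenticationParameters: HMAC over the serialized message (with the
    parameters field zero-filled, which the caller is assumed to have done),
    truncated to 96 bits as HMAC-MD5-96 / HMAC-SHA-96 require."""
    return hmac.new(kul, message, AUTH_ALGOS[protocol]).digest()[:12]


def verify_auth(kul: bytes, protocol: str, message: bytes, received: bytes) -> bool:
    """Receiver-side integrity/origin check; noAuthNoPriv simply skips this step."""
    return hmac.compare_digest(auth_parameters(kul, protocol, message), received)


if __name__ == "__main__":
    kul = derive_auth_key("maplesyrup", RFC3414_ENGINE_ID, "HMAC-SHA-96")
    print("localized SHA key:", kul.hex())
    msg = b"constructed SNMPv3 message bytes"          # stand-in for a real PDU
    tag = auth_parameters(kul, "HMAC-SHA-96", msg)
    print("authParams:", tag.hex(), "verifies:", verify_auth(kul, "HMAC-SHA-96", msg, tag))
```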

Why other options are incorrect:

A) SNMPv1 uses community strings as plaintext passwords, no encryption, no authentication, highly insecure, deprecated, and completely inadequate for security requirements.

B) SNMPv2c improves functionality but maintains community string security, still plaintext, no encryption or authentication, and doesn’t meet security requirements.

D) SNMPv2u was proposed party-based security, never widely adopted, superseded by SNMPv3, not standard implementation, and SNMPv3 is proper secure version.
