Prepare Smarter for CCNA 200-301 Exam with Our Free and Accurate CCNA 200-301 Exam Questions – 2025 Updated.
At Cert Empire we are committed to providing the best and latest exam questions to students preparing for the Cisco CCNA 200-301 exam. To help students prepare better, we have made sections of our CCNA 200-301 exam preparation resources free for all. You can practice as much as you like with the free CCNA 200-301 practice test.
Question 1
Show Answer
A: It causes a network loop when a violation occurs. Port security violation actions
(shutdown, restrict, protect) are designed to secure the port, not cause network loops.
B: It disables the native VLAN configuration as soon as port security is enabled. Enabling
port security does not inherently alter or disable the native VLAN configuration; these are
separate features.
D: It places the port in the err-disabled state after 10 MAC addresses are statically
configured. The default maximum MAC addresses is 1, not 10. The violation occurs upon
learning MACs beyond the limit, not specifically after static configuration of a certain
number.
Cisco Systems, "Configuring Port Security," Catalyst 9300 Series Switches, Cisco IOS XE
Bengaluru 17.6.x, Security Configuration Guide.
Relevant Sections: "Port Security Default Configuration" (states maximum MAC addresses
is 1, violation mode is Shutdown) and "Enabling Port Security on an Interface" (confirms
defaults apply to trunk ports).
Cisco Systems, "Catalyst 3750-X and 3560-X Switch Software Configuration Guide,
Release 15.0(2)SE and Later," Chapter: "Configuring Port Security."
URL: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x3560x/software/release/15-02se/configuration/guide/scg3750x/swps.html
Relevant Section: "Port Security Default Settings" (Table 21-1 lists "Maximum number of
secure MAC addresses" as 1 and "Violation mode" as "shutdown"). "Port Security on Trunk
Ports" (explains port security applies to all VLANs on the trunk).
Question 2
Show Answer
A: broadcast to all ports on the switch
C: forwarded to the first available port
D: inspected and dropped by the switch
Odom, W. (2019). CCNA 200-301 Official Cert Guide, Volume 1. Cisco Press. Chapter 2,
"Fundamentals of Ethernet LANs," Section: "Sending Data in Ethernet Networks,"
Subsection: "Switch Forwarding: The General Idea" (specifically discusses unknown unicast
frames and flooding).
"When a switch receives a frame whose destination MAC address is unicast, but that MAC
address is not in the MAC address table, the switch floods the frame. Flooding means that
the switch forwards a copy of the frame out all ports except the port on which the frame
arrived."
Cisco Networking Academy. (n.d.). CCNAv7: Switching, Routing, and Wireless Essentials.
Module 2: Switching Concepts, Section 2.2.2: The MAC Address Table.
"If the destination MAC address is not in the table, the switch will forward the frame out all
ports except the incoming port. This is called an unknown unicast." (Accessible via Cisco
NetAcad learning platform).
Tanenbaum, A. S., & Wetherall, D. J. (2011). Computer Networks (5th ed.). Pearson
Education. Chapter 4, "The Medium Access Control Sublayer," Section 4.3.2 "Bridges and
Switches."
While a general networking textbook, it describes the fundamental operation: "If the
destination port is unknown, the frame is broadcast on all ports except the one it arrived on
(flooding)." (This aligns with the Cisco-specific behavior for unknown unicast frames).
Question 3
Show Answer
A. auto is a PAgP (proprietary) mode, not valid for LACP; channel will not form.
B. An IP address is configured on the logical Port-Channel, not on individual member ports;
it does not influence LACP state.
C. Interfaces are already up (CDP sees the neighbor); issuing no shutdown adds nothing.
1. Cisco Systems, Configuring EtherChannels, Catalyst 9000 Series Switches IOS XE 17,
section "LACP Modes: active and passive". https://www.cisco.com/c/en/us/td/docs/iosxml/ios/lanswitch/configuration/xe-17/lanswitch-xe-17-book/lnsw-etherchannel.html
2. IEEE Std 802.1AX-2020, clause 5.3.1: passive participants only respond to LACPDUs,
allowing aggregation when the peer is active.
Question 4
Show Answer
A: 255.255.255.240 This mask corresponds to a /28 prefix length (28 bits set to 1), not /29.
B: 255.255.255.128 This mask corresponds to a /25 prefix length (25 bits set to 1), not /29.
C: 255.255.248. This option is an improperly formatted mask. If interpreted as
255.255.248.0, it corresponds to a /21 prefix length, not /29.
1. Odom, W. (2019). CCNA 200-301 Official Cert Guide, Volume 1. Cisco Press. Chapter
13, "Implementing IP Addressing and Subnetting," Table 13-6 "Common IPv4 Prefix Lengths
and Their Equivalent Dotted-Decimal Masks" (lists /29 as 255.255.255.248). Chapter 20,
"Learning IPv4 Routes with OSPFv2," discusses interpreting show ip route output, including
prefix lengths.
2. Kurose, J. F., & Ross, K. W. (2021). Computer Networking: A Top-Down Approach (8th
ed.). Pearson. Chapter 4, Section 4.3.2 "IP Addressing: CIDR" (explains the /x prefix
notation).
3. Cisco IOS IP Routing: Protocol-Independent Configuration Guide, Cisco IOS XE Release
3S. (n.d.). Displaying the IP Routing Table. Cisco. Retrieved from
(Illustrates show ip route command usage and output format, including prefix length
notation).
Question 5
Show Answer
A: to secure physical access to a data center: Cisco DNA Center is a network management
platform, not a system for controlling physical access to facilities.
B: to scan a network and generate a Layer 2 network diagram: While DNA Center can
discover devices and display network topology, this is a feature supporting its broader
management purpose, not the primary purpose itself.
D: to provide Layer 3 services to autonomous access points: DNA Center manages network
infrastructure, including wireless controllers or fabric-enabled APs, rather than directly
providing Layer 3 routing services to autonomous APs.
Cisco. (n.d.). Cisco DNA Center At-A-Glance. Cisco. Retrieved from
https://www.cisco.com/c/dam/en/us/products/collateral/cloud-systems-management/dna-center/nb-06-dna-center-aag-ctp-en.pdf (Page 1: "Cisco DNA Center is the network
management and command center for Cisco DNA... Automate device deployment...
Manage your network... Secure your network.")
Cisco. (n.d.). Cisco DNA Center Data Sheet. Cisco. Retrieved from
https://www.cisco.com/c/en/us/products/collateral/cloud-systems-management/dna-center/datasheet-c78-739944.html (Section: "Product overview" - "Cisco DNA Center
provides a centralized management dashboard... for automation... and assurance.")
Odom, W. (2020). CCNA 200-301 Official Cert Guide, Volume 2. Cisco Press. (Chapter 23:
Introduction to Controller-Based Networking - "Cisco DNA Center provides a centralized
GUI to design, provision, apply policy, and provide assurance for the enterprise network.")
Question 6
Show Answer
A. PSK Pre-Shared Key was the WPA/WPA2 authentication method; WPA3 replaces it with
SAE and still uses AES for encryption.
B. TKIP Deprecated after WPA; explicitly disallowed in WPA3 because it lacks modern
cryptographic strength.
C. SAE A password-authenticated key-exchange protocol, not an encryption algorithm; it
produces the keys that feed AES-based ciphers.
1. Wi-Fi Alliance, Wi-Fi CERTIFIED WPA3™ Security Technical Overview, §3.2: WPA3
networks use AES-CCMP-128 (or AES-GCMP-256 in WPA3-Enterprise-192) for data
encryption. https://www.wi-fi.org/file/wpa3-specification
2. IEEE Std 802.11-2020, Clause 12.4 & 12.6: CCMP/GCMP (AES) defined as required
suites; TKIP prohibited.
3. IEEE Std 802.11-2020, Annex J: Simultaneous Authentication of Equals (SAE) provides
authentication; encryption is achieved with AES-based CCMP or GCMP.
Question 7
Show Answer
A: per-device: This describes traditional management, where administrators often configure
each device individually, which Cisco DNA Center aims to overcome.
C: device-by-device hands-on: This is characteristic of traditional network management, not
the automated, centralized approach of Cisco DNA Center.
D: CLI-oriented device: While CLI access is still possible, Cisco DNA Center emphasizes
GUI-based management and automation, moving away from primarily CLI-oriented
traditional methods.
Cisco. (n.d.). Cisco DNA Center At-a-Glance. Cisco. Retrieved from
https://www.cisco.com/c/en/us/products/collateral/cloud-systems-management/dna-center/nb-06-dna-center-aag-ctp-en.html (Page 1: "Cisco DNA Center is the network
management and command center for your Cisco DNA network. This centralized, intuitive
management hub...")
Cisco. (n.d.). Cisco DNA Center Solution Overview. Cisco. Retrieved from
https://www.cisco.com/c/en/us/products/collateral/cloud-systems-management/dna-center/solution-overview-c22-738477.html (Page 2: "Traditional networks are hardware-centric, manually configured, fragmented in their management...")
Odom, W. (2020). CCNA 200-301 Official Cert Guide, Volume 2. Cisco Press. (Chapter 23:
"Introduction to Controller-Based Networking" - discusses the shift from traditional per-
device management to centralized controller-based models like Cisco DNA Center).
Question 8
Show Answer
A. Routes are reversed: /24 points to R2 and /32 to R3, contradicting the requirement.
B. Uses 255.255.0.0 (/16), not /24, so it covers many unintended networks.
D. Masks are incorrect (/16 for network, /24 for host), and next-hop directions are reversed.
1. Cisco IOS XE 17 IP Routing: Static Routes Configuration Guide Example: host (/32)
route overriding network route.
2. Doyle, J., & Carroll, J. Routing TCP/IP, Volume I, 2nd ed., Cisco Press, 2005. Section 3.2
Static Routes and Longest-Match Routing, pp. 76-78.
Question 9
Show Answer
A: snmp-server host: This command specifies a trap/inform receiver and can be used with
SNMPv1, v2c, or v3, depending on other parameters.
B: snmp-server community: This command configures community strings, which are
primarily used for SNMPv1 and SNMPv2c.
C: snmp-server enable traps: This command globally enables the sending of SNMP traps
and is not specific to any SNMP version.
Cisco IOS SNMP Configuration Guide: "Configuring SNMPv3 Users" section typically
details the snmp-server user command. For example, in the SNMP Configuration Guide,
Cisco IOS Release 15M&T, the snmp-server user command is described as: "To configure a
new user to an SNMP group for SNMPv3."
Direct URL (example for a specific IOS version, concept is general): Cisco.com, search for
"SNMP Configuration Guide" for relevant IOS. A general reference: Cisco Press, "CCNA
200-301 Official Cert Guide, Volume 1," Chapter 25: IP Services, section "Configuring and
Verifying SNMP." (While commercial prep, the underlying Cisco IOS command functionality
is standard).
Official Cisco Documentation (Conceptual): "Simple Network Management Protocol
Configuration Guide, Cisco IOS XE Gibraltar 16.12.x" - Chapter: Configuring SNMPv3. This
guide states: "SNMPv3 provides for both security models and security levels. A security
model is an authentication strategy that is set up for a user and the group in which the user
resides. A security level is the permitted level of security within a security model." The
snmp-server user command is central to this. (Available via Cisco's public documentation
portal).
Cisco IOS Master Command List: Searching for snmp-server user will show its syntax and
purpose, clearly linking it to SNMPv3.
Direct URL (example): Cisco.com, search for "Cisco IOS Master Command List" and then
navigate to the specific command. For instance, snmp-server user command reference.
Academic Source (Conceptual understanding of SNMPv3):
Stallings, W. (2016). Foundations of Modern Networking: SDN, NFV, QoE, IoT, and Cloud.
Pearson Education, Inc. Chapter 5, "Network Management," discusses SNMPv3 and its
User-based Security Model (USM), which relies on configured users. (This provides the
theoretical background for why user configuration is key to SNMPv3).
Question 10
Show Answer
A – Priority 0 prevents the router from participating in the DR/BDR election.
C – Places R2 in a different IP subnet (10.0.1.0/24); it would not form adjacency on the
WAN link.
D – Subnet mismatch (10.0.1.0/27) prevents adjacency; also uses lower priority than option
B.
1. Cisco IOS "ip ospf priority" command, Cisco Networking Software Command Reference,
IP Routing OSPF, §“Usage Guidelines”.
https://www.cisco.com/c/en/us/td/docs/ios/iosxe/iproute/command/ir-cr-book/iri1.html#wp1050757
2. RFC 2328, OSPF Version 2, J. Moy, Internet Engineering Task Force, Apr 1998, §9.4
(Router Priority).
https://datatracker.ietf.org/doc/html/rfc2328#section-9.4
Question 11
Show Answer
A. key Keys are the names on the left side of the colon; R1, SW1 are on the right.
B. array An array is an ordered list enclosed in [ ]; R1, SW1 are individual elements, not the
array container itself.
D. object A JSON object is a collection of name/value pairs delimited by { }; R1, SW1 are
primitive string values inside the object, not the object itself.
1. IETF RFC 8259: The JavaScript Object Notation (JSON) Data Interchange Format, §2
Objects and Values https://www.rfc-editor.org/rfc/rfc8259#section-2
2. ECMA-404: The JSON Data Interchange Standard, §5 Values https://www.ecma-international.org/wp-content/uploads/ECMA-4042ndeditiondecember2017.pdf
Question 12
Show Answer
A: Single sign-on (SSO) is an authentication scheme for accessing multiple services with
one login; it can be secured by MFA but is not MFA itself.
C: Passwords that expire is a security policy for a single authentication factor (password),
not an additional, distinct factor required for MFA.
E: Shared password responsibility is an administrative policy or practice concerning
password management, not an authentication factor or MFA method.
1. Cisco, "What Is Multifactor Authentication (MFA)?" (No specific page, general article)
Direct URL: https://www.cisco.com/c/en/us/products/security/what-is-multifactor-authentication-mfa.html
This source defines MFA as requiring two or more verification factors and lists "Knowledge
(something only the user knows)" and "Possession (something only the user has)" as
categories, aligning with options B and D.
2. Odom, W. (2019). CCNA 200-301 Official Cert Guide, Volume 1. Cisco Press.
Chapter 27, "Securing Network Devices," Section: "Passwords and Alternative
Authentication Methods."
This guide states: "Multifactor authentication (MFA) requires more than one type of
authentication. The types are often listed as follows: Something you know (for example, a
password) [and] Something you have (for example, a smart card or a token device that
generates a one-time password)." This supports "unique user knowledge" (B) and "soft
tokens" (D) as components of MFA.
3. National Institute of Standards and Technology (NIST). (2017). NIST Special Publication
800-63B: Digital Identity Guidelines: Authentication and Lifecycle Management.
Section 4, "Authentication Factors" (pp. 9-11).
Direct URL: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63b.pdf
This document defines authentication factors: "Something you know" (Section 4.1,
supporting option B) and "Something you have" (Section 4.2, of which soft tokens are an
example, supporting option D). MFA involves using factors from at least two of these
categories.
Question 13
Show Answer
A: If 203.0.113.1 (the static route's next hop) is unreachable, the static route is removed, not
installed.
C: Learning 203.0.113.1 via BGP merely provides recursive reachability; it does not trigger
installation while a lower-AD default still exists.
D: A change of next hop on the active eBGP default does not invalidate it; the route remains
preferred, so the static is still suppressed.
1. Cisco IOS IP Routing Configuration Guide, Administrative Distance explains that a route
with a higher AD becomes active only when lower-AD routes disappear.
https://www.cisco.com/c/en/us/support/docs/ip/enhanced-interior-gateway-routing-protocol-eigrp/47834-ad-admin-distance.html (see section Floating Static Routes).
2. Odom, W. CCNA 200-301 Official Cert Guide, Vol 1, ch. 18 Static and Default Routes, pp.
387-389 discussion of floating statics and their installation behavior.
Question 14
Show Answer
A: Integrity checks (like MIC) verify that data has not been altered during transmission,
which is a separate security service from encryption's primary goal of confidentiality.
B: Encryption primarily ensures data confidentiality, not the detection or prevention of zero-
day attacks, which exploit unknown vulnerabilities in software or hardware.
D: Preventing unauthorized users from communicating is primarily the role of authentication
and access control mechanisms (e.g., WPA2-PSK, 802.1X), not encryption itself.
1. Odom, W. (2019). CCNA 200-301 Official Cert Guide, Volume 1. Cisco Press. Chapter
13: Implementing Wireless LANs, Section: "Wireless LAN Security," Sub-section:
"Confidentiality with Encryption Protocols." (Specifically, "Wireless LANs use encryption to
encode the data so that if it is intercepted, the data cannot be interpreted (confidentiality).")
2. Cisco. (2018). Wireless LAN Security Overview. Cisco Design Guide. Retrieved from
https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Mobility/emob41dg/emob41dg-wrapper/ch2Secu.html (Section: "Confidentiality," "Encryption is the process of scrambling
data so that it cannot be read by anyone other than the intended recipient.")
3. Cisco. (2023). End-to-End Security with WPA2. Cisco Technical Document. Retrieved
from https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/200540-End-to-End-Security-with-WPA2.html (Defines encryption as: "The process of encoding
information to make it unreadable to unauthorized parties. In Wi-Fi, encryption protects the
confidentiality of data transmitted over the air.")
Question 15
Show Answer
A: Off-site syslog backup is a data-protection/continuity control, not a facility access
restriction.
B: Console-port passwords protect logical device access, not physical entry to
infrastructure.
C: Enable passwords secure privileged EXEC mode, again a logical access control, not a
physical one.
1. NIST Special Publication 800-53 Rev. 5, PE-6 Monitoring Physical Access, pp. 290-291.
https://doi.org/10.6028/NIST.SP.800-53r5
2. Cisco Systems, Physical Security IP Video Surveillance Design Guide, v2.5, Section 1.1
Role of Video Surveillance, 2013.
https://www.cisco.com/c/en/us/td/docs/solutions/Verticals/PhysicalSecurity/IPVS/IPVS25/IPVSdg.html
Question 16
Show Answer
B: to leverage a weighting scheme to provide uninterrupted service
C: to detect link failures without the overhead of Bidirectional Forwarding Detection
D: to hand over to end users the autodiscovery of virtual gateways
Cisco Systems, Inc. (2023). IP Routing: HSRP Configuration Guide, Cisco IOS XE
Cupertino 17.9.x (Catalyst 9300 Switches) - VRRP Overview. "VRRP enables a group of
routers to form a single virtual router. The LAN clients can then be configured with the
virtual router as their default gateway... VRRP is an IETF standard (RFC 5798) protocol..."
URL: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproutehsrp/configuration/xe-17-9/irxe-17-9-book/vrrp-overview.html (Specifically, the "VRRP Overview" section).
Hinden, R., & Deering, S. (2010). RFC 5798: Virtual Router Redundancy Protocol (VRRP)
Version 3 for IPv4 and IPv6. IETF. "VRRP specifies an election protocol that dynamically
assigns responsibility for a virtual router to one of the VRRP routers on a LAN. The VRRP
router controlling the IPv4 or IPv6 address(es) associated with a virtual router is called the
Master, and it forwards packets sent to these IPv4 or IPv6 addresses." (Section 1:
Introduction).
URL: https://datatracker.ietf.org/doc/html/rfc5798
Cisco Systems, Inc. (2023). IP Routing: HSRP Configuration Guide, Cisco IOS XE
Cupertino 17.9.x (Catalyst 9300 Switches) - GLBP Overview. "GLBP provides automatic
router backup for IP hosts configured with a single default gateway on a LAN... GLBP
performs a similar, but not identical, function for the user as the HSRP and the VRRP.
HSRP and VRRP protocols elect one member as the active router to forward packets to the
virtual router address. The other members in the group are redundant until the active router
fails. Another HSRP and VRRP limitation is that the routers in the group do not share the
traffic load." (This highlights how GLBP differs, particularly with weighting for load balancing,
which VRRP does not use).
Question 17
Show Answer
A: The /16 prefix matches but is not the longest prefix; /25 is more specific.
B: A default gateway (0.0.0.0/0) is a last resort, used only if no other specific route matches.
C: The /24 prefix matches but is not the longest prefix; /25 is more specific.
1. Kurose, J. F., & Ross, K. W. (2021). Computer Networking: A Top-Down Approach (8th
ed.). Pearson. (Chapter 4, Section 4.3.2, The Forwarding Table, subsection "Longest prefix
matching").
Relevant quote: "When there are multiple matches, the router uses the longest prefix
matching rule; that is, it finds the longest matching entry in the table and forwards the
packet to the link interface associated with the longest prefix match."
2. Cisco. (n.d.). IP Routing: Protocol-Independent Configuration Guide, Cisco IOS XE
Gibraltar 16.12.x - Overview of IP Routing. Retrieved from
Relevant quote from section "Information About IP Routing": "The router selects a path by
finding the routing table entry that has the longest prefix match with the destination IP
address of the packet to be forwarded."
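Added worked example (not part of the original answer explanations): the prefix-length to dotted-decimal conversions behind Question 4 and the longest-prefix-match selection behind Questions 8 and 17, done with Python's standard `ipaddress` module. The routing table below is constructed for illustration and its next-hop names are placeholders; it is deliberately unordered so that the selected route comes from prefix length, not table position.

```python
import ipaddress


def prefix_to_mask(prefix_len: int) -> str:
    """Dotted-decimal mask for an IPv4 /N prefix length (e.g. 29 -> 255.255.255.248)."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("IPv4 prefix length must be between 0 and 32")
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").netmask)


def mask_to_prefix(mask: str) -> int:
    """Prefix length for a contiguous dotted-decimal mask (e.g. 255.255.248.0 -> 21).

    A malformed or non-contiguous mask raises ValueError, which is the correct
    outcome for an option such as the truncated '255.255.248.' in Question 4.
    """
    return ipaddress.IPv4Network(f"0.0.0.0/{mask}").prefixlen


def longest_prefix_match(table, destination):
    """Return (prefix, next_hop) of the most specific entry containing destination.

    Returns None when nothing matches, which can only happen if the table has no
    default route (0.0.0.0/0), since the default route contains every address.
    """
    dst = ipaddress.IPv4Address(destination)
    best_net, best_hop = None, None
    for prefix, next_hop in table:
        net = ipaddress.IPv4Network(prefix, strict=False)
        # A longer prefix (larger prefixlen) wins over any shorter match.
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, next_hop
    return None if best_net is None else (str(best_net), best_hop)


# Constructed routing table with placeholder next hops (not from the page).
ROUTING_TABLE = [
    ("10.56.0.0/16", "via R_a"),
    ("0.0.0.0/0", "via R_isp"),        # gateway of last resort
    ("10.56.1.128/25", "via R_c"),
    ("10.56.1.0/24", "via R_b"),
    ("10.56.1.200/32", "via R_host"),  # host route overriding the /24, as in Question 8
]

if __name__ == "__main__":
    for n in (25, 28, 29):
        print(f"/{n} = {prefix_to_mask(n)}")
    for dst in ("10.56.1.200", "10.56.1.150", "10.56.1.5", "10.56.9.9", "198.51.100.1"):
        print(dst, "->", longest_prefix_match(ROUTING_TABLE, dst))
```

Running the block shows 10.56.1.150 choosing the /25 over the /24 and /16 that also contain it, and 10.56.1.200 choosing the /32 host route, which is the behaviour the references above describe; only 198.51.100.1, matched by no specific entry, falls through to the default route.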
Question 18
Show Answer
A. dynamic auto still negotiates trunks; no MAC binding or maximum statement; does not
meet exclusivity requirement.
B. nonegotiate stops DTP frames but default mode may remain dynamic auto; lacks explicit
access mode and specific MAC, so any first device could learn.
D. dynamic desirable actively forms trunks (violates no-tagging rule) and combines mutually
exclusive static and sticky MAC commands.
1. Cisco Catalyst 2960-X Switch Security Configuration Guide, Configuring Port Security,
Example 5-2 (switchport mode access + port-security + mac-address)
hapter0110.html
2. Cisco IOS 15 Configuration Guide, LAN Switching About Dynamic Trunking Protocol
(DTP) shows dynamic auto/desirable negotiate trunks, not suitable for host ports.
https://www.cisco.com/c/en/us/td/docs/routers/access/800/820/software/configuration/guide/
15-5/b820SCG155/b820SCG155chapter0100011.html
Question 19
Show Answer
A: This describes "measured service," where resource usage is monitored, controlled, and
reported, providing transparency for both the provider and consumer.
C: This describes "resource pooling," where the provider's computing resources are pooled
to serve multiple consumers using a multi-tenant model.
D: This describes "on-demand self-service," where a consumer can unilaterally provision
computing capabilities as needed automatically without requiring human interaction with the
service provider.
National Institute of Standards and Technology (NIST). (September 2011). The NIST
Definition of Cloud Computing (Special Publication 800-145). Page 2. "Rapid elasticity.
Capabilities can be elastically provisioned and released, in some cases automatically, to
scale rapidly outward and inward commensurate with demand." Direct URL:
https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-145.pdf
Odom, W. (2020). CCNA 200-301 Official Cert Guide, Volume 2. Cisco Press. Chapter 23,
"Cloud Architecture," Section "Cloud Service Models and Common Cloud Terminology,"
subsection "Key Cloud Characteristics." "Rapid elasticity: The cloud can be scaled quickly,
easily, and often automatically."
Cisco. (2020). Understanding Cloud Computing. "Key Characteristics of Cloud Computing."
While specific page numbers vary by document version, Cisco documentation consistently
aligns with NIST definitions for cloud characteristics like rapid elasticity, emphasizing the
ability to scale resources dynamically. (General reference to Cisco's cloud fundamentals
documentation, which typically reiterates NIST definitions).
Question 20
Show Answer
A: Reduce the risk of a network security breach: While using private addresses with
Network Address Translation (NAT) can provide some obscurity, it is not a primary security
mechanism and not the main reason for private addressing.
B: Comply with PCI regulations: PCI DSS compliance involves various security measures;
private addressing itself is not a direct mandate, though it can be part of a compliant
network design.
C: Comply with local law: IP addressing standards are typically governed by global or
regional internet registries and standards bodies (like IETF), not local laws mandating
private addressing.
RFC 1918: Address Allocation for Private Internets:
Section 3: "If a suitable subset of the IP address space is reserved for private use, it is not
visible from the global Internet... Routers in networks not using private address space,
especially those of Internet service providers, are expected to be configured to reject (filter
out) routing information about private networks." This implies these routes do not populate
Internet router tables.
URL: https://datatracker.ietf.org/doc/html/rfc1918
Cisco Press, CCNA 200-301 Official Cert Guide, Volume 1, by Wendell Odom:
Chapter 14, "Fundamentals of IP Addressing and Routing," section "Private IPv4
Addresses": "The main benefit of private addressing is that it conserves public IPv4
addresses." and "routers on the internet are not allowed to forward packets that use private
IPv4 addresses." The conservation and non-routability directly contribute to manageable
global routing tables. (Specific page numbers vary by edition, but this concept is
fundamental to the private addressing discussion).
Kurose, J. F., & Ross, K. W. (2021). Computer Networking: A Top-Down Approach (8th ed.).
Pearson.
Chapter 4, Section 4.4.2 "The Internet's Network Layer": Discusses how private IP
addresses and NAT help alleviate IPv4 address exhaustion. The non-globally-routable
nature of private IPs means they don't add to the global routing table burden. (e.g., p. 367-
369 in 7th edition, similar content in 8th).
Question 21
Show Answer
A: to rate-limit messages for different severity levels from each device
C: to identify the source from which each syslog message originated
D: to control the number of syslog messages from different devices that are stored locally
1. Cisco IOS Configuration Guide - System Message Logging:
Source: Cisco, "Basic System Management Configuration Guide, Cisco IOS Release
15M&T" - Chapter: "System Message Logging".
Details: The section "Logging Severity Levels" states: "Logging severity levels enable you to
select the type of syslog messages to be displayed on the console or sent to a remote
syslog server." The logging trap level command is described as: "To limit messages logged
to the syslog servers to messages with a severity level at or numerically lower than the
specified level." This directly supports that configuring levels is about setting the severity
threshold for messages.
URL (example for a specific IOS version, concept is general): Cisco IOS Basic System
Management Configuration Guide - System Message Logging (Refer to sections on
"Logging Severity Levels" and "Configuring Message Logging to a Syslog Server").
2. Cisco IOS XE System Message Logging Configuration Guide:
Source: Cisco, "System Message Logging Configuration Guide, Cisco IOS XE Cupertino
17.9.x" - Chapter: "Configuring System Message Logging".
Details: The guide explains: "You can control the types of messages that are sent to the
syslog server by specifying a severity level. All messages at that severity level and higher
(numerically lower) are sent." This reinforces that the purpose of configuring levels is to filter
messages based on their severity.
URL: Cisco IOS XE System Message Logging Configuration Guide (Refer to "Information
About System Message Logging" -> "Severity Levels").
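Added example (not from the original explanations or from Cisco): a small Python emulation of the threshold behaviour that both guides quoted above describe for `logging trap`, run over constructed Cisco-IOS-style syslog lines. The log lines, hostnames and addresses below are constructed for illustration; the `%OSPF-7-DEBUG` mnemonic is hypothetical and stands in for any debug-level message.

```python
import re

# Cisco IOS severity numbers: lower number = more severe.
SEVERITY_NAMES = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}

# Message header as it appears in IOS output: %FACILITY-SEVERITY-MNEMONIC: text
MSG_RE = re.compile(r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):")


def parse_message(line: str):
    """Extract facility, numeric severity and mnemonic; None if no IOS header is present."""
    m = MSG_RE.search(line)
    if m is None:
        return None
    return {
        "facility": m.group("facility"),
        "severity": int(m.group("severity")),
        "mnemonic": m.group("mnemonic"),
    }


def apply_trap_level(lines, trap_level: int):
    """Emulate 'logging trap <level>': keep messages whose severity is at or
    numerically lower than the threshold (i.e. at least that severe).
    Lines without a parsable header are dropped rather than guessed at."""
    if not 0 <= trap_level <= 7:
        raise ValueError("severity level must be 0..7")
    kept = []
    for line in lines:
        msg = parse_message(line)
        if msg is not None and msg["severity"] <= trap_level:
            kept.append(line)
    return kept


# Constructed sample log (documentation addresses; not captured from a real device).
SAMPLE_LOG = [
    "*Mar  1 00:01:02.111: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "*Mar  1 00:01:03.222: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down",
    "*Mar  1 00:02:10.333: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.7] [localport: 22] [Reason: Login Authentication Failed]",
    "*Mar  1 00:02:11.444: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.0.2.50 started - CLI initiated",
    "*Mar  1 00:03:00.555: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.0.2.7)",
    "*Mar  1 00:03:01.666: %OSPF-7-DEBUG: hypothetical debug-level line (constructed)",
]

if __name__ == "__main__":
    for level in (4, 6):
        print(f"logging trap {SEVERITY_NAMES[level]} ({level}) sends {len(apply_trap_level(SAMPLE_LOG, level))} of {len(SAMPLE_LOG)} lines")
```

The threshold is a detection decision as much as a volume one: at `logging trap warnings` (4) the failed-SSH-login message (severity 4) still reaches the collector, but the `%SYS-5-CONFIG_I` configuration-change message (severity 5) is silently dropped, so a collector that is expected to audit configuration changes needs at least level 5.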
Question 22
Show Answer
B: It increases the potential for MAC address flooding. This is incorrect. MAC address
learning reduces flooding for known unicast frames by allowing targeted forwarding.
C: It is disabled by default on all interfaces connected to trunks. This is incorrect. MAC
address learning is active and essential on trunk ports to learn MAC addresses from
devices in different VLANs.
D: It increases security on the management VLAN. This is incorrect. MAC address learning
itself is a forwarding mechanism, not a security feature. While features like port security
utilize MAC addresses, learning alone doesn't inherently increase security.
Cisco Systems, Inc. (2023). Catalyst 9300 Series Switches, Cisco IOS XE Bengaluru 17.6.x
(Programmable Switches) - Configuring MAC Addresses. "MAC address learning is enabled
by default on all VLANs and interfaces."
Direct URL: (A specific URL for this exact phrase in the latest 17.6.x guide can be hard to
pinpoint without direct access to the full, versioned documentation portal structure at the
time of query, but this is a standard statement in Cisco switch configuration guides). A
general reference:
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9300/software/release/176/configurationguide/lyr2/b176lyr29300cg/configuringmacaddresses.html (Search for "MAC
address learning is enabled by default").
Odom, W. (2019). CCNA 200-301 Official Cert Guide, Volume 1. Cisco Press. Chapter 2,
"Fundamentals of Ethernet LANs," section "Building the MAC Address Table: MAC
Learning." (States that the process is automatic and enabled by default).
Cisco Learning Network. CCNA Study Material - Switching Concepts. (Often states that
MAC address learning is enabled by default on all switch ports and for all VLANs).
(Within the CCNA learning path, switching fundamentals sections).
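Added example (not part of the original explanations): a Python model of the learning and forwarding behaviour that Questions 2 and 22 both rest on. Source MACs are learned on ingress, known unicast is sent out one port, unknown unicast and group addresses are flooded out every port except the ingress port, and a frame whose destination is on the same port it arrived from is filtered. Port names and the 00:00:5E:00:53:xx MAC addresses are constructed (the latter is the IANA documentation range).

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_group_address(mac: str) -> bool:
    """Group bit: least-significant bit of the first octet (covers broadcast and multicast)."""
    return int(mac.split(":")[0], 16) & 1 == 1


class LearningSwitch:
    """Minimal transparent bridge: one MAC table, no VLANs, no aging."""

    def __init__(self, ports):
        self.ports = frozenset(ports)
        self.mac_table = {}  # source MAC -> port it was last seen on

    def receive(self, in_port, src_mac, dst_mac):
        """Process one frame and return the set of ports it is forwarded out of."""
        if in_port not in self.ports:
            raise ValueError(f"unknown port {in_port}")
        src, dst = src_mac.lower(), dst_mac.lower()

        # Learning: bind the source MAC to the ingress port. A MAC that shows up on
        # another port simply overwrites the entry (a station move).
        self.mac_table[src] = in_port

        all_others = set(self.ports - {in_port})
        if is_group_address(dst):      # broadcast / multicast: always flooded
            return all_others
        out_port = self.mac_table.get(dst)
        if out_port is None:           # unknown unicast: flooded (Question 2)
            return all_others
        if out_port == in_port:        # destination is on the ingress segment: filtered
            return set()
        return {out_port}              # known unicast: forwarded out exactly one port


if __name__ == "__main__":
    sw = LearningSwitch(["Gi1/0/1", "Gi1/0/2", "Gi1/0/3"])
    a, b = "00:00:5e:00:53:0a", "00:00:5e:00:53:0b"
    print("A->B (B unknown):", sorted(sw.receive("Gi1/0/1", a, b)))
    print("B->A (A learned):", sorted(sw.receive("Gi1/0/2", b, a)))
    print("A->B (B learned):", sorted(sw.receive("Gi1/0/1", a, b)))
    print("table:", sw.mac_table)
```

The first frame is flooded only because the table has no entry for B; once B has sent anything, the same A-to-B frame goes out a single port. This is why learning reduces flooding rather than increasing it (Question 22, option B), and why an attacker-filled or exhausted table, which the page's port-security questions address, matters: every destination the switch cannot learn is treated as unknown unicast.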
Question 23
Show Answer
B: control: Control frames (e.g., RTS, CTS, ACK) are used for coordinating access to the
wireless medium and ensuring reliable data delivery, not for association.
C: action: Action frames are a subtype of management frames used for extended
management capabilities, but Association Response is a distinct, fundamental management
frame type.
D: protected frame: This term describes the security status (e.g., encryption) of a frame,
typically a data frame, not its fundamental 802.11 type classification.
IEEE Std 802.11-2020 (Revision of IEEE Std 802.11-2016): "IEEE Standard for
Information Technology--Telecommunications and Information Exchange Between Systems
Local and Metropolitan Area Networks--Specific Requirements Part 11: Wireless LAN
Medium Access Control (MAC) and Physical Layer (PHY) Specifications."
Section 9.2.4, "Frame types," describes the three general frame types: Control, Data, and
Management.
Section 9.3.3, "Management frames," and Table 9-26, "Management frame subtype values,"
explicitly list "Association response" as a Management frame (Subtype value 0001). (Page
1010, Table 9-26)
Cisco Press, CCNA 200-301 Official Cert Guide, Volume 1, by Wendell Odom:
Chapter 17: Wireless LANs, section "802.11 MAC and Frame Types." This section typically
details that management frames include beacons, probes, authentication, and association
frames. (Specific page numbers vary by edition, but this content is standard). For example,
in one edition, this is discussed around page 470-472, where management frames are
defined to include Association Request/Response.
Question 24
Show Answer
A: Even if syntactically corrected (e.g., ::FF1F:1014:1011/96), this address falls within the
0000::/8 reserved range (RFC 4291), which is not for general unicast assignment on
interfaces.
C: This option contains invalid characters (e.g., ';', 'j') and spaces, and does not conform to
valid IPv6 address syntax.
E: This option contains invalid characters (e.g., 'W', 'l', ')') and does not conform to valid
IPv6 address syntax. The FF02:: prefix indicates a link-local multicast address.
RFC 4291: IP Version 6 Addressing Architecture:
Section 2.5.4 (Global Unicast Addresses): Defines 2000::/3 as GUAs. 2001::/16 falls into
this.
(URL: https://datatracker.ietf.org/doc/html/rfc4291#section-2.5.4)
Section 2.5.1 (Reserved Addresses): Defines 0000::/8 as reserved.
(URL: https://datatracker.ietf.org/doc/html/rfc4291#section-2.5.1)
Section 2.7 (Multicast Addresses): Defines FF00::/8. FF02:: is link-local scope.
(URL: https://datatracker.ietf.org/doc/html/rfc4291#section-2.7)
RFC 3056: Connection of IPv6 Domains via IPv4 Clouds (6to4):
Section 2 (6to4 address format): Defines the 2002::/16 prefix for 6to4, stating these are
global unicast IPv6 addresses.
(URL: https://datatracker.ietf.org/doc/html/rfc3056#section-2)
Cisco Press, "CCNA 200-301 Official Cert Guide, Volume 1" (1st Edition by Wendell Odom):
Chapter 15, "Implementing IPv6 Addressing on Routers," p. 438: "Global unicast addresses
are addresses that are globally unique and routable on the IPv6 Internet."
Chapter 15, p. 443: Shows examples of configuring GUAs (e.g., 2001:DB8:1:1::1/64) on
router interfaces.
Chapter 15, p. 440: "IPv6 standards suggest that all IPv6 subnets should use a /64 prefix
length."
Cisco IOS XE IPv6 Configuration Guide (e.g., Cisco IOS XE Bengaluru 17.6.x): "IPv6
Addressing and Basic Connectivity Configuration Guide" - "Configuring IPv6 Addressing
and Basic Connectivity" section. (General principle, specific URL varies by exact IOS
version but content is consistent).
Example: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6/configuration/15-mt/ip6-15mt-book/ip6-addrg-basic-conn.html (Illustrates GUA configuration on interfaces).
Question 25
A: Null0: This interface is associated with the 10.56.0.0/16 route. While the destination IP
matches this network, its prefix (/16) is shorter than /26, making it less specific and
therefore not the chosen route.
C: Vlan60: This interface is associated with the 10.56.0.0/24 route. Although its prefix (/24)
is longer than /16 and /17, it is shorter than /26. The longest match rule dictates the /26
route must be used.
D: Vlan59: This interface is associated with the 10.56.0.0/17 route. The destination IP
matches this network, but its prefix (/17) is not the longest match available in the routing
table.
Cisco Systems, Inc., "Route Selection in Cisco Routers," Document ID: 8651. This
document explains the routing decision process, stating, "If multiple routes exist to the same
destination, the router has to decide which route to use. The router does this by first
comparing the prefix lengths of the routes and choosing the one with the longest prefix
length."
IETF RFC 1812, "Requirements for IP Version 4 Routers," June 1995. Section 5.2.4.3,
"Forwarding Algorithm," specifies the procedure for forwarding an IP datagram. It states,
"The Forwarding algorithm is to find the 'best match' or 'longest prefix match' route for the
packet's destination IP address in the router's conceptual forwarding table."
URL: https://datatracker.ietf.org/doc/html/rfc1812#section-5.2.4.3
MIT OpenCourseWare, "6.033 Computer System Engineering - Spring 2018," Lecture 12:
Naming III (Routing). The lecture notes describe the IP forwarding logic: "Find the entry in
the forwarding table with the longest prefix that matches the destination address. Forward
the packet to the corresponding next hop."
URL: https://ocw.mit.edu/courses/6-033-computer-system-engineering-spring2018/resources/mit6_033s18_lec12/ (Specifically, PDF slide 17).
Question 26
A: DHCP relay agents forward DHCP requests to a DHCP server; they do not assign DNS
locally. The DHCP server provides DNS information.
B: An interface can be configured with multiple ip helper-address commands to forward
DHCP requests to multiple DHCP servers for redundancy or load distribution.
C: MAC-to-IP reservations are configured on the DHCP server, not determined or enforced
by the relay agent to identify a client's subnet.
For D & E (General Relay Agent Function and Configuration):
Cisco, "IP Addressing: DHCP Configuration Guide, Cisco IOS XE Release 3S - Configuring
DHCP Services," Section: DHCP Relay Agent. "A DHCP relay agent is any host that
forwards DHCP packets between clients and servers. Relay agents are used to forward
requests and replies between clients and servers when they are not on the same physical
subnet." and "To enable the DHCP relay agent on an interface, you configure the IP
address of the DHCP server on the interface on which DHCP requests arrive."
URL: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddrdhcp/configuration/xe3s/dhcp-xe-3s-book/dhcp-relay-agent.html (Specifically, the "DHCP Relay Agent" and "How
to Configure the DHCP Relay Agent" sections).
For why B is incorrect (Multiple Helper Addresses):
Cisco, "IP Addressing: DHCP Configuration Guide, Cisco IOS XE Release 3S - Configuring
DHCP Services," Section: How to Configure the DHCP Relay Agent. The documentation
implicitly supports multiple helper addresses by allowing the command to be entered
multiple times or by noting its function to forward to a specified server. More explicitly, older
guides like "Cisco IOS IP Addressing Services Configuration Guide, Release 15M&T" state:
"You can configure multiple helper addresses on an interface."
URL: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddrdhcp/configuration/15mt/dhcp-15-mt-book/dhcp-relay-agent.html (See "Configuring the DHCP Relay Agent"
section).
For why A and C are incorrect (Relay Agent vs. Server Roles):
Kurose, J. F., & Ross, K. W. (2021). Computer Networking: A Top-Down Approach (8th ed.).
Pearson. Chapter 4, Section 4.4.2 "The Dynamic Host Configuration Protocol (DHCP)". This
section describes the roles of DHCP clients, servers, and relay agents, clarifying that the
server handles IP address assignment, DNS information, and reservations, while the relay
agent forwards messages. (Specific page numbers vary by edition, but the DHCP section
clearly delineates these roles).
Question 27
A: FTP relies on TCP for reliable data transfer and error control; TFTP (Trivial File Transfer
Protocol) uses block numbers for sequencing and acknowledging data packets.
B: FTP supports user authentication through username and password credentials.
Anonymous FTP is a specific mode but does not mean FTP always operates without
authentication.
C: FTP uses TCP ports (21 for control, 20 or a dynamic port for data). UDP port 69 is the
well-known port for TFTP, not FTP.
1. Postel, J., & Reynolds, J. (1985). File Transfer Protocol (FTP). RFC 959. IETF.
For Correct Answer D (two connections): Sections 2.3 ("ESTABLISHING CONNECTIONS")
and 3 ("DATA TRANSFER FUNCTIONS").
For Incorrect Option B (authentication): Section 4.1 ("USER Command (USER)",
"PASSWORD Command (PASS)").
For Incorrect Option C (ports/protocol): Section 3.1 ("FTP Commands and Replies" -
specifies TCP port 21).
Direct URL: https://datatracker.ietf.org/doc/html/rfc959
2. Odom, W. (2019). CCNA 200-301 Official Cert Guide, Volume 1. Cisco Press.
For Correct Answer D (two connections): Chapter 3, "Fundamentals of TCP/IP Transport
and Applications," section "Common TCP/IP Applications," subsection "File Transfer
Protocol (FTP)" (explains the control and data connections).
For Incorrect Option B (authentication): Ibid. (discusses FTP authentication).
For Incorrect Option C (ports/protocol): Ibid. (details FTP's use of TCP ports 20 and 21).
3. Sollins, K. (1992). The TFTP Protocol (Revision 2). RFC 1350. IETF.
For Incorrect Option A (block numbers): Section 2 ("Overview of the Protocol" - describes
TFTP's use of block numbers).
For Incorrect Option C (UDP port 69): Section 2 ("Overview of the Protocol" - states TFTP
uses UDP) and IANA port assignments confirm UDP port 69 for TFTP.
Direct URL: https://datatracker.ietf.org/doc/html/rfc1350
Question 28
B: Loopback0: The routing table does not show any route for the destination 172.18.32.38
that would use Loopback0 as the outgoing interface.
C: 10.1.1.1: This is the next-hop IP address for the default route (S 0.0.0.0/0). A more
specific route (172.18.32.0/23) exists and is preferred.
D: 10.1.1.3: This is the next-hop IP address for the network 172.18.36.0/23, which does not
include the destination IP address 172.18.32.38.
1. Cisco Systems, "IP Routing: Route Selection in Cisco Routers." This document explains
the route selection process, including longest prefix match and administrative distance.
Specific section: "How a Cisco Router Selects the Best Route" or similar sections detailing
the longest match rule.
URL (General routing principles from Cisco):
https://www.cisco.com/c/en/us/support/docs/ip/enhanced-interior-gateway-routing-protocoleigrp/8651-21.html (While EIGRP specific, it covers general Cisco routing behavior like
longest match). A more general reference for IP routing fundamentals would be from Cisco
Press or foundational networking texts.
2. Cisco Press, "CCNA 200-301 Official Cert Guide, Volume 1" by Wendell Odom.
Specific chapter/section: Chapter 12: IP Routing, "The IP Routing Process" and "The IP
Routing Table." These sections detail how routers use the routing table, the longest prefix
match rule, and how directly connected routes are processed. For directly connected
networks, the router sends the packet out the listed interface.
3. Cisco IOS IP Routing: Protocol-Independent Command Reference, "show ip route"
command.
Specific section: Description of the show ip route output, explaining codes like 'C'
(Connected) and 'L' (Local), and how to interpret entries for directly connected networks.
URL (Example): https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproutepi/command/iri-crbook/iri-s1.html#wp1970079158 (This link describes show ip route and its output fields).
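Both routing answers above (Questions 25 and 28) turn on the longest-prefix-match rule. The following Python is an added worked example, not material from the exam, from Cisco, or from any of the references cited: it builds two small routing tables modelled on the entries quoted in those answers (the interface names the page does not give, for the 10.56.0.0/26 route and the connected 172.18.32.0/23 route, are hypothetical placeholders) and selects the route a Cisco router would choose, ranking candidates by prefix length first and using administrative distance only to break a tie between equal-length prefixes.

```python
from ipaddress import ip_address, ip_network

# Constructed routing tables modelled on the two answers above. Each entry is
# (prefix, next hop or outgoing interface, administrative distance). Values the
# page does not give are hypothetical placeholders.
ROUTES_Q25 = [
    ("10.56.0.0/16", "Null0", 1),
    ("10.56.0.0/17", "Vlan59", 0),
    ("10.56.0.0/24", "Vlan60", 0),
    ("10.56.0.0/26", "VlanX (hypothetical interface name)", 0),
]

ROUTES_Q28 = [
    ("0.0.0.0/0", "10.1.1.1", 1),                         # S 0.0.0.0/0, static default
    ("172.18.36.0/23", "10.1.1.3", 1),
    ("172.18.32.0/23", "connected (interface placeholder)", 0),
]


def longest_prefix_match(routes, destination):
    """Return (prefix, via) for the most specific route covering destination.

    Candidates are ranked by prefix length (longer wins) and then, only when
    prefix lengths tie, by administrative distance (lower wins). Returns None
    when no route covers the address and no default route exists.
    """
    dst = ip_address(destination)
    best = None
    for prefix, via, ad in routes:
        net = ip_network(prefix, strict=False)
        if dst not in net:
            continue
        key = (net.prefixlen, -ad)          # longer prefix first, then lower AD
        if best is None or key > best[0]:
            best = (key, prefix, via)
    return None if best is None else (best[1], best[2])


def explain(routes, destination):
    """One-line trace: every route that covers the address and the winner."""
    dst = ip_address(destination)
    matches = [p for p, _, _ in routes if dst in ip_network(p, strict=False)]
    return f"{destination}: matches {matches}; chosen {longest_prefix_match(routes, destination)}"


if __name__ == "__main__":
    print(explain(ROUTES_Q25, "10.56.0.10"))    # constructed host inside 10.56.0.0/26
    print(explain(ROUTES_Q28, "172.18.32.38"))  # the Question 28 destination
    print(explain(ROUTES_Q28, "172.18.40.5"))   # covered only by the default route
```

Note that three of the Question 25 routes cover any host in 10.56.0.0/26; the function reports all of them but returns only the /26, which is the point the answer makes about Null0, Vlan59 and Vlan60.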
Question 29
A: config sessions maxsessions 0: This command controls the maximum number of
concurrent management user sessions (like Telnet/SSH), not the timeout for a serial
session.
B: config sessions timeout 0: This command configures the timeout for general
management user sessions (e.g., Telnet, SSH, HTTP/HTTPS), not specifically for serial
console sessions.
D: config serial timeout 9600: This command sets a specific, finite timeout duration (9600
minutes) for the serial session, rather than preventing the timeout altogether as a value of 0
does.
Cisco Wireless LAN Controller Command Reference, Release 8.10:
For config serial timeout: "To configure the timeout for idle serial console sessions, use the
config serial timeout command. To disable the timeout, enter 0."
URL: https://www.cisco.com/c/en/us/td/docs/wireless/controller/command/reference/810/bcr810/commandsc.html#wp1900831111 (Navigate to or search for config serial timeout
within the document).
For config session timeout: "To configure the timeout for idle management user sessions,
use the config session timeout command. To disable the session timeout, enter 0."
URL: https://www.cisco.com/c/en/us/td/docs/wireless/controller/command/reference/810/bcr810/commandsc.html#wp2000081111 (Navigate to or search for config session
timeout within the document).
Cisco Wireless LAN Controller Configuration Guide, Release 8.5:
Chapter: Configuring Controller Settings > Configuring General Controller Parameters >
Configuring Serial Port Parameters: "You can configure the timeout for idle serial console
sessions by entering this command: config serial timeout minutes ... Enter 0 to disable the
timeout."
URL: https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-5/configguide/bcg85/configuringcontrollersettings.html#ID2039 (Section: Configuring Serial Port
Parameters)
Question 30
A: WPA2-Enterprise already utilized 802.1X. WPA3-Enterprise continues this, adding
enhancements like mandatory Protected Management Frames (PMF), but SAE (related to
option D) is a more fundamentally new WPA3 enhancement.
B: TKIP is an outdated and insecure encryption protocol associated with WPA and
deprecated in WPA2. WPA3 mandates the use of stronger AES-CCMP encryption.
C: While Public Key Infrastructure (PKI) can be part of WPA3-Enterprise solutions (e.g.,
with EAP-TLS), it's not a universal WPA3 enhancement for AP identification across all
modes, nor a defining feature of WPA3 itself.
1. Cisco. (n.d.). Wi-Fi Protected Access 3 (WPA3) Deployment Guide. Cisco. Retrieved from
https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/88/WPA3DeploymentGuide.html (See sections "WPA3-Personal" and "Simultaneous
Authentication of Equals (SAE)" which state: "SAE is a secure key establishment protocol
between devices. It is resistant to offline dictionary attacks...").
2. Odom, W. (2020). CCNA 200-301 Official Cert Guide, Volume 1. Cisco Press. (Chapter
12: Wireless LAN Security, section "WPA3 Security": "WPA3-Personal leverages
Simultaneous Authentication of Equals (SAE)...SAE is a secure key establishment protocol
that is more resistant to offline dictionary attacks than WPA2-PSK.").
3. Wi-Fi Alliance. (n.d.). Security: WPA3. Retrieved from https://www.wi-fi.org/discover-wifi/security (States WPA3-Personal offers "more resilient password-based
authentication...even when users choose passwords that fall short of typical complexity
recommendations" and "increased protection from password guessing attempts").
Question 31
A: The APs must be connected to the switch with multiple links in LAG mode: LAG is for
bandwidth aggregation or redundancy, not a primary requirement for VLAN differentiation
on FlexConnect APs.
B: The switch port mode must be set to trunk: While true and essential, if only one answer
is allowed and C is considered more specific to the AP's management connectivity (a
common point of failure), C might be prioritized. However, B is a fundamental prerequisite. If
multiple selections were allowed, B would also be correct.
D: IEEE 802.10 trunking must be disabled on the switch port: IEEE 802.10 is an old security
standard, not relevant to modern VLAN trunking, which uses IEEE 802.1Q.
1. Cisco Press - CCNA 200-301 Official Cert Guide, Volume 1, Wendell Odom:
Chapter 13: Wireless LAN Concepts, Section: "AP Management and Data VLANs". States:
"To support this, the switch port connected to an AP is typically configured as an 802.1Q
trunk. The AP's management IP address will exist on one specific VLAN, which should be
configured as the native VLAN on the trunk." This supports both B and C.
2. Cisco, “FlexConnect Deployment Guide,” Switch Port Configuration section: “If client
traffic is locally switched to a VLAN other than the AP management VLAN, the switch port
must be configured as an 802.1Q trunk.”
https://www.cisco.com/c/en/us/support/docs/wireless-mobility/aironet/116637-flexconnectap.html
3. Cisco Catalyst 9800 Configuration Guide, Release 17.9, “Configure FlexConnect” – note
on AP switch-port requirements for multiple VLANs (https://www.cisco.com/go/c9800-config
> Wireless > FlexConnect).
Question 32
A. Places the interface in area 2; if R1 is in area 0 the area mismatch still prevents an
adjacency.
B. Default hello interval on broadcast links is already 10 s; setting it again does not fix a
neighbor failure.
C. Default dead interval is already 40 s; matching values already exist, so this change is
irrelevant.
1. Cisco Systems, IP Routing: OSPF Configuration Guide, IOS 15.2, "Configuring the OSPF
Router ID," sec. Duplicate Router IDs.
2. RFC 2328: OSPF Version 2, J. Moy, §7.1 The Router ID; §10.5 Neighbor state
machine, Two-way state (DuplicateRouterId event).
Question 33
A: Cable-pair usage is determined by PoE standard (mode A/B), not by auto vs. static
power settings.
C: Both modes can use default or user-configured wattage limits; this is not unique to auto
mode.
D: Power policing (monitoring actual draw) is enabled with the separate power inline police
command; it is not automatically tied to the auto setting.
1. Cisco Catalyst 3850 Switch Software Configuration Guide, Release 3.x, Configuring PoE
power inline {auto | static}, sec. 10.1
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/3se/consolidatedguide/bconsolidated38503secg/bconsolidated38503secgchapter0100101.html
2. Cisco IOS Command Reference, Catalyst 2960, power inline static / auto, pages 115-
116.
Question 34
A: LAG: Link Aggregation Group (LAG) bundles multiple physical ports for increased
bandwidth/redundancy; the logical port still needs to be configured as access or trunk.
B: EtherChannel: This is Cisco's proprietary term for LAG. It describes link bundling, not the
VLAN handling mode of the port.
D: access: An access port carries traffic for only a single VLAN, which is insufficient when
an AP needs to map two or more VLANs.
Cisco Press. (2019). CCNA 200-301 Official Cert Guide, Volume 1. Cisco Press.
Chapter 10: Implementing Ethernet Virtual LANs. Specifically, the sections discussing VLAN
trunks: "A VLAN trunk is a point-to-point link between two network devices that carries more
than one VLAN. [...] VLAN trunks are useful for connections between two switches, between
a switch and a router, and between a switch and a server or access point that needs to
support multiple VLANs." (Content paraphrased for conciseness, concept directly
supported).
Cisco. (2018). VLANs on Aironet Access Points Configuration Example. Cisco Community.
Available at: https://www.cisco.com/c/en/us/support/docs/wireless/aironet-1200series/68062-VLAN-Aironet.html (Though an older document, the fundamental concept for
autonomous APs and VLANs remains valid).
The document states: "When you configure VLANs on an autonomous access point, you
must also configure the switch port, to which the AP connects, for a VLAN trunk." This
directly supports the need for a trunk port.
IEEE Std 802.1Q-2018. (2018). IEEE Standard for Local and metropolitan area
networks--Bridges and Bridged Networks. IEEE Standards Association.
Section 6.7 "VLAN-aware Bridges" and Section 8.4 "Frame formats for tagged frames"
describe the mechanism by which tagged frames (used on trunk ports) carry VLAN
information. This standard underpins how trunk ports operate to carry multiple VLANs.
(Available through IEEE Xplore).
Question 35
Configuration with ip ospf priority 100 and protocol 88: This is incorrect because the OSPF
priority of 100 allows the router to participate in DR elections, and the access list filters for
the wrong protocol (88 is EIGRP, not OSPF).
Configuration with ip ospf priority 0 and protocol 88: This is incorrect because the access list
filters for the wrong protocol (88, EIGRP). While the OSPF priority is set correctly, the router
would block all OSPF Hello packets, preventing any adjacency from forming.
Configuration with ip ospf priority 100 and protocol 89: This is incorrect because the OSPF
priority is set to 100, which violates the requirement that the router never participate in DR
elections. The access list is correct, but the priority setting is wrong.
Cisco Systems, Inc., "IP Routing: OSPF Command Reference - ip ospf priority," Cisco IOS
IP Routing: OSPF Command Reference. This document confirms that setting the OSPF
priority to 0 prevents a router from becoming a DR or BDR.
Reference: See the description of the ip ospf priority command.
Cisco Systems, Inc., "IP Routing: OSPF Command Reference - router-id," Cisco IOS IP
Routing: OSPF Command Reference. This source specifies that the router-id command
manually configures the OSPF router ID for a routing process.
Reference: See the usage guidelines for the router-id command.
Cisco Systems, Inc., "IP Addressing: Services Command Reference - ip access-group,"
Cisco IOS IP Addressing Services Command Reference. This guide details how ip access-
group applies an IP access list to an interface to filter packets.
Reference: See the command description for ip access-group.
Internet Assigned Numbers Authority (IANA), "Protocol Numbers". The official registry
maintained by IANA lists 89 as the protocol number for "Open Shortest Path First."
URL: https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml
Reference: See the entry for Protocol Number 89.
Question 36
A: one - This is incorrect because it only counts the single, outermost root object and
ignores all eight of the nested objects.
B: four - This count is incorrect. It may result from an arbitrary counting method, perhaps
only counting the named objects (aaaUser, aaaUserDomain, aaaUserRole) and the root
object, which is not how JSON objects are defined.
C: seven - This count is also incorrect and does not align with the standard definition of a
JSON object as applied to the provided hierarchical structure.
IETF RFC 8259: The standard for JSON. Section 4, "JSON Values," defines an object as a
structure beginning with { (left brace) and ending with } (right brace). This standard validates
counting each {...} block as a distinct object.
Source: Internet Engineering Task Force (IETF).
URL: https://www.rfc-editor.org/rfc/rfc8259.html#section-4
Specific Reference: Section 4, "JSON Values".
Cisco DevNet Documentation: Cisco's official developer documentation consistently uses
and refers to the standard JSON format. The "Working with JSON" guide reinforces the
standard object structure.
Source: Cisco Systems, Inc.
URL: https://developer.cisco.com/docs/ios-xe/guides/working-with-json/
Specific Reference: The section "What is JSON?" describes objects as collections of
key/value pairs enclosed in curly braces.
Introduction to Computer Science and Programming in Python (MIT OpenCourseWare):
University courseware materials on data structures confirm that in JSON, each pair of curly
braces {} defines a distinct dictionary-like object, which can be nested.
Source: Massachusetts Institute of Technology (MIT).
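Counting JSON objects the way the RFC 8259 definition cited above implies, as an added Python example that is not part of this page or of the exam: the nested user/domain/role document below is constructed for illustration and is not the exam's exhibit, so its count of nine (one root plus eight nested objects) only happens to mirror the explanation. The parser-based count treats every `{...}`, including those sitting inside arrays, as one object; a naive count of `{` characters overcounts as soon as a string value contains a brace, which is why the parser, not a regex, should do the counting.

```python
import json

# Constructed sample document (not the exam's exhibit). The "descr" value
# deliberately contains braces so that naive character counting is wrong.
SAMPLE = """
{
  "imdata": [
    {
      "aaaUser": {
        "attributes": {"name": "admin", "descr": "use {braces} carefully"},
        "children": [
          {
            "aaaUserDomain": {
              "children": [
                {
                  "aaaUserRole": {
                    "attributes": {"name": "admin", "privType": "writePriv"}
                  }
                }
              ]
            }
          }
        ]
      }
    }
  ]
}
"""


def count_objects(value):
    """Count every JSON object in a parsed document.

    A dict counts as one object plus whatever objects its values contain; a list
    contributes the objects of its elements; scalars contribute nothing.
    """
    if isinstance(value, dict):
        return 1 + sum(count_objects(v) for v in value.values())
    if isinstance(value, list):
        return sum(count_objects(v) for v in value)
    return 0


def count_objects_in_text(text):
    """Parse first, then count: this is the RFC 8259 definition applied literally."""
    return count_objects(json.loads(text))


def naive_brace_count(text):
    """What you get by counting '{' characters: wrong whenever a string holds a brace."""
    return text.count("{")


if __name__ == "__main__":
    print("parsed objects:", count_objects_in_text(SAMPLE))   # 9
    print("raw '{' count: ", naive_brace_count(SAMPLE))       # 10, overcounts
```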
Question 37
B: It passes unicast communication between hosts in a network. This describes the function
of network infrastructure devices like switches or routers, not an endpoint itself.
C: It transmits broadcast traffic between devices in the same VLAN. This is a function of a
network switch, which manages and forwards traffic within a VLAN, including broadcasts.
D: It provides security between trusted and untrusted sections of the network. This
describes the role of a firewall or a similar security appliance, not a general endpoint.
1. Kurose, J. F., & Ross, K. W. (2021). Computer Networking: A Top-Down Approach (8th
ed.). Pearson.
Chapter 1, Section 1.2.1 "The Network Edge": "End systems are also referred to as hosts
because they host (run) application programs such as a Web browser or Web server
program, or an e-mail client program or an e-mail server program." This supports that
endpoints (end systems/hosts) run applications used to access network services.
2. Cisco. (n.d.). What Is an Endpoint? Cisco. Retrieved from
https://www.cisco.com/c/en/us/products/security/what-is-an-endpoint.html
"An endpoint is a remote computing device that communicates back and forth with a
network to which it is connected." This general definition aligns with devices users employ
to access network services.
3. IBM. (2023, November 13). What are endpoints? IBM Technology. Retrieved from
https://www.ibm.com/topics/endpoints
"Endpoints are physical devices that connect to and exchange information with a computer
network. Some examples of endpoints are mobile devices, desktop computers, virtual
machines, embedded devices, and servers." User-operated devices like mobile devices and
desktops are used to access network services.
Question 38
A: Uncheck the Guest User check box: This action relates to disabling guest access, not to
the session duration for users authenticated via Local EAP.
B: Check the Guest User Role check box: This action relates to enabling and configuring a
specific role for guest users, not the session duration for primary Local EAP users.
D: Clear the Lifetime (seconds) value: Clearing the value is ambiguous; it might revert to a
system default which could be a finite time, not guaranteeing unlimited access.
1. Cisco Wireless LAN Controller Configuration Guide, Release 8.5 - Configuring Local EAP
(Chapter: Configuring Security Solutions): "User Session Timeout: Enter the user session
timeout value in seconds. The valid range is from 0 to 86400 seconds. If you enter 0, the
session never times out."
Source: Cisco Official Documentation. (A specific URL would be to the guide, e.g., on
Cisco.com, but the content is standard across WLC configuration guides for relevant
releases). For example: https://www.cisco.com/c/en/us/td/docs/wireless/controller/85/config-guide/bcg85/configuringsecuritysolutions.html (Search for "User Session Timeout"
under Local EAP section).
2. Cisco Wireless LAN Controller Configuration Guide, Release 8.10 - Configuring Local
EAP (Chapter: Configuring Security Solutions): This guide also confirms the behavior: "User
Session Timeout ... Enter the user session timeout value in seconds. The valid range is
from 0 to 86400 seconds. If you enter 0, the session never times out."
Source: Cisco Official Documentation.
https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-10/configguide/bcg810/configuringsecuritysolutions.html (Section: Configuring Local EAP > Local
EAP General Parameters).
3. General Principle in Network Device Configuration: Many networking systems adopt the
convention where a timeout value of '0' signifies an infinite or unlimited duration. This is a
common design pattern for such parameters. (This principle is widely reflected in vendor
documentation across the industry, including Cisco).
Question 39
A. Makes VLAN 10 the native VLAN, breaking current VLAN 2 connectivity to the non-trunk-
capable switch.
B. Interface is put in access mode; trunk-specific commands are syntactically invalid on an
access port.
C. Same syntax problem as B and additionally sets native VLAN 10, disrupting existing
hosts.
1. Cisco IOS XE switchport Command Reference section switchport mode and switchport
trunk native vlan: https://www.cisco.com/c/en/us/td/docs/iosxml/ios/lanswitch/command/lsw-s2.html#GUIDE3A65;
2. Cisco Networking Academy, LAN Switching and Wireless v7, Ch. 3, pp. 134-138:
explanation of 802.1Q trunks, native VLAN behaviour, and switchport trunk allowed vlan.
Question 40
A. Enables 802.1X, which invokes RADIUS authentication; this contradicts the "password
instead of RADIUS" requirement.
B. Uses legacy WPA (TKIP) and CCKM, both unnecessary for simple PSK and less secure
than WPA2.
C. Adds WPA and 802.11r Fast Transition; neither is requested, introducing unneeded
complexity and weaker WPA (TKIP) support.
1. Cisco Wireless Controller Configuration Guide, Release 8.5, "Configuring WPA2 with
Pre-Shared Keys," steps 2-4. https://www.cisco.com/c/en/us/td/docs/wireless/controller/85/config-guide/bcg85/wlansecurity.html#id95271
2. Cisco Wireless Controller Configuration Guide, Release 8.5, "Protected Management
Frames (PMF)" (default disabled).
Question 41
A: Subnet Mask: The subnet mask 255.255.255.248 corresponds to a /29 prefix. This
correctly defines the network 10.2.2.0/29, which includes both the PC's address (10.2.2.2)
and the default gateway (10.2.2.1). This setting is correct.
C: Default Gateway: The default gateway is the router's IP address (10.2.2.1) on the local
network segment. It is correctly configured and is essential for routing traffic to external
networks like the internet. This setting is correct.
D: DHCP Server: The 0.0.0.0 address for the DHCP Server indicates that the PC's IP
address was configured statically, not assigned automatically by a DHCP server. This is a
valid configuration method and not the cause of the connectivity failure.
Microsoft Corporation. (2021). TCP/IP fundamentals for Windows. Microsoft Learn. In the
"Name resolution" section, it is stated: "For TCP/IP to work, you need an IP address for the
destination host. [...] Windows is a TCP/IP client, and it uses DNS name resolution services
to locate hosts and services via their names." This establishes the necessity of DNS.
Section: "Name resolution"
Cisco. (2024). IP Addressing and Subnetting for New Users. In the section "How Does a
Host Forward Traffic?", it explains that traffic destined for a different network is sent to the
default gateway. However, before this can happen, name resolution must occur if a
hostname is used. The guide implicitly separates the functions of DNS (name-to-address
mapping) and the gateway (forwarding).
URL: https://www.cisco.com/c/en/us/support/docs/ip/routing-information-protocol-rip/137883.html
Section: "Name Resolution" and "How Does a Host Forward Traffic?"
IETF RFC 5735. (2010). Special Use IPv4 Addresses. IETF. Section 3 defines 0.0.0.0/8 as
the block for "'This host on this network'". The address 0.0.0.0 is specified as a source
address for a host during its own IP address acquisition (e.g., DHCP). It is not a valid
address for a destination server, such as a DNS server.
URL: https://doi.org/10.17487/RFC5735
Section: 3. "Special-Use IPv4 Addresses"
Question 42
A: Pool overlap with static entries is not shown; translation simply will not occur until the
ACL-to-pool binding is configured.
B: The outside interface is normally declared earlier with ip nat outside; exhibit shows only
the ACL/pool portion still missing.
C: No evidence indicates the access list is incorrect, only that it has not yet been associated
with the pool.
1. Cisco IOS 15.x IP Addressing: NAT Configuration Guide, Dynamic NAT with Pools, steps
1-4 (see step 4: ip nat inside source list ... pool ...). https://www.cisco.com/c/en/us/td/docs/iosxml/ios/ipaddrnat/configuration/15-mt/nat-15-mt-book/iadnat-dyn.html
2. Cisco Networking Academy CCNA v7 Courseware, Module NAT for IPv4, section
Configure Dynamic NAT.
Question 43
A. 192.168.32.97/27 sits in the fourth subnet (192.168.32.96/27) and is not the last usable
of the first subnet.
B. /28 mask supports only 14 hosts; 192.168.32.65/28 doesn't meet the 30-host
requirement and keeps the port in Layer-2 mode.
D. /28 mask again allows only 14 hosts; 192.168.32.62/28 is in the fourth /28 subnet and
keeps the port in Layer-2 mode.
1. Cisco Systems, IP Addressing and Subnetting for New Users, section "Creating
Subnetworks", 2023.
https://www.cisco.com/c/en/us/support/docs/ip/routing-information-protocol-rip/13788-3.html
2. Cisco Catalyst 9000 Interface and Hardware Component Configuration Guide, Chapter
Configuring Layer 3 Interfaces, commands "no switchport" and "ip address".
3. Cisco Networking Academy, CCNA v7, 5.6 - Subnetting IPv4 Networks, pp. 5-6 (host
calculation and subnet increments).
https://skillsforall.com/course/ccna-module-5 (free courseware access).
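The host-count and subnet-position arithmetic behind the Question 43 explanation, as an added Python example that is not part of this page, the exam, or the cited courseware. It assumes the constructed base block 192.168.32.0/24 and a 30-host requirement, and shows why /28 is too small, which /27 subnet 192.168.32.97 falls in, and the last usable address of the first /27 subnet; it also generalizes to carving any base block into equal subnets sized for a given host count.

```python
from ipaddress import ip_network


def usable_hosts(prefix):
    """Usable IPv4 host addresses in a /prefix (network and broadcast excluded)."""
    return 2 ** (32 - prefix) - 2


def prefix_for_hosts(hosts):
    """Longest (most frugal) IPv4 prefix length that still offers `hosts` usable addresses."""
    for prefix in range(30, -1, -1):        # /31 and /32 have no usable hosts here
        if usable_hosts(prefix) >= hosts:
            return prefix
    raise ValueError(f"{hosts} hosts do not fit in a single IPv4 network")


def subnet_index(address, base_network, prefix):
    """1-based position of the /prefix subnet holding `address`, counting up from base_network."""
    base = ip_network(base_network, strict=False)
    sub = ip_network(f"{address}/{prefix}", strict=False)   # strict=False keeps the network address
    if not sub.subnet_of(base):
        raise ValueError(f"{sub} is not inside {base}")
    block = 2 ** (32 - prefix)                               # subnet increment in addresses
    return (int(sub.network_address) - int(base.network_address)) // block + 1


def last_usable(network):
    """Highest assignable host address in the network (broadcast minus one)."""
    net = ip_network(network, strict=False)
    return str(net.broadcast_address - 1)


def plan_subnets(base_network, hosts):
    """Carve base_network into equal subnets sized for `hosts`.

    Returns one (subnet, first usable, last usable) tuple per subnet, in order.
    """
    base = ip_network(base_network, strict=False)
    prefix = prefix_for_hosts(hosts)
    return [
        (str(sub), str(sub.network_address + 1), str(sub.broadcast_address - 1))
        for sub in base.subnets(new_prefix=prefix)
    ]


if __name__ == "__main__":
    # Constructed scenario: 30 hosts per subnet out of 192.168.32.0/24
    print("prefix for 30 hosts: /%d" % prefix_for_hosts(30))            # /27
    print("/28 usable hosts:", usable_hosts(28))                         # 14, too few
    print("192.168.32.97 is in /27 subnet #",
          subnet_index("192.168.32.97", "192.168.32.0/24", 27))         # 4
    for row in plan_subnets("192.168.32.0/24", 30):
        print(row)
```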
Question 44
A: Cable defects cause link errors or port-down events, not unknown-MAC conditions, so
no frame flooding is triggered.
C: A single aged MAC entry is merely relearned; it does not create broad flooding unless
the entire table was flushed (covered by B).
D: Port-security restricts learning or forwards only trusted MACs; it drops or shuts the port, it
does not induce switch-wide flooding.
1. Cisco Systems, Understanding and Configuring Unicast Flooding, Doc ID 17053,
section "Causes of Unknown Unicast Flooding," lists STP topology changes and CAM table
overflow as primary causes. https://www.cisco.com/c/en/us/support/docs/bridgebridging/17053-46.html
2. Cisco Press, CCNP SWITCH 300-115 Official Cert Guide, Ch. 3, Layer-2 Switching:
unknown-unicast flooding triggered by CAM flush after STP TCN and by CAM table
overflow (ISBN 9780133859726, pp. 90-92).
/561
Question 45
Show Answer
A: R1(config)#ip route 10.10.10.0 255.255.255.0 192.168.0.2 - This configures a route to
the 10.10.10.0/24 network, not a specific host route to 10.10.10.10.
C: R1(config)#ip route 192.168.0.2 255.255.255.255 10.10.10.10 - This configures a host
route to 192.168.0.2, not to the server at 10.10.10.10. The destination and next hop are
swapped relative to the stated goal.
D: R1(config)#ip route 0.0.0.0 0.0.0.0 192.168.0.2 - This configures a default route, which is
not a specific host route to the server 10.10.10.10.
1. Cisco Systems, "IP Routing: Protocol-Independent Configuration Guide, Cisco IOS XE
Release 3S - Configuring Static Routes". Available:
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproutepi/configuration/xe-3s/iproute-pixe-3s-book/iri-cfg-static-routes.html (Specifically, the section on "Static Routes" and the
syntax ip route prefix mask {ip-address | interface-type interface-number [ip-address]}). A
host route uses a mask of 255.255.255.255.
2. Cisco Systems, "Configuring a Gateway of Last Resort Using IP Commands". Available:
https://www.cisco.com/c/en/us/support/docs/ip/routing-information-protocol-rip/13740defaultroute.html (This document explains default routes, differentiating them from specific
static/host routes).
3. Stallings, W. (2016). Data and Computer Communications (10th ed.). Pearson Education.
(Chapter 19 or similar sections on IP Routing cover static, host, and default routes).
(General academic reference for routing principles).
Question 46
Show Answer
A: Lightweight with local switching disabled: This configuration (central switching) tunnels
all client traffic to the controller, violating the local termination requirement.
B: Local with AP fallback enabled: "Local" mode APs tunnel all traffic to the controller. AP
fallback refers to controller redundancy, not local traffic termination or full AP survivability at
the branch.
C: OfficeExtend with high availability disabled: OfficeExtend APs are primarily for
teleworkers, tunneling traffic to the corporate network, not for general branch office local
switching and survivability.
Cisco Wireless LAN Controller Configuration Guide, Release 8.5 - FlexConnect:
"FlexConnect is a wireless solution for branch office and remote office deployments. It
enables you to configure and control access points in a branch or remote office from the
corporate office through a wide area network (WAN) link... When the access point is
connected to the controller, it can also send traffic to the local network (local switching)."
(Specific section: FlexConnect Overview).
URL: (A general search for "Cisco WLC Configuration Guide FlexConnect" will lead to the
relevant version, e.g., on Cisco.com. Example structure:
https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-5/configguide/bcg85/flexconnect.html)
Cisco Catalyst 9800 Series Wireless Controller Software Configuration Guide - FlexConnect
Configuration: "FlexConnect APs can switch data traffic locally and perform client
authentication locally when the connection to the controller is lost. When they are connected
to the controller, they can also send traffic back to the controller." (Chapter: Configuring
FlexConnect, Section: Information About FlexConnect).
URL: (Search for "Cisco Catalyst 9800 FlexConnect Configuration Guide" on Cisco.com.
Example structure: https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/173/config-guide/bwl173cg/flexconnect.html)
Understanding FlexConnect - Cisco Community: While a community forum, official Cisco
employee responses often clarify concepts. "FlexConnect APs can locally switch traffic if
configured to do so. This means that data traffic from clients associated to a FlexConnect
AP on a locally switched WLAN will be bridged onto the local VLAN at the AP." (This aligns
with official documentation).
Note: For formal citation, stick to official guides. This is for conceptual understanding.
Cisco OfficeExtend Access Points Deployment Guide: "Cisco OfficeExtend access points
(OEAPs) provide secure communications from a teleworker's home environment to the
corporate network." This highlights its primary use case, distinct from a branch office
requiring local switching for all clients.
URL: (Search for "Cisco OfficeExtend Access Points Deployment Guide" on Cisco.com.
Example structure:
https://www.cisco.com/c/en/us/td/docs/wireless/accesspoint/oeap/600/deployment/guide/oeap600deployguide.html)
Question 47
Show Answer
B. SW(config-if)#switchport port-security mac-address 0010.7B84.45E6: This command
statically configures a MAC address, contradicting the requirement for dynamic learning.
D. SW(config-if)#switchport port-security violation shutdown: This is the default violation
mode and disables the interface, which is contrary to the requirement.
E. SW(config-if)#switchport port-security mac-address sticky: Sticky learning does learn MACs
dynamically, but it is a specific variant that also writes the learned MACs into the running
configuration. The requirement that "MAC addresses" (plural) be learned dynamically is met by
raising the maximum if the default of 1 is insufficient; basic (non-sticky) dynamic learning also
satisfies the "learned dynamically" criterion. Option C is the more fundamental choice if multiple
MACs are implied.
Cisco IOS Interface and Hardware Component Command Reference - switchport port-
security command:
"By default, port security is disabled on an interface... When port security is enabled, the
default maximum number of secure MAC addresses is 1. The default violation mode is
shutdown."
URL: (A general search for "Cisco IOS switchport port-security command reference" on
Cisco's official documentation site would lead to relevant documents for specific switch
models/IOS versions. For example, for Catalyst 9300 Series:)
Cisco Catalyst 9300 Series Switches Command Reference, IOS XE Bengaluru 17.6.x -
Interface and Hardware Component Commands: switchport port-security
switchport port-security maximum value: "To set the maximum number of secure MAC
addresses on the interface... The default is 1."
Question 48
Show Answer
A: Correct prefix/mask, but AD 115 is worse than OSPF (110); traffic could revert to an
OSPF path if one exists.
B: A /24 route would divert all 10.10.2.0/24 traffic, including 10.10.2.1, through R3, violating
the requirement.
C: Same issue as B; changing the AD does not fix the overly broad prefix.
1. Cisco IOS XE Command Reference: ip route syntax, host route with /32 mask, optional
distance parameter. https://www.cisco.com/c/en/us/td/docs/iosxml/ios/iproutestatic/configuration/xe-17/irs-xe-17-book/irs-overview.html (Section: Static
Route Syntax)
2. Cisco TAC, How Cisco Routers Choose the Best Route: longest-prefix match first, then
administrative distance. https://www.cisco.com/c/en/us/support/docs/ip/routing-informationprotocol-rip/13718-56.html (Section: Route Selection Process)
Question 49
Show Answer
A. Excessive collisions are the symptom seen in the counters, not the underlying
configuration fault that produces them.
C. Port oversubscription occurs on a switch backplane, not on a single router interface; it
does not create late collisions.
D. CRC error counters would be high if bad frames were received; the exhibit shows
collisions, not CRC errors.
1. Cisco Systems, Troubleshooting Ethernet Duplex and Speed Mismatches, Section
'Symptoms: Late Collisions', https://www.cisco.com/c/en/us/support/docs/switches/catalyst6500-series-switches/118240-technote-duplex-00.html
2. IEEE Std 802.3-2018, Clause 4.4.2, Late collision generation due to duplex mismatch,
pp. 53-54.
3. Cisco Press, CCNA 200-301 Official Cert Guide, Vol. 1, ch. 10 Interface Troubleshooting,
pp. 254-255 (duplex mismatch and collision counters).
Question 50
Show Answer
A: Kerberos: Primarily a network authentication protocol for client-server applications; while
it can authenticate administrators, it's less directly involved in the authorization aspects of
device configuration compared to TACACS+ or RADIUS.
B: 802.1Q: An IEEE standard for VLAN tagging in Ethernet networks, unrelated to
administrator authentication or configuration of access points.
C: 802.1X: An IEEE standard for port-based network access control, used to authenticate
users or devices connecting to the network via an access point, not for authenticating
administrators to the access point for management.
1. TACACS+ & RADIUS for Device Administration:
Cisco. (n.d.). TACACS+ and RADIUS Comparison. Cisco Technology White Paper.
"TACACS+ ... is commonly used for device administration... TACACS+ provides router
command authorization..." and "RADIUS combines authentication and authorization...
RADIUS is often the choice for remote access." (While the quote mentions remote access,
RADIUS is also used for device admin AAA).
Note: Specific Cisco whitepaper URLs can be volatile. The concept is widely documented in
Cisco's security and device administration guides. A general reference point: Cisco,
Securing User Services Configuration Guide, Cisco IOS XE Gibraltar 16.12.x - RADIUS.
Available from Cisco's official documentation site. (e.g.,
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/secusrrad/configuration/16-12/sec-usrrad-16-12-book/sec-usr-rad-overview.html - "RADIUS is a distributed client/server system
that secures networks against unauthorized access.")
Cisco. (n.d.). RADIUS Authentication, Authorization, and Accounting for Managing Cisco
Devices. Cisco Configuration Guide. (Illustrates RADIUS for device management).
Example from a Cisco guide: "You can use RADIUS for authentication, authorization, and
accounting (AAA) of users who manage Cisco devices." (Found in various Cisco IOS
configuration guides for AAA).
2. Kerberos:
Neuman, C., Yu, T., Hartman, S., & Raeburn, K. (2005). The Kerberos Network
Authentication Service (V5). RFC 4120. IETF. (Defines Kerberos primarily as an
authentication service).
URL: https://datatracker.ietf.org/doc/html/rfc4120 (Section 1: "Kerberos is a trusted third-
party authentication service.")
3. 802.1Q:
IEEE Std 802.1Q-2018. (2018). IEEE Standard for Local and Metropolitan Area
Networks: Bridges and Bridged Networks. IEEE Standards Association. (Defines VLANs).
URL: https://standards.ieee.org/standard/8021Q-2018.html (Abstract and scope describe
VLAN tagging and bridge operations).
4. 802.1X:
IEEE Std 802.1X-2020. (2020). IEEE Standard for Local and Metropolitan Area
Networks: Port-Based Network Access Control. IEEE Standards Association. (Defines port-
based NAC for authenticating clients).
URL: https://standards.ieee.org/standard/8021X-2020.html (Abstract and scope describe
authenticating and authorizing devices to attach to a LAN or WLAN).
Question 51
Show Answer
A: Both have a 62.5 micron core diameter. This core diameter is characteristic of older
multimode fibers like OM1 and some OM2, not OM3 or OM4.
C: Both have a 100 micron core diameter. This is not a standard core diameter for common
telecommunication-grade multimode fibers like OM3 or OM4.
D: Both have a 9 micron core diameter. This core diameter is characteristic of single-mode
fibers (e.g., OS1, OS2), not multimode fibers like OM3 or OM4.
1. Corning Incorporated. (2021). Corning® ClearCurve® OM3 Multimode Fiber Product
Information Sheet PI1370. Page 1. Retrieved from Corning's official website. (Specifies
"Core Diameter: 50 ± 2.5 µm").
2. Corning Incorporated. (2021). Corning® ClearCurve® OM4 Multimode Fiber Product
Information Sheet PI1381. Page 1. Retrieved from Corning's official website. (Specifies
"Core Diameter: 50 ± 2.5 µm").
3. IEC 60793-2-10:2019. Optical fibres - Part 2-10: Product specifications - Sectional
specification for category A1 multimode fibres. International Electrotechnical Commission.
(This standard defines the specifications for multimode fiber categories, including A1a.2 for
OM3 and A1a.3 for OM4, both having a 50 µm core diameter). Abstract available at
https://webstore.iec.ch/publication/60005.
4. Agrawal, G. P. (2010). Fiber-Optic Communication Systems (4th ed.). Wiley. Chapter 2,
Section 2.2 "Optical Fibers: Structures, Waveguiding, and Fabrication" discusses
fiber types and their core/cladding dimensions. (Standard academic textbook confirming
multimode fiber dimensions).
Question 52
Show Answer
B: This statement is incorrect; UDP does not reliably guarantee delivery, while TCP is
designed for reliable delivery and retransmits lost packets.
C: UDP does not inherently use flow control mechanisms; TCP employs both flow control
and congestion control.
D: UDP does not use sequencing to ensure packets arrive in order; TCP uses sequence
numbers for ordered delivery.
1. Kurose, J. F., & Ross, K. W. (2021). Computer Networking: A Top-Down Approach (8th
ed.). Pearson.
Regarding TCP acknowledgments and reliability: "TCP provides reliable data transfer. [...]
The sending and receiving TCP entities in the end systems exchange control information
about the segments they send and receive. This control information [which includes
acknowledgments] is used by the sender and receiver to implement a reliable data transfer
service." (Chapter 3.5, pp. 243-244). "A TCP sender retransmits a segment if it doesn't
receive an acknowledgment for the segment before a timeout event." (Chapter 3.5.4,
paraphrased, discussing reliable data transfer principles applied in TCP).
Regarding UDP's lack of acknowledgments: "UDP is an unreliable, connectionless protocol.
[...] UDP provides no acknowledgments, so the sender does not know whether a sent
segment has been received at the destination." (Chapter 3.3, pp. 229-231, paraphrased).
2. Postel, J. (1981). RFC 793: Transmission Control Protocol. Internet Engineering Task
Force (IETF).
Section 3.1 (Functional Specification - Basic Data Transfer): "TCP is able to transfer a
continuous stream of octets in each direction by packaging some number of octets into
segments for transmission through the internet system. In general, TCPs decide when to
block and forward data at their own convenience. [...] To achieve reliability, TCPs use
sequence numbers to track octets and acknowledgments to verify receipt."
3. Postel, J. (1980). RFC 768: User Datagram Protocol. Internet Engineering Task Force
(IETF).
Introduction: "This User Datagram Protocol (UDP) is defined to make available a datagram
mode of packet-switched computer communication in the environment of an interconnected
set of computer networks. This protocol assumes that the Internet Protocol (IP) is used as
the underlying protocol. This protocol provides a procedure for application programs to send
messages to other programs with a minimum of protocol mechanism. The protocol is
transaction oriented, and delivery and duplicate protection are not guaranteed." (This
highlights the lack of reliability mechanisms like acknowledgments).
Question 53
Show Answer
A: Omits the vlan keyword, so the MAC would be applied to the access VLAN, not the voice
VLAN.
C: Uses the sticky keyword, which tells the switch to learn the MAC dynamically rather than
configuring it manually.
D: Uses vlan voice; while syntactically valid, it is less precise than explicitly identifying
VLAN 4 as required.
1. Cisco Catalyst 2960/3560/3750 Switch Command Reference, switchport port-security
mac-address: the syntax shows vlan {access | voice | vlan-id}.
2. Cisco IOS Security Configuration Guide, Port Security chapter, explains manual vs. sticky
MAC address configuration. https://www.cisco.com/c/en/us/support/docs/security/iossecurity/17048-5.html
Question 54
Show Answer
A (Entry 1): While this route (192.168.10.0/23) contains the destination IP, its prefix is
shorter than those of Entry 2 and Entry 4. The longest match rule requires selecting the
most specific route.
B (Entry 2): This route (192.168.10.0/26) is a valid match but its prefix is shorter than Entry
4's prefix (/27). The router will prefer the more specific /27 route.
C (Entry 3): This entry (192.168.10.0 with mask 255.255.0.0) is not a valid match. Applying
the /16 mask to the destination IP 192.168.10.5 yields the network 192.168.0.0, which is
different from the network 192.168.10.0 specified in the entry.
IETF RFC 1812, "Requirements for IP Version 4 Routers":
Reference: Section 5.2.4.3, "Forwarding Algorithm".
Content: "When forwarding a datagram, a router MUST use the route in its routing table that
has the longest match with the datagram's destination IP address."
URL: https://datatracker.ietf.org/doc/html/rfc1812#section-5.2.4.3
Cisco Systems, "IP Routing: Protocol-Independent Configuration Guide, Cisco IOS XE
Gibraltar 16.11.x":
Reference: Chapter: "Configuring a Gateway of Last Resort Using IP Commands", Section:
"How a Router Selects a Route".
Content: "The router examines all routes in the table that match the destination address,
and if it finds more than one match, it uses the one with the longest prefix."
MIT OpenCourseWare, "6.02 Introduction to EECS II: Digital Communication Systems, Fall
2012":
Reference: Lecture 15 Notes, "Routing: How packets get from here to there".
Content: "What if an address matches more than one prefix? We use the longest prefix
match rule: the entry with the longest prefix that matches the destination address is the one
used."
URL: https://ocw.mit.edu/courses/6-02-introduction-to-eecs-ii-digital-communicationsystems-fall-2012/pages/lecture-notes/ (See Lecture 15 PDF)
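The longest-match rule explained above (Questions 54 and 57) and the subnet arithmetic behind Question 43 can be checked mechanically. The following Python is an added example, not part of the practice-test material or of any Cisco document; the routing-table entries and addresses are constructed from the explanation text, and the function names are assumptions of this example. It uses the same "AND the destination with the mask, compare with the configured network" test that the Entry 3 explanation applies, so a mis-aligned entry is rejected rather than silently canonicalised.

```python
import ipaddress

# Constructed routing table for the Question 54 walk-through: the four entries
# from the explanation as (name, network, dotted mask). Entry 3 is the
# mis-aligned one (192.168.10.0 with a /16 mask).
ROUTING_TABLE = [
    ("Entry 1", "192.168.10.0", "255.255.254.0"),    # /23
    ("Entry 2", "192.168.10.0", "255.255.255.192"),  # /26
    ("Entry 3", "192.168.10.0", "255.255.0.0"),      # /16, not aligned
    ("Entry 4", "192.168.10.0", "255.255.255.224"),  # /27
]


def network_of(ip: str, mask: str) -> str:
    """Bitwise-AND an address with a dotted mask and return the result."""
    addr = int(ipaddress.IPv4Address(ip))
    m = int(ipaddress.IPv4Address(mask))
    return str(ipaddress.IPv4Address(addr & m))


def prefix_length(mask: str) -> int:
    """Number of one bits in a dotted mask, e.g. 255.255.255.224 -> 27."""
    return bin(int(ipaddress.IPv4Address(mask))).count("1")


def entry_matches(network: str, mask: str, dst: str) -> bool:
    """An entry matches only if (dst AND mask) equals the entry's network
    address exactly; this is why Entry 3 does not match 192.168.10.5."""
    return network_of(dst, mask) == network


def matching_entries(table, dst: str):
    """Names of every table entry that covers dst, in table order."""
    return [name for name, net, mask in table if entry_matches(net, mask, dst)]


def longest_prefix_match(table, dst: str):
    """Return the (name, network, mask) entry with the longest mask among the
    matches, or None when nothing matches: the router then drops the packet;
    it neither queues nor floods it and never picks a non-matching prefix."""
    best = None
    for name, net, mask in table:
        if not entry_matches(net, mask, dst):
            continue
        if best is None or prefix_length(mask) > prefix_length(best[2]):
            best = (name, net, mask)
    return best


# Subnet arithmetic behind Question 43.

def usable_hosts(prefix_len: int) -> int:
    """Usable host addresses in an IPv4 subnet: 2^(32-n) minus network and broadcast."""
    return 2 ** (32 - prefix_len) - 2


def subnet_index(ip_with_prefix: str, base_network: str) -> int:
    """1-based position of the subnet containing ip when base_network is cut
    into equal blocks of the given prefix length."""
    iface = ipaddress.ip_interface(ip_with_prefix)
    base = ipaddress.ip_network(base_network)
    block = iface.network.num_addresses
    return (int(iface.ip) - int(base.network_address)) // block + 1


def last_usable(network: str) -> str:
    """Highest usable host address of a subnet (one below the broadcast)."""
    return str(ipaddress.ip_network(network).broadcast_address - 1)


if __name__ == "__main__":
    dst = "192.168.10.5"
    print("entries covering", dst, "->", matching_entries(ROUTING_TABLE, dst))
    print("selected ->", longest_prefix_match(ROUTING_TABLE, dst))
    print("10.0.0.1 ->", longest_prefix_match(ROUTING_TABLE, "10.0.0.1"))
    print("/27 hosts:", usable_hosts(27), " /28 hosts:", usable_hosts(28))
    print("192.168.32.97/27 is in /27 subnet number",
          subnet_index("192.168.32.97/27", "192.168.32.0/24"))
    print("last usable of the first /27:", last_usable("192.168.32.0/27"))
```

Running it shows Entry 1, Entry 2 and Entry 4 all covering 192.168.10.5, with Entry 4 (/27) selected, Entry 3 rejected, and a destination with no covering entry returning None, which is the drop behaviour the Question 57 explanation describes. The subnet helpers confirm the Question 43 figures: 30 usable hosts for /27 against 14 for /28, 192.168.32.97 in the fourth /27 block, and 192.168.32.30 as the last usable address of the first /27.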
Question 55
Show Answer
A: Software upgrades and file restoration are management plane tasks, not the primary
function of an SDN northbound API, which focuses on application-to-controller
communication.
B: While the SDN controller handles provisioning, the northbound API's function is to enable
applications to request these, not to "rely on" them as its defining characteristic.
C: Distributed processing for configuration describes a potential architectural feature of the
controller or system, not the specific function of the northbound API, which is an interface.
1. Kreutz, D., Ramos, F. M. V., Veríssimo, P. E., Rothenberg, C. E., Azodolmolky, S., &
Uhlig, S. (2015). Software-Defined Networking: A Comprehensive Survey. Proceedings of
the IEEE, 103(1), 14-76. (Specifically, Section III-A, "The Northbound Interface," p. 23: "The
northbound interface is used by applications to make their needs known to the controller.")
Direct URL (via IEEE Xplore): https://ieeexplore.ieee.org/document/6994383
2. Nunes, B. A. A., Mendonca, M., Nguyen, X. N., Obraczka, K., & Turletti, T. (2014). A
Survey of Software-Defined Networking: Past, Present, and Future of Programmable
Networks. ACM Computing Surveys, 46(4), Article 50. (Specifically, Section 2.1, "SDN
Architecture," p. 50:4: "The Northbound Interface (NBI) defines the communication channel
between SDN applications and the SDN controller.")
Direct URL (via ACM Digital Library): https://dl.acm.org/doi/10.1145/2650497
3. Open Networking Foundation (ONF). (n.d.). SDN Architecture Overview. (While ONF is
an industry consortium, its foundational documents on SDN architecture are widely
referenced in academic literature and define these concepts). The ONF architecture clearly
depicts the northbound API as the interface between the Network Applications and the SDN
Controller.
A representative document often cited is the "SDN Architecture Issue 1". While direct links
to specific versions can change, university courseware often refers to these foundational
concepts. For example, Stanford's CS244 course materials on SDN discuss this
architecture. (e.g., https://cs244.stanford.edu/ - specific lecture slides would detail this).
Question 56
Show Answer
A: northbound interface: Connects the SDN controller to higher-level applications and
services, not directly to programs on networking devices.
B: software virtual interface: An SVI is a logical Layer 3 interface on a switch used for inter-
VLAN routing, not for controller-device communication.
D: tunnel Interface: A logical interface for encapsulating traffic, not the primary interface for
controller-to-device program communication.
Stallings, W. (2016). Foundations of Modern Networking: SDN, NFV, QoE, IoT, and Cloud.
Pearson Education, Inc. (Chapter 5, Section 5.2 "SDN Architecture," describes southbound
interfaces as connecting the controller to network devices).
Nunes, B. A. A., Mendonca, M., Nguyen, X. N., Obraczka, K., & Turletti, T. (2014). A Survey
of Software-Defined Networking: Past, Present, and Future of Programmable Networks.
IEEE Communications Surveys & Tutorials, 16(3), 1617-1634. (Section III.A "SDN
Architecture" discusses southbound APIs for controller-switch communication). (Available
via IEEE Xplore)
Kreutz, D., Ramos, F. M. V., Veríssimo, P. E., Rothenberg, C. E., Azodolmolky, S., & Uhlig,
S. (2015). Software-Defined Networking: A Comprehensive Survey. Proceedings of the
IEEE, 103(1), 14-76. (Section III "THE SDN LANDSCAPE," subsection "Southbound APIs"
describes these as interfaces between the controller and network elements). (Available via
IEEE Xplore)
Question 57
Show Answer
A. Routers do not queue and wait for routes; they forward or drop based on the current
table.
B. Flooding applies to layer-2 switches (or some multicast processes), not to unicast IP
routing.
D. IOS never selects a similar but non-matching prefix; it must match exactly the longest
prefix that contains the destination.
1. Cisco Systems, IP Routing Fundamentals: CEF and Forwarding, IOS XE Release 17,
section Longest-Match Routing Decision.
https://www.cisco.com/c/en/us/support/docs/ip/routing-information-protocol-rip/13788-3.html
2. Doyle, J. & Carroll, J. Routing TCP/IP, Vol. 1 (2nd ed.), Addison-Wesley/Cisco Press,
2005, pp. 43-46 (Longest prefix match and drop behaviour).
Question 58
Show Answer
B: Switches learn source MAC addresses dynamically, not destination MACs, and don't
create static entries or shut down ports for unknown unicast frames.
C: The CAM table is updated with the source MAC address and the ingress port of received
frames, not the destination MAC address.
D: Switches do not modify the checksum to indicate an invalid frame for unknown
destinations; they forward the original frame or drop it if an error is detected.
Cisco. (n.d.). How a Switch Works. Cisco Networking Academy. (Content often derived from
official Cisco documentation and principles).
Specifically, the concept of "flooding" for unknown unicast frames: "If the destination MAC
address is not in the table, the switch forwards the frame out all ports except the port on
which it was received. This is called flooding." This behavior is VLAN-specific. (General
principle found in CCNA curriculum materials like CCNA Switching, Routing, and Wireless
Essentials Companion Guide, Chapter 2: Switching Concepts).
IEEE Std 802.1Q-2018. (2018). IEEE Standard for Local and Metropolitan Area
Networks: Bridges and Bridged Networks. IEEE Xplore.
Section 8.8.2 "Forwarding Process": Describes that if the filtering database (MAC address
table) lookup for the destination MAC address fails, the frame is flooded to all other bridge
ports that are in the forwarding state for that VLAN. (e.g., "If no entry is found for a unicast
address, the frame shall be flooded...")
Tanenbaum, A. S., & Wetherall, D. J. (2011). Computer Networks (5th ed.). Pearson
Education.
Chapter 4, Section 4.6.2 "Learning Bridges/Switches": "If the destination address is not in
the hash table, the bridge simply broadcasts the incoming frame on all the other lines."
(Switches are multi-port bridges).
Question 59
Show Answer
A: authorization: Authorization determines what an authenticated entity is permitted to do; it
does not prevent an attacker from intercepting the communication itself.
C: anti-replay: Anti-replay mechanisms prevent attackers from resending captured, valid
messages but do not directly prevent the interception and impersonation inherent in MitM
attacks.
D: accounting: Accounting tracks actions performed by users for auditing and accountability,
which is a detective control, not a primary preventative measure against MitM attacks.
1. Kurose, J. F., & Ross, K. W. (2021). Computer Networking: A Top-Down Approach (8th
ed.). Pearson. In Chapter 8.2, "Principles of Cryptography," and Chapter 8.3, "Message
Integrity and Digital Signatures," the concepts leading to secure communication are
discussed. Chapter 8.6.3, "SSL Handshake," explicitly details how server authentication
(and optionally client authentication) using certificates helps prevent MitM attacks. "The
server sends its certificate... The client then verifies the certificate... This part of the
handshake protocol is critically important, as it is where the client authenticates the server."
(Paraphrased from typical SSL/TLS handshake descriptions).
2. Stallings, W. (2017). Cryptography and Network Security: Principles and Practice (7th
ed.). Pearson. Chapter 17, "Transport-Level Security," discusses SSL/TLS, where
authentication of the server (and optionally the client) is a key feature to prevent MitM
attacks. "The SSL handshake protocol allows the server and client to authenticate each
other..."
3. National Institute of Standards and Technology (NIST). (2013). NIST Special Publication
800-52 Revision 1: Guidelines for the Selection, Configuration, and Use of Transport Layer
Security (TLS) Implementations. Section 3.3.1, "Server Authentication." "TLS server
authentication is essential for secure communication. It allows clients to verify the identity of
the server, which helps prevent man-in-the-middle attacks." (Direct URL:
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r1.pdf, Page 12).
Question 60
Show Answer
A: This route (AD 108, next-hop 10.10.10.10) is not present in the provided routing table
exhibit for the destination prefix 10.10.13.0/25.
B: This OSPF route (10.10.13.0/25 [110/2] via 10.10.10.2) has an AD of 110, which is higher
than the static route's AD (1), making it less preferred.
C: This specific OSPF route (10.10.13.0/25 [110/2] via 10.10.10.6) is not in the exhibit. The
OSPF route shown for this prefix is via 10.10.10.2.
Cisco Systems, "IP Routing: Protocol-Independent Configuration Guide, Cisco IOS XE
Cupertino 17.7.x" - Chapter: "Configuring Basic IP Addressing and Routing", Section:
"Information About Implementing Basic IP Addressing and Routing", Subsection: "Route
Selection". This document states that administrative distance is the first criterion for route
preference when multiple routes to the same prefix exist. (Direct URL:
Cisco Systems, "What Is Administrative Distance?" - This document explains that
"Administrative distance is the feature that routers use in order to select the best path when
there are two or more different routes to the same destination from two different routing
protocols." It also lists default AD values (Static=1, EIGRP (Internal)=90, OSPF=110,
RIP=120). (Direct URL: https://www.cisco.com/c/en/us/support/docs/ip/enhanced-interiorgateway-routing-protocol-eigrp/8651-21.html)