Skip to Content

Cisco Certified Network Associate 200-301 CCNA Exam Questions and Answers – Page 5

By: Author Alex Lim

Posted on  - Last updated:

Categories Exam

The latest Cisco Certified Network Associate 200-301 CCNA certification actual real practice exam question and answer (Q&A) dumps are available free, which are helpful for you to pass the Cisco Certified Network Associate 200-301 CCNA exam and earn Cisco Certified Network Associate 200-301 CCNA certification.

Exam Question 481

Which of the following are port roles in the Rapid Spanning Tree Protocol (RSTP)? (Choose three.)

A. Alternate
B. Listening
C. Routing
D. Designated
E. Backup
F. Blocking
G. Discarding

Correct Answer:
A. Alternate
D. Designated
E. Backup
Answer Description:
There are five port roles in RSTP:

  • Root port: the closest port to the root bridge in terms of path cost. There can be only one root port on each switch, and the root switch is the only switch in the network that does not have a root port.
  • Designated port: a forwarding port to the root bridge. All versions of STP require each network segment to have only one path toward the root bridge, to avoid bridging loops in redundantly connected environments. All bridges connected to a given segment listen to one another’s BPDUs and agree that the bridge that is sending the best BPDU is the designated bridge for the segment.
  • Alternate port: a blocking port that becomes the root port if the active root port fails.
  • Backup port: a blocking port that becomes the designated port if an existing designated port fails.
  • Disabled port: a disabled port has no role within the operation of spanning tree.
  • RSTP was designed to provide rapid convergence of the spanning tree in case of changes to the active topology, such as switch failure.

RSTP has the following similarities to STP:

  • RSTP elects the root switch using the same parameters as STP.
  • RSTP elects the root port using the same rules as STP.
  • Designated ports on each LAN segment are elected in RSTP in the same way as STP.

Listening is a port state, not a port role. Listening is the STP transitional state while a port is preparing to enter a root or designated role.

Blocking is a port state, not a port role. A blocking port is inactive in STP spanning tree, and blocking is not a port state in RSTP. In RSTP that port state is called discarding.

The routing port does not exist in the RSTP topology.

Discarding is an RSTP port state, not a port role.

Exam Question 482

Which two security features can be configured to prevent unauthorized access into the network through a networking device? (Choose two.)

A. Anti-Replay
B. Traffic filtering
C. Authentication
D. IPSec network security
Correct Answer:
B. Traffic filtering
C. Authentication
Answer Description:
Traffic filtering and authentication security can be configured to prevent unauthorized access into the network through a networking device. Unauthorized access to the company’s network should be blocked because unauthorized access can damage a company’s network. Attackers may access confidential data, plant a virus in the network, or flood the network with illegitimate packets. Therefore, preventive measures should be taken to block any unauthorized access.

The traffic filtering security feature uses two measures to prevent unauthorized access into the network: access lists and Cisco IOS firewalls.

Access lists are configured to determine which traffic to block and which traffic should be forwarded at the router interfaces. The following types of access lists are available when using Cisco devices:

  • Basic access lists: Allow only specific traffic through the device; other traffic is dropped.
  • Extended access lists: Used to filter the traffic based on source IP address, destination IP address, port numbers, or protocols.

Cisco IOS firewalls provide various security features according to your needs. Following are the key components of Cisco IOS firewall:

  • Context-based Access Control (CBAC): Filters TCP and UDP packets on the basis of application layer protocol session information.
  • Cisco IOS firewall Intrusion Detection System (IDS): Used to detect suspicious activity. IDS are used to watch packets and sessions as they flow through the router and scan then to match IDS signatures. If the packet is detected as suspicious, the packet is dropped.
  • Authentication Proxy: Used to apply specific security policies on a per-user basis.

Authentication security can be used to prevent unauthorized access to the network. When a user attempts to access a service or host within the network, they must enter credentials such as their user name and password. If the credentials are correct, then access is provided; otherwise, the user is not allowed to access the service.

Anti-replay and IPSec network security cannot prevent unauthorized access through a networking device into the network. Anti-replay prevents the capture and replay of packets on a network. Although a good security feature to deploy it does not specifically address access to the network through a device. IPSec is used to encrypt and protect the integrity of data that travels through the network, not control access through a device.

Exam Question 483

Which of the following IPV6 commands is used to define a static host name-to-address mapping in the host name cache?

A. ipv6 host
B. ipv6 unicast routing
C. ipv6 neighbor
D. ipv6 local
Correct Answer:
A. ipv6 host
Answer Description:
The ipv6 host command is used to define a static host name-to-address mapping in the host name cache, and is executed in global configuration mode.

The ipv6 unicast-routing command is used to enable IPv6 forwarding on a router.

There is no ipv6 local command. There is an ipv6 local pool command that can be used to define a prefix pool when using DHCPv6.

The ipv6 neighbor command is used to configure a static entry in the IPv6 neighbor discovery cache, which will enhance the neighbor discovery process that occurs with IPv6.

Exam Question 484

Which two statements are TRUE of synchronous serial ports? (Choose two.)

A. These ports can be used to provide leased-line or dial-up communications.
B. These ports do not support the High-Level Data Link Control (HDLC) encapsulation method.
C. An AUI connector is used with serial ports.
D. These ports can be used to configure high-speed lines (E1 or T1).
E. An RJ-45 connector is used with serial ports.
Correct Answer:
A. These ports can be used to provide leased-line or dial-up communications.
D. These ports can be used to configure high-speed lines (E1 or T1).
Answer Description:
Synchronous serial ports can be used to provide leased-line or dial-up communications, and these ports can be used to configure high-speed lines (E1 or T1). The following are also true of synchronous serial ports:

  • With the help of synchronous serial lines, dialers can be configured, which are then used to support dialon- demand routing.
  • These ports are found on several serial network interface processors and cards.

The option stating that synchronous serial ports cannot support High-Level Data Link Control (HDLC) encapsulation method is incorrect because HDLC is the default encapsulation method configured on serial interfaces.

The option stating that an AUI connector is used with serial ports is incorrect because AUI is a connector used with Ethernet ports.

The option stating that an RJ-45 connector is used with serial ports is incorrect because RJ-45 and RJ-48 connectors are used with ISDN BRI connections.

Exam Question 485

Which of the following commands is used to verify the link-local, global unicast, and multicast addresses of an IPv6 router?

A. show ipv6 neighbors (only link-local addresses)
B. show ipv6 route
C. show ipv6 protocols
D. show ipv6 interface
Correct Answer:
D. show ipv6 interface
Answer Description:
The show ipv6 interface command is used to verify the link-local, global unicast, and multicast addresses assigned to an IPv6-enabled router interface. The show ipv6 interface command displays information regarding that interface, such as the physical state, MTU, and IPv6 enable/disable state.

Here is the partial output of the show ipv6 interface command on an IPv6-enabled router named rtrA:

Here is the partial output of the show ipv6 interface command on an IPv6-enabled router named rtrA.

In the sample output, you can see that the Fa0/1 interface of rtrA has the link-local address FE80::6339:7BFF:FE5D:A031/64 and the global unicast address 2001:7067:90D1:1::1. The global unicast address is not in EUI-64 format because when the ipv6 address command was issued, the eui64 keyword was not used. If the EUI-64 format had been specified with the eui64 keyword, the global unicast address would have been 2001:7067:90D1:1:6339:7BFF:FE5D:A031.

An IPv6-enabled interface has not only a link-local and global unicast address, but also one or more multicast addresses. A multicast address is an IPv6 address that has the prefix FF00::/8. These addresses are assigned to interfaces of different nodes such that they appear as a logical group. This implies that when a packet is destined for a multicast address, that packet is delivered to all the interfaces that have the same multicast address. The various multicast groups are as follows:

  • FF02::1 Indicates the group of all the nodes on the local segment
  • FF02::2 Indicates the group of all the routers on the local segment
  • FF02::1:FF00:0/104 Indicates a solicited-node multicast group for every unicast or anycast address assigned to the interface

You can also notice in the sample output that the Fa0/1 interface belongs to three multicast groups: FF02::1, FF02::2, and FF02::1:FF5D:A031. The first two multicast groups refer to the all-host and all-router multicast groups, respectively. The third group, FF02::1:FF5D:A031, is the solicited-node multicast address. This address is created for every unicast or anycast address. A solicited-node multicast address is determined by assigning the least significant 24 bits of the unicast address to the least significant 24 bits of the FF02::1:FF00:0 address.

The show ipv6 neighbors command displays the link-local /global unicast addresses of the neighbors, including other information such as state and the next-hop interface.

The show ipv6 route command is used to view the IPv6 routing table on the router. This command displays the prefixes, administrative distance, metric, and next-hop addresses for various IPv6 networks.

The show ipv6 protocols command is used to view the active routing protocols for IPv6 on the router. This command shows the interfaces, redistribution status, and summarization status about each of the routing protocols enabled on the router.

Exam Question 486

Which type of Category 5 unshielded twisted-pair (UTP) cable is used to work as a trunk between two
switches?

A. RJ-45 straight-through
B. RJ-41 crossover
C. RJ-11 straight-through
D. RJ-45 crossover
Correct Answer:
D. RJ-45 crossover
Answer Description:
An RJ-45 crossover cable connects two switches. To act as a trunk a trunking protocol such as ISL or 802.1q must be configured on the link. . A trunk is a connection between two switches that is used to carry traffic from multiple VLANs.

In general, the rule to follow when choosing between a straight-through and a crossover cable is:

  • When connecting like devices (i.e. router to router, switch to switch), use a crossover cable.
  • When connecting dissimilar devices (i.e. switch to router), use a straight-through cable.

The one exception to this rule is when connecting a computer NIC to a router, in which case a crossover cable is used. Be aware, however, that many devices, including network cards in computers, now have the ability to sense automatically when they are connected to a like device and adapt to the connection, making crossover cables unnecessary in those situations.

You should not choose an RJ-45 straight-through cable. The cable type to be used depends on the circuit connection of the hardware. To connect two switches, a crossover cable is required. The difference between a straight-through cable and a crossover cable lies in the location of the wire termination on the two ends of an RJ-45 cable. If the UTP cable wire connects Pin 1 of one side to Pin 1 of other side and Pin 2 to 2 through all eight pins of the RJ 45 connector, the cable is said to be straight-through. On the other hand, if Pin 1 of one side of an RJ-45 cable connects to Pin 3 of the other end, and Pin 2 connects to Pin 6 of the other end, it is known as a crossover cable. A straight-through cable is used to connect a computer’s network interface card (NIC) to a hub or switch.

You should not choose an RJ-41 crossover cable. RJ-41 is a single-line universal data jack normally associated with fixed-loss loop (FLL) or programmed (P) modems. It is not used between switches.

You should not choose an RJ-11 straight-through cable type. RJ-11 UTP cables have four pins and are used to connect voice instruments. RJ-11 UTP cables are not intended for connecting computers and transferring data. They are commonly used for telephones and modems.

Note: Cisco switches have an auto-mdix feature that notices when the wrong cabling pinouts are used, and readjusts the switch’s logic so that the cable will work.

Exam Question 487

Which of the following commands would instruct OSPF to advertise ONLY the 192.168.10.0/24 network in Area 0?

A. Router(config)# router ospf 1
Router(config-router)# network 192.168.10.0 0.0.0.255 area 0
B. Router(config)# router ospf 1
Router(config-router)# network 192.168.11.0 0.0.0.255 area 0
C. Router(config)# router ospf 1
Router(config-router)# network 192.168.10.0 255.255.255.0 area 0
D. Router(config)# router ospf 1
Router(config-router)# network 192.168.10.0 0.0.255.255 area 0

Correct Answer:
A. Router(config)# router ospf 1
Router(config-router)# network 192.168.10.0 0.0.0.255 area 0
Answer Description:
The command Router(config-router)# network 192.168.10.0 0.0.0.255 area 0 would instruct OSPF to advertise the 192.168.10.0 network in Area 0. It is executed in OSPF process 1 configuration mode, as indicated by the prompt Router(config-router)#. This command correctly states the network as 192.168.10.0 and uses the proper wildcard mask of 0.0.0.255.

The command Router(config-router)# network 192.168.11.0 0.0.0.255 area 0 is incorrect because it advertises the 192.168.11.0/24 network instead of the 192.168.10.0/24 network.

The command Router(config-router)# network 192.168.10.0 255.255.255.0 area 0 is incorrect because it uses a regular mask instead of a wildcard mask.

The wildcard mask in OSPF network statements must be expressed inversely, and not as a regular subnet mask. If the network you are configuring for OSPF operation is 192.168.10.0/24, then the inverse version of a /24 mask (or 255.255.255.0) would be 0.0.0.255. The correct command, Router(config-router)# network 192.168.10.0 0.0.0.255 area 0,will configure OSPF to run over any local interfaces assigned an IP address beginning with 192.168.10, since the inverse mask dictates that the first three octets must be a match.

The command Router(config-router)# network 192.168.10.0 0.0.255.255 area 0 is incorrect because it uses an improper wildcard mask. This mask would instruct OSPF to advertise any network with a prefix longer than the 192.168.0.0/16 network.

When routing does not seem to be working correctly, one of the first things to check is whether OSPF is operating on the proper interfaces. OSPF is enabled by network statements. To verify the network statements that were entered, you should execute the show run command and examine the output. If the network statement is configured so that the interface on the router is not in that network, OSPF will not operate on that interface. For example, suppose that Router A has an interface of 192.168.5.1/30 and the show run command produces the following output:

<output omitted>
router ospf 2 area 0
network 192.168.5.0 0.0.0.4

In this case, OSPF will not operate on the interface because the router interface is not in the network indicated by the network statement. The problem is not the network address but the wildcard mask. For a 30-bit mask, the wildcard should be 0.0.0.3, not 0.0.0.4. The wildcard mask can be determined by subtracting the regular mask value in the last octet (252) from 255, which is 3. The solution would to remove the incorrect statement and enter the correct statement as follows:

routerA(config)# router ospf 2 area 0
no network 192.168.5.0 0.0.0.4 area 0
network 192.168.5.0 0.0.0.3 area 0

Exam Question 488

Which commands would you use to determine the IP address and hostname of a directly connected switch from which you received VLAN information? (Choose two. Each correct answer is part of the solution.)

A. show vtp status
B. show cdp neighbors detail
C. show cdp neighbor status
D. show vtp counters
E. show cdp neighbor
Correct Answer:
A. show vtp status
B. show cdp neighbors detail
Answer Description:
The VLAN Trunking Protocol (VTP) is used to synchronize VLANs between switches, and the question implies that VTP is being used in this environment. The show vtp status command will display the IP address of the switch that last updated your VLAN database. The output of this command is as follows:

The show vtp status command will display the IP address of the switch that last updated your VLAN database. The output of this command is as follows.

The “Configuration last modified by 10.1.1.2” output reveals the IP address of the switch from which you received VLAN information. Once you know the IP address of the switch, you can use the show cdp neighbors detail command to determine the hostname associated with this IP address. The output of this command is as follows:

Once you know the IP address of the switch, you can use the show cdp neighbors detail command to determine the hostname associated with this IP address. The output of this command is as follows.

The show cdp neighbors detail command provides detailed information about directly connected Cisco devices. The detail option is required to provide the IP address of the neighboring devices, and indicates here that IP address 10.1.1.2 is assigned to Device ID: SwitchB, which is the hostname for this device. SwitchB is the switch from which you received VLANs.

Although not offered as an option, the show cdp entry* command will also display all directly connected devices and will indicate the hostname and the IP address and platform, but will not indicate from which device VTP information was received. Its output is shown below:

Although not offered as an option, the show cdp entry* command will also display all directly connected devices and will indicate the hostname and the IP address and platform, but will not indicate from which device VTP information was received. Its output is shown below.

This command displays the same information as the show cdp neighbor detail command. It includes:

  • The IP address of the neighbor (in this case 10.1.1.2)
  • The port on which the CDP information was received (in this case FastEthernet0/4)
  • The platform (in this case a Cisco WS-C2950G-24 Switch)

The show vtp counters command is incorrect because it does not display information about neighboring devices, nor information regarding from which switch VLANs were received.

The show cdp neighbor command is incorrect because the detail option is required to display the IP addresses of neighboring devices.

The show cdp neighbor status command is incorrect because this is not a valid Cisco IOS command.

Exam Question 489

Which Cisco command keeps unauthorized users from viewing passwords in the router configuration file?

A. enable secret
B. enable password
C. enable encryption
D. service encryption
E. service password-encryption
Correct Answer:
E. service password-encryption
Answer Description:
The service password-encryption global configuration mode command keeps unauthorized users from viewing passwords in the router configuration file. The service password-encryption command encrypts all current and future passwords configured on the router, including the line password, virtual terminal password, console password, user name password, routing protocol passwords such as BGP neighbor passwords, the privileged command password, and authentication key passwords. Moreover, it encrypts any future passwords created on the router.

The encryption process occurs whenever the current configuration is built or a password is configured. The service password-encryption command will cause the router configuration file to display encrypted characters instead of passwords when the running-configuration or startup-configuration files are viewed.

The enable password command creates a password that will be required to enter privileged EXEC mode, but the password will not be encrypted.

The enable secret command provides encryption to the enable mode passwords but does not apply globally to all passwords configured on the router. It also does not encrypt any future passwords created on the router.

The enable encryption and service encryption commands are invalid.

Exam Question 490

A packet is received with a destination IP address of 10.2.16.10.
A packet is received with a destination IP address of 10.2.16.10.
What would the next hop IP address be for this packet?

A. 192.168.1.10
B. 192.168.4.2
C. 192.168.10.254
D. None; the packet will be dropped.
Correct Answer:
B. 192.168.4.2
Answer Description:
The packet will be routed to the next hop IP address of 192.168.4.2, since this routing table entry is the most specific match for the remote network. Packets are routed according to the most specific, or “longest,” match in the routing table.

The packet in the scenario has a destination IP address of 10.2.16.10, which matches two entries in the routing table.

  • 10.0.0.0 /8: this matches based on the /8 mask, where only the first byte has to match. The destination IP address of 10.2.16.10 has a first byte matching 10. If this were the only matching route table entry, it would be selected.
  • 10.2.16.0 /24: The first 24 bits of this entry match the first 24 bits of the destination IP address of 10.2.16.10.

Therefore, the 10.2.16.0 /24 entry is selected for routing this packet because it most specifically matches the destination IP address, or has the longest number of matching bits.

The next hops of 192.168.1.10 and 192.168.10.254 will not be used, as these routes are not the most specific matches for the destination IP address of the packet.

It is interesting to note that packets that are destined for the 10.2.32.0 network will be load balanced across both serial 0/0 and serial 0/1 because the cost (2172425) is the same for both paths.

The packet will not be dropped because there is at least one routing table entry that matches the destination IP address of the packet.

To ensure that no packets are dropped, even if there is no matching route in the routing table, a default route could be configured as follows (next hop picked at random for illustration):

Router(config)# ip route 0.0.0.0 0.0.0.0 192.168.1.1

This configuration would instruct the router to send any packets that do match the existing routes to 192.168.1.1. For example, a packet destined for 201.50.6.8/24 would not match any routes in the table, and would thus be forwarded to 192.168.1.1.

If you understand how routing tables and routing advertisements work, it is relatively simple to describe the contents of a router’s routing table without seeing the table directly. To do so, you would view the router’s configuration and the configuration of its neighbors using show run, along with a diagram of its network connections. For example, examine the diagram of the two routers shown below along with their respective configurations:
For example, examine the diagram of the two routers shown below along with their respective configurations.
For example, examine the diagram of the two routers shown below along with their respective configurations.

It will contain S*0.0.0.0/0 [1/0] via 192.35.87.5 because of the static default route indicated in line 4 of its configuration output.

It will contain R 192.168.110.128/26 [120/1] via 192.35.87.5 00:00:22, Serial 0/0 because Router 2 has a network 192.168.110.128 statement indicating that it will advertise this network to its neighbors.

It will contain the two routes C 192.35.87.4/30 is directly connected, S0/0 and C 192.168.54.64/26 is directly connected, Fa0/0 because all directly connected routes are automatically placed in the table.