Cisco Certified Network Associate 200-301 CCNA Exam Questions and Answers – Page 1

The latest Cisco Certified Network Associate 200-301 CCNA certification actual real practice exam question and answer (Q&A) dumps are available free, which are helpful for you to pass the Cisco Certified Network Associate 200-301 CCNA exam and earn Cisco Certified Network Associate 200-301 CCNA certification.

Exam Question 91

Which command will display the Virtual LAN (VLAN) frame tagging method for a switch link?

A. show vlan
B. show vlan encapsulation
C. show vtp status
D. show interfaces trunk

Correct Answer:
D. show interfaces trunk
Answer Description:
The show interfaces trunk command displays the list of trunk ports and the configured VLAN frame tagging methods.
Sample output of the show interfaces trunk command would be as follows:
SwitchB# show interfaces trunk
Port      Mode    Encapsulation    Status      Native vlan
Fa0/1     on      802.1q           trunking    1
Fa0/2     on      802.1q           trunking    1
Fa0/3     on      802.1q           trunking    1
<Output omitted>

The show vlan command displays the VLAN number, name, status, and ports assigned to individual VLANs. Although the command cannot be used to determine the frame tagging method used for each trunk, it can be used to determine which ports are trunk ports by the process of elimination.
In the output below, generated from a six-port switch, the missing port (Fa0/6) is a trunk port. For communication to be possible between the two VLANs configured on the switch, Fa0/6 must be connected to a router, and trunking must be configured on the router end as well. The command is also useful for verifying that a port has been assigned to the correct VLAN as it indicates in the VLAN column the VLAN to which each port belongs.
Switch# show vlan
Vlan    name       Status    Ports
1       default    active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
58      vlan 58    active    Fa0/5

The show vlan encapsulation command is not a valid command for Cisco switches.
The show vtp status command does not display the VLAN frame tagging method. The command is used to verify the status of VTP. The output of the show vtp status command would be as follows:

[Image: output of the show vtp status command]

Line 6 of the given output indicates that the switch is operating in VTP Client mode. There are three possible VTP modes in which a switch can operate: Server, Client, and Transparent.

  • In Server mode, any changes made in the switch, such as adding a VLAN, will be recorded in the local database and also passed on to the other switches, where the change will be added.
  • In Client mode, the switch will accept and record changes from switches in Server mode, but will not accept changes made on the local switch.
  • In Transparent mode, the switch adds changes made locally to the database, but will not send or accept changes sent from other switches.

The mode in use could be a useful piece of information during troubleshooting. For example, if you were unsuccessfully attempting to add a VLAN to the database, the reason would be that the switch is in VTP Client mode. If you were adding a VLAN in Transparent mode, the VLAN would be added to the local database but fail to appear on the other switches. If the switch were in Transparent mode, Line 6 in the above output would appear as follows:
VTP Operating Mode: Transparent
Only switches operating in VTP Server mode can accept changes to the VLAN database. This situation could be corrected easily and a VLAN 50 could be successfully added at two different configuration prompts by executing the following commands:
At global configuration mode:
switchB# config t
switchB(config)# vtp mode server
switchB(config)# vlan 50

At VLAN configuration mode:
switchB# vlan database
switchB(vlan)# vtp server
switchB(vlan)# vlan 50

Objective: LAN Switching Fundamentals
Sub-Objective: Configure, verify, and troubleshoot VLANs (normal/extended range) spanning multiple switches

Exam Question 92

View the following network diagram:

[Image: network diagram]

Which switch will become the root bridge?

A. SwitchA
B. SwitchB
C. SwitchC
D. The root bridge cannot be determined from the given information.

Correct Answer:
A. SwitchA
Answer Description:
SwitchA will become the root bridge. The bridge ID, also known as the switch ID, is used to elect the root bridge in a redundant network topology. The bridge ID has two components:

  • Switch’s priority number: Configured as 32768 on Cisco switches by default
  • Switch’s Media Access Control (MAC) address: The burnt-in hardware address of the network interface card

The switch with the lowest bridge ID is selected as the root bridge. If the same priority number is configured on two or more switches in the network, the switch with the lowest MAC address will become the root. Bridge Protocol Data Units (BPDUs) communicate the details of the switch with the lowest bridge ID in the network. The election process for the root bridge takes place every time there is a topology change in the network. A topology change may occur due to the failure of a root bridge or the addition of a new switch in the network. The root bridge originates BPDUs every two seconds, which are propagated by other switches throughout the network. BPDUs are used as keepalives between switches, and if a switch stops receiving BPDUs from a neighboring switch for ten intervals (20 seconds), it will assume a designated role for the network segment.
Neither SwitchB nor SwitchC will become the root bridge. Although both have an equal priority value to SwitchA (32768), the MAC addresses of SwitchB and SwitchC are higher than that of SwitchA.
The root bridge can be determined with the information given. If the diagram did not indicate MAC addresses, then the root bridge would not be able to be determined, since the priorities are equal.
Objective: LAN Switching Fundamentals
Sub-Objective: Configure, verify, and troubleshoot STP protocols

Exam Question 93

Which of the following statements are true of Class C IP addresses?

A. The decimal values of the first octet can range from 192 to 223
B. The decimal values of the first octet can range from 1 to 126
C. The first octet represents the entire network portion of the address
D. The first three octets represent the entire network portion of the address
E. The value of the first binary place in the first octet must be 0
F. The value of the first two binary places in the first octet must be 11

Correct Answer:
A. The decimal values of the first octet can range from 192 to 223
D. The first three octets represent the entire network portion of the address
F. The value of the first two binary places in the first octet must be 11
Answer Description:
Class C IP addresses will have the following characteristics:

  • The decimal values of the first octet can range from 192 to 223
  • The first three octets represent the entire network portion of the address
  • The value of the first two binary places in the first octet must be 11

Class B IP addresses will have the following characteristics:

  • The decimal values of the first octet can range from 128 to 191
  • The first two octets represent the entire network portion of the address
  • The value of the first two binary places in the first octet must be 10

Class A IP addresses will have the following characteristics:

  • The decimal values of the first octet can range from 1 to 126
  • The first octet represents the entire network portion of the address
  • The value of the first binary place in the first octet must be 0

Objective: Network Fundamentals
Sub-Objective: Compare and contrast IPv4 address types

Exam Question 94

Which Cisco Internetwork Operating System (IOS) command would be used to define a static route for network 192.168.11.0 through default gateway 192.168.43.1?

A. router(config)# ip route 192.168.11.0 255.255.255.0 192.168.43.1
B. router# ip route 192.168.11.0 255.255.255.0 192.168.43.1
C. router(config)# ip classless 192.168.43.1
D. router(config)# ip default gateway 192.168.11.0 255.255.255.0 192.168.43.1
E. router# ip default gateway 192.168.43.1

Correct Answer:
A. router(config)# ip route 192.168.11.0 255.255.255.0 192.168.43.1
Answer Description:
The router(config)# ip route 192.168.11.0 255.255.255.0 192.168.43.1 command would be used to define a static route for network 192.168.11.0 through default gateway 192.168.43.1. Static routing is used to manually configure routes to remote networks. The syntax of the ip route command is as follows:
ip route [destination_network] [mask] [next-hop_address or exit interface] [administrative_distance] [permanent]
The parameters of the command are as follows:

  • destination_network: Defines the network that needs to be added in the routing table.
  • mask: Defines the subnet mask used on the network.
  • next-hop_address: Defines the default gateway or next hop router that receives and forwards the packets to the remote network.
  • administrative_distance (AD): Static routes have an AD of 1, which can be changed to change the priority of the route.

Static routing is often implemented in small yet stable networks where the number of routes is small and manageable, and the network can benefit from the elimination of the traffic that dynamic routing protocols would introduce. If this is the case, it is important that all routes be statically created, or else networking problems can occur. For example, if in the diagram below no route to the 192.168.110.128/26 network on Router 2 exists on Router 1, Host 1 will be unable to ping Host 2. The fact that Host 1 would still be able to ping the S0/0 interface on Router 2 could obscure this missing route.

[Image: network diagram]

Host 1 will be able to ping the S0/0 interface of Router 2 because the 192.35.87.4/30 network will be in the routing table of Router 1, being directly connected to Router 1. Directly connected routes are automatically placed in the routing table. However, if you executed the show run command on Router 1, the output would indicate that no route to the 192.168.110.128/26 network exists:
<Output omitted>
interface Fa0/1
ip address 192.168.54.65 255.255.255.192
no shutdown
interface S0/0
ip address 192.35.87.5 255.255.255.252
no shutdown

The option router# ip route 192.168.11.0 255.255.255.0 192.168.43.1 is incorrect because the ip route command should be configured in the global configuration mode.
The option router(config)# ip classless 192.168.43.1 is incorrect because the ip classless global configuration mode command allows a router to accept and forward packets for subnets that are not directly connected. The packets are forwarded to the best available supernet route.
The option router(config)# ip default gateway 192.168.11.0 255.255.255.0 192.168.43.1 is incorrect because the ip default gateway command is used to define the default gateway address when IP routing is disabled in the network.
Objective: Routing Fundamentals
Sub-Objective: Configure, verify, and troubleshoot IPv4 and IPv6 static routing
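
The missing-route scenario from this explanation, as an added example that is not part of the original page: a longest-prefix-match lookup over Router 1's routing table, before and after the static route is added. The Router 2 S0/0 address 192.35.87.6, the Host 2 address 192.168.110.130 and all function names are assumptions made for the illustration.

```python
import ipaddress

def connected(address, mask, interface):
    """Directly connected route taken from an interface address (AD 0)."""
    network = ipaddress.ip_interface(f"{address}/{mask}").network
    return {"prefix": network, "via": interface, "ad": 0, "source": "connected"}

def parse_ip_route(command):
    """Parse: ip route <network> <mask> <next-hop | exit interface> [distance]."""
    words = command.split()
    if len(words) < 5 or words[:2] != ["ip", "route"]:
        raise ValueError(f"not an ip route command: {command!r}")
    # ip_network() raises ValueError when the network has host bits set.
    prefix = ipaddress.ip_network(f"{words[2]}/{words[3]}")
    # Static routes default to an administrative distance of 1.
    ad = int(words[5]) if len(words) > 5 and words[5].isdigit() else 1
    return {"prefix": prefix, "via": words[4], "ad": ad, "source": "static"}

def lookup(table, destination):
    """Longest-prefix match; the lower AD wins between equal-length prefixes."""
    dest = ipaddress.ip_address(destination)
    matches = [r for r in table if dest in r["prefix"]]
    if not matches:
        return None  # no route: the packet is dropped
    return max(matches, key=lambda r: (r["prefix"].prefixlen, -r["ad"]))

# Router 1 interfaces as shown in the show run output above.
ROUTER1 = [
    connected("192.168.54.65", "255.255.255.192", "Fa0/1"),
    connected("192.35.87.5", "255.255.255.252", "S0/0"),
]
ROUTER2_S0 = "192.35.87.6"   # assumed: the other host address in 192.35.87.4/30
HOST2 = "192.168.110.130"    # assumed: a host inside 192.168.110.128/26

def reachability(table):
    """Return the 'via' chosen for Router 2's S0/0 and for Host 2 (None = no route)."""
    result = {}
    for name, address in (("router2_s0", ROUTER2_S0), ("host2", HOST2)):
        route = lookup(table, address)
        result[name] = route["via"] if route else None
    return result

if __name__ == "__main__":
    print("before:", reachability(ROUTER1))
    fixed = ROUTER1 + [parse_ip_route(
        "ip route 192.168.110.128 255.255.255.192 " + ROUTER2_S0)]
    print("after: ", reachability(fixed))
```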

Exam Question 95

Which command will save a dynamically learned MAC address in the running-configuration of a Cisco switch?

A. switchport port-security mac-address
B. switchport port-security
C. switchport port-security sticky mac-address
D. switchport port-security mac-address sticky
E. switchport mac-address sticky

Correct Answer:
D. switchport port-security mac-address sticky
Answer Description:
Issuing the switchport port-security mac-address sticky command will allow a switch to save a dynamically learned MAC address in the running-configuration of the switch, which prevents the administrator from having to document or configure specific MAC addresses. Once the approved MAC addresses have all been learned, the network administrator simply saves the running-configuration file to NVRAM with the copy running-config startup-config command.
Switches dynamically build MAC address tables in RAM, which allow the switch to forward incoming frames to the correct target port. By default, an unlimited number of MAC addresses can be learned on a single switch port, whether it is configured as an access port or a trunk port. Switch ports can be secured by defining one or more specific MAC addresses that should be allowed to connect, and by defining violation policies (such as disabling the port) if additional hosts try to gain a connection. The following command secures a switch by manually defining an allowed MAC address:
switch(config-if)# switchport port-security mac-address 00C0.35F0.8301
This command statically defines the MAC address of 00C0.35F0.8301 as an allowed host on the switch port. Manually configuring all of your switch ports in this way, however, would require documenting all of your existing MAC addresses and configuring them specifically per switch port, which could be an extremely time-consuming task.
An example of the use of the switchport port-security mac-address sticky command is shown below:
Switch(config)#interface fastethernet0/16
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security mac-address sticky
Switch(config-if)#switchport port-security maximum 1

With the above configuration, if a computer with a MAC address of 0000.00bb.bbbb were plugged into the switch, the following two things would occur:

  • Only the host with MAC address 0000.00bb.bbbb will be allowed to transmit on the port. This is a result of the switchport port-security mac-address sticky command, which instructs the switch to learn the next MAC address it sees on the port, and of the switchport port-security maximum 1 command, which further instructs the switch that the address learned is the only address allowed on the port.
  • All frames arriving at the switch with a destination address of 0000.00bb.bbbb will be forwarded out on Fa0/16.

The switchport port-security mac-address sticky command can also be used in combination with the interface range command to make every port on the switch behave in this fashion, as shown below for a 24-port switch.
Switch(config)#interface range fastethernet0/1-24
Switch(config-if-range)#switchport port-security
Switch(config-if-range)#switchport port-security mac-address sticky
Switch(config-if-range)#switchport port-security maximum 1

The switchport port-security mac-address command is incorrect since this command requires an additional argument to be valid (either a statically configured MAC address or the sticky option).
The switchport port-security command activates port security on the switch port, but does not configure sticky MAC address learning.
The switchport port-security sticky mac-address and switchport mac-address sticky options are incorrect because these are not valid Cisco IOS commands.
Objective: Infrastructure Security
Sub-Objective: Configure, verify, and troubleshoot port security

Exam Question 96

Which two are the limitations of the service password-encryption command? (Choose two.)

A. It uses the MD5 algorithm for password hashing.
B. It uses the Vigenere cipher algorithm.
C. An observer cannot read the password when looking at the administrator’s screen.
D. The algorithm used by this command cannot protect the configuration files against detailed analysis by attackers.

Correct Answer:
B. It uses the Vigenere cipher algorithm.
D. The algorithm used by this command cannot protect the configuration files against detailed analysis by attackers.
Answer Description:
The following are limitations of the service password-encryption command:

  • It uses the Vigenere cipher algorithm, which is simple in nature.
  • A cryptographer can easily crack the algorithm in a few hours.
  • The algorithm used by this command cannot protect the configuration files against detailed analysis by attackers.

The service password-encryption command does not use the MD5 algorithm for password hashing. The MD5 algorithm is used by the enable secret command.
The option stating that an observer cannot read the password when looking at the administrator’s screen is incorrect because this is an advantage of the service password-encryption command.
Objective: Infrastructure Security
Sub-Objective: Configure, verify, and troubleshoot basic device hardening
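
A check a reviewer can run over a saved configuration to find credentials that are cleartext or protected only by service password-encryption, as an added example that is not part of the original page. The sample configuration and every value in it are constructed placeholders, and the function names are assumptions; the type markers 0, 7 and 5 are the IOS labels for cleartext, the reversible encoding described above, and the MD5 hash written by enable secret.

```python
import re

# IOS type markers: 0 (or none) = cleartext, 7 = the reversible encoding applied
# by service password-encryption, 5 = MD5 hash as written by enable secret.
VERDICTS = {"0": "cleartext", "7": "reversible-type7", "5": "md5-hash"}
WEAK = {"cleartext", "reversible-type7"}
CREDENTIAL = re.compile(r"\b(password|secret)\s+(?:(\d)\s+)?(\S+)")

def audit_passwords(config_text):
    """Return (line_number, where, keyword, verdict) for every credential line.

    The credential value itself is never copied into the result.
    """
    findings, context = [], "global"
    for number, raw in enumerate(config_text.splitlines(), 1):
        line = raw.rstrip()
        if not line or line.lstrip().startswith("!"):
            continue
        if not raw[0].isspace():
            # A top-level "line ..." command opens a block of indented sub-commands.
            context = line if line.startswith("line ") else "global"
        match = CREDENTIAL.search(line)
        if not match:
            continue
        keyword, ptype, _value = match.groups()
        where = line[:match.start()].strip() or context
        verdict = VERDICTS.get(ptype or "0", f"type-{ptype}")
        findings.append((number, where, keyword, verdict))
    return findings

def weak_entries(config_text):
    """Entries that are readable or reversible once the file is disclosed."""
    return [f for f in audit_passwords(config_text) if f[3] in WEAK]

# Constructed sample; every credential value is a placeholder, not real output.
SAMPLE_CONFIG = """\
service password-encryption
!
enable secret 5 $1$PLACEHOLDER$CONSTRUCTEDHASH
enable password 7 PLACEHOLDER7
username admin password 7 PLACEHOLDER7
username backup secret 5 $1$PLACEHOLDER$CONSTRUCTEDHASH
!
line con 0
 password console-placeholder
line vty 0 4
 password 7 PLACEHOLDER7
 login
"""

if __name__ == "__main__":
    for number, where, keyword, verdict in weak_entries(SAMPLE_CONFIG):
        print(f"line {number}: {where} {keyword} -> {verdict}")
```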

Exam Question 97

Which Cisco IOS command enables a router to copy IOS images to a router?

A. copy tftp flash
B. copy flash tftp
C. copy running-config tftp
D. copy running-config startup-config
E. copy tftp running-config

Correct Answer:
A. copy tftp flash
Answer Description:
The copy tftp flash command enables a router to copy an IOS image (the router operating system) to a router from a TFTP server. One router can act as a TFTP server to the other in this process.
The following example illustrates the steps to copy an image from Router A to Router B:

  • Verify the connectivity between Router A and Router B using the ping command.
  • Check the image size on both of the routers with the show flash command to verify that enough space exists on Router B.
  • Configure Router A as the TFTP server using the configure terminal command. Use the tftp-server flash [partition-number:]filename1 [alias filename2] [access-list-number] command to define the path to the system image that needs to be transferred. There can be multiple entries for multiple images.
  • Copy the image from Router A to Router B using the copy tftp flash command.
  • Verify the flash for the copied new image on Router B with the show flash command.

The copy flash tftp command is used to copy an IOS image from the router to a TFTP server.
The copy running-config tftp command is used to copy the active or running configuration file from RAM to a TFTP server.
The copy running-config startup-config command copies the active or running configuration from RAM to NVRAM. This command creates the configuration file that will be used as the startup configuration at reboot. This should always be done after making changes to the router so that the changes are saved when the router is rebooted.
The copy tftp running-config command merges a backup configuration with the currently active running configuration in RAM.
Objective: Infrastructure Management
Sub-Objective: Perform device maintenance

Exam Question 98

Which device in the given network diagram has as its primary responsibility the regulation of network traffic flow based on different trust levels for different computer networks?

[Image: network diagram]

A. the router
B. the switch
C. the hub(s)
D. the firewall

Correct Answer:
D. the firewall
Answer Description:
The firewall has as its primary responsibility the regulation of network traffic flow based on different trust levels for different computers or networks. In the network diagram shown in the exhibit, a firewall protects the network from unauthorized access attempts. A firewall can be implemented in hardware or software. Firewalls permit, deny, or filter data packets coming into and going out of the network. This helps prevent unauthorized access attempts from outside the network.
The primary function of a router is to perform routing between two subnets or between dissimilar network technologies. Routers can provide limited firewall functionality, but a firewall is a dedicated hardware or software solution with the primary responsibility of securing the network. A router does not have as its primary responsibility the regulation of network traffic flow based on different trust levels.
Switches work at Layer 2 in the Open System Interconnection (OSI) model and perform the function of separating collision domains. A switch does not have as its primary responsibility the regulation of network traffic flow based on different trust levels.
A hub is a device that provides a common connection point for network devices. The primary responsibility of a hub is not to regulate network traffic flow based on different trust levels.
Objective: Network Fundamentals
Sub-Objective: Describe the impact of infrastructure components in an enterprise network

Exam Question 99

Which command is used to view the entire routing table?

A. show route-map
B. show ip mroute
C. show ip route
D. show ip protocols

Correct Answer:
C. show ip route
Answer Description:
The show ip route command is used to view the entire routing table. The output of this command consists of codes, gateway of last resort, directly connected networks, and routes learned through different protocols working on the network. The syntax of the show ip route command is as follows:
show ip route [address [mask] [longer-prefixes]] | [protocol [process-id]]
The parameters of the show ip route command are as follows:

  • address: Specifies the address for which the routing information should be displayed.
  • mask: Specifies the subnet mask.
  • longer-prefixes: Specifies the combination of mask and address.
  • protocol: Specifies the name of the routing protocol, such as Routing Information Protocol (RIP) or Open Shortest Path First (OSPF).
  • process-id: Specifies the ID used to identify a process of a particular protocol.

The show route-map command is incorrect because this command is used to view the route-maps configured on the router.
The show ip mroute command is incorrect because this command is used to view the contents of the IP multicast routing table.
The show ip protocols command is incorrect because this command is used to view the routing protocol parameters and the current timer values.
Objective: Routing Fundamentals
Sub-Objective: Interpret the components of routing table

Exam Question 100

The conference room has a switch port available for use by the presenter during classes. Each presenter uses the same PC attached to the port. You would like to prevent any other PCs from using that port. You have completely removed the former configuration in order to start anew.
Which of the following steps are required to prevent any other PCs from using that port?

A. make the port a trunk port
B. enable port security
C. make the port an access port
D. assign the MAC address of the PC to the port
E. make the port a sticky port
F. set the maximum number of MAC addresses on the port to 1

Correct Answer:
B. enable port security
C. make the port an access port
D. assign the MAC address of the PC to the port
Answer Description:
You should create the port as an access port, enable port security, and statically assign the MAC address of the PC to the port. Creating the port as an access port ensures that the PC can use the port and port security can be enabled on the port. The second step is to enable port security, which is required to use the third command. The third command sets the MAC address of the PC as the statically assigned address on that port, meaning that only that address can send and receive on the port.
You should not make the port a trunk port. There is no need to make this a trunk port because it will not be carrying multiple VLAN traffic, only the traffic of the PC.
You should not make the port a sticky port. The sticky keyword, when used with the switchport port-security command, is used to allow a port to dynamically learn the first MAC address it sees on the port, add it to the MAC address table, and save it to the running configuration of the switch. It will not limit the MAC addresses allowed on the port to that of the PC.
You should not set the maximum number of MAC addresses on the port to 1. That would prevent the attachment of a hub or switch to the port, but would not restrict the MAC addresses allowed on the port to the MAC address of the PC.
Objective: Infrastructure Security
Sub-Objective: Configure, verify, and troubleshoot port security
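
The distinctions drawn in this answer and in Exam Question 95 (static address, sticky learning, maximum count only, port security not enabled), turned into a check over interface configuration. This is an added example, not part of the original page; the sample configuration is constructed, and the function names and status labels are assumptions.

```python
import re

PS = "switchport port-security"
MAC = r"[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}"

def parse_interfaces(config_text):
    """Map each interface name to the list of its indented sub-commands."""
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        if raw.startswith("interface "):
            current = interfaces.setdefault(raw.split(None, 1)[1].strip(), [])
        elif raw[:1].isspace() and current is not None:
            current.append(" ".join(raw.split()))
        else:
            current = None  # "!" separator or any other top-level command
    return interfaces

def classify(commands):
    """Label one access port by how its allowed MAC address is decided."""
    if "switchport mode access" not in commands:
        return "not-access"
    static = [c for c in commands if re.fullmatch(f"{PS} mac-address {MAC}", c)]
    learned = [c for c in commands if re.fullmatch(f"{PS} mac-address sticky {MAC}", c)]
    sticky = f"{PS} mac-address sticky" in commands
    if PS not in commands:
        # MAC settings do nothing until port security itself is enabled.
        return "settings-inactive" if (static or sticky or learned) else "open"
    if static:
        return "static"             # pinned to an administrator-chosen address
    if sticky:
        return "sticky-learned" if learned else "sticky-unlearned"
    return "enabled-only"           # limit on the count, not on which address

def audit_port_security(config_text):
    """Return {interface name: status label} for every interface stanza."""
    return {name: classify(cmds) for name, cmds in parse_interfaces(config_text).items()}

# Constructed sample. The first two MAC addresses appear in the explanations
# above; 0000.5e00.5301 is a made-up value.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security mac-address 00C0.35F0.8301
!
interface FastEthernet0/16
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
!
interface FastEthernet0/17
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0000.00bb.bbbb
!
interface FastEthernet0/18
 switchport mode access
 switchport port-security mac-address 0000.5e00.5301
!
interface FastEthernet0/19
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
!
interface FastEthernet0/20
 switchport mode access
"""

if __name__ == "__main__":
    for port, status in audit_port_security(SAMPLE_CONFIG).items():
        print(f"{port:20} {status}")
```

A port reported as sticky-unlearned will bind to whichever host transmits first, which is why the conference-room answer assigns the PC's address statically instead.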