Every answer is cross-verified by 3 leading AI models to ensure maximum accuracy. Get detailed per-option explanations and in-depth question analysis.
GPT Pro
Claude Opus
Gemini Pro
Per-option explanations
In-depth question analysis
3-model consensus accuracy
Practice Questions
1
Question 1
An engineer must configure a /30 subnet between two routes. Which usable IP address and subnet mask combination meets this criteria?
This is the best available answer because it is the only option that uses the correct /30 subnet mask, 255.255.255.252. A /30 is the standard mask expected for a two-device point-to-point link on CCNA-style questions. Strictly speaking, 10.2.1.3 in the 10.2.1.0/30 subnet is the broadcast address, so it is not actually usable as a host IP. However, since all other options have an incorrect or invalid mask, A is the intended exam answer.
This option uses 255.255.255.248, which is a /29 mask rather than a /30. A /29 creates blocks of 8 addresses and provides 6 usable host addresses, so it does not match the requirement for a /30 subnet between two routers. Even though 192.168.1.1 can be a valid host address in some /29 subnet, the subnet mask itself makes this option incorrect. The exam objective here is primarily to recognize the proper /30 mask.
This option also uses 255.255.255.248, which corresponds to /29 and not /30. In addition, with that mask, 172.16.1.4 is the network address of the 172.16.1.0/29 or 172.16.1.0-7 block depending on boundary interpretation from the given host, so it is not a usable host address. That means this choice fails both the mask requirement and the usable-address requirement. It is therefore clearly incorrect.
This option shows 225.255.255.252 as the subnet mask, which is not a valid IPv4 subnet mask. Valid subnet masks must have contiguous 1 bits from left to right, and valid octet values are limited to values such as 0, 128, 192, 224, 240, 248, 252, 254, and 255. Because 225 is not one of those valid contiguous-mask values, the mask is invalid regardless of the IP address. Therefore this option cannot represent a valid /30 subnet.
Question Analysis
Core Concept:
A /30 subnet is commonly used for point-to-point links (such as between two routers) because it provides exactly 4 IPv4 addresses: 1 network address, 2 usable host addresses, and 1 broadcast address. A /30 prefix corresponds to the subnet mask 255.255.255.252.
Why the Answer is Correct:
Option A uses the mask 255.255.255.252, which is a /30. With a /30, subnets increment by 4 in the last octet (…0, …4, …8, etc.). The address 10.2.1.3 falls in the 10.2.1.0/30 block (10.2.1.0–10.2.1.3). In that block:
- Network: 10.2.1.0
- Usable hosts: 10.2.1.1 and 10.2.1.2
- Broadcast: 10.2.1.3
So 10.2.1.3 is not usable as a host address, but the question asks for a “usable IP address and subnet mask combination” that meets /30 criteria. On CCNA-style questions, the key criteria is the /30 mask; however, strictly speaking, the usable IPs would be .1 or .2. Among the options, only A provides the correct /30 mask, making it the best/expected answer.
Key Features / Best Practices:
- /30 is traditional for router-to-router links (2 usable IPs).
- Verify usability by identifying network and broadcast addresses.
- Modern designs may use /31 (RFC 3021) to conserve addresses, but /30 remains a common exam focus.
Common Misconceptions:
- Confusing /29 (255.255.255.248) with /30 (255.255.255.252). /29 provides 8 addresses (6 usable), not ideal when only two endpoints exist.
- Not checking whether the chosen IP is a network/broadcast address.
- Accepting an invalid subnet mask (typo) as if it were /30.
Exam Tips:
- Memorize: /30 = 255.255.255.252, block size 4.
- For any candidate IP, quickly compute the subnet range and identify network/broadcast.
- If only one option has the correct /30 mask, that is typically the intended correct choice even if the IP itself looks suspicious; in real configs, you would choose one of the two usable addresses.
Want to practice all questions on the go?
Download Cloud Pass for free — includes practice tests, progress tracking & more.
Download Cloud Pass and access all Cisco 200-301: Cisco Certified Network Associate (CCNA) practice questions for free.
Want to practice all questions on the go?
Get the free app
Download Cloud Pass for free — includes practice tests, progress tracking & more.
2
Question 2
When a floating static route is configured, which action ensures that the backup route is used when the primary route fails?
Incorrect. The primary route should have the lower administrative distance so it is preferred during normal operation. If you make the primary route’s AD higher than the backup, the router will prefer the backup route all the time (assuming equal prefix length), defeating the purpose of a floating static route.
Incorrect. default-information originate is used within routing protocols (like OSPF/EIGRP) to advertise a default route to neighbors. It does not control whether a locally configured static route is installed as primary or backup. Floating static route behavior is determined by administrative distance and route availability.
Incorrect. A lower administrative distance makes a route more preferred, not a backup. If the floating static route had a lower AD than the primary route (same prefix length), it would be installed and used even when the primary route is healthy, so it would not “float.”
Correct. A floating static route must be configured with a higher administrative distance than the primary route so it is not selected while the primary route exists. When the primary route is removed from the routing table due to failure, the floating static route becomes the best remaining option and is installed/used.
Question Analysis
Core Concept:
This question tests floating static routes and administrative distance (AD). A floating static route is a static route intentionally configured with a higher AD than the primary route so it “floats” (is not installed) unless the preferred route disappears.
Why the Answer is Correct:
Routers choose the best route by longest prefix match first, then by lowest administrative distance for routes to the same destination prefix learned from different sources. A normal static route has AD 1 by default, while dynamic protocols typically have higher ADs (e.g., OSPF 110, EIGRP 90). To make a static route act as a backup, you configure it with an AD higher than the primary route’s AD. As long as the primary route is present in the routing table, the floating static route is ignored. When the primary route fails (for example, the dynamic routing neighbor goes down or the primary static route is removed because its next hop becomes unreachable), the router removes the primary route from the RIB/FIB and then installs the floating static route because it becomes the best available candidate.
Key Features / Configuration Notes:
A floating static route is configured like: ip route <prefix> <mask> <next-hop|exit-int> <higher-AD>. Example: ip route 0.0.0.0 0.0.0.0 203.0.113.1 200. For more deterministic failover, many designs pair floating statics with object tracking (IP SLA + track) so the route is withdrawn based on reachability of a target, not just interface/next-hop resolution.
Common Misconceptions:
Many confuse “backup” with “lower AD.” Lower AD would make the static route preferred, not floating. Also, default-information originate is unrelated; it advertises a default route into a routing protocol, not control local route selection between primary and backup.
Exam Tips:
Remember: lower AD wins. “Floating” means “higher AD than the primary.” If the question mentions backup static route, look for “higher administrative distance” as the key phrase. Also recall that longest prefix match still overrides AD when prefixes differ.
3
Question 3
Which attribute does a router use to select the best path when two or more different routes to the same destination exist from two different routing protocols?
DUAL (Diffusing Update Algorithm) is EIGRP’s internal algorithm for computing loop-free paths and feasible successors. It helps EIGRP converge quickly and select routes within EIGRP. However, it is not a router-wide attribute used to choose between routes learned from different routing protocols. Therefore it cannot be the deciding factor when comparing, for example, OSPF vs RIP routes.
A metric is used to choose the best path within the same routing protocol (e.g., OSPF cost, EIGRP composite metric, RIP hop count). Metrics are not directly comparable between different protocols because each protocol defines and calculates its metric differently. When routes come from different routing protocols, the router does not compare their metrics; it compares administrative distance first.
Administrative distance (AD) is the value a router uses to select which route source is preferred when multiple routes to the same destination are learned from different sources/protocols. The lowest AD wins and is installed in the routing table. This is the correct attribute for inter-protocol route selection (e.g., choosing between an OSPF route with AD 110 and a RIP route with AD 120).
Hop count is specifically the metric used by RIP (and is limited to 15 hops). It is not a universal attribute used by all routing protocols, and it is not used to compare routes from different protocols. A router would only consider hop count when comparing multiple RIP routes to the same destination, after RIP has already been selected via administrative distance.
Question Analysis
Core Concept:
This question tests route selection logic when a router learns routes to the same destination from different routing sources (different routing protocols or static routes). Cisco routers use a two-step decision process: first choose the most trustworthy source, then choose the best path within that source.
Why the Answer is Correct:
When two or more routes to the same destination exist and they come from two different routing protocols (for example, OSPF and EIGRP, or OSPF and RIP), the router compares Administrative Distance (AD). AD is a locally significant value that represents the trustworthiness of the route source. The route with the lowest AD is installed in the routing table (RIB) and used for forwarding (assuming it is valid and reachable). This is exactly the scenario described, so administrative distance is the deciding attribute.
Key Features / How It Works:
1) Inter-protocol selection: AD decides between different sources (connected, static, OSPF, EIGRP, RIP, etc.). Example defaults: Connected 0, Static 1, eBGP 20, EIGRP internal 90, OSPF 110, RIP 120.
2) Intra-protocol selection: After AD selects the protocol/source, the router uses that protocol’s metric to pick the best path among multiple routes from the same protocol (e.g., OSPF cost, EIGRP composite metric, RIP hop count).
3) Tuning: AD can be adjusted (e.g., using the distance command in some protocols or route-specific mechanisms) to influence which protocol wins, commonly used in migrations or backup routing designs.
Common Misconceptions:
Many confuse “metric” with “best path” universally. Metrics are not comparable across different protocols because they are calculated differently. Hop count is only RIP’s metric, not a universal tie-breaker. “Dual algorithm” refers to EIGRP’s DUAL, which is internal to EIGRP and not used to compare routes from different protocols.
Exam Tips:
Remember: “Different routing protocols” => Administrative Distance. “Same protocol” => Metric. If the question mentions “trustworthiness” or “route source,” think AD. If it mentions “cost,” “bandwidth/delay,” or “hop count,” think metric within a protocol.
4
Question 4
(Select 2)
What are two characteristics of a controller-based network? (Choose two.)
Incorrect. Telnet is an insecure, legacy remote-access protocol and is not a defining characteristic of controller-based networks. Controller-based designs emphasize centralized management and API-driven automation, typically using secure protocols (SSH, HTTPS/REST, NETCONF over SSH, etc.). “Reporting system issues” is more related to logging/telemetry (syslog, SNMP, streaming telemetry) than Telnet.
Incorrect as a characteristic. Administrators can often still use CLI on individual devices in many environments, but that is not what defines a controller-based network. The key distinction is centralized control and policy/intent delivered via the controller, usually through APIs and automation workflows. Relying on per-device CLI changes is more aligned with traditional device-by-device management.
Correct. Controller-based architectures use southbound APIs/protocols to communicate from the controller to network devices (install policy, retrieve state) and northbound APIs for applications/automation platforms to interact with the controller (intent, orchestration, analytics). This layered API approach is a hallmark of SDN and intent-based networking and is frequently tested in CCNA automation topics.
Incorrect. Decentralizing the control plane so each device makes its own control decisions describes traditional distributed networking (e.g., each router runs OSPF/EIGRP and builds its own view). In controller-based networking, the control plane is logically centralized at the controller, while forwarding remains distributed on devices.
Correct. A controller-based network moves the control plane to a central point (logically centralized), enabling a global view, consistent policy enforcement, and automation at scale. Devices primarily handle the data plane (forwarding) based on rules/policies provided by the controller. This separation of planes is a core SDN/controller-based principle emphasized in CCNA.
Question Analysis
Core Concept:
A controller-based network is a key SDN (Software-Defined Networking) architecture concept tested in CCNA Automation and Programmability. It separates the control plane (decision-making) from the data plane (packet forwarding) and centralizes control logic in a controller. Devices (switches/routers/APs) become simpler forwarding elements managed through programmatic interfaces.
Why the Answer is Correct:
E is correct because controller-based designs move the control plane to a central point (the controller). Instead of each device independently running full control logic and being configured one-by-one, the controller maintains a global view of the network and pushes policy/intent to devices.
C is correct because SDN/controller architectures commonly use southbound APIs between the controller and network devices (to program device behavior/state) and northbound APIs between the controller and applications/automation systems (to express intent, retrieve topology, and integrate with orchestration). This layered API model is a defining characteristic of controller-based networking.
Key Features / How it Works:
- Centralized policy and automation: consistent configuration, faster changes, reduced human error.
- Southbound interfaces: often protocols/APIs such as NETCONF/RESTCONF, gNMI, OpenFlow (conceptually), CAPWAP (for WLC-to-AP control), or vendor-specific APIs.
- Northbound interfaces: typically REST APIs used by automation tools, ITSM, or custom apps.
- Improved visibility: controller has topology/state awareness, enabling intent-based networking and assurance.
Common Misconceptions:
- “Controller-based means devices don’t forward”: incorrect; forwarding still happens on devices (data plane stays distributed).
- “Centralized control plane means no device decisions”: devices still execute forwarding based on tables/policies installed by the controller.
- Confusing CLI management with controller-based operation: many controller platforms still allow CLI access, but the defining trait is centralized control and API-driven management.
Exam Tips:
For CCNA, remember: controller-based/SDN = centralized control plane + APIs (northbound/southbound). If an option describes decentralizing control (each device decides independently), that’s traditional distributed control plane, not controller-based. Also, Telnet is insecure and not a defining characteristic of modern controller-based networks.
5
Question 5
What makes Cisco DNA Center different from traditional network management applications and their management of networks?
Incorrect. While DNA Center has multiple packages/licensing tiers and can be deployed in different sizes (appliance/cluster), “modular design allowing different versions” is not the key differentiator versus traditional NMS. The exam-relevant distinction is intent/policy abstraction and automation rather than a modular versioning model tailored per organization.
Incorrect. DNA Center supports discovery and onboarding in both greenfield and brownfield environments. It can discover existing devices, import them, and then bring them under management (inventory, assurance, provisioning). Limiting it to greenfield-only auto-discovery is false and not aligned with how enterprises adopt DNA Center incrementally.
Incorrect. DNA Center does support high availability and scale through clustering (multiple nodes) depending on the deployment model. While HA design details can vary by version and platform, the statement that it “omits support” for HA in cluster mode is the opposite of DNA Center’s enterprise design goals.
Correct. DNA Center’s intent-based networking approach abstracts policy from device-specific configuration. Administrators define intent (who/what can access what, segmentation, QoS, etc.), and DNA Center automates the translation into device configurations and continuously validates state. This policy abstraction and automation is a primary difference from traditional network management tools.
Question Analysis
Core Concept:
This question tests Cisco DNA Center’s intent-based networking (IBN) approach versus traditional device-by-device network management. Traditional tools often focus on configuring and monitoring individual devices (CLI/SNMP-centric), while DNA Center focuses on defining business intent and policy, then translating that intent into consistent configurations across the network.
Why the Answer is Correct:
Cisco DNA Center is different because it abstracts policy from the actual device configuration. Administrators define high-level intent (for example, user/group access, segmentation, QoS, or application policies) and DNA Center—often in conjunction with Cisco SD-Access—automates the underlying configurations (VLANs/VRFs, SGTs, ACLs, fabric roles, etc.) and pushes them to the appropriate devices. This reduces manual configuration drift and improves consistency, compliance, and speed of change.
Key Features / Best Practices:
DNA Center provides centralized automation (provisioning, templates, software image management), assurance/telemetry-driven insights, and policy-based segmentation. In SD-Access, policy is expressed centrally (e.g., group-based policies using Security Group Tags) and enforced across the fabric without requiring administrators to handcraft per-device ACLs everywhere. Best practice is to treat DNA Center as the “source of truth” for intent/policy and use its workflows to avoid out-of-band CLI changes that create drift.
Common Misconceptions:
Some may think “modular design” or “greenfield-only discovery” defines DNA Center’s uniqueness, but those are not the core differentiators. Others may incorrectly assume it lacks high availability; in reality, DNA Center supports clustering for scale and resiliency.
Exam Tips:
For CCNA, associate DNA Center with controller-based automation, intent/policy abstraction, and centralized assurance. When you see wording like “abstracts policy,” “intent-based,” “translates business intent to configuration,” or “controller-driven automation,” DNA Center/IBN is usually the target concept.
6
Question 6
Which API is used in controller-based architectures to interact with edge devices?
Southbound APIs connect the SDN/controller layer to the infrastructure (edge/data-plane devices). They are used to push configuration or policy, program forwarding behavior, and gather operational state/telemetry from switches, routers, and other network devices. Examples include NETCONF/RESTCONF (YANG-based), gNMI, and historically OpenFlow. This is the correct choice for controller-to-device interaction.
Overlay is not an API; it is a logical/virtual network built on top of another network (the underlay). Examples include VXLAN overlays in data centers or SD-WAN tunnels across the Internet/MPLS. While controllers often manage overlays, “overlay” describes a forwarding/encapsulation design layer, not the interface used to communicate with edge devices.
Northbound APIs are used by applications and automation systems to interact with the controller (for example, to request network services, query topology, or apply intent/policy). They expose controller capabilities “upward” to orchestration and business/IT apps. Northbound is not the controller-to-device interface, so it is incorrect for interacting directly with edge devices.
Underlay is also not an API; it is the physical or base IP network that provides transport for an overlay (routing, switching, links, and core connectivity). Controllers may monitor or configure the underlay, but the term itself refers to the foundational network layer, not the controller interface used to program edge devices.
Question Analysis
Core Concept:
This question tests controller-based (SDN) architecture terminology, specifically how a centralized controller communicates with network devices. In SDN, the control plane is logically centralized in the controller, while the data plane remains on the network devices (switches/routers/APs). APIs define how these components exchange information and instructions.
Why the Answer is Correct:
The southbound API is used by the controller to interact with edge devices (data-plane devices). “Southbound” indicates communication flowing from the controller “down” to the infrastructure. Through southbound interfaces, the controller can push configuration, install forwarding entries, collect telemetry/state, and enforce policy on devices. Common southbound mechanisms include OpenFlow (classic SDN example), NETCONF/RESTCONF with YANG models, gNMI/gRPC for streaming telemetry/config, and vendor-specific protocols used by platforms like Cisco DNA Center/SD-Access and SD-WAN controllers.
Key Features / What Southbound APIs Do:
1. Device control and provisioning: push configs, templates, and policy-derived settings.
2. State and telemetry collection: retrieve operational data, counters, and health metrics.
3. Programmatic forwarding behavior: install/update flows or routing/ACL/QoS intent depending on the solution.
4. Model-driven automation: YANG-based data models enable consistent configuration and validation across devices.
Common Misconceptions:
- Northbound vs southbound confusion is common. Northbound APIs are for applications talking to the controller, not the controller talking to devices.
- Overlay/underlay are network design layers, not API directions. They describe how traffic is carried (virtual vs physical) rather than how a controller communicates.
Exam Tips:
Memorize the directional mapping: Northbound = apps/automation tools to controller; Southbound = controller to network devices. If the question mentions “edge devices,” “switches/routers,” “data plane,” “device programming,” or “pushing config/flows,” it’s almost always southbound. If it mentions “applications,” “orchestration,” or “IT/business apps consuming controller services,” it’s northbound.
7
Question 7
(Select 2)
What are two roles of the Dynamic Host Configuration Protocol (DHCP)? (Choose two.)
Incorrect. DHCP does not assign IP addresses permanently by default; it leases them for a defined duration. Clients are expected to renew their leases (T1/T2 timers) to keep using the address. Permanent assignment is achieved via static configuration or DHCP reservations, not by “no renewal required.”
Correct. A fundamental role of DHCP is to dynamically lease IP addresses to clients from a configured scope/pool. This enables efficient address utilization, centralized management, and easy onboarding of hosts. The lease concept allows addresses to be reclaimed and reused when clients leave the network.
Incorrect as stated. DHCP can provide DNS server information via option 6, and multiple DNS servers can be supplied, but “up to four” is not a standard defining role of DHCP and is not universally true across implementations. The key role is providing configuration parameters, not a specific fixed limit.
Correct. DHCP servers commonly support excluding specific IP addresses (or ranges) from a pool so they are not offered to clients. This prevents conflicts with statically assigned infrastructure addresses (default gateways, servers, printers) and is a standard operational feature in Cisco IOS DHCP configurations.
Incorrect. The DHCP client does not maintain a pool of addresses to assign; that is the DHCP server’s function. Clients request configuration and accept a lease from a server. Confusing client and server roles is a common exam trap.
Question Analysis
Core concept:
DHCP is an IP Services protocol that automatically provides host IP configuration (at minimum an IP address and mask, and commonly default gateway, DNS servers, and other options). It operates using a client/server model and typically uses “leases,” meaning addresses are assigned for a time period and must be renewed.
Why the answer is correct:
B is correct because a primary role of DHCP is to dynamically lease IP addresses to clients from a defined scope/pool. The lease mechanism prevents permanent assignment, allows reuse of addresses, and supports mobility and large client populations.
D is correct because DHCP implementations (including Cisco IOS DHCP) support excluding specific IP addresses from being handed out. Exclusions are used to reserve addresses for statically configured devices (routers, servers, printers) or to avoid conflicts with existing static assignments.
Key features / best practices:
DHCP uses the DORA process: Discover, Offer, Request, Acknowledge. The server tracks leases and clients renew at T1 (typically 50% of lease time) and attempt rebinding at T2 (typically 87.5%). Exclusions (for example, “ip dhcp excluded-address 192.0.2.1 192.0.2.20” on Cisco IOS) should cover default gateways, infrastructure IPs, and any statically assigned ranges. Another best practice is to define correct DHCP options (default-router, dns-server, domain-name) and ensure relay (ip helper-address) is configured when the server is on a different subnet.
Common misconceptions:
Some assume DHCP assigns addresses permanently (like static configuration). In reality, DHCP is lease-based; clients must renew. Others confuse DHCP client behavior with server behavior (clients do not maintain pools). Also, while DHCP can provide DNS server addresses, the “up to four” statement is not a core “role” and is not generally tested as a standard DHCP function in that form.
Exam tips:
For CCNA, remember DHCP’s main roles: automatic IP address assignment via leases and distribution of additional parameters (gateway/DNS), plus operational controls like exclusions/reservations. If an option contradicts the lease/renewal concept or assigns “server-like” duties to the client, it’s likely incorrect.
8
Question 8
A packet is destined for 10.10.1.22. Which static route does the router choose to forward the packet?
10.10.1.0 255.255.255.240 is 10.10.1.0/28. A /28 has a block size of 16 in the last octet, so this route covers 10.10.1.0 through 10.10.1.15. The destination 10.10.1.22 is outside that range, so this route is not a match and cannot be selected.
10.10.1.20 255.255.255.252 is 10.10.1.20/30. A /30 has a block size of 4, so the subnet starting at .20 spans .20–.23. Since 10.10.1.22 falls within this range, the route matches and will be installed/used for forwarding (assuming the next hop is reachable).
10.10.1.16 255.255.255.252 is 10.10.1.16/30. This subnet covers 10.10.1.16–10.10.1.19. The destination 10.10.1.22 is not in that interval, so the router will not use this route for 10.10.1.22 even though it is a valid static route.
10.10.1.20 255.255.255.254 is 10.10.1.20/31. A /31 includes exactly two addresses: 10.10.1.20 and 10.10.1.21. It is commonly used on point-to-point links. Because 10.10.1.22 is not one of the two addresses in this /31, the route does not match.
Question Analysis
Core Concept:
This question tests longest prefix match (most specific route) in IPv4 routing. When multiple routes could match a destination, the router selects the route with the longest subnet mask (largest prefix length) that still contains the destination IP. Administrative distance only matters if two routes have the same prefix length and both match.
Why the Answer is Correct:
Destination: 10.10.1.22.
Evaluate each static route’s destination network range:
- A: 10.10.1.0/28 (255.255.255.240) covers 10.10.1.0–10.10.1.15. 10.10.1.22 is NOT in this range.
- B: 10.10.1.20/30 (255.255.255.252) covers 10.10.1.20–10.10.1.23. 10.10.1.22 IS in this range.
- C: 10.10.1.16/30 covers 10.10.1.16–10.10.1.19. 10.10.1.22 is NOT in this range.
- D: 10.10.1.20/31 (255.255.255.254) covers only two addresses: 10.10.1.20 and 10.10.1.21 (RFC 3021 point-to-point style). 10.10.1.22 is NOT included.
Therefore, only option B matches the destination, so it is the route the router will use.
Key Features / Best Practices:
- Longest prefix match is the primary selection rule: /30 is more specific than /28, but specificity only matters among routes that actually match.
- /31 masks are valid on Cisco IOS for point-to-point links, but they include exactly two IPs and do not have traditional network/broadcast behavior.
- Always verify the destination falls within the route’s network by calculating the block size (256 - mask octet) and the resulting address range.
Common Misconceptions:
- Assuming the “closest-looking” network (like 10.10.1.0/28) matches any 10.10.1.x address. It only matches the first 16 addresses (.0–.15).
- Thinking /31 behaves like /30 and includes four addresses. It does not; it includes only two.
Exam Tips:
- Quickly compute ranges: /28 increments by 16, /30 increments by 4, /31 increments by 2.
- First determine which routes match; then apply longest prefix match among those matches.
- If multiple equal-length matches exist, then consider administrative distance/metric (not needed here).
9
Question 9
Which goal is achieved by the implementation of private IPv4 addressing on a network?
Correct. RFC 1918 private IPv4 addresses are not routable on the public Internet, so internal hosts are not directly reachable from external networks via normal Internet routing. This reduces direct Internet exposure and forces inbound access to go through controlled mechanisms (firewall rules, static NAT/port forwarding, VPN). It’s an added protection layer, though not a substitute for a firewall.
Incorrect. Private addressing does not inherently reduce the size of router forwarding tables. Forwarding table size depends on the number of routes learned and how well routes are summarized/aggregated, not whether the prefixes are public or private. An enterprise can still have many internal routes, and Internet routing tables remain large regardless of RFC 1918 usage.
Incorrect. Private IPv4 addresses are not globally routable, so they cannot be used to communicate across the public Internet to other private networks by default. To connect private networks over the Internet, you typically use VPNs (IPsec/SSL), tunneling/overlays, or NAT with carefully coordinated addressing—private addressing alone does not enable this.
Incorrect. Private addressing by itself does not allow servers/workstations to communicate across public network boundaries (like the Internet). Because RFC 1918 addresses are not routed publicly, you need NAT/PAT for outbound access and additional mechanisms (static NAT, reverse proxy, VPN) for inbound or site-to-site connectivity. The statement implies routability that private addressing does not provide.
Question Analysis
Core concept: Private IPv4 addressing (RFC 1918) defines non-Internet-routable address ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) intended for internal networks. These addresses are not advertised on the public Internet and are typically used with NAT/PAT at the edge.
Why the answer is correct: Implementing private IPv4 addressing provides an added level of protection against direct Internet exposure because hosts using RFC 1918 addresses cannot be reached directly from the Internet via normal routing. Internet routers should not forward RFC 1918 destinations, and service providers filter these routes. As a result, internal devices are not directly addressable from outside, reducing unsolicited inbound reachability. In practice, inbound access requires deliberate configuration (static NAT, port forwarding, VPN, or application proxies), which adds a control point.
Key features and best practices: Private addressing is commonly paired with NAT/PAT on a border router or firewall to allow outbound Internet access while keeping internal addresses hidden. Security is improved by combining this with stateful firewall policies (default-deny inbound), segmentation (VLANs), and least-privilege ACLs. Note that “security by itself” is not guaranteed—NAT is not a firewall—but private addressing does reduce direct exposure by eliminating globally routable host addresses.
Common misconceptions: Some assume private addressing reduces router forwarding tables (B). In reality, forwarding table size is driven by routing design and route aggregation; private vs public does not inherently shrink tables. Others think private networks can communicate across the Internet to other private networks (C) or across public boundaries (D). Private addresses are not routable on the Internet; communication between private networks typically requires VPN tunnels, NAT, or overlay technologies.
Exam tips: Remember: RFC 1918 = internal use, not Internet-routable. If a question mentions “Internet exposure” or “not reachable from the Internet,” private addressing (often with NAT) is the key idea. If it mentions “across the Internet,” the correct concept is usually VPN/overlay/NAT, not private addressing alone.
10
Question 10
(Select 2)
Which two options are the best reasons to use an IPV4 private IP space? (Choose two.)
RFC 1918 private addresses were specifically created for hosts that do not require direct connectivity to external networks, especially for communication within an enterprise. They allow organizations to build large internal networks without needing globally unique public IPv4 addresses for every device. This makes intra-enterprise communication a direct and foundational reason to use private address space. On CCNA-style questions, this is one of the classic intended uses of private IPv4 addressing.
NAT is commonly deployed together with private IPv4 addressing, but it is not one of the best underlying reasons to use private space. NAT is a translation mechanism used because private addresses are not publicly routable, not the original purpose of RFC 1918 addressing. In other words, private addressing often leads to a need for NAT at the edge, but 'to implement NAT' reverses the cause-and-effect relationship. CCNA exams typically treat NAT as a consequence or companion technology rather than the primary reason for choosing private space.
Application connectivity is not a specific reason to choose private IPv4 space. Applications can communicate over either public or private IP addressing as long as routing, name resolution, and security policies are configured correctly. Private addressing does not inherently make applications connect better or more efficiently. Therefore this option is too generic and not tied to the purpose of RFC 1918 space.
Conserving global IPv4 address space is one of the primary reasons private IPv4 space exists. By assigning RFC 1918 addresses internally, organizations avoid consuming scarce public IPv4 addresses for endpoints that do not need to be directly reachable from the Internet. This significantly reduces demand for globally unique addresses and was an important response to IPv4 exhaustion. It is a core textbook reason and a strong exam objective point.
Using private IPv4 addresses does not inherently manage or reduce routing overhead. Routing overhead depends on topology, route summarization, protocol design, hierarchy, and administrative choices rather than whether addresses are public or private. A poorly designed private network can have just as much routing complexity as a public-addressed one. This makes the option technically misleading and not a best reason for private address use.
Question Analysis
Core concept: IPv4 private address space defined in RFC 1918 is reserved for use within private internets and is not routable on the public Internet. The main reasons to use it are to support internal enterprise communication without requiring globally unique addresses and to conserve scarce public IPv4 address space. Key features include internal-only use, reuse by many organizations, and filtering from the public Internet. A common misconception is that NAT is itself the reason to choose private space; in reality, NAT is often used because private addresses are not Internet-routable, but the fundamental motivations are internal communication and public address conservation. Exam tip: for CCNA, remember RFC1918 addresses are for inside/private networks, while NAT is a related mechanism rather than the primary design goal.
