Every answer is cross-verified by 3 leading AI models to ensure maximum accuracy. Get detailed per-option explanations and in-depth question analysis.
GPT Pro
Claude Opus
Gemini Pro
Per-option explanations
In-depth question analysis
3-model consensus accuracy
Practice Questions
1
Question 1
A user configured OSPF and advertised the Gigabit Ethernet interface in OSPF. By default, to which type of OSPF network does this interface belong?
Point-to-multipoint is not the default for Ethernet on Cisco IOS. It is typically used when you want OSPF to treat a multiaccess network as a collection of point-to-point links (often in hub-and-spoke or certain NBMA designs) and generally avoids DR/BDR elections. It can be configured manually, but GigabitEthernet defaults to broadcast.
Point-to-point is commonly the default on serial links running PPP/HDLC and on some tunnel interfaces, where only two endpoints exist and no DR/BDR election is needed. Even if an Ethernet link connects only two routers, OSPF still defaults to broadcast on GigabitEthernet unless you explicitly set ip ospf network point-to-point.
Broadcast is the default OSPF network type for Ethernet interfaces such as GigabitEthernet. It assumes the segment supports broadcast/multicast, uses multicast Hellos for neighbor discovery, and performs DR/BDR elections on the multiaccess subnet. This matches typical LAN/VLAN behavior and is the expected default answer for GigabitEthernet in CCNA.
Nonbroadcast is used for NBMA networks where broadcast/multicast is not supported (classic examples: Frame Relay/ATM). In nonbroadcast mode, OSPF cannot rely on multicast Hellos for discovery and often requires static neighbor configuration. GigabitEthernet supports broadcast/multicast, so it does not default to nonbroadcast.
Question Analysis
Core Concept:
This question tests OSPF network types and their defaults based on interface media. OSPF uses the network type to decide how neighbors are discovered, whether a DR/BDR election occurs, and what kind of LSA behavior is expected on the link.
Why the Answer is Correct:
A GigabitEthernet interface on Cisco IOS is an Ethernet multiaccess medium. By default, OSPF treats Ethernet interfaces (including FastEthernet and GigabitEthernet) as a broadcast network type. In OSPF, “broadcast” means the segment supports Layer 2 broadcast/multicast, so OSPF can use multicast Hellos (224.0.0.5 and 224.0.0.6) for neighbor discovery and can perform a Designated Router (DR) and Backup Designated Router (BDR) election to reduce adjacency/LSA overhead on multiaccess networks.
Key Features / Behaviors:
- Default OSPF network type on Ethernet: broadcast
- Neighbor discovery: automatic via multicast Hellos
- DR/BDR election: yes (based on OSPF priority, then router ID)
- Typical use case: VLANs/LAN segments where multiple routers could share the same subnet
- Can be changed manually per interface with: ip ospf network {broadcast | point-to-point | point-to-multipoint | non-broadcast}
Common Misconceptions:
- Point-to-point is often associated with “a single link,” so candidates may assume a single router-to-router Ethernet cable should be point-to-point. However, OSPF defaults are based on media type, not the number of neighbors actually present. Even if only two routers are connected via an Ethernet link, the default remains broadcast unless you explicitly change it.
- Nonbroadcast is commonly confused with broadcast; nonbroadcast is typically for NBMA networks (historically Frame Relay/ATM) where broadcast/multicast is not supported and neighbors often must be statically defined.
Exam Tips:
- Memorize default OSPF network types by interface: Ethernet = broadcast; serial HDLC/PPP = point-to-point (common default); NBMA technologies often default to nonbroadcast (platform-dependent) but are less emphasized in modern CCNA.
- If you see “GigabitEthernet/FastEthernet” and no special context, default to broadcast and remember DR/BDR behavior.
- If a question mentions manual neighbor statements, think nonbroadcast or point-to-multipoint nonbroadcast.
(Reference: Cisco OSPF configuration guides describe Ethernet as broadcast multiaccess with DR/BDR election and multicast Hellos.)
Want to practice all questions on the go?
Download Cloud Pass for free — includes practice tests, progress tracking & more.
Download Cloud Pass and access all Cisco 200-301: Cisco Certified Network Associate (CCNA) practice questions for free.
Want to practice all questions on the go?
Get the free app
Download Cloud Pass for free — includes practice tests, progress tracking & more.
2
Question 2
If a notice-level message is sent to a syslog server, which event has occurred?
A device restart is certainly logged to syslog, but it is not the best match for notice (level 5) in typical Cisco severity mapping. Many reboot/startup messages are informational (level 6) because they describe normal operational status rather than a significant condition requiring attention. While some platforms may log certain reload-related events at notice, it is not the canonical association tested on CCNA.
A debug operation corresponds to syslog severity level 7 (debugging). Debug messages are the most verbose and least severe, and they are usually not sent to a central syslog server unless explicitly configured (logging trap debugging). Therefore, a notice-level message (5) does not indicate that a debug operation is running.
A routing instance (or routing neighbor/adjacency) flapping is a classic “normal but significant” event. It indicates a meaningful state change that can impact traffic, but it may not be a device fault. These types of up/down transitions are commonly logged at severity 5 (notice), making this the best match for a notice-level syslog message.
An ARP inspection failure (Dynamic ARP Inspection) is typically treated as a security-related problem and is more likely to be logged as warning (4) or error (3), depending on the exact message and platform. “Failed inspection” implies an abnormal condition that may require action, which generally maps to warning/error rather than notice.
Question Analysis
Core Concept:
This question tests Cisco syslog severity levels. Syslog messages have a facility and a severity (0–7). The severity indicates how serious the event is and is commonly used to decide what gets sent to a syslog server via the logging trap level.
Why the Answer is Correct:
A notice-level syslog message is severity level 5 ("notifications" / "notice"). Cisco defines level 5 as a normal but significant condition—something noteworthy that is not an error condition. A classic example is a routing adjacency or routing process event such as a neighbor relationship going up/down (a “flap”). Those events are significant operational changes but often not “errors” in the sense of a malfunction; they are typically logged at level 5.
Key Features / Configuration / Best Practices:
On Cisco IOS, you control what severities are sent to the syslog server with commands like:
- logging host <ip>
- logging trap notice (or a higher/lower level)
Remember: lower numbers are more severe. If you set logging trap notice (5), the device will send levels 0–5 (emergencies through notice), but not informational (6) or debugging (7). In production, many organizations choose informational (6) or notice (5) depending on volume and the need to capture state changes (like routing neighbor flaps).
Common Misconceptions:
Many learners confuse “notice” with “notification” or think it implies a reboot. Reboots are usually logged at level 6 (informational) or sometimes level 5 depending on platform/message ID, but the canonical mapping for “device restarted” is not specifically “notice.” Another common mistake is assuming anything security-related (like ARP inspection) is “notice”; failures are generally warnings (4) or errors (3).
Exam Tips:
Memorize the severity ladder: 0 Emergency, 1 Alert, 2 Critical, 3 Error, 4 Warning, 5 Notice, 6 Informational, 7 Debugging. Also remember the filtering rule: “logging trap X” sends 0 through X. When you see “debug operation,” think level 7; when you see “failed,” think warning/error; when you see “state change/flap,” think notice/informational.
3
Question 3
A network engineer must back up 20 network router configurations globally within a customer environment. Which protocol allows the engineer to perform this function using the Cisco IOS MIB?
ARP (Address Resolution Protocol) maps an IPv4 address to a MAC address on a local network segment. It is used for Layer 2 adjacency and forwarding decisions, not for device management. ARP has no concept of MIBs, OIDs, or centralized polling/collection. While ARP tables can be viewed for troubleshooting, ARP cannot be used to back up router configurations or interact with Cisco IOS MIB objects.
SNMP is the protocol designed to query and manipulate MIB objects on network devices. Cisco IOS exposes many operational and device-specific parameters through Cisco MIBs, which an SNMP manager can poll across many routers globally. Because the question explicitly references “using the Cisco IOS MIB,” SNMP is the only protocol in the options that directly uses MIBs (especially with SNMPv3 recommended for secure management).
SMTP (Simple Mail Transfer Protocol) is used to send email between mail clients and mail servers or between mail servers. It does not provide network device management, configuration retrieval, or any interaction with MIB databases. SMTP might be used by monitoring systems to send alert emails, but it is not the protocol used to access Cisco IOS MIB information or perform configuration backups.
CDP (Cisco Discovery Protocol) is a Cisco proprietary Layer 2 neighbor discovery protocol used to learn about directly connected Cisco devices (device ID, interface, platform, IP address, etc.). CDP is helpful for topology discovery and troubleshooting but does not use MIBs as its primary mechanism for configuration backup. It cannot retrieve full router configurations or perform global configuration backups.
Question Analysis
Core Concept:
This question tests understanding of network management protocols and how device configuration data can be accessed/managed at scale using Management Information Bases (MIBs). A MIB is a structured database of managed objects (OIDs) that a network management system (NMS) can query or set.
Why the Answer is Correct:
SNMP (Simple Network Management Protocol) is the protocol used to access MIB objects, including Cisco-specific MIBs such as the Cisco IOS MIB. If an engineer needs to back up router configurations globally using the Cisco IOS MIB, the mechanism is SNMP GET/GETNEXT/GETBULK (and sometimes SET) operations against relevant OIDs. Cisco provides MIB modules that expose configuration-related information and operational state. While many real-world config backups are done via SSH/SCP/TFTP/NETCONF, the question explicitly says “using the Cisco IOS MIB,” which directly implies SNMP.
Key Features / Best Practices:
SNMP uses a manager/agent model: routers run an SNMP agent; the engineer uses an NMS/SNMP manager to poll devices. SNMPv3 is the best practice because it provides authentication and encryption (unlike SNMPv1/v2c which rely on community strings in clear text). For global scale, SNMP supports standardized monitoring and inventory across many devices, and Cisco enterprise MIBs extend visibility into IOS-specific features.
Common Misconceptions:
Candidates may think of TFTP/SCP for “backup configs,” which is common operationally, but those are file transfer methods and not “using the Cisco IOS MIB.” Others may confuse CDP (neighbor discovery) or ARP (IP-to-MAC mapping) with management functions; neither interacts with MIBs. SMTP is email transport and unrelated.
Exam Tips:
When you see “MIB,” immediately associate it with SNMP. Also remember: SNMP is primarily for monitoring, but the exam often frames it as the protocol that leverages MIBs for management tasks. If security is mentioned, prefer SNMPv3. If the question instead referenced configuration automation via data models (YANG), then NETCONF/RESTCONF would be the likely direction—but that is not MIB-based.
4
Question 4
An email user has been lured into clicking a link in an email sent by their company's security organization. The webpage that opens reports that it was safe, but the link may have contained malicious code.
Which type of security program is in place?
User awareness is correct because the company security organization sent the email and the clicked link led to a safe page. That pattern matches simulated phishing used for security awareness training. These programs educate users to recognize phishing/social engineering, measure risk (click/report rates), and reinforce best practices like verifying URLs, reporting suspicious emails, and using MFA.
Brute force attack is an authentication attack where an attacker repeatedly tries many passwords or keys until one works (often against SSH, VPN, or web logins). It does not involve luring users to click links or landing pages. Nothing in the scenario suggests password guessing, rate-based login attempts, or account lockouts.
Physical access control refers to preventing unauthorized physical entry using locks, badges, mantraps, guards, and cameras. The scenario is entirely about an email link and a web page, which are logical/social vectors rather than physical security controls. Therefore it does not fit the described situation.
Social engineering attack describes tactics like phishing, pretexting, and baiting used by attackers to manipulate people. While the email resembles phishing, the question asks which security program is in place, and it was sent by the company’s security organization with a safe landing page. That indicates a training simulation, not an actual attacker-driven social engineering attack.
Question Analysis
Core Concept:
This scenario describes a security awareness (user awareness) program using simulated phishing. Organizations run controlled tests where users receive realistic phishing emails; if they click, they are redirected to a safe landing page that explains the result. This measures susceptibility and reinforces training.
Why the Answer is Correct:
The email was sent by the company’s security organization, and the webpage reports it was safe. That combination strongly indicates a phishing simulation campaign (often called “phish testing”) as part of a user awareness program. The goal is not to compromise the user, but to educate them and gather metrics (click rates, credential submission rates, reporting rates) to improve human-layer defenses.
Key Features / Best Practices:
User awareness programs typically include: regular training on recognizing phishing indicators (sender spoofing, urgent language, mismatched URLs), simulated phishing exercises, easy reporting mechanisms (e.g., “Report Phish” button), and follow-up micro-training for users who click. Best practice is to pair simulations with technical controls (email filtering, URL rewriting/sandboxing, DNS security, MFA) because training alone is not sufficient. Policies should ensure simulations are ethical, non-punitive, and focused on improvement.
Common Misconceptions:
Option D (social engineering attack) sounds plausible because phishing is a form of social engineering. However, the question asks which type of security program is in place, and the sender is the company’s security organization with a safe landing page—this points to training, not an actual attack. Options B and C are unrelated: brute force targets authentication via repeated guesses, and physical access control concerns badges/locks/cameras.
Exam Tips:
On CCNA, distinguish between “attack type” and “security control/program.” If the prompt mentions internal security teams, safe landing pages, or “you clicked” notifications, it’s almost always security awareness training via phishing simulation. If it describes an external adversary attempting to trick users for credentials or malware, then it’s social engineering/phishing as an attack.
5
Question 5
Which feature on the Cisco Wireless LAN Controller when enabled restricts management access from specific networks?
TACACS+ is an AAA protocol used to authenticate and authorize administrative users (typically for device management logins). It answers “who is allowed to log in” and what commands they can run, but it does not inherently restrict access based on source networks. You could combine TACACS+ with an ACL, but TACACS+ alone is not the feature that restricts management access from specific networks.
CPU ACL is the correct choice because it protects the WLC management plane by filtering traffic destined to the controller CPU/management interface. By permitting only specific source subnets/hosts and denying others, it restricts who can reach management services (SSH/HTTPS/SNMP, etc.). This directly matches the requirement to restrict management access from specific networks.
Flex ACL is generally associated with FlexConnect deployments and is used to filter client traffic (data plane) at the AP or for specific WLAN/client policies, depending on design. It is not primarily a management-plane protection feature for the WLC itself. Therefore, it does not best match “restricts management access” to the controller.
RADIUS is also an AAA protocol, commonly used for network access (802.1X) and sometimes for administrative login authentication. Like TACACS+, it controls authentication/authorization/accounting, not the source IP networks that are allowed to reach the WLC management interface. Source-based management restriction is accomplished with a management/CPU ACL, not RADIUS.
Question Analysis
Core Concept:
This question tests how a Cisco Wireless LAN Controller (WLC) restricts management-plane access. In Cisco terminology, protecting the management plane is commonly done with an access control list applied to the CPU/management interfaces so only approved source networks can reach services like HTTPS/HTTP, SSH, SNMP, and controller management protocols.
Why the Answer is Correct:
On a WLC, enabling a CPU ACL (often referred to as a “CPU Access Control List” or “management ACL”) restricts management access from specific networks by filtering traffic destined to the controller’s management plane. In other words, it controls which source IP subnets/hosts are allowed to initiate management sessions to the WLC. This is exactly what the question describes: restricting management access from specific networks.
Key Features / How It’s Used:
A CPU ACL is applied to the controller’s management interface/CPU, not to client data traffic. Best practice is to permit only trusted admin subnets (e.g., NOC/VPN ranges) and deny everything else, while ensuring required services (DNS, NTP, syslog, RADIUS/TACACS reachability as needed) remain allowed. This reduces attack surface (brute force, scanning, exploitation) and is a standard management-plane hardening step.
Common Misconceptions:
TACACS and RADIUS are AAA protocols; they control “who” can log in (authentication/authorization/accounting), not “from where” they can reach the management interface. Flex ACL and WLAN/Interface ACLs are typically used to filter client/user traffic (data plane) in centralized or FlexConnect deployments, not to protect the controller’s own management-plane access.
Exam Tips:
When you see “restrict management access from specific networks,” think “management-plane ACL” (CPU ACL) rather than AAA. AAA answers are correct when the question focuses on user/admin credential validation, role-based authorization, or accounting logs. ACL answers are correct when the question focuses on IP-based source restrictions or traffic filtering to the device itself.
6
Question 6
Which statement compares traditional networks and controller-based networks?
Correct. Traditional networks typically have a distributed control plane (each device runs routing/STP/control protocols) and a local data plane. Controller-based (SDN) networks centralize control logic in a controller/cluster and push forwarding/policy to devices, which primarily handle packet forwarding. This is the classic control-plane/data-plane decoupling concept tested in CCNA Automation and Programmability.
Incorrect. Policy abstraction from device-level configuration is a common goal in controller-based/intent-based networking, but traditional networks generally require configuring policies directly on each device (ACLs, QoS, routing policy, VLANs). While you can use tools to template configs, the network itself does not inherently abstract policy from device configuration in the same architectural way.
Incorrect. Traditional networks can support centralized management using NMS platforms (SNMP/telemetry collectors, syslog servers, configuration management tools), but it is not “native” in the architectural sense, and it is not exclusive to traditional networks. Controller-based networks are actually known for centralized management and orchestration as a primary design goal.
Incorrect. Traditional networks do not offer a centralized control plane; their control plane is distributed across devices (each router/switch makes its own control decisions based on protocols and local configuration). Controller-based networks, by contrast, provide a logically centralized control plane via a controller/cluster, which is one of the main differentiators from traditional designs.
Question Analysis
Core Concept:
This question tests the architectural difference between traditional (distributed) networking and controller-based (SDN-style) networking, specifically the relationship between the control plane (decision-making: routing, policy, path selection) and the data plane (forwarding packets in hardware/software).
Why the Answer is Correct:
In traditional networks, each device (router/switch) contains both the control plane and the data plane. For example, OSPF/EIGRP/BGP compute routes locally on each router, and the forwarding table is programmed locally. In controller-based networks, the control plane is logically centralized in a controller (or controller cluster) and devices primarily act as forwarding nodes that receive policy/forwarding instructions from the controller. This is the key “decoupling” idea: separating (or at least centralizing) control logic away from individual devices. Therefore, statement A correctly compares the two: controller-based networks decouple control and data planes (logically), while traditional networks generally do not.
Key Features / Best Practices:
Controller-based networks commonly provide centralized policy definition, intent-based networking, automation via APIs, and consistent configuration deployment. Examples include Cisco SD-Access (DNA Center as controller/management), SD-WAN (vManage/vSmart), and ACI (APIC). Note that “decoupling” is often logical rather than physical; controllers may run in clusters for resiliency, and devices still perform local forwarding.
Common Misconceptions:
Many confuse centralized management with centralized control. Traditional networks can have centralized management tools (NMS, SNMP, syslog, configuration managers), but the control plane decisions still happen per-device. Also, controller-based networks do not necessarily “abstract policies from device configurations” in the same way across all solutions; abstraction is a common SDN goal, but the defining comparison here is control/data plane separation.
Exam Tips:
For CCNA, remember: traditional = distributed control plane on every device; controller-based/SDN = logically centralized control plane with programmable interfaces. If an option claims traditional networks have centralized control, it’s almost always wrong. Also watch wording like “natively” and “only”—these are strong qualifiers that often make distractors incorrect.
7
Question 7
Which IPv6 address block forwards packets to a multicast address rather than a unicast address?
2000::/3 is the IPv6 Global Unicast Address (GUA) range. These are publicly routable unicast addresses, similar in concept to IPv4 public addresses. Packets destined to 2000::/3 are forwarded using normal unicast routing toward a single destination interface, not replicated to a group. This option is a common distractor because it is the most common “Internet” IPv6 range.
FC00::/7 is the Unique Local Address (ULA) block, typically used for private internal addressing (commonly FD00::/8 in practice). ULAs are unicast addresses and are not intended to be routed on the public Internet (though they can be routed within an organization). They do not represent multicast groups and do not cause multicast-style forwarding behavior.
FE80::/10 is the IPv6 link-local unicast range. Every IPv6-enabled interface automatically has a link-local address, used for on-link communication such as Neighbor Discovery and routing protocol neighbor relationships (e.g., OSPFv3, EIGRP for IPv6). Despite its special role, FE80::/10 is still unicast: it identifies a single interface on the local link, not a multicast group.
FF00::/12 falls within the IPv6 multicast space (IPv6 multicast is FF00::/8 overall). Any destination starting with FF is multicast, meaning it targets a group of receivers rather than a single interface. Routers and hosts treat these destinations according to multicast rules (scope, group membership), and IPv6 uses multicast extensively (e.g., FF02::1 all-nodes, FF02::2 all-routers).
Question Analysis
Core Concept:
This question tests IPv6 address types and how routers forward traffic based on the destination prefix. In IPv6, unicast addresses identify a single interface, while multicast addresses identify a group of interfaces. Packets sent to a multicast destination are replicated and delivered to all members of that multicast group (subject to multicast routing/snooping behavior).
Why the Answer is Correct:
FF00::/12 is the IPv6 multicast address block. Any destination address beginning with FF (i.e., within FF00::/8; the option given is FF00::/12, a subset) is treated as multicast. When a router receives a packet destined to an FFxx:... address, it is not forwarded as a unicast to one next hop; instead, it is processed/forwarded according to multicast rules (e.g., delivered locally if the router is a member, and forwarded out interfaces with interested receivers if multicast routing is enabled).
Key Features / Details:
IPv6 multicast addresses start with FF00::/8. The second byte contains flags and scope (e.g., link-local scope, site-local, global). Common examples include FF02::1 (all nodes on the local link) and FF02::2 (all routers on the local link). IPv6 relies heavily on multicast for functions that IPv4 often handled with broadcast, such as Neighbor Discovery (NDP) using solicited-node multicast addresses (FF02::1:FFxx:xxxx).
Common Misconceptions:
Many learners confuse link-local (FE80::/10) with multicast because link-local is used for neighbor discovery and routing protocol adjacencies, but FE80::/10 is still unicast (one interface). Another confusion is thinking “special-use” blocks like FC00::/7 imply group delivery; they do not—ULA is still unicast.
Exam Tips:
Memorize the high-level IPv6 blocks: 2000::/3 = global unicast, FC00::/7 = unique local unicast, FE80::/10 = link-local unicast, FF00::/8 = multicast. If it starts with FF, it’s multicast—no exceptions in CCNA-level questions.
8
Question 8
Router R1 must send all traffic without a matching routing-table entry to 192.168.1.1. Which configuration accomplishes this task?
Incorrect. The command ip route default-route 192.168.1.1 is not valid IOS syntax for creating a default route. Cisco IOS requires the destination network and mask (or prefix) to be specified, such as 0.0.0.0 0.0.0.0. While ip routing is fine, the static route line would be rejected or not accomplish the intended default routing behavior.
Incorrect. This option misuses the ip route syntax and parameter order. It places 192.168.1.1 where the destination network should be, and then provides two 0.0.0.0 values that do not correctly represent the mask and next hop in the required positions. The correct default route must specify destination 0.0.0.0 with mask 0.0.0.0, followed by the next-hop address.
Correct. ip route 0.0.0.0 0.0.0.0 192.168.1.1 configures a static default route (gateway of last resort). The /0 prefix matches any destination not already matched by a more specific route, and forwards that traffic to next hop 192.168.1.1. This is the standard and expected CCNA answer for sending all unknown traffic to a specific next hop.
Incorrect for a router performing routing. ip default-gateway 192.168.1.1 is used on devices that are not routing (commonly Layer 2 switches) to define where management traffic should go to reach remote networks. On a router, the correct method is a default route (ip route 0.0.0.0 0.0.0.0 <next-hop>).
Question Analysis
Core Concept:
This question tests configuring a default route (gateway of last resort) on a Cisco router. A default route is used when a packet’s destination does not match any more-specific route in the routing table. In IPv4, the default route is represented as 0.0.0.0/0.
Why the Answer is Correct:
Option C uses the correct IOS static route syntax for a default route:
ip route 0.0.0.0 0.0.0.0 192.168.1.1
Here, 0.0.0.0 0.0.0.0 defines the destination network and mask (/0), meaning “match anything.” The next-hop IP address 192.168.1.1 tells R1 where to forward traffic that has no more specific match. This creates a candidate default route and, if the next hop is reachable, it becomes the gateway of last resort.
Key Features / Best Practices:
- Default route format: ip route 0.0.0.0 0.0.0.0 <next-hop | exit-interface>
- Ensure the next-hop (192.168.1.1) is reachable via a connected interface or another route; otherwise the default route may not be installed/used as expected.
- On routers, ip routing is enabled by default (unlike many L2 switches). Including it is harmless but usually unnecessary.
Common Misconceptions:
- Confusing ip default-gateway with a router default route: ip default-gateway is for devices not performing routing (typically L2 switches) to reach remote management networks.
- Misordering parameters in ip route: IOS expects destination network and mask first, then next hop or exit interface.
- Thinking “default-route” is a keyword in ip route: it is not.
Exam Tips:
- Memorize: default route = 0.0.0.0/0.
- For static routes: ip route <dest> <mask> <next-hop/exit-int>.
- If you see ip default-gateway in a router question, it’s almost always incorrect unless the device is acting purely as a host (routing disabled).
9
Question 9
Which function does the range of private IPv4 addresses perform?
Correct. RFC 1918 private IPv4 ranges are reserved so that multiple organizations can reuse the same internal address space without global conflicts. Because these routes are not carried on the public Internet, Company A and Company B can both use 192.168.1.0/24 internally. This conserves public IPv4 space and simplifies internal network design, especially when combined with NAT for Internet access.
Incorrect. Private IPv4 addresses do not provide a direct connection for hosts from outside the enterprise network. In fact, they are not routable on the public Internet, so external hosts cannot reach them directly. If inbound access is needed, organizations use public IPs with NAT (static NAT/port forwarding) and security controls (firewalls/ACLs), not private addressing itself.
Incorrect. Private range addressing does not remove the need for NAT to reach the Internet. Since RFC 1918 addresses are not routable on the public Internet, some mechanism (commonly NAT/PAT, or a proxy/translation service) is required for private hosts to communicate with public Internet hosts. The statement reverses the real relationship: private addressing typically increases the need for NAT at the edge.
Incorrect. Private IPv4 addressing does not inherently enable secure communications to the Internet. “Private” means non-publicly routable, not encrypted or protected. Security requires technologies and policies such as firewalls, ACLs, VPNs, TLS, and segmentation. While private IPs can reduce unsolicited inbound reachability, they do not guarantee security for communications or for external hosts.
Question Analysis
Core Concept:
This question tests understanding of RFC 1918 private IPv4 address space and why it exists. Private IPv4 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) are reserved for use inside private networks and are not routable on the public Internet.
Why the Answer is Correct:
Option A is correct because the key function of private IPv4 address ranges is to allow many different organizations to reuse the same address space internally without causing global address conflicts. Since these addresses are not advertised or routed on the public Internet, Company A and Company B can both use 10.1.1.0/24 internally with no conflict, as long as those networks remain private. This design conserves scarce public IPv4 space and simplifies internal addressing.
Key Features / How it Works:
Private addresses are intended for internal routing only. Internet routers drop RFC 1918 routes, preventing accidental global reachability. When private hosts need Internet access, they typically use NAT/PAT at the edge to translate private (inside local) addresses to public (inside global) addresses. Private addressing is also common in enterprise LANs, campus networks, and home networks (SOHO), often combined with DHCP for easy host configuration.
Common Misconceptions:
A frequent misunderstanding is thinking private addressing inherently provides security or direct Internet connectivity. Private addresses are “non-routable,” not “secure.” Security requires controls like stateful firewalls, ACLs, segmentation, and secure protocols. Another misconception is that NAT is optional for Internet access with private IPs; in practice, some form of translation or proxying is required to communicate with public Internet hosts.
Exam Tips:
Memorize the RFC 1918 ranges and the phrase “not routable on the public Internet.” If an option suggests private IPs provide direct Internet connectivity or eliminate NAT needs, it’s almost certainly wrong. For CCNA, associate private addressing with address conservation and internal reuse, and associate Internet access from private networks with NAT/PAT and perimeter security controls.
10
Question 10
What is the destination MAC address of a broadcast frame?
00:00:0c:07:ac:01 is not a broadcast MAC because it is not all Fs. It looks like a Cisco-related OUI (00:00:0c is historically associated with Cisco) and could represent a virtual MAC used by certain redundancy protocols or a specific device MAC. Broadcast frames must use ff:ff:ff:ff:ff:ff as the destination.
ff:ff:ff:ff:ff:ff is the Ethernet broadcast destination MAC address. All bits are set to 1, which signals every device on the local Layer 2 segment/VLAN to accept the frame. Switches flood frames destined to this address out all ports in the VLAN (except the ingress port), making it the correct answer.
43:2e:08:00:00:0c is not a broadcast address. It is a specific unicast MAC format (and does not have all Fs). It may appear tempting because it contains 00:00:0c (a Cisco OUI) at the end, but broadcasts are defined strictly as all 1s in the destination MAC field.
00:00:0c:43:2e:08 is not a broadcast MAC address. It begins with a Cisco OUI-like prefix (00:00:0c), which can be seen in certain Cisco virtual MACs, but it is still a specific address rather than the all-ones broadcast. Broadcast requires ff:ff:ff:ff:ff:ff exactly.
00:00:0c:ff:ff:ff is not the Ethernet broadcast address because only the last three bytes are ff. A true broadcast MAC has all six bytes set to ff. This option is a common distractor that tests whether you know the broadcast address is 48 bits of 1s, not a partial pattern.
Question Analysis
Core Concept:
This question tests Ethernet Layer 2 addressing—specifically the destination MAC address used for a broadcast frame. In Ethernet, the destination MAC determines which devices on the local Layer 2 segment (broadcast domain/VLAN) should process the frame.
Why the Answer is Correct:
The Ethernet broadcast MAC address is ff:ff:ff:ff:ff:ff (all 48 bits set to 1). When a switch receives a frame with this destination, it floods the frame out all ports in the same VLAN except the port it was received on (subject to STP state and other forwarding rules). All hosts in that VLAN will accept and process the frame at Layer 2 because the destination matches the broadcast address.
Key Features / How It’s Used:
Broadcast frames are commonly used by protocols that need to reach all local devices when the sender does not know a specific destination MAC. A classic example is ARP Request: a host that knows an IPv4 address but not the corresponding MAC sends an ARP request to ff:ff:ff:ff:ff:ff. Other examples include some DHCP messages (initial client broadcasts) and certain discovery/legacy protocols. Broadcasts are confined to a VLAN; routers do not forward Layer 2 broadcasts between subnets (by default), which is a key reason VLANs/subnets limit broadcast scope.
Common Misconceptions:
Some options resemble Cisco-related MAC patterns (00:00:0c...) which are Organizationally Unique Identifier (OUI) prefixes often seen in Cisco protocols (e.g., HSRP uses a virtual MAC starting with 00:00:0c). Those are not broadcasts; they are specific unicast or multicast/virtual MAC addresses. Another trap is thinking “broadcast” might mean “unknown unicast flooding,” but unknown unicast frames still have a specific unicast destination MAC—just not yet learned by the switch.
Exam Tips:
Memorize these key Ethernet addresses:
- Broadcast: ff:ff:ff:ff:ff:ff
- Multicast: least significant bit of the first octet is 1 (e.g., 01:00:5e... for IPv4 multicast)
Also remember: broadcasts are flooded within a VLAN and are not routed across Layer 3 boundaries without special features (e.g., DHCP relay is not “broadcast forwarding”; it’s a helper function).
