200-301 Exam Simulation

The document contains a series of questions and explanations related to networking concepts, specifically focusing on Ansible, Cisco IOS commands, VLANs, Class C IP addresses, SNMP, VPN solutions, and NAT configurations. Each question includes multiple-choice options, correct answers, and detailed explanations of the concepts involved. The content is aimed at preparing individuals for the 200-301 exam simulation, covering automation, network access, fundamentals, and IP services.

11/14/24, 2:49 PM 200-301 Exam Simulation

Quick Quiz November 14, 2024 Test ID: 317575210

Question #1 of 80 Question ID: 1703830

Which of the following is NOT true of Ansible?

A) Agent-less deployment
B) Installation is very easy and configured easily.
C) SSH communications are slow, which may cause more downtime.
D) Understanding of the script execution is difficult.

Explanation

Understanding of the script execution is NOT difficult. On the contrary, Ansible commands are executed in sequential
order so that understanding of the script execution is straightforward.

It is true that SSH communications are slow, which may cause more downtime.

It is also true that the Ansible installation is very simple and configured easily.

Finally, Ansible uses agent-less deployment. This makes connection faster compared to an agent-based model.

Objective:
Automation and Programmability

Sub-Objective:
Recognize the capabilities of configuration management mechanisms such as Ansible and Terraform

References:

Digital Varys > Ansible vs Chef vs Puppet

Question #2 of 80 Question ID: 1703619

Which Cisco IOS command disables Cisco Discovery Protocol Version 2 (CDPv2) advertisements?

A) no cdp enable
B) no cdp v2-advertise
C) no cdp run
D) no cdp advertise-v2
https://www.kaplanlearn.com/education/test/print/98791994?testId=317575210 1/116

Explanation

The no cdp advertise-v2 command disables CDPv2 advertisements. It is the reverse of the cdp advertise-v2
command, which enables CDPv2 advertisements on a device.

The no cdp v2-advertise command is not a valid Cisco IOS command.

The no cdp run command disables CDP, not CDPv2 advertisements.

The no cdp enable command disables CDP on an interface.

Objective:
Network Access

Sub-Objective:
Configure and verify Layer 2 discovery protocols (Cisco Discovery Protocol and LLDP)

References:

Cisco > Support > Cisco Discovery Protocol Configuration Guide, Cisco IOS Release 12.4 > Chapter: Using Cisco
Discovery Protocol

Question #3 of 80 Question ID: 1703510

Assume that all ports on Layer 2 devices are in the same virtual LAN (VLAN). View the given network topology.


Which network device should be placed at the highlighted box to produce a total of two broadcast domains and seven
collision domains in the network?

A) Switch
B) Hub
C) Router
D) Bridge

Explanation

A hub should be placed at the highlighted box to produce a total of two broadcast domains and seven collision domains
in the network. Network devices segment collision domains and broadcast domains in the following manner:

Hub: A Layer 1 device with all ports in the same collision domain and broadcast domain.
Bridge/Switch: Layer 2 devices on which all ports are in different collision domains, but in the same broadcast
domain (assuming that all ports are in the same VLAN or no VLAN is configured).
Router: A Layer 3 device on which every port is a separate collision domain as well as a separate broadcast domain.

The bridge shown in the graphic has three ports populated by active links, resulting in three collision domains. The
switch shown in the exhibit has four ports populated with the links, resulting in four collision domains. Together these
two devices create seven collision domains.

Because the scenario requires that there be no more than seven collision domains, the device in the highlighted box
must not create any further collision domains. A hub is a device that has all its ports in the same collision domain and
will not create any further collision domains in the topology.

A bridge or switch cannot be the correct option because these will also add collision domains.

In the exhibit, the router has two ports with active links, which will result in two broadcast domains. Because the
scenario states there are no more than two broadcast domains, the device in the highlighted box must not be a router.
Routers are used to segment broadcast domains.

Objective:
Network Fundamentals

Sub-Objective:
Describe characteristics of network topology architectures

References:

Cisco > Product Support > Switches > Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide,
12.2(25)EW > Chapter: Understanding and Configuring VLANs


Question #4 of 80 Question ID: 1703553

Which of the following statements are true of Class C IP addresses? (Choose all that apply.)

A) The first three octets represent the entire network portion of the address.
B) The first octet represents the entire network portion of the address.
C) The value of the first binary place in the first octet must be 0.
D) The decimal values of the first octet can range from 1 to 126.
E) The decimal values of the first octet can range from 192 to 223.
F) The value of the first two binary places in the first octet must be 11.

Explanation

Class C IP addresses will have the following characteristics:

The decimal values of the first octet can range from 192 to 223.
The first three octets represent the entire network portion of the address.
The value of the first two binary places in the first octet must be 11.

Class B IP addresses will have the following characteristics:

The decimal values of the first octet can range from 128 to 191.
The first two octets represent the entire network portion of the address.
The value of the first two binary places in the first octet must be 10.

Class A IP addresses will have the following characteristics:

The decimal values of the first octet can range from 1 to 126.
The first octet represents the entire network portion of the address.
The value of the first binary place in the first octet must be 0.

Objective:
Network Fundamentals

Sub-Objective:
Configure and verify IPv4 addressing and subnetting

References:

Cisco > Support > Technology Support > IP Routing > Troubleshooting TechNotes > Configure IP Addresses and
Unique Subnets for New Users > Document ID: 13788


Question #5 of 80 Question ID: 1703746

You have recently been hired as a network administrator. After starting your new job, you discover that the network
devices are not being monitored on a regular basis. You need to deploy a technology or protocol that will provide this
service.

Which protocol or technology should you deploy?

A) SMTP
B) DHCP
C) SNMP
D) DNS

Explanation

You would deploy Simple Network Management Protocol (SNMP) to monitor network devices. It uses port 161 to
communicate. Information about a managed device's resources and activity is defined by a series of objects and is
contained by a managed device's Management Information Base (MIB). SNMP management software can request
each of the MIB objects from an SNMP agent, referred to as an SNMP walk. Different SNMP messages can be sent,
including:

Get – retrieves information from a managed device
Set – sets a variable in a managed device or triggers an action on a managed device
Trap – an unsolicited message sent from a managed device to an SNMP manager, which can notify the SNMP
manager about a significant event that occurred on the managed device.

Syslog messages and SNMP traps trigger notification messages that can be sent via e-mail and SMS. A syslog server
receives and stores log messages sent from syslog clients; a syslog client sends logging information to a syslog server.
A syslog server ensures that a network administrator can review device error information from a central location.

Simple Mail Transfer Protocol (SMTP) is used for e-mail. Dynamic Host Configuration Protocol (DHCP) is used to
dynamically assign IP addresses. Domain Name System (DNS) is used to manage IP addresses to host name
mappings.

Objective:
IP Services

Sub-Objective:
Explain the function of SNMP in network operations

References:

WhatsUp Gold > How to Use SNMP to Monitor Network Devices


Cisco > Cisco Prime Infrastructure 3.2 User Guide > Monitor Device and Network Health and Performance

Cisco > Monitor Device and Network Health and Performance (PDF)

Question #6 of 80 Question ID: 1703790

The company you work for has a large number of employees who are considered a mobile workforce. These
employees need to access resources on the LAN from their home or while traveling. Which of the following
tunneling/VPN solutions would be the most appropriate in this situation?

A) IPsec
B) PPTP
C) Remote access
D) Site to site

Explanation

A remote-access VPN allows geographically dispersed users to access the intranet or other company resources. It is
ideal for a mobile workforce.

A site-to-site VPN allows an organization to connect two or more remote offices so that it appears as if they are local to
each other. It can also be used for partner connections.

IPsec is the encryption protocol used in secure VPN connections. While IPsec may be used, it has nothing to do with
the type of VPN deployed.

Point-to-Point Tunneling Protocol (PPTP) uses an initial public Internet connection and creates a second connection
(tunnel) through which VPN traffic is managed. A VPN can use PPTP, but this protocol does not affect the type of VPN
deployed.

Objective:
Security Fundamentals

Sub-Objective:
Describe IPSec remote access and site-to-site VPNs

References:

Cisco Community > Technology and Support > Security > Ipsec Tunnel Mode Vs Transport Mode

AT&T Cybersecurity > Level Blue > Blog > Security Essentials > Secure Remote Access Explained


Question #7 of 80 Question ID: 1703728

You need to configure Network Address Translation (NAT) to allow users access to the Internet. There are 62 private
hosts that need Internet access using the private network 10.4.3.64 /26, and all of them will be translated into the public
IP address of the serial interface.

Which of the following NAT configurations will allow all 62 hosts to have simultaneous Internet access?

A) Router(config)# access-list 1 permit 10.4.3.64 0.0.0.63
Router(config)# ip nat inside source list 1 interface serial 0 overload

B) Router(config)# ip nat pool POOLNAME 10.4.3.64 /26
Router(config)# interface s0
Router(config-if)# ip nat inside source 1 pool POOLNAME overload

C) Router(config)# access-list 1 permit 10.4.3.64 0.0.0.127
Router(config)# interface s0/0
Router(config-if)# ip nat source list 1 pool POOLNAME overload

D) Router(config)# access-list 1 permit 10.4.3.64 /26
Router(config)# ip nat inside source list 1 interface serial 0

Explanation
Explanation

You would execute the following commands:

Router(config)# access-list 1 permit 10.4.3.64 0.0.0.63
Router(config)# ip nat inside source list 1 interface serial 0 overload

A successful NAT configuration requires the creation of an access control list (ACL) to identify the private IP addresses
that will be translated, as well as an ip nat inside source command to dictate what public IP addresses will be used for
translation. Cisco uses the term "inside local" for IP addresses prior to translation, and "inside global" for public IP
addresses after translation.

The access-list 1 permit 10.4.3.64 0.0.0.63 command correctly identifies the private host network of 10.4.3.64 /26,
consisting of 62 hosts.

The ip nat command is broken down as follows:

inside: indicates that packets received on the inside (private) interface will be translated
list 1: specifies that access list 1 will be used to determine which private IP addresses will be translated
interface serial 0: specifies that NAT will translate private IP addresses into the IP address of the serial 0 interface
overload: allows NAT to reuse the IP address of the serial interface for all private IP addresses, providing them
simultaneous access to the Internet.

The correct wildcard mask is critical to ensuring that the access list allows translation of all LAN devices. For example, if
a private LAN used the 192.168.9.0/24 network and 167 devices were present in the network, the correct wildcard mask
would be 0.0.0.255. If you used an incorrect wildcard mask, such as 0.0.0.3, only the 192.168.9.0/30 network would be
allowed translation (only the IP addresses 192.168.9.1 and 192.168.9.2). Of the 167 devices, 165 would not receive
translation.

The overload keyword is required in this configuration since there are more private IP addresses (62) than there are
public IP addresses (one). Overload activates NAT overloading, often called Port Address Translation (PAT), and
assigns each private IP address a unique, dynamic source port in router memory to track connections. If the overload
keyword were not included in the NAT configuration, only one private host could access the Internet at a time.

An alternate solution would involve the creation of a pool of public IP addresses on the NAT router and applying the
access control list to the NAT pool, using the following commands:

Router(config)# ip nat pool NATPOOL 201.52.4.17 201.52.4.22 netmask 255.255.255.248
Router(config)# ip nat inside source list 1 pool NATPOOL overload

The first command creates a NAT pool with six public IP addresses on subnet 201.52.4.16/29, which will be used for
translation. The second command then ties access list 1 to the NAT pool and specifies overload so that the six public
addresses can be reused as often as necessary, allowing all of the private IP addresses simultaneous Internet access.

In both of these examples, dynamic mapping is used. Without dynamic mapping, it is not possible for computers from
outside the network to establish a connection with computers inside the network unless a static mapping between the
private IP address and the public IP address is established on the NAT device.

A common alternative approach is to use public IP addresses in the DMZ rather than private IP addresses, and to place
any computers that must be accessed from outside the network in the DMZ. In this case, NAT is not required between
the DMZ devices and the Internet. Even if public IP addresses are used in the DMZ, if the addresses undergo NAT
translation, connections from outside the network will not be possible.

When NAT is used to translate a public IP address (or addresses) to private IP addresses, the NAT process is ONLY
implemented on the router that connects the network to the Internet. This is because private IP addresses are not
routable to the Internet and translation must occur where the network connects to the Internet.

The following command sets are incorrect because they both involve the creation of a NAT pool:

Router(config)# ip nat pool POOLNAME 10.4.3.64 /26
Router(config)# interface s0
Router(config-if)# ip nat inside source 1 pool POOLNAME overload

and


Router(config)# access-list 1 permit 10.4.3.64 0.0.0.127
Router(config)# interface s0/0
Router(config-if)# ip nat source list 1 pool POOLNAME overload

The scenario states you must use the IP address of the serial interface as the public address. Also, the ip nat inside
source command is configured in global configuration mode, not interface configuration mode. Finally, access control
lists require inverse masks (such as 0.0.0.63). CIDR notation (as in POOLNAME 10.4.3.64 /26) is not allowed.

The following command set is incorrect because access control lists require inverse masks (such as 0.0.0.63) and
CIDR notation (/26) is not allowed:

Router(config)# access-list 1 permit 10.4.3.64 /26
Router(config)# ip nat inside source list 1 interface serial 0

Also, the ip nat inside source command is configured in global configuration mode, not interface configuration mode.

Objective:
IP Services

Sub-Objective:
Configure and verify inside source NAT using static and pools

References:

Cisco > Product Support > Routers > IP Addressing: NAT Configuration Guide, Cisco IOS Release 15M&T > Chapter:
Configuring NAT for IP Address Conservation
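As an added example that is not part of the original question bank, the two checks the NAT explanation above turns on, written in Python: does the access-list wildcard actually cover the private LAN, and is overload (PAT) required given the number of public addresses. The function names and the LAN/pool sizes passed to them are constructed for illustration.

```python
import ipaddress


def wildcard_for_prefix(prefix_len):
    """Inverse (wildcard) mask for a prefix length: /26 -> 0.0.0.63, /24 -> 0.0.0.255."""
    netmask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(netmask ^ 0xFFFFFFFF))


def acl_coverage(entry_addr, wildcard):
    """Addresses matched by 'access-list N permit <entry_addr> <wildcard>'.

    Wildcard bit 1 = don't care, 0 = must match. For a contiguous wildcard the
    match set is a subnet, returned as an IPv4Network (e.g. 0.0.0.3 -> a /30).
    """
    w = int(ipaddress.IPv4Address(wildcard))
    if (w + 1) & w:
        raise ValueError(f"non-contiguous wildcard {wildcard} is not a single subnet")
    prefix_len = 33 - (w + 1).bit_length()          # 63 -> /26, 255 -> /24, 3 -> /30
    base = int(ipaddress.IPv4Address(entry_addr)) & ~w & 0xFFFFFFFF
    return ipaddress.IPv4Network((base, prefix_len))


def review_nat_overload(lan_cidr, acl_addr, acl_wildcard, public_addrs, overload):
    """Check a dynamic inside-source NAT design against the LAN it must serve.

    Returns counts rather than prose so the result can be asserted on:
    - unmatched_hosts: usable LAN hosts the ACL would never translate
    - overload_required: more private hosts than inside-global addresses
    """
    lan = ipaddress.IPv4Network(lan_cidr)
    covered = acl_coverage(acl_addr, acl_wildcard)
    lan_hosts = list(lan.hosts())                     # excludes network and broadcast
    # Note: the ACL matches every address in 'covered', including the /30's
    # own broadcast (.3), because ACL matching knows nothing about subnets.
    unmatched = [h for h in lan_hosts if h not in covered]
    overload_required = len(lan_hosts) > public_addrs
    return {
        "acl_covers": str(covered),
        "expected_wildcard": wildcard_for_prefix(lan.prefixlen),
        "lan_hosts": len(lan_hosts),
        "unmatched_hosts": len(unmatched),
        "overload_required": overload_required,
        "ok": not unmatched and (overload or not overload_required),
    }


if __name__ == "__main__":
    # The correct answer: 62 hosts in 10.4.3.64/26 behind one serial interface address.
    print(review_nat_overload("10.4.3.64/26", "10.4.3.64", "0.0.0.63", 1, overload=True))
    # The wrong-wildcard illustration from the explanation: 0.0.0.3 only covers a /30.
    print(review_nat_overload("192.168.9.0/24", "192.168.9.0", "0.0.0.3", 1, overload=True))
```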

Question #8 of 80 Question ID: 1703722

Which statement best describes the function of Hot Standby Router Protocol (HSRP)?

A) HSRP provides a round-robin gateway selection process to increase fault tolerance.
B) HSRP specifies a single IP address that all routers in the group must use.
C) HSRP defines a frame-tagging scheme that allows end stations to use any router as a gateway.
D) HSRP defines a set of routers that represent one virtual, fault-tolerant router.

Explanation

Hot Standby Router Protocol (HSRP) is specified by RFC 2281. The primary function of HSRP is to define a set of
routers that work together to represent one virtual, fault-tolerant router. Thus, redundancy is provided in the event that
any one of the routers fails. HSRP can be configured on the following interface types:

Routed ports
Switched virtual interfaces (SVI)
Etherchannel port channels

HSRP does use a single IP address to represent a group of routers, but this does not fully describe the function of
HSRP.

HSRP does not provide round-robin gateway selection. HSRP uses router priority to select a primary and standby
router.

HSRP does not define a frame-tagging scheme that allows end stations to use any router as a gateway. End stations
use the virtual IP address of a group of HSRP routers as the default gateway.

Objective:
IP Connectivity

Sub-Objective:
Describe the purpose, functions, and concepts of first hop redundancy protocol

References:

Cisco > Support > Technology Support > IP Application Services > Troubleshooting TechNotes > Understand the Hot
Standby Router Protocol Features and Functionality > Document ID: 9234

Cisco > Support > Technology Support > IP Application Services > Technology Q&A > Review Hot Standby Router
Protocol (HSRP): FAQ > Document ID: 9281

Cisco > Product Support > Switches > Catalyst 3560 Software Configuration Guide, Release 12.2(52)SE > Chapter:
Configuring HSRP

Question #9 of 80 Question ID: 1703560

Which subnet is IP address 172.16.5.2 /23 a member of, and what is the broadcast address for that subnet?

A) subnet: 172.16.4.0, broadcast: 172.16.5.255
B) subnet: 172.16.2.0, broadcast: 172.16.5.255
C) subnet: 172.16.5.0, broadcast: 172.16.5.255
D) subnet: 172.16.0.0, broadcast: 172.16.7.255

Explanation


The IP address 172.16.5.2 /23 is a member of subnet 172.16.4.0 and has the broadcast address of 172.16.5.255. The
valid host range is between 172.16.4.1 and 172.16.5.254.

Binary form of IP address 172.16.5.2 = 10101100.00010000.00000101.00000010
Binary conversion for /23 netmask = 11111111.11111111.11111110.00000000
Decimal conversion for /23 netmask = 255.255.254.0

Calculations:
Perform the AND operation between the IP address and the netmask to obtain the subnet ID:
Address = 10101100.00010000.00000101.00000010
Netmask = 11111111.11111111.11111110.00000000
-----------------------------------------------------
Subnetwork ID = 10101100.00010000.00000100.00000000

Convert the binary version of the network ID to dotted decimal format, 172.16.4.0.

To obtain the broadcast address, set all 9 host bits (32 - 23 = 9 bits) of the network address to 1. It yields the
following:

Binary form of broadcast address = 10101100.00010000.00000101.11111111
Decimal form of broadcast address = 172.16.5.255

Objective:
Network Fundamentals

Sub-Objective:
Configure and verify IPv4 addressing and subnetting

References:

Cisco > Support > Technology Support > IP Routing > Troubleshooting TechNotes > Configure IP Addresses and
Unique Subnets for New Users > Document ID: 13788 > Understand IP Addresses

Cisco > Technology Support > IP Addressing Services > Troubleshooting TechNotes > Configure Subnet Zero and All-
Ones Subnet > Document ID: 13711
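As an added example that is not part of the original question bank, the subnet and broadcast calculation above carried out bitwise in Python, generalised to any prefix length and extended with the leading-bit class test from Question #4. The function names are constructed for illustration.

```python
import ipaddress


def to_binary(value):
    """Dotted-binary form of a 32-bit value, e.g. 172.16.5.2 -> 10101100.00010000.00000101.00000010."""
    return ".".join(f"{(value >> shift) & 0xFF:08b}" for shift in (24, 16, 8, 0))


def ip_class(addr):
    """Classful letter from the leading bits of the first octet (A: 0, B: 10, C: 110, D: 1110, E: 1111).

    0.x.x.x and 127.x.x.x start with a 0 bit but are reserved, which is why the usable
    Class A first-octet range is quoted as 1 to 126.
    """
    first = int(ipaddress.IPv4Address(addr)) >> 24
    if first >> 7 == 0b0:
        return "A"
    if first >> 6 == 0b10:
        return "B"
    if first >> 5 == 0b110:
        return "C"
    if first >> 4 == 0b1110:
        return "D"
    return "E"


CLASSFUL_PREFIX = {"A": 8, "B": 16, "C": 24}   # network portion: 1, 2 or 3 octets


def subnet_info(cidr):
    """Network, broadcast and host range for an address in CIDR form.

    network   = address AND netmask
    broadcast = network OR (NOT netmask), i.e. every host bit set to 1
    /31 and /32 have no separate network/broadcast addresses and are handled as a special case.
    """
    addr_str, prefix_str = cidr.split("/")
    prefix = int(prefix_str)
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    addr = int(ipaddress.IPv4Address(addr_str))
    netmask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    host_mask = ~netmask & 0xFFFFFFFF
    network = addr & netmask
    broadcast = network | host_mask
    host_bits = 32 - prefix
    if host_bits >= 2:
        first_host, last_host = network + 1, broadcast - 1
        usable = (1 << host_bits) - 2
    else:
        first_host, last_host = network, broadcast
        usable = 1 << host_bits
    fmt = ipaddress.IPv4Address
    return {
        "class": ip_class(addr_str),
        "netmask": str(fmt(netmask)),
        "host_bits": host_bits,
        "network": str(fmt(network)),
        "broadcast": str(fmt(broadcast)),
        "first_host": str(fmt(first_host)),
        "last_host": str(fmt(last_host)),
        "usable_hosts": usable,
        "network_binary": to_binary(network),
        "broadcast_binary": to_binary(broadcast),
    }


if __name__ == "__main__":
    for key, value in subnet_info("172.16.5.2/23").items():
        print(f"{key:17} {value}")
```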

Question #10 of 80 Question ID: 1715746


show frame-relay map

atlanta#show frame-relay map

Serial0/0 (up): ip 172.16.1.2 dlci 401(0x191,0x6410), dynamic,
broadcast,Cisco, status defined, active
Serial0/0 (up): ip 172.16.1.3 dlci 501(0x1F5,0x7C50), dynamic,
broadcast,Cisco, status defined, active
Serial0/0 (up): ip 172.16.1.4 dlci 301(0x12D,0x48D0), dynamic,
broadcast,Cisco, status defined, active

show run

atlanta#show running-config
Building configuration...
!
version 12.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname atlanta
!
!
!
!
interface Ethernet0
no ip address
!
interface Serial0/0
ip address 172.16.1.1 255.255.255.240
encapsulation frame-relay
no fair-qeue
interface Serial0/1
ip address 192.168.5.1 255.255.255.252
encapsulation ppp
interface Serial0/2
ip address 192.168.5.5 255.255.255.252
encapsulation ppp
ppp authentication chap
interface Serial0/3
ip address 192.168.5.9 255.255.255.252
!
!
router rip
version 2
network 172.16.1.0
network 192.168.0.0
no auto-summary
!
line con 0
exec-timeout 0 0
transport input none
line aux 0
line vty 0 4
no login
!

end

Which of the serial connections on the Atlanta router are configured to use an encapsulation method that is compatible
with non-Cisco routers? (Choose all that apply.)


A) S0/3
B) S0/1
C) S0/2
D) S0/0

Explanation

The interfaces S0/1 and S0/2 are both configured to use PPP as the encapsulation type. This type is compatible with
non-Cisco routers. The specification of PPP can be seen on line 3 of the output of the show run command executed on
both interfaces:

interface Serial0/1
ip address 192.168.5.1 255.255.255.252
encapsulation ppp
interface Serial0/2
ip address 192.168.5.5 255.255.255.252
encapsulation ppp
ppp authentication chap

When this specification is missing in the same output, it is an indication that the interface is using the default HDLC.
The Cisco version of HDLC is NOT compatible with the HDLC encapsulation method used by non-Cisco routers.
Therefore, PPP, which is cross platform compatible, should be used when connecting to non-Cisco routers.

The following output of the show run command demonstrates what the output would look like on S0/1 when PPP is not
in use.

interface Serial0/2
ip address 192.168.5.5 255.255.255.252

The S0/0 interface is using frame relay encapsulation, as is shown in line three of the output from the show run
command:

interface Serial0/0
ip address 172.16.1.1 255.255.255.240
encapsulation frame-relay

The compatibility of the frame relay encapsulation with non-Cisco routers is dependent on the encapsulation version
specified. It can be set as either Cisco or IETF. If IETF is specified, the encapsulation is compatible with non-Cisco
routers. If Cisco is specified, it is not. In the second line for each entry in the output of the show frame-relay map, it
can be seen that Cisco was specified:

Serial0/0 (up): ip 172.16.1.2 dlci 401(0x191,0x6410), dynamic,
broadcast,Cisco, status defined, active
Serial0/0 (up): ip 172.16.1.3 dlci 501(0x1F5,0x7C50), dynamic,
broadcast,Cisco, status defined, active
Serial0/0 (up): ip 172.16.1.4 dlci 301(0x12D,0x48D0), dynamic,
broadcast,Cisco, status defined, active

The S0/3 interface is not compatible with non-Cisco routers because it is using HDLC. The use of HDLC is indicated by
the absence of any encapsulation statement in its section of the show run command output, as shown below:

interface Serial0/3
ip address 192.168.5.9 255.255.255.252

Objective:
Network Fundamentals

Sub-Objective:
Describe characteristics of network topology architectures

References:

Cisco > Support > Troubleshooting Frame Relay Connections

Question #11 of 80 Question ID: 1703792


show int status

SW1#sh int status

Port Name Status Vlan Duplex Speed Type
Gi0/1 connected 1 a-full a-1000 10/100/1000BaseTX
[output omitted]

show interface trunk

SW1#sh int trunk

Port Mode Encapsulation Status Native vlan
Gi0/1 auto 802.1q trunking 1

show interface status

SW2#sh int status

Port Name Status Vlan Duplex Speed Type
Gi0/1 connected 1 a-full a-1000 10/100/1000BaseTX
[output omitted]

show interface trunk

SW2#sh int trunk

Port Mode Encapsulation Status Native vlan
Gi0/1 auto 802.1q trunking 1

show interface port-channel

SW2#show interface port-channel 1 etherchannel

Port-channel1 (Primary aggregator)
Age of the Port-channel = 0d:01h:05m:54s
Logical slot/port = 14/1 Number of ports = 2
HotStandBy port = null
Port state = Port-channel Ag-Inuse
Protocol = LACP
Fast-switchover = disabled
Ports in the Port-channel:
Index Load Port EC state No of bits
------+------+------+------------------+-----------
0 49 Gi3/1 Active 3
1 92 Gi3/2 Active 3

show ip interface brief

R4# show ip interface brief

Interface IP-Address OK? Method Status Protocol
Ethernet0/0 unassigned YES NVRAM up up
Etherne0/1 unassigned YES NVRAM up up
Dialer1 10.10.10.1 Yes IPCP up up
Loopback0 172.16.5.5 YES NVRAM up up
[output omitted]

Given:


The network team has struggled to maintain VPN connections between the main office and the branch offices. A
requirement to use IPsec on the connections has added to their difficulty. Their main frustration is the need to
reconfigure the main office connection with every new VPN connection required. Which technology would allow them to
configure the main office only once, even if more offices that require VPN connections are subsequently added?

A) Cisco IPSec VTI
B) IPSec tunnels
C) GRE over IPsec
D) Cisco DMVPN

Explanation

Cisco Dynamic Multipoint Virtual Private Network (DMVPN) enables you to configure a single mGRE tunnel interface in
the main office with a single IPsec profile to manage all spoke routers. While it requires a hub and spoke configuration,
it allows for IPSec to be immediately triggered, creating a point-to-point GRE tunnel whenever new spokes are added
without requiring any IPsec peering configuration in the main office.

IPsec VTIs allow you to configure a virtual interface to which you can apply features. Features for clear-text packets are
configured on the VTI. Features for encrypted packets are applied on the physical outside interface. When IPsec VTIs
are used, you can separate the application of features such as NAT, ACLs, and QoS and apply them to clear-text or
encrypted text, or both. When crypto maps are used, there is no simple way to apply encryption features to the IPsec
tunnel.

Cisco IPSec Virtual Tunnel Interface (VTI) allows for the configuration of IPsec interfaces without the need to statically
map IPsec sessions to a physical interface. The IPsec tunnel endpoint is associated with an actual (virtual) interface.
This feature does not allow for configuring the main office only once, even if more offices that require VPN connections
are later added.

GRE over IPsec tunnels can also be used in a hub and spoke configuration, but they would require static tunnels
between the main office and each branch. GRE over IPsec tunnels do not allow for configuring the main office only
once, even if more offices that require VPN connections are later added.

IPSec tunnels running in tunnel mode are always an option for branch office connections, but they must be configured
individually. They do not allow for configuring the main office only once, even if more offices that require VPN
connections are later added.

Objective:
Security Fundamentals

Sub-Objective:
Describe IPSec remote access and site-to-site VPNs

References:

Cisco > Support > Configuring Dynamic Multipoint Virtual Private Networks

Question #12 of 80 Question ID: 1704873


show frame-relay map

atlanta#show frame-relay map

Serial0/0 (up): ip 172.16.1.2 dlci 401(0x191,0x6410), dynamic,
broadcast,Cisco, status defined, active
Serial0/0 (up): ip 172.16.1.3 dlci 501(0x1F5,0x7C50), dynamic,
broadcast,Cisco, status defined, active
Serial0/0 (up): ip 172.16.1.4 dlci 301(0x12D,0x48D0), dynamic,
broadcast,Cisco, status defined, active

show run

atlanta#show running-config
Building configuration...
!


version 12.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname atlanta
!
!
!
!
interface Ethernet0
no ip address
!
interface Serial0/0
ip address 172.16.1.1 255.255.255.240
encapsulation frame-relay
no fair-qeue
interface Serial0/1
ip address 192.168.5.1 255.255.255.252
encapsulation ppp
interface Serial0/2
ip address 192.168.5.5 255.255.255.252
encapsulation ppp
ppp authentication chap
interface Serial0/3
ip address 192.168.5.9 255.255.255.252
!
!
router rip
version 2
network 172.16.1.0
network 192.168.0.0
no auto-summary
!
line con 0
exec-timeout 0 0
transport input none
line aux 0
line vty 0 4
no login
!

end

When the Atlanta router sends a packet and the Layer 2 address in the header is 501, what IP address will be placed in
the packet header?

A) 172.16.1.4

B) 172.16.1.2
C) 172.16.1.1

D) 172.16.1.3

Explanation

The IP address 172.16.1.3 will be placed in the packet header if the Layer 2 address in the header is 501. The output of
the show frame-relay map command indicates that the DLCI associated with the IP address 172.16.1.3 is 501. DLCI
501 is associated with the router in LA.

Serial0/0 (up): ip 172.16.1.3 dlci 501(0x1F5,0x7C50), dynamic,
broadcast,Cisco, status defined, active

The IP address 172.16.1.1 is the IP address assigned to the S0/0 interface on the Atlanta router as indicated by the
output of the show run command below:

interface Serial0/0
ip address 172.16.1.1 255.255.255.240
encapsulation frame-relay

The IP address 172.16.1.2 is associated with DLCI 401, as shown in the output of the show frame-relay map
command. DLCI 401 is associated with the router in NY.

Serial0/0 (up): ip 172.16.1.2 dlci 401(0x191,0x6410), dynamic,
broadcast,Cisco, status defined, active

The IP address 172.16.1.4 is associated with DLCI 301, as shown in the output of the show frame-relay map
command below. DLCI 301 is associated with the router in Dallas:

Serial0/0 (up): ip 172.16.1.4 dlci 301(0x12D,0x48D0), dynamic,
broadcast,Cisco, status defined, active

Objective:
Network Fundamentals

Sub-Objective:
Describe characteristics of network topology architectures

References:

Cisco > Support > Cisco IOS Wide-Area Networking Command Reference > frame-relay map

Question #13 of 80 Question ID: 1703766

You wish to configure Secure Shell (SSH) support on your router so that incoming VTY connections are secure.

Which of the following commands must be configured? (Choose all that apply.)

A) ip access-group

B) transport input ssh

C) service config

D) ip domain-name

E) crypto key generate rsa

Explanation

Secure Shell (SSH) provides a secure alternative to Telnet for remote management of Cisco devices. Configuring
SSH support on a Cisco router involves a minimum of three commands:

ip domain-name [domain-name]: configures the DNS domain name of the router (global configuration mode)
crypto key generate rsa: generates a cryptographic key to be used with SSH (global configuration mode)
transport input ssh: allows SSH connections on the router's VTY lines (VTY line configuration mode)

The transport input ssh command allows only SSH connectivity to the router and prevents clear-text Telnet
connections. To enable both SSH and Telnet, you would use the transport input ssh telnet command.

The ip access-group command is incorrect because this command is used to activate an access control list (ACL) on
an interface and does not pertain to SSH.

The service config command is incorrect because this command is used to automatically configure routers from a
network server and does not pertain to SSH.

Objective:
IP Services

Sub-Objective:
Configure network devices for remote access using SSH

References:

Cisco > Support > Technology Support > Secure Shell (SSH) > Troubleshooting TechNotes > Configure SSH on
Routers and Switches > Document ID: 4145

Question #14 of 80 Question ID: 1704783

In what mode does an LWAPP-enabled access point operate?

A) Lightweight mode

B) WGB
C) Autonomous mode

D) Ad hoc mode

Explanation

Lightweight access point protocol (LWAPP)-enabled access points operate in lightweight mode. LWAPP is a protocol
used to allow centralized management of APs. The management components are removed from the APs, and a WLAN
controller provides a single point of management. This controller coordinates WLAN access, managing the load on the
APs and user movement between APs. Upon starting, an LWAPP-enabled access point must obtain an IP address. It
can then discover the controller using DHCP, DNS, or a subnet broadcast. When multiple wireless controllers are
detected by an AP, it chooses to associate with the controller that has the fewest existing associated APs.

Individually configured APs that operate without central management are operating in autonomous mode. This would be
the opposite of lightweight mode, which is made possible by LWAPP. Autonomous access points can be upgraded to
lightweight. If they are upgraded, they will only function in conjunction with a WLAN controller. Moreover, when an
autonomous access point is upgraded to lightweight, the console port only provides read access to the unit.

Characteristics that autonomous and lightweight access points have in common:

Both support Power over Ethernet (PoE)
Both can use a Cisco Secure Access Control server (ACS) for security

A wireless gateway bridge (WGB) is used to connect a computer without a wireless network card to a wireless network,
but not separate WLANs. The WGB can connect up to eight computers to a WLAN. The WGB connects to the root AP
through a wireless interface.

Ad hoc is a WLAN mode used for peer-to-peer connectivity. Ad hoc mode allows wireless-enabled computers to
communicate with each other without having an AP involved.

Objective:
Network Access

Sub-Objective:
Describe Cisco Wireless Architectures and AP modes

References:

Cisco > Support > Product Support > Wireless > Software Downloads, Release and General Information > Support
FAQ > Lightweight Access Point FAQ

Cisco > Support > Technology Support > Wireless LAN (WLAN) > Troubleshooting TechNotes > Cisco Wireless
Devices Association Matrix > Document ID: 19242 > LWAPP APs Association

Question #15 of 80 Question ID: 1703718

Click on each of the scenario headings to expand or collapse its content. You must read the entire scenario in order to
answer the question below.

show ip interface brief

R2# show ip interface brief

Interface IP-Address OK? Method Status Protocol
Ethernet0 192.168.5.1 YES NVRAM up up
Ethernet1 unassigned YES unset administratively down down
Loopback0 192.200.60.5 YES NVRAM up up

Serial0 192.168.10.1 YES NVRAM up up
Serial1 192.168.10.60 YES NVRAM up up
Serial2 192.168.10.126 YES manual up up
Serial3 unassigned YES unset administratively down down

show ip ospf interface

R3# show ip ospf interface ethernet 1

Ethernet0 is up, line protocol is up
Internet Address 10.10.10.1/24, Area 0
Process ID 2, Router ID 192.168.45.1, Network Type BROADCAST, Cost: 10
Transmit Delay is 1 sec, State DR, Priority 1
Designated Router (ID) 192.168.45.1, Interface address 192.168.45.1
No backup Designated router on this network
Timer intervals configured, Hello 5, Dead 40, Wait 40, Retransmit 5

show interfaces

R3#show interfaces serial 0

Serial0 is up, line protocol is down
Hardware is HD64570
Internet address is 20.0.0.1/8
MTU 1500 bytes, BW 1433 kbit reliability 255/255
Encapsulation HDLC, loopback not set, keepalive set (10 sec)
[output is omitted]

show ip ospf interface

R4# show ip ospf interface ethernet 0

Ethernet0 is up, line protocol is up
Internet Address 10.10.10.2/24, Area 0
Process ID 1, Router ID 192.168.59.60, Network Type BROADCAST, Cost: 10
Transmit Delay is 1 sec, State DR, Priority 1
Designated Router (ID) 192.168.59.30, Interface address 10.10.10.2
No backup Designated router for this network
Timer intervals configured, Hello 10, Dead 30, Wait 40, Retransmit 5

show interfaces serial 1

Remote#show interfaces serial 1

Serial1 is up, line protocol is up down
Hardware is HD64570
Internet address is 20.0.0.2/8
MTU 1500 bytes, BW 1433 Kbit reliability 255/255
Encapsulation PPP, loopback not set, keepalive set (10 sec)
[output is omitted]

Your assistant executed the following command on R2.

R2(config-router)# network 192.168.10.0 0.0.0.63 area 0

Based on this command, which interfaces on R2 will participate in OSPF? (Choose two.)

A) S3

B) S1
C) S2

D) E0

E) S0

Explanation

The Serial0 and Serial1 interfaces will participate in OSPF. The network command uses a wildcard mask to describe
the network and therefore the interfaces to be included. If an interface is in the network described by the network and
mask, then it will participate in OSPF.

The command R2(config-router)# network 192.168.10.0 0.0.0.63 area 0 describes a network that starts at
192.168.10.0 and goes to 192.168.10.63. The octets with a 0 in the wildcard mask must match the octets of the
network statement exactly (192.168.10). The range of allowable values in the last octet starts where the network
statement starts, at 192.168.10.0. Add the value in the last octet of the mask to arrive at the end point of the
range, which is 192.168.10.63. Therefore, the range of allowable host addresses is 192.168.10.1 - 192.168.10.62.

The two interfaces that fall in the range are Serial0 (192.168.10.1) and Serial1 (192.168.10.60) as indicated by the
output of the show ip interface brief command executed on R2:

R2# show ip interface brief

Interface IP-Address OK? Method Status Protocol
Ethernet0 192.168.5.1 YES NVRAM up up
Ethernet1 unassigned YES unset administratively down down
Loopback0 192.200.60.5 YES NVRAM up up
Serial0 192.168.10.1 YES NVRAM up up
Serial1 192.168.10.60 YES NVRAM up up
Serial2 192.168.10.126 YES manual up up
Serial3 unassigned YES unset administratively down down
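
The wildcard test described above, carried out in code as an added example (not part of the original exam material). It parses a
constructed copy of the show ip interface brief output, applies the network statement's wildcard bit by bit, and lists the
interfaces that would be enabled for OSPF; the bitwise test also works for non-contiguous wildcards, not only 0.0.0.63.

```python
import ipaddress
import re

# Constructed sample in the form of the "show ip interface brief" output from the scenario.
SHOW_IP_INT_BRIEF = """\
Interface IP-Address OK? Method Status Protocol
Ethernet0 192.168.5.1 YES NVRAM up up
Ethernet1 unassigned YES unset administratively down down
Loopback0 192.200.60.5 YES NVRAM up up
Serial0 192.168.10.1 YES NVRAM up up
Serial1 192.168.10.60 YES NVRAM up up
Serial2 192.168.10.126 YES manual up up
Serial3 unassigned YES unset administratively down down
"""

NETWORK_CMD = re.compile(
    r"network\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+area\s+(\S+)"
)


def parse_interface_brief(text):
    """Map interface name -> IPv4Address for every interface that has an address."""
    interfaces = {}
    for line in text.splitlines()[1:]:          # skip the column header
        fields = line.split()
        if len(fields) < 2 or fields[1] == "unassigned":
            continue
        interfaces[fields[0]] = ipaddress.IPv4Address(fields[1])
    return interfaces


def wildcard_matches(address, network, wildcard):
    """OSPF wildcard test: every bit that is 0 in the wildcard must agree with the network.

    A 1 bit in the wildcard is a "don't care" bit, so the test is a masked compare and
    works for non-contiguous wildcards as well as the contiguous 0.0.0.63 in the question.
    """
    addr = int(ipaddress.IPv4Address(address))
    net = int(ipaddress.IPv4Address(network))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))   # 1 = bit must match
    return (addr & care) == (net & care)


def matched_range(network, wildcard):
    """Lowest and highest address a contiguous wildcard covers (.0 to .63 here)."""
    net = int(ipaddress.IPv4Address(network))
    wild = int(ipaddress.IPv4Address(wildcard))
    low = net & (0xFFFFFFFF ^ wild)
    return str(ipaddress.IPv4Address(low)), str(ipaddress.IPv4Address(low | wild))


def ospf_interfaces(network_command, interfaces):
    """Return the interface names that a 'network <net> <wildcard> area <n>' line selects."""
    match = NETWORK_CMD.search(network_command)
    if match is None:
        raise ValueError("not an OSPF network statement: %r" % network_command)
    network, wildcard, _area = match.groups()
    return sorted(name for name, addr in interfaces.items()
                  if wildcard_matches(addr, network, wildcard))


if __name__ == "__main__":
    ifaces = parse_interface_brief(SHOW_IP_INT_BRIEF)
    cmd = "R2(config-router)# network 192.168.10.0 0.0.0.63 area 0"
    print(matched_range("192.168.10.0", "0.0.0.63"))   # ('192.168.10.0', '192.168.10.63')
    print(ospf_interfaces(cmd, ifaces))                 # ['Serial0', 'Serial1']
```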

Objective:
IP Connectivity

Sub-Objective:
Configure and verify single area OSPFv2

References:

Cisco Support > Cisco IOS IP Routing: OSPF Command Reference > network area

Question #16 of 80 Question ID: 1703578

You install a second NIC in your Linux computer. Then you log on to the computer as root. You want to configure the
new NIC with the IP address 192.168.0.1 and the subnet mask 255.255.255.0.

Which command should you issue at a command prompt to configure the NIC?

A) ifconfig eth0 192.168.0.1 subnet 255.255.255.0 up

B) ipconfig eth1 192.168.0.1 netmask 255.255.255.0 up

C) ipconfig eth0 192.168.0.1 subnet 255.255.255.0 up

D) ifconfig eth1 192.168.0.1 netmask 255.255.255.0 up

Explanation

On a Linux computer, you would use the ifconfig command to configure a network interface card (NIC). The first NIC
in a Linux computer is typically named eth0, and the second NIC is named eth1. Therefore, you should log on to the
Linux computer as root, which is also known as the superuser, and issue the command ifconfig eth1 192.168.0.1
netmask 255.255.255.0 up to configure the second NIC. The 192.168.0.1 portion of the command configures the IP
address for the NIC, the netmask 255.255.255.0 portion of the command configures the subnet mask for the NIC,
and the up portion of the command activates the NIC. A similar procedure would be used on a UNIX computer.

The command ifconfig eth0 192.168.0.1 subnet 255.255.255.0 up is not properly configured; the command
uses the term subnet rather than the proper term netmask, and the command would attempt to configure eth0 rather
than eth1.

The ipconfig command can be used on Microsoft computers to view the TCP/IP protocol stack, but ipconfig cannot
be used to configure a NIC.

Objective:
Network Fundamentals

Sub-Objective:
Verify IP parameters for Client OS (Windows, Mac OS, Linux)

References:

ComputerHope > Linux ifconfig command

Question #17 of 80 Question ID: 1704819

Which Cisco switch features are designed to work together to mitigate ARP spoofing attacks? (Choose two.)

A) DAI

B) 802.1x

C) Port security

D) DHCP snooping

Explanation

Dynamic ARP inspection (DAI) and DHCP snooping are Cisco features designed to work together to mitigate Address
Resolution Protocol (ARP) spoofing attacks. DAI validates ARP packets in a network. It determines the validity of an
ARP packet based on the valid MAC address-to-IP address bindings stored in the DHCP snooping database. This
capability protects the network from some man-in-the-middle attacks. The following global configuration command
instructs the switch to intercept, log, and discard packets with invalid IP-to-MAC address bindings for the specified
VLANs:

switch(config)# ip arp inspection vlan 10-12,15

When configuring DAI, ports are configured as either trusted or untrusted. DAI forwards all packets received on a
trusted interface without checks but intercepts all packets on an untrusted port.

DHCP snooping creates an IP address-to-MAC address database that DAI uses to validate ARP packets. It compares
the MAC address and IP address in ARP packets and only permits the traffic if the addresses match. This eliminates
attackers spoofing MAC addresses. The following command enables DHCP MAC address verification:

router(config)# ip dhcp snooping verify mac-address

DHCP Authorized ARP can also be used to mitigate ARP spoofing. When implemented, the server assigns an IP
address to a client and creates a static mapping. The DHCP server then sends periodic ARPs to clients to make sure
that the clients are still active. Clients respond with an ARP reply. Unauthorized clients cannot respond to these periodic
ARPs. The unauthorized ARP responses are blocked at the DHCP server.

DHCP snooping is also used to define ports as trusted for DHCP server connections. The purpose of DHCP snooping is
to mitigate DHCP spoofing attacks. DHCP snooping can be used to determine what ports are able to send DHCP
server packets, such as DHCPOFFER, DHCPACK, and DHCPNAK. It can also cache the MAC address-to-IP address
mapping for clients receiving DHCP addresses from a valid DHCP server.

Port security is a method of only permitting specified MAC addresses access to a switch port. This can be used to
define what computer or device can be connected to a port, but it does not eliminate ARP spoofing.

802.1x is a method of determining authentication before permitting access to a switch port. This is useful in restricting
who can connect to the switch, but it does not inspect ARP packets.
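
The DAI decision logic described above, modelled in code as an added example (not Cisco's implementation and not part of the
exam material). The binding table, port names and ARP packets are constructed; the VLAN list parser mirrors the
ip arp inspection vlan 10-12,15 command quoted in the explanation.

```python
from collections import namedtuple

# One ARP packet as the switch sees it: ingress port, VLAN, and the sender's claimed MAC/IP.
ArpPacket = namedtuple("ArpPacket", "port vlan sender_mac sender_ip")

# Constructed DHCP snooping binding table: (vlan, ip) -> MAC learned from DHCPACKs.
SNOOPING_BINDINGS = {
    (10, "10.1.10.20"): "00:11:22:33:44:55",
    (10, "10.1.10.21"): "00:11:22:33:44:66",
}
# Constructed trusted uplink toward the DHCP server/router; DAI does not inspect it.
TRUSTED_PORTS = {"Gi1/0/24"}


def parse_vlan_list(spec):
    """Expand the VLAN argument of 'ip arp inspection vlan 10-12,15' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            low, high = (int(x) for x in part.split("-", 1))
            vlans.update(range(low, high + 1))
        elif part:
            vlans.add(int(part))
    return vlans


DAI_VLANS = parse_vlan_list("10-12,15")   # the command quoted in the explanation


def inspect_arp(packet, bindings=SNOOPING_BINDINGS, trusted=TRUSTED_PORTS, dai_vlans=DAI_VLANS):
    """Decide as DAI would: ('forward', reason) or ('drop', reason) for one ARP packet."""
    if packet.vlan not in dai_vlans:
        return "forward", "DAI not enabled on VLAN %d" % packet.vlan
    if packet.port in trusted:
        return "forward", "trusted port, packet not inspected"
    expected_mac = bindings.get((packet.vlan, packet.sender_ip))
    if expected_mac is None:
        return "drop", "no DHCP snooping binding for %s in VLAN %d" % (packet.sender_ip, packet.vlan)
    if expected_mac.lower() != packet.sender_mac.lower():
        return "drop", "sender MAC %s does not match binding %s for %s" % (
            packet.sender_mac, expected_mac, packet.sender_ip)
    return "forward", "sender MAC/IP matches DHCP snooping binding"


def count_drops(packets):
    """Run every packet through inspect_arp; the drop count is what a log reviewer watches."""
    decisions = [inspect_arp(p) for p in packets]
    return sum(1 for verdict, _ in decisions if verdict == "drop"), decisions


if __name__ == "__main__":
    sample = [  # constructed traffic
        ArpPacket("Gi1/0/5", 10, "00:11:22:33:44:55", "10.1.10.20"),   # legitimate client
        ArpPacket("Gi1/0/7", 10, "de:ad:be:ef:00:01", "10.1.10.20"),   # MAC/IP pair not in bindings
        ArpPacket("Gi1/0/24", 10, "de:ad:be:ef:00:01", "10.1.10.20"),  # same pair, trusted uplink
        ArpPacket("Gi1/0/8", 20, "de:ad:be:ef:00:02", "10.1.20.5"),    # VLAN 20 is not inspected
    ]
    drops, decisions = count_drops(sample)
    for packet, (verdict, why) in zip(sample, decisions):
        print(packet.port, verdict, "-", why)
    print("dropped:", drops)   # 1
```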

Objective:
Security Fundamentals

Sub-Objective:
Configure and verify Layer 2 security features (DHCP snooping, dynamic ARP inspection, and port security)

References:

Cisco > Product Support > Switches > Catalyst 6500 Release 12.2SXF and Rebuilds Software Configuration Guide >
Chapter: Dynamic ARP Inspection (DAI)

Cisco > Product Support > Cisco IOS and NX-OS Software > Cisco IOS IP Addressing Services Command Reference
> ip arp inspection vlan

Question #18 of 80 Question ID: 1703816

Which of the following concepts makes the deployment of automation and the programmability of networks possible?

A) APIs

B) SNMP

C) CLI

D) PXE

Explanation

Application programming interfaces (APIs) make it possible to communicate beneficially with software in a system, both
in interrogating the system and giving it directions.

Simple Network Management Protocol (SNMP) has been used in the past to accomplish crude automation, but it is not
as efficient or scalable as using APIs.

The command line interface (CLI) is the classic method of communicating with devices, but it does not offer any
significant automation capabilities.

While a pre-execution environment (PXE) might be used to automate a system’s onboarding process, which could be a
part of an automation process, it is not what makes the deployment of automation and programmability of networks
possible.

Objective:
Automation and Programmability

Sub-Objective:
Explain how automation impacts network management

References:

PCskull > Business > 4 Business Process Automation Benefits and Its Impact

Question #19 of 80 Question ID: 1703698

You are the network administrator for your company. The Chief Technical Officer of the company is looking for a routing
solution that satisfies the following requirements:

No routing protocol advertisements
Increased network security
No routing protocol overhead
Not concerned about fault tolerance

Which of the following routing techniques matches the criteria?

A) Dynamic routing

B) Hybrid routing

C) Public routing
D) Static routing

Explanation

The static routing technique matches the criteria given in this scenario. Static routing is a process of manually entering
routes into a routing table. Static routes are not recommended for large networks because static routes are manually
configured on the router. However, if a single link is used to connect an enterprise to an Internet Service Provider (ISP),
then static routing is the best option.

The following are characteristics of static routing:

Configuring static routes does not create any network traffic.
Manually configured static routes do not generate routing updates and therefore increase security and minimize
network traffic.
Router resources are used more efficiently.
Static routes are not recommended for large networks because they are manually configured on the router and
maintaining the routes can become problematic.
Static route configuration is not fault tolerant because static routes do not automatically adapt to changes in the
network.

The dynamic routing option is incorrect because route updates consume bandwidth and overhead. While the scenario
is not concerned with routing protocol overhead, it states that there should be no bandwidth consumption by route
advertisements.

Hybrid routing and public routing are not valid routing techniques in Cisco terminology.

Objective:
IP Connectivity

Sub-Objective:
Configure and verify IPv4 and IPv6 static routing

References:

Cisco > Support > Switches > Cisco Nexus 7000 Series NX-OS Unicast Routing Configuration Guide, Release 5.x >
Chapter: Configuring Static Routing

Cisco Press > Articles > Cisco Network Technology > General Networking > Cisco Networking Academy's Introduction
to Routing Dynamically > Dynamic versus Static Routing

Cisco > Configuring Static Routing (PDF)

Question #20 of 80 Question ID: 1704799

Click on each of the scenario headings to expand or collapse its content. You must read the entire scenario in order to
answer the question below.

show ip interface brief

R2# show ip interface brief

Interface IP-Address OK? Method Status Protocol
Ethernet0 192.168.5.1 YES NVRAM up up
Ethernet1 unassigned YES unset administratively down down
Loopback0 192.200.60.5 YES NVRAM up up
Serial0 192.168.10.1 YES NVRAM up up
Serial1 192.168.10.60 YES NVRAM up up
Serial2 192.168.10.126 YES manual up up
Serial3 unassigned YES unset administratively down down

show ip ospf interface

R3# show ip ospf interface ethernet 1

Ethernet0 is up, line protocol is up
Internet Address 10.10.10.1/24, Area 0
Process ID 2, Router ID 192.168.45.1, Network Type BROADCAST, Cost: 10
Transmit Delay is 1 sec, State DR, Priority 1
Designated Router (ID) 192.168.45.1, Interface address 192.168.45.1
No backup Designated router on this network
Timer intervals configured, Hello 5, Dead 40, Wait 40, Retransmit 5

show interfaces

R3#show interfaces serial 0

Serial0 is up, line protocol is down
Hardware is HD64570
Internet address is 20.0.0.1/8
MTU 1500 bytes, BW 1433 kbit reliability 255/255
Encapsulation HDLC, loopback not set, keepalive set (10 sec)
[output is omitted]

show ip ospf interface

R4# show ip ospf interface ethernet 0

Ethernet0 is up, line protocol is up
Internet Address 10.10.10.2/24, Area 0
Process ID 1, Router ID 192.168.59.60, Network Type BROADCAST, Cost: 10
Transmit Delay is 1 sec, State DR, Priority 1
Designated Router (ID) 192.168.59.30, Interface address 10.10.10.2
No backup Designated router for this network
Timer intervals configured, Hello 10, Dead 30, Wait 40, Retransmit 5

show interfaces serial 1

Remote#show interfaces serial 1

Serial1 is up, line protocol is up down
Hardware is HD64570
Internet address is 20.0.0.2/8
MTU 1500 bytes, BW 1433 Kbit reliability 255/255
Encapsulation PPP, loopback not set, keepalive set (10 sec)
[output is omitted]

R3 and R4 are not forming an OSPF adjacency. What is preventing this from happening?

A) Area numbers do not match

B) IP addresses are incorrect

C) Process ID numbers do not match

D) Hello and dead timers are misconfigured

Explanation

The problem is that the hello and dead timer values do not match. Before two OSPF routers can form an adjacency,
they must be set with matching hello and dead timers. R4 is set for Hello 10, Dead 30 and R3 is set for Hello 5,
Dead 40. This can be seen in the output of the show ip ospf interface commands:

R3# show ip ospf interface ethernet 1

Ethernet0 is up, line protocol is up
Internet Address 10.10.10.1/24, Area 0
Process ID 2, Router ID 192.168.45.1, Network Type BROADCAST, Cost: 10
Transmit Delay is 1 sec, State DR, Priority 1
Designated Router (ID) 192.168.45.1, Interface address 192.168.45.1
No backup Designated router on this network
Timer intervals configured, Hello 5, Dead 40, Wait 40, Retransmit 5

and

R4# show ip ospf interface ethernet 0

Ethernet0 is up, line protocol is up
Internet Address 10.10.10.2/24, Area 0
Process ID 1, Router ID 192.168.59.60, Network Type BROADCAST, Cost: 10
Transmit Delay is 1 sec, State DR, Priority 1
Designated Router (ID) 192.168.59.30, Interface address 10.10.10.2
No backup Designated router for this network
Timer intervals configured, Hello 10, Dead 30, Wait 40, Retransmit 5

The IP addresses are correct. The E0 interface on R4 and the E1 interface on R3 are both in the 10.10.10.0/24
network.

The area numbers do match. They are both set for Area 0.

It is not required for the OSPF process IDs to match. They are locally significant only.
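
The neighbour-parameter comparison walked through above, as an added example (not part of the exam material and not a Cisco
tool). It parses the two show ip ospf interface outputs from the scenario, reproduced here as constants, and reports every
mismatch that blocks an adjacency, while deliberately ignoring the process ID because it is locally significant.

```python
import ipaddress
import re

# The two "show ip ospf interface" outputs from the scenario, reproduced as constants.
R3_OUTPUT = """\
Ethernet0 is up, line protocol is up
Internet Address 10.10.10.1/24, Area 0
Process ID 2, Router ID 192.168.45.1, Network Type BROADCAST, Cost: 10
Transmit Delay is 1 sec, State DR, Priority 1
Designated Router (ID) 192.168.45.1, Interface address 192.168.45.1
No backup Designated router on this network
Timer intervals configured, Hello 5, Dead 40, Wait 40, Retransmit 5
"""

R4_OUTPUT = """\
Ethernet0 is up, line protocol is up
Internet Address 10.10.10.2/24, Area 0
Process ID 1, Router ID 192.168.59.60, Network Type BROADCAST, Cost: 10
Transmit Delay is 1 sec, State DR, Priority 1
Designated Router (ID) 192.168.59.30, Interface address 10.10.10.2
No backup Designated router for this network
Timer intervals configured, Hello 10, Dead 30, Wait 40, Retransmit 5
"""


def parse_ospf_interface(text):
    """Pull the adjacency-relevant fields out of one 'show ip ospf interface' block."""
    addr = re.search(r"Internet Address (\S+), Area (\S+)", text)
    ident = re.search(r"Process ID (\d+), Router ID ([\d.]+), Network Type (\w+)", text)
    timers = re.search(r"Hello (\d+), Dead (\d+)", text)
    if not (addr and ident and timers):
        raise ValueError("unrecognised show ip ospf interface output")
    return {
        "subnet": ipaddress.ip_interface(addr.group(1)).network,
        "area": addr.group(2),
        "process_id": int(ident.group(1)),
        "router_id": ident.group(2),
        "network_type": ident.group(3),
        "hello": int(timers.group(1)),
        "dead": int(timers.group(2)),
    }


def adjacency_blockers(a, b):
    """List every parameter mismatch that stops two OSPF neighbours forming an adjacency."""
    problems = []
    if a["subnet"] != b["subnet"]:
        problems.append("different subnets: %s vs %s" % (a["subnet"], b["subnet"]))
    if a["area"] != b["area"]:
        problems.append("area mismatch: %s vs %s" % (a["area"], b["area"]))
    if a["network_type"] != b["network_type"]:
        problems.append("network type mismatch: %s vs %s" % (a["network_type"], b["network_type"]))
    if (a["hello"], a["dead"]) != (b["hello"], b["dead"]):
        problems.append("hello/dead timer mismatch: %d/%d vs %d/%d"
                        % (a["hello"], a["dead"], b["hello"], b["dead"]))
    if a["router_id"] == b["router_id"]:
        problems.append("duplicate router ID %s" % a["router_id"])
    # Process IDs are intentionally not compared: they are locally significant only.
    return problems


if __name__ == "__main__":
    r3 = parse_ospf_interface(R3_OUTPUT)
    r4 = parse_ospf_interface(R4_OUTPUT)
    for problem in adjacency_blockers(r3, r4):
        print(problem)   # hello/dead timer mismatch: 5/40 vs 10/30
```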

Objective:
IP Connectivity

Sub-Objective:
Configure and verify single area OSPFv2

References:

Cisco > Support > Technology Support > IP Routing > Technology Q&A > What Does the show ip ospf interface
Command Reveal? > Document ID: 13689

Question #21 of 80 Question ID: 1704810

Recently you had a serious problem with a router and contacted TAC. They told you a core dump of the system would
have been helpful in diagnosing the issue. You would like to configure the router to make a full copy of the memory
image the next time the router experiences the type of issue that can generate a core dump.

Which of the following is NOT a supported method of setting up a core dump?

A) HTTP

B) Flash disk

C) RCP

D) TFTP

Explanation

A core dump cannot be sent to a location using HTTP. The four supported methods for dumping a copy of the router's
memory image are:

TFTP
FTP
RCP
Flash disk

To use File Transfer Protocol (FTP) to configure a core dump, execute the following commands:

ip ftp username username
ip ftp password password
exception protocol ftp
exception dump a.b.c.d

To use Trivial File Transfer Protocol (TFTP) to configure a core dump, execute the following commands:

exception dump a.b.c.d

To use remote copy protocol (RCP) to configure a core dump, execute the following commands:

exception protocol rcp
exception dump a.b.c.d

Finally, to send a core dump to a Flash drive, execute the following commands:

exception crashinfo file flash:filename

Objective:
IP Services

Sub-Objective:
Describe the capabilities and function of TFTP/FTP in the network

References:

Cisco > Support > Creating Core Dumps

Cisco > Support > Cisco IOS Basic System Management Command Reference > exception dump

Cisco > Support > Cisco IOS Basic System Management Command Reference > exception protocol

Cisco > Support > Cisco IOS Basic System Management Command Reference > exception crashinfo file

Question #22 of 80 Question ID: 1703631

View the following network diagram:

Which switch will become the root bridge?

A) SwitchA

B) SwitchB

C) The root bridge cannot be determined from the given information.

D) SwitchC

Explanation

SwitchA will become the root bridge. The bridge ID, also known as the switch ID, is used to elect the root bridge in a
redundant network topology. The bridge ID has two components:

Switch's priority number: Configured as 32768 on Cisco switches by default
Switch's Media Access Control (MAC) address: The burnt-in hardware address of the network interface card

The switch with the lowest bridge ID is selected as the root bridge. If the same priority number is configured on two or
more switches in the network, the switch with the lowest MAC address will become the root. Bridge Protocol Data Units
(BPDUs) communicate the details of the switch with the lowest bridge ID in the network. The election process for the
root bridge takes place every time there is a topology change in the network. A topology change may occur due to the
failure of a root bridge or the addition of a new switch in the network. The root bridge originates BPDUs every two
seconds, which are propagated by other switches throughout the network. BPDUs are used as keepalives between
switches, and if a switch stops receiving BPDUs from a neighboring switch for ten intervals (20 seconds), it will assume
a designated role for the network segment.

Neither SwitchB nor SwitchC will become the root bridge. Although both have an equal priority value to SwitchA
(32768), the MAC addresses of SwitchB and SwitchC are higher than that of SwitchA.

The root bridge can be determined with the information given. If the diagram did not indicate MAC addresses, then the
root bridge would not be able to be determined, since the priorities are equal.

Objective:
Network Access

Sub-Objective:
Interpret basic operations of Rapid PVST+ Spanning Tree Protocol

References:

Cisco > Support > Technology Support > Spanning Tree Protocol > Troubleshooting TechNotes > Understand and
Configure STP on Catalyst Switches > Document ID: 5234

GeeksForGeeks > Root Bridge Election in Spanning Tree Protocol

Question #23 of 80 Question ID: 1703813

You need to configure a WLAN with WPA PSK security. On which configuration tab of the WLAN should you do this?

A) Security

B) QoS

C) Advanced

D) General

Explanation

Enabling WPA PSK is done on the Security tab of the WLAN as shown below. The exact setting where this is specified
is in the drop down box next to Auth Key Mgmt.

While the General tab is used to map WPA2 to an interface, as shown below, it is not where the PSK is specified.

The Advanced tab is where settings such as Management Frame Protection (MFP) are configured, as highlighted below:

The QoS tab is used to enable and manage QoS, as shown below:

Objective:
Security Fundamentals

Sub-Objective:
Configure and verify WLAN within the GUI using WPA2 PSK

References:

Cisco > Product Support > Wireless > Cisco Wireless LAN Controller Configuration Guide, Release 7.3 > Chapter:
Using the Web-Browser and CLI Interfaces

Question #24 of 80 Question ID: 1704827

Which of the following is NOT a function of the northbound interface?

A) Obtain a list of network devices.

B) Communicate with network devices.

C) Create VLANs.

D) Poll the health of the network.

Explanation

Northbound APIs are used to communicate from network controllers to their management software. The software-
defined networking (SDN) northbound interface is in the management plane and is used to manage the SDN controller,
performing functions such as:

creating VLANs
polling the health of the network
obtaining a list of network devices

The southbound interface, on the other hand, is used to send and receive information to and from the routers, switches,
and APIs that are managed by the SDN controller. Communicating with network devices is the job of the southbound
interface, not the northbound.

Objective:
Automation and Programmability

Sub-Objective:
Describe controller-based, software defined architecture (overlay, underlay, and fabric)

References:

Cisco Learning Network > CCNA Certification Community > What is the difference between Northbound and
Southbound Interfaces?

Cisco Press > Articles > Software-Defined Networking Security and Network Programmability

Question #25 of 80 Question ID: 1703739

Your company has a corporate-wide Windows Server network using the TCP/IP protocol. Several users are
complaining that their computers are getting IP address conflicts.

Which action should you perform?

A) Increase the TCP window size.

B) Manually configure IP addresses on each computer.

C) Implement a DHCP server.

D) Change the MAC address for each network interface card.

Explanation

A Dynamic Host Configuration Protocol (DHCP) server dynamically assigns IP addresses to DHCP clients. This
ensures that each client receives a valid and unique IP address, preventing IP address conflicts.

None of the other options is correct. Increasing the TCP window size can be used to help alleviate network bandwidth
issues. Manually configuring the IP addresses on each computer is more likely to cause IP address conflicts. Changing
the MAC address for each NIC may not be possible, depending on the configuration of the NIC. Even if you can change
the MAC address, this will have no effect on IP address conflicts.

Objective:
IP Services

Sub-Objective:
Explain the role of DHCP and DNS within the network

References:

Microsoft Learn > Windows Server > Dynamic Host Configuration Protocol (DHCP)

Question #26 of 80 Question ID: 1703717

You are configuring Open Shortest Path First (OSPF) protocol for IPv6 on Router5. The router has two interfaces, which
have been configured as follows:

S0/0 - 192.168.5.1/24

S0/1 - 10.0.0.6/8

You would like OSPF to route IPv6 only on the S0/0 network. It should not route for IPv6 on the S0/1 network. The
process ID you have chosen to use is 25. You do not want to apply an IPv6 address yet.

Which of the following command sets would enable OSPF for IPv6 as required?

A) Router5(config)#ipv6 unicast-routing
Router5(config)#ipv6 ospf 25
Router5(config-rtr)#router-id 1.1.1.1

B) Router5(config)#ipv6 ospf 25
Router5(config)# network 192.168.5.0

C) Router5(config)#ipv6 ospf 25
Router5(config)#router-id 192.168.5.1

D) Router5(config)#ipv6 unicast-routing
Router5(config)#ipv6 router ospf 25
Router5(config-rtr)#router-id 1.1.1.1
Router5(config)#interface S0/0
Router5(config-if)#ipv6 ospf 25 area 0

Explanation

The correct command sequence would be as follows:


Router5(config)#ipv6 unicast-routing
Router5(config)#ipv6 router ospf 25
Router5(config-rtr)#router-id 1.1.1.1
Router5(config)#interface S0/0
Router5(config-if)#ipv6 ospf 25 area 0

The first line enables IPv6 routing with the ipv6 unicast-routing command. The second line enables OSPF routing for
IPv6 with the ipv6 router ospf command. The third line assigns a necessary router ID (which was chosen at random) with
the router-id command. The last two lines enable OSPF for area 0 on the correct interface.

The following command set is incorrect because it does not enable OSPF routing for IPv6, assign a necessary router
ID, or enable OSPF for area 0 on the proper interface:

Router5(config)#ipv6 ospf 25
Router5(config)# network 192.168.5.0

This command set also displays incorrect use of the network command. The network command would be used with
OSPF v2.

The following command set fails to enable OSPF routing for IPv6, assign a necessary router ID, or enable OSPF for
area 0 on the correct interface:

Router5(config)#ipv6 ospf 25
Router5(config)#router-id 192.168.5.1

It also assigns the router ID under global configuration mode, rather than under the ipv6 router ospf 25 configuration
mode (config-rtr) as required.

The following command set fails to enable OSPF for area 0 on the proper interface:

Router5(config)#ipv6 unicast-routing
Router5(config)#ipv6 ospf 25
Router5(config-rtr)#router-id 1.1.1.1

Objective:
IP Connectivity

Sub-Objective:
Configure and verify single area OSPFv2

References:

Cisco > Support > Cisco IOS IPv6 Command Reference > ipv6 unicast-routing

Cisco > Support > Cisco IOS IPv6 Command Reference > ipv6 ospf area


Question #27 of 80 Question ID: 1703798

What command would be used to verify trusted DHCP ports?

A) show ip arp trust

B) show ip dhcp snooping

C) show mls qos

D) show ip trust

Explanation

The command show ip dhcp snooping is used to verify trusted DHCP ports. This command is used to verify which
ports are intended to have DHCP servers connected to them.

DHCP snooping builds an IP-address-to-MAC-address binding database that Dynamic ARP Inspection (DAI) uses to
validate ARP packets. DAI compares the MAC address and IP address in each ARP packet with the bindings and permits
the traffic only if they match. This defeats attackers who are spoofing MAC addresses.

DHCP snooping is used to define ports as trusted for DHCP server connections. The purpose of DHCP snooping is to
mitigate DHCP spoofing attacks. DHCP snooping can be used to determine what ports are able to send DHCP server
packets, such as DHCPOFFER, DHCPACK, and DHCPNAK. DHCP snooping can also cache the MAC address to IP
address mapping for clients receiving DHCP addresses from a valid DHCP server.

MLS QOS has no bearing on DHCP services, so show mls qos is not correct.

The other commands are incorrect because they have invalid syntax.
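
The following Python is an added example (not code from the exam or from Cisco) that models both halves of the mechanism described above on constructed data: DHCP snooping dropping server messages that arrive on untrusted ports and learning bindings from legitimate DHCPACKs, then DAI checking ARP packets against those bindings. The port names, MAC and IP addresses are hypothetical.

```python
"""DHCP snooping binding table plus Dynamic ARP Inspection (DAI) check.

Added example with constructed data: the ports, MAC and IP values below are
hypothetical and not taken from the question.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Ports configured as trusted for DHCP (constructed): the uplink to the real
# DHCP server. Everything else is untrusted.
TRUSTED_PORTS = {"Gi0/1"}

# Message types that only a DHCP server sends; on an untrusted port they
# reveal a rogue server and are dropped.
SERVER_MESSAGES = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}

Binding = Tuple[str, int, str]  # (ip, vlan, client port)


@dataclass
class DhcpMessage:
    msg_type: str      # DHCPDISCOVER, DHCPOFFER, DHCPACK, ...
    ingress_port: str  # port the message arrived on
    client_mac: str    # chaddr field
    yiaddr: str        # address offered/assigned (server messages only)
    vlan: int
    client_port: str   # port where the switch saw the client's request


@dataclass
class ArpPacket:
    sender_mac: str
    sender_ip: str
    vlan: int
    ingress_port: str


def build_bindings(msgs: List[DhcpMessage], trusted=TRUSTED_PORTS):
    """Replay DHCP traffic through snooping: drop server messages arriving on
    untrusted ports and learn MAC->IP bindings from DHCPACKs that get through."""
    bindings: Dict[str, Binding] = {}
    dropped: List[DhcpMessage] = []
    for m in msgs:
        if m.msg_type in SERVER_MESSAGES and m.ingress_port not in trusted:
            dropped.append(m)  # DHCP spoofing mitigation
            continue
        if m.msg_type == "DHCPACK":
            bindings[m.client_mac.lower()] = (m.yiaddr, m.vlan, m.client_port)
    return bindings, dropped


def dai_permit(pkt: ArpPacket, bindings: Dict[str, Binding],
               trusted=TRUSTED_PORTS) -> bool:
    """DAI: ARP from a trusted port is forwarded unchecked; ARP from an
    untrusted port must match the snooping binding for its sender MAC."""
    if pkt.ingress_port in trusted:
        return True
    entry = bindings.get(pkt.sender_mac.lower())
    if entry is None:
        return False  # no lease known for this MAC
    return entry == (pkt.sender_ip, pkt.vlan, pkt.ingress_port)


# Constructed traffic: a legitimate server behind Gi0/1, a rogue one on Gi0/7.
SAMPLE_DHCP = [
    DhcpMessage("DHCPDISCOVER", "Gi0/3", "00:11:22:33:44:01", "0.0.0.0", 10, "Gi0/3"),
    DhcpMessage("DHCPACK", "Gi0/1", "00:11:22:33:44:01", "10.1.10.50", 10, "Gi0/3"),
    DhcpMessage("DHCPACK", "Gi0/7", "00:11:22:33:44:02", "10.1.10.99", 10, "Gi0/4"),
]

SAMPLE_ARP = [
    ArpPacket("00:11:22:33:44:01", "10.1.10.50", 10, "Gi0/3"),  # matches binding
    ArpPacket("00:11:22:33:44:01", "10.1.10.1", 10, "Gi0/3"),   # claims the gateway IP
    ArpPacket("00:11:22:33:44:02", "10.1.10.99", 10, "Gi0/4"),  # lease came from the rogue
]


def run_demo():
    """Returns (bindings learned, number of server messages dropped, DAI verdicts)."""
    bindings, dropped = build_bindings(SAMPLE_DHCP)
    verdicts = [dai_permit(p, bindings) for p in SAMPLE_ARP]
    return bindings, len(dropped), verdicts


if __name__ == "__main__":
    print(run_demo())
```

The second and third ARP packets are dropped for different reasons: the second carries a correct MAC but a spoofed IP, and the third belongs to a host whose lease never entered the binding table because the DHCPACK that granted it came from an untrusted port.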

Objective:
Security Fundamentals

Sub-Objective:
Configure and verify Layer 2 security features (DHCP snooping, dynamic ARP inspection, and port security)

References:

Cisco > Product Support > Cisco IOS and NX-OS Software > Cisco IOS IP Addressing Services Command Reference
> show ip dhcp snooping

Question #28 of 80 Question ID: 1704790

What switch security configuration requires AAA to be configured on the switch?


A) Private VLAN

B) Port security

C) VACL

D) 802.1x

Explanation

802.1x requires AAA to be configured on the switch. 802.1x uses AAA authentication to control access to the port.

The overall steps required to configure a switch for 802.1x are:

1. Enable AAA on the switch.
2. Define the external RADIUS server(s) and the key to be used for encryption.
3. Define the authentication method.
4. Enable 802.1x on the switch.
5. Configure each switch port that will use 802.1x.
6. Optionally allow multiple hosts on the switch port.

Objective:
Network Access

Sub-Objective:
Describe network device management access (Telnet, SSH, HTTP, HTTPS, console, TACACS+/RADIUS, and cloud
managed)

References:

What Is 802.1X Authentication?

Question #29 of 80 Question ID: 1704797

Observe the following network exhibit:


According to the diagram, which of the following route types would be advisable to configure on the ISP router with
respect to the LAN connection?

A) Static route

B) Gateway of last resort

C) RIP

D) Default route

Explanation

The best solution would be a static route that summarizes all of the networks in the LAN and points to the WAN
interface of R1. This configuration would prevent the ISP router from needing a route to all subnets in the company
LAN, thereby reducing the size of its routing table.

A default route would not be advisable on the ISP router with respect to its connection to the LAN. Default routes should
be used to reduce the entries in the routing table in the following instances:

The network contains a stub router, which is a router that has a single connection to the rest of the network
whereby all traffic must go in that direction regardless of the network.
The network contains a router that acts as the connection to the Internet or ISP for the network.

In either case, the purpose of a default route is to leverage the fact that all traffic must go in a certain direction,
regardless of its destination. Placing a default route in the table ensures that traffic destined for a network not in the
routing table is automatically sent in this direction, which eliminates the need for specific routes to all destinations.


A gateway of last resort is created when you set a default route in a router. Therefore, if the ISP router does not need a
default route, it does not need a gateway of last resort.

A RIP route should not be placed on the ISP router. RIP is an interior gateway protocol (IGP). ISP routers and other
routers on the Internet use exterior gateway protocols (EGP) such as BGP.
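
As an added example (not from the exam or from Cisco), the Python below computes the summary prefix that such a static route on the ISP router would carry and renders it as an IOS ip route line. It also reports any address space the summary advertises that is not an actual LAN subnet, which is the trade-off of summarising. The LAN subnets and the R1 next-hop address are constructed.

```python
"""Summarise a company's LAN subnets into the single static route an ISP
router needs toward R1.

Added example; the subnets and the next-hop address are constructed."""
import ipaddress
from typing import Iterable, List

IPv4Net = ipaddress.IPv4Network


def summary_route(subnets: Iterable[str]) -> IPv4Net:
    """Smallest single prefix that contains every subnet given."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    if not nets:
        raise ValueError("no subnets to summarise")
    summary = nets[0]
    # Widen the prefix one bit at a time until every subnet fits inside it.
    while not all(n.subnet_of(summary) for n in nets):
        summary = summary.supernet()
    return summary


def uncovered_space(subnets: Iterable[str], summary: IPv4Net) -> List[IPv4Net]:
    """Address space the summary advertises that is not a real LAN subnet.
    Anything listed here is traffic the ISP will hand to R1 for addresses
    that do not exist; a non-empty result is worth knowing before deploying."""
    remaining = [summary]
    for n in (ipaddress.ip_network(s) for s in subnets):
        kept = []
        for r in remaining:
            if n.subnet_of(r):
                kept.extend(r.address_exclude(n))  # carve the subnet out of r
            elif not r.subnet_of(n):
                kept.append(r)                     # disjoint, keep as is
            # else: r lies entirely inside n, so it is covered and dropped
        remaining = kept
    return sorted(ipaddress.collapse_addresses(remaining))


def ios_static_route(summary: IPv4Net, next_hop: str) -> str:
    """IOS 'ip route prefix mask next-hop' line for the summary."""
    return f"ip route {summary.network_address} {summary.netmask} {next_hop}"


if __name__ == "__main__":
    lan = ["10.6.0.0/24", "10.6.1.0/24", "10.6.3.0/24"]  # constructed LAN
    s = summary_route(lan)
    print(ios_static_route(s, "203.0.113.2"))  # hypothetical R1 WAN address
    print("advertised but unused:", uncovered_space(lan, s))
```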

Objective:
IP Connectivity

Sub-Objective:
Configure and verify IPv4 and IPv6 static routing

References:

Cisco > Configuring Static and Default Routes (PDF)

Question #30 of 80 Question ID: 1704757

Which statement best describes a converged network?

A) A network with a mix of voice and video traffic

B) A network with a mix of voice, video, and data traffic

C) A network with real-time applications

D) A network with a mix of data and video traffic

Explanation

A converged network is a combination of voice, video, and data traffic. Network convergence is a migration from
maintaining multiple service-specific networks, namely data, voice, and video, to a single IP-based network. All services
are delivered on the same network, reducing infrastructure costs. Despite the benefits that network convergence
provides, it is highly susceptible to network delays, especially for real-time traffic.

Converged networks frequently face the following problems:

Bandwidth: As all the voice and video networks are combined into one universally converged network, bandwidth
capacity becomes a priority.
Packet loss: When links become congested, packets will be dropped. Voice and video traffic are intolerant of
dropped packets.
Delay: Delay represents the time it takes for packets to traverse the network and reach their destinations. While
some delay is expected, delay increases when links are over-subscribed.


Voice and video traffic are intolerant of high or variable delays. A packet that arrives late is no better than a packet that
does not arrive. Delays can be variable or fixed.

Fixed delays are constant and are mostly introduced by processing on the hardware devices, such as processing
delay and packetization delay.

Variable delays, known as jitter, cause problems for voice and video.

Objective:
Network Fundamentals

Sub-Objective:
Describe characteristics of network topology architectures

References:

What is a Converged Network?

Question #31 of 80 Question ID: 1703629


show int status

SW1#sh int status

Port      Name      Status       Vlan      Duplex    Speed     Type
Gi0/1               connected    1         a-full    a-1000    10/100/1000BaseTX
[output omitted]

show interface trunk

SW1#sh int trunk

Port      Mode      Encapsulation    Status      Native vlan
Gi0/1     auto      802.1q           trunking    1

show interface status

SW2#sh int status

Port      Name      Status       Vlan      Duplex    Speed     Type
Gi0/1               connected    1         a-full    a-1000    10/100/1000BaseTX
[output omitted]

show interface trunk


SW2#sh int trunk

Port      Mode      Encapsulation    Status      Native vlan
Gi0/1     auto      802.1q           trunking    1

show interface port-channel

SW2#show interface port-channel 1 etherchannel

Port-channel1   (Primary aggregator)
Age of the Port-channel   = 0d:01h:05m:54s
Logical slot/port   = 14/1          Number of ports = 2
HotStandBy port = null
Port state          = Port-channel Ag-Inuse
Protocol            =   LACP
Fast-switchover     = disabled
Ports in the Port-channel:
Index   Load   Port     EC state        No of bits
------+------+------+------------------+-----------
  0     49     Gi3/1    Active             3
  1     92     Gi3/2    Active             3

show ip interface brief

R4# show ip interface brief

Interface      IP-Address    OK? Method Status   Protocol
Ethernet0/0    unassigned    YES NVRAM  up       up
Ethernet0/1    unassigned    YES NVRAM  up       up
Dialer1        10.10.10.1    Yes IPCP   up       up
Loopback0      172.16.5.5    YES NVRAM  up       up

[output omitted]

Given:


Review the output provided on SW2 for the EtherChannel configuration between SW1 and SW2. Which column is used
to indicate the physical interface in the bundle that will be used for a specific flow of traffic?

A) Load

B) Port

C) Index

D) EC State

Explanation

The Load column has hex values that will be decoded into binary by the switch to determine which specific physical
interface in the bundle should be used by a specific traffic flow. The choice of interface will also be influenced by the
load-balancing algorithm being used by the switch, which is configurable.

The Index column simply indicates the number given to each physical interface in the bundle. It has no meaning with
respect to choosing a physical link by a flow.

The Port column specifies the interface ID of each physical interface in the bundle.

The EC State column indicates the operational status of each physical interface in the bundle.
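
The Python below is an added example (not from the exam or from Cisco) that decodes the Load column exactly as the explanation describes: each hex value is turned into the set of 3-bit hash buckets the member port owns, and a flow is mapped to the port owning its bucket. The member table is the one printed in the SW2 exhibit; the flow hash is a deliberately simplified stand-in (XOR of the two IPv4 addresses, low 3 bits), because the real per-platform hash is not given on this page. Note that the two Load values shown, 0x49 and 0x92, leave buckets 2 and 5 without an owner, which the code reports rather than hides.

```python
"""Decode the Load column of 'show interface port-channel N etherchannel'
and predict which member link a flow uses.

Added example: the member table is copied from the SW2 exhibit above; the
flow hash is a deliberately simplified stand-in (XOR of the two IPv4
addresses, low 3 bits) because the real hash is platform specific."""
import ipaddress
from typing import Dict, List, Optional

EXHIBIT = """\
Index Load Port EC state No of bits
------+------+------+------------------+-----------
0 49 Gi3/1 Active 3
1 92 Gi3/2 Active 3
"""


def decode_load(load_hex: str) -> List[int]:
    """Hex Load value -> the hash buckets (bit positions 0-7) this port owns."""
    value = int(load_hex, 16)
    return [bit for bit in range(8) if value & (1 << bit)]


def parse_members(text: str) -> Dict[str, List[int]]:
    """Map each member port to its buckets; data rows follow the dashed line.
    Raises if the decoded bit count disagrees with the 'No of bits' column."""
    members: Dict[str, List[int]] = {}
    in_rows = False
    for line in text.splitlines():
        if line.startswith("------"):
            in_rows = True
            continue
        if not in_rows or not line.strip():
            continue
        _index, load, port, _state, bits = line.split()
        buckets = decode_load(load)
        if len(buckets) != int(bits):
            raise ValueError(f"{port}: Load {load} has {len(buckets)} bits, expected {bits}")
        members[port] = buckets
    return members


def bucket_owners(members: Dict[str, List[int]]) -> Dict[int, Optional[str]]:
    """Bucket number -> port, None for buckets no listed port owns."""
    owners: Dict[int, Optional[str]] = {b: None for b in range(8)}
    for port, buckets in members.items():
        for b in buckets:
            owners[b] = port
    return owners


def flow_bucket(src_ip: str, dst_ip: str) -> int:
    """Simplified src-dst-ip hash (an assumption, not Cisco's algorithm)."""
    return (int(ipaddress.IPv4Address(src_ip)) ^ int(ipaddress.IPv4Address(dst_ip))) & 0x7


def select_port(members: Dict[str, List[int]], src_ip: str, dst_ip: str) -> Optional[str]:
    """Member link a flow lands on. With only the two ports in the exhibit,
    0x49 and 0x92 leave buckets 2 and 5 unowned, so some flows get None."""
    return bucket_owners(members)[flow_bucket(src_ip, dst_ip)]


if __name__ == "__main__":
    m = parse_members(EXHIBIT)
    print(m)                                       # {'Gi3/1': [0, 3, 6], 'Gi3/2': [1, 4, 7]}
    print(select_port(m, "10.1.1.5", "10.1.1.2"))  # Gi3/2
```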


Objective:
Network Access

Sub-Objective:
Configure and verify (Layer 2/Layer 3) EtherChannel (LACP)

References:

Cisco > Support > Technology Support > EtherChannel > EtherChannel Between Catalyst 3550/3560/3750 Series
Switches and Catalyst Switches Running Cisco IOS System Software Configuration Example > Document ID: 12033

Question #32 of 80 Question ID: 1703806

You are creating a wireless network for your company. You need to implement a wireless protocol that provides
maximum security while providing support for older wireless clients.

Which protocol should you choose?

A) Wi-Fi Protected Access 2 (WPA2)

B) Wi-Fi Protected Access 3 (WPA3)

C) Wi-Fi Protected Access (WPA)

D) Wired Equivalent Privacy (WEP)

Explanation

You should implement WPA. WPA was created to fix core problems with WEP. WPA is designed to work with older
wireless clients while implementing the 802.11i standard. WAP is the default protocol used by most wireless networks
and devices. However, because WAP can access Web pages and scripts, there is great opportunity for malicious code
to damage a system. WAP does not provide maximum security. It is considered the weakest wireless protocol.

WPA3 is more secure than WPA or WPA2 but it cannot support older wireless clients. While WPA2 was a significant
increase in security over WPA, WPA3 makes additional improvements over WPA2, including:

WPA3-Personal, unlike WPA2-Personal which uses pre-shared keys (passphrases), utilizes a process called
Simultaneous Authentication of Equals (SAE) in which the station and access point authenticate one another by
proving to each other that they have a key. This produces a master key (PMK) which, while shared between the
two, is never sent. So, should a hacker capture the packets used, the original key or the generated master key
cannot be derived.
WPA3-Enterprise includes a new 192-bit security level based on the NSA’s requirements for environments requiring
greater security. It also only allows GCMP-256 encryption.

WEP is the security standard for wireless networks and devices that use encryption to protect data. However, WEP
does have weaknesses and is not as secure as WPA or WPA2. WPA2 implements the 802.11i standard completely.

Therefore, it does not support the use of older wireless cards. Identification and WPA2 are considered the best
combination for securing a wireless network.

There are three versions of WPA: WPA, WPA2, and WPA3. WPA uses Temporal Key Integrity Protocol (TKIP) for
encryption. WPA2 uses CCM Mode Protocol (CCMP) for encryption. WPA, WPA2 and WPA3 can operate in two modes:
Personal and Enterprise. Because CCMP uses AES, TKIP is considered weaker than CCMP. The Personal mode uses
a 256-bit key and is referred to as WPA-Personal or WPA-Pre-shared Key (WPA-PSK) and WPA2-Personal or WPA2-
PSK, depending on which version of WPA you implement. The Enterprise mode is designed for enterprise networks and
uses Extensible Authentication Protocol (EAP) for authentication. This mode is referred to as WPA-Enterprise or WPA-
802.1x and WPA2-Enterprise or WPA2-802.1x, depending on which version of WPA you implement. WPA-Enterprise is
more secure than WPA2-PSK.

If you need to implement a secure wireless authentication method that uses a remote RADIUS server for
authentication, you should implement Lightweight Extensible Authentication Protocol (LEAP) or Protected Extensible
Authentication Protocol (PEAP). Of these two protocols, PEAP is considered the more secure.

When deploying a WPA2-Enterprise wireless network, you will need to install a digital certificate on the authentication
server. When choosing between PSK, Enterprise, and Open modes, the highest security is offered by Enterprise. The
next highest is PSK. You should never choose Open mode because it provides no security whatsoever.

Objective:
Security Fundamentals

Sub-Objective:
Describe wireless security protocols (WPA, WPA2, and WPA3)

References:

Wireless security: WEP, WPA, WPA2 and WPA3 differences

Question #33 of 80 Question ID: 1704779

What attack can be prevented by keeping the native VLAN of the trunk ports different from the user VLANs?

A) Steganography

B) Data exfiltration

C) Double tagging

D) Masquerading

Explanation


Double tagging is an attack that allows a malicious individual to access a VLAN for which they are not a member.
Double-tagging attacks can be prevented by changing the native VLAN on all trunk ports to an unused VLAN ID.

Steganography is not an attack and cannot be prevented by keeping the native VLAN of the trunk ports different from
the user VLANs. Steganography is the process of removing bits of information from a graphic and replacing them with
data that you want to hide. This swapping does not typically have a noticeable effect on the graphic, but it allows the
sender to hide data that can be extracted later by means of the same application used to insert it into the graphic. The
best defense against steganography is to periodically scan PCs for questionable software. The presence of
steganography software on any system should be prohibited unless it is specifically required for business purposes.

Data exfiltration is the extracting of data from a network in an unauthorized manner and cannot be prevented by
keeping the native VLAN of the trunk ports different from the user VLANs. Its behavior can be discovered with data loss
prevention (DLP) software, if present. If it is not present, data exfiltration may only be reported when it falls into the
wrong hands. When it occurs, the best course of action is to identify the source of the disclosure if possible and then
take disciplinary action.

Masquerading is the process of pretending to be another and cannot be prevented by keeping the native VLAN of the
trunk ports different from the user VLANs. The term also refers to the process where a single public IP address is used
by all interior devices when accessing the Internet. This is done by deploying network address translation (NAT).
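
The following Python is an added example (not from the exam or from Cisco) of checking for the weakness the explanation describes: it parses a constructed running-config snippet and reports every trunk whose native VLAN is also in use as an access VLAN, which is the condition the recommended "unused VLAN ID" native VLAN removes. Interface names and VLAN numbers are hypothetical; the check applies the IOS defaults of VLAN 1 for both an unspecified access VLAN and an unspecified native VLAN.

```python
"""Audit switch configuration for trunks whose native VLAN is also a user
(access) VLAN, the condition the explanation above says to avoid.

Added example with a constructed running-config snippet; interface names
and VLAN numbers are hypothetical."""
from typing import Dict, List, Set

RUNNING_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 1
!
interface GigabitEthernet0/2
 switchport mode trunk
 switchport trunk native vlan 999
!
interface GigabitEthernet0/3
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet0/4
 switchport mode access
!
"""

DEFAULT_VLAN = 1  # both the access VLAN and the trunk native VLAN default to 1


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Group the indented lines of each 'interface' block under its name."""
    interfaces: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a top-level command ends the block
    return interfaces


def first_value(lines: List[str], prefix: str, default: int) -> int:
    """Integer argument of the first line starting with prefix, else default."""
    for line in lines:
        if line.startswith(prefix):
            return int(line[len(prefix):].strip())
    return default


def audit_native_vlans(config: str) -> Dict[str, int]:
    """Return {trunk: native VLAN} for every trunk whose native VLAN is used
    by an access port, i.e. where a double-tagged frame could reach a user
    VLAN. An empty dict means the recommended separation is in place."""
    user_vlans: Set[int] = set()
    trunk_native: Dict[str, int] = {}
    for name, lines in parse_interfaces(config).items():
        modes = [l.split()[-1] for l in lines if l.startswith("switchport mode ")]
        mode = modes[0] if modes else None
        if mode == "access":
            user_vlans.add(first_value(lines, "switchport access vlan ", DEFAULT_VLAN))
        elif mode == "trunk":
            trunk_native[name] = first_value(lines, "switchport trunk native vlan ", DEFAULT_VLAN)
    return {name: vlan for name, vlan in trunk_native.items() if vlan in user_vlans}


if __name__ == "__main__":
    print(audit_native_vlans(RUNNING_CONFIG))  # {'GigabitEthernet0/1': 1}
```

In the constructed config, GigabitEthernet0/1 is flagged because its native VLAN 1 is also the implicit access VLAN of GigabitEthernet0/4; GigabitEthernet0/2 uses the unused VLAN 999 and passes.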

Objective:
Network Access

Sub-Objective:
Configure and verify interswitch connectivity

References:

Cisco Certified Expert > Double Tagging

Question #34 of 80 Question ID: 1703812

You are considering an implementation of WPA on your WLAN using the GUI. Which of the following versions requires
a RADIUS server and uses TKIP encryption?

A) WPA-Enterprise

B) WPA3-Personal

C) WPA2-Personal

D) WPA PSK

Explanation


WPA-Enterprise requires a RADIUS server and uses TKIP encryption. There are three versions of WPA: WPA, WPA2,
and WPA3. Moreover, the three versions can be run in two modes, Personal and Enterprise.

The following table describes the characteristics of WPA, WPA2, and WPA3 as they operate in the two modes:

Version           Encryption    Authentication

WPA Personal      TKIP          Pre-shared key
WPA Enterprise    TKIP          RADIUS server
WPA2 Personal     CCMP (AES)    Pre-shared key
WPA2 Enterprise   CCMP (AES)    RADIUS server
WPA3 Personal     CCMP (AES)    Simultaneous Authentication of Equals (SAE)
WPA3 Enterprise   GCMP-256      RADIUS server

Objective:
Security Fundamentals

Sub-Objective:
Configure and verify WLAN within the GUI using WPA2 PSK

References:

TechTarget > Networking > Wireless security: WEP, WPA, WPA2 and WPA3 differences

Question #35 of 80 Question ID: 1704801

Which of the following features is used with the ip nat inside command to translate multiple devices in the internal
network to a single address in the IP address pool?

A) Static

B) Overload

C) Override

D) Dynamic

Explanation

The overload keyword, when specified with the ip nat inside command, translates multiple devices in the internal
network to a single address in the IP address pool.

For example:

ip nat pool test 172.28.15.1 172.28.15.1 prefix-length 24


In this example, the NAT pool named "test" only has a range of one address. Another variation of this command is as
follows:

ip nat inside source list 3 interface serial 0 overload

This command configures NAT to overload on the address assigned to the serial 0 interface. When this variation is
used, the command uses access list 3 to determine which inside addresses are translated.

With static NAT, translation mappings are created statically and are placed in the translation tables regardless of
whether there is traffic flowing.

With dynamic NAT, the translation mappings table is populated as the required traffic flows through NAT-enabled
devices.

Override is not a valid NAT option. There is no such option.
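
As an added example (not from the exam or from Cisco), the Python below simulates the translation table that overload (PAT) builds: many inside hosts share one outside address and are told apart by the translated source port. The original source port is kept when it is free and a new one is allocated on collision; the single address can run out of ports, and the code returns None in that case rather than pretending a translation exists. Addresses and ports are constructed.

```python
"""Simulate NAT overload (PAT): many inside hosts share one outside address
and are told apart by the translated source port.

Added example; the addresses and ports are constructed."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip address, port)


@dataclass
class PatTable:
    outside_ip: str          # the single address in the pool (or on the interface)
    next_port: int = 1024    # where to start when the original port is busy
    max_port: int = 65535
    inside_to_global: Dict[Endpoint, int] = field(default_factory=dict)
    global_to_inside: Dict[int, Endpoint] = field(default_factory=dict)

    def _allocate(self, preferred: int) -> Optional[int]:
        """Keep the original source port if nobody else holds it, otherwise
        hand out the next free port, or None if the address is exhausted."""
        if preferred not in self.global_to_inside:
            return preferred
        while self.next_port in self.global_to_inside:
            self.next_port += 1
        if self.next_port > self.max_port:
            return None
        port = self.next_port
        self.next_port += 1
        return port

    def translate_outbound(self, inside: Endpoint) -> Optional[Endpoint]:
        """Rewrite the source of an outbound packet; the mapping is created
        on first use (dynamic) and reused for the rest of the flow."""
        if inside in self.inside_to_global:
            return self.outside_ip, self.inside_to_global[inside]
        port = self._allocate(inside[1])
        if port is None:
            return None  # no free port on the shared address: packet dropped
        self.inside_to_global[inside] = port
        self.global_to_inside[port] = inside
        return self.outside_ip, port

    def translate_inbound(self, dst_port: int) -> Optional[Endpoint]:
        """Map a reply sent to outside_ip:dst_port back to the inside host.
        Unsolicited inbound traffic has no entry and is dropped."""
        return self.global_to_inside.get(dst_port)


if __name__ == "__main__":
    t = PatTable("203.0.113.5")
    print(t.translate_outbound(("10.1.1.10", 40000)))  # ('203.0.113.5', 40000)
    print(t.translate_outbound(("10.1.1.11", 40000)))  # ('203.0.113.5', 1024)
    print(t.translate_inbound(1024))                   # ('10.1.1.11', 40000)
```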

Objective:
IP Services

Sub-Objective:
Configure and verify inside source NAT using static and pools

References:

Cisco > Support > Technology Support > IP Addressing Services > Troubleshooting TechNotes > Configure Network
Address Translation > Document ID: 13772 > Quick Start Steps to Configure and Deploy NAT

Cisco > Support > Cisco IOS and NX-OS Software > Cisco IOS IP Addressing Services Command Reference > ip nat
source

Question #36 of 80 Question ID: 1703575

Which of the following are types of Internet Protocol version 6 (IPv6) addresses? (Choose three.)

A) Anycast

B) Unicast

C) Multicast

D) Dual-cast

E) Broadcast

Explanation

Unicast, multicast, and anycast are types of IPv6 addresses.



Unicast addresses are used to define a single destination interface. A packet sent to a unicast address is delivered to
the specific interface.

Multicast addresses are used to define a group of hosts. When a packet is sent to a multicast address, it is delivered to
all the hosts identified by that address. Multicast addresses begin with the prefix FF00::/8 and the second octet
identifies the range over which the multicast address is propagated. Some special case IPv6 multicast addresses are:

FF01:0:0:0:0:0:0:1 − Indicates all-nodes address for interface-local scope.

FF02:0:0:0:0:0:0:2 − Indicates all-routers address for link-local.

Anycast addresses are used to identify a set of devices. These addresses are assigned to more than one interface
belonging to different nodes. A packet sent to an anycast address is delivered to just one of the interfaces, based on
which one is closest. For example, if an anycast address is assigned to a set of routers, one in India and another in the
U.S., the users in the U.S. will be routed to the U.S. router and the users in India will be routed to the router located in India.

The broadcast option is incorrect because these types of addresses are not supported by IPv6. Broadcast functionality
is provided by multicast addressing.

The dual-cast option is incorrect because this is not a valid Cisco address type.
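
The Python below is an added example (not from the exam or from Cisco) that classifies an IPv6 address into the types above from its prefix, including the multicast scope carried in the second byte (the FF01 and FF02 examples decode to interface-local and link-local). Anycast is deliberately reported as unicast: an anycast address is taken from unicast space and is only anycast because it is assigned to several interfaces, so nothing in the address itself distinguishes it. The scope table follows RFC 4291.

```python
"""Classify IPv6 addresses by type and scope from their prefix.

Added example. Anycast is not visible in the address itself: an anycast
address is taken from the unicast range, so it is reported as unicast."""
import ipaddress
from typing import Tuple

# Multicast scope field (RFC 4291): low nibble of the second address byte.
MULTICAST_SCOPES = {
    0x1: "interface-local",
    0x2: "link-local",
    0x4: "admin-local",
    0x5: "site-local",
    0x8: "organization-local",
    0xE: "global",
}

MULTICAST = ipaddress.IPv6Network("ff00::/8")
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
UNIQUE_LOCAL = ipaddress.IPv6Network("fc00::/7")


def classify(text: str) -> Tuple[str, str]:
    """Return (type, scope or range) for an IPv6 address string."""
    addr = ipaddress.IPv6Address(text)
    if addr == ipaddress.IPv6Address("::"):
        return "unspecified", "n/a"
    if addr == ipaddress.IPv6Address("::1"):
        return "loopback", "n/a"
    if addr in MULTICAST:
        scope = addr.packed[1] & 0x0F
        return "multicast", MULTICAST_SCOPES.get(scope, f"reserved/unassigned ({scope:#x})")
    if addr in LINK_LOCAL:
        return "unicast", "link-local"
    if addr in UNIQUE_LOCAL:
        return "unicast", "unique-local"
    return "unicast", "global"


def is_all_nodes_link_local(text: str) -> bool:
    """ff02::1, the multicast group that takes the place of an IPv4 broadcast."""
    return ipaddress.IPv6Address(text) == ipaddress.IPv6Address("ff02::1")


if __name__ == "__main__":
    for a in ["FF01:0:0:0:0:0:0:1", "FF02:0:0:0:0:0:0:2", "fe80::1", "fd12:3456::1", "2001:db8::1"]:
        print(a, classify(a))
```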

Objective:
Network Fundamentals

Sub-Objective:
Describe IPv6 address types

References:

Cisco Press > Articles > IPv6 Address Representation and Address Types

Question #37 of 80 Question ID: 1704811

You need to ensure that your company's security awareness training includes examples of social engineering attacks.
Which of the following is an example of a social engineering attack?

A) A Trojan horse

B) A backdoor

C) An e-mail hoax

D) A logic bomb

Explanation


An e-mail hoax is a form of social engineering attack. An e-mail hoax is an e-mail message that contains a false
warning about a potential virus infection. As well-meaning users forward an e-mail hoax to other users, e-mail traffic
increases and can seriously deplete the amount of bandwidth available on a network. Most network-bound viruses are
spread by e-mail. Hoaxes target a broad set of victims. While e-mail hoaxes spread through forwarding, social media
hoaxes spread through sharing on social media sites. An example is a social media post linking to fake free software or
to a video. In most cases, the object is to obtain the victim's contact list.

A logic bomb is a program that is designed to destroy network resources when a specified event occurs. A backdoor is
an unguarded pathway into a network. A Trojan horse is a program that seems innocuous but contains malicious code
that can damage network resources or provide hackers with a pathway into a network.

Objective:
Security Fundamentals

Sub-Objective:
Define key security concepts (threats, vulnerabilities, exploits, and mitigation techniques)

References:

Email Hoax

Question #38 of 80 Question ID: 1703737

Which of the following commands will configure a router to use DNS for hostname resolution?

A) ip dns server

B) ip name-server

C) ip dns primary

D) ip domain lookup

Explanation

The ip domain lookup command configures the device to use DNS for hostname resolution. It must be accompanied
by a command that specifies the location of the DNS server, which is done with the ip name-server command.

The ip dns primary command is used to configure the device as the primary DNS name server for a domain (zone)
and as the Start of Authority (SOA) record source, which designates the start of a zone.

The ip dns server command is used to make the device a DNS server.


Objective:
IP Services

Sub-Objective:
Explain the role of DHCP and DNS within the network

References:

Cisco > Support > IP Addressing: DNS Configuration Guide, Cisco IOS Release 15M&T > Chapter: Configuring DNS

Question #39 of 80 Question ID: 1704832

Using Cisco DNA Center-enabled device management, where is device provisioning performed?

A) Router
B) Controller

C) Switch

D) DNA center

Explanation

The Cisco DNA Center can offload a number of functions from the controller(s). These include:

Policy

Design

Provisioning

Assurance

When using Cisco DNA Center-enabled device management, the controllers, under the direction of the Cisco DNA
Center, manage the physical devices (routers, switches, etc.).

Routers and switches only perform data forwarding.

Objective:
Automation and Programmability

Sub-Objective:
Recognize the capabilities of configuration management mechanisms such as Ansible and Terraform

References:


Cisco > Products & Services > Cloud and Systems Management > Cisco Catalyst Center > Data Sheets > Cisco DNA
Center 2.3.5 Data Sheet

Question #40 of 80 Question ID: 1703723

Which protocol allows the network to fully utilize standby routers in a redundancy group without additional
administrative burden?

A) VRRP

B) GLBP

C) IRDP

D) HSRP

Explanation

Gateway Load Balancing Protocol (GLBP) allows the network to fully utilize standby routers in a redundancy group.
Unlike HSRP and VRRP, GLBP allows automatic selection and simultaneous use of multiple gateways. It also allows for
router load balancing from a segment without using different host configurations as in HSRP.

Hot Standby Router Protocol (HSRP) and Virtual Router Redundancy Protocol (VRRP) provide gateway redundancy,
but only one router in a group can forward traffic for a redundancy group. The bandwidth and resources associated with
the non-actively forwarding routers are wasted. GLBP allows this wasted bandwidth and resources to be utilized by
providing automatic selection and the use of multiple available gateways to destinations.

ICMP Router Discovery Protocol (IRDP) is an extension of the Internet Control Message Protocol (ICMP) that allows
routers to advertise useful routes. IRDP does not require hosts to recognize routing protocols, nor does it require
manual configuration.

Objective:
IP Connectivity

Sub-Objective:
Describe the purpose, functions, and concepts of first hop redundancy protocol

References:

Cisco > Products and Services > Cisco IOS and NX-OS Software > Cisco GLBP Load Balancing Options > Document
ID: 1474267833434262


Question #41 of 80 Question ID: 1703634

In the given exhibit, which combination shows the components of a bridge ID used for Spanning Tree Protocol (STP)?

A) 3

B) 2

C) 1
D) 4

Explanation

The bridge ID, also known as the switch ID, is used to elect the root bridge in a redundant network topology. The bridge
ID has two components:

Switch's priority number: Configured as 32768 on Cisco switches by default

Switch's Media Access Control (MAC) address: The burnt-in hardware address of the network interface card (NIC)

The switch with the lowest bridge ID is elected as the root bridge. If the same priority number is configured on two or
more switches in the network, the switch with the lowest MAC address will become the root.

Bridge Protocol Data Units (BPDUs) communicate the details of the switch with the lowest bridge ID in the network. The
election process for the root bridge takes place every time there is a topology change in the network. A topology change
may occur due to the failure of a root bridge or the addition of a new switch in the network. The root bridge originates
BPDUs every two seconds, which are propagated by other switches throughout the network. BPDUs are used as
keepalives between switches. If a switch stops receiving BPDUs from a neighboring switch for ten intervals (20
seconds), it will assume a designated role for the network segment.

The combinations of the remaining options are incorrect because Virtual LAN (VLAN) numbers and serial numbers are
not components of a bridge ID.
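
The Python below is an added example (not from the exam or from Cisco) that builds the bridge ID from the two components above and runs the root election: lowest bridge ID wins, and with equal priorities the lowest MAC address decides. It uses the IEEE 802.1t extended system ID layout that Rapid PVST+ follows, in which the 16-bit priority field holds the configured priority (a multiple of 4096) plus the VLAN ID, which is why a default-priority switch shows 32769 for VLAN 1. Switch names and MAC addresses are constructed.

```python
"""Build STP bridge IDs and elect the root bridge.

Added example using the 802.1t extended system ID layout (priority + VLAN in
the top 16 bits, MAC in the low 48). Switch names and MACs are constructed."""
from typing import Dict, Tuple

DEFAULT_PRIORITY = 32768
PRIORITY_STEP = 4096  # the low 12 bits of the field carry the VLAN ID


def mac_to_int(mac: str) -> int:
    """Accepts 00:00:0c:11:22:33, 0000.0c11.2233 or 00-00-0c-11-22-33."""
    digits = mac.replace(":", "").replace(".", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac}")
    return int(digits, 16)


def bridge_id(priority: int, vlan: int, mac: str) -> int:
    """64-bit bridge ID: (priority + vlan) << 48 | MAC."""
    if priority % PRIORITY_STEP or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN must be between 1 and 4094")
    return ((priority + vlan) << 48) | mac_to_int(mac)


def elect_root(switches: Dict[str, Tuple[int, str]], vlan: int) -> str:
    """switches maps name -> (configured priority, MAC). Lowest bridge ID
    wins; because priority occupies the high bits, a lower priority beats
    any MAC, and equal priorities fall through to the lowest MAC."""
    return min(switches, key=lambda name: bridge_id(switches[name][0], vlan, switches[name][1]))


if __name__ == "__main__":
    sw = {
        "SW1": (DEFAULT_PRIORITY, "00:00:0c:11:22:33"),
        "SW2": (DEFAULT_PRIORITY, "00:00:0c:11:22:22"),
        "SW3": (DEFAULT_PRIORITY, "00:00:0c:aa:bb:cc"),
    }
    print("root for VLAN 1 with default priorities:", elect_root(sw, 1))  # SW2 (lowest MAC)
    sw["SW3"] = (4096, sw["SW3"][1])
    print("root after lowering SW3 priority:", elect_root(sw, 1))         # SW3
```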


Objective:
Network Access

Sub-Objective:
Interpret basic operations of Rapid PVST+ Spanning Tree Protocol

References:

Spanning Tree Protocol – Part 3: Bridge ID, Priority, System ID Extension & Root Bridge Election Process

Question #42 of 80 Question ID: 1703591

When Workstation 1 sends a packet to the FTP server, in how many different frames will the packet be encapsulated as
it is sent across the Internetwork?

A) 4

B) 3

C) 2

D) 1


Explanation

Since Workstation 1 and the FTP server are in the same network (the 10.6.5.0/24 network), Workstation 1 will
encapsulate the packet in a frame with its own MAC address in the source MAC address field. It will place the MAC
address of the FTP server (which it will learn via an ARP broadcast) in the destination MAC address field. Then the
frame will be transferred through the switch with no changes to the FTP server. Therefore, in this instance it will use a
single frame.

Multiple frames are only used when the packet needs to cross routers on its way to the destination. Although the source
and destination IP addresses remain the same regardless of the number of routers the packet crosses, each router will
change the source MAC address field to the MAC address of its sending interface and the destination MAC address to
the MAC address of the next hop router. Each time this is done, a new frame is created.

For example, if Workstation 1 sent a packet to Server 20, three frames would be created as follows:

the first frame would be constructed by Workstation 1
the second frame would be constructed by R1
the third frame would be constructed by R2.

The switches will change neither field but will simply switch the frame to the port where the MAC address is located.
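The hop-by-hop rewrite described above, modelled as an added Python example (not part of the original question bank): hosts and routers each build a new frame addressed to the next Layer 3 hop while the IP addresses stay constant, and switches forward the frame unchanged. Device names follow the question; the MAC addresses, the 10.6.5.x host addresses and the address of Server 20 are constructed.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Node:
    name: str
    kind: str        # "host", "switch" or "router"
    in_mac: str      # MAC of the interface facing the previous hop
    out_mac: str     # MAC of the interface facing the next hop (same as in_mac on a host)


@dataclass(frozen=True)
class Frame:
    built_by: str
    src_mac: str
    dst_mac: str
    src_ip: str      # never rewritten along the path
    dst_ip: str      # never rewritten along the path


def frames_along_path(path: List[Node], src_ip: str, dst_ip: str) -> List[Frame]:
    """Return every distinct frame built as one packet crosses `path`.

    Hosts and routers perform the Layer 2 rewrite, so each of them builds a new
    frame toward the next Layer 3 hop. A switch only looks up the destination
    MAC and forwards the same frame out another port, so it builds nothing.
    """
    frames: List[Frame] = []
    builder = path[0]
    for node in path[1:]:
        if node.kind == "switch":
            continue  # transparent bridging: same frame, no MAC rewrite
        frames.append(Frame(builder.name, builder.out_mac, node.in_mac, src_ip, dst_ip))
        builder = node  # a router becomes the builder of the next frame
    return frames


def host(name: str, mac: str) -> Node:
    return Node(name, "host", mac, mac)


# Constructed devices; MAC addresses are placeholders, not real hardware addresses.
WS1 = host("Workstation 1", "00:00:0c:00:00:01")
FTP = host("FTP server", "00:00:0c:00:00:02")
SRV20 = host("Server 20", "00:00:0c:00:00:20")
SW1 = Node("SW1", "switch", "", "")
SW2 = Node("SW2", "switch", "", "")
R1 = Node("R1", "router", "00:00:0c:11:11:01", "00:00:0c:11:11:02")
R2 = Node("R2", "router", "00:00:0c:22:22:01", "00:00:0c:22:22:02")


def same_subnet_case() -> List[Frame]:
    # Workstation 1 and the FTP server share 10.6.5.0/24 (host parts constructed)
    return frames_along_path([WS1, SW1, FTP], "10.6.5.10", "10.6.5.20")


def routed_case() -> List[Frame]:
    # Server 20 sits behind R1 and R2 (its address is constructed)
    return frames_along_path([WS1, SW1, R1, R2, SW2, SRV20], "10.6.5.10", "10.6.9.20")


if __name__ == "__main__":
    for f in routed_case():
        print(f"{f.built_by:14} {f.src_mac} -> {f.dst_mac}   IP {f.src_ip} -> {f.dst_ip}")
```

Running the module prints one line per frame for the routed case; the two switches never appear as builders, and the IP pair is identical on every line.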

Objective:
Network Fundamentals

Sub-Objective:
Describe switching concepts

References:

How do Packets Find a Computer in a Network?

Question #43 of 80 Question ID: 1715755

Which of the following APIs is used to communicate from a network controller to its appropriate management software?

A) JSON

B) Northbound API

C) None of these

D) Southbound API

Explanation

Northbound APIs are used to communicate from network controllers to their management software.

When management software makes changes to component configurations, southbound APIs push the changes to the
actual components, such as switches, routers, and wireless access points. The communication travels in the opposite
direction to northbound APIs.

JSON is an incorrect option. JavaScript Object Notation (JSON) is a data format used with APIs but is not an API itself.
It is an easier format to work with than eXtensible Markup Language (XML). JSON stores data in key-value pairs. Each
JSON object begins and ends with curly braces {}, as indicated below:

{
  "type": "Cisco ASR 2001-X Router",
  "family": "Routers",
  "location": "Eternia"
}

In the example above, you can see that JSON allows data to be stored as a key (type) with an associated value (Cisco
ASR 2001-X Router).

Application programming interfaces (APIs) allow you to communicate with and configure a network. You use APIs to
access various components of a network using software and can configure them if required. Two commonly used APIs
when working with Cisco networks are northbound and southbound APIs. The following illustrates how they operate:

[APPLICATIONS]

↑↓ Northbound APIs

[CONTROLLERS]

↑↓ Southbound APIs

[DATA PLANE]

The Cisco Catalyst Center (formerly the Cisco DNA Center) provides a graphical user interface (GUI) that allows you to
manage network controllers. When you log into a network controller using the GUI in order to manage the network, the
information exchange is done using a northbound REST-based API.

Objective:
Automation and Programmability

Sub-Objective:
Describe controller-based, software defined architecture (overlay, underlay, and fabric)

References:

W3 Schools > JSON - Introduction

Cisco Catalyst Center Platform APIs and Integrations Overview. - Cisco Catalyst Center 2.3.7 - Cisco DevNet


Foundation Topics: Introduction to Software-Defined Networking > Software-Defined Networking Security and Network
Programmability | Cisco Press

Question #44 of 80 Question ID: 1703713

In the network exhibit below, the routers are running OSPF and are set to the default configurations.

What would be the effect of configuring a loopback interface on RouterA with an address of 192.168.1.50/24?

A) RouterB would become the DR

B) RouterA would become the DR

C) RouterC would become the DR

D) RouterA would become the BDR

Explanation

Configuring a loopback interface on RouterA with an address of 192.168.1.50/24 would cause RouterA to become the
designated router (DR). The DR is determined by the router with the highest interface priority number. If the priority
numbers are tied, then the router with the highest router ID (RID) becomes the DR.

The default priority number is 1 and can be configured as high as 255. Changing the priority to 0 would make the router
ineligible to become the DR or the backup designated router (BDR). The ip ospf priority # command is used to
manually configure a priority on a specific interface.

Router IDs are determined first by the highest loopback IP address, followed by the highest IP address on an active
physical interface. Thus, in the case of a priority tie, the router with the highest loopback IP address will have the
highest RID and will become the DR for the network segment.


The current Router ID for a router can be determined by executing the show ip interface brief command. In the
sample output of the show ip interface brief command below, the RID will be 10.108.200.5.

Router# show ip interface brief
Interface   IP-Address     OK? Method Status                Protocol
Ethernet0   10.108.00.5    YES NVRAM  up                    up
Ethernet1   unassigned     YES unset  administratively down down
Loopback0   10.108.200.5   YES NVRAM  up                    up
Serial0     10.108.100.5   YES NVRAM  up                    up
Serial1     10.108.40.5    YES NVRAM  up                    up
Serial2     10.108.100.5   YES manual up                    up
Serial3     unassigned     YES unset  administratively down down

Neither RouterB nor RouterC will be the DR because the IP addresses on their physical interfaces are lower than
192.168.1.50/24.

RouterA will not be the backup designated router. Since it is the DR, it cannot also be the BDR.

RouterC will not be the BDR because its IP address is lower than that of RouterB. RouterB will be the BDR.
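The election rules in this explanation, implemented as an added Python example (not from the original page or from Cisco): priority first, router ID as the tie-breaker, priority 0 ineligible, and the router ID derived from the highest loopback before any physical interface. An explicit router-id command, when configured, takes precedence over both; that field is included here as an assumption and is not part of the question. The segment addresses for RouterA, RouterB and RouterC are constructed, since the exhibit is not reproduced. One caveat the exam question glosses over: the function models an election from a cold start. On a live segment OSPF does not preempt an existing DR, so adding the loopback only changes the result once the election is rerun, for example after the OSPF process or the interfaces on the segment are reset. In practice, show ip ospf reports the router ID directly rather than leaving you to infer it from show ip interface brief.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class OspfRouter:
    name: str
    priority: int = 1                                   # ip ospf priority on the segment; default 1
    physical: List[str] = field(default_factory=list)   # active physical interface addresses
    loopbacks: List[str] = field(default_factory=list)  # loopback interface addresses
    router_id: Optional[str] = None                     # explicit router-id (assumed; not in the question)


def select_router_id(r: OspfRouter) -> ipaddress.IPv4Address:
    """IOS order: explicit router-id, else highest loopback, else highest physical address."""
    if r.router_id:
        return ipaddress.IPv4Address(r.router_id)
    for addresses in (r.loopbacks, r.physical):
        if addresses:
            return max(ipaddress.IPv4Address(a.split("/")[0]) for a in addresses)
    raise ValueError(f"{r.name}: no IP address available to derive a router ID")


def elect_dr_bdr(routers: List[OspfRouter]) -> Tuple[Optional[str], Optional[str]]:
    """Cold-start election: highest priority wins, highest RID breaks ties, priority 0 is ineligible."""
    eligible = [r for r in routers if r.priority > 0]
    ranked = sorted(eligible, key=lambda r: (r.priority, select_router_id(r)), reverse=True)
    dr = ranked[0].name if ranked else None
    bdr = ranked[1].name if len(ranked) > 1 else None
    return dr, bdr


def segment(router_a_loopback: Optional[str] = None) -> List[OspfRouter]:
    """Constructed multi-access segment; the exhibit's real addresses are not on the page."""
    a = OspfRouter("RouterA", physical=["10.1.1.1/24"])
    b = OspfRouter("RouterB", physical=["10.1.1.3/24"])   # higher than RouterC, as the explanation states
    c = OspfRouter("RouterC", physical=["10.1.1.2/24"])
    if router_a_loopback:
        a.loopbacks.append(router_a_loopback)
    return [a, b, c]


def before() -> Tuple[Optional[str], Optional[str]]:
    return elect_dr_bdr(segment())


def after_loopback() -> Tuple[Optional[str], Optional[str]]:
    return elect_dr_bdr(segment("192.168.1.50/24"))


if __name__ == "__main__":
    print("without loopback:", before())
    print("with loopback on RouterA:", after_loopback())
```

With the constructed addresses the first call elects RouterB as DR and RouterC as BDR; once RouterA carries the 192.168.1.50 loopback its RID outranks every physical address on the segment and it becomes DR with RouterB as BDR, matching the explanation.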

Objective:
IP Connectivity

Sub-Objective:
Configure and verify single area OSPFv2

References:

Cisco > Support > Technology Support > IP Routing > Troubleshooting TechNotes > Understand Open Shortest Path
First (OSPF) - Design Guide > Document ID: 7039 > DR Election

Question #45 of 80 Question ID: 1703587

A server on your network contains several virtual servers. However, it contains a single NIC. Which statement MOST
likely describes the communication from this server?

A) It transmits data using IPv6.

B) It transmits data from multiple MAC addresses.

C) It transmits data using IPv4.

D) It transmits data from multiple IP addresses.


Explanation

When a server contains several virtual servers with a single network interface card (NIC), it is most likely to transmit
data from multiple IP addresses. It could also transmit data from a single IP address, but with each virtual server using
a different port number.

This server does not transmit data from multiple MAC addresses. Because a MAC address is the physical address for
the NIC, this server only uses a single MAC address.

Virtual servers can be implemented using either IPv4 or IPv6. The number of NICs used in a virtual server has no effect
on which IP version should be used.

Objective:
Network Fundamentals

Sub-Objective:
Explain virtualization fundamentals (server virtualization, containers, and VRFs)

References:

Configuring Multiple IP Addresses and Service Ports for a Virtual Server

Question #46 of 80 Question ID: 1242572

You have been asked to troubleshoot the NTP configuration of a router named R70. After executing the show run
command, you receive the following partial output of the command that shows the configuration relevant to NTP:

clock timezone PST -8
clock summer-time PDT recurring
ntp update-calendar
ntp server 192.168.13.57
ntp server 192.168.11.58
interface Ethernet 0/0
 ntp broadcast

Based on this output, which of the following statements is true?

A) The time zone is set to 8 hours less than Pacific Standard time.

B) The router will send NTP broadcasts on interface E0/0.

C) The router will periodically update its software clock.

D) The router will listen for NTP broadcasts on interface E0/0.


Explanation

The router will send NTP broadcasts on its E0/0 interface. The command ntp broadcast, when executed under an
interface, instructs the router to send NTP broadcast packets on the interface. Any devices on the network that are set
with the ntp broadcast client command on any interface will be listening for these NTP broadcasts. While the clients
will not respond in any way, they will use the information in the NTP broadcast packets to synchronize their clocks with
the information.

The time zone is not set to 8 hours less than Pacific Standard Time. The value “-8” in the command clock timezone
PST -8 represents the number of hours of offset from UTC time, not from the time zone stated in the clock timezone
command.

The router will not listen for NTP broadcasts on the interface E0/0. The ntp broadcast command, when executed under
an interface, instructs the router to send NTP broadcast packets on the interface. To set the interface to listen and use
NTP broadcasts, you would execute the ntp broadcast client command on the interface.

The router will not periodically update its software clock. The command ntp update-calendar configures the system to
update its hardware clock from the software clock at periodic intervals.

Objective:
IP Services

Sub-Objective:
Configure and verify NTP operating in a client and server mode

References:

Cisco > Support > Setting Time and Calendar Services > Configuring NTP

Question #47 of 80 Question ID: 1703815

Which of the following is NOT true of the impact of automation on network management?

A) Can reduce costs

B) Can lead to complacency

C) May change IT roles

D) Always increases customer satisfaction

Explanation

The automation of certain tasks can remove the personal touch, which many users prefer. For example, while an
automatic password reset process may reduce time spent by technicians performing this process, it may also lead to
dissatisfaction from some users.

It is true that the use of automation, especially when applied to security functions, can lead to complacency on the part
of technicians.

It is also true that automation can reduce costs, but that is not always a given. Analyzing and confirming cost reductions
should occur before deployment.

As automation eliminates the need for certain tasks to be performed manually, IT roles may require changes when
automation is introduced.

Objective:
Automation and Programmability

Sub-Objective:
Explain how automation impacts network management

References:

PCskull > Business > 4 Business Process Automation Benefits and Its Impact

Question #48 of 80 Question ID: 1703683

Below is the output of the show ip route command from one of your routers:

R66#show ip route
.....
     1.0.0.0/30 is subnetted, 4 subnets
C       1.1.1.0 is directly connected, FastEthernet0/1
O       1.1.1.4 [110/2] via 1.1.1.2, 00:10:04, FastEthernet0/1
O       1.1.1.8 [110/2] via 1.1.1.13, 00:10:04, FastEthernet0/0
C       1.1.1.12 is directly connected, FastEthernet0/0
     172.16.0.0/24 is subnetted, 4 subnets
C       172.16.0.0 is directly connected, Ethernet0/0/0
O       172.16.1.0 [110/11] via 1.1.1.2, 00:10:04, FastEthernet0/1
O       172.16.2.0 [110/12] via 1.1.1.13, 00:09:24, FastEthernet0/0
                   [110/12] via 1.1.1.2, 00:09:24, FastEthernet0/1
O       172.16.3.0 [110/11] via 1.1.1.13, 00:10:04, FastEthernet0/0

What does the value “110” represent in the output?

A) EIGRP administrative distance


B) OSPF administrative distance

C) EIGRP cost

D) OSPF cost

Explanation

The value “110” represents the administrative distance of the route, which in this case was learned by OSPF. OSPF
routes are always indicated by an “O” to the left of the route details. The two values in brackets in each route entry
indicate the administrative distance on the left of the forward slash. The value to the right of the slash is the cost of the
route. Therefore, [110/2] represents an administrative distance of 110 and a cost of 2.

The value of “110” does not represent EIGRP administrative distance because the route was not learned from EIGRP. If
it were, the route would have a “D” to the left of the route details. Moreover, the default administrative distance of EIGRP
is 90, not 110.

The values do not represent OSPF cost. The cost value is on the right side of the forward slash within the brackets in
each route entry. For example, the route entry O 1.1.1.4 [110/2] via 1.1.1.2, 00:10:04, FastEthernet0/1
indicates an OSPF cost of 2.

The values do not represent an EIGRP cost. First, if it were an EIGRP route, the route would have a “D” to the left of the
route details. Moreover, the cost value is located within the square brackets to the right of the forward slash in each
route entry. The only cost values shown in the table are 2, 11, and 12.
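A small parser for this output, as an added Python example (not part of the original page): it reads the [AD/metric] pair, the route-source code, the next hop and the exit interface, inherits the mask announced by the "is subnetted" header, and folds equal-cost continuation lines such as the second path to 172.16.2.0 into one route with two next hops. The sample text is constructed from the entries shown in the question; connected routes are recorded with an administrative distance of 0.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed from the route entries in the question above.
SAMPLE = """R66#show ip route
     1.0.0.0/30 is subnetted, 4 subnets
C       1.1.1.0 is directly connected, FastEthernet0/1
O       1.1.1.4 [110/2] via 1.1.1.2, 00:10:04, FastEthernet0/1
O       1.1.1.8 [110/2] via 1.1.1.13, 00:10:04, FastEthernet0/0
C       1.1.1.12 is directly connected, FastEthernet0/0
     172.16.0.0/24 is subnetted, 4 subnets
C       172.16.0.0 is directly connected, Ethernet0/0/0
O       172.16.1.0 [110/11] via 1.1.1.2, 00:10:04, FastEthernet0/1
O       172.16.2.0 [110/12] via 1.1.1.13, 00:09:24, FastEthernet0/0
                   [110/12] via 1.1.1.2, 00:09:24, FastEthernet0/1
O       172.16.3.0 [110/11] via 1.1.1.13, 00:10:04, FastEthernet0/0
"""

# Route-source codes as printed in the legend of show ip route
CODES = {"C": "connected", "L": "local", "S": "static", "R": "RIP", "B": "BGP",
         "D": "EIGRP", "D EX": "EIGRP external", "O": "OSPF", "O IA": "OSPF inter-area",
         "O E1": "OSPF external type 1", "O E2": "OSPF external type 2"}

IP = r"\d+\.\d+\.\d+\.\d+"
CODE = r"(?P<code>[A-Za-z]\*?(?: [A-Z0-9]{1,2})?)"          # "O", "O E2", "D EX", ...
PATH = (r"\[(?P<ad>\d+)/(?P<metric>\d+)\] via (?P<nh>" + IP +
        r"),\s*(?P<age>\S+),\s*(?P<intf>\S+)")
SUBNET_RE = re.compile(r"^\s+(" + IP + r")/(\d+) is (?:variably )?subnetted")
CONN_RE = re.compile(r"^" + CODE + r"\s+(?P<net>" + IP +
                     r")(?:/(?P<len>\d+))?\s+is directly connected,\s+(?P<intf>\S+)")
DYN_RE = re.compile(r"^" + CODE + r"\s+(?P<net>" + IP + r")(?:/(?P<len>\d+))?\s+" + PATH)
CONT_RE = re.compile(r"^\s+" + PATH)                          # extra equal-cost path


@dataclass
class Route:
    code: str
    network: str
    prefix_len: Optional[int]
    ad: int                      # administrative distance: left of the slash
    metric: int                  # cost/metric: right of the slash
    next_hops: List[str] = field(default_factory=list)
    interfaces: List[str] = field(default_factory=list)

    @property
    def source(self) -> str:
        return CODES.get(self.code, "unknown")

    @property
    def paths(self) -> int:
        return max(1, len(self.next_hops))


def parse_show_ip_route(text: str) -> List[Route]:
    routes: List[Route] = []
    inherited_len: Optional[int] = None   # mask from the most recent "is subnetted" header
    for line in text.splitlines():
        if m := SUBNET_RE.match(line):
            inherited_len = int(m.group(2))
        elif (m := CONT_RE.match(line)) and routes:
            routes[-1].next_hops.append(m.group("nh"))
            routes[-1].interfaces.append(m.group("intf"))
        elif m := CONN_RE.match(line):
            plen = int(m.group("len")) if m.group("len") else inherited_len
            routes.append(Route(m.group("code"), m.group("net"), plen, 0, 0, [], [m.group("intf")]))
        elif m := DYN_RE.match(line):
            plen = int(m.group("len")) if m.group("len") else inherited_len
            routes.append(Route(m.group("code"), m.group("net"), plen,
                                int(m.group("ad")), int(m.group("metric")),
                                [m.group("nh")], [m.group("intf")]))
    return routes


if __name__ == "__main__":
    for r in parse_show_ip_route(SAMPLE):
        print(f"{r.source:10} {r.network}/{r.prefix_len}  AD={r.ad} metric={r.metric} paths={r.paths}")
```

Every OSPF entry in the sample parses to an administrative distance of 110 and the metrics 2, 11 and 12 seen in the brackets; the route to 172.16.2.0 carries both next hops, which is what the indented continuation line in the original output expresses.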

Objective:
IP Connectivity

Sub-Objective:
Interpret the components of routing table

References:

Cisco > Support > Cisco IOS IP Routing: Protocol-Independent Command Reference > show ip route

Cisco > Support > Technology Support > IP Routing > Troubleshooting TechNotes > What is Administrative Distance? >
Document ID: 15986

Matt Oswalt Blog > The Anatomy of "Show IP Route"

Question #49 of 80 Question ID: 1242570

Which of the following commands sets the local router to serve as an authoritative time source?


A) ntp server

B) ntp peer

C) ntp master

D) ntp authenticate

Explanation

The ntp master command sets the local router to serve as an authoritative time source.

The ntp server command is used to specify an external time source that the local router should use as its time
source.

The ntp authenticate command is used to enable the authentication of time source to which the local router has
been configured to use. It is the first step in a process that must also include the specification of a hashing algorithm
and a key, both of which must match on the time source.

The ntp peer command is used to configure the local router to synchronize a peer or to be synchronized by a peer. It
does not make the local router authoritative as a time source like the ntp master command does.

Objective:
IP Services

Sub-Objective:
Configure and verify NTP operating in a client and server mode

References:

Cisco > Support > Cisco IOS Basic System Management Command Reference > ntp master

Question #50 of 80 Question ID: 1703647

Two Catalyst switches on a LAN are connected to each other with redundant links and have Spanning Tree Protocol
(STP) disabled. What problem could occur from this configuration?

A) It may cause broadcast storms.

B) All ports on both switches may change to a forwarding state.

C) It may cause a collision storm.

D) These switches will not forward VTP information.

Explanation


The configuration in the scenario may cause broadcast storms. When there are redundant links between two switches,
it is recommended that you enable Spanning Tree Protocol (STP) to avoid switching loops or broadcast storms. Loops
occur when there is more than one path between two switches. STP allows only one active path at a time, thus
preventing loops. A broadcast storm occurs when the network is plagued with constant broadcasts. When the switches
have redundant links, the resulting loops would generate more broadcasts, eventually resulting in a complete blockage
of available bandwidth that could bring the entire network down. This situation is referred to as a broadcast storm.

The option stating that all ports on both switches may change to a forwarding state is incorrect. Forwarding is a port
state that is available when using STP. When STP is disabled, the switch cannot change the STP states of its ports.

The option stating that the switches will not forward VLAN Trunking Protocol (VTP) information is incorrect. Enabling or
disabling STP does not have a direct effect on VTP messages.

The term collision storm is not a valid term.

Objective:
Network Access

Sub-Objective:
Interpret basic operations of Rapid PVST+ Spanning Tree Protocol

References:

The Ultimate Guide to Spanning Tree Protocol (STP)

Cisco > Configuring Storm Control (PDF)

Question #51 of 80 Question ID: 1715751

Consider the following output:

Routing Protocol is "igrp 120"
  Sending updates every 90 seconds, next due in 44 seconds
  Invalid after 270 seconds, hold down 280, flushed after 630
  Outgoing update filter list for all interfaces is not set
  Incoming update filter list for all interfaces is not set
  Default networks flagged in outgoing updates
  Default networks accepted from incoming updates
  IGRP metric weight K1=1, K2=0, K3=1, K4=0, K5=0
  IGRP maximum hopcount 100
  IGRP maximum metric variance 1
  Redistributing: igrp 109
  Routing for Networks:
    172.160.74.0
  Routing Information Sources:
    Gateway         Distance  Last Update
    172.160.74.18        100  0:56:41
    172.160.74.19        100  6d19
    172.160.74.22        100  0:25:41
    172.160.74.20        100  0:01:04
    172.160.74.30        100  0:02:29
  Distance: (default is 100)

Routing Protocol is "bgp 18"
  Sending updates every 60 seconds, next due in 0 seconds
  Outgoing update filter list for all interfaces is 1
  Incoming update filter list for all interfaces is not set
  Redistributing: igrp 109
  IGP synchronization is disabled
  Automatic route summarization is enabled
  Neighbor(s):
    Address          FiltIn FiltOut DistIn DistOut Weight RouteMap
    192.109.211.17   1
    192.109.213.89   1
    198.6.255.13     1
    172.161.72.18    1
    172.161.72.19
    172.161.84.17    1
  Routing for Networks:
    192.108.209.0
    192.108.211.0
    198.6.254.0
  Routing Information Sources:
    Gateway         Distance  Last Update
    172.161.72.19         20  0:05:28
  Distance: external 20 internal 200 local 200

Which command produced this output?

A) show ip process

B) show ip routing process

C) show ip route


D) show ip protocols

Explanation

The show ip protocols command is used to view the current state of active routing protocols. This command is issued
from Privileged EXEC mode. It has the following syntax:

Router# show ip protocols

This command does not have any parameters.

The output was not produced by the command show ip process or the show ip routing process. The show ip
routing process and show ip process commands are incorrect because these are not valid Cisco IOS commands.

The output was not produced by the command show ip route. The show ip route command is used to view the
current state of the routing table. An example of its output is shown below:

router>show ip route
Codes: C - connected O - OSPF i - IS-IS
S - static IA - inter area L1 - level-1
B - BGP E1 - external type 1 L2 - level-2
E2 - external type 2
* - candidate default
m - route's metric
w - route's weight
S 0.0.0.0/0 directly connected to null 0
C 6.1.1.64/28 directly connected to ethernet 1
C 6.1.1.80/28 directly connected to ethernet 2
C 6.1.1.96/28 directly connected to ethernet 3
C 6.1.1.112/28 directly connected to ethernet 4
S 11.1.0.0/16 via 10.5.0.1 [w:0 m:0]
C 11.5.0.0/16 directly connected to ethernet 0
S 127.0.0.0/8 directly connected to null 0

Objective:
IP Connectivity

Sub-Objective:
Interpret the components of routing table

References:

Cisco > Support > Cisco IOS IP Routing: Protocol-Independent Command Reference > show ip protocols


Question #52 of 80 Question ID: 1703745

You administer your company's 100Base-TX Ethernet network. TCP/IP is the networking protocol used on the network.
You want the routers on the network to send you notices when they have exceeded specified performance thresholds.

Which protocol should you use to enable the routers to send the notices?

A) SNMP

B) SMTP

C) Telnet

D) ARP

Explanation

You would use Simple Network Management Protocol (SNMP) to enable the routers to notify you when they exceed
specified performance thresholds. SNMP is a protocol in the TCP/IP protocol suite that enables the collection of data
about various devices connected to a TCP/IP network, including bridges, hubs, and routers. Each SNMP-compatible
device has a Management Information Base (MIB) database that defines the type of information that can be collected
about the device. You can also configure SNMP traps to analyze network performance and network problems. A trap is
a message that an SNMP-compatible device sends when the device has exceeded a performance threshold. You can
configure SNMP to send traps to the network management software you are using, to your e-mail address, or to
another destination.

SNMP works at the Application layer of the OSI model. SNMP agents (referred to by some sources as SNMP monitors)
are the pieces of software that actually monitor managed devices; this software runs on the managed device itself.

Address Resolution Protocol (ARP) is used on a TCP/IP network to resolve IP addresses to media access control
(MAC) addresses. TCP/IP uses IP addresses to identify hosts, whereas Ethernet uses MAC addresses to identify
network nodes. For Ethernet and TCP/IP to interoperate, a host's IP address must be resolved to a MAC address. You
cannot use ARP to notify you when network devices have exceeded performance thresholds. ARP works at the
Network layer of the OSI model.

Simple Mail Transfer Protocol (SMTP) is used to transfer e-mail messages from e-mail clients to e-mail servers. SMTP
is also used to transfer e-mail messages between e-mail servers. SMTP will not send traps when network devices have
exceeded performance thresholds. SMTP works at the Application layer of the OSI model.

Telnet is a terminal emulation protocol. You can use Telnet to establish a remote session with a server and to issue
commands on a server. Telnet client software provides you with a text-based interface and a command line from which
you can issue commands on a server that supports the Telnet protocol. Telnet will not send notices when network
devices have exceeded established performance thresholds. Telnet works at the Application layer of the OSI model.


Objective:
IP Services

Sub-Objective:
Explain the function of SNMP in network operations

References:

Tech-Faq > SNMP (Simple Network Management Protocol)

Question #53 of 80 Question ID: 1703754

You have configured a router as shown in the following output:

ip dhcp pool POOLNAME
 network 10.2.10.0 255.255.255.0
 default-router 10.2.10.254
 dns-server 10.6.1.200
!
interface fastethernet0/0
 ip nat inside
!
interface serial0/1
 ip address 200.14.3.25 255.255.255.252
 ip nat outside
!
access-list 1 permit 10.2.10.0 0.0.0.255
!
ip nat pool NATPOOL 205.2.1.1 205.2.1.14 netmask 255.255.255.240
ip nat inside source list 1 pool NATPOOL

Hosts on the LAN cannot receive an IP address. What is wrong?

A) The IP address on the serial interface is incorrect.

B) An IP address needs to be configured on the FastEthernet interface.

C) The NAT pool is not large enough.

D) The default-router command in the DHCP pool is incorrect.

Explanation


An IP address needs to be configured on the FastEthernet interface. Dynamic Host Configuration Protocol (DHCP) is
used to dynamically provide IP network configurations to workstations as they are booted up. DHCP minimizes network
administration overload, allowing devices to be added to the network with little or no manual configuration.

The router configuration in the scenario has created a DHCP address pool called POOLNAME. The network statement in
the exhibit, network 10.2.10.0 255.255.255.0, identifies the range of IP addresses that the pool will provide to host
systems (10.2.10.0 /24). However, a DHCP pool can only provide IP addresses over a subnet to which it is directly
connected. Because neither of the interfaces in the exhibit has an IP address on the 10.2.10.0 /24 subnet, the solution
is to assign the FastEthernet0/0 interface the IP address specified in the default-router statement, 10.2.10.254 /24.

The IP address on the serial interface has no impact on the DHCP pool.

The default-router statement is correctly providing the IP address that DHCP hosts will use as their default gateway.
The problem is not with the default-router statement, but with the lack of a correct IP address assigned to the
FastEthernet0/0 interface.

The NAT configuration in the exhibit has no impact on the DHCP pool. If the NAT pool were not large enough, the result
would be that some of the hosts would be able to get to the Internet and others would not. For example, the output
shown below indicates that there are fourteen addresses in the pool (205.2.1.1 to 205.2.1.14). If the network contained
30 computers, only fourteen would be able to use the Internet at the same time because of the number of public
addresses in the pool:

ip nat pool NATPOOL 205.2.1.1 205.2.1.14 netmask 255.255.255.240
ip nat inside source list 1 pool NATPOOL
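A check that catches the fault in this configuration, as an added Python example (not from the page or from Cisco): it parses the DHCP pool, the interface addresses and the NAT pool from the running configuration shown in the question, reports any pool whose network is not directly connected, shows that adding the address from the explanation clears the finding, and computes the fourteen-address NAT pool size. The with_interface_address helper and the line-based parsing are this example's own; the parser only understands the handful of commands that appear in the exhibit.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# The configuration from the question (sub-commands indented by one space).
CONFIG = """\
ip dhcp pool POOLNAME
 network 10.2.10.0 255.255.255.0
 default-router 10.2.10.254
 dns-server 10.6.1.200
!
interface fastethernet0/0
 ip nat inside
!
interface serial0/1
 ip address 200.14.3.25 255.255.255.252
 ip nat outside
!
access-list 1 permit 10.2.10.0 0.0.0.255
!
ip nat pool NATPOOL 205.2.1.1 205.2.1.14 netmask 255.255.255.240
ip nat inside source list 1 pool NATPOOL
"""


def parse_config(text: str):
    """Extract DHCP pools, interface addresses and NAT pools from an IOS-style config."""
    dhcp_pools: Dict[str, dict] = {}
    interfaces: Dict[str, dict] = {}
    nat_pools: Dict[str, Tuple[str, str, str]] = {}
    section = None                              # (kind, name) of the block being read
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw.startswith(" "):             # any top-level command ends the open block
            section = None
            if m := re.match(r"ip dhcp pool (\S+)$", line):
                section = ("dhcp", m.group(1))
                dhcp_pools.setdefault(m.group(1), {})
            elif m := re.match(r"interface (\S+)$", line):
                section = ("intf", m.group(1))
                interfaces.setdefault(m.group(1), {})
            elif m := re.match(r"ip nat pool (\S+) (\S+) (\S+) netmask (\S+)$", line):
                nat_pools[m.group(1)] = (m.group(2), m.group(3), m.group(4))
            continue
        if section is None:
            continue
        kind, name = section
        if kind == "dhcp":
            if m := re.match(r"network (\S+) (\S+)$", line):
                dhcp_pools[name]["network"] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
            elif m := re.match(r"default-router (\S+)$", line):
                dhcp_pools[name]["gateway"] = ipaddress.ip_address(m.group(1))
        elif kind == "intf":
            if m := re.match(r"ip address (\S+) (\S+)$", line):
                interfaces[name]["address"] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    return dhcp_pools, interfaces, nat_pools


def dhcp_pool_problems(dhcp_pools: Dict[str, dict], interfaces: Dict[str, dict]) -> List[str]:
    """A pool can only serve a subnet on which the router itself has an interface address."""
    problems: List[str] = []
    for name, pool in dhcp_pools.items():
        net = pool.get("network")
        if net is None:
            problems.append(f"{name}: pool has no network statement")
            continue
        serving = [i for i, cfg in interfaces.items()
                   if "address" in cfg and cfg["address"].ip in net]
        if not serving:
            problems.append(f"{name}: no interface has an address in {net}; "
                            "requests from that LAN cannot be answered")
        gw = pool.get("gateway")
        if gw is not None and gw not in net:
            problems.append(f"{name}: default-router {gw} lies outside {net}")
    return problems


def nat_pool_size(nat_pools: Dict[str, Tuple[str, str, str]], name: str) -> int:
    start, end, _mask = nat_pools[name]
    return int(ipaddress.ip_address(end)) - int(ipaddress.ip_address(start)) + 1


def with_interface_address(config: str, intf: str, addr: str, mask: str) -> str:
    """Return the config with an ip address line added under `intf` (the fix from the explanation)."""
    return config.replace(f"interface {intf}\n", f"interface {intf}\n ip address {addr} {mask}\n", 1)


def check(config: str) -> List[str]:
    pools, intfs, _ = parse_config(config)
    return dhcp_pool_problems(pools, intfs)


if __name__ == "__main__":
    print("before:", check(CONFIG))
    print("after: ", check(with_interface_address(CONFIG, "fastethernet0/0", "10.2.10.254", "255.255.255.0")))
```

The first check reports that no interface sits in 10.2.10.0/24; after FastEthernet0/0 receives 10.2.10.254 the list is empty, and the NAT pool helper returns 14 for NATPOOL, which is why NAT capacity, not DHCP, is what a thirty-host LAN would exhaust.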

Objective:
IP Services

Sub-Objective:
Configure and verify DHCP client and relay

References:

Cisco > Support > Cisco IOS and NX-OS Software > IP Addressing: DHCP Configuration Guide, Cisco IOS XE Release
3SE (Catalyst 3850 Switches) > Chapter: Configuring the Cisco IOS DHCP Server > Configuring DHCP Address Pools

Question #54 of 80 Question ID: 1703548

What data structure is pictured in the graphic?


A) TCP segment

B) IP header

C) UDP datagram

D) HTTP header

Explanation

The data structure pictured in the graphic is a UDP datagram. It uses a header (not shown) that contains the source
and destination MAC addresses. It has very little overhead compared to the TCP segment (shown later in this
explanation), because a transmission that uses UDP does not receive the services that TCP provides.

It is not a TCP segment, which has much more overhead (shown below). The TCP header contains fields for sequence
number, acknowledgment number, and window size. These fields are not found in a UDP header because UDP
provides none of the services that require use of these fields. That is, UDP cannot re-sequence packets that arrive out
of order, nor does UDP acknowledge receipt (thus the term non-guaranteed to describe UDP). Furthermore, since UDP
does not acknowledge packets, there is no need to manage the window size. The window size refers to the number of
packets that can be received without an acknowledgment.


It is not an IP header. An IP header contains fields for the source and destination IP addresses. Like the UDP
header, the IP header does not contain fields for sequence number, acknowledgment number, or window size; these
fields are not found in an IP header because IP provides none of the services that require them. IP provides
best-effort delivery of user data. This does not cause a delivery problem, however, because IP relies on TCP to
provide those services when the transmission is a unicast.

An HTTP header does not include fields for HTTP requests and responses.
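The header fields this explanation contrasts, as an added Python example (not part of the original page): it packs and parses an 8-byte UDP header (source port, destination port, length, checksum) beside a 20-byte TCP header carrying sequence number, acknowledgment number, data offset, flags and window, and it rejects a UDP datagram whose length field claims more bytes than were actually received, the kind of sanity check any parser that handles datagrams from the network should make. The sample payload, ports and sequence numbers are constructed, and checksums are left at zero. Neither transport header carries MAC addresses; those belong to the Ethernet frame that encapsulates the IP packet.

```python
import struct
from dataclasses import dataclass

UDP_HDR = struct.Struct("!HHHH")       # src port, dst port, length, checksum          -> 8 bytes
TCP_HDR = struct.Struct("!HHIIHHHH")   # src, dst, seq, ack, offset+flags, window,
                                       # checksum, urgent pointer                      -> 20 bytes

TCP_SYN = 0x002                        # bit positions within the low 9 flag bits
TCP_ACK = 0x010


@dataclass(frozen=True)
class UdpHeader:
    src_port: int
    dst_port: int
    length: int        # header plus payload, as claimed by the sender
    checksum: int


@dataclass(frozen=True)
class TcpHeader:
    src_port: int
    dst_port: int
    seq: int
    ack: int
    header_len: int    # bytes: 20 plus any options
    flags: int         # NS CWR ECE URG ACK PSH RST SYN FIN
    window: int        # receive window the peer may send without an ACK
    checksum: int
    urgent_ptr: int


def parse_udp(datagram: bytes) -> UdpHeader:
    if len(datagram) < UDP_HDR.size:
        raise ValueError("truncated UDP header")
    src, dst, length, csum = UDP_HDR.unpack_from(datagram)
    # The length field must cover the header and must not claim more than was received.
    if length < UDP_HDR.size or length > len(datagram):
        raise ValueError(f"UDP length field {length} inconsistent with {len(datagram)} bytes received")
    return UdpHeader(src, dst, length, csum)


def parse_tcp(segment: bytes) -> TcpHeader:
    if len(segment) < TCP_HDR.size:
        raise ValueError("truncated TCP header")
    src, dst, seq, ack, off_flags, win, csum, urg = TCP_HDR.unpack_from(segment)
    header_len = (off_flags >> 12) * 4         # data offset is counted in 32-bit words
    if header_len < TCP_HDR.size or header_len > len(segment):
        raise ValueError(f"TCP data offset {header_len} inconsistent with {len(segment)} bytes received")
    return TcpHeader(src, dst, seq, ack, header_len, off_flags & 0x1FF, win, csum, urg)


def build_udp(src: int, dst: int, payload: bytes) -> bytes:
    return UDP_HDR.pack(src, dst, UDP_HDR.size + len(payload), 0) + payload


def build_tcp(src: int, dst: int, seq: int, ack: int, flags: int, window: int,
              payload: bytes = b"") -> bytes:
    off_flags = (5 << 12) | (flags & 0x1FF)   # 5 words = 20-byte header, no options
    return TCP_HDR.pack(src, dst, seq, ack, off_flags, window, 0, 0) + payload


# Constructed samples: illustrative values, checksums left at zero.
PAYLOAD = b"constructed application data"
UDP_SAMPLE = build_udp(53, 40000, PAYLOAD)
TCP_SAMPLE = build_tcp(49152, 80, seq=1000, ack=0, flags=TCP_SYN, window=65535)


def overhead_bytes() -> dict:
    """Fixed header size of each transport protocol without options."""
    return {"udp": UDP_HDR.size, "tcp": TCP_HDR.size}


if __name__ == "__main__":
    print(parse_udp(UDP_SAMPLE))
    print(parse_tcp(TCP_SAMPLE))
    print(overhead_bytes())
```

The UDP header has no place for a sequence number, acknowledgment or window, which is exactly why the parser needs only four fields; the TCP parser must additionally honour the data offset before it can tell where the payload begins.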

Objective:
Network Fundamentals

Sub-Objective:
Compare TCP to UDP

References:

User Datagram Protocol (UDP)

Question #55 of 80 Question ID: 1703738

You administer a TCP/IP network. You want to enable the hosts on your network to be automatically configured with IP
configurations, such as IP address, subnet mask, and default gateway address. The IP configurations should be leased
to the clients for a limited time.


Which protocol should you use to accomplish this task?

A) HTTP

B) IPP

C) BOOTP

D) SMTP

E) DHCP

Explanation

You would use Dynamic Host Configuration Protocol (DHCP) to automatically configure the hosts on your network with
IP configurations. DHCP was designed to automatically configure frequently moved, fully boot-capable computers, such
as laptop computers, with IP configurations. You can use DHCP to configure such IP settings as IP address, subnet
mask, and default gateway address. Typically, DHCP information is leased to a client for a limited period. DHCP clients
usually release DHCP information when they are shut down. When a DHCP client retrieves IP configurations from a
DHCP server, the DHCP client is not necessarily configured with the same IP configurations as on previous occasions.

Bootstrap Protocol (BOOTP) is a host configuration protocol that was designed before DHCP. BOOTP was designed to
configure diskless workstations with IP configurations. BOOTP does not lease IP configurations as DHCP does.
Instead, a BOOTP server permanently assigns IP configurations to a BOOTP client. When a BOOTP client is started,
the BOOTP server always assigns the same IP configurations to the BOOTP client.

Hypertext Transfer Protocol (HTTP) is used to transfer Web pages on a TCP/IP network. Simple Mail Transfer Protocol
(SMTP) is used to transfer e-mail messages on a TCP/IP network. Internet Printing Protocol (IPP) is used to enable
network printing through a TCP/IP network such as the Internet. HTTP, SMTP, and IPP are not used to automatically
configure hosts on a TCP/IP network with IP settings.

Objective:
IP Services

Sub-Objective:
Explain the role of DHCP and DNS within the network

References:

Cisco > Product Support > Cisco IOS and NX-OS Software > IP Addressing: DHCP Configuration Guide, Cisco IOS XE
Release 3SE (Catalyst 3850 Switches) > Chapter: Configuring the Cisco IOS DHCP Server

Question #56 of 80 Question ID: 1703791


The company you work for has a large number of employees who work in offices in Atlanta and Boston. You would like
to implement an access solution whereby all systems in the two offices appear local to one another. Which of the
following tunneling/VPN solutions would be the most appropriate in this situation?

A) PPTP

B) Remote access

C) Site to site

D) IPsec

Explanation

A site-to-site VPN allows an organization to connect two or more remote offices so that it appears as if they are local to
each other. It can also be used for partner connections.

A remote-access VPN allows geographically dispersed users to access the intranet or other company resources. It is
ideal for a mobile workforce.

IPsec is the encryption protocol used in secure VPN connections. While IPsec may be used, it has nothing to do with
the type of VPN deployed.

Point-to-Point Tunneling Protocol (PPTP) uses an initial public Internet connection and creates a second connection
(tunnel) through which VPN traffic is managed. A VPN can use PPTP, but this protocol does not affect the type of VPN
deployed.

Objective:
Security Fundamentals

Sub-Objective:
Describe IPSec remote access and site-to-site VPNs

References:

Cisco Community > Technology and Support > Security > Ipsec Tunnel Mode Vs Transport Mode

AT&T Cybersecurity > Level Blue > Blog > Security Essentials > Secure Remote Access Explained

Question #57 of 80 Question ID: 1703721

Which statement best describes the interaction between a workstation and an HSRP virtual router?

A) The workstation must have the real IP address of one of the HSRP routers defined as its default gateway.

B) The workstation sends packets to the active router's real MAC address.

C) The active HSRP router replies to the workstation's ARP request with the virtual router's MAC address.

D) The workstation must support IRDP in order to switch to the alternate router in an HSRP group.

Explanation

The active HSRP router replies to the workstation's ARP request with the HSRP virtual MAC address. The HSRP virtual
router presents a consistently available router to the end user, reachable by a single unique, virtual MAC address. Only
the active router responds to frames destined to this virtual MAC address, which identifies the HSRP group.

The primary function of Hot Standby Router Protocol (HSRP) is to define a set of routers that work together to represent
one virtual, fault-tolerant router. Thus, redundancy is provided in the event that one of the routers fails. An HSRP group
consists of an active router and a standby router, which together present the appearance of a virtual router. The active
router is elected from the routers configured to belong to the HSRP group. The virtual router's MAC address identifies
the virtual router, and the end user will send packets to that destination MAC address. The end-user device will send an
ARP request using the known IP address of its default gateway to discover the virtual router's MAC address. Only the
active router will respond to the ARP request. The active router will then forward packets sent to the virtual router. The
standby router monitors the status of the HSRP group and assumes packet-forwarding responsibilities of the virtual
router if the active router fails.

The six HSRP states are defined as follows:

Initial state: All routers start in this state.
Learn state: The router has not yet heard from the active router. It does not know which router is the active router
and does not know the IP address of the virtual router (if no HSRP IP address is configured locally).
Listen state: Once the router hears from the active router and knows the virtual IP address, it enters the listen state.
It is neither the active nor the standby router.
Speak state: After a router learns the IP address of the virtual router, it enters the speak state. It participates in the
active and standby router election and sends hello messages.
Standby state: When the active router has been elected, the runner-up enters the standby state. This is the standby
router, and it will become the active router if the active router fails.
Active state: The router is forwarding packets sent to the virtual IP address and the virtual MAC address.

Neither the workstation nor any other device is required to support ICMP Router Discovery Protocol (IRDP) in order to
implement an HSRP virtual router. An IRDP-compliant device (RFC 1256) listens for IRDP hello messages, which
advertise default routes.

It is not required for the workstation to know the actual IP address of any of the routers in the group. The end-user
device will send an ARP request using the known IP address of its default gateway to discover the virtual router's MAC
address.

The workstation does not send packets to the active router's real MAC address. It will send packets to the virtual
router's MAC address.
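The ARP exchange described above, as an added example (not code from the original page or from Cisco): a small
Python model of an HSRP group that derives the well-known virtual MAC from the group number, lets only the active
router answer an ARP request for the virtual IP, and shows that a failover changes which router answers but not the
MAC the workstation has cached. Router names, addresses and priorities are constructed for the demo.

```python
"""Added example (not from the original page or Cisco): a small model of an HSRP
group showing why a workstation only ever needs the virtual IP and virtual MAC.
Names, addresses and priorities are constructed for the demo."""
from dataclasses import dataclass, field


def hsrp_virtual_mac(group: int, version: int = 1) -> str:
    """Well-known HSRP virtual MAC: v1 uses 0000.0c07.acXX (group 0-255),
    v2 uses 0000.0c9f.fXXX (group 0-4095); XX/XXX is the group number in hex."""
    if version == 1 and 0 <= group <= 255:
        return f"0000.0c07.ac{group:02x}"
    if version == 2 and 0 <= group <= 4095:
        return f"0000.0c9f.f{group:03x}"
    raise ValueError("invalid HSRP version/group combination")


def _ip_key(ip: str) -> tuple:
    return tuple(int(o) for o in ip.split("."))


@dataclass
class Router:
    name: str
    real_ip: str
    real_mac: str
    priority: int = 100      # HSRP default priority
    state: str = "listen"


@dataclass
class HsrpGroup:
    group: int
    virtual_ip: str
    routers: list = field(default_factory=list)

    @property
    def virtual_mac(self) -> str:
        return hsrp_virtual_mac(self.group)

    def elect(self) -> Router:
        """Highest priority becomes active, next becomes standby; ties go to the
        highest real IP address, as in HSRP."""
        ranked = sorted(self.routers,
                        key=lambda r: (r.priority, _ip_key(r.real_ip)), reverse=True)
        for r in self.routers:
            r.state = "listen"
        ranked[0].state = "active"
        if len(ranked) > 1:
            ranked[1].state = "standby"
        return ranked[0]

    def arp_reply(self, target_ip: str) -> list:
        """(router name, MAC) pairs that answer an ARP request for target_ip.
        Only the active router answers for the virtual IP, and it answers with the
        virtual MAC; each router still answers for its own real IP with its real MAC."""
        replies = []
        for r in self.routers:
            if target_ip == self.virtual_ip and r.state == "active":
                replies.append((r.name, self.virtual_mac))
            elif target_ip == r.real_ip:
                replies.append((r.name, r.real_mac))
        return replies

    def fail(self, name: str) -> Router:
        """Remove a failed router and re-elect; the virtual MAC is unchanged, so
        the workstation's ARP cache entry for the gateway stays valid."""
        self.routers = [r for r in self.routers if r.name != name]
        return self.elect()


def demo() -> dict:
    g = HsrpGroup(group=10, virtual_ip="10.0.0.1")
    g.routers += [Router("R1", "10.0.0.2", "0011.2233.4401", priority=110),
                  Router("R2", "10.0.0.3", "0011.2233.4402")]
    g.elect()
    before = g.arp_reply("10.0.0.1")      # who answers the workstation's gateway ARP?
    g.fail("R1")                          # active router dies, standby takes over
    after = g.arp_reply("10.0.0.1")
    return {"before": before, "after": after, "vmac": g.virtual_mac}


if __name__ == "__main__":
    print(demo())
```

Running the demo shows R1 answering for 10.0.0.1 with 0000.0c07.ac0a, then R2 answering with the same MAC after R1
is removed, which is why the workstation never needs either router's real address.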

Objective:
IP Connectivity

Sub-Objective:
Describe the purpose, functions, and concepts of first hop redundancy protocol

References:

Cisco > Support > Technology Support > IP Application Services > Troubleshooting TechNotes > Understand the Hot
Standby Router Protocol Features and Functionality > Document ID: 9234

Cisco > Support > Technology Support > IP Application Services > Technology Q&A > Review Hot Standby Router
Protocol (HSRP): FAQ > Document ID: 9281

Cisco > Product Support > Switches > Catalyst 3560 Software Configuration Guide, Release 12.2(52)SE > Chapter:
Configuring HSRP

Question #58 of 80 Question ID: 1704804

An associate creates the following access list that she plans to apply to an interface on a router:

access-list 100 permit ip any any log

What type of traffic could cause this ACL to place a heavy load on the CPU of the router, and what command could be
used to reduce the impact of the ACL? (Choose two.)

A) Logging rate limit

B) ip access-list log-update threshold

C) ip access-list logging interval

D) Traffic that is process switched

E) Traffic that is CEF switched

F) Traffic that is fast switched

Explanation

There are two contributors to the CPU load increase from ACL logging: process switching of packets that match log-
enabled access control entries (ACEs), and the generation and transmission of the log messages. To reduce the impact
of process switched traffic, the ip access-list logging interval command can be used. The interval is specified in
milliseconds and sets the rate at which log-matching packets are process switched (at most one packet per interval);
packets that match the ACE in between are switched in the fast path. While the generated log entries may not account
for every packet after this command is executed, the hit counters shown by the show access-list and show ip
access-list commands remain accurate.

Packets that are CEF switched or fast switched are not process switched, so they do not contribute to this CPU load
(they are still counted by the ACE hit counters, but they are not individually logged) and are not the source of the
problem.

The ip access-list log-update threshold command is used to configure how often syslog messages are generated
and sent after the initial packet match. While this would be a beneficial command to run, as it addresses the second
source of CPU congestion (the sending of the syslog messages), that source was not listed as a traffic type option.
Therefore, this would not be a solution to the issue presented by process switched traffic.

The logging rate-limit command also reduces the impact of log generation and transmission on the CPU, but again,
it does not address the issue presented by process switched traffic.

Objective:
IP Services

Sub-Objective:
Describe the use of syslog features including facilities and severity levels

References:

Cisco > Security > Understanding Access Control List Logging

Cisco > Support > Cisco IOS Security Command Reference > ip access-list

Question #59 of 80 Question ID: 1703716

Examine the partial output from two adjacent routers:

RTR78# show ip ospf

Routing Process 201 with ID 192.0.2.1 VRF default
Stateful High Availability enabled
Graceful-restart is configured
Grace period: 60 state: Inactive
Last graceful restart exit status: None
Supports only single TOS(TOS0) routes
Supports opaque LSA
This router is an autonomous system boundary
Administrative distance 110
Reference Bandwidth is 40000 Mbps
Initial SPF schedule delay 3000.000 msecs,
minimum inter SPF delay of 2000.000 msecs,
maximum inter SPF delay of 4000.000 msecs
Initial LSA generation delay 3000.000 msecs,

RTR79# show ip ospf

Routing Process 202 with ID 192.0.2.1 VRF default
Stateful High Availability enabled
Graceful-restart is configured
Grace period: 60 state: Inactive
Last graceful restart exit status: None
Supports only single TOS(TOS0) routes
Supports opaque LSA
This router is an autonomous system boundary
Administrative distance 110
Reference Bandwidth is 30000 Mbps
Initial SPF schedule delay 3000.000 msecs,
minimum inter SPF delay of 2000.000 msecs,
maximum inter SPF delay of 4000.000 msecs
Initial LSA generation delay 3000.000 msecs,

Which of the following statements describes why the two routers are NOT forming an OSPF neighbor adjacency?

A) The process IDs do not match

B) The distance is misconfigured

C) The reference bandwidth does not match

D) The router IDs are misconfigured

Explanation

The output shows that the router IDs for RTR78 and RTR79 are the same value, which should not be the case. One of
the two routers has been misconfigured with the other router's ID. This will prevent an OSPF neighbor adjacency from
forming.

Other issues that can prevent an adjacency are:

Mismatched OSPF area number
Mismatched OSPF area type (for example, one side configured as a stub area)
Mismatched subnet and subnet mask
Mismatched OSPF HELLO and dead timer values
Mismatched authentication type or key
Mismatched interface MTU (the neighbors stall in the EXSTART/EXCHANGE state)

The process IDs do not have to match. The OSPF process ID is only locally significant on each device, so process IDs
201 and 202 have no bearing on whether the adjacency forms.

The administrative distance is not misconfigured in the output. Both routers are using the default OSPF administrative
distance of 110.

If the reference bandwidths do not match, it will affect the calculation of the path cost, but it will not prevent an
adjacency from forming.

Objective:
IP Connectivity

Sub-Objective:
Configure and verify single area OSPFv2

References:

Cisco > Support > Technology Support > IP Routing > Troubleshooting TechNotes > Troubleshoot OSPF Neighbor
Problems > Document ID: 13699 > Typical Reasons for OSPF Neighbor Problems

Question #60 of 80 Question ID: 1704948

Which two features do Cisco routers offer to mitigate distributed denial-of-service (DDoS) attacks? (Choose two.)

A) Flow control

B) Scatter tracing

C) Rate limiting

D) Access control lists (ACLs)

E) Anti-DDoS guard

Explanation

Cisco routers use access control lists (ACLs) and rate limiting to help mitigate distributed denial-of-service (DDoS)
attacks. A DoS attack is an attack in which legitimate users are denied access to networks, systems, or resources. One
of the most common DoS attacks is the DDoS attack, which is executed by using multiple hosts to flood the network or
send requests to a resource. The difference between DoS and DDoS is that in a DoS attack, an attacker uses a single
host to send multiple requests, whereas in DDoS attacks, multiple hosts are used to perform the same task.

Cisco routers offer the following features to mitigate DDoS attacks:

ACLs: Filter unwanted traffic, such as traffic that spoofs company addresses or is aimed at Windows control ports. An
anti-spoofing ACL must be applied where the original source addresses are still visible; if network address translation
(NAT) rewrites the addresses before the ACL is evaluated, the filter cannot tell spoofed sources apart.
Rate limiting: Minimizes and controls the rate of bandwidth used by incoming traffic (for example, with committed
access rate (CAR) or a policing policy).
Traffic-flow reporting: Creates a baseline for the network that is compared with the current traffic flow, helping you
detect any intrusive network or host activity.

Apart from these features offered by Cisco routers, the following methods can also be used to mitigate DDoS attacks:

Using a firewall, you can block or permit traffic entering a network.
The systems vulnerable to attacks can be moved to another location or a more secure LAN.
Intrusion Detection Systems (IDS), such as Network Intrusion Detection Systems (NIDS) and Host Intrusion
Detection Systems (HIDS), can be implemented to detect intrusive network or host activity such as a DoS attack,
and raise alerts when any such activity is detected.

Anti-DDoS guard and scatter tracing are incorrect because these features are not offered by Cisco routers to mitigate
DDoS attacks.

Flow control is incorrect because flow control is used to prevent the loss of traffic between two devices.

Objective:
Security Fundamentals

Sub-Objective:
Configure and verify access control lists

References:

How to configure the router to minimize a Denial of Service (DoS) attack

Question #61 of 80 Question ID: 1703714

Given the following output, which statements can be determined to be true? (Choose three.)

RouterA2# show ip ospf neighbor

Neighbor ID     Pri   State      Dead Time   Address      Interface
192.168.23.2    1     FULL/BDR   00:00:29    10.24.4.2    FastEthernet1/0
192.168.45.2    2     FULL/BDR   00:00:24    10.1.0.5     FastEthernet0/0
192.168.85.1    1     FULL/-     00:00:33    10.6.4.10    Serial0/1
192.168.90.3    1     FULL/DR    00:00:32    10.5.5.2     FastEthernet0/1
192.168.67.3    1     FULL/DR    00:00:20    10.4.9.20    FastEthernet0/2
192.168.90.1    1     FULL/BDR   00:00:23    10.5.5.4     FastEthernet0/1

<<output omitted>>

A) The DR for the serial subnet is 192.168.85.1.

B) The DR for the network connected to Fa0/1 has a router ID of 10.5.5.2.

C) This router is neither the DR nor the BDR for the Fa0/1 subnet.

D) The DR for the network connected to Fa0/0 has an interface priority greater
than 2.

E) RouterA2 is connected to more than one multi-access network.

F) This router is the DR for subnet 10.1.0.0.

Explanation

The show ip ospf neighbor command displays a list of all OSPF routers with which you have established a neighbor
relationship. The following describes the command output:

Neighbor ID: the Router ID (RID) of the neighboring router
Pri: the interface priority of the neighboring router, which is used to determine which router should serve the
function of a Designated Router (DR)
State: the functional state of the neighboring router, followed by its role on the segment (DR, BDR, DROTHER, or -
where no election takes place)
Dead Time: the period that the router will wait to hear a Hello packet from this neighbor before declaring the
neighbor down
Address: the IP address of the neighboring router's interface on this subnet
Interface: the local interface over which the neighbor relationship (adjacency) was formed

The output for neighbor 192.168.45.2 is as follows:

192.168.45.2 2 FULL/BDR 00:00:24 10.1.0.5 FastEthernet0/0

This indicates that the interface priority of neighbor 192.168.45.2 is 2. The default OSPF interface priority is 1 and the
highest interface priority determines the designated router (DR) for a subnet. This same line reveals that this neighbor
is currently the backup designated router (BDR) for this segment, which indicates that another router became the DR. It
can then be assumed that the DR router has an interface priority higher than 2. (The router serving the DR function is
not present in the truncated sample output.)

The output for the two neighbors discovered on Fa0/1 is as follows:

192.168.90.3 1 FULL/DR 00:00:32 10.5.5.2 FastEthernet0/1


192.168.90.1 1 FULL/BDR 00:00:23 10.5.5.4 FastEthernet0/1

This output indicates that router 192.168.90.3 is the DR, and router 192.168.90.1 is the BDR for this network. Since
there can only be one DR and BDR per segment, this indicates that the local router is neither the DR nor the BDR.
(OSPF considers these as DROther routers.)

The fact that multiple DRs are listed in this output indicates that RouterA2 is connected to more than one multiaccess
segment, since each segment will elect a DR.

It cannot be determined if this router is the DR for subnet 10.1.0.0. The output indicates that router 192.168.45.2 is the
BDR for this network, but with the truncated output it cannot be determined if this router is the DR.

The DR for the network connected to Fa0/1 does not have a router ID of 10.5.5.2. The Address field of the show ip
ospf neighbor command indicates the IP address of the neighbor's interface, not the router ID of the neighbor.

The DR for the serial subnet is not 192.168.85.1 since point-to-point serial interfaces do not elect DRs and BDRs. This
is indicated by the output below:

192.168.85.1 1 FULL/- 00:00:33 10.6.4.10 Serial0/1
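The reasoning above can be automated. The following is an added example (not code from the original page or from
Cisco): a Python parser for show ip ospf neighbor output that infers the local router's role on each interface from
the roles its neighbors report, lists the multi-access segments, and derives a lower bound for the DR's priority from a
neighbor shown as BDR. The sample output embedded in the block is constructed to mirror the question's table.

```python
"""Added example (not from the original page or Cisco): parse 'show ip ospf
neighbor' text and infer the local router's DR/BDR/DROTHER role per interface.
The sample output below is constructed to mirror the question's table."""
import re
from collections import defaultdict

NEIGHBOR_RE = re.compile(
    r"^(?P<rid>\d+\.\d+\.\d+\.\d+)\s+(?P<pri>\d+)\s+(?P<state>[A-Z0-9]+)/\s*(?P<role>\S+)"
    r"\s+(?P<dead>\d\d:\d\d:\d\d)\s+(?P<addr>\d+\.\d+\.\d+\.\d+)\s+(?P<intf>\S+)\s*$")

SAMPLE = """\
Neighbor ID     Pri   State           Dead Time   Address         Interface
192.168.23.2      1   FULL/BDR        00:00:29    10.24.4.2       FastEthernet1/0
192.168.45.2      2   FULL/BDR        00:00:24    10.1.0.5        FastEthernet0/0
192.168.85.1      1   FULL/  -        00:00:33    10.6.4.10       Serial0/1
192.168.90.3      1   FULL/DR         00:00:32    10.5.5.2        FastEthernet0/1
192.168.67.3      1   FULL/DR         00:00:20    10.4.9.20       FastEthernet0/2
192.168.90.1      1   FULL/BDR        00:00:23    10.5.5.4        FastEthernet0/1
"""


def parse_neighbors(text: str) -> list:
    """One dict per neighbour row; the header line and anything else is skipped."""
    rows = []
    for line in text.splitlines():
        m = NEIGHBOR_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["pri"] = int(row["pri"])
            rows.append(row)
    return rows


def local_roles(rows: list) -> dict:
    """Infer what this router is on each interface from what its neighbours are.
    'Address' is the neighbour's interface IP, not its router ID, so the RID is
    never used here to identify the DR."""
    by_intf = defaultdict(list)
    for r in rows:
        by_intf[r["intf"]].append(r)
    roles = {}
    for intf, nbrs in by_intf.items():
        seen = {n["role"] for n in nbrs}
        if seen == {"-"}:
            roles[intf] = "P2P"             # no DR/BDR election on point-to-point
        elif {"DR", "BDR"} <= seen:
            roles[intf] = "DROTHER"         # both roles are taken by neighbours
        elif "DR" in seen:
            roles[intf] = "BDR or DROTHER"  # the BDR may be us, or cut off by truncation
        elif "BDR" in seen:
            roles[intf] = "DR or DROTHER"   # the DR may be us, or cut off by truncation
        else:
            roles[intf] = "UNKNOWN"
    return roles


def multiaccess_interfaces(rows: list) -> list:
    """Interfaces on which a DR or BDR exists, i.e. multi-access segments."""
    return sorted({r["intf"] for r in rows if r["role"] in ("DR", "BDR")})


def dr_priority_lower_bound(rows: list, intf: str):
    """If a neighbour is the BDR with priority p, the DR won the election with a
    priority of at least p (a tie is broken by the higher router ID), so its
    priority is >= p. Returns None when no BDR neighbour is visible."""
    for r in rows:
        if r["intf"] == intf and r["role"] == "BDR":
            return r["pri"]
    return None


if __name__ == "__main__":
    rows = parse_neighbors(SAMPLE)
    print(local_roles(rows))
    print(multiaccess_interfaces(rows))
    print("DR on Fa0/0 has priority >=", dr_priority_lower_bound(rows, "FastEthernet0/0"))
```

The parser deliberately reports "DR or DROTHER" for Fa0/0 rather than guessing: with the output truncated, the local
router's own role on that segment cannot be determined, which is the point the question makes about subnet 10.1.0.0.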

Objective:
IP Connectivity

Sub-Objective:
Configure and verify single area OSPFv2

References:

Cisco > Support > Cisco IOS IP Routing: OSPF Command Reference > show ip ospf neighbor

Cisco > Support > Technology Support > IP Routing > Troubleshooting TechNotes > Understand Open Shortest Path
First (OSPF) - Design Guide > Document ID: 7039 > DR Election

Question #62 of 80 Question ID: 1703565

To enable users to access the FTP server from the Internet, which service must be operational on which device?

A) VTP on the switch connected to the FTP server

B) NAT on R2

C) NAT on R1

D) DHCP on R1

Explanation

Network Address Translation (NAT) must be operational on the R1 router. The computers on the LAN side of R1,
including the FTP server, are using a private IP address range (10.6.5.0/24). To allow access to the FTP server from the
Internet, the private IP address of the FTP server (10.6.5.108/24) must be converted to a public IP address. NAT can
perform this translation and should be operational on the router that connects the LAN where the FTP server is located
to the Internet, which in this case is R1.

NAT does not need to be running on R2. Both of the interfaces on R2 are using public IP addresses, so no translation is
necessary. Moreover, configuring R2 would not help users connect to the FTP server since R1 is the router that
connects the LAN where the FTP server is located to the Internet.

Making DHCP operational on R1 would not help. DHCP provides address configurations to both local and remote
clients but cannot perform the translation required in this scenario.

Making VLAN Trunking Protocol (VTP) operational on the switch would not provide any translation. This protocol is
used to communicate VLAN information among multiple switches.

Objective:
Network Fundamentals

Sub-Objective:
Describe private IPv4 addressing

References:

What Is Network Address Translation (NAT)?

Question #63 of 80 Question ID: 1704813

You want to configure password policies that ensure password strength. Which password setting most affects a
password's strength?

A) Password complexity
B) Password lockout

C) Password age

D) Password history

Explanation

Password complexity is the most important setting to ensure password strength. Password complexity allows you to
configure which characters should be required in a password to reduce the possibility of dictionary or brute force
attacks. A typical password complexity policy would force the user to incorporate numbers, letters, and special
characters. Both uppercase and lowercase letters can be required. A password that uses a good mix, such as
Ba1e$23q, is more secure than a password that only implements parts of these requirements, such as My32birthday,
NewYears06, and John$59. Note that password complexity rules are less effective when users make common
character substitutions in dictionary words, such as zero for O, @ for a, and 3 for E.

Password age, sometimes referred to as password expiration, allows you to configure the minimum or maximum
number of days before a user is required to change the user's password. It is a good security practice to enforce a
password age of 30 to 60 days. Some companies force users to change their passwords monthly or quarterly. This
interval should be determined based on how critical the information is and on how frequently passwords are used.

Password history allows you to configure how many new passwords must be created before an old one can be reused.
This setting enhances security by allowing the administrators to ensure that old passwords are not being reused
continually. Passwords that are used repeatedly are sometimes referred to as rotating passwords.

Password lockout allows you to configure the number of invalid logon attempts that can occur before an account is
locked. Usually, this password lockout policy also allows you to configure the number of days that the account remains
in this state. In some cases, you may want to configure the account lockout policy so that an administrator must be
contacted to re-enable the account.

Other password factors that you should consider include:

Password reuse - specifies whether users can reuse old passwords. In most cases this setting specifies how many
previous passwords are retained, and an old password can be reused only once it has dropped out of that history. For
example, if passwords must be changed every 30 days and the system remembers the last 6 passwords, a password can
be reused roughly 6 months after it was last used.
Password length - specifies the minimum number of characters that must be included in the user's password.

The use of strong passwords helps to resist password cracking, which is the process of recovering passwords from
their stored hashes using a dictionary or brute-force attack. A security administrator should periodically test the
strength of user passwords. One accepted method is to copy the password hash database to an isolated, stand-alone
system and run a password-cracking program against it. This must be done with written authorization, and the copied
database must be protected and securely destroyed afterwards, since it is exactly what an attacker is after.

Recent NIST password guidelines (SP 800-63B) favor password length over complexity: a longer passphrase of random
words should be preferred over a shorter but complex password, and forced periodic rotation is no longer recommended
unless there is evidence of compromise. However, password length was not one of the options given.
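The points made above (complexity classes, the weakness of predictable character substitutions, and length over
complexity) can be checked in code. The following is an added example, not code from the original page: a small Python
policy checker that counts character classes, undoes the common substitutions before looking for dictionary words, and
waives the complexity requirement for long passphrases. The word list, thresholds, and sample passwords are
constructed for the demo; a real deployment would use a full cracking dictionary.

```python
"""Added example (not from the original page): a password-policy check that
combines complexity classes with a dictionary check that first undoes the common
character substitutions, and waives the complexity requirement for long
passphrases. The word list and thresholds are constructed for the demo."""
import math
import re

# Tiny stand-in for a real cracking dictionary.
COMMON_WORDS = {"password", "birthday", "newyears", "john", "welcome", "letmein", "admin"}
# zero->o, one->l, three->e, ...: the substitutions crackers try first.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})
CLASSES = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")


def complexity_classes(pw: str) -> int:
    """Number of character classes present (lower, upper, digit, symbol)."""
    return sum(1 for pat in CLASSES if re.search(pat, pw))


def normalize(pw: str) -> str:
    return pw.lower().translate(LEET)


def dictionary_hit(pw: str):
    """Return the dictionary word hidden in pw after undoing substitutions, if any."""
    base = normalize(pw)
    return next((w for w in COMMON_WORDS if w in base), None)


def entropy_bits(pw: str) -> float:
    """Naive pool-size estimate: log2(pool) bits per character. It overstates the
    strength of dictionary-based passwords, which is why the dictionary check exists."""
    pool = 0
    for pat, size in zip(CLASSES, (26, 26, 10, 33)):
        if re.search(pat, pw):
            pool += size
    return round(len(pw) * math.log2(pool), 1) if pool else 0.0


def evaluate(pw: str, min_len: int = 8, min_classes: int = 3,
             passphrase_len: int = 16) -> dict:
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    # Complexity is demanded only of short passwords; a long passphrase passes on length.
    if len(pw) < passphrase_len and complexity_classes(pw) < min_classes:
        problems.append(f"fewer than {min_classes} character classes")
    hit = dictionary_hit(pw)
    if hit:
        problems.append(f"contains dictionary word '{hit}' after undoing substitutions")
    return {"ok": not problems, "classes": complexity_classes(pw),
            "entropy_bits": entropy_bits(pw), "problems": problems}


if __name__ == "__main__":
    for candidate in ("Ba1e$23q", "P@ssw0rd", "My32birthday", "John$59",
                      "correct horse battery staple"):
        print(candidate, evaluate(candidate))
```

Note that P@ssw0rd satisfies all four character classes and yet fails, because it normalizes to "password"; a pure
complexity rule would have accepted it.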

Objective:
Security Fundamentals

Sub-Objective:
Describe security password policies elements, such as management, complexity, and password alternatives (multifactor
authentication, certificates, and biometrics)

References:

Password Complexity: Strengths, Weaknesses, Best Practices

Question #64 of 80 Question ID: 1715754

What Cisco Catalyst switch feature can be used to define ports as trusted for DHCP server connections?

A) 802.1x
B) Private VLANs

C) DHCP snooping

D) Port security

Explanation

DHCP snooping is used to define ports as trusted for DHCP server connections. The purpose of DHCP snooping is to
mitigate DHCP spoofing attacks. DHCP spoofing is an attack that can be used to force user traffic through an attacking
device. This is accomplished by an attacker responding to DHCP queries from users. Eliminating the response from the
correct DHCP server would make this more effective, but if the attacker's response gets to the client first, the client will
accept it.

The DHCP response from the attacker will include a different gateway or DNS server address. If they define a different
gateway, the user traffic will be forced to travel through a device controlled by the attacker. This will allow the attacker to
capture traffic and gain company information. If the attacker changes the DNS server in the response, they can use
their own DNS server to force traffic to selected hosts to go to a device they control. Again, this would allow the attacker
to capture traffic and gain information.

DHCP snooping can be used to determine what ports are able to send DHCP server packets, such as DHCPOFFER,
DHCPACK, and DHCPNAK, from the company DHCP server. DHCP snooping can also cache the MAC address to IP
address mapping for clients receiving DHCP addresses from a valid DHCP server.

The three required steps to implement DHCP snooping are:

1. Enable DHCP snooping globally with the ip dhcp snooping command:

switch(config)# ip dhcp snooping

2. Enable DHCP snooping for the VLAN(s) to be protected with the vlan parameter:

switch(config)# ip dhcp snooping vlan vlan-id

(for example, ip dhcp snooping vlan 10,12 enables snooping on VLANs 10 and 12)

3. Define the interface that leads to the legitimate DHCP server (or to an upstream switch) as a trusted DHCP port with
the trust parameter:

switch(config-if)# ip dhcp snooping trust

All other ports remain untrusted by default. Verify the result with show ip dhcp snooping and show ip dhcp snooping
binding.

When specifying trusted ports, access ports on edge switches should be configured as untrusted, with the exception of
any ports that may have company DHCP servers connected. Only ports where DHCP traffic is expected should be
trusted. Most certainly, ports in any area of the network where attacks have been detected should be configured as
untrusted.

Some additional parameters that can be used with the ip dhcp snooping command are:

switch(config)# ip dhcp snooping verify mac-address - this command enables DHCP MAC address verification, which
drops DHCP packets received on untrusted ports whose client hardware address (chaddr) does not match the frame's
source MAC address.
switch(config)# ip dhcp snooping information option allow-untrusted - this command enables untrusted ports to
accept incoming DHCP packets with option 82 information. DHCP option 82 is used to identify the location of a DHCP
relay agent operating on a subnet remote to the DHCP server.

When DHCP snooping is enabled, no other relay agent-related commands are available. The disabled commands
include:

ip dhcp relay information check (global configuration)
ip dhcp relay information policy (global configuration)
ip dhcp relay information trust-all (global configuration)
ip dhcp relay information option (global configuration)
ip dhcp relay information trusted (interface configuration)

Private VLANs are a method of protecting or isolating different devices on the same port and VLAN. A VLAN can be
divided into private VLANs, where some devices are able to access other devices, and some are completely isolated
from others. This was designed so service providers could keep customers on the same port isolated from each other,
even if the customers had the same Layer 3 networks.

Port security is a method of only permitting specified MAC addresses access to a switch port. This can be used to
define what computer or device can be connected to a port, but not to limit which ports can have DHCP servers
connected to them.

802.1x is a method of determining authentication before permitting access to a switch port. This is useful in restricting
who can connect to the switch, but it cannot control which ports are permitted to have a DHCP server attached to it.
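The filtering decisions described above, as an added example (not code from the original page or from Cisco): a Python
model of a DHCP snooping switch that accepts server messages (DHCPOFFER/ACK/NAK) only on trusted ports, builds a
binding table from DHCPACKs for clients seen on untrusted ports, enforces the chaddr-to-source-MAC check that ip dhcp
snooping verify mac-address performs, and rejects a DHCPRELEASE that does not match the binding learned on that
port. Port names, MAC addresses, and the frame sequence are constructed for the demo.

```python
"""Added example (not from the original page or Cisco): a model of the DHCP
snooping decisions, i.e. server messages are only accepted on trusted ports, a
binding table is built from DHCPACKs for clients on untrusted ports, and (as with
'ip dhcp snooping verify mac-address') the chaddr field must match the frame's
source MAC. Port names, MACs and addresses are constructed."""
from dataclasses import dataclass

SERVER_MSGS = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}


@dataclass(frozen=True)
class DhcpFrame:
    in_port: str
    src_mac: str
    msg_type: str
    chaddr: str            # client hardware address in the DHCP payload
    yiaddr: str = ""       # address the server hands out (OFFER/ACK)
    ciaddr: str = ""       # client's address (RELEASE/DECLINE)
    vlan: int = 10


class DhcpSnooper:
    def __init__(self, trusted_ports, vlans, verify_mac=True):
        self.trusted = set(trusted_ports)
        self.vlans = set(vlans)
        self.verify_mac = verify_mac
        self.pending = {}       # chaddr -> untrusted port that sent DISCOVER/REQUEST
        self.bindings = {}      # mac -> (ip, vlan, port)
        self.dropped = []       # (msg_type, port, reason)

    def _drop(self, f: DhcpFrame, reason: str) -> bool:
        self.dropped.append((f.msg_type, f.in_port, reason))
        return False

    def process(self, f: DhcpFrame) -> bool:
        """Return True if the frame is forwarded, False if snooping drops it."""
        if f.vlan not in self.vlans:
            return True                          # snooping not enabled on this VLAN
        untrusted = f.in_port not in self.trusted
        if f.msg_type in SERVER_MSGS and untrusted:
            return self._drop(f, "server message on untrusted port")
        if untrusted:
            if self.verify_mac and f.chaddr != f.src_mac:
                return self._drop(f, "chaddr does not match source MAC")
            if f.msg_type in ("DHCPRELEASE", "DHCPDECLINE"):
                b = self.bindings.get(f.src_mac)
                if b is None or b[2] != f.in_port or b[0] != f.ciaddr:
                    return self._drop(f, "release/decline does not match binding on this port")
                del self.bindings[f.src_mac]
            elif f.msg_type in ("DHCPDISCOVER", "DHCPREQUEST"):
                self.pending[f.chaddr] = f.in_port
        elif f.msg_type == "DHCPACK" and f.chaddr in self.pending:
            # Only clients seen on untrusted ports are tracked in the binding table.
            self.bindings[f.chaddr] = (f.yiaddr, f.vlan, self.pending.pop(f.chaddr))
        return True


def demo() -> DhcpSnooper:
    s = DhcpSnooper(trusted_ports=["Gi1/0/24"], vlans=[10])
    client, rogue = "aaaa.aaaa.aaaa", "bbbb.bbbb.bbbb"
    frames = [
        DhcpFrame("Gi1/0/1", client, "DHCPDISCOVER", client),
        DhcpFrame("Gi1/0/2", rogue, "DHCPOFFER", client, yiaddr="10.1.0.9"),      # rogue server
        DhcpFrame("Gi1/0/24", "cccc.cccc.cccc", "DHCPOFFER", client, yiaddr="10.1.0.50"),
        DhcpFrame("Gi1/0/1", client, "DHCPREQUEST", client),
        DhcpFrame("Gi1/0/24", "cccc.cccc.cccc", "DHCPACK", client, yiaddr="10.1.0.50"),
        DhcpFrame("Gi1/0/2", rogue, "DHCPRELEASE", client, ciaddr="10.1.0.50"),   # spoofed chaddr
        DhcpFrame("Gi1/0/2", client, "DHCPRELEASE", client, ciaddr="10.1.0.50"),  # wrong port
        DhcpFrame("Gi1/0/3", rogue, "DHCPDISCOVER", "dddd.dddd.dddd"),            # chaddr mismatch
    ]
    for f in frames:
        s.process(f)
    return s


if __name__ == "__main__":
    s = demo()
    print("bindings:", s.bindings)
    for d in s.dropped:
        print("dropped:", d)
```

The binding table that results (client MAC, leased IP, VLAN, and ingress port) is the same data a real switch
exposes with show ip dhcp snooping binding and feeds into dynamic ARP inspection and IP source guard.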

Objective:
Security Fundamentals

Sub-Objective:
Configure and verify Layer 2 security features (DHCP snooping, dynamic ARP inspection, and port security)

References:

Cisco > Product Support > Switches > Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide,
12.2(20)EW > Chapter: Configuring DHCP Snooping and IP Source Guard > Configuring DHCP Snooping on the
Switch

Cisco > Product Support > Switches > Cisco IOS IP Addressing Services Command Reference > ip dhcp snooping

Cisco > Product Support > Switches > Cisco IOS IP Addressing Services Command Reference > ip dhcp relay
information option

Question #65 of 80 Question ID: 1704824

Which of the following is NOT a benefit of automation on network management?

A) Improved morale

B) Improved security
C) Efficiency

D) Scalability

Explanation

Automation is not always enthusiastically embraced by employees, especially if they view it as a threat to their job
security.

Automation does increase scalability by allowing managers to handle larger and more complex networks more easily.

Automation does increase efficiency by typically performing manual tasks more quickly.

Automation does improve security because it can perform manual security tasks such as monitoring log files in real time
and automating responses to network threats.

Objective:
Automation and Programmability

Sub-Objective:
Explain how automation impacts network management

References:

PCskull > Business > 4 Business Process Automation Benefits and Its Impact

Question #66 of 80 Question ID: 1703779

Click and drag the command(s) used to configure passwords on a Cisco router to their appropriate purposes. (Not all
options will be used.)

Explanation

Following are the commands along with their descriptions:

enable secret john: The enable secret command configures the privileged EXEC (enable) password and stores it in the
configuration as a one-way hash; here the password is "john" (passwords are case-sensitive). It is always advisable to
configure an enable secret. If no enable secret is set and a password is configured for the console line, that console
password can be used to obtain privileged access, even from a remote VTY session, which poses a risk to network
security.

enable password john: The enable password command configures the same privileged password, but stores it in clear
text (or as a reversible type 7 string if service password-encryption is enabled). When both are configured, the enable
secret takes precedence and the enable password is ignored, so enable password should not be relied on.

To set a user mode password, which is one that you are prompted for when you connect to the router rather than when
you try to execute the enable command, enter the line on which you want it effective (line console 0, line aux 0, or
line vty 0 4), set the password, and then enable password checking with login. An example of setting the user mode
password for both the console and the Telnet/SSH connections is shown below (the password is set before login so
that the line is never left accepting logins with no password):

Router(config)# line console 0
Router(config-line)# password cisco
Router(config-line)# login
Router(config-line)# exit
Router(config)# line vty 0 4
Router(config-line)# password cisco
Router(config-line)# login

Also be aware that line passwords set as above are stored in clear text unless the service password-encryption
command is in effect, and even then they are only obscured with the reversible type 7 scheme, which is trivially
decoded. Only enable secret (and username ... secret) store a one-way hash.

privilege level: This line-configuration command sets the privilege level assigned to users who log in on a particular
line, such as the console or a VTY line.

privilege mode level level command-string: This global-configuration command assigns a command to a particular
privilege level, so that users at that level (or higher) can execute it.

The other options offered are not valid commands.

Objective:
Security Fundamentals

Sub-Objective:
Configure and verify device access control using local passwords

References:

Cisco > Support > Technology Support > IP Addressing Services > Troubleshooting TechNotes > Cisco Guide to
Harden Cisco IOS Devices > Document ID: 13608 > Password Management

Question #67 of 80 Question ID: 1703811

When configuring a WLAN with WPA PSK security, on which configuration tab would you map WPA2 to an interface?

A) QoS
B) General

C) Security
D) Advanced

Explanation

The General tab is used to map WPA2 to an interface, as shown in the graphic.

The Security tab of the WLAN is used to enable WPA PSK, as shown in the graphic.

The Advanced tab is where settings such as Management Frame Protection (MFP) are configured, as highlighted in the
graphic.

The QoS tab is used to enable and manage QoS, as shown in the graphic.

Objective:
Security Fundamentals

Sub-Objective:
Configure and verify WLAN within the GUI using WPA2 PSK

References:

Cisco > Support > Wireless > Cisco Wireless LAN Controller Software > Configuration Guides > Cisco Wireless LAN
Controller Configuration Guide, Release 7.3 > Chapter: Using the Web-Browser and CLI Interfaces

Question #68 of 80 Question ID: 1703756

You have the following configuration on your router:

ip dhcp pool POOLNAME
 network 10.1.0.0 255.255.255.0
 default-router 10.1.0.254
 dns-server 10.1.0.200

What command would you run to prevent the last available IP address in the scope from being allocated to a host via
DHCP?

A) ip dhcp excluded-address 10.1.0.254

B) ip dhcp excluded-address 10.1.0.253

C) ip dhcp 10.1.0.253 excluded-address

D) ip dhcp restrict 10.1.0.254

Explanation

In this scenario, you would run the ip dhcp excluded-address 10.1.0.253 command in global configuration mode. The pool covers 10.1.0.0/24, so the usable host range is 10.1.0.1 through 10.1.0.254; 10.1.0.254 is the default router, which leaves 10.1.0.253 as the last address the pool could still hand out. The ip dhcp excluded-address command prevents the DHCP server from offering addresses that are already statically assigned on your network (servers, printers, the router itself). It takes either a single address or a range, such as:

Router(config)# ip dhcp excluded-address 10.1.0.100 10.1.0.125

The command above removes 10.1.0.100 through 10.1.0.125 from the pool. If the next address in sequence would have been 10.1.0.100, the server skips the range and offers 10.1.0.126 instead.

You would not execute ip dhcp excluded-address 10.1.0.254. That address is the default router which, in the normal case where it is configured on one of this router's own interfaces, Cisco IOS excludes automatically: the server never offers an address assigned to its own interfaces. Note that the default-router statement by itself excludes nothing, so if 10.1.0.254 belonged to a different device you would have to exclude it explicitly. Excluded-address entries are global rather than per pool, and it is good practice to enter them before defining the pool so that no lease is handed out from the reserved range in the meantime.

The other commands are incorrect because they are not valid Cisco IOS syntax.
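The skipping behaviour described above, as an added example that is not part of the exam text: a small Python model of a Cisco IOS DHCP pool with global excluded ranges. The pool, default router and exclusions are the ones from the question; the lowest-free-address allocation order and the per-client lease bookkeeping are simplifying assumptions of the model, not a description of IOS internals.

```python
import ipaddress


class DhcpPool:
    """Toy model of 'ip dhcp pool' plus 'ip dhcp excluded-address'.

    Assumptions (not IOS internals): leases are handed out lowest free
    address first, and a client that already holds a lease gets it back.
    """

    def __init__(self, network, router_interface_address=None):
        self.network = ipaddress.ip_network(network, strict=False)
        self.excluded = set()
        self.leases = {}  # client_id -> IPv4Address
        # IOS never offers an address configured on one of its own interfaces.
        # The default router is assumed to be this router's interface (assumption).
        if router_interface_address:
            self.exclude(router_interface_address)

    def exclude(self, low, high=None):
        """Equivalent of 'ip dhcp excluded-address LOW [HIGH]' (global, not per pool)."""
        low = ipaddress.ip_address(low)
        high = ipaddress.ip_address(high) if high else low
        if high < low:
            raise ValueError("range end precedes range start")
        for n in range(int(low), int(high) + 1):
            self.excluded.add(ipaddress.ip_address(n))

    def _unavailable(self):
        return set(self.leases.values()) | self.excluded

    def allocate(self, client_id):
        """Return the address offered to client_id, or None if the pool is exhausted."""
        if client_id in self.leases:
            return self.leases[client_id]
        busy = self._unavailable()
        # hosts() yields .1 .. .254 for a /24; network and broadcast are never offered
        for host in self.network.hosts():
            if host not in busy:
                self.leases[client_id] = host
                return host
        return None

    def last_assignable(self):
        """Highest address the pool could still hand out, or None."""
        busy = self._unavailable()
        for host in reversed(list(self.network.hosts())):
            if host not in busy:
                return host
        return None


if __name__ == "__main__":
    pool = DhcpPool("10.1.0.0/24", router_interface_address="10.1.0.254")
    print("last assignable before exclusion:", pool.last_assignable())  # 10.1.0.253
    pool.exclude("10.1.0.253")                                          # the command from the question
    pool.exclude("10.1.0.100", "10.1.0.125")                            # the range from the explanation
    for n in range(99):
        pool.allocate(f"host-{n}")                                      # 10.1.0.1 .. 10.1.0.99
    print("100th client gets:", pool.allocate("host-99"))               # 10.1.0.126
```

The exclusion set is kept separately from the pool because that is how IOS treats it: excluded-address entries apply to every pool on the router, which is why a range reserved for one subnet's printers must be entered with that subnet's addresses and not rely on the pool boundary.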

Objective:
IP Services

Sub-Objective:
Configure and verify DHCP client and relay

References:

Cisco > Support > IP Addressing: DHCP Configuration Guide, Cisco IOS Release 15SY > Chapter: Configuring the
Cisco IOS DHCP Server > Excluding IP Addresses

Cisco Press > Articles > Cisco Networking Academy > CCNP 1: Advanced IP Addressing Management > DHCP and
Easy IP

Question #69 of 80 Question ID: 1703549

Which statement is NOT true regarding Internet Control Message Protocol (ICMP)?

A) ICMP is documented in RFC 792.
B) An ICMP echo-request message is generated by the ping command.
C) ICMP provides reliable transmission of data in an Internet Protocol (IP) environment.
D) ICMP can identify network problems.

Explanation

ICMP does NOT provide reliable transmission of data in an Internet Protocol (IP) environment. The Transmission Control Protocol (TCP) provides reliable, acknowledged delivery in an IP environment. ICMP messages are carried directly inside IP (protocol number 1) with no acknowledgements or retransmissions, so a lost error report is simply lost, and RFC 792 forbids generating an ICMP error in response to another ICMP error so that reports cannot multiply.

The following statements are TRUE regarding ICMP:

ICMP can identify network problems, for example through Destination Unreachable, Time Exceeded and Redirect messages.
ICMP is documented in RFC 792.
An ICMP echo-request message is generated by the ping command.
An ICMP echo-reply message is an indicator that the destination node is reachable.
ICMP is a network-layer protocol that uses message packets for error reporting and informational messages.

A practical caveat: because ICMP is also used for reconnaissance (ping sweeps), many firewalls drop it wholesale, but dropping the Fragmentation Needed message (type 3, code 4) breaks Path MTU Discovery. Filter ICMP by type rather than blocking it outright.

Objective:
Network Fundamentals

Sub-Objective:
Compare TCP to UDP

References:

ExtraHop > Internet Control Message Protocol (ICMP)

Question #70 of 80 Question ID: 1703695

Server 20 is returning requested data to Workstation 1. What command(s) need to be configured on R2 for the data to
be returned successfully? (Choose all that apply. Each correct answer is a complete solution.)

A) ip route 0.0.0.0 0.0.0.0 10.6.5.20
B) ip route 0.0.0.0 0.0.0.0 S0
C) ip route 10.6.5.0 255.255.255.0 10.6.5.1
D) ip route 10.6.5.0 255.255.255.0 215.56.3.60

Explanation

To route data to the 10.6.5.0/24 network, R2 can be configured in one of two ways. First, it can be configured with a static route that sends all traffic for the 10.6.5.0/24 network to the next hop, which is the S0 interface of R1 (215.56.3.60). That configuration is accomplished with the ip route 10.6.5.0 255.255.255.0 215.56.3.60 command; the next hop lies on R2's directly connected serial network, so the route is installed as soon as it is entered.

Second, because the network where Server 20 is located has only one path to any other network (through R2), you could configure a default route on R2 that sends all traffic for networks not in the routing table out toward R1. To do so, execute the ip route 0.0.0.0 0.0.0.0 S0 command. Naming the exit interface rather than a next-hop address is fine on a point-to-point serial link, where there is only one possible neighbour; on a multi-access interface such as Ethernet it makes the router rely on proxy ARP for every destination, so there a next-hop address should be used instead.

The command ip route 0.0.0.0 0.0.0.0 10.6.5.20 names the address of Workstation 1 as the next hop. That address is in 10.6.5.0/24, a network that is not in R2's routing table, so R2 cannot resolve the next hop and never installs the route; packets to any network not in the routing table would still be dropped.

The command ip route 10.6.5.0 255.255.255.0 10.6.5.1 creates a route to the 10.6.5.0 network but uses the Fa0/2 interface of R1 as the next hop. That address sits inside the destination network itself, which R2 has no route to, so this route cannot be installed either. The next hop must be the S0 interface of R1, not the Fa0/2.
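How a router resolves a static route's next hop and then selects a route by longest prefix, as an added example that is not part of the exam text: a small Python forwarding-table model. R2's serial network (215.56.3.0/24) and R1's address on it come from the question; R2's interface names and the 192.168.20.0/24 prefix used for Server 20's LAN are assumptions made for the example.

```python
import ipaddress


class RoutingTable:
    """Minimal IPv4 RIB: connected routes, static routes, longest-prefix lookup."""

    def __init__(self):
        self.routes = []  # (network, next_hop or None, exit_interface)

    def add_connected(self, network, interface):
        self.routes.append((ipaddress.ip_network(network, strict=False), None, interface))

    def lookup(self, destination):
        """Return the most specific matching (network, next_hop, interface), or None."""
        dst = ipaddress.ip_address(destination)
        best = None
        for net, next_hop, iface in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, next_hop, iface)
        return best

    def add_static(self, network, next_hop=None, interface=None):
        """Model of 'ip route NET MASK {NEXT_HOP | INTERFACE}'.

        As in IOS, a next-hop static route is only installed if the next hop
        itself resolves through a route already in the table; otherwise the
        command is accepted but the route never appears. Returns True if installed.
        """
        net = ipaddress.ip_network(network, strict=False)
        if next_hop is not None:
            via = self.lookup(next_hop)
            if via is None:
                return False           # unresolvable next hop: not installed
            interface = via[2]         # recursive resolution yields the exit interface
            next_hop = ipaddress.ip_address(next_hop)
        elif interface is None:
            raise ValueError("a static route needs a next hop or an exit interface")
        self.routes.append((net, next_hop, interface))
        return True


def r2_with_default_route():
    """R2 built the second way from the explanation: 'ip route 0.0.0.0 0.0.0.0 S0'."""
    r2 = RoutingTable()
    r2.add_connected("215.56.3.0/24", "Serial0")            # link to R1 (215.56.3.60)
    r2.add_connected("192.168.20.0/24", "FastEthernet0/0")  # Server 20's LAN (assumed prefix)
    r2.add_static("0.0.0.0/0", interface="Serial0")
    return r2


def r2_with_specific_route():
    """R2 built the first way: 'ip route 10.6.5.0 255.255.255.0 215.56.3.60'."""
    r2 = RoutingTable()
    r2.add_connected("215.56.3.0/24", "Serial0")
    r2.add_connected("192.168.20.0/24", "FastEthernet0/0")
    r2.add_static("10.6.5.0/24", next_hop="215.56.3.60")
    return r2


if __name__ == "__main__":
    r2 = r2_with_default_route()
    print("10.6.5.20 via", r2.lookup("10.6.5.20")[2])          # Serial0 (default route)
    print("192.168.20.7 via", r2.lookup("192.168.20.7")[2])    # FastEthernet0/0 (more specific)
```

The return value of add_static is the point of the model: IOS accepts options A and C syntactically, which is why they look plausible, but a show ip route afterwards would not list them.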

Objective:
IP Connectivity

Sub-Objective:
Configure and verify IPv4 and IPv6 static routing

References:

Cisco > Support > Cisco IOS IP Routing: Protocol-Independent Command Reference > ip route

Question #71 of 80 Question ID: 1703776

What is often the weakest link in the security chain, and represents the largest vulnerability?

A) Embedded systems
B) End-of-life systems
C) Lack of vendor support
D) Untrained users

Explanation

Untrained users are often the most vulnerable point in the organization and represent the biggest vulnerability. It is impossible for users to adhere to an organization's information security policies if they are not aware of them, and it is equally impossible for a user to carry out a security procedure without being trained in how to do so. Many intrusions begin with a user action such as opening a phishing attachment, entering credentials on a look-alike page or plugging in an untrusted device, so without proper user training even the most sophisticated defense an organization can purchase may be rendered useless.

Keeping end-of-life systems active in the network, such as running an outdated operating system, can create system-wide vulnerabilities. As an example, new malware attacks would be particularly effective on systems that are still running Windows XP after Microsoft discontinued security updates for it.

Embedded systems are smaller computer systems, perhaps even a single chip, which are used as a component of a larger system. They may be used in industrial controls, smart homes, manufacturing, and even printers. Consider the impact of a networked printer whose firmware has not received the appropriate security updates.

Lack of vendor support can be particularly harmful. A vendor should be responsible for providing security updates for issues that are discovered. Failure of the vendor to do so provides an attacker with the opportunity to exploit a system vulnerability.

Objective:
Security Fundamentals

Sub-Objective:
Describe security program elements (user awareness, training, and physical access control)

References:

Untrained users are biggest flaw in organizations’ cyber defense layer

Question #72 of 80 Question ID: 1703781

Which Cisco Internetwork Operating System (IOS) command would be used to set the privileged mode password to
"cisco"?

A) router(config)# enable password cisco
B) router(config)# line password cisco
C) router(config-router)# enable password cisco
D) router# enable secret cisco

Explanation

The enable password command is used to set the local password that controls access to privileged EXEC mode. This command is executed in global configuration mode, as in router(config)# enable password cisco. The syntax of the command is:

router(config)# enable password [level level] {password | [encryption-type] encrypted-password}

The parameters of the command are as follows:

level level: An optional parameter to set the privilege level at which the password applies. The default value is 15.
password: Specifies the password that is used to enter enable mode.
encryption-type: An optional parameter to specify the algorithm used to encrypt the password.
encrypted-password: Specifies the encrypted password that is copied from another router configuration.

Although enable password is the answer the question asks for, it is the weaker of the two enable commands. It stores the password in cleartext, or as a reversible "type 7" string when service password-encryption is active, so anyone who can read the configuration can recover it. enable secret stores a one-way hash instead (type 5 MD5 on older IOS; type 8 PBKDF2-SHA256 or type 9 scrypt via enable algorithm-type on current IOS and IOS XE), and when both commands are configured the enable secret takes precedence. On production devices configure enable secret and remove enable password.

The router# enable secret cisco command is incorrect because the enable secret command must be executed from global configuration mode, not privileged EXEC mode. The value it sets is the password for which you will be prompted when you attempt to enter privileged EXEC mode.

The line password command is incorrect because this command is not a valid Cisco IOS command.

The router(config-router)# enable password cisco command is incorrect because the enable password command must be entered in global configuration mode, not router configuration mode.

Objective:
Security Fundamentals

Sub-Objective:
Configure and verify device access control using local passwords

References:

Cisco > Support > Cisco IOS Security Command Reference > enable password

Cisco > Support > Cisco IOS Security Configuration Guide, Securing User Services, Release 12.4 > Chapter:
Configuring Security with Passwords, Privilege Levels, and Login Usernames for CLI Sessions on Networking Devices

Question #73 of 80 Question ID: 1704906

What is the easiest way to force a specific switch to become the primary spanning-tree root bridge for a VLAN?

A) Raise the spanning-tree priority value on the switch.
B) Lower the port-cost value of an interface on the switch.
C) Lower the spanning-tree priority value on the switch.
D) Raise the port-cost value of an interface on the switch.

Explanation

The spanning-tree root bridge is the bridge with the lowest bridge ID. The bridge ID is built from the bridge priority and the bridge MAC address; the priority is compared first and the MAC address only breaks ties. Therefore, lowering the spanning-tree priority value lowers the bridge ID, which can force the switch to become the root bridge.

The easiest way to force a specific switch to become the spanning-tree root bridge for a VLAN is to lower its priority using the spanning-tree vlan vlan_id priority priority command. For example, the following command will make the switch the root bridge for VLAN 10 as long as no other switch in that VLAN carries a lower priority:

switch(config)# spanning-tree vlan 10 priority 4096

The priority value of 4096 is used by convention. Because PVST+ and Rapid PVST+ use the extended system ID, the configurable priority must be a multiple of 4096 between 0 and 61440, and the VLAN number is added to it to form the priority actually advertised (4106 for VLAN 10 in this example). The value 4096 is typically used when forcing placement of the root bridge, and 8192 is used to force placement of the secondary root bridge. These values work because the default priority for switches is 32768. The spanning-tree vlan 10 root primary macro achieves the same effect by choosing a priority below the current root's, but it writes a fixed value at that moment and does not react to later changes, so most engineers set the priority explicitly.

Raising the port-cost value of an interface on the switch is an effective way to reduce the likelihood that spanning tree allows the interface to enter the forwarding state. However, it does not affect the placement of the root bridge.

Likewise, lowering the port cost of an interface is an effective way to increase the likelihood that spanning tree allows the interface to enter the forwarding state. However, it does not affect the placement of the root bridge.
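The election described above, as an added example that is not part of the exam text: a Python model of root-bridge selection with the extended system ID, including the multiple-of-4096 constraint on the configurable priority. The switch names and MAC addresses are constructed for the example.

```python
def bridge_id(priority, vlan, mac):
    """Comparable bridge ID for one VLAN under PVST+/Rapid PVST+.

    With the extended system ID the configurable priority must be a multiple
    of 4096 in 0..61440; the VLAN number occupies the low 12 bits, so the
    advertised priority is priority + vlan. The lower tuple wins.
    """
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN ID out of range")
    mac_int = int(mac.replace(":", "").replace(".", "").replace("-", ""), 16)
    return (priority + vlan, mac_int)


def elect_root(switches, vlan):
    """switches: {name: (priority, mac)}. Returns the name of the root bridge for vlan."""
    return min(switches, key=lambda name: bridge_id(switches[name][0], vlan, switches[name][1]))


def set_priority(switches, name, priority):
    """Model of 'spanning-tree vlan VLAN priority PRIORITY' on one switch (returns a new table)."""
    updated = dict(switches)
    updated[name] = (priority, switches[name][1])
    return updated


DEFAULT_PRIORITY = 32768

# Constructed topology: with everything at the default, the switch with the
# lowest MAC becomes root, which is typically the oldest access switch.
SWITCHES = {
    "core1":   (DEFAULT_PRIORITY, "00:1a:2b:3c:4d:01"),
    "core2":   (DEFAULT_PRIORITY, "00:1a:2b:3c:4d:02"),
    "access7": (DEFAULT_PRIORITY, "00:00:0c:11:22:33"),
}

if __name__ == "__main__":
    print("default root for VLAN 10:", elect_root(SWITCHES, 10))              # access7
    planned = set_priority(set_priority(SWITCHES, "core1", 4096), "core2", 8192)
    print("after priority change:", elect_root(planned, 10))                   # core1
    print("advertised priority of core1:",
          bridge_id(4096, 10, SWITCHES["core1"][1])[0])                        # 4106
```

The same comparison is what makes an unplanned root possible: any device that sends BPDUs with a lower bridge ID, including a misconfigured or hostile switch plugged into an access port, wins the election. Set the priority deliberately on the intended root and secondary, and protect access ports with BPDU guard and the links toward non-root switches with root guard so that a superior BPDU from the wrong direction is refused rather than obeyed.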

Objective:
Network Access

Sub-Objective:
Interpret basic operations of Rapid PVST+ Spanning Tree Protocol

References:

Configuring STP

Question #74 of 80 Question ID: 1703663

What command disables 802.1x authentication on a port and permits traffic without authentication?

A) dot1x port-control force-authorized
B) dot1x port-control disable
C) dot1x port-control force-unauthorized
D) dot1x port-control auto

Explanation

The command dot1x port-control force-authorized is used to disable 802.1x on a port and permit traffic without authentication. Dot1x ports are in one of two states: authorized or unauthorized. Authorized ports permit user traffic to flow through the port; this state usually follows successful authentication. Unauthorized ports only permit authentication traffic (EAPOL frames) to flow through the port.

Usually, a port begins in an unauthorized state. A user is then allowed to exchange AAA authentication traffic with the port. Once the user has been authenticated successfully, the port is changed to the authorized state and the user is permitted to use the port normally.

Normal use of 802.1x has the port configured with the dot1x port-control auto statement. This places the port in an unauthorized state until successful authentication. After successful authentication, the port is changed to the authorized state.

When 802.1x is initially configured, the default port control of the ports is force-authorized. This forces the port into the authorized state without any authentication. The setting removes the need for authentication and permits all traffic, which is exactly why it deserves attention in a configuration review: a single force-authorized port on an otherwise 802.1x-protected switch is an unguarded entry point, and enabling dot1x system-auth-control globally does nothing for ports left in this state.

The force-unauthorized keyword configures the port as an unauthorized port regardless of authentication traffic. A port configured with this keyword would not permit user traffic, not even authentication traffic.

The command dot1x port-control disable is not a valid command due to incorrect syntax. On newer IOS and IOS XE releases the same three keywords are configured with authentication port-control instead of dot1x port-control.

Objective:
Network Access

Sub-Objective:
Describe network device management access (Telnet, SSH, HTTP, HTTPS, console, TACACS+/RADIUS, and cloud managed)

References:

Cisco > Support > Switches > Catalyst 6500 Series Release 15.0SY Software Configuration Guide > Security >
Chapter: IEEE 802.1X Port-Based Authentication

Cisco > Support > Cisco IOS Security Command Reference > dot1x port-control

Question #75 of 80 Question ID: 1703750

Yesterday one of your associates made some changes to the syslog configuration on the router R69. Today, while
working on the router you received this syslog message:

000019: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36)

Based on this output, which of the following commands did the associate execute?

A) service timestamps log datetime msec

B) logging console 4

C) service sequence-numbers

D) service timestamps log

Explanation

The associate must have executed the service sequence-numbers command. This command instructs the syslog system to prefix each message with a sequence number (000019 in the output), which helps to order messages and to notice when some are missing once messages from various sources are sent to a syslog server; a gap in the sequence means messages were dropped or suppressed somewhere and is worth a look.

The associate could not have executed the service timestamps log command. With no further keyword this command defaults to uptime and stamps each message with the time since the system was rebooted. Had it been active, a stamp similar to the following would have preceded the message:

00:02:31: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36)

The associate could not have executed the service timestamps log datetime msec command either. This command stamps each message with the actual date and time, to millisecond resolution; the leading asterisk means the clock is not authoritative, for example because NTP is not synchronized. Had it been active, a stamp similar to the following would have preceded the message:

*Mar  1 18:46:11.058: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36)

The associate could not have executed the logging console 4 command. This command instructs the syslog system to display on the console only messages of severity 4 (warnings) and more severe, that is, levels 0 through 4. Since the message displayed is a level 5 (notification) message, this command could not have been executed.
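The reasoning above, as an added example that is not part of the exam text: a Python parser for Cisco IOS syslog lines that reads the optional sequence number and timestamp, infers which service commands produced that format, applies a logging console severity filter, and reports gaps in the sequence numbers. The sample feed is constructed; its first line is the message from the question.

```python
import re

# Cisco IOS message layout: [seq: ][timestamp: ]%FACILITY-SEVERITY-MNEMONIC: text
# The timestamp is wall-clock ("*Mar  1 18:46:11.058"; leading '*' or '.' when the
# clock is not authoritative) or uptime ("00:02:31", "1w2d").
SYSLOG = re.compile(
    r"^(?:(?P<seq>\d{6}): )?"
    r"(?:(?P<ts>[*.]?(?:[A-Z][a-z]{2} +\d{1,2} )?\d{1,2}:\d{2}:\d{2}(?:\.\d{3})?"
    r"|[*.]?\d+w\d+d|[*.]?\d+d\d+h): )?"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$"
)

SEVERITY_NAMES = ["emergencies", "alerts", "critical", "errors",
                  "warnings", "notifications", "informational", "debugging"]


def parse(line):
    """Return a dict with seq, ts, facility, severity, mnemonic, text; None if not a syslog line."""
    m = SYSLOG.match(line.strip())
    if not m:
        return None
    msg = m.groupdict()
    msg["seq"] = int(msg["seq"]) if msg["seq"] else None
    msg["severity"] = int(msg["severity"])
    return msg


def infer_services(msg):
    """Which 'service ...' global commands must be active to produce this message format."""
    active = set()
    if msg["seq"] is not None:
        active.add("service sequence-numbers")
    ts = msg["ts"]
    if ts:
        if re.search(r"[A-Z][a-z]{2} +\d", ts):      # month name: wall-clock time
            cmd = "service timestamps log datetime"
            if re.search(r"\.\d{3}", ts):
                cmd += " msec"
        else:                                         # hh:mm:ss or 1w2d: uptime
            cmd = "service timestamps log uptime"
        active.add(cmd)
    return active


def shown_on_console(msg, level):
    """'logging console LEVEL' shows severity 0..LEVEL (lower number = more severe)."""
    return msg["severity"] <= level


def missing_sequences(lines):
    """Sequence numbers absent between the lowest and highest seen in a sequenced feed.
    A gap means messages were dropped, rate-limited or suppressed and is worth investigating."""
    seqs = sorted({m["seq"] for m in map(parse, lines) if m and m["seq"] is not None})
    if not seqs:
        return []
    present = set(seqs)
    return [n for n in range(seqs[0], seqs[-1] + 1) if n not in present]


# Constructed sample feed; the first line is the message from the question.
SAMPLE = [
    "000019: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36)",
    "000020: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36)",
    "000022: %LINK-3-UPDOWN: Interface Serial0, changed state to down",
    "*Mar  1 18:46:11.058: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36)",
    "00:02:31: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to down",
]

if __name__ == "__main__":
    for line in SAMPLE:
        msg = parse(line)
        print(SEVERITY_NAMES[msg["severity"]], sorted(infer_services(msg)))
    print("missing sequence numbers:", missing_sequences(SAMPLE))   # [21]
```

CONFIG_I itself is a message a detection team should keep: every configuration change, with the source line and address, arrives at the syslog collector at severity 5, so a console or collector filter set to level 4 silently discards the audit trail.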

Objective:
IP Services

Sub-Objective:
Describe the use of syslog features including facilities and severity levels

References:

Cisco > Product Support > Switches > Catalyst 4500 Series Switch Software Configuration Guide, IOS XE 3.7.xE and
IOS 15.2(3)Ex > Chapter: Configuring System Message Logging > System Log Message Format

Question #76 of 80 Question ID: 1703719

Click on each of the scenario headings to expand or collapse its content. You must read the entire scenario in order to
answer the question below.

show ip interface brief

R2# show ip interface brief


Interface IP-Address OK? Method Status Protocol
Ethernet0 192.168.5.1 YES NVRAM up up
Ethernet1 unassigned YES unset administratively down down
Loopback0 192.200.60.5 YES NVRAM up up
Serial0 192.168.10.1 YES NVRAM up up
Serial1 192.168.10.60 YES NVRAM up up
Serial2 192.168.10.126 YES manual up up
Serial3 unassigned YES unset administratively down down

show ip ospf interface

R3# show ip ospf interface ethernet 1


Ethernet0 is up, line protocol is up
Internet Address 10.10.10.1/24, Area 0
Process ID 2, Router ID 192.168.45.1, Network Type BROADCAST, Cost: 10
Transmit Delay is 1 sec, State DR, Priority 1
Designated Router (ID) 192.168.45.1, Interface address 192.168.45.1
No backup Designated router on this network
Timer intervals configured, Hello 5, Dead 40, Wait 40, Retransmit 5

show interfaces

R3#show interfaces serial 0


Serial0 is up, line protocol is down
Hardware is HD64570
Internet address is 20.0.0.1/8
MTU 1500 bytes, BW 1433 kbit reliability 255/255
Encapsulation HDLC, loopback not set, keepalive set (10 sec)
[output is omitted]
show ip ospf interface

R4# show ip ospf interface ethernet 0


Ethernet0 is up, line protocol is up
Internet Address 10.10.10.2/24, Area 0
Process ID 1, Router ID 192.168.59.60, Network Type BROADCAST, Cost: 10
Transmit Delay is 1 sec, State DR, Priority 1
Designated Router (ID) 192.168.59.30, Interface address 10.10.10.2
No backup Designated router for this network
Timer intervals configured, Hello 10, Dead 30, Wait 40, Retransmit 5

show interfaces serial 1

Remote#show interfaces serial 1


Serial1 is up, line protocol is up down
Hardware is HD64570
Internet address is 20.0.0.2/8
MTU 1500 bytes, BW 1433 Kbit reliability 255/255
Encapsulation PPP, loopback not set, keepalive set (10 sec)
[output is omitted]

What is the router ID of R2?

A) 192.168.10.1
B) 192.168.10.126
C) 192.168.5.1
D) 192.200.60.5

Explanation

The router ID of R2 is 192.200.60.5. When no router-id has been configured explicitly under the OSPF process, the OSPF router ID is the highest IP address of an up loopback interface, if one is configured. If no loopback interface is configured, the OSPF RID is the highest IP address of any other interface that is up. Because R2 has a loopback interface and its address is 192.200.60.5, that is the router ID of R2.

You can verify this from the output of the show ip interface brief command given on R2:

R2# show ip interface brief
Interface IP-Address OK? Method Status Protocol
Ethernet0 192.168.5.1 YES NVRAM up up
Ethernet1 unassigned YES unset administratively down down
Loopback0 192.200.60.5 YES NVRAM up up
Serial0 192.168.10.1 YES NVRAM up up
Serial1 192.168.10.60 YES NVRAM up up
Serial2 192.168.10.126 YES manual up up
Serial3 unassigned YES unset administratively down down

The other IP addresses all belong to physical interfaces of R2, and all are lower than the IP address of the loopback interface anyway.

Two caveats a practitioner should remember: the router ID is chosen when the OSPF process starts, so adding or changing a loopback later has no effect until the process is cleared or the router reloads; and an explicit router-id statement is preferred in production precisely so that the ID does not change silently and collide with another router's, which is the failure the duplicate-RID TechNote in the references describes.
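The selection rule above, as an added example that is not part of the exam text: a Python function that parses show ip interface brief output and derives the OSPF router ID the way IOS does when no router-id is configured (highest address on an up loopback, otherwise the highest address on any other up interface). The sample output is R2's from the question; the configured_router_id parameter models the explicit router-id command and is the example's own naming.

```python
import ipaddress

# R2's output, copied from the question.
R2_BRIEF = """\
Interface IP-Address OK? Method Status Protocol
Ethernet0 192.168.5.1 YES NVRAM up up
Ethernet1 unassigned YES unset administratively down down
Loopback0 192.200.60.5 YES NVRAM up up
Serial0 192.168.10.1 YES NVRAM up up
Serial1 192.168.10.60 YES NVRAM up up
Serial2 192.168.10.126 YES manual up up
Serial3 unassigned YES unset administratively down down
"""


def parse_brief(text):
    """Return (interface, address or None, is_up) for each data row of show ip interface brief."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the column header
        parts = line.split()
        if len(parts) < 6:
            continue
        name, addr = parts[0], parts[1]
        status, proto = parts[-2], parts[-1]    # "administratively down down" still ends in two words
        is_up = status == "up" and proto == "up"
        rows.append((name, None if addr == "unassigned" else ipaddress.ip_address(addr), is_up))
    return rows


def ospf_router_id(brief_text, configured_router_id=None):
    """Router ID the OSPF process would pick at start-up."""
    if configured_router_id:                    # 'router-id X.X.X.X' under 'router ospf' always wins
        return ipaddress.ip_address(configured_router_id)
    candidates = [(n, a) for n, a, up in parse_brief(brief_text) if a is not None and up]
    loopbacks = [a for n, a in candidates if n.lower().startswith("loopback")]
    others = [a for n, a in candidates if not n.lower().startswith("loopback")]
    if loopbacks:
        return max(loopbacks)
    if others:
        return max(others)
    return None                                 # no usable address: OSPF cannot start


if __name__ == "__main__":
    print("R2 router ID:", ospf_router_id(R2_BRIEF))                  # 192.200.60.5
    no_loopback = R2_BRIEF.replace("Loopback0 192.200.60.5 YES NVRAM up up\n", "")
    print("without the loopback:", ospf_router_id(no_loopback))      # 192.168.10.126
```

Comparing ipaddress objects rather than strings matters here: as strings, "192.168.5.1" sorts above "192.168.10.126", which is the wrong answer.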

Objective:
IP Connectivity

Sub-Objective:
Configure and verify single area OSPFv2

References:

Cisco > Support > Technology Support > IP Routing > Troubleshooting TechNotes > Troubleshooting Duplicate Router
IDs with OSPF > Document ID: 23862 > Router ID

Question #77 of 80 Question ID: 1704759

Click on each of the scenario headings to expand or collapse its content. You must read the entire scenario in order to
answer the question below.

show ip interface brief

R2# show ip interface brief


Interface IP-Address OK? Method Status Protocol
Ethernet0 192.168.5.1 YES NVRAM up up
Ethernet1 unassigned YES unset administratively down down
Loopback0 192.200.60.5 YES NVRAM up up
Serial0 192.168.10.1 YES NVRAM up up
Serial1 192.168.10.60 YES NVRAM up up
Serial2 192.168.10.126 YES manual up up
Serial3 unassigned YES unset administratively down down

show ip ospf interface

R3# show ip ospf interface ethernet 1


Ethernet0 is up, line protocol is up
Internet Address 10.10.10.1/24, Area 0
Process ID 2, Router ID 192.168.45.1, Network Type BROADCAST, Cost: 10
Transmit Delay is 1 sec, State DR, Priority 1
Designated Router (ID) 192.168.45.1, Interface address 192.168.45.1
No backup Designated router on this network
Timer intervals configured, Hello 5, Dead 40, Wait 40, Retransmit 5

show interfaces

R3#show interfaces serial 0


Serial0 is up, line protocol is down
Hardware is HD64570
Internet address is 20.0.0.1/8
MTU 1500 bytes, BW 1433 kbit reliability 255/255
Encapsulation HDLC, loopback not set, keepalive set (10 sec)
[output is omitted]
show ip ospf interface

R4# show ip ospf interface ethernet 0


Ethernet0 is up, line protocol is up
Internet Address 10.10.10.2/24, Area 0
Process ID 1, Router ID 192.168.59.60, Network Type BROADCAST, Cost: 10
Transmit Delay is 1 sec, State DR, Priority 1
Designated Router (ID) 192.168.59.30, Interface address 10.10.10.2
No backup Designated router for this network
Timer intervals configured, Hello 10, Dead 30, Wait 40, Retransmit 5

show interfaces serial 1

Remote#show interfaces serial 1


Serial1 is up, line protocol is up down
Hardware is HD64570
Internet address is 20.0.0.2/8
MTU 1500 bytes, BW 1433 Kbit reliability 255/255
Encapsulation PPP, loopback not set, keepalive set (10 sec)
[output is omitted]

R3 and the router named Remote are connected with a point-to-point leased line. The two routers cannot
communicate. What is the problem?

A) The LMI types are incorrect
B) The IP addresses are incorrect
C) The encapsulations do not match
D) The loopback addresses are not set

Explanation

The encapsulations do not match. R3 is set to use HDLC and Remote is set to use PPP. These settings must match on both ends of a serial link, or the line protocol will not come up and communication cannot occur. You can see the settings in the show interfaces output for the two routers:

R3# show interfaces serial 0
Serial0 is up, line protocol is down
Hardware is HD64570
Internet address is 20.0.0.1/8
MTU 1500 bytes, BW 1433 kbit reliability 255/255
Encapsulation HDLC, loopback not set, keepalive set (10 sec)
>>output is omitted<<

and

Remote# show interfaces serial 1
Serial1 is up, line protocol is up down
Hardware is HD64570
Internet address is 20.0.0.2/8
MTU 1500 bytes, BW 1433 Kbit reliability 255/255
Encapsulation PPP, loopback not set, keepalive set (10 sec)
>>output is omitted<<

The "up, line protocol is down" state on R3 is the classic symptom: the physical layer (carrier detect) is fine, but the Layer 2 keepalives are not understood by the far end. The fix is to configure the same encapsulation on both sides, for example encapsulation ppp on R3's Serial0, which also makes PPP authentication (CHAP) available on the link.

There is no problem with the IP addresses. Both addresses are in the 20.0.0.0/8 subnet.

LMI types are used only with Frame Relay connections, so that is not an issue.

Loopback addresses are not required to be set for this link to function.

Objective:
Network Fundamentals

Sub-Objective:
Describe characteristics of network topology architectures

References:

Cisco > Configuring PPP on Cisco IOS XR Software (PDF)

Question #78 of 80 Question ID: 1703552

What is the subnet mask of the network between R1 and R2?

A) 255.255.255.0
B) 255.255.224.0
C) 255.255.240.0
D) 255.255.252.0

Explanation

The IP addresses of the two interfaces that are in the network between R1 and R2 are 215.56.3.60/24 (the R1 S0 interface) and 215.56.3.5/24 (the R2 S0 interface). Both have a 24-bit mask, which is 255.255.255.0: the first 24 bits of the mask are set, giving three octets of 255 followed by a zero octet.

The mask is not 255.255.240.0. That denotes a 20-bit mask and would be indicated with a /20 notation at the end of each IP address.

The mask is not 255.255.224.0. That denotes a 19-bit mask and would be indicated with a /19 notation at the end of each IP address.

The mask is not 255.255.252.0. That denotes a 22-bit mask and would be indicated with a /22 notation at the end of each IP address.

Objective:
Network Fundamentals

Sub-Objective:
Configure and verify IPv4 addressing and subnetting

References:

Cisco > Support > Technology Support > IP Routing > Troubleshooting TechNotes > Configure IP Addresses and
Unique Subnets for New Users > Document ID: 13788

Question #79 of 80 Question ID: 1703768

Which Cisco command will display the version and configuration data for Secure Shell (SSH)?

A) show ssh
B) show ip ssh
C) debug ip ssh
D) debug ssh

Explanation

The show ip ssh command is used to display the version and configuration data for SSH on a Cisco router. The following is sample output of the show ip ssh command:

router# show ip ssh
SSH Enabled - version 1.5
Authentication timeout: 120 secs; Authentication retries: 2

This show ip ssh command output displays the enabled status of the SSH protocol, the protocol version, the retries parameter (configured at two attempts), and the timeout of 120 seconds. On a current device the version line should read 2.0; a value of 1.99 means both SSHv1 and SSHv2 are accepted, and 1.5 means SSHv1 only. SSHv1 has known protocol weaknesses, so configure ip ssh version 2 and confirm it here.

The following message will appear when the show ip ssh command is issued and SSH has been disabled:

router# show ip ssh
%SSH has not been enabled

To enable SSH, generate an RSA key pair with crypto key generate rsa (a hostname and ip domain-name must be set first) and include the transport input ssh command on the vty lines. For example, the configuration of a Cisco network device to use SSH on incoming communications via the virtual terminal ports, with a specified password, is shown in the partial output of the show run command below:

line vty 0 4
 password 7 030752180500
 login
 transport input ssh

It is important to note the login command on the third line of the above output, which is critical for security. It instructs the line to authenticate sessions with the line password; login local would authenticate against the local username database instead, which is the usual choice for SSH since the SSH client always supplies a username. If the line reads no login, the line is configured not to check a password at all, which is never acceptable on a remotely reachable vty line. Note also that password 7 marks a reversibly encoded (type 7) password, not a hash: anyone who can read the configuration can recover it, so treat it as cleartext and protect configuration backups accordingly.

The show ssh command will display the status of the SSH connections on the router. The following is sample output from the show ssh command:

router# show ssh
Connection Version Encryption State Username
0 1.5 3DES Session Started time

The debug ip ssh command is used to display debug messages for SSH.

The debug ssh command is not a valid Cisco command.
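Why "password 7" strings (here, and the enable password discussed in Question #72) must be treated as cleartext, as an added example that is not part of the exam text: a Python decoder and encoder for Cisco IOS type 7 passwords, plus a scanner that flags type 7 and plaintext credentials in a configuration while leaving hashed secret entries alone. The algorithm (XOR against a fixed, publicly known key, starting at a two-digit offset) is the well-documented one; the configuration excerpt is constructed, with the vty password taken from the show run output above.

```python
import re

# Fixed key IOS uses for 'service password-encryption' (type 7) output.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"
HEXDIGITS = set("0123456789abcdefABCDEF")


def type7_decode(encoded):
    """Recover the cleartext behind 'password 7 <encoded>'.

    Format: two decimal digits giving the starting offset into TYPE7_KEY,
    then one hex byte per character, each XORed with the key byte at
    (offset + position) mod len(TYPE7_KEY).
    """
    if len(encoded) < 4 or len(encoded) % 2 or not set(encoded) <= HEXDIGITS:
        raise ValueError("not a valid type 7 string")
    offset = int(encoded[:2], 10)
    if offset > 15:
        raise ValueError("type 7 offset must be 00..15")
    body = bytes.fromhex(encoded[2:])
    clear = bytes(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)] for i, b in enumerate(body))
    return clear.decode("ascii")


def type7_encode(cleartext, offset=0):
    """Produce the string IOS would store; used here to confirm the decoder round-trips."""
    if not 0 <= offset <= 15:
        raise ValueError("type 7 offset must be 00..15")
    data = cleartext.encode("ascii")
    body = bytes(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)] for i, b in enumerate(data))
    return f"{offset:02d}{body.hex().upper()}"


TYPE7_RE = re.compile(r"\b(?:password|key|key-string)\s+7\s+([0-9A-Fa-f]{4,})\b")
PLAIN_RE = re.compile(r"\bpassword\s+(?:0\s+)?(\S+)\s*$")


def weak_credentials(config_text):
    """Return (config line, kind, cleartext) for every type 7 or plaintext password.
    'secret' lines (types 5/8/9) are one-way hashes and are not reported."""
    findings = []
    for raw in config_text.splitlines():
        line = raw.strip()
        m = TYPE7_RE.search(line)
        if m:
            findings.append((line, "type7", type7_decode(m.group(1))))
            continue
        m = PLAIN_RE.search(line)
        if m:
            findings.append((line, "plaintext", m.group(1)))
    return findings


# Constructed configuration excerpt; the vty password is the one shown in the question.
SAMPLE_CONFIG = """\
enable password cisco
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
username admin password 7 0822455D0A16
line vty 0 4
 password 7 030752180500
 login
 transport input ssh
"""

if __name__ == "__main__":
    for line, kind, clear in weak_credentials(SAMPLE_CONFIG):
        print(f"{kind:9s} {clear!r:12s} <- {line}")
```

The vty password from the question decodes to "cisco", as does the username line's 0822455D0A16, a value that appears in many Cisco examples. service password-encryption only hides passwords from someone glancing over your shoulder; for anything that must resist an attacker who has obtained the configuration, use enable secret, username ... secret and, where a protocol cannot use hashes (SNMP communities, routing-protocol keys), treat the configuration file itself as a secret.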

Objective:
IP Services

Sub-Objective:
Configure network devices for remote access using SSH

References:

Cisco > Support > Cisco IOS Security Command Reference > show ip ssh

Question #80 of 80 Question ID: 1703532

A switch is powered up and the system LED is amber. Which of the following describes this situation?

A) The switch is performing normally.
B) Utilization level is high.
C) There is a security violation on a switch port.
D) The switch is malfunctioning.

Explanation

The system LED indicates the overall health of the switch. The LED should turn solid green after a successful Power
On Self-Test (POST). An amber system LED indicates that there is a system-wide failure in the switch.

High utilization will not cause the system LED to turn amber.

An amber system LED indicates a general switch malfunction. It does not indicate that the switch is performing
normally.

Port security violations will not cause the system LED to be amber. The system LED is used to identify the overall
health of the switch.

Objective:
Network Fundamentals

Sub-Objective:
Identify interface and cable issues (collisions, errors, mismatch duplex, and/or speed)

References:

Cisco > Product Support > Switches > Catalyst 2960 Switch Hardware Installation Guide > Chapter: Product Overview
> LEDs

Hewlett Packard Enterprise > Cisco Catalyst 2960 Series Switch - Monitoring and Troubleshooting Using LEDs
