CCNA ICND1 Test

Which of these best describes static NAT? Choose two.

Options are :

  • Creates a one-to-one mapping of a private IP address to a routable IP address. (Correct)
  • Not considered a scalable solution. (Correct)
  • Requires a pool of routable addresses to be created.
  • Is particularly suited for networks where hundreds or thousands of internal users require address translation.
  • Allows a single routable IP address to be mapped to multiple inside hosts.

Answer : Creates a one-to-one mapping of a private IP address to a routable IP address. Not considered a scalable solution.

Explanation Static NAT is simply a one-to-one mapping of an inside private address and a routable address. It's okay if you have only one or two users requiring translation, but it's not really suitable for large networks and is not considered a scalable solution.

Which of the following are best practices regarding network troubleshooting? Choose two.

Options are :

  • Only send a case up to more senior admins once you've gathered all pertinent information and have researched the issue online personally (when possible). (Correct)
  • If working on a switch, start troubleshooting at L2.
  • If working on a router, start your troubleshooting at L3.
  • Start at L7 of the OSI model and work down from there.
  • Start at L1 of the OSI model and work up from there. (Correct)

Answer : Only send a case up to more senior admins once you've gathered all pertinent information and have researched the issue online personally (when possible). Start at L1 of the OSI model and work up from there.

Explanation Always start troubleshooting at the physical layer -- you'll be surprised how often the solution to an issue is tightening a loose cable or plugging something in. Also, from someone who's been a junior and senior admin, always collect all the info you can and do online research whenever possible before escalating.

Identify the true statements regarding AAA. Choose two.

Options are :

  • You enable AAA with the "aaa enable" command.
  • You enable AAA with the "aaa new-model" command. (Correct)
  • The three As are authorization, accountability, and accounting.
  • The three As are authorization, accounting, and authority.
  • You enable AAA with the "aaa run" command.
  • The three As are authorization, accounting, and authentication. (Correct)

Answer : You enable AAA with the "aaa new-model" command. The three As are authorization, accounting, and authentication.

Explanation The three As are authorization, accounting, and authentication, and you enable AAA with "aaa new-model".

Which of the following terms does not describe RADIUS?

Options are :

  • Uses UDP
  • Combines the authentication and authorization features
  • Is not Cisco-proprietary
  • When the client sends the server an access-request packet, the entire body of the packet is encrypted. (Correct)

Answer : When the client sends the server an access-request packet, the entire body of the packet is encrypted.

Explanation With RADIUS, only the password in the access-request packet is encrypted. RADIUS does use UDP, it combines authentication and authorization, and can be used by multiple vendors.

What is the net effect of the following command?

ntp server 10.1.1.1

Options are :

  • The local router will serve as a TFTP server for all devices on directly connected networks only.
  • The local router will serve as a time server only for the device at 10.1.1.1.
  • The local router will use the device at 10.1.1.1 as a TFTP server.
  • The local router will use the device at 10.1.1.1 as a time server. (Correct)
  • The local router will serve as a time server for all devices on directly connected networks only.
  • The local router will serve as a TFTP server only for the device at 10.1.1.1.

Answer : The local router will use the device at 10.1.1.1 as a time server.

Explanation The "ntp server" command can be a little misleading; this command doesn't make the local device a Network Time Protocol server. Instead, it points TO the NTP server the local device should get its time from.

Which three of these statements best describe PortFast?

Options are :

  • A port with PortFast enabled immediately transitions from running STP to running RSTP.
  • A port with PortFast enabled will go straight from blocking to forwarding, without spending any time in the intermediate STP port stages. (Correct)
  • PortFast can come in handy when a user is having trouble acquiring an IP address via DHCP. (Correct)
  • PortFast is a global setting; either all ports on the switch are running it, or none of them are running it.
  • You can apply PortFast to a single port. (Correct)

Answer : A port with PortFast enabled will go straight from blocking to forwarding, without spending any time in the intermediate STP port stages. PortFast can come in handy when a user is having trouble acquiring an IP address via DHCP. You can apply PortFast to a single port.

You're physically connecting two Cisco switches. You want to use a port type that will be a member of all VLANs once you create it. What's your best choice?

Options are :

  • Trunk and access ports.
  • Trunk ports, access ports, and ports that belong to VLAN 1.
  • Access ports only.
  • Trunk ports only. (Correct)
  • Trunk ports, access ports, and ports that belong to all VLANs.

Answer : Trunk ports only.

Explanation I described a trunk in the question, and to have a trunk, you gotta have trunk ports. You can't create a trunk using an access port on either end of the trunk.

What's the net result of the following command as it pertains to Fast 0/0?

router ospf 1
 passive-interface fast 0/0

Options are :

  • Routing updates will not be sent out that interface.
  • Distance vector protocols do not use the concept of passive interfaces.
  • Hellos will not be sent out that interface. (Correct)
  • Link state protocols do not use the concept of passive interfaces.

Answer : Hellos will not be sent out that interface.

Explanation With OSPF, the effect of this command is to suppress Hellos from going out that interface, making adjacencies impossible to form via that interface. Same goes for EIGRP. With RIP, we don't have hello packets or adjacencies; the effect with RIP is to prevent routing updates from going out the specified interface.

You just ran "show ip dhcp binding" on a Cisco router acting as a DHCP server. Which of the following pieces of information will the output not show?

Options are :

  • The method used to assign the address (manual or dynamic)
  • The date of the lease expiration.
  • L2 addresses of the hosts that have failed to acquire an address from the DHCP server.
  • IP addresses of the hosts that have acquired an address from the server
  • Addresses remaining in the pool (Correct)

Answer : Addresses remaining in the pool

Explanation A helpful command for t-shooting DHCP, "show ip dhcp binding" gives you the addresses that have been assigned to hosts, the MAC addresses of those hosts, the time of lease expiration, and the type of address assignment. (You can specify the IP address of a particular host to get the info just on that host -- "show ip dhcp binding 10.1.1.2", for example.) This command will not give you info on devices that didn't get an address.

Administrative distance is ... (Choose three)

Options are :

  • ... a ranking of how believable the source of a route is. The higher the AD, the more trusted the source.
  • ... a ranking of how believable a route's source is. The lower the AD, the more trusted the source. (Correct)
  • ... used as a tiebreaker when a single route is learned via two different sources (say, OSPF and EIGRP) and the mask length is different from each source. That is, if the 10.1.1.0 route was learned by OSPF with a mask of /22 and 10.1.1.10 /24 was learned by EIGRP, admin distance would be used to select which route to prefer.
  • ... set to 110 for all OSPF route types, regardless of source. (Correct)
  • ... set to 90 for EIGRP internal routes and 110 for EIGRP external routes.
  • ... used as a tiebreaker when a single route is learned via two different sources and the mask is the same length as well. For example, if the 10.1.1.0 /24 route was reported by both OSPF and EIGRP on a single router, admin distance would be used to decide which route to use. (Correct)

Answer : ... a ranking of how believable a route's source is. The lower the AD, the more trusted the source. ... set to 110 for all OSPF route types, regardless of source. ... used as a tiebreaker when a single route is learned via two different sources and the mask is the same length as well. For example, if the 10.1.1.0 /24 route was reported by both OSPF and EIGRP on a single router, admin distance would be used to decide which route to use.

Explanation Correcting the incorrect statements: The AD of internal EIGRP routes is 90, the AD of external EIGRP routes is 170 (not 110). AD only comes into play when the route in question has the same mask. And the lower the AD, the more trusted the source!

When you run "show interface serial 0/0", a line near the top of the output gives you important information regarding the interface status. Which of the following output / description combos is false?

Options are :

  • "Serial 0/0 is administratively down, line protocol is up" indicates the interface has been administratively shut down. (Correct)
  • "Serial 0/0 is up, line protocol is up" is the desired status for a fully operational and correctly configured port.
  • "Serial 0/0 is up, line protocol is down" indicates a Layer 2 issue, such as an encapsulation mismatch or a DTE/DCE clocking issue.
  • "Serial 0/0 is down, line protocol is down" indicates a Layer 1 issue with the port.

Answer : "Serial 0/0 is administratively down, line protocol is up" indicates the interface has been administratively shut down.

Explanation When a port is administratively down, the line protocol will also be down, not up. If a port is physically down (whether it's been shut down administratively or not), it will also be logically down. "Physically up / logically down" is an impossible combination.

Which one of these terms does not describe TACACS+?

Options are :

  • Is Cisco-proprietary
  • Combines the authentication and authorization features for a more efficient overall process. (Correct)
  • In the access-request packet sent from client to server, the entire body of the packet is encrypted.
  • Uses TCP

Answer : Combines the authentication and authorization features for a more efficient overall process.

Explanation TACACS+ doesn't combine authentication and authorization. The other three statements -- "uses TCP", "is Cisco-proprietary", and "encrypts entire body of packet" -- are correct.

Which one of these protocols is an FHRP *and* is Cisco-proprietary?

Options are :

  • VRRP
  • CDP
  • GLBP
  • STP
  • HSRP (Correct)

Answer : HSRP

Explanation The only protocol here that is both a First-Hop Redundancy Protocol and Cisco-proprietary is HSRP. CDP is Cisco-proprietary but is not an FHRP; GLBP and VRRP are FHRPs but are not Cisco-proprietary; STP is neither Cisco-proprietary nor an FHRP.

Which two of the following descriptions of these IPv6 multicast groups are incorrect?

Options are :

  • FF02::5 is the "all OSPFv3 DR routers" group. (Correct)
  • FF02::D is the "all PIM routers" group.
  • FF02::1 is the "all nodes on the local network" group.
  • FF02::9 is the "all RIPng routers" group.
  • FF02::6 is the "all OSPFv3 routers" group. (Correct)
  • FF02::A is the EIGRPv3 router group.

Answer : FF02::5 is the "all OSPFv3 DR routers" group. FF02::6 is the "all OSPFv3 routers" group.

Explanation The OSPF router descriptions are wrong; the FF02::5 group is the "all OSPFv3 routers" group, and FF02::6 is the "all OSPFv3 DR" group.

Which two of the following represent the same value as the binary string 00001110?

Options are :

  • The hex value e. (Correct)
  • The decimal 28.
  • The hex value 10.
  • The decimal 14. (Correct)
  • The decimal 26.
  • The hex value 14.

Answer : The hex value e. The decimal 14.

Explanation That binary string has the 8, 4, and 2 bits set. Add 'em up and you have the decimal equivalent, 14. 14 is represented by the letter e in hex (or "E"; case does not matter with hex).

What makes a floating static route "float"? Choose three.

Options are :

  • It serves as a backup route in case the "better" route to the exact same destination is lost. (Correct)
  • It's exactly the same as a route discovered by a dynamic routing protocol, but the static route has a higher admin distance. (Correct)
  • Floating static routes always have /0 masks.
  • It serves as the primary route to a given destination, with the matching dynamic route stepping in as the primary in case the static route is removed from the router.
  • Floating static routes always have /32 masks.
  • It's precisely the same as a route discovered by a protocol such as EIGRP or OSPF, but the static route has a lower admin distance.
  • There is no one single mask that will be applied to all floating static routes. (Correct)

Answer : It serves as a backup route in case the "better" route to the exact same destination is lost. It's exactly the same as a route discovered by a dynamic routing protocol, but the static route has a higher admin distance. There is no one single mask that will be applied to all floating static routes.

Explanation Floating static routes serve as a backup to a matching route discovered by a dynamic routing protocol. The floating static route doesn’t enter the IP routing table immediately due to its higher AD. If the dynamically discovered route is lost, the floating static route will be put into the routing table. There is no one single mask that you’ll apply to floating static routes.

For what reason was RFC 1918 developed?

Options are :

  • To create a faster version of STP.
  • To develop a Cisco-proprietary routing protocol.
  • To help with the over-allocation of IPv6 addresses.
  • To address the fact that we were running out of IPv4 addresses. (Correct)
  • To allow ports blocked by STP to go straight to forwarding.
  • To develop a non-Cisco-proprietary version of EIGRP.

Answer : To address the fact that we were running out of IPv4 addresses.

Explanation RFC 1918 created the various alphabetical address classes (Class A, B, etc.), and that was done for one major reason -- to help with the over-allocation of IPv4 addresses by defining private address classes.

What VLAN is used by CDP- and VTP-based traffic?

Options are :

  • These traffic types do not use a VLAN.
  • VLAN 0.
  • The native VLAN, default or not.
  • VLAN 1, even if VLAN 1 is not the native VLAN. (Correct)

Answer : VLAN 1, even if VLAN 1 is not the native VLAN.

Explanation From Cisco's website: "CDP, VTP, and PAgP updates are always forwarded on trunks with a VLAN 1 tag. This is the case even if VLAN 1 has been cleared from the trunks and is not the native VLAN. If you clear VLAN 1 for user data, the action has no impact on control plane traffic that is still sent with the use of VLAN 1."

The address 138.2.1.100 falls into which IPv4 address class?

Options are :

  • Class A
  • Class C
  • Class D
  • Class B (Correct)
  • Class E

Answer : Class B

Explanation A quick first-octet address class refresher: A, 1 - 126; B, 128 - 191; C, 192-223; D, 224 - 239; E, 240-254.

You're eyeballing the output of "show interface fast 0/3" (not shown), which happens to be a trunk port. You note the number of input errors and CRCs is incrementing every time you run the show command. Which of the following is likely causing the problem?

Options are :

  • Duplex mode on the host PC on the other end of this trunk.
  • One of the two interfaces on this trunk link is administratively shut down.
  • Duplex mode on the switch on the other end of this trunk. (Correct)
  • Duplex mode on the local switch's Fast 0/3 interface.

Answer : Duplex mode on the switch on the other end of this trunk.

Explanation This is a trunk, so we have to have a switch on the other end of the link. Since the errors are input errors, there's a problem with the remote switch, and a duplex mismatch is the #1 culprit when you see the input errors start to increment. (If there was an administratively shut down port, we wouldn't have a trunk in the first place!)

Which of the following accurately describe IEEE 802.1q? Choose three.

Options are :

  • Is an industry-standard trunking protocol (Correct)
  • Tags traffic with a VLAN ID before sending across trunk (unless it belongs to the native VLAN, in which case tag is not inserted) (Correct)
  • Overhead is greater than that of the other major trunking protocol
  • Overhead is less than that of the other major trunking protocol (Correct)
  • Encapsulates every frame
  • Is Cisco-proprietary

Answer : Is an industry-standard trunking protocol. Tags traffic with a VLAN ID before sending across trunk (unless it belongs to the native VLAN, in which case tag is not inserted). Overhead is less than that of the other major trunking protocol.

Explanation Dot1q is an industry-standard, non-Cisco-proprietary trunking protocol that tags each frame with a VLAN ID before sending it across the trunk -- unless the frame is destined for the native VLAN, in which case no tag is attached. Dot1q's overhead is less than that of ISL, the other major trunking protocol you'll see in your CCENT and CCNA studies.

What is the default port number for SSH-based client connections?

Options are :

  • 111
  • 23
  • 22 (Correct)
  • 81
  • 181
  • 145

Answer : 22

Explanation SSH uses port 22.

Which of the following are true of NAT? Choose two.

Options are :

  • When PAT is in use, you don't need the "ip nat inside" and "ip nat outside" commands.
  • By using NAT, you don't have to assign (or re-assign) routable addresses to hosts that need access to external hosts. (Correct)
  • For PAT to work correctly, the hosts must be configured for PAT as well as the router(s).
  • All versions of NAT allow you to use a single routable IP address for all internal hosts needing access to external hosts.
  • NAT allows you to hide the internal address ranges in use in your network from external hosts. (Correct)

Answer : By using NAT, you don't have to assign (or re-assign) routable addresses to hosts that need access to external hosts. NAT allows you to hide the internal address ranges in use in your network from external hosts.

Explanation NAT helps with network security a bit because the address translation hides the internal network numbers from prying eyes outside our network. NAT also eliminates the need to give hosts that need outside access a routable address in addition to their internal address. As for the false statements, only PAT allows us to use a single routable address; with PAT, you still need the "ip nat inside" and "ip nat outside" commands, and the hosts need no configuration to use PAT.

Which of these statements best describe a host route? (Choose two.)

Options are :

  • A host route will always have a /0 mask (0.0.0.0), since it uses a wildcard mask rather than a network or subnet mask.
  • A host route matches all hosts in the local VLAN and is a great choice for routing protocol updates.
  • A host route will always have a /32 mask (255.255.255.255). (Correct)
  • A host route matches one and only one destination. (Correct)
  • A host route is a type of multicast that is sent to all hosts on the local segment.

Answer : A host route will always have a /32 mask (255.255.255.255). A host route matches one and only one destination.

Explanation A host route matches one and only one destination, and to do that it has to have a /32 mask. (Host routes, like other static route types, use subnet masks, not wildcard masks.)

What's the end result if you correctly enable port security, but do not define the number of addresses a particular port can consider secure?

Options are :

  • The port will go into administrative shutdown mode.
  • The port will go into port-inconsistent state and it must be manually re-enabled.
  • The port will remain operational but port security will not run on that port.
  • The port will consider one address to be secure, and that address is the first one the port dynamically learns. (Correct)
  • The port will go into err-disabled mode and it must be manually re-enabled.

Answer : The port will consider one address to be secure, and that address is the first one the port dynamically learns.

Explanation By default, a port with port security enabled can consider one and only one address secure, and that is the next address that port dynamically learns.

Which of the following accurately describe CHAP? Choose two.

Options are :

  • CHAP uses a three-way handshake. (Correct)
  • CHAP uses a four-way handshake
  • The "C" in CHAP stands for "challenge", and such a challenge can only be issued during the initial authentication.
  • CHAP does not use a handshake.
  • The "C" in CHAP stands for "challenge", and a challenge may be issued even after the initial authentication. (Correct)

Answer : CHAP uses a three-way handshake. The "C" in CHAP stands for "challenge", and a challenge may be issued even after the initial authentication.

Explanation CHAP uses a three-way handshake, and interestingly enough, CHAP can issue a challenge to a host even after the initial authentication to ensure the connection hasn't been altered.

What ACL type is described by the following snippet from Cisco's website? (Choose two.)

"allows you to set up dynamic access lists that grant access per user to a specific source/destination host through a user authentication process."

Options are :

  • lock-and-key (Correct)
  • dynamic (Correct)
  • extended (numbered)
  • extended (named)
  • standard (named)
  • standard (numbered)

Answer : lock-and-key, dynamic

Explanation A dynamic ACL will let you do this, and dynamic ACLs are also known as "lock-and-key ACLs".
