Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

8.3. Practice Questions (60 Questions)

💡 First Principle: These practice questions mirror the exam format—scenario-based stems with four choices. Think of them as a dress rehearsal. The goal isn't to memorize answers but to practice the reasoning process. When you miss a question, understand WHY the correct answer is correct and WHY your choice was wrong.

How to use these effectively: Don't just check if you got it right. For each question, identify which concept is being tested and whether you understood the "why" behind the answer. If you guessed and got lucky, that's not preparation—that's gambling on exam day.

Domain 1: Network Fundamentals (Q1-12)

Q1. A company is deploying a new network for their 500-employee office. Which network topology would provide the best scalability and performance?

A. Two-tier (collapsed core)
B. Three-tier
C. SOHO
D. Spine-leaf

Answer: B. Three-tier

Three-tier architecture (access, distribution, core) provides the best scalability for medium to large campus networks. Two-tier works for smaller deployments, SOHO is for home/small offices, and spine-leaf is optimized for data centers with east-west traffic patterns.


Q2. Which cable type should be used to connect two switches together in a legacy environment without Auto-MDIX?

A. Straight-through
B. Crossover
C. Rollover
D. Fiber

Answer: B. Crossover

Crossover cables connect like devices (switch-to-switch, router-to-router). Straight-through connects unlike devices (PC-to-switch). Modern devices with Auto-MDIX handle this automatically.


Q3. What is the primary difference between TCP and UDP?

A. TCP uses port numbers; UDP does not
B. TCP provides reliable delivery; UDP provides best-effort delivery
C. TCP is used for voice; UDP is used for data
D. TCP is faster than UDP

Answer: B. TCP provides reliable delivery; UDP provides best-effort delivery

TCP guarantees delivery through acknowledgments and retransmissions. UDP is best-effort with no delivery guarantee. Both use port numbers. UDP is actually faster due to less overhead.


Q4. Given the IP address 192.168.100.50/26, what is the network address?

A. 192.168.100.0
B. 192.168.100.32
C. 192.168.100.64
D. 192.168.100.48

Answer: A. 192.168.100.0

/26 = 255.255.255.192 with block size 64. Subnets: .0, .64, .128, .192. Address .50 falls in the .0-.63 range, so the network address is 192.168.100.0.


Q5. Which address type is automatically configured on every IPv6 interface and used for neighbor discovery?

A. Global unicast
B. Unique local
C. Link-local
D. Anycast

Answer: C. Link-local

Link-local addresses (FE80::/10) are automatically configured and required for IPv6 to function. They're used for neighbor discovery, routing protocols, and local communication.


Q6. What does a switch do when it receives a frame with an unknown destination MAC address?

A. Drops the frame
B. Sends to the default gateway
C. Floods the frame out all ports except the source
D. Sends an ARP request

Answer: C. Floods the frame out all ports except the source

When the destination MAC isn't in the MAC address table, the switch floods the frame to all ports in the VLAN except the receiving port.


Q7. Which Power over Ethernet standard provides up to 25.5 watts to powered devices?

A. 802.3af
B. 802.3at
C. 802.3bt
D. 802.3ax

Answer: B. 802.3at

802.3at (PoE+) provides 25.5W at the powered device. 802.3af provides 12.95W. 802.3bt provides 60-90W. 802.3ax is Wi-Fi 6.


Q8. A Windows client shows an IP address of 169.254.10.50. What does this indicate?

A. The client is configured with a static IP
B. The DHCP server assigned this address
C. DHCP has failed and APIPA is in use
D. IPv6 is disabled

Answer: C. DHCP has failed and APIPA is in use

169.254.x.x (APIPA) indicates the client couldn't reach a DHCP server and assigned itself an address for local communication only.


Q9. Which virtualization technology creates multiple isolated routing tables on a single router?

A. Virtual machine
B. Container
C. VRF
D. VLAN

Answer: C. VRF

Virtual Routing and Forwarding (VRF) creates multiple isolated routing tables on one router. VLANs segment Layer 2; VRFs segment Layer 3.


Q10. In the OSI model, at which layer does a router operate?

A. Layer 1
B. Layer 2
C. Layer 3
D. Layer 4

Answer: C. Layer 3

Routers operate at Layer 3 (Network), making forwarding decisions based on IP addresses. Switches operate at Layer 2 (MAC addresses).


Q11. Which two channels should be used in a 2.4 GHz wireless deployment with three access points to avoid co-channel interference? (Choose two.)

A. 1 and 2
B. 1 and 6
C. 6 and 7
D. 6 and 11

Answer: B. 1 and 6, D. 6 and 11

Only channels 1, 6, and 11 are non-overlapping in the 2.4 GHz band. Using adjacent channels (like 1 and 2) causes interference.


Q12. What is the default aging time for dynamically learned MAC addresses on a Cisco switch?

A. 60 seconds
B. 180 seconds
C. 300 seconds
D. 600 seconds

Answer: C. 300 seconds

The default MAC address aging time is 300 seconds (5 minutes).


Domain 2: Network Access (Q13-24)

Q13. Which VLAN is used for untagged traffic on an 802.1Q trunk?

A. VLAN 1
B. Management VLAN
C. Native VLAN
D. Default VLAN

Answer: C. Native VLAN

The native VLAN carries untagged traffic on an 802.1Q trunk. By default, this is VLAN 1, but it can be changed.


Q14. What command enables trunking on a Cisco switch port using 802.1Q?

A. switchport mode trunk
B. switchport trunk encapsulation dot1q
C. switchport trunk allowed vlan all
D. switchport trunk native vlan 1

Answer: A. switchport mode trunk

switchport mode trunk enables trunking. On some switches, you may also need switchport trunk encapsulation dot1q first.


Q15. Which Spanning Tree Protocol feature allows an access port to immediately enter forwarding state?

A. BPDU Guard
B. PortFast
C. Root Guard
D. Loop Guard

Answer: B. PortFast

PortFast allows access ports to skip listening and learning states, immediately entering forwarding. Only use on ports connected to end devices, not switches.


Q16. What happens when BPDU Guard is enabled on a port and a BPDU is received?

A. The BPDU is ignored
B. The port transitions to blocking state
C. The port goes into err-disabled state
D. The switch becomes root bridge

Answer: C. The port goes into err-disabled state

BPDU Guard shuts down the port (err-disabled) if a BPDU is received, protecting against unauthorized switches.


Q17. Which protocol provides vendor-neutral neighbor discovery similar to CDP?

A. LACP
B. LLDP
C. VTP
D. DTP

Answer: B. LLDP

LLDP (Link Layer Discovery Protocol) is the IEEE standard equivalent of Cisco's CDP for neighbor discovery.


Q18. Which EtherChannel mode actively initiates negotiation?

A. On
B. Auto
C. Desirable
D. Active

Answer: D. Active

For LACP, "active" initiates negotiation and "passive" waits. For PAgP, "desirable" initiates and "auto" waits.


Q19. What is the purpose of a Wireless LAN Controller (WLC)?

A. To amplify wireless signals
B. To centrally manage lightweight access points
C. To provide internet connectivity
D. To encrypt all wireless traffic

Answer: B. To centrally manage lightweight access points

WLCs provide centralized management, configuration, and monitoring of lightweight APs through CAPWAP tunnels.


Q20. Which protocol tunnels traffic between a lightweight AP and a WLC?

A. LWAPP
B. CAPWAP
C. GRE
D. IPsec

Answer: B. CAPWAP

CAPWAP (Control and Provisioning of Wireless Access Points) tunnels control and data traffic between APs and the WLC.


Q21. What STP state does a port enter after leaving the listening state?

A. Blocking
B. Forwarding
C. Learning
D. Disabled

Answer: C. Learning

STP states progress: Blocking → Listening → Learning → Forwarding. In learning, the port builds its MAC address table but doesn't forward user traffic.


Q22. Which command displays the current Spanning Tree root bridge for VLAN 10?

A. show spanning-tree vlan 10
B. show vlan 10
C. show spanning-tree root
D. show interfaces vlan 10

Answer: A. show spanning-tree vlan 10

This command shows STP details for VLAN 10, including the root bridge ID and local bridge information.


Q23. A switch port is configured for data VLAN 10 and voice VLAN 20. What type of port is this?

A. trunk port
B. access port with voice VLAN
C. routed port
D. dynamic port

Answer: B. access port with voice VLAN

This is an access port configured with a data VLAN and a voice VLAN for IP phones. The voice VLAN uses 802.1Q tagging for QoS.


Q24. What determines which switch becomes the STP root bridge?

A. Highest MAC address
B. Lowest bridge ID
C. Most ports
D. Highest bridge priority

Answer: B. Lowest bridge ID

The root bridge has the lowest bridge ID (priority + MAC address). Lower priority wins; if tied, lower MAC wins.


Domain 3: IP Connectivity (Q25-39)

Q25. A router has the following routes. Which will be used to forward a packet to 172.16.1.50?

  • 172.16.0.0/16 via 10.1.1.1
  • 172.16.1.0/24 via 10.1.1.2
  • 0.0.0.0/0 via 10.1.1.3

A. 172.16.0.0/16
B. 172.16.1.0/24
C. 0.0.0.0/0
D. Packet is dropped

Answer: B. 172.16.1.0/24

Longest prefix match: /24 is more specific than /16, so 172.16.1.0/24 is selected.


Q26. What is the administrative distance of OSPF?

A. 90
B. 100
C. 110
D. 120

Answer: C. 110

OSPF has AD 110. EIGRP internal is 90, RIP is 120, connected is 0, static is 1.


Q27. Which command creates a floating static route with an administrative distance of 200?

A. ip route 10.0.0.0 255.0.0.0 192.168.1.1 200
B. ip route 10.0.0.0 255.0.0.0 192.168.1.1 metric 200
C. ip route 10.0.0.0 255.0.0.0 192.168.1.1 distance 200
D. ip route 10.0.0.0 255.0.0.0 192.168.1.1 ad 200

Answer: A. ip route 10.0.0.0 255.0.0.0 192.168.1.1 200

The AD is specified at the end of the ip route command. A higher AD makes it a backup route.


Q28. What determines the OSPF Router ID if no router-id is configured and no loopback interfaces exist?

A. Lowest physical interface IP
B. Highest physical interface IP
C. First interface configured
D. Randomly generated

Answer: B. Highest physical interface IP

Router ID selection: (1) configured router-id, (2) highest loopback IP, (3) highest physical interface IP.


Q29. What must match between OSPF neighbors for them to form an adjacency?

A. Router ID
B. Area ID
C. Hello interval
D. All of B, C, and authentication settings

Answer: D. All of B, C, and authentication settings

OSPF neighbors must have matching area ID, Hello/Dead intervals, authentication, network type, and subnet. Router IDs must be unique, not matching.


Q30. On a multi-access network, which OSPF router is responsible for flooding LSAs?

A. Root Bridge
B. Designated Router
C. Area Border Router
D. Autonomous System Boundary Router

Answer: B. Designated Router

The DR (and BDR) is responsible for flooding LSAs on multi-access networks to reduce OSPF traffic.


Q31. What is the default OSPF cost for a 1 Gbps interface?

A. 1
B. 4
C. 10
D. 100

Answer: A. 1

OSPF cost = Reference bandwidth / Interface bandwidth. Default reference is 100 Mbps. 100/1000 = 0.1, rounded to 1.


Q32. Which command displays OSPF neighbor relationships?

A. show ip ospf
B. show ip ospf neighbor
C. show ip route ospf
D. show ip ospf database

Answer: B. show ip ospf neighbor

This command shows neighbor ID, state (FULL, 2-WAY), DR/BDR status, and interface information.


Q33. What is the purpose of the OSPF passive-interface command?

A. Stop sending and receiving Hello packets
B. Stop sending Hello packets but still advertise the network
C. Remove the interface from OSPF
D. Set the interface to the default network type

Answer: B. Stop sending Hello packets but still advertise the network

Passive interface stops Hello packets (no neighbors form) but still advertises the connected network in LSAs.


Q34. Which First Hop Redundancy Protocol is Cisco proprietary?

A. VRRP
B. HSRP
C. GLBP
D. Both B and C

Answer: D. Both B and C

HSRP and GLBP are Cisco proprietary. VRRP is the open standard.


Q35. What happens to traffic destined for an active FHRP virtual IP if the active router fails?

A. Traffic is dropped until manually reconfigured
B. Traffic continues using the backup router
C. Clients must request a new IP via DHCP
D. The virtual IP is removed from the network

Answer: B. Traffic continues using the backup router

The standby router takes over the virtual IP, and clients continue using the same gateway address transparently.


Q36. Which IPv6 routing command creates a default route?

A. ipv6 route ::/0 2001:DB8::1
B. ipv6 route 0.0.0.0/0 2001:DB8::1
C. ipv6 default-gateway 2001:DB8::1
D. ipv6 route ::/128 2001:DB8::1

Answer: A. ipv6 route ::/0 2001:DB8::1

::/0 represents all IPv6 destinations (the default route). /128 is a host route.


Q37. What is the OSPF network type for an Ethernet interface by default?

A. Point-to-point
B. Broadcast
C. Non-broadcast
D. Point-to-multipoint

Answer: B. Broadcast

Ethernet interfaces default to broadcast network type, which requires DR/BDR election.


Q38. A static route points to a next-hop IP that doesn't exist in the routing table. What happens?

A. The route appears in the routing table
B. The route does not appear in the routing table
C. The router generates an error message
D. The route becomes a floating static route

Answer: B. The route does not appear in the routing table

If the next-hop is unreachable, the static route is not installed. It becomes active when the next-hop becomes reachable.


Q39. What is the OSPF Hello interval on a broadcast network?

A. 5 seconds
B. 10 seconds
C. 30 seconds
D. 40 seconds

Answer: B. 10 seconds

Broadcast/point-to-point: Hello 10 seconds, Dead 40 seconds. Non-broadcast: Hello 30 seconds, Dead 120 seconds.


Domain 4: IP Services (Q40-45)

Q40. Which NAT type allows multiple internal hosts to share a single public IP address?

A. Static NAT
B. Dynamic NAT
C. PAT
D. NAT64

Answer: C. PAT

PAT (Port Address Translation), also called NAT overload, uses port numbers to distinguish connections from multiple hosts sharing one public IP.


Q41. What is the correct order of DHCP messages?

A. Request, Discover, Acknowledge, Offer
B. Discover, Offer, Request, Acknowledge
C. Offer, Discover, Request, Acknowledge
D. Discover, Request, Offer, Acknowledge

Answer: B. Discover, Offer, Request, Acknowledge

DORA: Discover (broadcast), Offer (server), Request (client accepts), Acknowledge (server confirms).


Q42. Which command enables a router interface to forward DHCP broadcasts to a remote server?

A. ip dhcp server 10.1.1.100
B. ip helper-address 10.1.1.100
C. ip dhcp relay 10.1.1.100
D. ip forward-dhcp 10.1.1.100

Answer: B. ip helper-address 10.1.1.100

ip helper-address forwards broadcast traffic (including DHCP) to a unicast destination.


Q43. What syslog severity level indicates a warning condition?

A. 3
B. 4
C. 5
D. 6

Answer: B. 4

Syslog levels: 0-Emergency, 1-Alert, 2-Critical, 3-Error, 4-Warning, 5-Notice, 6-Informational, 7-Debug.


Q44. Which QoS mechanism queues excess traffic instead of dropping it?

A. Policing
B. Shaping
C. WRED
D. Classification

Answer: B. Shaping

Shaping buffers excess traffic; policing drops it. WRED drops based on priority before congestion occurs.


Q45. What port does TFTP use?

A. TCP 20
B. TCP 21
C. UDP 69
D. UDP 161

Answer: C. UDP 69

TFTP uses UDP 69. FTP uses TCP 20 (data) and 21 (control). SNMP uses UDP 161.


Domain 5: Security Fundamentals (Q46-54)

Q46. Which Layer 2 security feature prevents rogue DHCP servers?

A. Port security
B. DHCP snooping
C. DAI
D. 802.1X

Answer: B. DHCP snooping

DHCP snooping validates DHCP messages and only allows server responses on trusted ports.


Q47. What is the violation mode that disables a port when port security is violated?

A. Protect
B. Restrict
C. Shutdown
D. Block

Answer: C. Shutdown

Shutdown (default) err-disables the port. Protect drops violating traffic silently. Restrict drops and logs.


Q48. Which ACL type filters based only on source IP address?

A. Standard ACL
B. Extended ACL
C. Named ACL
D. MAC ACL

Answer: A. Standard ACL

Standard ACLs (1-99, 1300-1999) filter on source IP only. Extended ACLs filter on source, destination, protocol, and ports.


Q49. Where should standard ACLs be placed?

A. Close to the source
B. Close to the destination
C. On the core switch
D. On the firewall

Answer: B. Close to the destination

Since standard ACLs only match source IP, place them near the destination to avoid blocking unintended traffic.


Q50. Which AAA protocol encrypts the entire packet payload?

A. RADIUS
B. TACACS+
C. Kerberos
D. LDAP

Answer: B. TACACS+

TACACS+ encrypts the entire packet. RADIUS only encrypts the password field.


Q51. What command enables SSH version 2 on a Cisco device?

A. ssh version 2
B. ip ssh version 2
C. crypto ssh version 2
D. transport input ssh 2

Answer: B. ip ssh version 2

The correct command is ip ssh version 2 in global configuration mode.


Q52. Which wireless security protocol should never be used due to known vulnerabilities?

A. WPA
B. WPA2
C. WEP
D. WPA3

Answer: C. WEP

WEP has been broken and provides no real security. Use WPA2 or WPA3.


Q53. What is the function of Dynamic ARP Inspection (DAI)?

A. Prevents rogue DHCP servers
B. Validates ARP packets using the DHCP snooping database
C. Limits the number of MAC addresses on a port
D. Encrypts ARP traffic

Answer: B. Validates ARP packets using the DHCP snooping database

DAI prevents ARP spoofing by validating that ARP packets match DHCP snooping bindings.


Q54. Which authentication method provides the strongest security for WPA2 in an enterprise environment?

A. WPA2-PSK
B. WPA2-Enterprise with RADIUS
C. Open authentication
D. MAC filtering

Answer: B. WPA2-Enterprise with RADIUS

WPA2-Enterprise uses 802.1X and individual credentials. PSK uses a shared key that's harder to manage securely.


Domain 6: Automation and Programmability (Q55-60)

Q55. Which API direction allows applications to communicate with the SDN controller?

A. Southbound
B. Northbound
C. Eastbound
D. Westbound

Answer: B. Northbound

Northbound APIs connect applications to the controller. Southbound APIs connect the controller to network devices.


Q56. In a controller-based network, where does the control plane reside?

A. On each network device
B. On the central controller
C. In the cloud
D. On the management station

Answer: B. On the central controller

SDN moves the control plane from individual devices to a central controller, leaving devices with data plane forwarding only.


Q57. Which HTTP method is used to create a new resource via REST API?

A. GET
B. POST
C. PUT
D. DELETE

Answer: B. POST

POST creates new resources. GET reads, PUT/PATCH updates, DELETE removes.


Q58. What is the correct JSON syntax to represent an array?

A. {"items": "a", "b", "c"}
B. {"items": ("a", "b", "c")}
C. {"items": ["a", "b", "c"]}
D. {"items": {"a", "b", "c"}}

Answer: C. {"items": ["a", "b", "c"]}

JSON arrays use square brackets [ ]. Objects use curly braces { }.


Q59. Which configuration management tool is agentless and uses SSH?

A. Puppet
B. Chef
C. Ansible
D. SaltStack

Answer: C. Ansible

Ansible is agentless and uses SSH (or NETCONF) to connect to devices. Puppet and Chef require agents.


Q60. What type of AI predicts network problems before they occur?

A. Generative AI
B. Predictive AI
C. Reactive AI
D. Deterministic AI

Answer: B. Predictive AI

Predictive AI analyzes patterns to forecast future problems. Generative AI creates content (like configuration suggestions).