

June 20th, 2011 in ICND2

Here you will find answers to ICND 2 – Operation Questions

Question 1

Refer to the exhibit. The following commands are executed on interface fa0/1 of 2950Switch.
2950Switch(config-if)#switchport port-security
2950Switch(config-if)#switchport port-security mac-address sticky
2950Switch(config-if)#switchport port-security maximum 1

The Ethernet frame that is shown arrives on interface fa0/1. What two functions will occur when this frame is received by 2950Switch? (Choose two)


A – The MAC address table will now have an additional entry of fa0/1 FFFF.FFFF.FFFF.
B – Only host A will be allowed to transmit frames on fa0/1.
C – This frame will be discarded when it is received by 2950Switch.
D – All frames arriving on 2950Switch with a destination of 0000.00aa.aaaa will be forwarded out fa0/1.
E – Hosts B and C may forward frames out fa0/1 but frames arriving from other switches will not be forwarded out fa0/1.
F – Only frames from source 0000.00bb.bbbb, the first learned MAC address of 2950Switch, will be forwarded out fa0/1.


Answer: B D


The first command, 2950Switch(config-if)#switchport port-security, enables port security on the switch port.

The second command is 2950Switch(config-if)#switchport port-security mac-address sticky; its full syntax is switchport port-security mac-address sticky [MAC]. The sticky keyword makes the MAC address appear in the running configuration, so you can save it for later use. If you do not specify a MAC address after the sticky keyword, the switch dynamically learns the attached MAC address and places it in the running configuration. In this case, the switch dynamically learns the MAC address 0000.00aa.aaaa of host A and adds it to the running configuration.

The last command, 2950Switch(config-if)#switchport port-security maximum 1, limits the number of secure MAC addresses to one. That address is assigned dynamically (because no MAC address is specified, the switch takes the MAC address of the device attached to interface fa0/1), and the workstation attached to that port is assured the full bandwidth of the port. Therefore only host A will be allowed to transmit frames on fa0/1 -> B is correct.

After you have set the maximum number of secure MAC addresses for interface fa0/1, the secure addresses are included in the “Secure MAC Address” table (this table is similar to the MAC Address Table, but you can only view it with the show port-security address command). So in this question, although you don’t see the MAC address of host A listed in the MAC Address Table, frames with a destination of 0000.00aa.aaaa will still be forwarded out of interface fa0/1 -> D is correct.
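The behaviour explained above, as an added Python model (not code from the original page or from Cisco): it sticky-learns one source MAC on fa0/1, then shows what happens to a frame from a second source. The exhibit is not reproduced here, so the first frame's destination is assumed to be broadcast; SecurePort, egress_ports and walk_through are hypothetical names.

```python
from dataclasses import dataclass, field

BROADCAST = "ffff.ffff.ffff"
HOST_A = "0000.00aa.aaaa"   # host A's MAC, from the question
HOST_B = "0000.00bb.bbbb"   # second source MAC (taken from option F), constructed use


@dataclass
class SecurePort:
    """One access port with 'switchport port-security' enabled."""
    name: str
    maximum: int = 1
    violation: str = "shutdown"      # IOS default; also "restrict" or "protect"
    secure: list = field(default_factory=list)   # sticky-learned source MACs
    err_disabled: bool = False
    violation_count: int = 0

    def receive(self, src, dst):
        """Apply port security to one ingress frame; return 'forward' or 'drop'."""
        src = src.lower()
        if self.err_disabled:
            return "drop"                     # port stays down until re-enabled
        if src in self.secure:
            return "forward"
        if len(self.secure) < self.maximum:
            self.secure.append(src)           # learning keys on the SOURCE MAC only;
            return "forward"                  # dst (even broadcast) is never learned
        # A new source MAC beyond the maximum is a violation.
        if self.violation != "protect":       # protect drops without counting
            self.violation_count += 1
        if self.violation == "shutdown":
            self.err_disabled = True
        return "drop"

    def sticky_lines(self):
        """Lines sticky learning adds to the interface's running configuration."""
        return [f"switchport port-security mac-address sticky {m}" for m in self.secure]


def egress_ports(ports, dst):
    """Ports whose secure address equals dst: where a unicast to dst is sent."""
    return [p.name for p in ports if dst.lower() in p.secure and not p.err_disabled]


def walk_through():
    fa01 = SecurePort("fa0/1")
    result = {"first_frame": fa01.receive(HOST_A, BROADCAST)}   # not discarded (C is wrong)
    result["secure"] = list(fa01.secure)                        # host A only (A is wrong)
    result["config"] = fa01.sticky_lines()
    result["to_host_a"] = egress_ports([fa01], HOST_A)          # answer D
    result["other_source"] = fa01.receive(HOST_B, HOST_A)       # answer B
    result["err_disabled"] = fa01.err_disabled
    return result


if __name__ == "__main__":
    for key, value in walk_through().items():
        print(f"{key}: {value}")
```

With the default violation mode the second source MAC err-disables the port; constructing the port with violation="restrict" keeps it up and only drops and counts the offending frames.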

Question 2

A network administrator must configure 200 switch ports to accept traffic from only the currently attached host devices. What would be the most efficient way to configure MAC-level security on all these ports?

A – Visually verify the MAC addresses and then telnet to the switches to enter the switchport-port security mac-address command.
B – Have end users e-mail their MAC addresses. Telnet to the switch to enter the switchport-port security mac-address command.
C – Use the switchport port-security MAC address sticky command on all the switch ports that have end devices connected to them.
D – Use show mac-address-table to determine the addresses that are associated with each port and then enter the commands on each switch for MAC address port-security.


Answer: C


(Please read the explanation of question 1 to understand the use of the “switchport port-security MAC address sticky”)

A and C can be used, but instead of writing all the MAC addresses of the devices associated with each port, we can ask the switch to learn all the MAC addresses of the associated devices automatically by the “switchport port-security mac-address sticky” command which will save much work for the administrator.
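One way to verify the result across many ports, as an added example rather than anything from the original page: a Python audit of a running-config that lists access ports still lacking port security or sticky learning. The config excerpt is constructed, and parse_interfaces and audit are hypothetical names.

```python
import re

# Constructed running-config excerpt (not taken from the page's exhibits).
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0000.00aa.aaaa
!
interface FastEthernet0/2
 switchport mode access
 switchport port-security
!
interface FastEthernet0/3
 switchport mode access
!
interface FastEthernet0/4
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
!
interface GigabitEthernet0/1
 switchport mode trunk
!
"""

# A learned sticky entry: the sticky command followed by a dotted-hex MAC.
STICKY_MAC = re.compile(
    r"^switchport port-security mac-address sticky [0-9a-f]{4}(?:\.[0-9a-f]{4}){2}$",
    re.IGNORECASE,
)


def parse_interfaces(text):
    """Split a running-config into {interface name: [stanza lines]}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        header = re.match(r"^interface (\S+)", raw)
        if header:
            current = stanzas.setdefault(header.group(1), [])
        elif raw.startswith(" ") and current is not None:
            current.append(raw.strip())
        else:
            current = None        # '!' or a global command ends the stanza
    return stanzas


def audit(text):
    """Return {interface: finding} for access ports that are not fully locked down."""
    findings = {}
    for name, lines in parse_interfaces(text).items():
        if "switchport mode access" not in lines:
            continue              # trunks and uplinks are out of scope here
        if "switchport port-security" not in lines:
            findings[name] = "port-security not enabled"
        elif "switchport port-security mac-address sticky" not in lines:
            findings[name] = "enabled, but sticky learning is off"
        elif not any(STICKY_MAC.match(line) for line in lines):
            findings[name] = "sticky on, no address learned yet"
    return findings


if __name__ == "__main__":
    for port, finding in audit(SAMPLE_CONFIG).items():
        print(f"{port}: {finding}")
```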

Question 3

Refer to the exhibit. What can be concluded from the output of the debug command?


A – The output represents normal OSPF operation.
B – The interfaces of two OSPF routers connected to the Border router are in the same subnet.
C – The OSPF router connected to interface Serial0/1 has NOT formed a neighbor relationship with the Border router.
D – A router is connected to interface Serial0/3 of the Border router. The OSPF router ID of the connected router is the IP address of the connected interface.


Answer: C

Question 4

Refer to the exhibit. What does STATUS=ACTIVE refer to in the output of the show frame-relay pvc command?


A – The PVC is experiencing congestion.
B – The Frame Relay switch is correctly programmed with the DLCI and is operational.
C – The router is actively broadcasting to establish a link to the Frame Relay switch.
D – The router is connected to the local Frame Relay switch, but not to the far end device.


Answer: B

Question 5

Refer to the graphic. Users on the Holyoke router are unable to access the intranet server attached to interface E0 of the Chicopee router. Inspection of the routing table of the Holyoke router shows that an entry for the Chicopee E0 network is missing. Which command will configure the Holyoke router with a path to the intranet server network?


A – Holyoke(config)# ip host Chicopee
B – Holyoke(config)# ip host Chicopee
C – Holyoke(config)# ip network
D – Holyoke(config)# ip network
E – Holyoke(config)# ip route
F – Holyoke(config)# ip route


Answer: E

Question 6

Users have been complaining that their Frame Relay connection to the corporate site is very slow. The network administrator suspects that the link is overloaded. Based on the partial output of the Router#show frame relay pvc command shown in the graphic, which output value indicates to the local router that traffic sent to the corporate site is experiencing congestion?


A. DLCI = 100
B. last time PVC status changed 00:25:40
C. in BECN packets 192
D. in FECN packets 147
E. in DE packets 0


Answer: C


If one of the intermediate Frame Relay switches encounters congestion, it will set the BECN (Backward Error Congestion Notification) bit on packets being returned to the sending device and the FECN (Forward Error Congestion Notification) bit on the packets being sent to the receiving device.

A FECN tells the receiving device that the path is congested so that the upper layer protocols should expect some delay. The BECN tells the transmitting device that the Frame Relay network is congested and that it should “back off” to allow better throughput.

The DE (Discard Eligibility) bit is used to identify less important traffic that can be dropped during periods of congestion. DCE devices will discard frames with the DE bit set before discarding those that do not.

Question 7

Refer to the exhibit. Which of these statements correctly describes the state of the switch once the boot process has been completed?


A. As FastEthernet0/12 will be the last to come up, it will be blocked by STP.
B. Remote access management of this switch will not be possible without configuration change.
C. More VLANs will need to be created for this switch.
D. The switch will need a different IOS code in order to support VLANs and STP.


Answer: B


We don’t know the network topology so A is not correct.

A switch can operate without VLANs -> C is not correct.

This switch IOS supports VLAN because we can see VLAN 1 in the exhibit -> D is not correct.

In this case, VLAN 1 has been shut down, so we cannot remotely access this switch -> B is correct.

  1. none
    August 22nd, 2010

    Had most of these today, passed. Barely passed.

  2. memet
    August 25th, 2010

    are u sure q7 ‘s answer B , I see different test answer is C

  3. YE
    August 29th, 2010

    q 7. I saw the answer as C on the Mashti too. but i agree with B

  4. Phoenix
    August 31st, 2010

    I have some photozz from my exam.I can mail to human which potted it to this site.
    Sorry for my poor English slavian2004@bk.ru

  5. Walid
    September 4th, 2010

    Me too, I saw it as C, But I agree with B.

  6. tester
    September 7th, 2010

    Took test 9/6 only saw Q1 on the test.

  7. tim
    September 15th, 2010

    i only had Q1 in my test

  8. Cool Guy
    October 22nd, 2010

    Hi, everyone, anyone have How2pass dumps and lab/simlets, kindly send the link, I will take my ICND2 in two week. thanks

  9. bigui
    October 30th, 2010

    i will take icnd2 exam soon please help me to have some dumps and labs.

    thanks you

  10. bigui
    October 30th, 2010

    i will take icnd2 exam soon please help me to have some dumps and labs.my e-mail is domagnie@yahoo.fr

    thanks you

  11. adish
    December 20th, 2010

    Hi 9tut!!
    Got new question:
    Which port is newly introduced in Rapid-PVST?
    1. Learning
    2. Listening
    3. Discarding
    4. Forwarding

  12. Muhammad hammad
    December 22nd, 2010


    in regards to question 7 . In pass4sure exams the correct answer is C …which does not even make sense .kindly can you explain why it could be C ? OR the pass4sure exam got it wrong


  13. James
    December 23rd, 2010


    It is “3. discarding”. Looks like you’re studying only dumps for the exam!

    @Muhammad hammad

    P4S is wrong. I googled the questions and many results show that B is the correct answer.

  14. testICND2 failed
    January 18th, 2011

    p4s is way wrong. maybe 6 identical questions on my test

  15. Snoob
    February 24th, 2011

    @testICND2 failed
    Study more! Dumps are just there to give you an idea of the exam. You have to know your stuff.

  16. Martin
    March 4th, 2011

    Regarding the 7 question i think the right answer is
    “B. Remote access management of this switch will not be possible without configuration change.”
    They just put the INTERFACE VL1 admin down, the vlan 1 is still on the switch, and the switch will be just fine will all ports in vlan 1.
    Also answers from question 272 and 274 from ACME are wrong, but i will let you decide what is the right answer :).
    Thx everyone, and 9tut.com for support.
    Theos_1406 from Romania.

  17. Martin
    March 4th, 2011

    Sorry ACME is for CCNA not ICND.

  18. I cant see B as right answer
    March 21st, 2011

    Answer: B


    We don’t know the network topology so A is not correct.

    A switch can operate without VLANs -> C is not correct.

    This switch IOS supports VLAN because we can see VLAN 1 in the exhibit -> D is not correct.

    In this case, VLAN 1 has been shutdown so we can’t remote access to this switch -> B is correct.

    *****You have to look at the INFO given VLAN 1 is down so no you cannot have remote access to that vlan. However In order for vlan 1 to be down another vlan must have been established because vlan 1 is on by default. So therefore there is another active vlan on this device. But it left us to assume. So going by the info you have to go with C

  19. Yousef
    April 13th, 2011

    @ I cant see B: Actually C isn’t a choice because if you check now using packet tracer or any simulator or the default vlan which is vlan 1 is by default shutdown. B is the answer.

  20. cybermagnetik
    May 20th, 2011

    What a great web log. I spend hours on the net reading blogs, about tons of various subjects. I have to first of all give praise to whoever created your theme and second of all to you for writing what i can only describe as an fabulous article. I honestly believe there is a skill to writing articles that only very few posses and honestly you got it. The combining of demonstrative and upper-class content is by all odds super rare with the astronomic amount of blogs on the cyberspace.

  21. ciscos confusion
    June 10th, 2011

    Q7 is very tricky B is the right answer for what they are saying, but C would be a correct answer if this was a security question. vlan 1 is automatically turned ON by default, which lets all traffic pass, now the user turned it off meaning no traffic will pass unless another vlan is created for security reasons we do this. in this question it is only asking about what the state is from this boot seq, and with vlan 1 down there can be no REMOTE access unless you create another vlan, but you dont have to. B is correct for Q7

  22. xallax
    June 10th, 2011

    Switch> enable
    Switch# configure terminal
    Switch(config)# interface vlan1
    Switch(config-if)# no shutdown
    Switch(config-if)# exit
    Switch(config)# ip default-gateway *IP here*
    Switch(config)# do write

    that’s about it, you don’t need to create a set a new management vlan, just enable vlan1 and you’re done

  23. Anonymous
    July 28th, 2011

    dude when you boot up switch the vlan show shutdown state.

  24. windmerrox
    September 30th, 2011

    Q1 on test.

  25. Denis
    October 12th, 2011

    Good!Lets go!!!

  26. Radiant9
    December 2nd, 2011

    Question for you all;

    I had question 4 on my exam but the PVC STATUS = INACTIVE. What does that mean? Does it mean there is a specific reason why its inactive?

  27. Anonymous
    December 11th, 2011

    PVC STATUS = INACTIVE means that theres no connection between FR switch and the far end router. Not sure of the specific reason though but I dont think we need to know for CCNA.
    Maybe someone else can explain more?

  28. None ya
    December 13th, 2011


    PVC Status= Inactive… .generally means a configuration issue on the DTE device, which is the customer router in a frame relay connection.

    PVC Status= Active.. .means that everything is operating normally.

    PVC Status= Deleted… means that there is a configuration issue on the provider end, most likely nothing is configured on the provider side of the PVC.

  29. Sarpich
    December 17th, 2011

    Just pass ICND2 today with 916 score. See question 1 on my exam.

  30. WKC
    January 28th, 2012

    Passed ICND2 today with 944!! I didn’t have any of these questions on my test today

  31. TheCryptKeeper
    January 29th, 2012

    HI Peeps regarding question 1, I thought answer A would also be included. I did a test in packet tracer and sure enough the new mac of host A populated the Mac-Address-Table. Am i missing something here? Please help, I have only two days left.

  32. Alaa
    February 7th, 2012

    @TheCryptKeeper, FFFF.FFFF.FFFF is not the mac address of host A, 0000.00aa.aaaa is host A’s mac address.

    How did you do on the exam?

  33. BIGD
    February 15th, 2012

    I keep hearing about ACL2, WHERE CAN I FIND IT HERE ON 9TUT?

  34. 9tut
    February 15th, 2012

    @BIGD: ACL2 is a sim for CCNA only, not for ICND2 and you can find it here: http://www.9tut.com/78-ccna-access-list-sim-2

  35. BIGD
    February 18th, 2012


  36. TheCryptKeeper
    February 19th, 2012

    HI dude, i failed but am re-taking tomorrow. Thanks for the info.

  37. kevin
    February 27th, 2012

    Can someone explain question 3?

    C: The OSPF router connected to interface Serial0/1 has NOT formed a neighbor relationship with the Border router.

    How can you determine this to be the answer with such limited information from the diagram?

  38. xallax
    February 27th, 2012

    “mismatch in hello timers…”
    that’s the clue that they did not form neighboring relationship

  39. Syed Mehmood Ali
    March 31st, 2012

    I have passed the exam with 944 marks question #5 came into my exam.

  40. NerroAzurro
    March 31st, 2012

    Q#1 in my exam

  41. chas
    April 12th, 2012

    Passed, Q1 was on my exam.

  42. WSL
    April 22nd, 2012

    Passed ICND2 today with 986/1000 🙂

    Q1 was there

  43. ST
    May 22nd, 2012

    Similar Q1 out today

  44. seren
    June 3rd, 2012

    Q6 : I did not get it why we choose “in BECN packets 192”? is it because the 192 greater 147??
    Many thanks.

  45. 9tut
    June 3rd, 2012

    @seren: It is because BECN, not 192 or 147. BECN is the information sent back to the local router indicating the link to the partner is being congesting.

    Note: The question says: “which output value indicates to the local router that traffic sent to the corporate site is experiencing congestion?”

  46. mikemonk
    June 14th, 2012

    Q1 on exam today! Passed with 958, awesome site! 🙂

  47. Anonymous
    June 28th, 2012

    Q3 is incorrect:

    A. The output represents normal OSPF operation. –> WRONG (because you’re seeing a mismatched Hello message in the debug).

    B – The interfaces of two OSPF routers connected to the Border router are in the same subnet. CORRECT (Hellos were received from two interfaces, with no debug indicating a mismatch. This indicates they are on the same subnet).

    C. The OSPF router connected to interface Serial0/1 has NOT formed a neighbor relationship with the Border router. WRONG (since a Hello was received on this interface with no debug indicating timers were mismatched, we must assume neighbors were formed).

    D – A router is connected to interface Serial0/3 of the Border router. The OSPF router ID of the connected router is the IP address of the connected interface. WRONG (we have no way to determine this based on the output provided).

  48. Klauss
    July 6th, 2012


    Receiving Hello packets did not make the routers neighbors. This would have happened ONLY if they agreed on the parameters in these packets. In our question(3), the Border router receives a mismatch on serial 0/1. C is the correct answer.
    I don’t see how we can tell they are in the same subnet. The serial interfaces are, of course.

  49. Klauss
    July 6th, 2012


    I meant the serial interfaces between the OSPF routers are in the same subnet, respectively.

  50. kc10boom
    July 10th, 2012

    Q #3. The answer is C. It clearly says “mismatched hello parameters from” on s0/1.

  51. klauss
    July 13th, 2012


    I don’t understand. When I send 2 comments to the website only one shows (the second). It happened twice to me on July 6th 2012.

  52. creative me
    November 3rd, 2012

    Hi , Can some one explain Q3 Please.

  53. pat
    December 9th, 2012

    Q3 question 3
    @creative me here you go

    Read line – Rcv hello from area 0 s0/1……

    Next line – Mismatched hello parameters from

    OSPF hello timers must be set to the same values on both interfaces of the same link connecting the Border router with its neighbor, otherwise adjacency will be not established

  54. pat
    December 10th, 2012

    hmm but these interfaces are on different subnets, so I got confused now

  55. MK
    December 17th, 2012

    This Q was on ICND2 exam :
    Which two commands correctly verify whether port security has been configured on port FastEthernet 0/12 on a switch?(choose two)?
    sw1#show switchport port-secure interface FastEthernet 0/12
    sw1#show switchport port-security interface FastEthernet 0/12
    sw1#show port-secure interface FastEthernet 0/12
    sw1#show running-config
    sw1#show port-security interface FastEthernet 0/12

  56. Anonymous
    December 30th, 2012

    I am going to give exam in next month,will these be valid for that time,plz confirm me
    Thanks in advance

  57. JL
    January 8th, 2013

    MK, I believe the answer is D, & E.

    Under show Run
    interface FastEthernet0/12
    spanning-tree portfast
    switchport mode access
    switchport port-security
    switchport port-security mac-address sticky

    B1-S1#sh port-security int fa 0/12
    Port Security : Enabled
    Port Status : Secure-down
    Violation Mode : Shutdown
    Aging Time : 0 mins
    Aging Type : Absolute
    SecureStatic Address Aging : Disabled
    Maximum MAC Addresses : 1
    Total MAC Addresses : 0
    Configured MAC Addresses : 0
    Sticky MAC Addresses : 0
    Last Source Address:Vlan : 0000.0000.0000:0
    Security Violation Count : 0

    The answer A, B. is invalid command. C is “port-secure” does not exist.

    Good Luck

  58. Daniel L.
    January 21st, 2013

    JL absolutely right!

  59. Xedia
    February 19th, 2013

    only question 1 today on my test.

  60. Eddy
    May 16th, 2013


    “Mismatched hello parameters from”

    I think is the router id, this ip does not have to be on the same network of (and you do not know the prefix of …)

    In fact there is no network notion here…

  61. Eddy
    May 16th, 2013

    (please read subnet in place of network, sorry for my poor english)

  62. Anonymous
    May 22nd, 2013

    1 and 4 were on the exam the maximum number was a different number (3)on question 1. get to know about port security and the max and the mac address in port security. i got a few questions on it

  63. Blackangus
    June 7th, 2013

    Passed today 958/100. Question 1 was on my test.

  64. Stephen
    June 15th, 2013

    Q7 B is correct.

    Hi guys!! I can able to make int Vlan 1 admin down before creating some other VLAN for management ..

    so B is correct.

    Switch#show interfaces vlan 1
    Vlan1 is administratively down, line protocol is down
    Hardware is CPU Interface, address is 00e0.f7cc.03b1 (bia 00e0.f7cc.03b1)
    MTU 1500 bytes, BW 100000 Kbit, DLY 1000000 usec,
    reliability 255/255, txload 1/255, rxload 1/255
    Encapsulation ARPA, loopback not set
    ARP type: ARPA, ARP Timeout 04:00:00
    Last input 21:40:21, output never, output hang never
    Last clearing of “show interface” counters never
    Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
    Queueing strategy: fifo
    Output queue: 0/40 (size/max)
    5 minute input rate 0 bits/sec, 0 packets/sec
    5 minute output rate 0 bits/sec, 0 packets/sec
    1682 packets input, 530955 bytes, 0 no buffer
    Received 0 broadcasts (0 IP multicast)
    0 runts, 0 giants, 0 throttles
    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
    563859 packets output, 0 bytes, 0 underruns
    0 output errors, 23 interface resets
    0 output buffer failures, 0 output buffers swapped out

  65. MO
    August 5th, 2013

    Just wrote my ICND2 today, and i got 902/1000.. Question 3 was in the exam.. Thanks to the 9tut team..

  66. Sham
    August 17th, 2013

    I had a similar question to number 2 here on my exam

  67. Anonymous
    September 15th, 2013

    Ques 7 Answer is B. Since its administratively down, one will not be able to remote into it.

  68. Fel
    September 16th, 2013

    None of these were on the exam today. Passed with 916

  69. TrickedbyCisco
    September 20th, 2013

    For some reason my exam overlapped and I got 200-100. Didnt know was there already and Fail. 640-816 next Monday.

  70. Thyreme
    September 27th, 2013

    Q 1 & 2 on today’s exam. Nailed it with 888/1000. Thanks to 9tut, CBT Nuggets, CiscoPress, HeavyMod.

  71. Anonymous
    February 8th, 2014

    how about answer C in Question 1?
    it seem as correct
    any idea ?
