These questions cover network operations and security — topics that appear across multiple N10-009 domains and where a small gap in knowledge of how devices actually work causes confident-sounding wrong answers.
Question 1
A technician makes several configuration changes to a Cisco router via the CLI. After a power failure, all changes are lost. What was the technician's mistake?
- A) Changes were made in the wrong configuration mode
- B) The running configuration was not saved to startup configuration
- C) The router needed a reboot to apply the changes
- D) The changes were not tested in a lab environment first
Answer: B — The running configuration was not saved to startup configuration
On Cisco IOS, all CLI changes modify the running configuration stored in RAM — which is volatile. To persist across reboots, the running config must be saved to NVRAM as the startup configuration.
```
Router# copy running-config startup-config
```
Or the shorter alias:
```
Router# write memory
```
The two configs to know:
| Config | Location | Persistent? |
|---|---|---|
| Running config | RAM | No — lost on power loss |
| Startup config | NVRAM | Yes — loaded on boot |
`show running-config` and `show startup-config` let you compare what's live vs what will survive a reboot.
Question 2
A rogue DHCP server on the network is assigning incorrect gateway addresses to clients. Which switch feature most effectively prevents this?
- A) Port security with MAC address limits
- B) DHCP snooping
- C) 802.1X port authentication
- D) Dynamic ARP Inspection
Answer: B — DHCP snooping
DHCP snooping classifies switch ports as trusted (connected to legitimate DHCP servers or uplinks) or untrusted (connected to end devices). DHCP offer and ACK messages arriving on untrusted ports are dropped, silencing any rogue DHCP server plugged into an access port.
How the related security features layer together:
| Feature | Protects against |
|---|---|
| DHCP snooping | Rogue DHCP servers |
| Dynamic ARP Inspection (DAI) | ARP spoofing / poisoning (uses snooping table) |
| Port security | MAC flooding and unauthorised devices |
| 802.1X | Unauthenticated devices connecting at all |
DAI is built on top of DHCP snooping — it validates ARP packets against the snooping binding table, so you need snooping running first.
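The layering described above can be modelled in a few lines. This is an added example, not vendor code and not part of the original quiz: a simplified model of a switch that drops server-side DHCP messages on untrusted ports, learns bindings from ACKs seen on trusted ports, and then uses that table for DAI. The `Switch` class, the port names, and the MAC/IP values are constructed for illustration.

```python
from dataclasses import dataclass, field

SERVER_MSGS = {"OFFER", "ACK", "NAK"}  # DHCP messages only a server should send

@dataclass
class Switch:
    trusted: set                                  # ports facing real DHCP servers / uplinks
    bindings: dict = field(default_factory=dict)  # client MAC -> (leased IP, access port)
    pending: dict = field(default_factory=dict)   # client MAC -> port its request came in on
    dropped: list = field(default_factory=list)   # violations, the events you would alert on

    def dhcp(self, port, msg, client_mac, ip=None):
        """DHCP snooping: return True if the frame is forwarded."""
        if msg in SERVER_MSGS:
            if port not in self.trusted:          # server message on an access port
                self.dropped.append(("dhcp", port, msg))
                return False
            if msg == "ACK" and client_mac in self.pending:
                # A lease confirmed via a trusted port becomes a binding entry.
                self.bindings[client_mac] = (ip, self.pending.pop(client_mac))
            return True
        self.pending[client_mac] = port           # DISCOVER / REQUEST from a client
        return True

    def arp(self, port, sender_mac, sender_ip):
        """DAI: ARP on an untrusted port must match a snooping binding."""
        if port in self.trusted:
            return True
        if self.bindings.get(sender_mac) == (sender_ip, port):
            return True
        self.dropped.append(("arp", port, sender_ip))
        return False

# Constructed sample values (documentation MAC and IP ranges).
CLIENT, OTHER = "00:00:5e:00:53:01", "00:00:5e:00:53:99"

def demo():
    sw = Switch(trusted={"Gi0/1"})
    sw.dhcp("Gi0/5", "DISCOVER", CLIENT)
    rogue = sw.dhcp("Gi0/9", "OFFER", CLIENT, "192.0.2.50")  # rogue server on access port
    sw.dhcp("Gi0/5", "REQUEST", CLIENT)
    legit = sw.dhcp("Gi0/1", "ACK", CLIENT, "192.0.2.20")    # real server via uplink
    good_arp = sw.arp("Gi0/5", CLIENT, "192.0.2.20")         # matches the binding
    spoofed = sw.arp("Gi0/9", OTHER, "192.0.2.1")            # claims the gateway IP
    return rogue, legit, good_arp, spoofed, sw.dropped

if __name__ == "__main__":
    print(demo())
```

With an empty binding table, `arp()` rejects every host on an untrusted port, which is why snooping has to be running before DAI is enabled.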
Question 3
A security team needs timestamps on logs from routers, firewalls, and servers to be consistent for incident correlation. Which protocol should be deployed across all devices?
- A) DNS
- B) SNMP
- C) NTP
- D) Syslog
Answer: C — NTP (Network Time Protocol)
NTP synchronises clocks across devices using a hierarchy of time sources called strata. Stratum 0 is a reference clock (GPS, atomic); stratum 1 servers sync from stratum 0; stratum 2 devices sync from stratum 1, and so on.
Without NTP, each device's clock drifts independently. A 30-second drift between a firewall and a SIEM makes correlated log analysis — and forensic timelines — unreliable.
Ports and protocols the exam expects:
| Protocol | Port | Purpose |
|---|---|---|
| NTP | UDP 123 | Clock synchronisation |
| Syslog | UDP 514 | Log transport to a central server |
| SNMP | UDP 161/162 | Device monitoring and management |
| DNS | UDP/TCP 53 | Name resolution |
Syslog handles log delivery but doesn't fix the timestamps — you need NTP first so the timestamps are worth trusting.
Key Takeaways
- `copy running-config startup-config` is the save command on Cisco IOS; changes in RAM are lost on reboot
- DHCP snooping designates trusted/untrusted ports to block rogue DHCP servers; DAI builds on top of it
- NTP (UDP 123) synchronises device clocks — a prerequisite for meaningful log correlation and incident response