20+ practice questions focused on VRF and Path Isolation — one of the most tested topics on the ENCOR 350-401 exam. Each question includes a detailed explanation so you learn why the right answer is correct.
Start VRF and Path Isolation PracticeA network engineer is configuring MPLS L3VPN on a Cisco IOS-XE PE router. The engineer creates a VRF named CUSTOMER_A with route-target import and export 100:1. After configuring the VRF on the interface connected to the CE router, the CE router can ping the PE's VRF interface IP, but cannot reach any remote VPNv4 routes. The BGP session between PE and route reflector is up. What is the most likely cause?
Explanation: The CE router can ping the PE's VRF interface IP, confirming Layer 2 and VRF interface configuration are correct. However, the CE cannot reach remote VPNv4 routes, which indicates that the PE is not advertising or installing those routes into the VRF. The most likely cause is that the VRF CUSTOMER_A has not been activated under BGP using the 'address-family ipv4 vrf CUSTOMER_A' command, which is required to exchange IPv4 routes between the PE and CE within the VRF context and to redistribute them into MP-BGP for VPNv4 propagation.
An enterprise uses VRF-lite to isolate guest Wi-Fi traffic from corporate traffic on a Cisco Catalyst 9300 switch. The guest VRF (GUEST) is configured on VLAN 100, and the corporate VRF (CORP) on VLAN 200. Both VRFs use the same default gateway router connected via a trunk. The engineer notices that guest devices can reach the internet but cannot access the guest captive portal hosted on a server in VLAN 100. The server's IP is reachable from the switch itself. What is the issue?
Explanation: The issue is that the guest captive portal server resides in VLAN 100, but the guest wireless subnet is likely in a different VLAN or subnet within the GUEST VRF. Since VRF-lite provides separate routing tables, inter-VLAN routing within the same VRF must be explicitly configured (e.g., using SVIs with 'ip routing' and proper VRF forwarding). The switch can reach the server because it is directly connected, but guest devices cannot because their traffic is not routed between the wireless subnet and the server's VLAN within the GUEST VRF.
A service provider uses MPLS L3VPN with multiple VRFs on a Cisco ASR 1000 PE router. One customer VRF (RED) has overlapping IP addresses with another VRF (BLUE). The engineer configures route-target import/export as 100:1 for RED and 200:2 for BLUE. Both VRFs have a static default route pointing to the CE. The PE receives VPNv4 routes from the route reflector for both VRFs. However, traffic from RED to its CE is working, but traffic from BLUE to its CE is intermittently failing. What is the most likely cause?
Explanation: The correct answer is A because if the BLUE VRF's interface is missing the 'ip vrf forwarding BLUE' command, the interface remains in the global routing table. This means traffic from the BLUE VRF will be forwarded using the global routing table instead of the VRF's routing table, causing intermittent failures when the global table does not have a route to the CE or when the CE's IP overlaps with another VRF's subnet. The static default route configured in the BLUE VRF would not be used, leading to connectivity issues.
A network engineer is troubleshooting a VRF-lite deployment on a Cisco Nexus 9000 switch. Two VRFs, PROD and DEV, are configured. The switch has an SVI for VLAN 10 in VRF PROD and VLAN 20 in VRF DEV. A firewall is connected to a Layer 3 port in VRF PROD for internet access. The engineer needs to allow the DEV VRF to reach the internet through the same firewall, but without using a separate physical interface. What should the engineer configure?
Explanation: Option A is correct because VRF-lite does not support direct route leaking between VRFs without an external mechanism. By configuring a static route in VRF DEV pointing to the firewall's IP address (which resides in VRF PROD) and using a route-map to leak the route, the engineer enables inter-VRF routing. This allows DEV traffic to reach the firewall's interface in PROD without requiring a separate physical interface, as the route-map controls which prefixes are shared between VRFs.
An engineer is configuring MPLS L3VPN on a Cisco IOS-XR router. The VRF CUSTOMER_B is configured with route-target import 100:1 and export 100:1. The engineer notices that the VRF routes are not being advertised to the route reflector. The BGP session to the route reflector is established and the VPNv4 address family is activated. What is the missing configuration?
Explanation: Option B is correct because in MPLS L3VPN on Cisco IOS-XR, simply configuring the VRF and establishing the BGP VPNv4 session is insufficient. The engineer must explicitly configure the address-family ipv4 unicast vrf CUSTOMER_B under BGP and use the redistribute command (e.g., redistribute connected or redistribute static) to inject the VRF routes into BGP for advertisement to the route reflector. Without this, the VRF routes remain in the local routing table but are never converted into VPNv4 prefixes.
+15 more VRF and Path Isolation questions available
Practice all VRF and Path Isolation questions1. Baseline your knowledge
Start with 10 questions to gauge your current understanding of VRF and Path Isolation. This tells you whether you need a concept refresher or just practice.
2. Review every explanation
For each question — right or wrong — read the full explanation. Understanding why an answer is correct is more valuable than knowing the answer itself.
3. Focus on exam traps
VRF and Path Isolation questions on the 350-401 frequently use trap wording. Look for subtle differences in answers that test your precision, not just general knowledge.
4. Reach 80% consistently
Do repeated sessions until you score 80%+ three times in a row. Then move to mixed-mode practice to test cross-topic recall under realistic conditions.
The exact number varies per candidate. VRF and Path Isolation is tested as part of the ENCOR 350-401 blueprint. Practicing with targeted VRF and Path Isolation questions ensures you can handle any format or difficulty that appears.
Yes. Courseiva provides free 350-401 practice questions across all exam topics and domains. The platform includes topic-based practice, mock exams, missed-question review, bookmarked questions, and readiness tracking — no account required.
Difficulty is subjective, but VRF and Path Isolation is a high-priority exam concept tested in multiple ways — direct recall, scenario analysis, and command-output interpretation. Consistent practice is the best way to build confidence.
Launch a full VRF and Path Isolation practice session with instant scoring and detailed explanations.
Start VRF and Path Isolation Practice →