Cisco · Free Practice Questions · Last reviewed May 2026
36real exam-style questions organised by domain, each with the correct answer highlighted and a plain-English explanation of why it's right — and why the others are wrong.
A service provider is designing a new MPLS L3VPN service. The customer requires that their VPN traffic be isolated from other customers and that the provider edge routers maintain separate routing tables for each VPN. Which architectural component is essential for this separation?
MPLS label stacking
VRF (Virtual Routing and Forwarding)
VRF creates separate routing tables per VPN instance, enabling isolation.
VLAN tagging on the customer-facing interfaces
BGP route reflectors
An operator notices that a new MPLS-TE tunnel is not being established. The tunnel configuration includes a dynamic path option and a bandwidth of 100 Mbps. The network uses RSVP-TE with CSPF. The link-state database shows sufficient reservable bandwidth on all links along the calculated path. What is the most likely cause of the tunnel establishment failure?
RSVP-TE is not enabled on the transit interfaces
RSVP-TE must be enabled on each interface along the path for signaling.
The path option is misconfigured with a strict explicit path
MPLS LDP is not enabled on the core routers
The tunnel source interface is not configured with an IP address
Which network architecture model separates the control plane and data plane in a way that allows for centralized control and distributed forwarding?
SDN architecture
SDN centralizes control while keeping forwarding distributed.
MPLS architecture
VPN architecture
QoS architecture
A service provider is troubleshooting a BGP route advertisement issue. Routes from a customer are not being advertised to the upstream provider. The PE router is configured with 'neighbor 10.0.0.1 route-map RMAP out'. The route-map RMAP permits the customer prefix. However, the BGP table on the PE shows the prefix as valid but not advertised. What is a likely cause?
The next-hop is not reachable from the upstream provider
If next-hop-self is not used, the next-hop might be a customer-facing interface not reachable upstream.
The BGP session to the upstream provider is flapping
The prefix is not in the global routing table
The route-map is applied inbound instead of outbound
In a carrier's network, MPLS-TE tunnels are used to steer traffic away from congested links. The operator configures a tunnel with a bandwidth of 200 Mbps and a dynamic path. The CSPF computation shows a path with sufficient bandwidth, but the tunnel fails to come up. The RSVP neighbor is established. What is the most likely cause?
The tunnel destination is not reachable via IGP
The path message is rejected due to resource reservation failure
RSVP-TE reserves bandwidth; if not available, tunnel fails.
The tunnel interface is down
MPLS LDP is not configured
A service provider wants to offer Layer 2 VPN services using MPLS. Which technology should be used to transport Ethernet frames across the MPLS core?
Pseudowire
Pseudowire provides point-to-point Layer 2 transport over MPLS.
LDP
VPLS
L3VPN
Want more Architecture practice?
Practice this domainA service provider is deploying MPLS L3VPN over an OSPF backbone. The PE routers are configured with OSPF as the IGP. The CE router of customer A is connected to two PEs for redundancy. Which configuration is required on the PE routers to ensure that the CE router can load-balance traffic across both PEs without loops?
Use OSPF sham-links between the two PEs.
Use the BGP cost community to adjust the path selection on the CE.
Configure OSPF with the capability vrf-lite and enable the down-bit on the PE-CE link.
The down-bit prevents the CE from re-advertising routes learned from one PE to the other PE, avoiding loops.
Disable the DN-bit on the PE-CE OSPF interface.
An ISP is designing an MPLS core network and needs to choose an IGP that supports fast convergence. Which IGP meets this requirement and is most commonly used in MPLS core networks?
IS-IS
IS-IS provides fast convergence and is the predominant IGP in service provider MPLS cores.
OSPFv3
EIGRP
RIPng
A network engineer is troubleshooting an MPLS L3VPN where the CE router is receiving the correct VPN prefixes from the PE, but traffic from the CE to those prefixes is being dropped. The PE has a default route pointing to the CE. What is the most likely cause?
The VRF on the PE is not configured with the correct route-target import.
The PE does not have a specific route for the destination in its global routing table.
Without a specific route, the PE may not push the correct MPLS label, causing the core to drop the packet.
The CE does not have a route back to the PE's loopback.
The PE-CE link MTU is smaller than the packet size.
A service provider is deploying segment routing in its MPLS core. Which label allocation method is used by segment routing to distribute prefix SIDs?
LDP
BGP
RSVP-TE
IGP (IS-IS or OSPF)
Segment routing encodes prefix SIDs in IGP updates.
An engineer is configuring an MPLS L3VPN and needs to ensure that the PE router installs VPNv4 routes from a remote PE into the VRF of a customer. The remote PE sends a VPNv4 route with route-target 100:1. Which configuration on the local PE causes the route to be imported into the VRF?
router bgp 100 address-family ipv4 vrf CUSTOMER route-target import 100:1
vrf definition CUSTOMER rd 100:1 route-target both 100:1 route-map IMPORT
vrf definition CUSTOMER rd 100:1 route-target import 100:1
This imports routes with RT 100:1 into the VRF.
vrf definition CUSTOMER rd 100:1 route-target export 100:1
Which TWO of the following are characteristics of MPLS-TE (Traffic Engineering)?
Uses explicit paths to route traffic away from shortest-path IGP.
MPLS-TE can specify explicit paths for traffic engineering.
Uses LDP for label distribution along the TE tunnel.
Allows bandwidth reservation and priority.
MPLS-TE supports bandwidth reservation and preemption.
Requires per-platform label space for TE tunnels.
Requires all routers in the TE tunnel to be in the same OSPF area.
Want more Networking practice?
Practice this domainAn engineer is troubleshooting an MPLS L3VPN where customers behind CE1 cannot reach a specific prefix behind CE2. The PE routers are using OSPF as the IGP and LDP for label distribution. On PE2, the prefix is present in the VRF routing table, but not in the VRF forwarding table. What is the most likely cause?
MTU mismatch is causing the VPN label to be dropped.
OSPF is not redistributing the BGP routes into the IGP on PE2.
The VRF is not properly configured on PE2's interface toward CE2.
The route is missing a label in the LFIB on PE2.
If the label is missing, the route cannot be installed in the VRF forwarding table.
A service provider is designing a new MPLS core network using Segment Routing with MPLS data plane. They require traffic engineering capabilities to optimize bandwidth utilization. Which technology should be used to compute optimal paths based on IGP link attributes and bandwidth constraints?
RSVP-TE with FRR
LDP over SR
SR-TE (Segment Routing Traffic Engineering)
SR-TE computes paths using segment lists and can enforce bandwidth constraints.
OSPF with MPLS-TE extensions
An engineer is deploying MPLS in the core and wants to ensure that all core routers use the same label for a specific prefix, regardless of which router originated it. Which MPLS label allocation mode should be used?
Per-interface label mode
Per-next-hop label mode
Per-prefix label mode
Per-prefix allocates one label per prefix, ensuring same label across all routers.
Per-VRF label mode
During an MPLS network migration from LDP to Segment Routing, an engineer notices that some routers are not advertising Prefix-SIDs for certain loopbacks. The IGP is OSPF. What configuration is required on these routers to advertise Prefix-SIDs?
Enable 'mpls ldp autoconfig' on the loopback interface.
Enable 'segment-routing mpls' globally and configure 'prefix-sid index' under the loopback interface.
Configure 'segment-routing mpls set-adjacency-sid' on the loopback.
Configure 'segment-routing mpls' globally and assign a SID index under the OSPF router process for the loopback.
This enables SR globally and assigns the Prefix-SID under OSPF.
A service provider is deploying a new MPLS core with Segment Routing and requires fast convergence upon link failure. They plan to use TI-LFA (Topology Independent Loop-Free Alternate). What is a prerequisite for TI-LFA to provide protection against any single link failure?
IGP must be a link-state protocol with complete topology information (OSPF or IS-IS).
TI-LFA uses the link-state database to compute backup paths.
BGP-LU must be enabled for label distribution.
LDP must be enabled on all interfaces.
RSVP-TE must be configured with FRR.
Which TWO statements about MPLS label switching are correct? (Choose two.)
The transit LSR performs label swapping.
Correct: Transit routers swap the incoming label with an outgoing label.
The CE receives a frame with an MPLS label.
The ingress LSR imposes a label on the packet.
Correct: Ingress does label imposition (push).
PHP (Penultimate Hop Popping) causes the egress router to pop the label.
The egress LSR performs label swapping before forwarding.
Want more MPLS and Segment Routing practice?
Practice this domainA service provider is implementing QoS on an MPLS network to support voice, video, and data traffic. Which queuing mechanism provides the lowest latency for real-time traffic?
FIFO
WRED
LLQ
LLQ provides a strict priority queue that ensures low latency and jitter for real-time traffic.
CBWFQ
An engineer is troubleshooting a QoS policy on a Cisco router. The policy is intended to mark voice traffic with DSCP EF and video traffic with DSCP AF41. After applying the policy, voice traffic is correctly marked, but video traffic is marked as DSCP 0. What is the most likely cause?
The class map for video traffic does not match the traffic correctly.
A misconfigured match statement would cause video traffic to fall into the default class, resulting in DSCP 0.
The video traffic is being policed and dropped.
The trust boundary is set to 'trust dscp' and the incoming video traffic is not marked.
The policy is not applied to the correct interface direction.
A service provider uses an MPLS-TE tunnel to carry voice and data traffic. The tunnel is experiencing packet loss during congestion. The engineer wants to ensure that voice traffic receives guaranteed bandwidth and low latency while data traffic uses remaining bandwidth. Which QoS configuration should be applied on the tunnel interface?
LLQ with a priority queue for voice and a default class for data
LLQ ensures low latency for voice, and the default class uses remaining bandwidth for data.
CBWFQ with bandwidth allocation for voice and data
Policing on voice traffic to limit its rate
Shaping on the tunnel to 75% of bandwidth with no queuing
An engineer is configuring MPLS VPN and needs to ensure that customer traffic is automatically marked with a specific QoS policy based on the VPN. Which method should be used to propagate QoS markings across the MPLS network?
Use 802.1p CoS on the CE-PE link and preserve it across the MPLS backbone
Use MPLS EXP bits to mark traffic at the ingress PE and map to QoS at egress
MPLS EXP bits are designed to carry QoS information across the MPLS network.
Use IP ToS bits to mark traffic and rely on MPLS to preserve them
Set DSCP at the ingress PE and preserve it across the MPLS backbone
A network administrator configures a class map to match VoIP traffic using 'match ip dscp ef' on a Cisco router. However, the QoS policy is not applying the expected marking to VoIP packets. What is a possible reason?
The policy is applied in the output direction instead of input.
The VoIP traffic is not marked with DSCP EF from the source.
If the source does not set DSCP EF, the match will fail and the traffic will not be classified.
The policy is applied to the wrong interface.
The class map uses the wrong match type.
Which TWO QoS mechanisms are used to provide congestion avoidance? (Choose two.)
Policing
RED
RED (Random Early Detection) is a congestion avoidance mechanism.
CBWFQ
LLQ
WRED
WRED (Weighted Random Early Detection) drops packets probabilistically to avoid congestion.
Want more Automation and Quality of Service practice?
Practice this domainA service provider is deploying MPLS Layer 3 VPN and needs to ensure that BGP next-hop resolution works correctly for VPNv4 prefixes learned from a route reflector. The PE routers are directly connected to the RR via iBGP, and there is an IGP running within the MPLS core. Which condition must be met for the PE to install the VPNv4 prefix into its routing table?
The next-hop must be reachable via the IGP with an MPLS label.
MPLS LSP must exist to the next-hop for label imposition.
The next-hop must be a directly connected interface.
The PE must have a VPN label for the next-hop.
The IGP must be IS-IS, not OSPF.
A service provider is designing a multicast solution for a Layer 3 VPN. They want to use MVPN with BGP signaling (draft-rosen). The PE routers are configured with VRF and multicast routing enabled. Which BGP address family must be enabled between PE routers to carry multicast routing information?
MCAST-VPN address family
The MCAST-VPN address family is used for MVPN signaling.
MVPN does not use BGP; it uses PIM.
VPNv4 address family
IPv4 multicast address family
A network engineer is troubleshooting an MPLS TE tunnel that is not coming up. The tunnel is configured with a strict explicit path, and the path includes an interface that is currently down. Which action should the engineer take to allow the tunnel to use an alternative path?
Increase the path-option preference value.
Disable path protection on the tunnel.
Change the explicit path to 'loose' for the down interface.
Loose hops allow the tunnel to traverse other interfaces.
Configure an affinity constraint to exclude the down interface.
Which TWO statements about BGP FlowSpec (RFC 8955) are correct?
FlowSpec can be deployed in BGP sessions between a route reflector and a client.
FlowSpec routes can be propagated via BGP within the service provider network.
FlowSpec uses a separate BGP session from the regular IPv4 unicast session.
FlowSpec is designed to replace ACLs on provider edge routers.
FlowSpec requires MPLS forwarding to operate.
FlowSpec uses the IPv4 unicast or VPNv4 address family.
FlowSpec uses SAFI 133 (IPv4) or 134 (VPNv4) under the IPv4 AFI.
Which THREE characteristics apply to the BGP-LS (BGP Link State) protocol?
It supports only IS-IS, not OSPF.
It uses a separate address family from VPNv4.
BGP-LS uses AFI 16388, SAFI 71.
It distributes link-state information from IGPs like OSPF and IS-IS.
BGP-LS collects topology from IGPs.
It uses BGP as the transport protocol.
BGP-LS is an address family within BGP.
It carries traffic-engineering parameters in the NLRI.
Refer to the exhibit. A service provider is applying this QoS policy on a PE-CE interface. The business customer complains that voice traffic (marked with DSCP EF) experiences drops during congestion. What is the likely cause?
The police rate under the REALTIME class is limiting voice traffic to 10% of bandwidth.
Policing drops traffic exceeding 10%.
The priority level is set too low; voice should be priority level 4.
The 'bandwidth remaining ratio' command under class-default is starving the priority queue.
The policy is applied in the output direction; it should be input.
Want more Services practice?
Practice this domainA service provider is implementing network automation using YANG data models. They need to ensure that the automation solution supports both configuration and operational state data retrieval. Which NETCONF operation should be used to retrieve operational state data?
<edit-config>
<get-config>
<get>
Retrieves both configuration and operational state data.
<lock>
Which tool is used to validate YANG data models against device capabilities and to generate Python bindings for automation scripts?
RESTCONF
pyang
Validates YANG models and can generate Python bindings.
Ansible
NETCONF
A network engineer is automating BGP configuration using the Cisco IOS-XE YANG model. They want to enable the 'always-compare-med' feature under BGP. Which XPath expression correctly targets this leaf?
/bgp/global/always-compare-med
/native/router/bgp/scope/global/always-compare-med
Correct path according to Cisco IOS-XE YANG model.
/native/router/bgp/always-compare-med
/router/bgp/global/always-compare-med
A service provider uses RESTCONF to automate interface configuration. They need to add a new IPv4 address to an existing interface. Which HTTP method and URI should be used?
DELETE /restconf/data/ietf-interfaces:interfaces/interface=GigabitEthernet0/1
PATCH /restconf/data/ietf-interfaces:interfaces/interface=GigabitEthernet0/1/ietf-ip:ipv4/address
PATCH merges the new address into the list.
POST /restconf/data/ietf-interfaces:interfaces/interface=GigabitEthernet0/1/ietf-ip:ipv4
PUT /restconf/data/ietf-interfaces:interfaces/interface=GigabitEthernet0/1/ietf-ip:ipv4/address
What is the primary benefit of using model-driven telemetry over traditional SNMP polling for network assurance?
Provides real-time data streaming without polling overhead
Push-based telemetry eliminates polling.
Reduces the need for YANG models
Increases security by using SSH
Simplifies device configuration
A network operator uses gRPC Network Management Interface (gNMI) to collect telemetry data from routers. They notice that some updates are missing. Which gNMI mode should be used to ensure that all state changes are captured?
ON_CHANGE
Sends updates only when a value changes, capturing all changes.
TARGET_DEFINED
POLL
SAMPLE
Want more Automation and Assurance practice?
Practice this domainThe 350-501 exam has 90 questions and must be completed in 120 minutes. Cisco passing scores vary by exam version and are not always publicly listed. Check the official Cisco exam page before booking.
CLI output interpretation, network topology analysis, routing behaviour, switching concepts, troubleshooting, and configuration questions.
The exam covers 6 domains: Architecture, Networking, MPLS and Segment Routing, Automation and Quality of Service, Services, Automation and Assurance. Questions are weighted by domain — higher-weight domains appear more on your actual exam.
No. These are original exam-style practice questions written against the official Cisco 350-501 exam objectives. They are not copied from the real exam. Courseiva focuses on genuine understanding, not memorisation of braindumps.
Courseiva tracks your accuracy per domain and routes you toward weak areas automatically. Free, no account required.