Practice 300-410 Device Access Control questions with full explanations on every answer.
Click any question to see the full explanation and answer options, or start a focused practice session above.
1. A network engineer is troubleshooting a site-to-site VPN between two Cisco routers. The tunnel is up, but traffic is not passing. On R1, the engineer issues the command 'show crypto map' and sees that the crypto map is applied to the outbound interface. What is the most likely cause of the traffic failure?
2. A network administrator is configuring AAA for device access on a Cisco router. After configuring the RADIUS server and AAA authentication login default group radius local, the engineer tests Telnet access and receives 'Access denied' even with correct credentials. The RADIUS server is reachable. What is the most likely cause?
3. An engineer configures a Cisco router for SSH access. The router has an IP address on interface GigabitEthernet0/0, and the engineer generates RSA keys using the command 'crypto key generate rsa modulus 2048'. However, SSH connections fail with 'Connection refused'. What is the most likely cause?
4. A network engineer is troubleshooting a Cisco router that is not responding to SNMP polls from a management station. The router has 'snmp-server community public RO' configured. The management station can ping the router. What is the most likely cause?
5. An engineer configures a Cisco router with 'aaa authentication login default local' and 'aaa authorization exec default local'. The engineer then attempts to log in via the console and is prompted for a username and password. The username 'admin' with password 'cisco' is configured locally. The login fails. What is the most likely cause?
6. A network engineer is troubleshooting a Cisco router that is configured for RADIUS authentication. The engineer issues 'debug radius authentication' and sees that the RADIUS server is not responding. The router can ping the RADIUS server. What is the most likely cause?
7. An engineer configures a Cisco router with 'ip http server' and 'ip http authentication local' for web-based management. The engineer creates a local username 'admin' with privilege level 15. However, when accessing the router via HTTP, the engineer is prompted for credentials but access is denied. What is the most likely cause?
8. A network engineer is troubleshooting a Cisco router that is configured for TACACS+ authentication. The engineer issues 'test aaa group tacacs+ admin cisco123 new-code' and receives 'FAILED'. The router can ping the TACACS+ server. What is the most likely cause?
9. An engineer configures a Cisco router with 'aaa authentication login default group radius local' and 'aaa authentication enable default group radius enable'. The engineer then attempts to enter enable mode and is prompted for a password. The RADIUS server is reachable, but the enable password is not accepted. What is the most likely cause?
10. A network engineer runs the following command on Router R1: R1# show ip eigrp neighbors EIGRP-IPv4 Neighbors for AS(100) H Address Interface Hold Uptime SRTT RTO Q Seq (sec) (ms) Cnt Num 0 10.1.1.2 Gi0/0 13 00:12:34 1 200 0 45 1 10.2.2.2 Gi0/1 12 00:11:20 2 200 0 67 2 10.3.3.2 Gi0/2 10 00:10:15 1 200 0 89 Based on this output, which statement is correct?
11. A network engineer runs the following command on Router R1: R1# show ip ospf neighbor Neighbor ID Pri State Dead Time Address Interface 192.168.1.2 1 FULL/DR 00:00:35 10.1.1.2 GigabitEthernet0/0 192.168.2.2 1 2WAY/DROTHER 00:00:32 10.2.2.2 GigabitEthernet0/1 192.168.3.2 1 FULL/BDR 00:00:38 10.3.3.2 GigabitEthernet0/2 Based on this output, what is a potential issue?
12. A network engineer runs the following command on Router R1: R1# show bgp ipv4 unicast summary BGP router identifier 192.168.1.1, local AS number 65001 BGP table version is 10, main routing table version 10 Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd 10.1.1.2 4 65002 1200 1200 10 0 0 01:00:00 5 10.2.2.2 4 65003 0 0 0 0 0 never Active Based on this output, what is the problem with the neighbor 10.2.2.2?
13. A network engineer runs the following command on Router R1: R1# show route-map TEST route-map TEST, permit, sequence 10 Match clauses: ip address (access-lists): 100 Set clauses: metric 50 Policy routing matches: 0 packets, 0 bytes route-map TEST, deny, sequence 20 Match clauses: ip address (access-lists): 101 Set clauses: Policy routing matches: 0 packets, 0 bytes Based on this output, which statement is correct?
14. A network engineer runs the following command on Router R1: R1# show mpls ldp neighbor Peer LDP Ident: 192.168.2.2:0, Local LDP Ident: 192.168.1.1:0 TCP connection: 10.1.1.2.646 - 10.1.1.1.646 State: Oper; Msgs sent/rcvd: 100/100; Downstream Up time: 00:45:00 LDP discovery sources: GigabitEthernet0/0, Src IP addr: 10.1.1.2 Addresses bound to peer LDP Ident: 10.1.1.2 192.168.2.2 Based on this output, what is the state of the LDP session?
15. A network engineer runs the following command on Router R1: R1# show dmvpn Interface: Tunnel0, IPv4 NHRP Details Type:Hub, NHRP Peers:2, # Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb ----- ----------------- --------------- ----- -------- ----- 1 10.0.0.2 10.1.1.2 UP 00:10:00 D 2 10.0.0.3 10.1.1.3 UP 00:05:00 D Based on this output, what is the role of Router R1 in the DMVPN network?
16. A network engineer runs the following command on Router R1: R1# show policy-map control-plane Control Plane Service-policy input: CoPP class-map: MANAGEMENT (match-all) 100 packets, 10000 bytes 5 minute offered rate 0 bps police: cir 8000 bps, bc 1500 bytes conformed 100 packets, 10000 bytes; actions: transmit exceeded 0 packets, 0 bytes; actions: drop conformed 0 bps, exceed 0 bps Based on this output, which statement is correct?
17. A network engineer runs the following command on Router R1: R1# show ip vrf CUSTOMER Name Default RD Interfaces CUSTOMER 65001:100 Gi0/0.100 Gi0/1.100 Based on this output, which statement is correct?
18. A network engineer runs the following command on Router R1: R1# show ip sla statistics IPSLAs Latest Operation Statistics IPSLA operation id: 1 Type of operation: icmp-echo Latest RTT: 20 milliseconds Latest operation start time: 12:00:00 UTC Mon Mar 1 2021 Latest operation return code: OK Number of successes: 100 Number of failures: 0 Based on this output, which statement is correct?
19. Examine the following partial configuration on a Cisco IOS-XE router: interface GigabitEthernet0/1 ip address 192.168.1.1 255.255.255.0 ip access-group MY_ACL in ! access-list 100 permit tcp any host 192.168.1.1 eq 22 access-list 100 deny ip any any ! line vty 0 4 transport input ssh login local ! username admin privilege 15 secret cisco What is the effect of this configuration?
20. Consider the following partial configuration on a Cisco router: ip access-list extended BLOCK_TELNET deny tcp any any eq 23 permit ip any any ! interface Serial0/0/0 ip access-group BLOCK_TELNET out ! line vty 0 4 transport input telnet password cisco login What is the effect of this configuration?
21. Examine the following partial configuration: username admin privilege 15 secret 5 $1$abcdefg$hashedvalue username operator privilege 1 password cisco ! line console 0 login local ! line vty 0 4 login local transport input ssh What is a potential security issue with this configuration?
22. Given the following partial configuration on a router: ip access-list standard FILTER_SNMP permit 192.168.1.0 0.0.0.255 deny any ! snmp-server community public RO FILTER_SNMP snmp-server location DataCenter snmp-server contact admin@example.com What is the effect of this configuration?
23. Examine the following partial configuration: ip access-list extended MGMT_ACCESS permit tcp 10.0.0.0 0.255.255.255 any eq 22 permit tcp 10.0.0.0 0.255.255.255 any eq 443 deny ip any any ! line vty 0 4 access-class MGMT_ACCESS in transport input ssh login local What is the effect of the 'access-class' command?
24. Consider the following partial configuration: ip access-list extended SECURE_ACCESS permit icmp any any echo permit icmp any any echo-reply permit tcp any host 192.168.1.1 eq 22 permit tcp any host 192.168.1.1 eq 443 deny ip any any ! interface GigabitEthernet0/0 ip access-group SECURE_ACCESS in ! interface GigabitEthernet0/1 ip access-group SECURE_ACCESS out What is a potential issue with this ACL placement?
25. What is the default OSPF dead interval on a broadcast multi-access network (e.g., Ethernet) when the hello interval is 10 seconds?
26. In EIGRP, which metric component is disabled by default and must be explicitly enabled using the 'metric weights' command?
27. Which of the following is true regarding the use of the 'transport input' command on a VTY line?
28. Which TWO commands would a network engineer use to verify the status of local authentication and authorization for device access control on a Cisco IOS router? (Choose TWO.)
29. Which TWO statements about configuring login enhancements for device access control on a Cisco IOS router are true? (Choose TWO.)
30. Which TWO configuration steps are required to enable TACACS+ authentication for device access control on a Cisco IOS router, assuming the TACACS+ server is already reachable? (Choose TWO.)
31. Which THREE symptoms indicate that a Cisco IOS router is experiencing issues with device access control due to misconfigured AAA local authentication? (Choose THREE.)
32. Which THREE commands are used to troubleshoot and verify device access control when using TACACS+ authentication on a Cisco IOS router? (Choose THREE.)
33. A large enterprise network is experiencing intermittent loss of reachability to a critical subnet 10.10.10.0/24 from remote sites. Router R1 has the following relevant configuration: interface GigabitEthernet0/0 ip address 192.168.1.1 255.255.255.0 ip summary-address eigrp 100 10.10.0.0 255.255.252.0. Router R2 shows: show ip route eigrp | include 10.10.10.0 outputs nothing, but show ip eigrp topology all-links shows 10.10.10.0/24 via 192.168.1.1 with a feasible distance of 1280. What is the root cause?
34. A network engineer is troubleshooting a redistribution issue between OSPF and EIGRP. Router R1 redistributes OSPF into EIGRP, and Router R2 redistributes EIGRP into OSPF. After configuration, some routes are missing, and routing loops occur. R1 has: router eigrp 100 redistribute ospf 1 metric 10000 100 255 1 1500 route-map OSPF-to-EIGRP. R2 has: router ospf 1 redistribute eigrp 100 subnets route-map EIGRP-to-OSPF. Show ip route on R1 shows an OSPF route 172.16.1.0/24 learned via R2, but also an EIGRP route for the same prefix with a better administrative distance. What is the root cause?
35. A BGP-speaking router R1 is experiencing unexpected path selection for prefix 10.0.0.0/8. R1 receives two BGP updates: one from neighbor 192.168.1.2 with local preference 150, AS path 65001 65002, and MED 50; another from neighbor 192.168.2.2 with local preference 100, AS path 65001, and MED 100. R1's BGP configuration includes: bgp always-compare-med. The show ip bgp 10.0.0.0/8 output shows the path via 192.168.1.2 as best, but the network team expects the path via 192.168.2.2 to be best due to shorter AS path. What is the root cause?
36. Two OSPF routers R1 and R2 are connected via a GigabitEthernet link in area 0. R1 has interface GigabitEthernet0/0 ip ospf network point-to-point, while R2 has the default OSPF network type broadcast. R1's show ip ospf neighbor shows R2 in FULL state, but R2's show ip ospf neighbor shows R1 in FULL state. However, routes from R1 are not appearing in R2's routing table. Show ip ospf database on R2 shows the router LSA from R1 but not the network LSA. What is the root cause?
37. An EIGRP network with multiple routers is experiencing frequent stuck-in-active (SIA) events for prefix 10.10.10.0/24. The network topology includes a slow WAN link between R1 and R2. R1's show ip eigrp topology 10.10.10.0/24 shows the route in active state with a query outstanding to R2. R2's show ip eigrp topology shows the same prefix in passive state. The EIGRP timers are default. What is the root cause?
38. A DMVPN network with NHRP is configured for spoke-to-spoke tunnels. Spoke routers R1 and R2 are both connected to a hub router H1. Spoke-to-spoke traffic is not working. R1's show dmvpn shows a dynamic NHRP mapping for R2's tunnel IP to R2's physical IP, but ping from R1's tunnel IP to R2's tunnel IP fails. R1's show ip nhrp shows the mapping as 'dynamic' with no flags. The hub has no special configuration. What is the root cause?
39. An MPLS network is experiencing label distribution failures. Router R1 is an LSR connected to R2. R1's show mpls ldp neighbor shows R2 in OPERATIONAL state, but show mpls ldp bindings shows no label bindings for prefixes learned via OSPF from R2. R1's mpls ldp router-id is 1.1.1.1, and R2's is 2.2.2.2. The OSPF process on R1 advertises the loopback0 interface with ip address 1.1.1.1 255.255.255.255, and R2's loopback0 is 2.2.2.2. The link between them is 192.168.1.0/30. What is the root cause?
40. A network administrator notices that SSH access to router R1 from a management station 10.10.10.10 is failing intermittently. R1 has the following configuration: access-list 100 permit tcp 10.10.10.0 0.0.0.255 host 192.168.1.1 eq 22, line vty 0 4 access-class 100 in, and control-plane host control-plane security copp policy-map COPP class MANAGEMENT police cir 8000 bc 1500 conform-action transmit exceed-action drop. The management station is on a different subnet than the management interface. The failure occurs during peak hours. What is the root cause?
41. A VRF-aware network has two VRFs: VRF A and VRF B. Router R1 is configured with VRF A and VRF B, and route leaking is configured between them using route-replicate. Routes from VRF A are appearing in VRF B, but traffic from VRF B to destinations in VRF A is failing. R1's configuration: ip route vrf A 10.10.10.0 255.255.255.0 192.168.1.1, and route-replicate from VRF A to VRF B. Show ip route vrf B shows the route 10.10.10.0/24 with next-hop 192.168.1.1. However, ping from a device in VRF B to 10.10.10.1 fails. What is the root cause?
42. A network engineer runs the following command to troubleshoot a Device Access Control issue: R1# debug ip ospf adj OSPF: 2 Way: DBD with 10.1.1.2 on GigabitEthernet0/0 OSPF: Send DBD to 10.1.1.2 seq 0x1C opt 0x52 flag 0x7 len 32 OSPF: Rcv DBD from 10.1.1.2 seq 0x1C opt 0x52 flag 0x2 len 132 mtu 1500 OSPF: Nbr 10.1.1.2 is FULL, state changed from LOADING to FULL What does this output indicate?
43. A network engineer runs the following command to troubleshoot a Device Access Control issue: R1# debug ip bgp updates BGP(0): 10.1.1.2 rcv UPDATE w/ attr: nexthop 10.1.1.2, origin i, metric 0, path 65002 BGP(0): 10.1.1.2 rcv UPDATE about 192.168.1.0/24 -- DENIED due to: community no-export; What does this output indicate?
44. A network engineer runs the following command to troubleshoot a Device Access Control issue: R1# show ip eigrp topology 10.10.10.0/24 all-links P 10.10.10.0/24, 1 successors, FD is 1310720 via 10.1.1.2 (1310720/1310720), GigabitEthernet0/0 via 10.1.2.2 (1310720/1310720), GigabitEthernet0/1 What does this output indicate?
45. A network engineer runs the following command to troubleshoot a Device Access Control issue: R1# show ip ospf database router 10.1.1.2 OSPF Router with ID (10.1.1.1) (Process ID 1) Router Link States (Area 0) LS age: 150 Options: (No TOS-capability, DC) LS Type: Router Links Link State ID: 10.1.1.2 Advertising Router: 10.1.1.2 LS Seq Number: 80000002 Checksum: 0x1234 Length: 48 Number of Links: 2 Link connected to: a Transit Network (Link ID) Designated Router address: 10.1.1.2 (Link Data) Router Interface address: 10.1.1.2 Number of TOS metrics: 0 TOS 0 Metrics: 10 Link connected to: a Stub Network (Link ID) Network/subnet number: 192.168.1.0 (Link Data) Network Mask: 255.255.255.0 Number of TOS metrics: 0 TOS 0 Metrics: 10 What does this output indicate?
46. A network engineer runs the following command to troubleshoot a Device Access Control issue: R1# show mpls ldp bindings 10.10.10.0 24 lib entry: 10.10.10.0/24, rev 2 local binding: label: 101 remote binding: lsr: 10.1.1.2:0, label: 102 remote binding: lsr: 10.1.2.2:0, label: 103 What does this output indicate?
47. A network engineer runs the following command to troubleshoot a Device Access Control issue: R1# debug nhrp NHRP: Receive Resolution Request via Tunnel0 10.1.1.2, target 192.168.1.1 NHRP: Send Resolution Reply via Tunnel0 to 10.1.1.2, target 192.168.1.1 What does this output indicate?
48. A network engineer runs the following command to troubleshoot a Device Access Control issue: R1# show crypto isakmp sa detail Codes: C - IKE configuration mode, D - Dead Peer Detection I - IKE Initiatior, R - IKE Responder C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap. 1001 10.1.1.1 10.1.1.2 ACTIVE aes sha md5 2 86400 D What does this output indicate?
49. A network engineer runs the following command to troubleshoot a Device Access Control issue: R1# show policy-map control-plane input class class-default Class-map: class-default (match-any) 140225 packets, 12345678 bytes 5 minute offered rate 1000 bps, drop rate 0 bps Match: any police: cir 1000000 bps, bc 31250 bytes conformed 140225 packets, 12345678 bytes; actions: transmit exceeded 0 packets, 0 bytes; actions: drop violated 0 packets, 0 bytes; actions: drop What does this output indicate?
50. A network engineer runs the following command to troubleshoot a Device Access Control issue: R1# show ip bgp vpnv4 vrf CUSTOMER-A 10.10.10.0/24 BGP routing table entry for 10.10.10.0/24, version 2 Paths: (1 available, best #1, table CUSTOMER-A) Not advertised to any peer Refresh Epoch 1 Local 10.1.1.2 from 10.1.1.2 (10.1.1.2) Origin IGP, metric 0, localpref 100, valid, internal, best Extended Community: RT:100:100 mpls labels in/out nolabel/101 What does this output indicate?
51. What is the default dead interval on a Cisco IOS-XE router for OSPF on a broadcast network type?
52. Which EIGRP packet type is used to acknowledge receipt of a reliable packet?
53. What is the default administrative distance for OSPF routes in Cisco IOS?
54. Which statement accurately describes the default behavior of auto-summary in EIGRP on Cisco IOS-XE?
55. What is the maximum hop count for a route in RIP?
56. Which OSPF LSA type is used to advertise external routes and is flooded throughout the entire OSPF domain?
57. In BGP, what is the default value of the keepalive timer?
58. Which statement correctly describes the behavior of OSPF network type 'point-to-multipoint' regarding neighbor discovery?
59. What is the default OSPF metric for a route redistributed from another routing protocol into OSPF?
60. Drag and drop the steps to configure SSH access with local AAA on a Cisco router into the correct order, from first to last.
61. Drag and drop the steps to troubleshoot Device Access Control adjacency or connectivity failures into the correct order, from first to last.
62. Drag and drop the steps to verify and validate Device Access Control operational state into the correct order, from first to last.
63. Which TWO statements about AAA authentication on Cisco IOS-XE are true? (Choose TWO.)
64. Which TWO configuration changes are required to enforce role-based access control (RBAC) using Cisco IOS privilege levels and AAA? (Choose TWO.)
65. Which TWO statements about TACACS+ and RADIUS are true? (Choose TWO.)
66. Which TWO commands can be used to verify the configured AAA authentication method lists on a Cisco IOS-XE device? (Choose TWO.)
67. Which TWO actions will prevent unauthorized access to a Cisco IOS-XE device's console port? (Choose TWO.)
68. An engineer configures OSPF on a link between two routers with MTU 1500 on one side and MTU 1400 on the other. The adjacency forms but is stuck in EXSTART. Which is the most likely explanation?
69. An engineer configures EIGRP named mode on a router. After making a change to the metric weights, the router becomes stuck-in-active (SIA) for a route. Why does this happen in named mode but not in classic mode?
70. An engineer configures iBGP between two routers in the same AS. The BGP session comes up, but the routes learned from the eBGP neighbor are not installed in the routing table. The IGP does not carry the BGP next-hop address. Which is the most likely explanation?
71. An engineer configures mutual redistribution between OSPF and EIGRP. After a few minutes, routing loops occur. The engineer did not use route tagging. Which is the most likely explanation?
72. An engineer configures DMVPN Phase 2 with spoke-to-spoke tunnels. Spokes can ping each other's physical interfaces, but cannot establish a direct tunnel. NHRP registration is successful. Which is the most likely explanation?
73. An engineer configures an IPsec site-to-site VPN. The tunnel comes up, but no traffic passes. The engineer checks the crypto map and access-lists. Which is the most likely explanation?
74. An engineer configures Control Plane Policing (CoPP) on a router. After applying the policy, OSPF neighbors go down. The engineer checks the policy and sees that OSPF packets are not explicitly matched. Which is the most likely explanation?
75. An engineer configures uRPF strict mode on an interface. After configuration, legitimate traffic from a directly connected network is dropped. The network is connected via a single link, and there is no asymmetric routing. Which is the most likely explanation?
76. An engineer configures a route-map to filter OSPF routes using a distribute-list. The distribute-list is applied inbound on an OSPF interface. Unexpectedly, the router still installs the filtered routes. Which is the most likely explanation?
The Device Access Control domain covers the key concepts tested in this area of the 300-410 exam blueprint published by Cisco. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all 300-410 domains — no account required.
The Courseiva 300-410 question bank contains 76 questions in the Device Access Control domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Device Access Control domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.