Cisco · Free Practice Questions · Last reviewed May 2026
174real exam-style questions organised by domain, each with the correct answer highlighted and a plain-English explanation of why it's right — and why the others are wrong.
A network engineer is troubleshooting an EIGRP adjacency issue between two directly connected routers, R1 and R2. Both routers are configured with the same autonomous system number, but the adjacency fails to come up. The engineer checks the interfaces and verifies that they are up/up. On R1, the output of 'show ip eigrp neighbors' shows nothing. What is the most likely cause of this problem?
The interfaces are configured with IP addresses from different subnets.
Correct because EIGRP will not form an adjacency if the interfaces are not in the same subnet, as the hello packets will be dropped.
The EIGRP process is shut down on one of the routers.
The passive-interface default command is configured under the EIGRP process.
The EIGRP router ID is the same on both routers.
A network engineer is troubleshooting a routing issue in an EIGRP network. Router R1 is not learning a specific route from its neighbor R2, even though R2 has the route in its routing table. The engineer checks the EIGRP topology table on R1 and does not see the route. The output of 'show ip eigrp neighbors' shows that R1 and R2 are adjacent. What should the engineer check next?
Check if a distribute-list in or out is applied under the EIGRP process on R1.
Correct because a distribute-list can filter incoming or outgoing routes, preventing them from being added to the topology table.
Check if the route is being summarized on R2.
Check if the EIGRP metric for the route is too high.
Check if the route is a connected route on R2.
An engineer is troubleshooting an EIGRP convergence issue. After a link failure, the network takes an unusually long time to converge. The engineer notices that the EIGRP hello and hold timers are set to the default values. The network has many routers in a hub-and-spoke topology. What is the most likely cause of the slow convergence?
The hub router has too many EIGRP neighbors, causing CPU overload and dropped hello packets.
Correct because a high number of neighbors can overwhelm the hub, leading to missed hello packets and adjacency resets, which prolongs convergence.
The EIGRP stub feature is not enabled on the spoke routers.
The EIGRP variance command is configured, causing unequal-cost load balancing.
The EIGRP router ID is not configured, so it defaults to the highest loopback IP.
A network engineer is troubleshooting an EIGRP issue where a route is flapping in and out of the routing table. The engineer checks the logs and sees messages indicating that the route is being learned from two different neighbors, but the metric keeps changing. The route is a summary route. What is the most likely cause of the flapping?
The summary route is being advertised by multiple routers with different metrics.
Correct because if the summary route is originated by multiple routers, the metric may vary, causing the router to flap between the best paths.
The EIGRP stub feature is configured on one of the neighbors.
The passive-interface command is applied to the interface receiving the summary route.
The EIGRP router ID is the same on both neighbors.
An engineer is troubleshooting an EIGRP issue where a router is not learning any routes from a neighbor, but the neighbor adjacency is up. The engineer checks the EIGRP topology table on the local router and sees that the neighbor is listed, but no routes from that neighbor are present. The engineer also verifies that the neighbor has routes to advertise. What is the most likely cause?
The neighbor is configured as an EIGRP stub router.
Correct because a stub router only advertises connected and summary routes by default, so if the neighbor has other routes, they will not be advertised.
The local router has a distribute-list out applied to the neighbor.
The EIGRP metric weights are different on the two routers.
The local router has a route-map applied to the EIGRP process that is filtering all routes.
A network engineer is troubleshooting an EIGRP issue where a router is not installing a route in the routing table, even though the route is present in the EIGRP topology table. The route is a feasible successor, but it is not being used. What is the most likely reason for this?
The feasible successor has a higher metric than the current successor.
Correct because EIGRP installs only the route with the lowest metric (successor) into the routing table; feasible successors are kept as backup routes.
The route is a summary route that is being suppressed.
The route is being filtered by a distribute-list in.
The EIGRP variance command is set to 1, preventing unequal-cost load balancing.
Want more EIGRP Troubleshooting practice?
Practice this domainA network engineer is troubleshooting an OSPFv2 adjacency issue between two directly connected routers, R1 and R2, both running IOS-XE. The link is a point-to-point Ethernet link. The engineer issues 'show ip ospf neighbor' on R1 and sees no neighbors. 'show ip ospf interface GigabitEthernet0/0' on R1 shows 'Network Type BROADCAST', but the link is actually a point-to-point link. Both routers have 'ip ospf 1 area 0' configured on the interface. What is the most likely cause of the adjacency not forming?
The OSPF network type mismatch between the two routers (one is BROADCAST, the other is POINT-TO-POINT).
The routers have duplicate OSPF router IDs.
Duplicate router IDs prevent OSPF adjacency from forming; each router must have a unique router ID.
The interface is configured with 'ip ospf passive-interface'.
The OSPF process is not enabled globally; 'router ospf 1' is missing.
A network engineer is troubleshooting OSPFv3 on a dual-stack network. Routers R1 and R2 are connected via a serial link. Both routers have OSPFv3 configured for IPv6. The engineer runs 'show ipv6 ospf neighbor' on R1 and sees R2 as FULL/DR. However, R1 cannot ping the IPv6 address of R2's loopback interface. 'show ipv6 route ospf' on R1 does not show any OSPF routes. What is the most likely cause?
The OSPFv3 process has 'no ipv6 unicast-routing' enabled globally.
The interface on R2 is configured as passive under OSPFv3.
The interface on R1 does not have an IPv6 address configured.
OSPFv3 requires an IPv6 address on the interface to advertise the connected prefix; without it, the router cannot originate a route for that link, and other routes may not be learned if the neighbor also lacks IPv6 addressing.
The OSPFv3 process is configured with 'default-information originate always' but no default route exists.
A network engineer is troubleshooting OSPFv2 route redistribution. R1 is an ASBR redistributing static routes into OSPF. R2, an internal router, receives the redistributed routes but they appear as O E2 routes. However, R1 also has a directly connected network 10.1.1.0/24 that is not being advertised as an OSPF route. 'show ip ospf database external' on R2 shows the redistributed static routes but not the connected network. What is the most likely cause?
The connected network is not included in the redistribution because the engineer used 'redistribute static' without the 'subnets' keyword.
The connected network is not being advertised because it is not part of the OSPF process; the engineer must configure 'network 10.1.1.0 0.0.0.255 area 0' under router ospf.
The ASBR is missing the 'redistribute connected' command under the OSPF process.
Without 'redistribute connected', the directly connected network is not advertised into OSPF, even if the interface is enabled for OSPF (which it may not be).
The connected network is a loopback interface, and OSPF does not advertise loopback networks by default.
A network engineer is troubleshooting an OSPFv2 adjacency issue between two routers across a Frame Relay network. R1 and R2 are connected via a point-to-point subinterface. The engineer configures 'ip ospf network point-to-point' on both subinterfaces. However, the adjacency does not form. 'show ip ospf interface' on R1 shows the interface is up and OSPF is enabled, but no neighbors are seen. What is the most likely cause?
The OSPF network type is set to broadcast, causing a DR/BDR election that fails on a point-to-point subinterface.
The subinterface is not configured with an IP address.
The Frame Relay map is missing or the DLCI is not assigned to the subinterface.
Without a proper DLCI mapping, the router cannot send Layer 2 frames to the neighbor, preventing OSPF hello packets from being exchanged.
The OSPF hello and dead timers are mismatched between R1 and R2.
A network engineer is troubleshooting an OSPFv3 issue where a router R1 is not learning routes from a neighbor R2. The adjacency is FULL, but 'show ipv6 route ospf' on R1 shows only a default route. R2 is an ASBR redistributing connected routes into OSPFv3. 'show ipv6 ospf database external' on R1 shows the external routes, but they are not installed in the routing table. What is the most likely cause?
The router R1 has a distribute-list in the OSPFv3 process that filters out the external routes.
A distribute-list can filter routes from being installed in the routing table even if they are in the LSDB.
The external routes have a metric of 16777214, which is considered infinite.
The router R1 does not have IPv6 unicast routing enabled.
The external routes are type 5 LSAs but the router is in a totally stubby area.
A network engineer is troubleshooting an OSPFv2 route flapping issue. The router R1 is learning a route to 192.168.1.0/24 via two different paths: one through R2 and one through R3. The route is flapping between the two paths every few seconds. 'show ip ospf interface' shows that both interfaces are stable. What is the most likely cause?
The routers R2 and R3 have the same OSPF router ID.
Duplicate router IDs can cause OSPF to see the same route from two different neighbors as different, leading to route flapping.
The route is being redistributed by both R2 and R3 with different metrics.
The OSPF network type on the interfaces is set to broadcast, causing DR/BDR instability.
The link between R1 and R2 has a high error rate causing intermittent packet loss.
Want more OSPF Troubleshooting (v2/v3) practice?
Practice this domainA network engineer is troubleshooting a BGP peering issue between two directly connected routers, R1 and R2. R1 is configured with 'neighbor 10.1.1.2 remote-as 65002' and 'neighbor 10.1.1.2 update-source Loopback0', while R2 uses 'neighbor 10.1.1.1 remote-as 65001' and 'neighbor 10.1.1.1 update-source Loopback0'. The loopback interfaces are not advertised into any IGP, and there is no static route for the loopback addresses. The BGP session remains in Idle state. What is the most likely cause?
The BGP session is stuck in Idle because the neighbor statements reference loopback interfaces that are not reachable.
Correct because BGP uses the update-source address for peering; without reachability, TCP cannot establish.
The BGP session is stuck in Idle because the remote-as values are mismatched.
The BGP session is stuck in Idle because the update-source command is not allowed on directly connected interfaces.
The BGP session is stuck in Idle because the neighbor statements must use the directly connected interface IP addresses.
An engineer is troubleshooting a missing BGP route on R3. R3 has an eBGP session with R4 (AS 65004) and an iBGP session with R1 (AS 65003). R4 advertises a prefix 192.168.1.0/24 to R3, and R3's BGP table shows the route with next-hop 10.1.4.4. However, R3 does not install this route in its routing table. The output of 'show ip bgp 192.168.1.0/24' on R3 shows the route as valid but not best. What is the most likely cause?
The route is not installed because the next-hop 10.1.4.4 is not reachable via any routing table entry.
Correct because BGP requires the next-hop to be reachable; otherwise, the route is not considered best.
The route is not installed because BGP synchronization is enabled and the IGP does not have the route.
The route is not installed because the prefix length is too long for the routing table.
The route is not installed because R3 has a higher administrative distance for eBGP routes.
A network engineer is troubleshooting a BGP route advertisement issue. Router R1 in AS 65001 is configured to redistribute connected routes into BGP. The route 10.10.10.0/24 is learned via BGP on R2 (AS 65002), but R2's iBGP neighbor R3 (AS 65002) does not receive this route. R2 and R3 have a full iBGP mesh, and the BGP session is established. The output of 'show ip bgp' on R2 shows the route with the 'r' flag (RIB-failure). What is the most likely cause?
The route is marked as RIB-failure because a route with a lower administrative distance already exists in the routing table for the same prefix.
Correct because RIB-failure occurs when another routing source (e.g., OSPF, EIGRP, static) has a better route, preventing BGP from installing its route.
The route is marked as RIB-failure because the next-hop is unreachable.
The route is marked as RIB-failure because BGP synchronization is enabled and the IGP does not have the route.
The route is marked as RIB-failure because the prefix is being filtered by an outbound route map.
An engineer is troubleshooting a BGP peering problem between two routers, R1 (AS 65001) and R2 (AS 65002), connected via a firewall. The BGP session is flapping every few seconds. The engineer notices that the TCP connection is established, but BGP OPEN messages are not exchanged. The firewall logs show that TCP port 179 is allowed, but packets with the BGP marker (0xFFFFFFFF) are being dropped. What is the most likely cause?
The firewall is dropping BGP packets because the BGP marker (0xFFFFFFFF) is being flagged as a potential attack or malformed packet.
Correct because some security devices inspect BGP messages and may drop packets with the all-ones marker, especially if they are not configured to allow BGP properly.
The BGP session is flapping because the keepalive timer is set too low on both routers.
The BGP session is flapping because the routers have mismatched BGP AS numbers.
The BGP session is flapping because the firewall is performing TCP sequence number randomization, breaking the BGP session.
A network engineer is troubleshooting missing BGP routes on R3. R1 (AS 65001) is an eBGP peer of R2 (AS 65002), and R2 is an iBGP peer of R3 (AS 65002). R1 advertises the prefix 172.16.1.0/24 to R2. On R2, 'show ip bgp' shows the prefix with next-hop 10.1.1.1 (R1's interface). R3's BGP table does not contain this prefix. R2 and R3 are not route reflectors, and there are no other iBGP peers. What is the most likely cause?
R2 does not have the 'neighbor 10.1.1.3 activate' command under the BGP configuration for the iBGP session.
Correct because without the activate command, BGP will not advertise any prefixes to the neighbor, even if the session is up.
R2 is not advertising the route because the next-hop 10.1.1.1 is not reachable from R3.
R2 is not advertising the route because BGP synchronization is enabled and the IGP does not have the route.
R2 is not advertising the route because the prefix is being filtered by an inbound route-map on R3.
An engineer is troubleshooting a BGP route selection issue. Router R1 receives two paths for prefix 10.0.0.0/8: one from eBGP peer R2 (AS 65002) with weight 0, local preference 100, and AS path 65002; and another from eBGP peer R3 (AS 65003) with weight 0, local preference 200, and AS path 65003 65004. R1's BGP table shows the path from R3 as the best route. The engineer wants the path from R2 to be preferred. What should the engineer do?
Configure a route-map on R1 to set local preference 150 for routes from R2.
Correct because local preference is compared before AS path length; setting a higher local preference for R2's route will make it preferred over R3's route with local preference 200? Wait, 150 is less than 200, so R3 would still be preferred. Actually, to beat 200, you need >200. So this option is incorrect as stated. Let me adjust: The correct fix is to set local preference higher than 200, e.g., 250. But the option says 150, which is wrong. I need to fix this. Let me rework the question.
Configure a route-map on R1 to set local preference 250 for routes from R2.
Correct because setting local preference higher than 200 will make the R2 path preferred over the R3 path.
Configure a route-map on R1 to prepend two additional AS numbers to the AS path from R3.
Configure a route-map on R1 to set weight 100 for routes from R2.
Want more BGP Troubleshooting practice?
Practice this domainA network engineer is troubleshooting a route redistribution issue between OSPF and EIGRP. Routers R1 (OSPF) and R2 (EIGRP) are redistributing routes into each other. The engineer notices that some OSPF external routes are not appearing in the EIGRP topology table on R2, although the redistribution is configured. The show ip eigrp topology command on R2 does not list the missing prefixes. What is the most likely cause?
The redistribute ospf command under EIGRP is missing the match internal keyword.
The redistribute ospf command under EIGRP is missing the match external keyword.
Correct: Without match external, OSPF external routes are not redistributed into EIGRP.
The OSPF process on R1 has a route filter blocking external routes.
EIGRP has a lower administrative distance than OSPF, causing route suppression.
A network engineer is troubleshooting a route redistribution issue between EIGRP and OSPF. Routers R1 (EIGRP) and R2 (OSPF) are redistributing routes. The engineer notices that some EIGRP external routes (redistributed into EIGRP from another protocol) are not appearing in the OSPF database on R2. The show ip ospf database external command on R2 does not list these prefixes. What is the most likely cause?
The redistribute eigrp command under OSPF is missing the subnets keyword.
The redistribute eigrp command under OSPF is missing the match external keyword.
Correct: Without match external, EIGRP external routes are not redistributed into OSPF.
EIGRP has a higher administrative distance than OSPF, causing route suppression.
The OSPF process on R2 has a distribute-list blocking these routes.
A network engineer is troubleshooting a route redistribution issue between two OSPF processes. Router R1 runs OSPF process 1 and OSPF process 2, and redistributes routes between them. The engineer notices that routes from OSPF process 1 are not appearing in the OSPF database of process 2, even though the redistribute command is configured. The show ip ospf database command on R1 for process 2 shows no external routes. What is the most likely cause?
The redistribute ospf 1 command under OSPF process 2 is missing the subnets keyword.
Correct: Without subnets, only classful networks are redistributed, causing many missing routes.
OSPF process 1 has a higher administrative distance than OSPF process 2.
The redistribute ospf 1 command under OSPF process 2 is missing the match internal keyword.
OSPF process 2 has a route map applied that is filtering all routes.
A network engineer is troubleshooting a route redistribution issue between RIP and OSPF. Router R1 runs both RIP and OSPF, and redistributes RIP routes into OSPF. The engineer notices that RIP routes are not appearing in the OSPF database on neighboring routers. The show ip ospf database external command on a neighbor shows no external routes from R1. The redistribute rip command is configured under OSPF on R1. What is the most likely cause?
The redistribute rip command under OSPF is missing the subnets keyword.
Correct: Without subnets, only classful networks are redistributed, causing missing routes.
RIP has a higher administrative distance than OSPF.
The OSPF process on R1 has a distribute-list blocking these routes.
The RIP process on R1 is not running.
A network engineer is troubleshooting a route redistribution issue between EIGRP and BGP. Router R1 runs both EIGRP and BGP, and redistributes EIGRP routes into BGP. The engineer notices that some EIGRP routes are not appearing in the BGP table on R1. The show ip bgp command does not list these prefixes. The redistribute eigrp command is configured under BGP. What is the most likely cause?
The redistribute eigrp command under BGP is missing the subnets keyword.
The EIGRP routes are not present in the IP routing table on R1.
Correct: BGP only redistributes routes that are in the routing table; if they are missing, redistribution fails.
BGP has a higher administrative distance than EIGRP.
The EIGRP process on R1 has a route filter blocking these routes.
A network engineer is troubleshooting a route redistribution issue between OSPF and BGP. Router R1 runs both OSPF and BGP, and redistributes OSPF routes into BGP. The engineer notices that OSPF external routes are not appearing in the BGP table on R1. The show ip bgp command does not list these prefixes. The redistribute ospf 1 match external command is configured under BGP. What is the most likely cause?
The redistribute ospf 1 match external command under BGP is missing the subnets keyword.
Correct: Without subnets, only classful networks are redistributed, causing missing routes.
OSPF has a higher administrative distance than BGP.
The OSPF process on R1 has a distribute-list blocking these routes.
BGP requires the network command to advertise routes, not redistribution.
Want more Route Redistribution practice?
Practice this domainA network engineer is troubleshooting a PBR configuration on a Cisco router. The engineer has configured a route map named 'PBR-MAP' with a match statement matching traffic from source IP 10.1.1.0/24 and a set statement to forward the traffic to next-hop 192.168.1.2. The engineer applies the route map to the incoming interface GigabitEthernet0/0 using 'ip policy route-map PBR-MAP'. However, traffic from 10.1.1.0/24 is still being forwarded using the routing table instead of the PBR next-hop. What is the most likely cause?
The route map is applied to the outgoing interface instead of the incoming interface.
Correct because PBR must be applied to the incoming interface to intercept traffic before routing decision.
The 'set ip next-hop' command requires the 'verify-availability' keyword to activate PBR.
The route map sequence number is missing; PBR requires sequence numbers to be explicitly defined.
The 'ip policy route-map' command must be applied globally under 'ip route-cache policy'.
A network engineer is troubleshooting PBR on a Cisco router where traffic from VLAN 100 (192.168.10.0/24) should be forwarded to next-hop 10.10.10.2 via a route map named 'VLAN100-PBR'. The engineer has applied the route map to interface GigabitEthernet0/0.100 (subinterface) using 'ip policy route-map VLAN100-PBR'. The engineer verifies that the route map is correctly configured with 'match ip address 100' and 'set ip next-hop 10.10.10.2', and the access list 100 matches the source subnet. However, traffic from VLAN 100 is still forwarded using the routing table. What is the most likely cause?
The traffic is arriving on the physical interface GigabitEthernet0/0 instead of the subinterface GigabitEthernet0/0.100.
Correct because PBR is applied per-interface; traffic must ingress the subinterface where the policy is configured.
The access list 100 is missing the 'permit' keyword; PBR only processes permit statements.
The 'set ip next-hop' command must be followed by 'force' to override the routing table.
The route map must be applied to the VLAN interface (SVI) instead of the subinterface.
A network engineer is troubleshooting PBR on a Cisco router where traffic from source 10.1.2.0/24 should be forwarded to next-hop 192.168.1.2. The route map 'PBR-TEST' is configured with 'match ip address 101' and 'set ip next-hop 192.168.1.2'. The engineer applies the route map to interface GigabitEthernet0/0. The engineer notices that PBR works for most traffic, but traffic from a specific host (10.1.2.100) is not being policy-routed. The engineer checks the ACL 101 and confirms it includes 10.1.2.0/24. What is the most likely cause?
The router is using CEF switching, and PBR is not applied to CEF-switched traffic without the 'ip route-cache policy' command.
Correct because by default, PBR only affects process-switched packets; CEF-switched packets ignore PBR unless 'ip route-cache policy' is enabled.
The host 10.1.2.100 is sending traffic with a different source IP than expected.
The 'set ip next-hop' command requires the next-hop to be directly connected, and 192.168.1.2 is not reachable.
The route map is missing a 'sequence 10' statement; PBR requires explicit sequence numbers.
A network engineer is troubleshooting PBR on a Cisco router where traffic from subnet 172.16.1.0/24 should be forwarded to next-hop 10.10.10.2. The route map 'PBR-172' is applied to interface GigabitEthernet0/0. The engineer notices that the PBR policy is not working at all. The engineer checks the route map configuration and sees 'match ip address 110' and 'set ip next-hop 10.10.10.2'. The engineer also checks the ACL 110 and confirms it matches 172.16.1.0/24. The engineer then checks the interface configuration and sees 'ip policy route-map PBR-172' applied. What should the engineer do next to isolate the issue?
Check if the next-hop 10.10.10.2 is reachable via the routing table.
Correct because PBR requires the next-hop to be reachable; if not, traffic uses the routing table.
Add the 'set ip default next-hop' command to the route map.
Change the route map to use 'set interface' instead of 'set ip next-hop'.
Apply the route map to the outgoing interface instead of the incoming interface.
A network engineer is troubleshooting PBR on a Cisco router where traffic from subnet 192.168.20.0/24 should be forwarded to next-hop 10.20.20.2. The route map 'PBR-20' is configured with 'match ip address 120' and 'set ip next-hop 10.20.20.2'. The engineer applies the route map to interface GigabitEthernet0/0. The engineer notices that PBR works for traffic from 192.168.20.0/24, but traffic from other subnets is also being forwarded to 10.20.20.2. What is the most likely cause?
The route map has a permit statement with no match condition, causing all traffic to be policy-routed.
Correct because a permit statement without a match condition matches all traffic, causing PBR to apply to all packets.
The 'set ip next-hop' command is applied globally under the routing process.
The ACL 120 is configured with 'permit ip any any' at the end.
Correct because if the ACL has a 'permit ip any any' statement, it will match all traffic, causing PBR to apply to all packets.
The route map is applied to the wrong interface, but the interface is receiving traffic from all subnets.
A network engineer is troubleshooting PBR on a Cisco router where traffic from subnet 10.10.10.0/24 should be forwarded to next-hop 192.168.100.2. The route map 'PBR-10' is configured with 'match ip address 130' and 'set ip next-hop 192.168.100.2'. The engineer applies the route map to interface GigabitEthernet0/0. The engineer notices that PBR is not working, and the router is dropping packets instead of forwarding them. The engineer checks the ACL 130 and confirms it matches 10.10.10.0/24. What is the most likely cause?
The route map has a deny statement that matches the traffic, causing packets to be dropped.
Correct because a deny statement in the route map will cause the router to drop the packet if no other permit statement matches.
The next-hop 192.168.100.2 is unreachable, and PBR drops packets when the next-hop is down.
The 'ip policy route-map' command is applied to the wrong interface, and the router is dropping packets due to ACL filtering.
The ACL 130 is missing the 'permit' keyword, causing all traffic to be denied.
Want more Policy-Based Routing (PBR) practice?
Practice this domainA network engineer is troubleshooting a VRF-Lite setup where two customer VRFs (VRF_A and VRF_B) are configured on a router. The engineer notices that routes from VRF_A are appearing in the routing table of VRF_B, causing traffic misdirection. The router is running IOS-XE 17.3. What is the most likely cause of this issue?
The router has 'ip routing' disabled globally.
The 'route-target import' and 'route-target export' commands are misconfigured, causing VRF_A routes to be imported into VRF_B.
Incorrect route-target configuration can lead to unintended route leaking between VRFs.
The 'ip vrf forwarding' command is missing on the interfaces.
The router is running OSPF with the same process ID in both VRFs.
A network engineer is troubleshooting a VRF-Lite configuration on a Cisco router. The router has two VRFs (VRF_RED and VRF_BLUE) configured with OSPF as the routing protocol. The engineer notices that OSPF neighborships are not forming between routers in VRF_RED. The 'show ip ospf neighbor' command shows no neighbors. What is the most likely cause?
The OSPF process ID is not unique across VRFs.
The interfaces in VRF_RED are missing the 'ip ospf network point-to-point' command.
The OSPF process is not configured with the 'vrf VRF_RED' command.
Without the VRF association in the OSPF process, OSPF will not form neighborships on interfaces belonging to that VRF.
The 'router-id' command is missing in the OSPF process.
A network engineer is troubleshooting a VRF-Lite deployment where two routers are connected via a trunk link. Each router has two VRFs (VRF_A and VRF_B). The engineer configures subinterfaces on the trunk link, assigning each subinterface to a different VRF. However, traffic between the two routers for VRF_A is not working. The 'show vrf' command shows the VRFs are active. What is the most likely issue?
The subinterface on Router1 is configured with 'encapsulation dot1q 10', but the subinterface on Router2 is configured with 'encapsulation dot1q 20'.
Mismatched VLAN IDs prevent the Layer 2 frames from being correctly tagged and forwarded between the VRFs.
The 'ip vrf forwarding VRF_A' command is missing on the main interface.
The 'no ip routing' command is configured globally.
The 'mtu' command is set differently on the two subinterfaces.
A network engineer is troubleshooting a VRF-Lite scenario where a router is configured with two VRFs (VRF_X and VRF_Y). The engineer notices that routes from VRF_X are not being advertised to the neighbor router via eBGP. The BGP configuration includes 'neighbor 10.1.1.2 remote-as 65002' under the VRF_X BGP address-family. The 'show bgp vpnv4 unicast all neighbors' command shows the BGP session is established. What is the most likely cause?
The 'network' command for the prefix is configured under the global BGP configuration, not under the VRF address-family.
For VRF-Lite, the network command must be under the VRF address-family to advertise routes from that VRF.
The BGP session is not using the correct update-source interface.
The 'maximum-paths' command is set to 1.
The 'bgp router-id' command is missing.
A network engineer is troubleshooting a VRF-Lite setup where a router is configured with VRF_GREEN. The engineer pings the gateway IP of a host in VRF_GREEN from the router, but the ping fails. The 'show ip route vrf VRF_GREEN' command shows the connected network for the host's subnet. The 'show ip interface brief' shows the interface is up/up. What is the most likely cause?
The host's default gateway is not set to the router's interface IP in VRF_GREEN.
The router's interface in VRF_GREEN has 'ip proxy-arp' disabled.
The host's IP address is not in the same subnet as the router's interface IP in VRF_GREEN.
If the host's IP is in a different subnet, the router will not have a connected route for that host, and ARP will fail.
The 'ip routing' command is disabled in VRF_GREEN.
A network engineer is troubleshooting a VRF-Lite configuration where a router is using RIP as the routing protocol in VRF_BLUE. The engineer notices that RIP routes are not being learned from a neighbor router. The 'show ip rip database vrf VRF_BLUE' shows no entries. The 'show ip vrf interfaces VRF_BLUE' shows the correct interface. What is the most likely cause?
The 'network' command is configured under the global RIP process, not under the VRF address-family.
For RIP to operate in a VRF, the network command must be under the VRF address-family.
The 'version 2' command is missing under the VRF address-family.
The 'no auto-summary' command is missing.
The 'timers basic' command is set to a very low value.
Want more VRF-Lite practice?
Practice this domainA network engineer is troubleshooting a BGP route filtering issue. Router R1 is advertising a prefix 10.1.1.0/24 to its eBGP neighbor R2, but R2 is not receiving it. The engineer checks R1's BGP configuration and sees a route-map named FILTER-OUT applied outbound to the neighbor. The route-map references an ACL that permits 10.1.1.0/24, but the prefix is still not being sent. What is the most likely cause?
The route-map is missing a 'permit' statement; the default action is deny.
Correct because route-maps without an explicit permit will implicitly deny all prefixes.
The ACL is using the wrong wildcard mask; it should be 0.0.0.255 instead of 0.0.0.0.
The neighbor is configured with 'soft-reconfiguration inbound' which blocks outbound updates.
The route-map is applied inbound instead of outbound on R1.
A network engineer is troubleshooting a redistribution issue between OSPF and EIGRP. Router R3 is redistributing OSPF routes into EIGRP, but some OSPF external routes are not appearing in the EIGRP topology table. The engineer checks the redistribute command under EIGRP and sees a route-map named RM-OSPF that uses a prefix-list to match specific prefixes. The missing routes are permitted by the prefix-list. What is the most likely cause?
The route-map is missing a 'set metric' command; EIGRP requires a metric for redistributed routes.
Correct because EIGRP will not accept redistributed routes without an explicit metric.
The prefix-list is using the wrong sequence number and is being overridden by a later deny statement.
The OSPF routes are type-5 LSAs, which cannot be redistributed into EIGRP.
The route-map is applied to the OSPF process instead of the EIGRP process.
A network engineer is troubleshooting a PBR (Policy-Based Routing) issue on router R5. The engineer configured a route-map to set the next-hop for traffic from a specific source subnet. The route-map is applied to the incoming interface, but traffic from the source subnet is still being forwarded using the regular routing table. The engineer verifies that the ACL matches the traffic correctly. What is the most likely cause?
The route-map is missing a 'set ip next-hop' command, or the next-hop is not reachable.
Correct because without a valid 'set' command, PBR does not alter forwarding.
The route-map is applied outbound instead of inbound on the interface.
The ACL is using a standard ACL, which cannot match source subnet correctly.
The route-map has a 'set default interface' command that overrides the next-hop.
A network engineer is troubleshooting a route filtering problem with prefix-lists. Router R6 is using a prefix-list to filter routes from a BGP neighbor. The prefix-list is configured to permit only 192.168.0.0/16 and 192.168.1.0/24, but routes with prefix 192.168.2.0/24 are also being accepted. The engineer checks the prefix-list configuration and sees only two permit statements. What is the most likely cause?
The prefix-list is not applied to the BGP neighbor; the neighbor is using a different filter or no filter.
Correct because if the prefix-list is not applied, no filtering occurs.
The prefix-list has an implicit permit at the end for all routes.
The prefix-list is using 'ge 24' which permits any prefix with a mask >= 24, including 192.168.2.0/24.
The BGP neighbor is configured with 'soft-reconfiguration inbound' which overrides prefix-list filtering.
A network engineer is troubleshooting a redistribution loop between OSPF and EIGRP. Router R7 is redistributing EIGRP routes into OSPF, and also redistributing OSPF routes into EIGRP. The engineer notices that some OSPF routes are appearing in the EIGRP topology table with a higher metric than expected, causing suboptimal routing. What is the most likely cause?
Routes are being re-redistributed due to missing route tags; a route-map with 'set tag' should be used to prevent loops.
Correct because route tags allow filtering to prevent redistribution loops.
The OSPF process has a 'default-information originate' command that is injecting a default route into EIGRP.
The EIGRP process has a 'variance' command that is causing unequal-cost load balancing.
The route-map applied to redistribution is missing a 'match tag' statement to filter out redistributed routes.
A network engineer is troubleshooting a BGP route-map that is supposed to set a community value on routes from a specific neighbor. The engineer configures a route-map with 'set community 100:100' and applies it inbound to the neighbor. After the configuration, the engineer checks the BGP table on the local router and sees that the routes do not have the community set. What is the most likely cause?
The neighbor is missing the 'send-community' command under the BGP neighbor configuration.
Correct because communities are not exchanged without this command.
The route-map is applied outbound instead of inbound.
The community value 100:100 is reserved and cannot be used.
The route-map has a 'match community' statement that is filtering the routes before the set command.
Want more Route Maps and Route Filtering practice?
Practice this domainA network engineer is troubleshooting a BGP route reachability issue. R1 learns the prefix 10.1.1.0/24 via eBGP from R2 with an AD of 20, and via OSPF from R3 with an AD of 110. The engineer notices that R1 installs the OSPF route in the routing table instead of the eBGP route, even though the eBGP route is preferred by default. What is the most likely cause of this behavior?
The OSPF route has a lower metric than the eBGP route.
The distance bgp 20 200 200 command is configured under the BGP process, increasing the AD of eBGP routes to 200.
This command sets the AD for eBGP routes to 200, making OSPF (AD 110) preferred.
The OSPF route is an inter-area route, which has a lower AD than intra-area routes.
The eBGP route is not the best path because the next-hop is unreachable.
An engineer is troubleshooting a network where R1 and R2 are running EIGRP, and R2 redistributes a static route for 192.168.1.0/24 into EIGRP. R1 also learns the same prefix via OSPF from R3 with an AD of 110. The engineer observes that R1 prefers the EIGRP external route (AD 170) over the OSPF route. What configuration change would cause this behavior?
The OSPF route is a type 5 LSA, which has a higher AD than type 3 LSAs.
The engineer applied the distance eigrp 90 100 command under EIGRP, lowering the AD for external routes to 100.
This sets the AD for EIGRP internal routes to 90 and external to 100, making the external route (AD 100) preferred over OSPF (AD 110).
The OSPF route has a metric of 20, while the EIGRP route has a metric of 2560.
The static route was redistributed with a route-map that sets the EIGRP metric to 1.
A network engineer is troubleshooting a connectivity issue between two sites. R1 learns the prefix 10.0.0.0/8 via RIP (AD 120) from R2, and also via a directly connected interface on R3. The engineer notices that R1 uses the RIP route instead of the connected route. What is the most likely cause?
The connected interface on R3 has a higher metric than the RIP route.
The RIP route has an AD of 120, but the connected route is for a different subnet mask.
If the connected route is for 10.0.0.0/16 and the RIP route is for 10.0.0.0/8, they are different prefixes; the router will use the most specific match, but if the connected route is not for the exact prefix, RIP may be the only route.
The distance rip 0 command was applied under RIP, making RIP routes have AD 0.
The connected interface is administratively down.
An engineer is troubleshooting a routing loop between two routers. R1 and R2 are running both OSPF and EIGRP. R1 learns the prefix 172.16.1.0/24 via OSPF with AD 110 and via EIGRP internal with AD 90. The engineer notices that R1 installs the EIGRP route, but traffic to 172.16.1.0/24 is being dropped. What is the most likely issue?
The OSPF route has a better metric, but the EIGRP route is preferred due to lower AD.
The EIGRP route is a summary route pointing to a null0 interface.
If R1 has an EIGRP summary route for 172.16.1.0/24 pointing to Null0, it will be installed with AD 90 and drop traffic, causing a black hole.
The OSPF route has a higher AD because it is a type 5 LSA.
The EIGRP route is an external route with AD 170.
A network engineer is troubleshooting a multi-homed BGP setup. R1 receives the prefix 10.1.1.0/24 from two eBGP peers: R2 (AS 100) and R3 (AS 200). The engineer configures the distance bgp 20 20 20 command on R1 to make all BGP routes have the same AD. However, R1 still prefers the route from R2 over R3. What is the most likely reason?
The route from R2 has a lower MED than the route from R3.
The route from R2 has a higher local preference than the route from R3.
Local preference is compared before AS path and MED; if R2's route has a higher local preference (e.g., 150 vs 100), it will be preferred even with equal AD.
The route from R2 is the oldest BGP route.
The AS path for the route from R2 is shorter than that from R3.
An engineer is troubleshooting a route redistribution issue between OSPF and EIGRP. R1 runs both protocols and redistributes OSPF into EIGRP. The engineer notices that OSPF routes redistributed into EIGRP have an AD of 170, but some routes from OSPF are not being redistributed. What is the most likely cause?
The OSPF routes have a higher metric than the EIGRP routes.
The OSPF routes are not in the routing table because they are overridden by a static route with AD 1.
If a static route with AD 1 exists for the same prefix, the OSPF route will not be installed, and redistribution will not include it.
The redistribute ospf 1 metric 10000 command is missing.
The OSPF routes are external type 2, which are not redistributed by default.
Want more Administrative Distance practice?
Practice this domainA network engineer is troubleshooting a connectivity issue between two branches connected via a WAN link. Router R1 (10.1.0.0/16) is summarizing its directly connected subnets (10.1.1.0/24, 10.1.2.0/24, 10.1.3.0/24) as a single 10.1.0.0/16 route to Router R2 via EIGRP. Users at R2 report that they cannot reach the 10.1.4.0/24 subnet, which was recently added to R1. What is the most likely cause of the problem?
The summary route 10.1.0.0/16 was configured manually, and the new subnet 10.1.4.0/24 is not within the summary range because the mask is too specific.
The new subnet 10.1.4.0/24 was not advertised because the summary address command suppresses more specific routes, but the summary itself is not being generated due to a missing network statement under the EIGRP process.
Correct. In EIGRP, a manually configured summary address suppresses the advertisement of more specific routes and generates the summary only if the component routes exist. If the new subnet is not in the EIGRP network, the summary may not be generated or the specific route is missing.
The WAN link is down, causing R2 to lose the summary route.
The engineer forgot to configure the summary address on the interface facing R2 for the new subnet.
A network engineer is troubleshooting an OSPF network where routers R1, R2, and R3 are in area 0. R1 has a summary route 192.168.0.0/22 configured on its interface to R2, summarizing four /24 subnets (192.168.0.0/24 through 192.168.3.0/24). After the configuration, R3 loses connectivity to the 192.168.0.0/24 subnet, although other subnets are reachable. What is the most likely cause?
The summary route 192.168.0.0/22 is being advertised with a metric of 0, causing R3 to prefer a less specific route from another source.
The summary-address command was applied on R1 as an ABR, but R1 is not an ABR because it is in area 0 only; the command is ignored.
The 192.168.0.0/24 subnet is not included in the summary because the summary mask is /22, but the subnet mask of 192.168.0.0/24 is not contiguous with the others due to a configuration error.
The summary-address command on R1 is configured with the 'not-advertise' keyword, suppressing the summary but not the specific routes, causing a routing black hole for the 192.168.0.0/24 subnet.
Correct. The 'not-advertise' keyword in OSPF summary-address prevents the summary from being advertised, but the specific routes may still be suppressed if the command is misapplied, leading to loss of connectivity to the specific subnet.
A network engineer is troubleshooting BGP route summarization on a border router that advertises a summary route 172.16.0.0/16 to an ISP neighbor. The engineer notices that the ISP is receiving the summary route but also receiving the more specific routes (172.16.1.0/24, 172.16.2.0/24), causing suboptimal routing. What should the engineer do to ensure only the summary route is advertised?
Configure the 'network' command for the summary route and remove the network statements for the specific subnets.
Use the 'aggregate-address 172.16.0.0 255.255.0.0 summary-only' command under the BGP process.
Correct. The aggregate-address with summary-only keyword creates the summary and suppresses all more specific routes from being advertised.
Apply a route-map to the neighbor to filter out the specific routes using an ACL.
Configure the 'summary-address' command under the BGP process.
A network engineer is troubleshooting a redistribution issue between EIGRP and OSPF. Router R1 redistributes EIGRP routes into OSPF. The engineer configured a summary route 10.0.0.0/8 using the 'summary-address' command under the OSPF process. After the configuration, OSPF neighbors lose connectivity to the 10.1.0.0/16 subnet, which is one of the component routes. What is the most likely cause?
The summary-address command on R1 is configured with the 'tag' keyword, causing the summary to be ignored by other routers.
The summary route 10.0.0.0/8 is not being generated because the component routes are not all present in the OSPF database.
Correct. In OSPF, the summary-address command generates a summary only if at least one component route exists in the OSPF database. If the component route is missing due to redistribution issues, the summary may not be generated, and the specific routes may be suppressed.
The OSPF neighbor relationship is down due to a mismatch in area IDs.
The engineer forgot to configure the 'network' command for the summary route under OSPF.
A network engineer is troubleshooting a route summarization issue in a network using RIP. Router R1 is configured with the 'ip summary-address rip 192.168.0.0 255.255.252.0' command on its serial interface. After the configuration, R2, which is connected via that interface, can no longer reach the 192.168.1.0/24 subnet, although other subnets within the summary are reachable. What is the most likely cause?
The 192.168.1.0/24 subnet is not directly connected to R1, so it cannot be summarized.
The summary route 192.168.0.0/22 is being advertised with a higher metric than the specific routes, causing R2 to prefer a different path.
The summary address command was applied on the wrong interface, causing the summary to be sent out all interfaces, including the one facing the 192.168.1.0/24 subnet's origin.
The 192.168.1.0/24 subnet is not included in the summary range because the summary mask is /22, but the subnet's network address is 192.168.1.0, which is within the range, but the RIP process may have a split-horizon issue preventing the route from being advertised.
Correct. In RIP, split horizon prevents a route from being advertised out the interface it was learned on. If the 192.168.1.0/24 subnet was learned on the same interface where the summary is applied, it will not be advertised, causing loss of connectivity.
A network engineer is troubleshooting an OSPF network where an ABR (R1) is configured with the 'area 1 range 10.0.0.0 255.255.0.0' command to summarize routes from area 1 into area 0. After the configuration, routers in area 0 lose connectivity to the 10.0.1.0/24 subnet, although the summary route 10.0.0.0/16 is present in their routing tables. What is the most likely cause?
The summary route 10.0.0.0/16 is being advertised with a metric of 0, causing routers to prefer a default route instead.
The ABR is not generating the summary route because the component routes are not all in the same area.
The 10.0.1.0/24 subnet is not included in the summary range because the range command uses a network mask that does not match the subnet's network address.
The summary route is installed, but the next-hop IP address for the summary route is not reachable from routers in area 0, causing traffic to be dropped.
Correct. In OSPF, the summary route's next hop is set to the ABR's interface IP. If that interface is down or the path is not reachable, traffic to the summary may fail, and since specific routes are suppressed, connectivity to the subnet is lost.
Want more Route Summarization practice?
Practice this domainA network engineer is troubleshooting an OSPF adjacency that is flapping between two routers. The adjacency forms and then drops repeatedly. Both routers are configured for BFD on the OSPF interface. The engineer checks the BFD session and sees it is up, but the OSPF neighbor state transitions from FULL to DOWN every few seconds. What is the most likely cause of this issue?
The BFD timers are set too low on one router.
The OSPF dead interval is mismatched between the two routers.
A mismatch in OSPF dead interval (or hello interval) causes the adjacency to reset even if BFD is healthy, because OSPF uses its own keepalive mechanism.
The interface is flapping due to a physical issue.
BFD is configured with the 'strict-mode' command, causing OSPF to ignore BFD state.
A network engineer is troubleshooting a scenario where two routers running EIGRP are not forming an adjacency. Both routers have BFD configured under the EIGRP process and on the interfaces. The BFD session is up and operational. However, the EIGRP neighbor status shows 'Pending' and never transitions to 'Up'. What is the most likely cause?
The BFD timers are set too high, causing EIGRP to time out before BFD can respond.
EIGRP is configured with 'no auto-summary' on one router and 'auto-summary' on the other.
The EIGRP K-values are mismatched between the two routers.
EIGRP K-values must match for adjacency to form; a mismatch causes the neighbor to stay in Pending state even if BFD is up.
The interface is configured with 'bfd interval 50 min_rx 50 multiplier 3' but the neighbor expects different values.
A network engineer is troubleshooting a BGP session that is dropping intermittently. The routers are connected via a Layer 2 switch. BFD is configured for the BGP session. The engineer notices that the BFD session goes down briefly, causing the BGP session to reset. The BFD timers are set to 100 ms interval with a multiplier of 3. The switch is not configured for BFD. What is the most likely cause?
The BFD timers are too aggressive for the switch's processing capabilities, causing BFD packets to be dropped during high traffic.
Aggressive BFD timers (100 ms) can overwhelm a switch that is not optimized for fast packet forwarding, leading to intermittent BFD failures.
The BGP session is not configured with the 'bfd' command under the neighbor statement.
The switch is running Spanning Tree Protocol (STP) and causing delays.
One router has 'bfd slow-timers' configured, causing a mismatch.
A network engineer is troubleshooting an OSPF adjacency that fails to come up. Both routers are directly connected via a serial link. BFD is enabled on the interface. The engineer sees that the BFD session is down. The OSPF configuration shows 'ip ospf bfd' under the interface. The serial interface is up/up. What should the engineer check first?
Verify that the 'bfd' command is configured under the OSPF process.
For OSPF BFD to work, the 'bfd' command must be enabled under the OSPF routing process (router ospf X, then 'bfd all-interfaces' or per-neighbor). Without it, the BFD session will not be initiated.
Check if the serial interface is configured with 'encapsulation ppp'.
Ensure that the 'ip ospf bfd' command is also configured on the neighbor router.
Verify that the serial interface clock rate is set correctly.
A network engineer is troubleshooting a BGP session that is not establishing. The routers are connected via a Layer 3 switch. BFD is configured for BGP. The engineer checks the BFD session and sees it is 'Down'. The BGP configuration appears correct. The interface between the routers is up/up. What is the most likely cause?
The BGP neighbor is not directly connected; BFD requires a directly connected interface or a static route pointing to the neighbor's IP.
BFD sessions over multihop BGP require special configuration (bfd all-interfaces under BGP) and a route to the neighbor; if the neighbor is not directly connected, BFD will fail without proper setup.
The Layer 3 switch is not configured for BFD, causing it to drop BFD packets.
The BGP session is using EBGP multihop, and the TTL is set to 1.
The interface is configured with 'bfd interval 50 min_rx 50 multiplier 3' but the neighbor is not configured for BFD.
A network engineer is troubleshooting an OSPF adjacency that is not forming. Both routers are running OSPF with BFD enabled. The engineer checks the BFD session and sees it is 'Up'. However, the OSPF neighbor state is stuck in 'INIT'. What is the most likely cause?
The OSPF hello interval is mismatched between the two routers.
The OSPF network type is mismatched (e.g., broadcast vs point-to-point).
The OSPF area ID is mismatched between the two routers.
If the area ID does not match, the router will ignore the hello packets, causing the neighbor to remain in INIT state.
The interface is configured with 'ip ospf bfd' but the OSPF process is not configured with 'bfd all-interfaces'.
Want more Bidirectional Forwarding Detection (BFD) practice?
Practice this domainA network engineer is troubleshooting an MPLS L3VPN where CE1 cannot reach CE2. The PE routers are running OSPF as the IGP and LDP for label distribution. On PE1, the engineer sees that the VRF route for CE2's subnet is present, but the corresponding MPLS label is missing in the LFIB. The show mpls ldp neighbor command shows LDP neighbors are up. What is the most likely cause of the missing label?
LDP is not enabled on the interface facing the next-hop router.
Correct because LDP must be enabled on the interface that connects to the next-hop router to assign a label for the IGP route, which is used to resolve the BGP next-hop in MPLS VPN.
The VRF route is not redistributed into BGP on the remote PE.
MTU mismatch on the link between PE1 and P causes label imposition failure.
The mpls label protocol ldp command is missing under the VRF.
A network engineer is troubleshooting MPLS traffic engineering (TE) tunnels. A TE tunnel from Router A to Router B is configured but remains down. The engineer runs show mpls traffic-eng tunnels and sees that the tunnel is in 'down' state with the error 'Path computation failed'. The IGP is OSPF with MPLS TE enabled, and the network is fully meshed. What is the most likely root cause?
MPLS TE is not enabled on all interfaces along the path.
Correct because MPLS TE must be enabled on each interface to advertise link attributes into the TED; otherwise, the headend cannot compute a constraint-based path.
The tunnel destination is not reachable via the IGP.
RSVP is not configured on the tunnel interface.
The tunnel bandwidth is set too high, exceeding available bandwidth.
A network engineer is troubleshooting an MPLS L2VPN (VPWS) where the pseudowire between two PE routers is down. The show mpls l2transport vc command displays state 'down' and the VC ID is correct on both ends. The engineer checks the MPLS LDP session and sees it is up, but the targeted LDP session for the pseudowire is not established. What is the most likely cause?
The mpls ldp neighbor command is missing on one or both PEs.
Correct because targeted LDP sessions require explicit configuration using the mpls ldp neighbor command to initiate the session for pseudowire signaling.
The VC ID does not match on both ends.
The IGP is not converging, causing reachability issues.
The mpls label protocol ldp command is missing globally.
A network engineer is troubleshooting MPLS traffic where packets are being dropped at a P router. The engineer runs show mpls forwarding-table and sees that the outgoing label for a specific FEC is 'Untagged' instead of a valid label. The IGP is running correctly, and LDP neighbors are established. What is the most likely cause?
LDP is not enabled on the outgoing interface.
Correct because LDP must be enabled on each interface to assign a label for the FEC; without it, the label remains 'Untagged' and packets are dropped.
The IGP metric is too high, causing LDP to prefer a different path.
The mpls label range is exhausted.
The router is configured with mpls ldp advertise-labels for host routes only.
A network engineer is troubleshooting an MPLS L3VPN where CE1 can ping the PE1 interface but cannot ping CE2. On PE1, show ip route vrf CUSTOMER shows the route to CE2's subnet, but show bgp vpnv4 unicast all neighbors 10.0.0.2 advertised-routes does not show the route. The BGP session between PE1 and PE2 is established. What is the most likely cause?
The VRF export route-target does not match the import route-target on the remote PE.
A route-map applied to the VRF export is filtering the route.
Correct because a route-map on VRF export can filter routes before they are advertised to BGP, preventing the route from being sent to the remote PE.
The BGP session is not using the correct update-source.
The next-hop-self command is missing under the VRF address-family.
A network engineer is troubleshooting MPLS LDP where the LDP session between two directly connected routers is not forming. The engineer runs show mpls ldp discovery and sees that LDP hellos are being sent and received on the link. However, show mpls ldp neighbor shows no neighbors. What is the most likely cause?
The LDP router-id is not reachable via the IGP.
Correct because LDP uses TCP to establish the session, and the router-id must be reachable; if the IGP does not have a route to the peer's LDP router-id, the TCP connection fails.
The mpls label protocol ldp command is missing globally.
The interface is configured with mpls ldp igp sync.
The LDP session is using a non-default transport address.
Want more MPLS Operations practice?
Practice this domainA network engineer is troubleshooting an MPLS L3VPN where CE1 (192.168.1.0/24) cannot reach CE2 (192.168.2.0/24). The PE routers are running OSPF with the CEs. On PE1, the VRF configuration includes route-target import and export 100:100. The show ip vrf detail command on PE1 shows the VRF is active, but the CE1 loopback is not present in the VRF routing table. The show ip route vrf CUSTOMER command on PE1 shows only directly connected interfaces. What is the most likely cause?
The route-target import on PE1 is misconfigured.
The OSPF process on PE1 is not configured under the VRF.
Correct: OSPF must be configured with 'router ospf <pid> vrf CUSTOMER' to populate the VRF routing table.
The CE1 interface is not in the VRF.
The MP-BGP session between PE1 and PE2 is down.
An engineer is troubleshooting an MPLS L3VPN where CE1 (10.1.1.0/24) cannot reach CE2 (10.2.2.0/24). The PE routers have MP-BGP peering and the VRF is configured with route-target import 100:100. On PE1, the show ip bgp vpnv4 vrf CUSTOMER command shows the route for 10.2.2.0/24 with a next-hop of 192.168.1.2 (the PE2 loopback), but the show ip route vrf CUSTOMER command does not have this route. The show mpls forwarding-table on PE1 does not show a label for 192.168.1.2. What is the most likely cause?
The VRF route-target import is missing on PE2.
LDP is not enabled on the core-facing interfaces of PE1 or the P routers.
Correct: Without LDP, there is no label for the BGP next-hop, preventing route installation.
The MP-BGP session is not using the loopback interface.
The VRF on PE1 has the wrong route-target export.
A network engineer is troubleshooting an MPLS L3VPN where CE1 (10.1.1.0/24) cannot reach CE2 (10.2.2.0/24). The PE routers are using OSPF with the CEs and MP-BGP between them. On PE1, the show ip bgp vpnv4 vrf CUSTOMER command shows the route for 10.2.2.0/24 with a next-hop of 192.168.1.2, and the show ip route vrf CUSTOMER command shows the route as well. However, traffic from CE1 to CE2 fails. The show ip cef vrf CUSTOMER 10.2.2.0 command on PE1 shows the next-hop as 192.168.1.2 but the output interface is 'no route'. What is the most likely cause?
The OSPF process on PE1 is not redistributing connected routes.
The PE2 loopback is not advertised into the IGP (OSPF/IS-IS) of the service provider core.
Correct: The BGP next-hop must be reachable via IGP for CEF to resolve the output interface.
The VRF route-target import is misconfigured.
MPLS is not enabled on the core-facing interfaces.
An engineer is troubleshooting an MPLS L3VPN where CE1 (10.1.1.0/24) cannot reach CE2 (10.2.2.0/24). The PE routers have MP-BGP peering and the VRF is configured with route-target import 100:100. On PE1, the show ip bgp vpnv4 vrf CUSTOMER command shows the route for 10.2.2.0/24 with a next-hop of 192.168.1.2, but the show ip route vrf CUSTOMER command does not have this route. The show ip bgp vpnv4 all 10.2.2.0/24 command on PE1 shows the route is received but not best. What is the most likely cause?
The route-target import on PE1 is missing.
The BGP next-hop (PE2 loopback) is not reachable in the global routing table.
Correct: BGP requires the next-hop to be reachable for the route to be considered best and installed.
The VRF on PE1 has a different route-target export.
The MP-BGP session is using an incorrect address family.
A network engineer is troubleshooting an MPLS L3VPN where CE1 (10.1.1.0/24) cannot reach CE2 (10.2.2.0/24). The PE routers are using eBGP with the CEs. On PE1, the show ip bgp vpnv4 vrf CUSTOMER command shows the route for 10.2.2.0/24 with a next-hop of 192.168.1.2, and the show ip route vrf CUSTOMER command shows the route. However, traffic from CE1 to CE2 fails. The show ip cef vrf CUSTOMER 10.2.2.0 command on PE1 shows the next-hop as 192.168.1.2 and the output interface as GigabitEthernet0/0. The show mpls forwarding-table 192.168.1.2 detail command on PE1 shows a label but the outgoing interface is 'aggregate'. What is the most likely cause?
The PE2 loopback address is accidentally configured on PE1.
Correct: If PE1 has the same loopback IP, it will treat itself as the egress for that prefix, causing 'aggregate' in the LFIB.
LDP is not enabled on the core-facing interfaces.
The VRF route-target import is misconfigured.
The MP-BGP session is using the wrong update-source.
An engineer is troubleshooting an MPLS L3VPN where CE1 (10.1.1.0/24) cannot reach CE2 (10.2.2.0/24). The PE routers are using OSPF with the CEs. On PE1, the show ip bgp vpnv4 vrf CUSTOMER command shows the route for 10.2.2.0/24 with a next-hop of 192.168.1.2, and the show ip route vrf CUSTOMER command shows the route. However, traffic from CE1 to CE2 fails. The show ip cef vrf CUSTOMER 10.2.2.0 command on PE1 shows the next-hop as 192.168.1.2 and the output interface as GigabitEthernet0/0. The show ip route 192.168.1.2 command on PE1 shows the route with a next-hop of 10.0.0.2 and output interface GigabitEthernet0/0. The show mpls forwarding-table 192.168.1.2 detail command on PE1 shows a label with outgoing interface GigabitEthernet0/0. What is the most likely cause?
The VRF route-target import on PE1 is misconfigured.
The CE1 router does not have a default route or specific route to 10.2.2.0/24.
Correct: If CE1 does not have a route to the remote prefix, it will drop traffic or send it to a default gateway that may not exist.
The OSPF process on PE1 is not redistributing BGP routes into OSPF.
The MP-BGP session is not using the loopback interface.
Want more MPLS L3VPN practice?
Practice this domainA network engineer is troubleshooting a DMVPN phase 2 hub-and-spoke deployment. The hub router has mGRE and NHRP configured, and spokes register successfully. However, spoke-to-spoke traffic is not being encrypted, even though IPsec profiles are applied to the mGRE tunnel interface on both the hub and spokes. The engineer verifies that the crypto map is not applied to the tunnel interface. What is the most likely cause of this issue?
The NHRP authentication string does not match between the hub and spokes.
The IPsec profile is not applied to the mGRE tunnel interface on the hub and spokes.
Correct because DMVPN phase 2 requires the IPsec profile to be applied to the tunnel interface to protect spoke-to-spoke traffic.
The tunnel key is not configured on the spokes.
The spokes have a static crypto map applied to their physical interface.
An engineer is troubleshooting a DMVPN phase 3 network where spoke-to-spoke tunnels are not being established dynamically. The hub router has NHRP redirect enabled, and spokes have NHRP shortcut enabled. The engineer notices that when a spoke sends traffic to another spoke, the hub forwards the traffic but does not send an NHRP redirect. The hub's NHRP configuration includes the command 'ip nhrp redirect'. What is the most likely cause?
The spoke does not have 'ip nhrp shortcut' enabled.
The hub router does not have a route to the spoke's LAN subnet.
Correct because the hub must have a route to the spoke's subnet to generate an NHRP redirect; without it, the hub forwards traffic without sending a redirect.
The tunnel interface on the hub has 'no ip nhrp redirect' configured.
The spoke's NHRP registration does not include the LAN subnet.
A network engineer is troubleshooting a DMVPN phase 2 network where spoke-to-spoke tunnels are established, but traffic between spokes is intermittently dropped. The engineer captures packets and sees that IPsec packets are being fragmented. The tunnel interface MTU is set to 1400 bytes, and the physical interface MTU is 1500 bytes. The engineer also notices that the IPsec transform set uses ESP with AES-256 and SHA-256. What is the most likely cause of the intermittent drops?
The IPsec transform set uses AES-256, which requires more CPU and causes performance drops.
The tunnel MTU is set too high for the IPsec overhead, causing fragmentation and potential drops.
Correct because the tunnel MTU of 1400 bytes does not account for IPsec overhead, leading to fragmentation and drops.
The physical interface MTU is set to 1500, which is too high for DMVPN.
The spokes have different IPsec transform sets configured.
An engineer is troubleshooting a DMVPN phase 3 network where spokes are unable to reach the hub's LAN subnet. The hub router is running EIGRP over the DMVPN tunnel interface, and the spokes are learning the hub's LAN route. However, pings from a spoke to the hub's LAN IP fail. The engineer checks the hub's routing table and sees the spoke's LAN route. The hub's tunnel interface has 'ip nhrp redirect' and 'ip nhrp shortcut' enabled. What is the most likely cause?
The hub's EIGRP is not configured to advertise the LAN subnet.
Correct because if the hub's LAN subnet is not advertised via EIGRP, the spokes will not have a route to it.
The spoke's tunnel interface has 'ip nhrp shortcut' disabled.
The hub's tunnel interface has 'no ip nhrp redirect' configured.
The spoke's NHRP registration is not reaching the hub.
A network engineer is troubleshooting a DMVPN phase 2 network where the hub router is not forming an NHRP adjacency with a spoke. The spoke router is configured with 'ip nhrp nhs 10.0.0.1' and 'ip nhrp map 10.0.0.1 192.168.1.1'. The hub's tunnel interface IP is 10.0.0.1, and the physical interface IP is 192.168.1.1. The engineer pings the hub's tunnel IP from the spoke and it succeeds. However, 'show ip nhrp' on the spoke shows no NHRP entries. What is the most likely cause?
The hub router has 'ip nhrp authentication DMVPN' configured, but the spoke does not.
Correct because NHRP authentication must match between hub and spoke for registration to succeed.
The spoke's tunnel interface is in a different VRF than the hub's.
The hub's tunnel interface has 'no ip nhrp server-only' configured.
The spoke's NHRP map is incorrect; it should map the hub's tunnel IP to the hub's tunnel IP.
An engineer is troubleshooting a DMVPN phase 3 network where spoke-to-spoke tunnels are established, but traffic between spokes is taking a suboptimal path through the hub. The engineer checks 'show ip nhrp shortcut' on the spoke and sees no shortcut entries. The hub has 'ip nhrp redirect' enabled, and the spoke has 'ip nhrp shortcut' enabled. The engineer also verifies that the spoke's routing table has a route to the remote spoke's LAN via the hub. What is the most likely cause?
The hub router does not have a route to the remote spoke's LAN subnet.
Correct because the hub must have a route to the destination subnet to send an NHRP redirect.
The spoke's 'ip nhrp shortcut' command is missing on the tunnel interface.
The spoke's routing table has a static route to the remote spoke's LAN via the hub.
The hub's tunnel interface has 'no ip nhrp redirect' configured.
Want more DMVPN practice?
Practice this domainA network engineer is troubleshooting an IPsec site-to-site VPN between two routers. The tunnel interface is up/up, but traffic from the local LAN to the remote LAN is not passing. The engineer checks the crypto map and sees it is applied to the outside interface. What is the most likely cause of the traffic failure?
The crypto map is not applied to the tunnel interface.
The access list in the crypto map does not match the LAN-to-LAN traffic.
Correct because the crypto map uses an access list to define which traffic is encrypted; if it does not match the actual LAN subnets, traffic will be sent unencrypted and may be dropped by the remote router.
The IPsec transform set is missing the esp-aes encryption algorithm.
The IKE phase 1 proposal is mismatched between the two routers.
A network engineer is troubleshooting an IPsec site-to-site VPN where the tunnel is not coming up. The engineer runs 'show crypto isakmp sa' and sees no active IKE SAs. The peer IP address is correctly configured. What should the engineer check first?
Verify that the crypto map is correctly applied to the outside interface.
Check the IP connectivity between the two public IP addresses using ping.
Correct because without basic IP reachability, IKE packets cannot be exchanged, and the VPN cannot establish.
Check the IPsec transform set configuration on both routers.
Verify the pre-shared key is identical on both routers.
A network engineer is troubleshooting an IPsec site-to-site VPN between two Cisco routers. The tunnel is up, but traffic intermittently drops. The engineer notices that the 'show crypto ipsec sa' output shows the packet counters incrementing for both encrypt and decrypt, but the 'pkts encaps failed' counter is also increasing. What is the most likely cause?
The crypto map is not applied to the correct interface.
Correct because if the route to the remote LAN points to an interface without the crypto map, the router will attempt to send the packet unencrypted, resulting in encapsulation failure.
The IPsec transform set is misconfigured with incompatible algorithms.
The IKE keepalive timer is too short, causing frequent rekeying.
The MTU on the outside interface is too small, causing fragmentation.
A network engineer is troubleshooting an IPsec site-to-site VPN where the tunnel is up but traffic from the remote LAN to the local LAN is not working. The engineer pings from the remote router to the local LAN IP and it succeeds. However, pings from a host on the remote LAN to a host on the local LAN fail. What is the most likely cause?
The crypto map access list on the remote router does not include the remote LAN subnet.
The local router does not have a route to the remote LAN subnet in its routing table.
Correct because the local router must have a route to the remote LAN subnet to route the return traffic back through the tunnel. Without it, the return traffic is dropped.
The IPsec transform set is missing the esp-sha-hmac authentication.
The pre-shared key is mismatched between the two routers.
A network engineer is troubleshooting an IPsec site-to-site VPN that uses a GRE tunnel over IPsec. The GRE tunnel is up/up, but the routing protocol (EIGRP) running over the GRE tunnel is not forming an adjacency. The engineer checks the tunnel configuration and sees that the tunnel source and destination are correct. What is the most likely cause?
The crypto map access list does not match GRE protocol (47) traffic.
Correct because GRE uses protocol 47; if the crypto map's access list only matches IP traffic between the LAN subnets, the GRE packets themselves are not encrypted and are dropped, causing the GRE tunnel to appear up but the routing protocol to fail.
The EIGRP hello timer is set too high.
The tunnel interface is not configured with an IP address.
The IPsec transform set does not include ESP encryption.
A network engineer is troubleshooting an IPsec site-to-site VPN where the tunnel is up, but the engineer notices that the 'show crypto ipsec sa' output shows that the number of packets encrypted is much higher than the number of packets decrypted on the remote side. What is the most likely cause?
The remote router has a misconfigured route that sends return traffic out the wrong interface.
Correct because if the remote router does not have a route to the local LAN that points to the tunnel interface, the return traffic will be sent out the physical interface without encryption, and the local router will not see corresponding decrypted packets.
The IPsec SA lifetime is set too low, causing frequent rekeying.
The crypto map on the local router is applied to the wrong interface.
The access list in the crypto map on the remote router is too permissive, encrypting extra traffic.
Want more IPsec Site-to-Site VPN practice?
Practice this domainA network engineer is troubleshooting an IPv6 connectivity issue between two sites connected via a 6to4 tunnel. The tunnel is configured on both routers and shows as up/up, but the engineer cannot ping the IPv6 address of the remote tunnel endpoint. The engineer checks the routing table and sees no route to the remote IPv6 prefix. What is the most likely cause of this problem?
The tunnel source interface is configured with a private IPv4 address, causing the 6to4 prefix to be invalid.
Correct because 6to4 requires a global IPv4 address to form a valid 2002::/16 prefix. A private address leads to an invalid 6to4 address, preventing proper routing.
The tunnel mode is incorrectly set to ipv6ip instead of 6to4.
The tunnel destination is misconfigured with the remote router's IPv6 address instead of its IPv4 address.
The IPv6 address on the tunnel interface is not in the 2002::/16 range.
An engineer is troubleshooting an ISATAP tunnel between a Windows host and a Cisco router. The host can ping the router's IPv6 address configured on the tunnel interface, but cannot reach any other IPv6 networks beyond the router. The router has a default route pointing to an upstream IPv6 router. What is the most likely cause?
The router is not configured as an ISATAP router; it only has the tunnel interface but lacks the 'ipv6 isatap' command.
Correct because without 'ipv6 isatap', the router does not respond to ISATAP router solicitations, and the host will not use it as a default gateway for off-link traffic.
The host's ISATAP interface has an incorrect IPv4 address for the router's tunnel source.
The router's tunnel interface is missing the 'ipv6 enable' command.
The upstream router does not have a route back to the ISATAP prefix.
A network engineer is troubleshooting a manual IPv6-in-IPv4 tunnel between two Cisco routers. The tunnel is up, and both routers can ping each other's tunnel IPv6 addresses. However, traffic from a host behind Router A to a host behind Router B fails. The engineer notices that Router A has a route to the remote IPv6 prefix via the tunnel, but Router B does not have a route to the local IPv6 prefix. What is the most likely cause?
Router B is missing a static route pointing the local IPv6 prefix to the tunnel interface.
Correct because without a return route, Router B cannot forward packets destined to the local prefix, breaking bidirectional communication.
The tunnel mode is set to 'ipv6ip 6to4' instead of 'ipv6ip'.
The tunnel source on Router B is misconfigured with the wrong IPv4 address.
The IPv6 access-list on Router B is blocking incoming traffic from the local prefix.
An engineer is troubleshooting a GRE IPv6 tunnel between two sites. The tunnel is up, and the engineer can ping the remote tunnel endpoint IPv6 address. However, OSPFv3 neighbors over the tunnel fail to form. The engineer verifies that OSPFv3 is configured on both tunnel interfaces with the same area and that the network type is broadcast. What is the most likely cause?
The tunnel MTU is set to 1500, but the GRE encapsulation adds 24 bytes, causing OSPFv3 packets to be fragmented.
Correct because the default tunnel MTU of 1500 does not account for GRE overhead, leading to fragmentation that OSPFv3 may not handle properly, especially with authentication or large LSAs.
The OSPFv3 network type is set to point-to-point instead of broadcast.
The tunnel interface is missing the 'ipv6 ospf 1 area 0' command.
The tunnel keepalive is misconfigured, causing the tunnel to flap.
A network engineer is troubleshooting an IPv6 connectivity problem across an IPv4 MPLS network using 6PE. The 6PE routers have MP-BGP sessions to exchange IPv6 prefixes, and the tunnel between them is up. However, a customer edge router behind one 6PE router cannot reach an IPv6 prefix behind the other 6PE router. The engineer checks the 6PE router's BGP table and sees the prefix, but the routing table shows the next-hop as unreachable. What is the most likely cause?
The MPLS LDP session between the 6PE routers or between the 6PE and P routers is down, so no label exists for the BGP next-hop.
Correct because 6PE relies on MPLS labels to reach the remote 6PE router; without a label, the next-hop is unreachable, and traffic is dropped.
The 6PE router is missing the 'ipv6 unicast-routing' command.
The tunnel interface is not in the VRF of the customer.
The remote 6PE router is not advertising the IPv6 prefix via BGP.
An engineer is troubleshooting a DMVPN phase 2 deployment with IPv6 over mGRE tunnels. The spoke routers can ping the hub's tunnel IPv6 address, but cannot reach IPv6 networks behind other spokes. The engineer verifies that NHRP is configured and that the hub has a route to the spoke's internal networks. What is the most likely cause?
The spoke routers are missing a static route for the remote spoke's internal network pointing to the mGRE tunnel interface.
Correct because without a route to the remote spoke's network via the tunnel, the spoke will send traffic to the hub, which may not forward it correctly, or the spoke may use a default route that does not use the tunnel.
The NHRP authentication key is mismatched between the spokes.
The tunnel key is not configured on the mGRE interface.
The hub is not configured with 'ip nhrp redirect' and the spokes with 'ip nhrp shortcut'.
Want more IPv6 Tunneling Techniques practice?
Practice this domainA network engineer is troubleshooting a site-to-site VPN between two Cisco routers. The tunnel is up, but traffic is not passing. On R1, the engineer issues the command 'show crypto map' and sees that the crypto map is applied to the outbound interface. What is the most likely cause of the traffic failure?
The crypto map is applied to the wrong interface.
Correct because crypto maps should be applied to the inbound direction of the interface to match traffic for encryption.
The access-list in the crypto map does not permit the traffic.
The ISAKMP policy is misconfigured.
The transform set is incorrect.
A network administrator is configuring AAA for device access on a Cisco router. After configuring the RADIUS server and AAA authentication login default group radius local, the engineer tests Telnet access and receives 'Access denied' even with correct credentials. The RADIUS server is reachable. What is the most likely cause?
The VTY lines are not configured with 'login authentication default'.
Correct because the AAA login method list must be explicitly applied to the VTY lines using the 'login authentication' command.
The RADIUS server shared key is incorrect.
The enable password is not set.
The 'aaa new-model' command is missing.
An engineer configures a Cisco router for SSH access. The router has an IP address on interface GigabitEthernet0/0, and the engineer generates RSA keys using the command 'crypto key generate rsa modulus 2048'. However, SSH connections fail with 'Connection refused'. What is the most likely cause?
The hostname and domain name are not configured.
Correct because SSH uses the hostname and domain name to generate the RSA key pair; without them, the SSH server may not function.
The VTY lines are not configured with 'transport input ssh'.
The RSA key modulus is too small.
The IP address on GigabitEthernet0/0 is not in the same subnet as the client.
A network engineer is troubleshooting a Cisco router that is not responding to SNMP polls from a management station. The router has 'snmp-server community public RO' configured. The management station can ping the router. What is the most likely cause?
The SNMP community string is not associated with an ACL that permits the management station.
Correct because without an ACL, the default behavior is to deny all SNMP access; the community must be bound to an ACL that permits the management station.
The SNMP version is not configured.
The router's SNMP agent is disabled.
The management station is using the wrong SNMP port.
An engineer configures a Cisco router with 'aaa authentication login default local' and 'aaa authorization exec default local'. The engineer then attempts to log in via the console and is prompted for a username and password. The username 'admin' with password 'cisco' is configured locally. The login fails. What is the most likely cause?
The console line is not configured with 'login authentication default'.
Correct because the default AAA login method list must be applied to the console line using the 'login authentication' command.
The username 'admin' is not in the local database.
The password 'cisco' is incorrect.
The 'aaa new-model' command is missing.
A network engineer is troubleshooting a Cisco router that is configured for RADIUS authentication. The engineer issues 'debug radius authentication' and sees that the RADIUS server is not responding. The router can ping the RADIUS server. What is the most likely cause?
UDP port 1812 is blocked between the router and the RADIUS server.
Correct because RADIUS authentication uses UDP port 1812; if blocked, the server will not receive or respond to requests.
The RADIUS server shared key is incorrect.
The router's IP address is not in the RADIUS server's client list.
The RADIUS server is down.
Want more Device Access Control practice?
Practice this domainA network engineer runs the following command on Router R1:
R1# show access-lists
Extended IP access list 101
10 permit tcp 192.168.1.0 0.0.0.255 any eq 80 (10 matches)
20 deny tcp any host 10.1.1.1 eq 22 (5 matches)
30 permit icmp any any (2 matches)
40 deny ip any any (1 match)Based on this output, which statement is correct?
Traffic matching line 10 is permitted and counted correctly.
Line 10 has 10 matches and is a permit statement, so traffic matching it is permitted.
All traffic is permitted because line 40 has only 1 match.
Line 20 denies SSH traffic to host 10.1.1.1, and 5 packets matched.
Line 20 denies TCP port 22 (SSH) to host 10.1.1.1, with 5 matches.
The ACL has no effect because it is not applied to an interface.
A network engineer runs the following command on Router R1:
R1# show ip interface GigabitEthernet0/1
GigabitEthernet0/1 is up, line protocol is up Internet address is 10.1.1.1/24 Broadcast address is 255.255.255.255 Address determined by non-volatile memory MTU is 1500 bytes Helper address is not set Directed broadcast forwarding is disabled Outgoing access list is 101 Inbound access list is not set
Based on this output, which statement is correct?
ACL 101 filters traffic entering the interface.
ACL 101 filters traffic leaving the interface.
The output shows 'Outgoing access list is 101', so traffic exiting is filtered.
The interface has no ACL applied.
ACL 101 is applied in both directions.
A network engineer runs the following command on Router R1:
R1# show ip access-lists
Extended IP access list 120
10 permit tcp 10.0.0.0 0.255.255.255 any eq www (1000 matches)
20 permit udp any any eq dns (500 matches)
30 deny ip any any (200 matches)Based on this output, what is the problem?
The ACL is correctly permitting web and DNS traffic.
The ACL is blocking all traffic except web and DNS, which may be too restrictive.
The deny ip any any with matches shows that other traffic is being denied, which could be a problem.
The ACL has no effect because it is not applied.
The ACL allows all traffic because of the permit statements.
A network engineer runs the following command on Router R1:
R1# show ip access-lists
Extended IP access list 130
10 deny ip 192.168.1.0 0.0.0.255 any (0 matches)
20 permit ip any any (1000 matches)Based on this output, which statement is correct?
Traffic from 192.168.1.0/24 is being denied.
Traffic from 192.168.1.0/24 is being permitted.
Since line 10 has no matches, traffic from that subnet is matched by line 20 (permit any any) and permitted.
The ACL is blocking all traffic.
The ACL is misconfigured because line 10 is not needed.
A network engineer runs the following command on Router R1:
R1# show ip access-lists
Extended IP access list 140
10 deny tcp any host 10.1.1.1 eq 23 (15 matches)
20 permit tcp any host 10.1.1.1 eq 22 (20 matches)
30 permit ip any any (5 matches)Based on this output, what is the problem?
SSH to 10.1.1.1 is being denied.
Telnet to 10.1.1.1 is being denied, which may be intentional.
Line 10 denies Telnet with 15 matches, so Telnet traffic is blocked.
All traffic is permitted because of line 30.
The ACL is not applied to any interface.
A network engineer runs the following command on Router R1:
R1# show ip access-lists
Extended IP access list 150
10 permit ip 10.0.0.0 0.255.255.255 any (500 matches)
20 deny ip any any (100 matches)Based on this output, which statement is correct?
Traffic from 10.0.0.0/8 is denied.
Traffic not from 10.0.0.0/8 is denied.
Line 20 denies all other traffic with 100 matches.
All traffic is permitted.
The ACL has no effect.
Want more IPv4 Access Control Lists practice?
Practice this domainA network engineer is troubleshooting a connectivity issue between two routers R1 and R2 connected via GigabitEthernet0/0. The engineer notices that R1 can ping its own IPv6 address 2001:db8:1::1/64, but cannot ping R2's interface address 2001:db8:1::2/64. The output of 'show ipv6 interface GigabitEthernet0/0' on R1 indicates that IPv6 is enabled and the interface is up/up. The engineer checks the access list applied to the interface and sees an inbound IPv6 ACL that permits only ICMPv6 echo requests from a specific source. What is the most likely cause of the ping failure?
The ACL is applied inbound on R1 and does not permit ICMPv6 echo replies from R2.
Correct because ICMPv6 echo replies are sourced from the destination address (R2) and must be permitted inbound on R1 for the ping to succeed.
The ACL is applied outbound on R1 and blocks the echo request.
IPv6 unicast-routing is not enabled on R1.
The ACL is missing a permit statement for IPv6 neighbor discovery (ND) messages.
A network engineer is troubleshooting a BGP IPv6 peering issue between two routers, R1 and R2, connected via a point-to-point link. The engineer notices that the BGP session is flapping with error 'BGP Notification sent: 3/2 (Update malformed)'. The engineer checks the IPv6 ACL applied to the interface on R1 and sees an inbound ACL that permits only TCP port 179 from the neighbor's link-local address. The BGP peering uses the global unicast addresses of the interfaces. What is the most likely cause of the BGP session failure?
The ACL is blocking TCP packets from the neighbor's global unicast address because it only permits traffic from the link-local address.
Correct because BGP uses TCP, and the ACL permits only traffic from the link-local address, but the BGP session is established using global addresses, causing the TCP handshake to fail.
The BGP update is malformed because the neighbor does not have the correct route-map applied.
The ACL is missing a permit statement for ICMPv6 neighbor discovery messages.
The BGP session is using link-local addresses, but the ACL permits global addresses.
A network engineer is troubleshooting an IPv6 routing issue on a router that is receiving OSPFv3 routes from multiple neighbors. The engineer notices that some routes are missing from the routing table. The engineer checks the interface configuration and finds an inbound IPv6 ACL applied to the interface that permits only specific prefixes. The engineer also notices that the missing routes are from a neighbor that is sending routes with a prefix length of /48, while the ACL permits only /64 prefixes. What is the most likely cause of the missing routes?
The ACL is filtering the OSPFv3 routes based on prefix length, and the /48 routes are not permitted.
Correct because the ACL permits only /64 prefixes, so /48 routes are dropped, preventing them from being installed in the routing table.
The OSPFv3 neighbor relationship is down due to a mismatched area ID.
The router has a route-map that is denying the /48 routes before they are installed.
The IPv6 ACL is applied outbound, blocking the routes from being sent.
A network engineer is troubleshooting a connectivity issue where a host on VLAN 10 cannot reach a server on VLAN 20. Both VLANs are on the same switch, which is running IPv6. The engineer checks the switch and finds that uRPF (unicast Reverse Path Forwarding) is enabled in strict mode on the VLAN 20 interface. The host's IPv6 address is 2001:db8:10::100/64, and the server's address is 2001:db8:20::200/64. The switch has a default route pointing to a next-hop router. The host sends traffic to the server, but the switch drops the packets. What is the most likely cause?
The uRPF strict mode check fails because the switch does not have a specific route to the host's subnet pointing back to the VLAN 10 interface.
Correct because uRPF strict mode requires a matching route in the FIB that points to the same interface on which the packet was received; a default route does not satisfy this requirement.
The uRPF mode should be loose mode to allow traffic from any source as long as there is a route in the FIB.
The host's IPv6 address is not in the switch's neighbor cache.
The switch has an ACL that blocks traffic between VLANs.
A network engineer is troubleshooting an IPv6 connectivity issue on a router that is receiving routes via EIGRP for IPv6. The engineer notices that some routes are not being installed in the routing table, even though the EIGRP neighbor relationship is established. The engineer checks the interface configuration and finds an inbound IPv6 ACL that permits only certain EIGRP packets. The ACL permits EIGRP hello packets and updates, but not EIGRP queries or replies. What is the most likely cause of the missing routes?
The ACL is blocking EIGRP query and reply packets, which are necessary for the EIGRP process to install routes.
Correct because EIGRP queries and replies are used to ensure route consistency and convergence; blocking them can prevent route installation.
The EIGRP router ID is not configured.
The ACL is applied outbound, blocking the EIGRP updates from being sent.
The EIGRP for IPv6 is not enabled on the interface.
A network engineer is troubleshooting a scenario where a router is dropping IPv6 packets that are destined for a server on a directly connected network. The engineer checks the interface and finds that uRPF is enabled in loose mode. The router has a default route pointing to an upstream router. The source address of the packets is 2001:db8:100::1, which is not in the routing table (the router has no route to that prefix). What is the most likely cause of the packet drops?
The uRPF loose mode check fails because there is no route to the source address in the routing table.
Correct because loose mode requires at least one route to the source address in the FIB; if no route exists, the packet is dropped.
The uRPF loose mode check fails because the source address is not reachable via the same interface.
The router has an ACL that blocks traffic from that source.
The uRPF mode should be strict mode to allow the traffic.
Want more IPv6 Traffic Filtering and uRPF practice?
Practice this domainA network engineer notices that BGP sessions between two directly connected routers are flapping every few minutes. The routers are running IOS-XE 17.3 and have CoPP enabled. The engineer checks the CoPP policy and sees a class-map matching BGP packets with a police rate of 8000 bps. The BGP session uses MD5 authentication and the routers exchange a full BGP table with 500,000 prefixes. What is the most likely cause of the BGP session flapping?
The BGP MD5 authentication is causing excessive CPU utilization, triggering CoPP drops.
The CoPP police rate of 8000 bps is too low for the BGP keepalive and update traffic, causing packet drops.
BGP with 500,000 prefixes generates significant update traffic, and 8000 bps is insufficient, leading to dropped packets and session flapping.
The CoPP class-map is not matching BGP packets correctly because it uses a wrong access-list.
The BGP hold timer is set too low, causing the session to reset before CoPP drops are noticed.
A router experiences high CPU utilization due to SSH login attempts from an external attacker. The network engineer implements a CoPP policy to rate-limit SSH traffic to 10000 bps. After applying the policy, the engineer notices that legitimate SSH sessions from the management network are also being dropped intermittently. The CoPP policy uses a class-map that matches TCP port 22 traffic. What should the engineer do to fix this issue?
Increase the police rate for the SSH class to 100000 bps to allow all SSH traffic.
Modify the class-map to match only SSH traffic from the attacker's source IP addresses using an access-list.
Create a separate class for legitimate SSH traffic from the management network with a higher police rate, and police the attacker's traffic more aggressively.
This allows legitimate SSH sessions to pass while still protecting the control plane from the attacker.
Remove the CoPP policy and implement an ACL on the interface to block the attacker's IP address.
An engineer applies a CoPP policy to a router to protect the control plane. The policy includes a class-map that matches all ICMP traffic and polices it to 5000 bps. After the policy is applied, the engineer notices that OSPF adjacencies are going down. The OSPF hello packets are not being received. What is the most likely cause?
The CoPP policy is policing OSPF packets because the class-map matches all IP traffic, not just ICMP.
The CoPP policy has a default class that drops all unmatched traffic, including OSPF packets.
If the CoPP policy does not explicitly permit OSPF packets, a default drop class will cause OSPF adjacencies to fail.
The OSPF hello packets are being rate-limited because they are ICMP packets.
The CoPP policy is applied to the wrong interface, causing OSPF packets to be dropped.
A router running EIGRP has a CoPP policy that includes a class-map matching EIGRP packets with a police rate of 2000 bps. The network engineer notices that EIGRP neighbor adjacencies are flapping. The EIGRP network has 100 routes. The engineer checks the CoPP statistics and sees that the EIGRP class has dropped 500 packets in the last hour. What is the most likely root cause?
The EIGRP hello interval is set too low, causing excessive hello packets that exceed the police rate.
The CoPP police rate of 2000 bps is insufficient for EIGRP hello and update traffic, causing packet drops.
EIGRP packets, though small, can be dropped if the police rate is too low, leading to adjacency flapping.
The EIGRP authentication is causing larger packets that exceed the police rate.
The CoPP class-map is matching EIGRP packets incorrectly, causing them to be dropped by a default class.
A network engineer configures CoPP on a router to limit PIM-SM control plane traffic. The policy includes a class-map matching PIM packets and polices them to 10000 bps. After the policy is applied, the engineer notices that multicast traffic is not being forwarded correctly, and PIM neighbors are not forming. The router is a PIM-SM rendezvous point (RP). What is the most likely issue?
The CoPP policy is dropping PIM register messages because the police rate is too low for the burst of register traffic.
PIM register messages can be large and bursty, and a police rate of 10000 bps may not be sufficient, causing drops and preventing RP functionality.
The CoPP class-map is not matching PIM packets because it uses the wrong protocol number.
The PIM hello interval is set too high, causing the router to miss hello packets from neighbors.
The CoPP policy is applied to the wrong control plane, such as the IPv6 control plane.
A router has a CoPP policy that includes a class-map matching all TCP traffic with a police rate of 5000 bps. The engineer notices that Telnet sessions to the router are timing out, but SSH sessions work fine. The router is configured to accept both Telnet and SSH. What is the most likely cause?
The CoPP policy has a separate class for Telnet with a lower police rate or a drop action.
If Telnet is in a different class with a lower rate or drop, it would explain why Telnet fails while SSH works.
The SSH traffic is encrypted, so it uses less bandwidth than Telnet.
The Telnet server on the router is not responding due to a configuration error.
The CoPP policy is rate-limiting TCP traffic to 5000 bps, which is enough for SSH but not for Telnet.
Want more Control Plane Policing (CoPP) practice?
Practice this domainA network engineer is troubleshooting an IPv6 neighbor discovery issue on a switch running IOS-XE. Hosts on VLAN 100 are intermittently losing connectivity to the default gateway. The switch is configured with IPv6 First Hop Security features including RA Guard and DHCPv6 Guard. The engineer notices that the switch is dropping valid Router Advertisements from the legitimate router. What is the most likely cause of this issue?
The RA Guard policy is configured with 'device-role router' on the port connected to the legitimate router, but the router's MAC address is not in the allowed list.
Correct because RA Guard requires explicit authorization of routers; if the legitimate router's MAC is not allowed, its RAs are dropped.
DHCPv6 Guard is blocking DHCPv6 Advertise messages from the router, preventing hosts from obtaining IPv6 addresses.
IPv6 Source Guard is dropping packets from the router because the router's IPv6 address is not in the binding table.
The switch has IPv6 unicast-routing enabled, causing it to send its own RAs and override the legitimate router.
An engineer is troubleshooting a network where IPv6 hosts cannot obtain IP addresses via DHCPv6. The switch is configured with DHCPv6 Guard to prevent rogue DHCP servers. The legitimate DHCPv6 server is connected to port GigabitEthernet1/0/1. The engineer sees that DHCPv6 Solicit messages from hosts reach the server, but the server's Advertise and Reply messages are not reaching the hosts. What is the most likely root cause?
The DHCPv6 Guard policy is applied globally, and the port connected to the DHCP server is not configured as a trusted port for DHCPv6 server messages.
Correct because DHCPv6 Guard by default blocks server messages on untrusted ports; the server port must be explicitly trusted.
RA Guard is blocking the DHCPv6 server's Router Advertisements, causing hosts to not send Solicit messages.
IPv6 Source Guard is filtering the server's responses because the server's IPv6 address is not in the binding table.
The switch has DHCP snooping enabled for IPv4, which is interfering with IPv6 DHCPv6 operation.
A network engineer is troubleshooting an issue where IPv6 traffic is being forwarded incorrectly on a switch. The switch is configured with IPv6 Source Guard on access ports. A legitimate host on port Fa0/1 with IPv6 address 2001:db8:1::10 is unable to send traffic to the default gateway. The engineer checks the IPv6 binding table and sees that the host's entry is missing. What is the most likely cause?
The host is using a static IPv6 address, and ND snooping is not enabled on the VLAN, so the binding was never learned.
Correct because IPv6 Source Guard relies on ND snooping to learn static addresses; without it, the host's traffic is dropped.
The host's MAC address is not in the MAC address table for VLAN 1.
The switch is running IPv6 First Hop Security in monitor mode, which logs violations but does not drop traffic.
The default gateway router is not sending Router Advertisements, so the host cannot form a default route.
An engineer is troubleshooting an IPv6 connectivity issue where hosts on VLAN 10 cannot reach the internet. The switch is configured with IPv6 First Hop Security features including RA Guard and DHCPv6 Guard. The legitimate router is connected to port Gi1/0/1. The engineer notices that the router is sending RAs, but hosts are not receiving them. The switch shows that RA Guard is dropping packets on port Gi1/0/1. What is the most likely misconfiguration?
The RA Guard policy is configured with 'device-role host' on port Gi1/0/1, which causes the switch to drop all RAs received on that port.
Correct because 'device-role host' tells the switch that only hosts are allowed on that port; RAs from a router will be dropped.
DHCPv6 Guard is configured on port Gi1/0/1, blocking the router's DHCPv6 server messages.
IPv6 Source Guard is enabled on the VLAN, and the router's IPv6 address is not in the binding table.
The switch has IPv6 unicast-routing enabled, and it is sending its own RAs, causing a conflict.
A network engineer is troubleshooting an issue where IPv6 hosts are unable to perform Duplicate Address Detection (DAD) successfully. The switch is configured with IPv6 First Hop Security features including ND Inspection and ND Suppress. The engineer notices that Neighbor Solicitation messages for DAD are being dropped by the switch. What is the most likely cause?
ND Inspection is configured to drop Neighbor Solicitations with an unspecified source address (::) because it has no binding for that address.
Correct because ND Inspection typically requires a valid binding for the source address; DAD uses :: as source, which is not in the binding table, causing drops.
RA Guard is configured to drop all multicast traffic, including Neighbor Solicitations.
DHCPv6 Guard is blocking the DAD messages because they are considered DHCPv6 traffic.
IPv6 Source Guard is dropping the DAD messages because the source address :: is not in the binding table.
An engineer is troubleshooting a network where IPv6 hosts on VLAN 20 are unable to communicate with each other. The switch is configured with IPv6 First Hop Security features including Private VLAN (PVLAN) and IPv6 Source Guard. The hosts are in the same VLAN but cannot ping each other. What is the most likely cause?
The switch has Private VLAN configured on VLAN 20, and the hosts are on isolated ports, which prevents direct communication.
Correct because PVLAN isolates traffic between hosts on isolated ports within the same VLAN.
IPv6 Source Guard is blocking inter-host traffic because the hosts' bindings are not in the binding table.
RA Guard is blocking Neighbor Advertisements between hosts.
DHCPv6 Guard is blocking DHCPv6 messages between hosts.
Want more IPv6 First Hop Security practice?
Practice this domainA network engineer is troubleshooting a router that is not sending SNMP traps to the NMS server at 10.1.1.100. The SNMP configuration includes 'snmp-server enable traps' and 'snmp-server host 10.1.1.100 version 2c public'. The engineer can ping the NMS server from the router, and 'show snmp' indicates SNMP is enabled. What is the most likely cause of the missing traps?
The NMS server is not listening on UDP port 162.
The 'snmp-server trap-source' command is missing, causing traps to use an incorrect source IP.
Without 'snmp-server trap-source', the router uses the outgoing interface IP, which may not match the NMS's expected source or may be unreachable.
The SNMP community string 'public' is not configured on the router.
The router's ACL is blocking outbound UDP traffic to port 162.
An engineer is troubleshooting a router that fails to write its running configuration to startup configuration using 'copy running-config startup-config'. The command returns 'Destination filename [startup-config]?' and then the prompt returns without error. 'show startup-config' shows an empty configuration. What is the most likely cause?
The router is configured to boot from a TFTP server using the 'boot host' command, and the TFTP server is unreachable or does not allow writes.
When 'boot host' points to a remote file, 'copy running-config startup-config' tries to write to that remote server; if it fails, the local startup-config remains empty.
The NVRAM is full and the router cannot save the configuration.
The 'file prompt quiet' command is configured, suppressing prompts.
The router is running in ROMMON mode.
A network engineer is troubleshooting a router that has been running for 200 days. The router experiences a sudden reboot, and after reload, the configuration is missing. 'show startup-config' returns 'startup-config is not present'. The engineer checks the boot variable: 'boot system flash:ios-image.bin'. What is the most likely cause of the configuration loss?
The router's NVRAM has a hardware failure and lost the configuration.
The engineer did not execute 'copy running-config startup-config' before the reboot.
The router had been running for 200 days without a save; after reload, the running-config is lost, and startup-config is empty because it was never saved.
The 'boot system' command points to a TFTP server that also contains a configuration file, overwriting the local startup-config.
The router's configuration register is set to 0x2142, ignoring startup-config.
An engineer is troubleshooting a router that is not sending syslog messages to the syslog server at 192.168.1.10. The configuration includes 'logging host 192.168.1.10' and 'logging trap informational'. The engineer can ping the syslog server from the router. 'show logging' shows that the logging buffer is filling with messages. What is the most likely cause?
The syslog server is not listening on UDP port 514.
The 'logging source-interface' command is missing, causing syslog messages to use an incorrect source IP.
Without 'logging source-interface', the router uses the IP of the egress interface, which may not be reachable from the syslog server or may be filtered.
The 'logging on' command is not configured.
The syslog server's IP address is incorrect in the configuration.
A network engineer is troubleshooting a router that is not responding to ICMP echo requests from a management station at 10.10.10.1. The router has an ACL applied to the VTY lines that permits only 10.10.10.0/24. The engineer can telnet to the router from the management station. What is the most likely cause?
The VTY ACL also applies to ICMP traffic.
An inbound ACL on the interface denies ICMP from 10.10.10.1.
Since Telnet works, the VTY ACL is not the issue; an interface ACL blocking ICMP is the likely cause.
The router has 'no ip icmp echo' configured globally.
The management station is not in the routing table of the router.
An engineer is troubleshooting a router that is configured as an NTP client. The router's clock is not synchronizing with the NTP server at 192.168.1.1. 'show ntp status' shows 'clock is unsynchronized', and 'show ntp associations' shows the server as '.INIT.' with no reachability. The engineer can ping the NTP server. What is the most likely cause?
The NTP server is not configured to respond to NTP requests from this client.
Ping works, but NTP uses UDP 123; the server may be configured to deny service to this client, or the server's NTP service is not running.
The router's 'ntp source' command is missing, causing NTP packets to use an incorrect source IP.
The router's clock is set too far in the future, causing NTP to reject the server's time.
The router has 'ntp authenticate' enabled without the proper key.
Want more Device Management practice?
Practice this domainA network engineer notices that an SNMPv3 poll from the NMS to router R1 fails with an authentication error. The engineer has configured 'snmp-server group ADMIN v3 priv' and 'snmp-server user admin ADMIN v3 auth sha cisco123 priv aes 128 cisco456'. The NMS is configured with the same credentials. What is the most likely cause of the failure?
The SNMP group is missing the 'access' ACL that permits the NMS IP address.
Correct because SNMPv3 requires an access list on the group to allow the NMS; without it, the NMS is denied despite correct credentials.
The SNMP user password must be at least 8 characters; 'cisco123' is only 8, but the hash algorithm requires a minimum of 12 characters.
The NMS is using SNMPv2c, which is incompatible with SNMPv3 configuration.
The 'priv' keyword in the group definition should be 'auth' instead to match the user's authentication settings.
An engineer is troubleshooting why the NMS is not receiving SNMP traps from router R2. The configuration includes 'snmp-server enable traps', 'snmp-server host 10.1.1.100 version 2c public', and an extended ACL 100 that permits UDP port 162 from 10.1.1.100. The NMS can ping R2. What is the most likely cause?
The ACL is applied inbound on the interface, but it should be applied outbound to allow trap packets to leave the router.
Correct because traps are sent from the router; the ACL must permit outbound UDP port 162 to the NMS, not inbound.
The 'snmp-server host' command is missing the 'trap' keyword, causing the router to send informs instead.
The community string 'public' is case-sensitive; the NMS is using 'Public' with a capital P.
The router needs the 'snmp-server trap-source' command to specify the source interface for traps.
A network engineer configures SNMPv2c on router R3 with 'snmp-server community cisco RO' and 'snmp-server community cisco RW'. The NMS can poll read-only data but fails when trying to write a configuration value. The NMS uses the RW community string. What is the most likely cause?
The community string 'cisco' is used for both RO and RW; the router applies the first matching community, which is RO.
Correct because identical community strings cause the router to use the RO access, preventing writes.
The NMS is sending the community string in uppercase, but the router expects lowercase.
The router needs the 'snmp-server enable traps' command to allow write operations.
The NMS must use SNMPv3 for write operations; SNMPv2c does not support writes.
An engineer is troubleshooting why the NMS is not receiving SNMP traps for interface up/down events on router R4. The configuration includes 'snmp-server enable traps snmp linkdown linkup' and 'snmp-server host 10.1.1.200 version 2c public'. The NMS can receive other traps from R4. What is the most likely cause?
The engineer combined 'linkdown' and 'linkup' in a single command; they must be configured as separate 'snmp-server enable traps' commands.
Correct because the IOS syntax requires separate commands for each trap type; combining them is invalid.
The NMS is configured to filter out link up/down traps, so they are not displayed.
The router needs the 'snmp-server trap-source' command to specify the loopback interface for traps.
The 'snmp-server host' command must include the 'udp-port' option to specify port 162.
A network engineer is troubleshooting why the NMS cannot poll SNMP data from router R5. The router has 'snmp-server community cisco RO' configured. The NMS is on subnet 192.168.1.0/24, and the router has an ACL applied to the VTY lines that permits only 10.0.0.0/8. The NMS can ping the router. What is the most likely cause?
The engineer applied an ACL to the SNMP community that denies the NMS subnet, but the VTY ACL is unrelated.
Correct because the community string's ACL must permit the NMS; the VTY ACL does not affect SNMP.
The VTY ACL is blocking SNMP packets because SNMP uses TCP port 161.
The router needs the 'snmp-server ifindex persist' command to enable polling.
The NMS is using SNMPv3, but the router only has SNMPv2c configured.
An engineer is troubleshooting why SNMPv3 informs are not being received by the NMS from router R6. The configuration includes 'snmp-server group ADMIN v3 priv', 'snmp-server user admin ADMIN v3 auth sha cisco123 priv aes 128 cisco456', and 'snmp-server host 10.1.1.100 informs version 3 priv admin'. The NMS can receive SNMPv3 traps from other routers. What is the most likely cause?
The NMS is not configured to respond to SNMP informs, so the router does not receive acknowledgment.
Correct because informs require an acknowledgment; if the NMS does not support it, informs fail.
The 'snmp-server host' command should use 'traps' instead of 'informs' for SNMPv3.
The router needs the 'snmp-server enable informs' command globally.
The SNMPv3 user must have the 'auth' privilege instead of 'priv' to send informs.
Want more SNMP Troubleshooting practice?
Practice this domainA network engineer notices that the syslog server at 10.1.1.100 is not receiving any log messages from a Cisco router running IOS-XE 16.9. The engineer has configured 'logging host 10.1.1.100' and 'logging trap debugging'. The router can ping the syslog server successfully. What is the most likely cause of the missing syslog messages?
The 'logging on' command is not configured globally.
Correct because 'logging on' must be enabled to allow any syslog messages to be sent to a remote server. Without it, all syslog output is suppressed.
The syslog server is using UDP port 514, but the router is sending over TCP.
The 'logging source-interface' is set to a loopback that is not advertised in the routing table.
The 'logging buffered' command is overriding the remote logging configuration.
An engineer is troubleshooting why syslog messages from a router are not being received by the syslog server at 192.168.1.10. The router configuration includes 'logging host 192.168.1.10' and 'logging trap 6'. The engineer runs 'debug ip packet' and sees packets destined for 192.168.1.10 being sent but no response. What should the engineer check first?
Verify that the syslog server is running and listening on UDP port 514.
Correct because if the server is not listening or a firewall drops the packets, the messages will never be received despite the router sending them.
Change the logging trap level to 7 (debugging) to ensure all messages are sent.
Add the 'logging source-interface' command to use a loopback interface.
Configure 'logging on' if it is not already enabled.
A network engineer is troubleshooting a router that is generating excessive syslog messages, filling up the local logging buffer and causing performance issues. The engineer wants to reduce the volume of messages sent to the remote syslog server while still capturing critical alerts locally. The current configuration includes 'logging buffered 4096 debugging' and 'logging host 10.1.1.100'. What is the best approach?
Change 'logging buffered 4096 debugging' to 'logging buffered 4096 errors' to reduce local messages.
Configure 'logging trap errors' under the logging host configuration to limit remote messages to severity 3 and above.
Correct because 'logging trap errors' sets the remote syslog threshold to severity 3 (errors), reducing volume while keeping local debugging intact.
Remove the 'logging buffered' command to stop all local logging.
Add 'logging rate-limit 10' to limit the number of messages per second.
A router is configured with 'logging host 10.1.1.100' and 'logging trap informational'. The engineer notices that syslog messages with severity 5 (notice) are being sent, but messages with severity 6 (informational) are not. What is the most likely cause?
The 'logging trap' command is set to 5 (notice) rather than 6 (informational).
Correct because if the trap level is 5, only messages severity 0-5 are sent; severity 6 messages are excluded.
The syslog server is dropping severity 6 messages due to its own configuration.
The 'logging console' command is overriding the remote logging level.
The router's clock is not synchronized, causing timestamp issues.
An engineer is troubleshooting a router that is not sending syslog messages to the remote server at 192.168.1.10. The configuration includes 'logging host 192.168.1.10' and 'logging trap 7'. The router can ping 192.168.1.10. The engineer runs 'show logging' and sees 'Syslog logging: enabled (0 messages dropped, 0 messages rate-limited, 0 flushes, 0 overruns)'. What is the most likely cause?
The 'logging source-interface' is configured to an interface that is administratively down.
Correct because if the source interface is down, the router cannot use its IP address, and the syslog server may drop messages from an unexpected source IP or the packets may be routed incorrectly.
The 'logging on' command is missing from the configuration.
The syslog server is using TCP, but the router is configured for UDP.
The logging buffer is full, preventing new messages from being generated.
A router is configured to send syslog messages to two servers: 10.1.1.100 and 10.1.1.200. The engineer notices that only server 10.1.1.100 is receiving messages. The configuration shows 'logging host 10.1.1.100' and 'logging host 10.1.1.200'. Both servers are reachable via ping. What is the most likely cause?
The syslog service on 10.1.1.200 is not running or is blocked by a firewall.
Correct because if the server is not listening or traffic is blocked, messages will not be received even though the router sends them.
The router can only send to one syslog server at a time.
The 'logging host 10.1.1.200' command is missing the 'transport udp' keyword.
The second server is configured with a different severity level using 'logging trap' under the host.
Want more Network Logging and Syslog practice?
Practice this domainA network engineer is troubleshooting an intermittent BGP session failure between two routers. The BGP session drops every few hours and recovers after a few seconds. The engineer checks the logs and sees that an EEM applet is triggered just before each failure. The applet is configured to run a script that clears the BGP session when a specific syslog message is generated. What is the most likely cause of the BGP session failure?
The BGP session is failing due to a physical layer issue.
The EEM applet is clearing the BGP session as part of its configured action.
Correct because the applet's action to clear the BGP session directly causes the session failure when triggered.
The BGP session is failing due to a routing loop.
The EEM applet is causing a memory leak that crashes the BGP process.
A network engineer notices that a router is sending SNMP traps for interface state changes even when there is no actual interface flapping. The engineer checks the running configuration and finds an EEM applet that monitors interface state changes and sends a syslog message. The applet is configured with a trigger condition that matches any interface state change. What should the engineer do to resolve the issue?
Remove the EEM applet entirely.
Modify the EEM applet trigger to match only the specific interfaces of interest.
Correct because narrowing the trigger condition prevents false positives while retaining monitoring capability.
Increase the debounce timer on the interface to reduce flapping.
Disable SNMP traps for interface state changes.
A network engineer is troubleshooting a router that fails to apply a specific configuration change after a reload. The engineer has an EEM applet that runs at boot time to apply a set of commands. After a reload, the engineer checks the configuration and finds that the commands were not applied. The applet is configured with event syslog pattern 'SYS-5-RESTART' and action cli command 'configure terminal'. What is the most likely cause of the failure?
The EEM applet is not enabled globally.
The syslog pattern 'SYS-5-RESTART' is misspelled.
The EEM applet runs before the router is fully booted, so the CLI commands fail.
Correct because the syslog message may be generated early in the boot process, and the router may not be ready to accept configuration commands at that point.
The EEM applet requires a 'event manager directory user' command to be configured.
A network engineer is troubleshooting a router that is experiencing high CPU utilization. The engineer checks the process list and sees that the 'EEM Server' process is consuming a significant amount of CPU. The engineer reviews the EEM configuration and finds multiple applets that are triggered by syslog events. What should the engineer do first to reduce CPU utilization?
Disable all EEM applets.
Use the 'show event manager statistics' command to see which applets are triggered most often.
Correct because this command provides per-applet trigger counts, helping pinpoint the culprit.
Increase the router's CPU priority for the EEM process.
Change the syslog trigger to use a less frequent pattern.
A network engineer is troubleshooting a router that is not sending SNMP traps for a specific interface down event. The engineer has an EEM applet configured to send an SNMP trap when the interface goes down. The applet uses event syslog pattern 'LINK-3-UPDOWN' and action snmp-trap. The interface goes down, but no trap is sent. What is the most likely cause?
The syslog pattern 'LINK-3-UPDOWN' is incorrect; the correct pattern is 'LINK-5-CHANGED'.
The EEM applet is not registered with the SNMP agent.
The SNMP trap action requires an SNMP community string to be specified in the applet.
The SNMP trap destination is not configured globally.
Correct because the EEM applet's SNMP trap action sends traps to the configured SNMP trap receivers; if none are configured, the trap is not sent.
A network engineer is troubleshooting a router that is not executing an EEM applet that is supposed to run when a specific interface goes down. The applet is configured with event syslog pattern 'LINK-3-UPDOWN' and matches the interface with a regex. The engineer checks the syslog and sees the message 'LINK-3-UPDOWN: GigabitEthernet0/1, changed state to down' but the applet does not run. What is the most likely cause?
The EEM applet is disabled.
The syslog message is not being sent to the EEM server due to logging level restrictions.
The regex pattern in the applet does not match the syslog message.
Correct because a mismatch in the regex pattern is a common cause for an applet not triggering.
The interface is not being monitored because it is a subinterface.
Want more Embedded Event Manager (EEM) practice?
Practice this domainA network engineer is troubleshooting a site-to-site VPN that intermittently drops. The engineer configured IP SLA 10 to track reachability of the remote LAN gateway (10.1.2.1) using ICMP echo probes every 5 seconds. The IP SLA is used in a static route to influence failover. The engineer notices that the IP SLA state shows 'Active' but the tracked route is not installed. What is the most likely cause?
The IP SLA probe is sending packets to the wrong destination IP.
The track object is configured with 'ip sla 10 reachability' but the static route references the track object incorrectly.
If the track object is not properly linked (e.g., 'track 1 ip sla 10 reachability' missing), or the static route uses a different track number, the route will not be installed even though the IP SLA is active.
The IP SLA probe frequency is too high, causing the router to ignore the results.
The remote gateway is not responding to ICMP echo requests due to firewall rules.
An engineer configured IP SLA 20 to monitor the reachability of a next-hop router (192.168.1.1) using UDP jitter probes. The goal is to use the IP SLA with a track object to influence EIGRP route selection. However, the EIGRP route is not being affected by the IP SLA state. The engineer verifies that the IP SLA is 'Active' and the track object shows 'Up'. What is the most likely misconfiguration?
The IP SLA probe type (UDP jitter) is not supported for tracking EIGRP routes.
The track object is not configured to influence the EIGRP route; EIGRP does not support direct tracking of IP SLA for route metrics.
EIGRP does not have a mechanism to directly track IP SLA states. The engineer must use a tracked static route or policy-based routing to influence traffic.
The EIGRP route has a higher administrative distance than the tracked route.
The IP SLA threshold is set too low, causing flapping.
A network engineer configured IP SLA 30 to monitor the reachability of a server (10.10.10.10) using ICMP echo probes. The IP SLA is linked to a track object that is used in a static default route. The engineer notices that the IP SLA state is 'Active', but the static route is not present in the routing table. The track object shows 'Up'. What should the engineer check first?
Verify that the static route includes the 'track' keyword and references the correct track object number.
The static route must be configured with 'ip route 0.0.0.0 0.0.0.0 <next-hop> track <track-number>'. If missing or wrong track number, the route will not be installed.
Check if the server is responding to ICMP echo requests.
Ensure the IP SLA probe is configured with a timeout value less than the frequency.
Reboot the router to clear any routing table inconsistencies.
An engineer configured IP SLA 40 with a UDP echo probe to monitor a remote server port 80. The IP SLA is used in a track object for a backup static route. The engineer observes that the IP SLA state is 'Timeout' even though the server is reachable via ping from the router. What is the most likely cause?
The router's firewall is blocking UDP packets to the server.
The server is not running a UDP service on port 80; HTTP uses TCP, so the UDP probe will fail.
UDP echo probes expect a UDP service on the target port. Port 80 is typically TCP, so the probe times out.
The IP SLA frequency is set too high, causing the router to miss responses.
The track object is misconfigured with the wrong IP SLA number.
A network engineer configured IP SLA 50 to monitor a remote router's loopback (5.5.5.5) using ICMP echo. The IP SLA is linked to a track object that is used in a PBR (policy-based routing) route-map. The engineer notices that the PBR is not applying the alternate path when the IP SLA goes down. The track object shows 'Down'. What is the most likely misconfiguration?
The route-map is missing the 'set ip next-hop verify-availability' command with the track object.
Without 'verify-availability', PBR does not check the track state and will continue using the primary next-hop even if the track is down.
The IP SLA probe is using the wrong source interface.
The track object is configured with a delay that prevents immediate reaction.
The PBR is applied to the wrong interface.
An engineer configured IP SLA 60 to monitor the reachability of a WAN link's next-hop (203.0.113.1) using ICMP echo. The IP SLA is used in a track object for a floating static route. The engineer notices that the primary route (EIGRP) is present, but the floating static route is not installed when the primary fails. The track object shows 'Down' after the primary fails. What should the engineer check?
Verify that the static route's administrative distance is higher than the EIGRP route (e.g., 170 vs 90).
If the static route has an AD lower than EIGRP (e.g., 1), it would be installed even when the primary is up, causing issues. For a floating static, AD must be higher.
Check if the IP SLA probe is configured with a timeout greater than the frequency.
Ensure the primary route is removed from the routing table before the static route is installed.
Reboot the router to clear the routing table.
Want more IP SLA practice?
Practice this domainA network engineer is troubleshooting a sudden drop in NetFlow data on a Cisco router running IOS-XE 17.x. The engineer verifies that 'ip flow-export destination 10.1.1.100 2055' is configured, and the collector is reachable. However, 'show ip flow export' shows zero packets exported. What is the most likely cause?
The collector IP address is incorrect.
No flow monitor is applied to any interface.
NetFlow data is only generated when a monitor or flow is enabled on an interface; without it, no flows are exported.
The export version is set to 9 but the collector expects version 5.
The router is in a VRF that is not configured for NetFlow export.
An engineer configures Flexible NetFlow on a Cisco router to monitor traffic on GigabitEthernet0/1. The flow record is defined with 'match ipv4 source address' and 'collect counter bytes'. The flow exporter sends data to 192.168.1.10:2055. After applying the monitor to the interface, 'show flow monitor name MONITOR cache' shows zero entries. What is the most likely root cause?
The flow exporter is not configured with a source interface.
The flow monitor is applied in the wrong direction.
If the monitor is applied ingress but traffic is egress, no flows are recorded. The engineer should check the direction.
The flow record does not include 'match ipv4 protocol'.
The collector is unreachable, causing the router to stop caching flows.
A network engineer configures Flexible NetFlow to export traffic statistics for a VRF named CUSTOMER_A. The configuration includes 'flow exporter EXPORTER' with destination 10.10.10.10:2055 and 'vrf CUSTOMER_A' under the exporter. The flow monitor is applied to the VRF interface. However, 'show flow monitor name MONITOR cache' shows no entries for VRF traffic. What is the most likely cause?
The exporter is missing the 'source' interface command.
The flow monitor is applied to the global routing table interface instead of the VRF interface.
The monitor must be applied under the VRF interface (e.g., interface GigabitEthernet0/1.100 with encapsulation dot1q and VRF forwarding CUSTOMER_A). Applying it to the physical interface without VRF will not capture VRF traffic.
The VRF is not configured with 'ip flow-export' commands.
The flow record does not match any VRF-specific fields.
An engineer notices that NetFlow export packets are being sent from a router but the collector reports missing data for certain flows. The engineer checks 'show ip flow export' and sees 'Exporting flows to 10.1.1.100 (2055)' with packets being sent. However, 'show flow monitor name MONITOR cache' shows many flows with zero byte counts. What is the most likely cause?
The flow exporter is using UDP port 2055, but the collector expects TCP.
The flow record includes 'collect counter packets' but not 'collect counter bytes'.
Without 'collect counter bytes', the byte counter remains zero. The engineer must add this directive to the record.
The router's CPU is overloaded, causing byte counters to not update.
The flow monitor is applied in egress direction, which does not support byte collection.
A network engineer configures a Flexible NetFlow monitor to capture traffic on a router's WAN interface. The flow record includes 'match ipv4 source address', 'match ipv4 destination address', and 'collect counter bytes'. After applying the monitor, 'show flow monitor name MONITOR cache' shows flows, but the collector receives no data. 'show flow exporter name EXPORTER statistics' shows 'Export packets sent: 0'. What is the most likely cause?
The flow exporter is configured with the wrong destination IP address.
The flow monitor is not associated with any flow exporter.
The monitor must be linked to an exporter using the 'exporter' command under the flow monitor configuration. Without it, no export occurs.
The flow exporter is missing the 'source' interface command.
The flow cache is full, preventing new exports.
An engineer configures Flexible NetFlow on a router to monitor both IPv4 and IPv6 traffic. The flow record is defined with 'match ipv4 source address' and 'match ipv6 source address'. After applying the monitor to an interface, 'show flow monitor name MONITOR cache' shows only IPv4 flows. What is the most likely cause?
IPv6 traffic is not present on the interface.
The flow record cannot combine IPv4 and IPv6 match fields; separate monitors are needed.
Flexible NetFlow requires separate flow records and monitors for each address family. Mixing IPv4 and IPv6 in one record is invalid.
The interface does not have IPv6 enabled.
The flow exporter is not configured to send IPv6 flows.
Want more NetFlow and Flexible NetFlow practice?
Practice this domainA network engineer configures SPAN on a Cisco Catalyst switch to monitor traffic between two hosts. The engineer configures the source interface as GigabitEthernet0/1 and the destination interface as GigabitEthernet0/2. After the configuration, the engineer notices that the monitored traffic is not being forwarded to the destination port. What is the most likely cause?
The destination port is not in the same VLAN as the source port.
The destination port is configured as a trunk port.
The destination port is in a blocking state due to Spanning Tree Protocol.
Correct because SPAN destination ports are not expected to participate in STP; they should be configured with 'spanning-tree portfast' to avoid blocking.
The source interface is not in the same VLAN as the destination interface.
An engineer configures RSPAN on a Cisco switch to monitor traffic from VLAN 10 across multiple switches. The engineer creates an RSPAN VLAN (VLAN 100) on the source switch and configures the source as VLAN 10. On the remote switch, the engineer configures the destination port as GigabitEthernet0/1 in VLAN 100. However, the destination port does not forward any monitored traffic. What is the most likely cause?
The RSPAN VLAN is not allowed on the trunk links between the switches.
Correct because the RSPAN VLAN must be permitted on all intermediate trunks for the monitored traffic to traverse the network.
The destination port is configured as an access port in VLAN 100.
The source switch does not have the RSPAN VLAN configured as a remote-span VLAN.
The destination port is not configured with 'monitor session' on the remote switch.
A network engineer is troubleshooting an ERSPAN configuration where traffic from a source router is being sent to a remote monitoring server. The engineer configures an ERSPAN source session on Router A to capture traffic on GigabitEthernet0/0 and send it to the IP address 10.1.1.100. The monitoring server does not receive any packets. The engineer verifies that IP connectivity exists between Router A and the server. What is the most likely cause?
The ERSPAN session is missing a tunnel interface configuration.
Correct because ERSPAN encapsulates monitored traffic in GRE tunnels; a tunnel interface must be configured and referenced in the monitor session.
The monitoring server is not listening on the correct UDP port.
The source interface is not in the same subnet as the destination IP.
The ERSPAN session is configured with the wrong source IP address.
An engineer configures a local SPAN session on a Cisco switch to monitor all traffic on VLAN 20. The engineer uses the command 'monitor session 1 source vlan 20' and 'monitor session 1 destination interface GigabitEthernet0/3'. The engineer connects a laptop to GigabitEthernet0/3 and runs a packet capture, but sees only traffic from the switch itself, not from other devices in VLAN 20. What is the most likely cause?
The SPAN session is configured to monitor only ingress traffic by default.
Correct because the default direction for a SPAN source VLAN is 'rx' (received traffic); to capture all traffic, the engineer must add 'both' or 'tx'.
The destination port is in a different VLAN than the source VLAN.
The switch does not support SPAN on VLANs.
The laptop is not configured to accept tagged traffic.
A network engineer configures an RSPAN session on Switch A to monitor traffic from interface GigabitEthernet0/1 and sends it to Switch B. The engineer creates RSPAN VLAN 50 on both switches and configures the trunk between them to allow VLAN 50. On Switch B, the engineer configures the destination port as GigabitEthernet0/2 in VLAN 50. The engineer notices that the destination port is not forwarding any traffic. What should the engineer check first?
Verify that the RSPAN VLAN is configured with the 'remote-span' command on both switches.
Correct because the 'remote-span' command is essential to designate the VLAN as an RSPAN VLAN; without it, the VLAN behaves as a normal VLAN.
Check that the destination port is not in a shutdown state.
Ensure that the source interface is not configured with 'no monitor session'.
Confirm that the trunk between switches is configured as a dot1q trunk.
An engineer configures ERSPAN on a Cisco router to monitor traffic on interface GigabitEthernet0/0/0 and send it to a monitoring server at 192.168.1.100. The engineer configures the ERSPAN session with a tunnel source of 10.0.0.1 and a tunnel destination of 192.168.1.100. The monitoring server receives no packets. The engineer pings 192.168.1.100 from the router and succeeds. What is the most likely cause?
The monitoring server does not have a route to the tunnel source IP 10.0.0.1.
Correct because the server needs to be able to respond to or process GRE packets; if it cannot reach the tunnel source, the packets may be discarded.
The ERSPAN session is configured with the wrong direction.
The router does not support ERSPAN.
The monitoring server is not listening on the correct TCP port.
Want more SPAN, RSPAN, and ERSPAN practice?
Practice this domainA network engineer is troubleshooting a DHCPv4 issue on a Cisco router configured as a DHCP server. Clients on VLAN 10 are unable to obtain IP addresses. The engineer verifies that the DHCP pool is correctly configured and that the router interface facing the clients has 'ip helper-address 192.168.1.1' pointing to the DHCP server. However, the DHCP server is on a different subnet and the router's interface is in a VRF. The DHCP DISCOVER messages are not reaching the server. What is the most likely cause?
The DHCP pool is missing the 'default-router' command.
The router needs the 'ip dhcp relay information option' command to insert Option 82.
The 'ip helper-address' command must be configured under the interface with the VRF name using 'ip helper-address vrf <vrf-name> <server-ip>'.
Correct because when the interface is in a VRF, the helper address must specify the VRF to ensure the DHCP broadcast is forwarded into the correct routing table.
The DHCP server is not configured with a scope for the client subnet.
An engineer is troubleshooting an IPv6 deployment where hosts on a subnet are not receiving IPv6 addresses via SLAAC. The router is configured with 'ipv6 unicast-routing' and the interface has 'ipv6 address 2001:db8:1::1/64' and 'ipv6 nd other-config-flag'. The hosts are sending Router Solicitations but receive no Router Advertisements. What is the root cause?
The interface is missing the 'ipv6 enable' command.
The 'ipv6 nd ra suppress' command is configured on the interface.
Correct because this command suppresses Router Advertisements, preventing hosts from receiving RAs even though the interface has an IPv6 address.
The 'ipv6 nd prefix' command is missing for the subnet.
The hosts are using DHCPv6 instead of SLAAC.
A network engineer is troubleshooting a DHCPv4 relay scenario where clients on subnet 10.1.1.0/24 are unable to obtain IP addresses from a DHCP server at 192.168.1.10. The router interface Gi0/0 (10.1.1.1/24) has 'ip helper-address 192.168.1.10' configured. The engineer captures packets and sees DHCP DISCOVER messages sourced from 10.1.1.1 being sent to 192.168.1.10, but no replies are seen. The server is reachable via ping from the router. What is the most likely cause?
The DHCP server does not have a route to 10.1.1.0/24.
The DHCP server is not configured with a scope for subnet 10.1.1.0/24.
Correct because if the server has no scope for the client subnet, it will ignore the DISCOVER message and not send any reply, even though the relayed packet reaches the server.
The 'ip helper-address' command should be configured on the server-facing interface, not the client-facing interface.
The router needs the 'ip dhcp relay information option' command.
An engineer is troubleshooting a DHCPv6 stateful (DHCPv6) deployment. The router is configured as a DHCPv6 server with a pool for prefix 2001:db8:2::/64. Clients on the LAN are configured to use DHCPv6, but they are not receiving IPv6 addresses. The router interface has 'ipv6 address 2001:db8:2::1/64' and 'ipv6 dhcp server DHCP_POOL'. The engineer sees that the clients are sending SOLICIT messages, but the router sends no REPLY. What is the issue?
The interface is missing the 'ipv6 nd managed-config-flag' command.
The DHCPv6 pool is missing the 'address prefix 2001:db8:2::/64' command.
Correct because without an address prefix in the pool, the DHCPv6 server has no addresses to assign and will not send a REPLY to SOLICIT messages.
The router needs the 'ipv6 dhcp relay' command on the interface.
The 'ipv6 unicast-routing' command is missing globally.
A network engineer is troubleshooting a DHCPv4 issue where clients on a subnet are getting IP addresses from the correct pool, but they cannot reach the default gateway. The router is configured as a DHCP server with pool 'POOL' that includes 'default-router 192.168.1.1'. The router's interface IP is 192.168.1.1/24. Clients receive the address and default gateway, but pings to 192.168.1.1 fail. What is the most likely cause?
The DHCP pool has the wrong subnet mask.
The router interface Gi0/0 is administratively down.
Correct because if the interface is down, the router cannot respond to ARP requests or pings from clients, even though DHCP assignments are still possible (the server process runs independently).
The 'ip helper-address' command is interfering with DHCP.
The clients have a static ARP entry for the gateway.
An engineer is troubleshooting a DHCPv4 issue where a Cisco router acting as a DHCP client on interface Gi0/0 is not receiving an IP address from an ISP modem. The router has 'ip address dhcp' on the interface. The engineer sees that the interface is up/up, but no IP address is assigned. Debug shows that the router is sending DHCP DISCOVER messages but receives no OFFER. The ISP modem is known to work with other devices. What is the most likely cause?
The router needs the 'ip dhcp client broadcast-flag' command.
The router is sending the client identifier as the MAC address in a non-standard format; the modem expects the client identifier to be the MAC address only.
Correct because Cisco routers by default send the client identifier as the MAC address with a type byte (0x01), while some modems expect only the MAC address; configuring 'ip dhcp client client-id' with the correct format resolves the issue.
The router's interface is in a VRF, and the DHCP client needs VRF awareness.
The ISP modem requires DHCP Option 82 to be present.
Want more DHCP (IPv4 and IPv6) practice?
Practice this domainA network engineer is troubleshooting connectivity from a host inside a corporate network to a public web server. The host has IP 10.1.1.10/24, and the router's outside interface is 203.0.113.1/24. The engineer configured a dynamic NAT pool (203.0.113.10-203.0.113.20) and an access list permitting 10.1.1.0/24. However, traffic from the host fails. A 'show ip nat translations' reveals no translations. What is the most likely cause?
The NAT pool is exhausted.
The 'ip nat inside' and 'ip nat outside' commands are misapplied on the interfaces.
The access list used in the NAT configuration does not match the source IP of the host.
Correct because dynamic NAT requires the ACL to match the source; if the ACL is misconfigured (e.g., denies the subnet), no translations are created.
The host's default gateway is not the router's inside interface.
A network engineer is troubleshooting PAT (overload) on a Cisco router. The inside network uses 192.168.1.0/24, and the outside interface has IP 198.51.100.1. The engineer configured 'ip nat inside source list 1 interface GigabitEthernet0/0 overload'. Traffic from inside hosts works initially, but after a few minutes, new connections fail. 'Show ip nat translations' shows many entries with the same outside global IP but different ports. 'Show ip nat statistics' indicates that the number of translations is near 500. What is the most likely cause?
The NAT pool is not configured with overload.
The outside interface is flapping, causing translations to be cleared.
The router has run out of available port numbers for PAT.
Correct because PAT uses a limited port range (usually 1024-65535), and with many sessions, ports can be exhausted, preventing new translations.
The access list is denying some inside hosts.
An engineer configures static NAT on a router to map a public IP 203.0.113.5 to an internal server 10.0.0.5. The configuration includes 'ip nat inside source static 10.0.0.5 203.0.113.5'. The server is reachable from the outside, but the server cannot initiate connections to the outside network. 'Show ip nat translations' shows the static entry. What is the most likely cause?
The server's default gateway is not the router's inside interface.
The 'ip nat outside' command is missing on the outside interface.
Static NAT does not translate the source IP for outbound traffic initiated by the inside host.
Correct because static NAT only translates destination IP for inbound traffic; for outbound, the source remains private unless additional NAT (e.g., overload) is configured for that host.
The router's routing table does not have a route back to the server's subnet.
A network engineer is troubleshooting NAT for a VoIP phone that uses SIP. The phone is at 192.168.2.10, and the router performs PAT to the outside interface 198.51.100.1. The phone can register with the SIP server, but calls fail after 30 seconds. The engineer notices that the SIP signaling includes the phone's private IP in the SDP body. What is the most likely cause?
The PAT port range is exhausted.
The router's SIP ALG is disabled, so the private IP in the SDP is not translated.
Correct because without SIP ALG, the router does not inspect and translate the IP addresses inside the SIP messages, causing media to be sent to the private IP.
The phone's default gateway is misconfigured.
The outside interface has a firewall blocking UDP ports.
An engineer configures NAT on a router with 'ip nat inside source list 1 interface GigabitEthernet0/0 overload'. The inside hosts are 10.0.0.0/24, and the outside interface is 203.0.113.1. Traffic works for most hosts, but one host at 10.0.0.50 cannot access the internet. 'Show ip nat translations' shows no entry for this host. 'Show access-lists' shows ACL 1 permits 10.0.0.0 0.0.0.255. What is the most likely cause?
The host's IP address is statically assigned and conflicts with another device.
The host has a misconfigured subnet mask or default gateway.
Correct because if the host's default gateway is not the router's inside interface (or subnet mask is wrong), the host will not send traffic to the router, so no NAT translation is attempted.
The NAT pool is exhausted.
The router's inside interface is administratively down.
A network engineer is troubleshooting NAT for a VPN tunnel. The router has a static NAT rule 'ip nat inside source static 10.0.0.10 203.0.113.10' for a server. The VPN traffic from the remote site to 203.0.113.10 is being NATed to 10.0.0.10, but the return traffic from the server to the remote site is not being translated back. The engineer sees that the server sends packets with source 10.0.0.10 to the remote site's public IP. What should the engineer do to fix this?
Add an 'ip nat outside' command on the inside interface.
Configure a route-map to exempt the VPN traffic from NAT.
Ensure that the router has a route to the remote site's public IP via the outside interface, and that the static NAT entry is correctly applied.
Correct because if the return traffic from the server is routed out a different interface (e.g., a VPN tunnel interface), the NAT might not be applied; the router needs to route the traffic via the outside interface where NAT is configured.
Change the static NAT to 'ip nat inside source static 10.0.0.10 203.0.113.10 extendable'.
Want more NAT and PAT practice?
Practice this domainThe 300-410 exam has 90 questions and must be completed in 120 minutes. Cisco passing scores vary by exam version and are not always publicly listed. Check the official Cisco exam page before booking.
CLI output interpretation, network topology analysis, routing behaviour, switching concepts, troubleshooting, and configuration questions.
The exam covers 29 domains: EIGRP Troubleshooting, OSPF Troubleshooting (v2/v3), BGP Troubleshooting, Route Redistribution, Policy-Based Routing (PBR), VRF-Lite, Route Maps and Route Filtering, Administrative Distance, Route Summarization, Bidirectional Forwarding Detection (BFD), MPLS Operations, MPLS L3VPN, DMVPN, IPsec Site-to-Site VPN, IPv6 Tunneling Techniques, Device Access Control, IPv4 Access Control Lists, IPv6 Traffic Filtering and uRPF, Control Plane Policing (CoPP), IPv6 First Hop Security, Device Management, SNMP Troubleshooting, Network Logging and Syslog, Embedded Event Manager (EEM), IP SLA, NetFlow and Flexible NetFlow, SPAN, RSPAN, and ERSPAN, DHCP (IPv4 and IPv6), NAT and PAT. Questions are weighted by domain — higher-weight domains appear more on your actual exam.
No. These are original exam-style practice questions written against the official Cisco 300-410 exam objectives. They are not copied from the real exam. Courseiva focuses on genuine understanding, not memorisation of braindumps.
Courseiva tracks your accuracy per domain and routes you toward weak areas automatically. Free, no account required.