Cisco · Free Practice Questions · Last reviewed May 2026
234 real exam-style questions organised by domain, each with the correct answer highlighted and a plain-English explanation of why it's right, and why the others are wrong.
A network engineer is designing a campus network with high availability for critical services. Which Cisco technology enables traffic to be forwarded to an alternate next hop in the event of a first-hop router failure, without requiring any configuration changes on the hosts?
Static default route with a floating static
GLBP
VRRP
HSRP
HSRP is a Cisco-proprietary FHRP: hosts point at a virtual IP and virtual MAC, and the standby router takes over that address when the active router fails, so nothing changes on the hosts. GLBP is also Cisco-proprietary and would work too (it adds per-host load balancing across gateways); VRRP is the IETF-standard equivalent; a floating static route changes the router's own forwarding, not the hosts' gateway, so it does not address a first-hop failure from the host's point of view.
A company is deploying a wireless network in an office with high client density. Which Cisco architecture is best suited to handle client roaming without requiring a central controller for every roaming event?
Mesh networking
Autonomous APs
Centralized switching with a WLC
FlexConnect
FlexConnect allows local data switching and fast roaming with minimal controller interaction.
An enterprise is using OSPF in a multi-area design. Area 1 is a regular area, and Area 2 is a totally stubby area. Which LSA types are present in Area 2?
Type 1, Type 2, Type 3 (including default)
Totally stubby areas allow only Type 1, Type 2, and a default Type 3 LSA.
Type 1, Type 2, Type 3, Type 5
Type 1, Type 2, Type 4, Type 5
Type 1, Type 2, Type 3 (including default), Type 4
A network engineer is troubleshooting a routing loop in an EIGRP network. Which EIGRP mechanism prevents a router from installing a backup path (feasible successor) learned from a neighbor when that path could loop back through the router itself?
Split horizon
Route poisoning
Hold-down timers
Feasibility condition
The feasibility condition guarantees a loop-free backup: a neighbor's path is accepted as a feasible successor only if its reported distance (RD) is strictly less than this router's feasible distance (FD) for the prefix. A neighbor whose RD is greater than or equal to the FD may be reaching the destination through this router, so its path is rejected. Split horizon and route poisoning also exist in EIGRP but do not select loop-free backups; hold-down timers belong to RIP.
A company is implementing QoS in a network where voice traffic must have strict priority over all other traffic. Which queuing mechanism should be used on the outbound interface of a router to ensure voice packets are always sent first?
Random Early Detection (RED)
Low Latency Queuing (LLQ)
LLQ combines a strict priority queue with CBWFQ, ensuring voice gets priority.
First In First Out (FIFO)
Class-Based Weighted Fair Queuing (CBWFQ)
A network administrator is configuring a new VLAN 100 on a switch and wants to ensure that the VLAN is created and active. Which command is required to create a VLAN in the VLAN database?
interface vlan 100
name VLAN100
vlan 100
This command creates VLAN 100 and enters VLAN configuration mode.
switchport access vlan 100
A large enterprise is redesigning its campus network to support 5000 users across three buildings. The design must provide high availability and fast convergence in case of a link failure. The network engineer is considering using Spanning Tree Protocol (STP) in the access layer. What is the primary design concern with using STP in this scenario?
STP will cause slow convergence and inefficient use of redundant links.
Correct because classic 802.1D STP blocks redundant links entirely and reconverges in roughly 30 to 50 seconds (max age plus listening and learning), which is not acceptable for a high-availability design. RSTP (802.1w) brings most failures down to sub-second, but the blocked-link problem remains; the usual design fix is Layer 3 to the access layer or multi-chassis EtherChannel so that every uplink forwards.
STP requires all switches to be in the same VLAN to function correctly.
STP cannot be used with 5000 users due to MAC address table limitations.
STP will cause broadcast storms in a three-building design.
A company is deploying a new data center and needs to choose between a three-tier (core, aggregation, access) and a spine-leaf architecture. The network engineer is concerned about east-west traffic patterns for server virtualization. Which architecture is most suitable and why?
Spine-leaf, because it provides equal-cost multipath (ECMP) for all leaf-to-leaf traffic.
Correct because spine-leaf uses ECMP to forward traffic between any two leaf switches with predictable latency, supporting east-west traffic efficiently.
Three-tier, because it offers more redundancy with multiple aggregation layers.
Spine-leaf, because it supports legacy spanning tree protocols.
Three-tier, because it is easier to manage with traditional VLANs.
An enterprise network is experiencing high CPU utilization on the distribution layer switches. The design uses VLANs with SVIs for inter-VLAN routing, and HSRP for first-hop redundancy. The engineer notices that the standby switch is also experiencing high CPU. What is the most likely cause?
The standby switch is processing HSRP hellos for all VLANs, causing CPU spikes.
Correct because each HSRP group sends hellos every 3 seconds by default, and both the active and the standby router process every group's hellos in software. With one group per VLAN (e.g., 500 SVIs) the standby switch does the same control-plane work as the active one, and aggressive sub-second hello timers multiply that load. The standby router does not forward broadcast traffic or route for the VLANs unless it has become active, and VTP is not involved.
The standby switch is forwarding all broadcast traffic due to a misconfigured STP root.
The standby switch is performing routing for all VLANs because the active switch failed.
The standby switch is processing VTP updates from the distribution layer.
A network engineer is designing a WAN connection for a branch office that requires high availability and bandwidth aggregation. The branch has two internet connections from different ISPs. The engineer wants to use both links actively for load balancing and failover. Which design approach should be used?
Deploy SD-WAN to actively use both links with policy-based load balancing.
Correct because SD-WAN is designed to utilize multiple WAN links simultaneously, providing load balancing and failover based on application policies.
Configure static routes with different metrics for each link and use HSRP for failover.
Use BGP with both ISPs and rely on BGP best path selection for load balancing.
Implement a VPN tunnel between the branch and headquarters using only one link.
A campus network uses a collapsed core design with two distribution switches and multiple access switches. The engineer wants to ensure that if one distribution switch fails, the access switches can still reach the core. The access switches are connected to both distribution switches. What additional configuration is required on the access switches?
Bundle both uplinks of each access switch into one EtherChannel that terminates on a multi-chassis port channel (vPC on Nexus, MEC on VSS/StackWise Virtual) on the distribution pair.
Correct because the access switch then sees one logical link: both uplinks forward, STP has nothing to block, and if one distribution switch fails the port channel simply loses a member. The vPC/MEC itself is configured on the distribution pair; the access switch needs only an ordinary LACP port channel. HSRP runs between the distribution switches, not on the access layer, and a Layer 2 access switch has no equal-cost routes to configure.
Enable STP on the access switches and set the root bridge priority to 0.
Configure the access switches with HSRP to the distribution switches.
Use static routing with equal-cost paths from the access switches to the distribution switches.
An enterprise is migrating from a traditional three-tier campus design to a software-defined access (SD-Access) fabric. The engineer needs to ensure that the existing wireless infrastructure integrates seamlessly. Which component of SD-Access is responsible for integrating wireless and wired policies?
Fabric Edge node
Correct because with fabric-enabled wireless the AP builds a VXLAN tunnel to the fabric edge it is attached to, so wireless client traffic enters the fabric at the edge and receives the same VN and SGT policy as wired clients. The WLC takes part in the control plane (it registers wireless endpoints with the control plane node) but is not in the data path; the border node hands off to external networks.
Fabric Control node
Fabric Border node
Wireless LAN Controller (WLC)
A network engineer is deploying Cisco SD-Access in a large enterprise campus. The design requires that all user traffic be segmented by Virtual Network (VN) and that the fabric edge nodes perform SGT-based enforcement. The engineer notices that traffic between two endpoints in the same IP subnet but different VNs is being forwarded directly at the fabric edge without any SGT inspection. What is the most likely cause?
The fabric edge nodes have not been configured with the proper SGT mappings.
The endpoints are in the same IP subnet, so they are necessarily in the same Virtual Network; the traffic is intra-VN, not inter-VN.
Correct. A VN is a separate routing instance (VRF) with its own prefixes, so two endpoints that share a subnet cannot be in different VNs; the premise is self-contradictory and the traffic is simply being switched within one VN. Note that SGT enforcement is not limited to inter-VN traffic: VNs give macro-segmentation, SGTs give micro-segmentation inside a VN, and SGACLs are enforced at the egress fabric edge. If intra-VN traffic passes untouched, the usual reason is that ISE has no SGACL for that source/destination SGT pair (the default is permit) or the matrix has not been downloaded to the edge; check with 'show cts role-based permissions' and 'show cts role-based counters'. The control plane node holds EID-to-RLOC mappings, not IP-to-SGT mappings, so the last option is wrong.
The fabric edge nodes are operating in Layer 2 mode and do not support SGT enforcement.
The control plane node has not been configured with the correct IP-SGT mappings.
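In a real fabric, DNA Center pushes the TrustSec configuration to the fabric edges. The fragment below is an added example written for this page (not the question bank's or Cisco's own configuration) showing the pieces that must be present on an IOS-XE fabric edge before intra-VN SGT enforcement happens at all. Assumed values, not taken from the question: ISE at 10.0.0.10, RADIUS key 'ISE-KEY', access port Gi1/0/5, and an IoT gateway 10.10.10.50 that is statically given SGT 40.

```cisco
! Added example, not from the question bank. Assumed: ISE 10.0.0.10, key ISE-KEY.
!
! 1. AAA towards ISE: ISE returns the SGT in the authorization result and
!    distributes the SGACL matrix to the switch.
aaa new-model
radius server ISE
 address ipv4 10.0.0.10 auth-port 1812 acct-port 1813
 pac key ISE-KEY
aaa group server radius ISE-GROUP
 server name ISE
aaa authentication dot1x default group ISE-GROUP
aaa authorization network default group ISE-GROUP
aaa authorization network CTS-LIST group ISE-GROUP
cts authorization list CTS-LIST
dot1x system-auth-control
!
! 2. Enforcement. Without these two lines the edge forwards intra-VN traffic
!    regardless of SGT, which is exactly the symptom in the question.
cts role-based enforcement
cts role-based enforcement vlan-list 10
!
! 3. Static IP-to-SGT binding for a device that cannot authenticate (assumed).
cts role-based sgt-map 10.10.10.50 sgt 40
!
! 4. Verification, run after a client has authenticated on Gi1/0/5:
!  show cts role-based permissions        SGACL matrix from ISE; an empty cell
!                                         means default permit, i.e. "no inspection"
!  show cts role-based counters           hits per source/destination SGT pair
!  show cts role-based sgt-map all        IP-SGT bindings (ISE, SXP, static)
!  show authentication sessions interface GigabitEthernet1/0/5 details
!                                         SGT actually assigned to the session
```

The security point: a missing SGACL is not a deny. Until ISE pushes a matrix entry for a given SGT pair, traffic between those groups is permitted, so an "enforcement" design must be validated with the counters, not by the presence of 'cts role-based enforcement' alone.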
An enterprise is migrating from a traditional three-tier campus network to Cisco SD-Access. The network engineer has deployed a fabric with a single fabric edge node and a single control plane node. Users in VLAN 10 report that they cannot reach their default gateway, which should be an anycast gateway address served by the fabric edge. What is the most likely cause of the problem?
The fabric edge node is not configured with the VLAN 10 SVI or the anycast gateway feature is disabled.
Correct. In SD-Access the default gateway is an anycast gateway: every fabric edge hosts the same SVI IP and MAC for the VLAN, so a host's gateway is always the edge it is attached to. If the VLAN 10 SVI is missing on that edge, or the anycast gateway feature is disabled, nothing on the edge answers ARP for the gateway address. Verify with 'show running-config interface Vlan10' and 'show ip interface brief'. An unreachable control plane node would break reachability to remote endpoints, not to the local gateway, and a fabric edge is a Layer 3 device by definition of its role.
The control plane node is not reachable from the fabric edge, causing the fabric edge to drop traffic.
The endpoints are not configured with the correct IP address for the default gateway.
The fabric edge node is in Layer 2 mode and cannot route traffic.
A network architect is designing an SD-Access fabric for a large enterprise campus. The design must support segmentation at Layer 2 and Layer 3 across the fabric, using a centralized control plane and policy enforcement. Which two protocols are essential for the SD-Access overlay to meet these requirements?
LISP and VXLAN
LISP provides the control plane (the control plane node is a LISP map-server/map-resolver that tracks which fabric edge each endpoint sits behind) and VXLAN provides the data-plane encapsulation. SD-Access uses the VXLAN-GPO header, which carries both the VNI (identifying the VN, for Layer 3 segmentation) and the 16-bit SGT, so one encapsulation transports both levels of segmentation. MP-BGP/MPLS, OSPF/GRE and IS-IS/NVGRE are not what the SD-Access overlay is built on.
MP-BGP and MPLS
OSPF and GRE
IS-IS and NVGRE
An architect is planning a Cisco SD-Access fabric deployment. The design must support host mobility across multiple fabric edge nodes while ensuring consistent policy enforcement. Which fabric component is responsible for tracking endpoint locations and mapping them to the fabric?
Fabric control plane node
The control plane node runs the LISP map-server/map-resolver, holding the endpoint identifier (EID, the host IP or MAC) to routing locator (RLOC, the fabric edge loopback) database. When a host moves, the new edge registers it and the mapping is updated, so policy follows the host; edge nodes query this database before encapsulating traffic. Border and edge nodes use the mappings but do not own them.
Fabric border node
Fabric edge node
Fabric wireless controller
A company is deploying an SD-Access fabric with multiple sites connected via a WAN. The design must allow inter-site traffic to be forwarded without requiring a full mesh of VXLAN tunnels between all edge nodes. Which fabric role should be used to interconnect the sites?
Fabric border node
Border nodes are the hand-off between a fabric site and anything outside it (the rest of the enterprise, the WAN, another fabric site). In a multi-site design each site's borders connect to an SD-Access transit or an IP transit over the WAN, so edge nodes only tunnel to their local site and no full mesh of VXLAN tunnels between all edges is needed. There is no "fabric WAN controller" role in SD-Access.
Fabric control plane node
Fabric edge node
Fabric WAN controller
An architect is designing an SD-Access fabric for a campus network that requires segmentation of guest, employee, and IoT traffic. The design must use Cisco TrustSec for policy enforcement. Which component is responsible for assigning the Security Group Tag (SGT) to endpoints upon authentication?
Cisco ISE
ISE authenticates the endpoint (802.1X, MAB or web authentication) and returns the SGT in the RADIUS authorization result; the fabric edge then carries that tag in the VXLAN-GPO header and egress edges enforce the SGACLs that ISE also distributes. DNA Center defines the policy and segments but does not assign tags at session time; the edge and control plane nodes apply or track, they do not assign.
Fabric edge node
Fabric control plane node
Cisco DNA Center
A network engineer is deploying a Cisco SD-WAN solution for a global enterprise with multiple regional hubs. The engineer wants to ensure that traffic from branch offices to the internet is always forwarded directly from the branch, even if the branch has a primary MPLS link and a backup broadband link. The engineer configures the vSmart policy to direct internet-bound traffic to use the local exit at the branch. However, after deployment, the engineer notices that some internet traffic is still being sent to the regional hub before reaching the internet. What is the most likely cause of this behavior?
The engineer configured the data policy under VPN 0 instead of the service VPN (e.g., VPN 10).
Correct because VPN 0 is the transport VPN, used only for tunnels and controller traffic; user traffic lives in service VPNs. A centralized data policy is defined for a vpn-list and applied to a site-list, so the local-exit action ('nat use-vpn 0') only takes effect when the policy is defined for the service VPN (e.g., VPN 10) and applied to the branch sites. Confirm what the edge actually received with 'show policy from-vsmart'.
The branch router does not have a default route in its routing table for the service VPN.
The engineer used a localized data policy instead of a centralized data policy.
The OMP route redistribution is not enabled on the branch router.
An enterprise is migrating from a traditional MPLS WAN to Cisco SD-WAN. The network team has deployed vEdge routers at all branch offices and a vSmart controller in the data center. The engineer configures a centralized control policy to influence path selection based on cost and latency. After the policy is activated, the engineer notices that some branches are not receiving the updated policy and are still using the default best-path selection. The vSmart is reachable from all branches, and the vEdge routers show that they are connected to the vSmart. What is the most likely reason for this issue?
The vEdge routers have not been rebooted after the policy change.
The control policy is not attached to the appropriate site list or VPN list.
Correct because on vSmart a policy is only enforced once it is referenced under 'apply-policy' for a site-list (with a direction, 'in' or 'out', for control policies); a policy that is defined but not applied is never used. Edges do not need a reboot for policy changes, OMP graceful restart does not cause policies to be ignored, and BFD runs between edges, not between an edge and vSmart.
The OMP graceful restart timer has expired, causing the vEdge to ignore the policy.
The BFD sessions between vEdge and vSmart are flapping.
A network engineer is configuring a Cisco SD-WAN fabric with vManage, vSmart, and vBond controllers. The engineer wants to ensure that all branch routers automatically discover the vSmart and vBond controllers without manual configuration on each branch. The engineer has configured the vBond with a public IP address and enabled NAT traversal. However, branch routers are failing to establish control connections. The engineer verifies that the branch routers have the correct organization name and that the vBond is reachable from the branches. What is the most likely missing configuration?
The vManage IP address is not configured on the branch routers.
The vSmart IP address is not configured on the branch routers.
The vBond IP address is not configured on the branch routers.
Correct because the vBond orchestrator is the only controller address an edge needs in advance ('system vbond <ip-or-fqdn>'). The edge authenticates to vBond over DTLS, and vBond returns the vManage and vSmart addresses (including any NAT-translated ones), after which the remaining control connections are built; vManage and vSmart addresses are never configured on the edge by hand. DTLS on port 12346 is the edge's own outbound control connection, so the edge's firewall is not the issue here.
The DTLS port 12346 is not open on the branch routers' firewall.
A large enterprise uses Cisco SD-WAN with multiple transport clouds (MPLS and Internet). The network team wants to ensure that voice traffic between two branch offices always uses the MPLS link, even if the Internet link has lower latency. The engineer creates a centralized data policy on the vSmart to match voice traffic based on DSCP EF and sets the preferred color to 'mpls'. After applying the policy, the engineer tests and finds that voice traffic is still using the Internet link. The vEdge routers show that the policy is received and active. What is the most likely reason for this failure?
The vEdge routers have not rebooted after the policy was applied.
The data policy was applied on the vEdge instead of the vSmart.
The DSCP EF marking is not supported in SD-WAN data policies.
The policy does not include a match condition for the correct VPN or site list.
Correct because a centralized data policy only acts on the sites in the site-list under 'apply-policy' and the VPNs in the vpn-list it is defined for; if the voice traffic's service VPN or the branch's site-id is not listed, the policy is received and active but never matches. DSCP is a valid match (written as the decimal value, 'dscp 46' for EF), and data policies are always applied on vSmart; a localized policy on the edge would be a different construct.
A network engineer is troubleshooting a Cisco SD-WAN deployment where a branch office has two WAN links: a primary MPLS link and a backup LTE link. The engineer wants to configure application-aware routing so that critical applications (e.g., Salesforce) always use the MPLS link as long as its loss is below 2% and latency below 150 ms. The engineer configures an app-route policy on the vSmart with the appropriate SLA requirements. After deployment, the engineer notices that Salesforce traffic is still using the LTE link even when the MPLS link meets the SLA. What is the most likely cause?
The app-route policy is not attached to the correct site list or VPN list.
Correct because an app-route policy is scoped like a data policy: it is defined for a vpn-list and applied under 'apply-policy' for a site-list. If the branch's site-id or the application's service VPN is not covered, the policy is never evaluated and traffic follows default path selection. If it is applied but the MPLS tunnel's BFD measurements exceed the SLA (loss 2%, latency 150 ms), traffic may use any path; check the measured values with 'show app-route stats' on the edge.
The LTE link has a lower cost metric than the MPLS link.
The app-route policy was applied on the vEdge instead of the vSmart.
The SLA requirements are not configured correctly in the policy.
An enterprise is deploying Cisco SD-WAN with a hub-and-spoke topology. The hub site has a vSmart controller and a vEdge router. The branch sites have vEdge routers. The engineer wants to ensure that all inter-branch traffic goes through the hub for security inspection. The engineer configures a centralized control policy on the vSmart to set the 'hub' as the preferred path for all routes. After the policy is applied, the engineer notices that branch-to-branch traffic is still going directly, bypassing the hub. The vEdge routers show that the control policy is received. What is the most likely issue?
The control policy is not attached to the correct site list.
The hub site is not configured with a different site ID than the branches.
Correct because site IDs are what the control policy's site-lists match on and what tunnel formation keys on: devices that share a site ID do not build tunnels to each other and are treated identically by any site-list, so a hub with the same site ID as the branches cannot be singled out by the policy. Note also that setting a preference alone leaves every spoke's TLOCs advertised, so spokes still build direct tunnels; a true hub-and-spoke control policy accepts only hub TLOCs toward the branch site-list and rewrites branch routes with the hub's tloc-list, rejecting everything else. A data policy cannot stop tunnels from forming.
The engineer should have used a data policy instead of a control policy.
The OMP admin distance is set too high on the hub.
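The three SD-WAN failures above (local exit, application-aware routing, hub-and-spoke) all come down to how a centralized policy is scoped and applied on vSmart. The following is an added example written for this page, not configuration from the question bank or from Cisco, that puts all three in one policy using vManage CLI syntax. Assumed values, none of which appear in the questions: service VPN 10, a hub with site-id 1 and system-ip 10.1.1.1, branch site-ids 100 to 199, the colors 'mpls' and 'biz-internet', and a hypothetical app-list named SAAS-CRITICAL.

```cisco
! Added example, not from the question bank. All names and numbers are assumed.
policy
 sla-class APP-SLA
  loss 2
  latency 150
 !
 lists
  site-list HUB
   site-id 1
  site-list BRANCHES
   site-id 100-199
  vpn-list SERVICE-VPNS
   vpn 10
  app-list SAAS-CRITICAL
   app salesforce
  data-prefix-list RFC1918
   ip-prefix 10.0.0.0/8
   ip-prefix 172.16.0.0/12
   ip-prefix 192.168.0.0/16
  tloc-list HUB-TLOCS
   tloc 10.1.1.1 color mpls encap ipsec
   tloc 10.1.1.1 color biz-internet encap ipsec
 !
 ! Local internet exit: defined for the SERVICE VPN, never for VPN 0.
 ! Internal destinations stay in the overlay; everything else is NATed out
 ! of the branch's own transport interface.
 data-policy LOCAL-INTERNET-EXIT
  vpn-list SERVICE-VPNS
   sequence 10
    match
     destination-data-prefix-list RFC1918
    action accept
   !
   sequence 20
    match
     destination-ip 0.0.0.0/0
    action accept
     nat use-vpn 0
  default-action accept
 !
 ! Application-aware routing: SLA class plus preferred color.
 app-route-policy CRITICAL-ON-MPLS
  vpn-list SERVICE-VPNS
   sequence 10
    match
     app-list SAAS-CRITICAL
    action
     sla-class APP-SLA preferred-color mpls
 !
 ! Hub-and-spoke: branches learn only the hub's TLOCs, and other branches'
 ! routes arrive rewritten with the hub's TLOCs, so no spoke-to-spoke tunnel
 ! is ever built. This only works if the hub has its own site-id.
 control-policy HUB-AND-SPOKE
  sequence 10
   match tloc
    site-list HUB
   action accept
  !
  sequence 20
   match route
    site-list HUB
   action accept
  !
  sequence 30
   match route
    site-list BRANCHES
   action accept
    set
     tloc-list HUB-TLOCS
  default-action reject
!
! None of the above is enforced until it is applied to a site-list.
apply-policy
 site-list BRANCHES
  data-policy LOCAL-INTERNET-EXIT from-service
  app-route-policy CRITICAL-ON-MPLS
  control-policy HUB-AND-SPOKE out
```

Two things to check on the edge after pushing this: 'nat use-vpn 0' only works if 'nat' is enabled on the VPN 0 transport interface of each branch, and 'show policy from-vsmart' plus 'show omp tlocs' confirm that the policy arrived and that the branch no longer sees other branches' TLOCs. If the hub shared a site-id with the branches, sequence 10 and sequence 30 could not distinguish it, which is the failure the last question describes.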
A network engineer is configuring QoS on a Cisco Catalyst 9300 switch to prioritize voice traffic. The switch has multiple access ports connected to IP phones and PCs. The engineer applies a policy-map that matches DSCP EF and sets the CoS to 5. However, after testing, the voice packets are not being marked correctly. What is the most likely cause?
The policy-map is not applied in the correct direction; ingress marking needs 'service-policy input' on the phone-facing port.
Correct because on Catalyst 9000 (IOS-XE) switches QoS is MQC only: there are no 'mls qos' commands on this platform and every port trusts incoming DSCP and CoS by default, so a missing trust statement cannot be the cause (those commands belong to older platforms such as the Catalyst 3750 and 2960). A marking policy-map only rewrites frames in the direction it is attached, so it must be attached inbound; confirm with 'show policy-map interface GigabitEthernet1/0/5 input' that the class is counting packets. DSCP-to-CoS mapping is supported, and a Cisco IP phone marks its bearer traffic EF by default.
The switch does not support DSCP-to-CoS mapping.
The interface is missing the 'mls qos trust cos' or 'mls qos trust dscp' command.
The IP phone is not sending packets with DSCP EF.
An enterprise is deploying a new VoIP system and wants to ensure voice traffic receives priority over data traffic on a WAN link. The engineer configures a class-map to match RTP traffic using the 'match protocol rtp' command. However, the class-map does not match any packets. What is the most likely reason?
RTP traffic uses UDP ports, and the class-map must match on the UDP port range instead.
The 'match protocol rtp' command depends on NBAR, which is not active: NBAR requires CEF and only starts classifying on an interface once a policy-map that references the class-map is attached there.
Correct because 'match protocol' is an NBAR classifier: it needs CEF switching ('ip cef') and it begins classifying on an interface only when the policy-map is attached with 'service-policy'; a class-map that is defined but not yet used in an attached policy shows no matches. 'ip nbar protocol-discovery' is not a prerequisite (it only collects per-protocol statistics). Matching RTP by UDP port range ('match ip rtp 16384 16383') is a valid alternative, not a requirement; 'match any' would defeat the purpose; and RTP is not guaranteed to arrive marked EF.
The class-map must be configured with 'match any' to capture all traffic.
RTP traffic is always marked with DSCP EF, so the class-map should match on DSCP instead.
A network engineer is designing a QoS policy for a Cisco router that connects to an MPLS VPN. The service provider expects all traffic to be marked with IP Precedence values. The engineer wants to ensure that voice traffic (DSCP EF) is mapped to IP Precedence 5. What configuration is required on the router to perform this mapping?
Configure a policy-map that sets the IP precedence to 5 using 'set ip precedence 5'.
Configure a policy-map that sets the DSCP to EF, and the router will automatically set IP precedence to 5.
Use the 'qos map dscp-ip-precedence' command to create a mapping table.
The router will automatically map DSCP EF to IP precedence 5 without any configuration.
Correct. IP Precedence and DSCP are two readings of the same 8-bit ToS byte: precedence is its top three bits, DSCP its top six. EF is 101110, so its precedence bits are 101, i.e. 5, and the provider sees precedence 5 with nothing configured; there is no mapping table to create because the bits already overlap. 'set ip precedence 5' would actually change the marking: it rewrites the byte to 101000 (CS5), which a DSCP-aware device downstream no longer recognises as EF. The second option is wrong only in its wording: nothing "sets" precedence, it is simply already there.
A company is implementing QoS on its campus network. The network engineer configures a policy-map that sets the CoS value for voice traffic to 5 on a switch interface. However, when the traffic reaches the router, the CoS marking is lost. What is the most likely reason?
The router does not trust the CoS marking and re-marks it to 0.
CoS is a Layer 2 marking and is not carried across a Layer 3 hop; the router must map CoS to DSCP.
Correct because CoS is part of the 802.1Q header, which is stripped when the packet is routed; the router needs to map CoS to DSCP to preserve the priority.
The switch must be configured to set DSCP instead of CoS.
The router must have 'mls qos trust cos' configured on the interface.
A network engineer is troubleshooting voice quality issues on a WAN link. The engineer notices that voice packets are being dropped during congestion. The QoS policy uses LLQ for voice traffic, but the priority queue is not providing the expected bandwidth. What is the most likely cause?
The priority queue is not configured with a bandwidth statement.
The priority queue has a built-in policer that drops traffic exceeding the configured bandwidth.
Correct because the LLQ priority queue carries an implicit policer at the configured rate ('priority 512' or 'priority percent 10'); while the interface is congested, voice traffic above that rate is dropped rather than queued, so the rate must be sized for the peak number of concurrent calls (about 87 kb/s per G.711 call on Ethernet). The policer is inactive while the link is uncongested, which is why the problem appears only under load. A 'bandwidth' statement cannot be combined with 'priority' in the same class, so the first option is not a valid configuration, and a class-map that did not match voice would leave it in class-default rather than dropping it selectively.
The class-map is not matching voice traffic correctly.
The router is using FIFO queuing instead of LLQ.
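The three QoS questions above (ingress marking on a Catalyst 9300, RTP classification with NBAR, and the LLQ policer) are stages of one voice path. What follows is an added example written for this page, not configuration from the question bank or from Cisco, covering the access switch and the WAN router. Assumed values, none from the questions: phone port Gi1/0/5 with data VLAN 10 and voice VLAN 110 on the switch; a 10 Mb/s sub-rate circuit on the router's Gi0/0/0, which is why the LLQ policy sits under a shaper.

```cisco
! Added example, not from the question bank. Interfaces, VLANs and rates are assumed.
!
! ---- Catalyst 9300 access switch (IOS-XE, MQC only: no 'mls qos' on this platform) ----
! Ports trust DSCP/CoS by default; marking is done by a policy attached INBOUND.
class-map match-any VOICE-BEARER
 match dscp ef
 match cos 5
policy-map MARK-VOICE-IN
 class VOICE-BEARER
  set dscp ef
 class class-default
  set dscp default
interface GigabitEthernet1/0/5
 switchport access vlan 10
 switchport voice vlan 110
 service-policy input MARK-VOICE-IN
!
! ---- WAN router (IOS-XE) ----
! NBAR ('match protocol') needs 'ip cef' and activates when the policy is attached.
! The port-range line is a fallback that does not depend on NBAR at all.
ip cef
class-map match-any VOICE-RTP
 match protocol rtp audio
 match ip rtp 16384 16383
 match dscp ef
class-map match-all CALL-SIGNALING
 match dscp cs3
!
! LLQ child policy. 'priority percent 10' of the parent's 10 Mb/s shape rate is
! 1 Mb/s, roughly 11 G.711 calls at ~87 kb/s each; the implicit policer drops
! anything above that, but only while the shaper is queuing (i.e. under congestion).
policy-map WAN-OUT
 class VOICE-RTP
  priority percent 10
 class CALL-SIGNALING
  bandwidth percent 5
 class class-default
  fair-queue
  random-detect dscp-based
!
! Parent shaper: a GigabitEthernet port never congests by itself on a 10 Mb/s
! circuit, so without the shaper the LLQ policy would never engage.
policy-map WAN-SHAPE
 class class-default
  shape average 10000000
  service-policy WAN-OUT
interface GigabitEthernet0/0/0
 service-policy output WAN-SHAPE
!
! Verification:
!  show policy-map interface GigabitEthernet1/0/5 input   (switch: marked packet counts)
!  show policy-map interface GigabitEthernet0/0/0         (router: per-class offered rate,
!                                                          and under VOICE-RTP the priority
!                                                          policer's conformed/exceeded counts)
```

If the exceeded counter under VOICE-RTP climbs during busy hours, the priority rate is undersized for the call volume; raising it is the fix, not removing the policer, which is what keeps a burst of mis-marked traffic from starving every other class.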
An enterprise is deploying QoS across a network that includes both Cisco and non-Cisco devices. The engineer wants to use a marking scheme that is end-to-end and not stripped at Layer 3 boundaries. Which marking field should the engineer use?
CoS
IP Precedence
DSCP
Correct because DSCP is a Layer 3 field that is preserved across routers and is supported by most vendors.
MPLS EXP
A network engineer is troubleshooting a Cisco IOS-XE router that hosts multiple virtual routing and forwarding (VRF) instances. Users in VRF-A report they cannot reach a server in VRF-B. The engineer verifies that both VRFs have the correct routes and that the router has a route leaking configuration using route-target import/export. However, connectivity still fails. What is the most likely cause?
BGP is not running with 'address-family ipv4 vrf' for VRF-A and VRF-B, so the route-target import/export statements have nothing to act on.
Correct because route targets are extended communities attached to routes in the BGP VPNv4/VRF tables: on an IOS-XE router the VRF import/export statements only take effect for routes that BGP has learned or redistributed into each VRF address-family. A BGP process with both VRF address-families is required even when no BGP neighbor exists. VRF-lite does support leaking this way, route-target export in VRF-A is already part of the stated configuration, and an import map is optional: it filters an import, it does not enable one.
The route-target export is not configured in VRF-A.
The router is using VRF-lite, which does not support route leaking.
The import map is missing in VRF-B.
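As an added example for the question above, written for this page rather than taken from the question bank or from Cisco, the following is a complete route-target leak between two VRFs on a single IOS-XE router. Assumed values, none from the question: AS 65000, VRF-A on Gi0/0/1 (10.1.0.0/24), VRF-B on Gi0/0/2 (10.2.0.0/24) with the server at 10.2.0.10. No BGP neighbor is configured; the BGP process itself is what makes the route-target statements do anything.

```cisco
! Added example, not from the question bank. Addresses and AS number are assumed.
vrf definition VRF-A
 rd 65000:1
 address-family ipv4
  route-target export 65000:1
  route-target import 65000:2
 exit-address-family
!
vrf definition VRF-B
 rd 65000:2
 address-family ipv4
  route-target export 65000:2
  route-target import 65000:1
 exit-address-family
!
interface GigabitEthernet0/0/1
 vrf forwarding VRF-A
 ip address 10.1.0.1 255.255.255.0
!
interface GigabitEthernet0/0/2
 vrf forwarding VRF-B
 ip address 10.2.0.1 255.255.255.0
!
! Without these two address-families nothing is ever tagged with 65000:1 or
! 65000:2, so nothing is imported: the exact symptom in the question.
router bgp 65000
 bgp log-neighbor-changes
 address-family ipv4 vrf VRF-A
  redistribute connected
 exit-address-family
 address-family ipv4 vrf VRF-B
  redistribute connected
 exit-address-family
!
! Checks:
!  show bgp vpnv4 unicast vrf VRF-B          10.1.0.0/24 present, carrying RT 65000:1
!  show ip route vrf VRF-B 10.1.0.0          installed as a BGP route
!  ping vrf VRF-A 10.2.0.10 source 10.1.0.1  end-to-end test from the VRF-A side
```

Leaking whole connected prefixes this way collapses the isolation the VRFs were created for: every VRF-A host can now reach every VRF-B host and vice versa. For a single server, add 'import map' with a route-map that permits only 10.2.0.10/32 under VRF-A's address-family, or leak through a firewall interface instead of directly; the import map is the filter, not the enabler.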
A data center uses Cisco Nexus 9000 switches with VXLAN EVPN to provide network virtualization. The operations team notices that VLAN 100 (mapped to VNI 10100) is not reachable across the fabric, although other VLANs work fine. The NVE interface is up, and the EVPN address-family is configured. Which two actions should the engineer take to isolate the issue?
Check if EVPN type-3 routes are being advertised for VNI 10100.
Confirm that multicast group 239.1.1.1 is reachable across the underlay.
Verify that VLAN 100 is mapped to VNI 10100 consistently on all VTEPs.
Inconsistent mapping breaks VXLAN bridging.
Ensure that VNI 10100 is added under the NVE interface.
VNI must be member of NVE to forward traffic.
Check if the MTU on the underlay is set to at least 1550 bytes.
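Three of the checks above (VLAN-to-VNI mapping, the VNI under the NVE interface, and the EVPN routes) correspond to specific lines of NX-OS configuration that must agree on every VTEP. The following is an added example written for this page, not configuration from the question bank or from Cisco, showing the per-VNI pieces for VLAN 100 / VNI 10100 and the show commands to compare across VTEPs. Assumed values, not from the question: BGP AS 65000, a route reflector at 10.255.0.1, and ingress replication via BGP (the multicast alternative with 239.1.1.1 is shown as a comment).

```cisco
! Added example, not from the question bank. AS number, peer and loopbacks are assumed.
feature bgp
feature nv overlay
feature vn-segment-vlan-based
nv overlay evpn
!
! The underlay must carry the 50-byte VXLAN overhead (the MTU check above).
system jumbomtu 9216
!
! Check 3 in the question: this mapping must be identical on every VTEP.
vlan 100
  vn-segment 10100
!
! Check 4: the VNI must be a member of the NVE interface.
interface nve1
  no shutdown
  host-reachability protocol bgp
  source-interface loopback1
  member vni 10100
    ingress-replication protocol bgp
    ! mcast-group 239.1.1.1   <- use instead of ingress-replication on a multicast underlay
!
! Check 1: without this, no type-3 (IMET) route is originated for the VNI and
! remote VTEPs never learn where to flood BUM traffic for it.
evpn
  vni 10100 l2
    rd auto
    route-target import auto
    route-target export auto
!
router bgp 65000
  neighbor 10.255.0.1
    remote-as 65000
    update-source loopback0
    address-family l2vpn evpn
      send-community extended
!
! Show commands to run on the broken VTEP and one working VTEP, in this order:
!  show nve vni 10100 detail          state Up, VLAN 100, replication mode, peer list
!  show nve peers                     every VTEP hosting VNI 10100 appears as a peer
!  show bgp l2vpn evpn vni-id 10100   type-3 (IMET) and type-2 (MAC/IP) routes present
!  show vxlan                         VLAN-to-VNI table; diff it against the other VTEPs
!  show interface nve1 counters       traffic actually entering/leaving the tunnel
```

A VTEP where 'show vxlan' lists VNI 10100 against a different VLAN, or where 'show bgp l2vpn evpn vni-id 10100' is empty, is the one to fix; the other VLANs working proves the underlay, BGP session and NVE source are fine, so the fault is in these per-VNI lines.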
A network engineer is deploying a Cisco Catalyst 9300 switch as a virtual switch using StackWise Virtual. The switch will connect to two upstream routers for redundancy. What is the best practice for connecting the uplinks?
Bundle the uplinks into an EtherChannel that spans both stack members.
EtherChannel across members provides redundancy and load balancing.
Use two separate routed interfaces, each with a routing protocol.
Connect each uplink to the active switch member.
Configure the uplinks in active/standby mode using STP.
A cloud provider uses Cisco ACI to automate provisioning of tenant networks. A new tenant requires a Layer 2 bridge domain that extends to an external Layer 2 network via a VPC. The engineer creates a bridge domain with the settings: Type: Regular, L2 Unknown Unicast: Flood, L3 Unknown Multicast Flood: Flood, and Multi-Destination Flooding: Flood. The VPC is configured as a virtual port channel. The tenant reports that broadcast traffic is not reaching the external network. What is the most likely cause?
The VPC configuration does not support L2 extension.
The bridge domain is configured as proxy mode for L2 unknown unicast.
The L2Out is not configured to flood BUM traffic.
L2Out must be configured with flood settings to extend flooding.
The bridge domain type should be set to 'L2 Only'.
An enterprise uses VMware vSphere to host multiple virtual machines (VMs). The network team wants to implement a virtual firewall on the hypervisor to inspect traffic between VMs on the same ESXi host. Which technology should be used?
Use VXLAN to encapsulate traffic and send it to a firewall.
Deploy a virtual firewall on a vSphere Distributed Switch with a private VLAN.
Private VLAN can redirect traffic to the virtual firewall.
Use a vSphere Standard Switch and configure port mirroring.
Deploy a physical firewall and route all VM traffic through it.
A network engineer configured three interfaces on a switch as shown. A host connected to Ethernet1/2 sends an untagged frame. Which VLAN will this frame be placed into when it reaches Ethernet1/3?
VLAN 999
VLAN 1
The frame is dropped because VLAN 10 is not allowed.
Ethernet1/3 trunk does not allow VLAN 10.
VLAN 10
A company is migrating its legacy firewall services to a virtualized environment using Cisco NFV. The network engineer deploys a virtual firewall (vFW) on an NFVIS-enabled UCS platform. After the deployment, traffic through the vFW is intermittent and performance monitoring shows high CPU usage on the host. Which action should the engineer take to improve performance?
Enable SR-IOV on the physical NICs and assign VFs to the vFW.
Correct because SR-IOV allows the vFW to directly access the physical NIC, reducing CPU overhead and improving throughput.
Increase the number of vCPUs allocated to the vFW VM.
Configure QoS policies on the vFW to prioritize traffic.
Disable hyperthreading on the host CPU.
An enterprise is deploying a virtual router (vRouter) as part of its NFV infrastructure. The engineer needs to ensure that the vRouter can handle a sudden spike in traffic without dropping packets. The vRouter is running on a KVM hypervisor. What should the engineer configure to guarantee CPU resources for the vRouter during peak demand?
Enable memory ballooning on the vRouter VM.
Configure CPU pinning and CPU reservation for the vRouter VM.
Correct because CPU pinning dedicates specific cores to the VM and reservation guarantees minimum CPU, preventing contention.
Enable DPDK on the vRouter's virtual NICs.
Set the vRouter VM to use NUMA node pinning.
A network engineer is deploying a virtual WAN edge device using Cisco SD-WAN on an NFVIS platform. After powering on the VM, the device fails to boot and the NFVIS console shows 'ERROR: No bootable device found'. The engineer verified that the ISO image is correctly uploaded. What is the most likely cause?
The VM's virtual disk size is too small for the WAN edge image.
The VM's CPU type is set to 'host-passthrough' instead of 'qemu64'.
The boot order in the VM configuration does not have the CD-ROM (ISO) as the first device.
Correct because the VM attempts to boot from the hard disk first, which is empty, leading to the error.
The ISO image is corrupted and NFVIS cannot read it.
An engineer is managing a Cisco NFVIS host running multiple virtual network functions (VNFs). The engineer needs to upgrade the NFVIS software to a new version that includes critical security patches. The upgrade process must minimize downtime. Which upgrade method should the engineer use?
Use the 'patch install' command to apply the upgrade without rebooting.
Use the 'software install add' command to stage the image, then 'activate' and 'commit' with a single reboot.
Correct because this method stages the upgrade and applies it with one reboot, minimizing downtime.
Perform a clean installation of the new NFVIS version and redeploy all VNFs.
Migrate all VNFs to another NFVIS host, then upgrade the original host.
A company uses Cisco NFVIS to host a virtual ASA (vASA) and a virtual router (vRouter). The engineer notices that the vASA cannot communicate with the vRouter even though both are on the same NFVIS host. The vASA is connected to a bridge network, and the vRouter is connected to a different bridge. What should the engineer do to enable communication between the two VNFs?
Connect a physical cable between two ports on the NFVIS host.
Create a new bridge that connects both VNFs, or use a virtual switch to route between the bridges.
Correct because placing both VNFs on the same bridge allows Layer 2 communication; alternatively, a virtual router can route between bridges.
Configure VLAN tagging on both VNFs with the same VLAN ID.
Add a static route on each VNF pointing to the other VNF's IP address.
An engineer is deploying a virtual network function (VNF) on a Cisco NFVIS host. The VNF requires four virtual NICs, each connected to a different network segment. The engineer creates four bridges on NFVIS and attaches each vNIC to a separate bridge. After deployment, the VNF can only communicate on the first bridge. What is the most likely cause?
The bridges are all mapped to the same physical interface without subinterfaces, causing a conflict.
Correct because each bridge must be associated with a unique physical interface or subinterface; otherwise, only one bridge works.
The VNF's operating system does not support multiple NICs.
The vNICs have duplicate MAC addresses.
The bridges were created in the wrong order.
A network engineer is deploying a new virtualized application on a VMware vSphere cluster. The application requires dedicated CPU cores to meet licensing requirements, and the engineer must ensure that no other virtual machine can use those cores. The cluster uses VMware ESXi 7.0. Which configuration should the engineer apply to the virtual machine?
Configure CPU affinity to pin the VM to specific physical cores.
Correct because CPU affinity (Scheduling Affinity in the VM's CPU settings) restricts this VM to the listed logical processors, which is what a per-core licence audit looks for. Note that it is one-way: to guarantee no other VM lands on those cores, the other VMs on the host must have affinity masks that exclude them (or the VM needs a dedicated host). A reservation guarantees capacity, not specific cores; a limit only caps usage; NUMA affinity keeps the VM on a node but not on particular cores. Affinity also constrains DRS placement and vMotion for that VM.
Set a CPU reservation equal to the number of vCPUs.
Enable NUMA node affinity for the VM.
Configure a CPU limit equal to the number of vCPUs.
An enterprise is migrating a legacy application from a physical server to a virtual machine on a KVM-based hypervisor. The application requires direct access to a PCIe network interface card for performance reasons. The engineer needs to provide the VM with dedicated hardware access while maintaining isolation from other VMs. Which technology should the engineer use?
Use PCI passthrough to assign the NIC directly to the VM.
Correct because PCI passthrough gives the VM exclusive access to the physical NIC.
Enable SR-IOV and assign a virtual function to the VM.
Configure a paravirtualized network driver (virtio).
Attach the VM to a Linux bridge using macvtap.
A network engineer is troubleshooting performance issues on a VMware ESXi host running multiple VMs. The host has two physical CPUs, each with 8 cores (16 logical processors with Hyper-Threading enabled). One VM, configured with 8 vCPUs, experiences high CPU ready time. Other VMs on the host are idle. What is the most likely cause of the high CPU ready time?
The VM's vCPUs span multiple NUMA nodes, causing memory access delays.
Correct because an 8-vCPU VM is a wide VM: the scheduler must find enough free logical processors at once (relaxed co-scheduling), and if it cannot keep them within one NUMA node it spreads them across both sockets, where remote memory access slows the vCPUs and prolongs their scheduling cycles; this shows up as ready time even with the rest of the host idle. Hyper-Threading is enabled per the question, the host is not overcommitted, and the VM's 8 vCPUs equal the cores of one socket, so the other options do not apply. In practice also rule out a CPU limit on the VM, which produces ready time on an idle host as well.
Hyper-Threading is disabled on the ESXi host.
The host is overcommitted with too many vCPUs.
The VM has more vCPUs than physical cores on a single socket.
A company is deploying a virtualized firewall on a VMware ESXi host. The firewall VM requires high network throughput and low latency. The engineer decides to use SR-IOV to assign a virtual function (VF) from a physical NIC to the VM. After configuration, the VM can communicate, but the host's management network becomes unreachable. What is the most likely cause?
The physical NIC's PF is also used for the host management network, and SR-IOV configuration disrupted it.
Correct because SR-IOV can interfere with the PF if the management network is on the same port.
The VM's VF is using the same MAC address as the host management interface.
The ESXi host requires a dedicated physical NIC for management when using SR-IOV.
The VM's VF is consuming all available bandwidth on the NIC.
A network engineer is designing a disaster recovery solution using VMware vSphere. The engineer needs to replicate virtual machines from the primary site to a secondary site with minimal downtime. The application VMs are running on NFS datastores. The engineer plans to use vSphere Replication. What prerequisite must be met for vSphere Replication to work with NFS datastores?
The NFS datastores must be mounted on both the source and target ESXi hosts.
Correct because vSphere Replication needs access to the source datastore to read data and the target datastore to write replicas.
The NFS datastores must be backed by a storage array that supports snapshot offloading.
The VMs must be configured with thick provisioning eager zeroed disks.
The NFS datastores must be part of a vSAN cluster.
An engineer is deploying a Linux virtual machine on a KVM hypervisor. The VM needs to be connected to a virtual network that provides isolation from other VMs on the same host but allows communication with the host and external networks. The engineer creates a Linux bridge and attaches the VM's tap interface to it. However, the VM cannot reach the external network. The host has a physical NIC (eth0) connected to the corporate network. What is the missing configuration step?
Add the physical NIC (eth0) as a port to the Linux bridge.
Correct because the bridge must include the physical NIC to forward traffic to the external network.
Configure a default gateway on the VM's network interface.
Assign an IP address to the Linux bridge interface.
Enable IP forwarding and configure NAT on the host.
A network engineer is configuring MPLS L3VPN on a Cisco IOS-XE PE router. The engineer creates a VRF named CUSTOMER_A with route-target import and export 100:1. After configuring the VRF on the interface connected to the CE router, the CE router can ping the PE's VRF interface IP, but cannot reach any remote VPNv4 routes. The BGP session between PE and route reflector is up. What is the most likely cause?
The route-target import/export values are mismatched with the route reflector's configuration.
The VRF is not activated under BGP using the address-family ipv4 vrf CUSTOMER_A command.
Correct because without this command, the PE does not redistribute VRF routes into VPNv4 or import VPNv4 routes into the VRF.
The CE router is not configured with a default route pointing to the PE.
The PE router needs the mpls ip command on the interface facing the CE router.
An enterprise uses VRF-lite to isolate guest Wi-Fi traffic from corporate traffic on a Cisco Catalyst 9300 switch. The guest VRF (GUEST) is configured on VLAN 100, and the corporate VRF (CORP) on VLAN 200. Both VRFs use the same default gateway router connected via a trunk. The engineer notices that guest devices can reach the internet but cannot access the guest captive portal hosted on a server in VLAN 100. The server's IP is reachable from the switch itself. What is the issue?
The guest server is in a different VLAN than the guest wireless subnet, and inter-VLAN routing is not configured within the GUEST VRF.
Correct because if the guest wireless clients and the captive portal server are in different VLANs but both in the GUEST VRF, the switch must have an SVI for each VLAN in the GUEST VRF and routing must be enabled. Without proper VRF-aware routing, packets are dropped.
The trunk between the switch and the router is not allowing VLAN 100.
The guest VRF is missing the route-target export command.
The captive portal server is configured with a default gateway that points to the corporate VRF.
A service provider uses MPLS L3VPN with multiple VRFs on a Cisco ASR 1000 PE router. One customer VRF (RED) has overlapping IP addresses with another VRF (BLUE). The engineer configures route-target import/export as 100:1 for RED and 200:2 for BLUE. Both VRFs have a static default route pointing to the CE. The PE receives VPNv4 routes from the route reflector for both VRFs. However, traffic from RED to its CE is working, but traffic from BLUE to its CE is intermittently failing. What is the most likely cause?
The BLUE VRF's interface is not configured with the ip vrf forwarding BLUE command, so the interface is in the global routing table.
Correct because if the interface is not associated with the VRF, traffic from that interface uses the global table, causing intermittent failures when the global table has conflicting routes.
The route-target import for BLUE is 200:2, but the route reflector exports routes with a different route-target.
The PE router has too many VRFs, causing memory exhaustion.
The BLUE VRF is missing the rd command.
A network engineer is troubleshooting a VRF-lite deployment on a Cisco Nexus 9000 switch. Two VRFs, PROD and DEV, are configured. The switch has an SVI for VLAN 10 in VRF PROD and VLAN 20 in VRF DEV. A firewall is connected to a Layer 3 port in VRF PROD for internet access. The engineer needs to allow the DEV VRF to reach the internet through the same firewall, but without using a separate physical interface. What should the engineer configure?
Configure a static route in VRF DEV pointing to the firewall's IP address in VRF PROD, and use the route-map to leak the route.
Correct because route leaking allows one VRF to use a next-hop in another VRF. A static route with the appropriate VRF and route-map can achieve this.
Place the firewall interface in both VRFs using the ip vrf forwarding command on the same interface.
Create a VLAN trunk between the switch and firewall, and assign the same VLAN to both VRFs.
Use policy-based routing (PBR) in VRF DEV to forward traffic to the firewall's MAC address.
An engineer is configuring MPLS L3VPN on a Cisco IOS-XR router. The VRF CUSTOMER_B is configured with route-target import 100:1 and export 100:1. The engineer notices that the VRF routes are not being advertised to the route reflector. The BGP session to the route reflector is established and the VPNv4 address family is activated. What is the missing configuration?
The VRF is not configured with a route distinguisher.
The engineer did not configure the address-family ipv4 unicast vrf CUSTOMER_B under BGP and redistribute the routes.
Correct because without this, the VRF routes are not injected into BGP VPNv4.
The route-target import/export values are incorrect.
The interface in the VRF is not configured with the ipv4 address.
A company uses VRF-lite to separate management traffic (VRF MGMT) from user traffic (VRF USER) on a Cisco Catalyst 3850 stack. The management network is 10.0.0.0/24, and the user network is 192.168.1.0/24. The engineer wants to allow SSH access from the user network to the management network for device administration. The switch has an SVI for each VRF. What is the simplest way to achieve this while maintaining VRF isolation?
Configure a static route in VRF USER pointing to the VRF MGMT's SVI IP address, and enable route leaking between the VRFs.
Correct because route leaking allows inter-VRF communication while keeping the VRFs separate. The static route tells USER how to reach MGMT.
Place both SVIs in the same VRF and use access-lists to restrict traffic.
Use a firewall between the VRFs to filter traffic.
Configure the switch to use the global routing table for SSH traffic only.
A network engineer is troubleshooting an EIGRP adjacency issue between two routers. The engineer verifies that both routers have the same K-values and autonomous system number. However, the adjacency does not form. Which configuration issue is most likely the cause?
Authentication is configured on one router but not on the other.
Mismatched authentication prevents EIGRP adjacency.
The network statement uses an incorrect subnet mask.
One router has a loopback interface that is not advertised.
The hello and hold timers do not match.
A company is implementing QoS in a campus network. Voice traffic must be prioritized over data traffic, and all traffic should be marked at Layer 2 and Layer 3. Which combination of marking values should be used on access ports to achieve this?
CoS 5, DSCP AF41
CoS 5, DSCP CS3
CoS 5, DSCP EF
CoS 5 and DSCP EF are the standard marks for voice.
CoS 4, DSCP EF
An engineer needs to configure a switchport to carry traffic for multiple VLANs to a router using a single physical link. Which configuration should be applied on the switchport?
Configure the port as a dynamic desirable port.
Configure the port as a trunk port.
Trunk ports carry multiple VLANs.
Configure the port as a routed port.
Configure the port as an access port.
A network engineer is deploying a new WLAN and needs to ensure that client traffic is encrypted using AES with a pre-shared key. Which security configuration should be applied to the wireless SSID?
WPA2-PSK with AES
WPA2-PSK with AES meets the requirements.
WPA3-PSK with AES
WPA2-PSK with TKIP
WEP with AES
A network administrator is troubleshooting an issue where OSPF routes are not being learned from a neighbor. The administrator checks the OSPF configuration and sees that both routers are in the same area. The neighbor state is stuck in EXSTART. What is the most likely cause?
The router ID is the same on both routers.
The area ID is different.
The hello timer is set to 30 seconds on one router.
The interface MTU does not match.
MTU mismatch causes EXSTART state.
An engineer is configuring a new VLAN 100 on a switch. Which command must be used to create the VLAN?
vlan 100
This creates VLAN 100.
switchport access vlan 100
vlan database
interface vlan 100
A network engineer is troubleshooting OSPF adjacency issues between two routers connected via a Gigabit Ethernet link. The engineer notices that the routers are stuck in the EXSTART state. Both routers have the same MTU of 1500 bytes. What is the most likely cause of this issue?
The OSPF network type is point-to-point on one router and broadcast on the other.
The OSPF hello and dead intervals are mismatched.
One router has a lower IP MTU configured on the interface, causing the DBD packet to be dropped.
Correct because OSPF routers exchange DBD packets in the EXSTART state. If the DBD packet size exceeds the IP MTU, the packet is dropped, and the routers remain stuck in EXSTART.
The OSPF router IDs are the same.
An enterprise network uses OSPF as its IGP. The network engineer notices that a particular route learned via OSPF is not being installed in the routing table, even though the neighbor adjacency is up and the route appears in the OSPF database. The route is an external route redistributed from EIGRP. What is the most likely cause?
The OSPF process ID is different on the routers.
The external route has a higher administrative distance than the internal route.
The forwarding address in the type 5 LSA is not reachable via an OSPF internal route.
Correct because OSPF requires the forwarding address to be reachable via an intra-area or inter-area route; otherwise, the external route is not installed.
The OSPF metric for the external route is too high.
A network engineer is configuring OSPF in a multi-area design. The engineer wants to reduce the amount of LSA flooding and the size of the LSDB in area 0. Which OSPF feature should be implemented on the ABR to achieve this goal?
Configure area 0 as a stub area.
Configure the ABR with an area filter-list to filter type 3 LSAs.
Correct because area filter-list can be used on an ABR to filter type 3 LSAs between areas, reducing LSDB size in area 0.
Configure OSPF database overflow protection.
Configure the ABR as an ASBR.
A network engineer is troubleshooting an OSPF adjacency issue between two routers connected via a serial link. The adjacency is stuck in the INIT state. The engineer has verified that the IP addresses are in the same subnet and that the link is up. What is the most likely cause?
The OSPF router IDs are the same.
The OSPF hello interval is mismatched between the two routers.
Correct because if the hello intervals are different, the routers will not agree on the hello timer, causing the adjacency to remain in INIT.
The OSPF process ID is different.
The OSPF network type is point-to-point on one router and point-to-multipoint on the other.
A network engineer is designing an OSPF network with multiple areas. The engineer wants to ensure that routers in area 2 can reach networks in area 0, but they should not learn any external routes from other ASs. Which OSPF area type should be configured for area 2?
Stub area
Correct because a stub area blocks type 5 LSAs, preventing external routes from being learned, and uses a default route for external destinations.
Not-so-stubby area (NSSA)
Totally stubby area
Standard area
A network engineer is troubleshooting an OSPF issue where a router is not learning a route to a network that is advertised via a type 5 LSA from an ASBR. The engineer checks the OSPF database and sees the type 5 LSA, but the route is not in the routing table. The forwarding address in the LSA is 0.0.0.0. What is the most likely cause?
The ASBR is not reachable via an OSPF internal route.
Correct because OSPF requires the ASBR to be reachable via an intra-area or inter-area route for the type 5 LSA to be installed.
The type 5 LSA has a metric of 16777215.
The OSPF process ID on the ASBR is different from the other routers.
The type 5 LSA is being filtered by an outbound route filter.
An enterprise network has two routers, R1 and R2, both running BGP. R1 is an eBGP speaker with ISP1, and R2 is an eBGP speaker with ISP2. Both routers are in the same AS 65000. The engineer wants to ensure that traffic from the enterprise to the Internet prefers the path through ISP1 when both links are up. R1 learns a default route from ISP1, and R2 learns a default route from ISP2. Which BGP attribute should the engineer modify on R1 to influence outbound traffic selection?
Set a higher local preference on R1 for the default route learned from ISP1.
Correct because local preference influences outbound path selection within the AS; a higher value makes the route more preferred.
Set a lower MED on R1 for the default route learned from ISP1.
Prepend AS 65000 multiple times on R2's updates to ISP2.
Configure a community on R1 to mark the default route as no-export.
A network engineer is troubleshooting BGP peering between two routers in different autonomous systems. The peering is established over a directly connected Ethernet link. The engineer notices that the BGP session is flapping every few minutes. The configuration on both routers appears correct, and the IP connectivity is stable. The engineer checks the BGP logs and sees messages like 'BGP-3-NOTIFICATION: sent 4/0 (Hold Timer Expired)'. What is the most likely cause of this issue?
The hold timer values are mismatched between the two routers.
Correct because a hold timer mismatch causes the router with the smaller hold time to expire, leading to session flaps.
The MTU on the link is mismatched, causing BGP packets to be fragmented.
The TTL for eBGP is set to 1, and the routers are not directly connected.
The BGP update timer is set too high, causing delays in sending updates.
A network engineer is configuring BGP on a Cisco router that is part of an enterprise network with multiple BGP peers. The router receives routes from two different ISPs. The engineer wants to ensure that only specific prefixes from ISP-A are installed in the routing table, while all other routes from ISP-A are ignored. Additionally, the engineer wants to accept all routes from ISP-B. Which BGP feature should be used on the router for the peering with ISP-A?
Apply a distribute list under the BGP neighbor configuration for ISP-A.
Correct because a distribute list with a prefix list can filter incoming routes based on prefix, allowing only specific prefixes.
Configure a network statement under BGP for the desired prefixes.
Use the default-information originate command under BGP.
Apply a route map to the neighbor using the route-map command in the inbound direction.
An enterprise has two BGP routers, R1 and R2, both in AS 65000. R1 peers with ISP1 (AS 100) and R2 peers with ISP2 (AS 200). The enterprise advertises a prefix 192.168.0.0/24 to both ISPs. The engineer wants to ensure that traffic from the Internet to this prefix enters the network primarily via R1, and only uses R2 if the link to ISP1 fails. Which BGP attribute should be manipulated on the updates sent to the ISPs?
Prepend AS 65000 multiple times on R2's updates to ISP2.
Correct because AS_PATH prepending makes the path through R2 longer, so ISP2 will prefer the path through ISP1, directing traffic to R1.
Set a higher MED on R1's updates to ISP1.
Set a higher local preference on R1 for routes learned from ISP1.
Use the no-export community on R1's updates to ISP1.
A network engineer is configuring BGP on a Cisco router that connects to two ISPs. The router has a default route pointing to each ISP. The engineer wants to load balance outbound traffic across both ISPs. The router receives a default route from both ISPs. Which BGP configuration approach will allow the router to install both default routes in the routing table and load balance traffic?
Configure the maximum-paths command under the BGP address family and use the bgp bestpath as-path multipath-relax command.
Correct because maximum-paths allows multiple paths to be installed, and multipath-relax ignores AS_PATH length differences, enabling load balancing across different ASes.
Configure the network command to advertise the default route from both ISPs.
Set the local preference to the same value on both default routes.
Use the redistribute command to redistribute the default routes into BGP.
An engineer is configuring BGP on a router that will act as a route reflector to reduce iBGP peering requirements. The router has several iBGP peers. The engineer wants to ensure that the route reflector does not modify the next-hop attribute of routes it reflects to its clients. Which configuration command should the engineer use?
Configure 'neighbor next-hop-unchanged' under the BGP address family for the route reflector clients.
Correct because this command explicitly instructs the router to not modify the next-hop attribute when sending routes to the specified neighbor, preserving the original next-hop.
Configure 'no bgp next-hop-self' under the BGP address family for the route reflector clients.
Configure 'bgp route-reflector' under the BGP address family.
Configure 'neighbor next-hop-self' on the route reflector for its clients.
A network engineer is troubleshooting an EIGRP issue in a large enterprise network. Two routers, R1 and R2, are connected via a T1 link. R1 is learning a route to 10.0.0.0/8 from R2 with a metric of 28160, but the same route is also learned from another neighbor with a metric of 26880. The engineer notices that the route from R2 is not being installed in the routing table. What is the most likely cause?
The route from R2 is a feasible successor, so it is not installed in the routing table.
EIGRP is using unequal-cost load balancing, so the higher metric route is not used.
The route with metric 28160 is not installed because EIGRP selects the route with the lowest metric.
Correct. EIGRP installs only the route with the best (lowest) metric in the routing table. Since 26880 is lower than 28160, the route from R2 is not installed.
The route from R2 is a summary route, so it is not installed in the routing table.
An engineer configures EIGRP on a new router in a DMVPN network. The router has a single physical interface with two subinterfaces: one for the DMVPN tunnel and one for a direct point-to-point link to a hub router. The engineer notices that EIGRP adjacencies form only on the point-to-point link, not on the DMVPN tunnel. The tunnel interface is configured with ip nhrp network-id 1 and ip nhrp nhs 10.1.1.1. What is the most likely reason?
The tunnel interface is not configured with the 'ip nhrp map' command for the hub router.
The tunnel interface is not configured with the 'ip eigrp' command under the interface configuration.
Correct. For EIGRP to form an adjacency over the tunnel interface, the interface must be included in the EIGRP process, typically with 'ip eigrp <as-number>' under the interface. Without it, EIGRP will not send or receive hello packets on that interface.
The DMVPN tunnel is using a different autonomous system number than the point-to-point link.
The tunnel interface is in a different VRF than the point-to-point link.
A network engineer is designing an EIGRP network with multiple routers. The network has a core layer where all routers are fully meshed. The engineer wants to ensure that if a link fails, EIGRP converges quickly without relying on route redistribution or static routes. The engineer configures EIGRP with default timers. However, during a failure simulation, convergence takes over 15 seconds. What is the most likely reason?
EIGRP is using passive interfaces on the core routers, preventing rapid updates.
The failed link was the only feasible successor for the affected routes, causing EIGRP to go into active state and query neighbors.
Correct. When the only feasible successor fails, EIGRP transitions to active state and sends queries to all neighbors. The time to receive all replies can exceed 15 seconds, especially in large networks.
EIGRP hold timers are set to 180 seconds by default, causing slow detection.
The engineer configured 'eigrp stub' on the core routers, which prevents query propagation.
An engineer is troubleshooting an EIGRP issue where a router is not learning a specific route from a neighbor. The engineer runs 'show ip eigrp topology all-links' and sees the route in the topology table with a feasible distance of 100 and a reported distance of 120. The neighbor's advertised distance is 80. The router's own computed distance to the network is 150. The route is not in the routing table. What is the most likely cause?
The route is a feasible successor, but the successor route is not present.
The route is not installed because the reported distance (80) from the neighbor is less than the feasible distance (100), but the router's computed distance (150) is higher.
The route is not installed because the feasible distance (100) is not the best metric; the router has another route with a lower metric.
Correct. The feasible distance is 100, but if there is another route with a lower metric (e.g., 90), that route would be the successor and installed. The route with FD 100 would not be installed. The scenario implies the route is not the best.
The route is not installed because EIGRP is configured for stub routing, which prevents learning routes.
A network engineer is configuring EIGRP on a router that connects to multiple remote sites via Frame Relay. The engineer wants to ensure that EIGRP does not form adjacencies over the Frame Relay interfaces to reduce overhead, but still wants to advertise the connected networks. The engineer applies the 'passive-interface' command to the Frame Relay interfaces. However, the remote sites stop receiving the routes. What is the most likely reason?
The 'passive-interface' command also prevents EIGRP from sending routing updates on that interface.
Correct. The passive-interface command suppresses both hello packets and routing updates. Therefore, the remote sites do not receive the routes.
The 'passive-interface' command only affects hello packets, not updates, but the remote sites are not configured correctly.
The engineer should use the 'neighbor' command under the EIGRP process to specify the remote routers.
The remote sites are using a different EIGRP autonomous system number.
An engineer is troubleshooting an EIGRP convergence issue in a network with redundant links. The engineer notices that when a primary link fails, the backup link takes over immediately, but the routing table shows the route with a higher metric. The engineer wants to ensure that the backup link is used only when the primary fails, and that traffic is not load-balanced. The engineer has configured 'variance 2' on all routers. What is the most likely effect of this configuration?
The variance 2 command causes EIGRP to install only the best metric route, so the backup link is not used.
The variance 2 command causes EIGRP to install both the primary and backup routes, resulting in unequal-cost load balancing.
Correct. With variance 2, if the backup route's metric is within twice the best metric, it will be installed and used for load balancing, which the engineer does not want.
The variance 2 command has no effect on route installation; it only affects the feasible successor selection.
The variance 2 command is used for equal-cost load balancing only.
A network engineer is troubleshooting a connectivity issue between two switches, SW1 and SW2, connected via a trunk link. SW1 is a Cisco Catalyst 3850 running IOS-XE, and SW2 is a Cisco Catalyst 2960 running IOS. The trunk is configured as dynamic desirable mode on SW1 and dynamic auto on SW2. The engineer notices that the trunk is not forming. What is the most likely cause?
The native VLAN is different on SW1 and SW2.
Correct because a native VLAN mismatch can cause DTP frames to be dropped, preventing trunk negotiation.
SW2 does not support DTP.
The trunk encapsulation is set to ISL on SW1.
VLAN 1 is not allowed on the trunk.
An engineer is configuring a new access switch for a branch office. The switch must support multiple VLANs for different departments: VLAN 10 (Engineering), VLAN 20 (Sales), and VLAN 30 (Management). The uplink to the distribution switch is a trunk. The engineer wants to ensure that only the required VLANs are allowed on the trunk and that the native VLAN is changed from the default to VLAN 99 for security reasons. Which configuration commands should the engineer apply on the access switch's uplink interface?
switchport mode trunk; switchport trunk native vlan 99; switchport trunk allowed vlan 10,20,30
Correct because it sets the trunk, changes the native VLAN, and restricts allowed VLANs.
switchport mode trunk; switchport trunk native vlan 99; switchport trunk allowed vlan except 10,20,30
switchport mode dynamic desirable; switchport trunk native vlan 99; switchport trunk allowed vlan 10,20,30
switchport trunk encapsulation dot1q; switchport mode trunk; switchport trunk native vlan 99
A network engineer is deploying a new server farm with multiple servers connected to a Cisco Nexus 9000 switch. Each server is dual-homed to two separate access switches for redundancy. The servers are configured with NIC teaming in active-standby mode. The engineer wants to ensure that if the active link fails, traffic continues without interruption. The access switches are connected to each other via a trunk. Which technology should the engineer implement on the access switches to prevent loops and allow both uplinks to be active?
Configure a vPC domain between the two access switches and use a vPC on the server-facing ports.
Correct because vPC allows both switches to act as a single logical switch for the server, providing active-active links and redundancy.
Enable Spanning Tree Protocol (STP) to block one of the links to prevent loops.
Configure an EtherChannel between the server and each access switch individually.
Implement Virtual Switching System (VSS) on the access switches.
An engineer is troubleshooting a problem where a host in VLAN 20 cannot communicate with a host in VLAN 30, even though both are connected to the same access switch. The access switch is configured with VLANs 20 and 30, and the uplink to the distribution switch is a trunk that allows both VLANs. The distribution switch has SVIs for both VLANs and IP routing is enabled. The engineer verifies that the trunk is up and both VLANs are allowed. What is the most likely cause of the communication failure?
The hosts are not configured with the correct default gateway pointing to the SVI on the distribution switch.
Correct because hosts need a default gateway to route traffic to other VLANs; if misconfigured, inter-VLAN communication fails.
The trunk is not allowing VLAN 20 or VLAN 30.
Spanning Tree Protocol is blocking the SVI interfaces.
The native VLAN mismatch on the trunk is causing the issue.
A network engineer is configuring a new Cisco Catalyst 9300 switch to connect to an existing network. The uplink to the core switch is configured as a trunk. The engineer wants to ensure that all VLANs except VLAN 1 are allowed on the trunk, and that the native VLAN is set to VLAN 999. Which configuration should the engineer apply on the uplink interface?
switchport mode trunk; switchport trunk native vlan 999; switchport trunk allowed vlan except 1
Correct because it sets the trunk, changes the native VLAN, and allows all VLANs except VLAN 1.
switchport mode trunk; switchport trunk native vlan 999; switchport trunk allowed vlan remove 1
switchport mode trunk; switchport trunk native vlan 999; switchport trunk allowed vlan 2-4094
switchport mode trunk; switchport trunk native vlan 999; switchport trunk allowed vlan none
An engineer is troubleshooting a connectivity issue between two switches, SW1 and SW2, connected via a trunk. The trunk is configured with switchport mode trunk on both sides. The engineer notices that some VLANs are not passing traffic, even though they are in the allowed list. The output of 'show interfaces trunk' on SW1 shows that VLANs 10, 20, and 30 are in the allowed list and are active. However, hosts in VLAN 30 cannot reach the distribution switch. What is the most likely cause?
VLAN 30 is not created in the VLAN database on SW2.
Correct because a VLAN must exist in the VLAN database on both ends of a trunk for traffic to pass.
The native VLAN is mismatched between SW1 and SW2.
VTP pruning is removing VLAN 30 from the trunk.
The trunk is not forming due to DTP negotiation.
A network engineer is troubleshooting an STP issue in a switched network. The network has two distribution switches connected via a trunk, and each distribution switch connects to the same access switch. The engineer notices that the root bridge is not the intended distribution switch. Upon checking, the engineer sees that the access switch has a higher priority than the distribution switches. The engineer needs to ensure that the intended distribution switch becomes the root bridge without causing a temporary loop. What should the engineer do?
Configure the 'spanning-tree vlan vlan-id root primary' command on the intended distribution switch.
Correct because this command sets the switch priority to 24576 (or lower if needed) to ensure it becomes the root bridge without manual configuration.
Set the priority of the access switch to 0 using the 'spanning-tree vlan vlan-id priority 0' command.
Increase the priority of the distribution switch to 61440 using the 'spanning-tree vlan vlan-id priority 61440' command.
Disable STP on the distribution switch and manually configure it as the root bridge.
An engineer is designing a redundant Layer 2 network with multiple VLANs. The network uses Rapid PVST+ for STP. The engineer wants to ensure that different VLANs have different root bridges to optimize traffic flow. The distribution switches are Cisco Catalyst 9300s. The engineer has configured one distribution switch as the root for VLANs 10 and 20, and the other as the root for VLANs 30 and 40. However, after implementation, the engineer notices that all VLANs have the same root bridge. What is the most likely cause?
The engineer used the 'spanning-tree root primary' command without specifying the VLAN, which sets the priority for all VLANs.
Correct because the command without the VLAN keyword applies to all VLANs, causing the same switch to be root for all VLANs.
The engineer enabled BPDU guard on all access ports, which prevents the switch from receiving superior BPDUs.
The engineer enabled PortFast on all trunk ports, which causes the switch to ignore BPDUs and become root.
The engineer enabled UplinkFast, which forces the switch to become the root bridge for all VLANs.
A network engineer is troubleshooting a Layer 2 loop issue. The network consists of three switches: SW1, SW2, and SW3, all connected in a triangle. The engineer notices that SW1 is the root bridge. After a link failure between SW1 and SW2, the network experiences a temporary loop. The engineer wants to prevent such loops in the future by enabling a feature that provides faster convergence and prevents temporary loops during topology changes. The engineer is using Rapid PVST+. Which feature should the engineer enable?
Enable Loop Guard on all switch ports.
Correct because Loop Guard prevents loops by keeping a port in blocking state if BPDUs are not received, ensuring that a port does not transition to forwarding incorrectly.
Enable BPDU Guard on all switch ports.
Enable Root Guard on all switch ports.
Enable UDLD on all fiber links.
An engineer is configuring a new access switch that connects to two distribution switches via trunk links. The distribution switches are configured with Rapid PVST+ and are both running as root bridges for different VLANs. The engineer wants to ensure that the access switch does not become the root bridge for any VLAN, even if the distribution switches fail. The engineer also wants to prevent any unauthorized switch from becoming root. What configuration should the engineer apply on the access switch?
Configure 'spanning-tree vlan 1-4094 priority 61440' and enable Root Guard on the uplink ports.
Correct because setting the priority to 61440 ensures the switch will not become root, and Root Guard on uplinks prevents any superior BPDUs from making the switch root.
Configure 'spanning-tree vlan 1-4094 priority 0' and enable BPDU Guard on the uplink ports.
Configure 'spanning-tree vlan 1-4094 priority 4096' and enable Loop Guard on the uplink ports.
Configure 'spanning-tree vlan 1-4094 priority 61440' and enable BPDU Guard on the uplink ports.
A network engineer is troubleshooting a connectivity issue in a switched network. The network uses Rapid PVST+ with multiple VLANs. The engineer notices that a host connected to an access port on SW1 cannot communicate with the default gateway, which is on a distribution switch. The access port is configured with PortFast and BPDU Guard. The engineer checks the switch logs and sees that the port went into errdisable state. What is the most likely cause of the errdisable state?
Another switch was connected to the access port, causing BPDU Guard to disable the port.
Correct because BPDU Guard disables a PortFast-enabled port if a BPDU is received, which happens when another switch is connected.
A broadcast storm occurred due to a loop in the network.
The host connected to the port caused a duplex mismatch.
The cable connecting the host is faulty, causing link flaps.
An engineer is designing a Layer 2 network with redundancy. The network uses MST (Multiple Spanning Tree) to reduce the number of STP instances. The engineer has configured two regions: Region 1 and Region 2. The engineer notices that switches in Region 1 are not forming a single MST region, and instead, they are treating each other as if they are in different regions. The engineer checks the configuration and finds that the region name and revision number are the same on all switches in Region 1, but the VLAN-to-instance mapping is different on one switch. What is the most likely cause of the issue?
The VLAN-to-instance mapping is not consistent across all switches in Region 1.
Correct because MST requires identical VLAN-to-instance mapping, region name, and revision number for switches to be in the same region.
The root bridge for each MST instance is not configured correctly.
BPDU Guard is enabled on the inter-switch links, preventing BPDU exchange.
PortFast is enabled on the inter-switch links, causing the switches to ignore BPDUs.
A network engineer is configuring EtherChannel between two Cisco Catalyst switches. The ports are configured as access ports in VLAN 10. After configuring the port-channel interface and adding the physical ports, the engineer notices that the EtherChannel does not come up. The show etherchannel summary command shows the port-channel in a down state. What is the most likely cause?
The physical ports are configured as access ports in VLAN 10, but the port-channel interface is not configured with the same VLAN.
Correct because the port-channel interface must have the same access VLAN as the physical ports, or the channel will not form.
The physical ports have different duplex settings.
The switch is using PAgP and the neighbor is using LACP.
The physical ports are in different VLANs.
An engineer is troubleshooting an EtherChannel between two switches. The show etherchannel summary output shows that the port-channel is up, but only one physical link is active. The other three links are in a suspended state. The physical ports are all configured identically with the same VLAN allowed. What is the most likely cause?
The port-channel has been configured with the 'channel-group 1 mode on' command, but the physical ports are using different speeds.
The port-channel has been configured with the 'port-channel min-links 1' command.
The port-channel has been configured with the 'port-channel max-links 1' command.
Correct because max-links limits the number of active ports in the EtherChannel.
The physical ports are in different VLANs.
A network engineer is configuring an EtherChannel between a Cisco switch and a server that supports LACP. The switch ports are configured as trunk ports allowing multiple VLANs. The engineer wants to ensure the EtherChannel forms automatically without manual intervention. Which configuration should be applied on the switch?
Configure the port-channel with 'channel-group 1 mode active'.
Correct because LACP active mode initiates negotiation with the server.
Configure the port-channel with 'channel-group 1 mode passive'.
Configure the port-channel with 'channel-group 1 mode desirable'.
Configure the port-channel with 'channel-group 1 mode on'.
A network engineer is troubleshooting an EtherChannel between two Cisco switches. The show etherchannel 1 port-channel command shows the port-channel is up, but traffic is not load-balanced evenly. The engineer notices that all traffic is using only one link. The physical ports are all configured identically. What is the most likely cause?
The load-balancing method is set to src-mac, and the traffic is from multiple MAC addresses.
The load-balancing method is set to src-dst-ip, and all traffic is between the same two IP addresses.
Correct because src-dst-ip hashes on source and destination IP; if they are the same, all traffic goes to the same link.
The physical ports have different speeds.
The port-channel is configured with 'lacp fast-switchover'.
A network engineer is configuring EtherChannel between two Cisco switches using LACP. The engineer wants to ensure that if fewer than two links are operational, the EtherChannel does not come up. Which command should be configured?
Configure 'port-channel min-links 2' under the port-channel interface.
Correct because min-links specifies the minimum number of active links needed for the channel to be up.
Configure 'lacp min-bundle 2' under the port-channel interface.
Configure 'channel-group 1 mode active' on the physical ports.
Configure 'port-channel max-links 2' under the port-channel interface.
A network engineer is configuring an EtherChannel between two Cisco switches. The engineer wants to use PAgP and ensure that the channel forms only if the neighboring switch is also configured for PAgP. Which mode should be configured on the local switch?
Configure 'channel-group 1 mode desirable' on the physical ports.
Correct because PAgP desirable mode actively negotiates with the neighbor to form the channel.
Configure 'channel-group 1 mode auto' on the physical ports.
Configure 'channel-group 1 mode active' on the physical ports.
Configure 'channel-group 1 mode on' on the physical ports.
A network engineer is deploying a new wireless LAN controller (WLC) in a campus network. The WLC must manage 200 access points across three buildings. The engineer configures the WLC with a management IP address and enables CAPWAP. However, the access points fail to join the WLC. The APs are in the same VLAN as the WLC and can ping the WLC's management IP. What is the most likely cause of the APs not joining?
The WLC does not have a CAPWAP source interface configured.
Correct because the CAPWAP source interface must be configured on the WLC so that APs can discover and communicate with it. Without it, the WLC may not respond to CAPWAP discovery requests.
The APs are not configured with DHCP option 43 to point to the WLC.
The APs are running an incompatible IOS version that does not support CAPWAP.
The APs must be assigned a static IP address to join the WLC.
A company is deploying a new wireless network in a large warehouse. The network engineer must choose between using a centralized WLC architecture (with CAPWAP tunnels) or a converged access (SD-Access) wireless architecture. The warehouse has high-density client areas and requires low latency for real-time applications like voice and video. Which architecture should the engineer choose and why?
Centralized WLC architecture, because it provides better RF management and security.
Converged access (SD-Access) wireless, because it allows local switching of traffic at the access layer, reducing latency.
Correct because SD-Access wireless enables local switching, which minimizes latency for real-time traffic by avoiding backhaul to a central WLC.
Centralized WLC architecture, because it requires fewer access points to cover the warehouse.
Converged access (SD-Access) wireless, because it requires fewer WLCs to manage the network.
A network engineer is troubleshooting a wireless network where clients in a conference room experience intermittent connectivity. The engineer notices that the access point in that room is showing a high number of CRC errors on its uplink interface. The AP is connected to a Cisco 9300 switch via a copper cable. What is the most likely cause of the CRC errors?
The AP is overloaded with too many clients.
The Ethernet cable is faulty or of poor quality.
Correct because CRC errors on a copper link are usually due to physical layer problems like faulty cables, bad connectors, or interference.
The switch port is configured with a duplex mismatch.
The AP is not receiving enough power from Power over Ethernet (PoE).
An engineer is configuring a new Cisco 9800 WLC in a branch office. The WLC will manage 50 APs and must provide guest access with a captive portal. The engineer configures a guest SSID with open authentication and a redirect ACL for the captive portal. However, after the configuration, clients can associate to the guest SSID but cannot reach the captive portal page. What is the most likely cause?
The guest SSID is configured with open authentication, which does not support captive portal.
The redirect ACL is missing entries for DNS and HTTP traffic to the captive portal server.
Correct because the redirect ACL must permit DNS and HTTP traffic to the portal server so that the client's initial HTTP request is redirected to the captive portal.
The WLC does not have a dedicated guest interface configured.
The captive portal requires a RADIUS server to be configured on the WLC.
A network engineer is deploying a wireless mesh network using outdoor access points. The mesh APs are configured to use 802.11a/n on the 5 GHz band for backhaul and 802.11b/g/n on the 2.4 GHz band for client access. The engineer notices that the mesh backhaul links are unstable and have high packet loss. What is the most likely cause of the instability?
The 5 GHz band is being used for both backhaul and client access, causing co-channel interference.
Correct because using the same band for backhaul and client access can cause interference if channels overlap; dedicated backhaul channels should be used.
The 802.11a/n standard is obsolete and does not support mesh networking.
The mesh APs require a wired Ethernet connection to the root AP.
The 2.4 GHz band provides better range for backhaul than the 5 GHz band.
An engineer is configuring a Cisco 9800 WLC for high availability using a pair of WLCs in an active/standby configuration. The engineer configures the same SSID and security settings on both WLCs. However, when the active WLC fails, clients that were connected to the active WLC do not automatically reconnect to the standby WLC. What is the most likely cause?
The APs are not configured with the standby WLC's IP address as a backup controller.
Correct because APs must have the secondary WLC IP configured so they can fail over to it when the primary is unavailable.
Clients must be configured to roam between WLCs, which is not supported in active/standby mode.
The SSID name must be different on the standby WLC to avoid conflicts.
The APs must be rebooted after the active WLC fails to recognize the standby WLC.
An engineer is troubleshooting an MPLS VPN where CE1 (10.1.1.0/24) cannot reach CE2 (10.2.2.0/24). The PE routers are running OSPF with the CE routers. On PE1, the 'show ip route vrf CUSTOMER' output shows 10.2.2.0/24 as an OSPF route, but the prefix is not present in the global BGP table. What is the most likely cause?
Redistribution from OSPF into BGP under the VRF is not configured on PE1.
Correct because VRF routes must be redistributed into BGP to be advertised as VPNv4 prefixes.
The OSPF adjacency between PE1 and CE1 is down.
The VRF forwarding table on PE1 is full.
MPLS LDP is not enabled on the PE1-CE1 link.
A service provider uses MPLS L3VPN with OSPF as the PE-CE routing protocol. A customer reports that a new subnet added on CE1 is not reachable from CE2, even though the PE1 router has the route in its VRF and BGP table. The 'show ip bgp vpnv4 vrf CUSTOMER' on PE2 shows the prefix with a valid next-hop. What should the engineer check next?
Verify that LDP has allocated a label for the BGP next-hop address on PE2.
Correct because without a label for the next-hop, the VPN route cannot be forwarded.
Check if OSPF is redistributed into BGP on PE1.
Ensure the route is present in the global BGP table on PE2.
Confirm that the VRF on PE2 has the correct route-target import.
An engineer is designing an MPLS L3VPN service for a customer that requires overlapping IP addresses between two sites. The customer uses OSPF as the PE-CE protocol. The engineer configures VRFs on the PE routers and assigns unique route distinguishers (RDs) and route targets (RTs). However, the customer reports that routes from one site are not being installed in the other site's VRF. What is the most likely cause?
The route-target export on PE1 does not match the route-target import on PE2.
Correct because route targets must match for routes to be imported into the remote VRF.
The overlapping IP addresses cause a routing loop in OSPF.
OSPF cannot carry overlapping prefixes in different VRFs.
The route distinguisher is not unique between the two sites.
A network engineer is configuring MPLS TE (Traffic Engineering) in an MPLS core to optimize bandwidth utilization. After enabling MPLS TE on all core routers and configuring tunnels, the engineer notices that traffic is not being rerouted when a link fails. The 'show mpls traffic-eng tunnels' shows the tunnels are up but not using the backup path. What is the most likely missing configuration?
MPLS TE FRR (Fast Reroute) is not configured on the tunnels.
Correct because FRR provides backup paths for link failures in MPLS TE.
LDP is not enabled on the core interfaces.
RSVP is not configured on the core routers.
OSPF is not configured with MPLS TE extensions.
An enterprise is implementing MPLS L3VPN to connect multiple branch offices. The PE routers are using eBGP to exchange VPNv4 routes. The engineer notices that some VPN routes are not being advertised to the remote PE. The 'show bgp vpnv4 unicast all' on the local PE shows the routes as valid but not best. What is the most likely reason?
The route has a higher local preference than the best path.
Correct because BGP selects the best path based on local preference; a higher local preference makes a route less preferred.
The route is not valid due to a missing label.
The route is not in the BGP table.
The route has a higher MED value than the best path.
A network engineer is troubleshooting an MPLS L2VPN (VPWS) where two customer sites are connected via a pseudowire. The engineer has configured the xconnect on both PE routers, but the customer reports that the link is down. The 'show mpls l2transport vc' command on PE1 shows the VC state as 'down'. What is the most likely cause?
LDP is not enabled on the core interfaces between the PEs.
Correct because LDP is required to exchange labels for the pseudowire.
The VC ID is different on the two PEs.
The VC type is not set to Ethernet.
The encapsulation is set to VLAN instead of Ethernet.
A network engineer is configuring a DMVPN Phase 3 deployment with EIGRP as the routing protocol. The hub router has multiple spoke routers behind a single physical interface. The engineer notices that spoke-to-spoke traffic is being forwarded through the hub instead of directly. The spoke routers have the correct NHRP and mGRE configuration. What is the most likely cause of this issue?
The hub router is configured with 'no ip next-hop-self eigrp' under the tunnel interface.
The hub router is configured with 'ip next-hop-self eigrp' under the tunnel interface.
Correct. With next-hop-self enabled, the hub advertises routes with its own IP as the next hop, preventing spokes from learning the remote spoke's tunnel IP and thus no direct tunnel is built.
The spoke routers have 'ip nhrp shortcut' configured but the hub does not have 'ip nhrp redirect'.
The spoke routers are using static NHRP mappings to the hub only, without dynamic NHRP registration.
An enterprise is replacing its legacy Frame Relay WAN with MPLS L3VPN. The new MPLS provider assigns a single VRF to the customer. The customer's CE routers are running BGP with the provider's PE routers. The engineer notices that the CE routers can ping the PE loopback addresses but cannot reach remote CE loopbacks. The BGP sessions are established and routes are received. What is the most likely cause?
The CE router is not configured with 'no bgp default ipv4-unicast'.
The PE router is not sending the customer routes to the remote CE because the next-hop is set to the local PE's loopback, which is reachable, but the remote PE is not advertising the routes due to route-target mismatch.
The CE router is not advertising its own loopback into BGP, so the remote CE does not have a route to it.
The PE router is not disabling BGP next-hop-self for the VRF, so the routes advertised to the CE have the remote CE's IP as the next-hop, which is not reachable from the local CE.
Correct. In MPLS L3VPN, the PE should set next-hop-self when advertising routes to the CE so that the CE uses the PE as the next hop. If not, the CE will try to reach the remote CE directly, which is not possible over the MPLS network.
A network engineer is troubleshooting a site-to-site IPsec VPN tunnel between two Cisco routers. The tunnel is established and IKEv2 Phase 1 is up, but no traffic passes. The engineer checks the crypto map and sees that the ACL is configured to permit traffic between the two LAN subnets. However, 'show crypto ipsec sa' shows that the number of packets encapsulated and decapsulated is zero. What is the most likely cause?
The crypto map is not applied to the correct interface.
The IPsec transform set uses ESP with SHA-1, but the remote router expects AES-GCM.
Correct. A mismatch in the transform set (e.g., encryption or authentication algorithms) will prevent Phase 2 from establishing, even though Phase 1 (which uses a different proposal) may succeed.
The ACL on the crypto map is missing the 'permit ip' statement for the return traffic.
The tunnel interface is down due to a routing issue.
An engineer is configuring a FlexVPN hub-and-spoke topology using IKEv2. The hub router is configured with a dynamic crypto map and a local pool for assigning IP addresses to spokes. The spokes are configured with a static crypto map and a tunnel interface with an IP address from the pool. The tunnel comes up, but the spoke cannot ping the hub's tunnel interface. The hub can ping the spoke's tunnel interface. What is the most likely cause?
The spoke is configured with a static IP address on the tunnel interface that is not in the hub's IP pool.
Correct. In FlexVPN, the hub assigns IP addresses from a pool. If the spoke statically configures an IP address, the hub may not have a route back to that address, causing asymmetric routing or unreachability.
The hub is missing the 'tunnel protection ipsec' command on the tunnel interface.
The spoke's crypto map is not using the correct pre-shared key.
The hub's IKEv2 profile is not configured with 'authentication remote rsa-sig'.
A company is using a dual-homed MPLS L3VPN connection with two different ISPs. The CE router is running eBGP with both PE routers. The engineer wants to ensure that inbound traffic from the Internet to the company's web servers uses both links, but outbound traffic from the company should prefer ISP A. The company advertises the same /24 prefix to both ISPs. What BGP configuration should the engineer apply on the CE router?
Set a lower MED for routes advertised to ISP A and a higher MED for routes advertised to ISP B.
Use AS path prepending on routes advertised to ISP B and set a higher local preference for routes learned from ISP A.
Correct. AS path prepending makes the path to ISP B longer, discouraging inbound traffic from using it. Setting a higher local preference for routes from ISP A makes outbound traffic prefer ISP A.
Advertise a more specific prefix (e.g., /25) to ISP A and a less specific prefix (/24) to ISP B.
Configure the CE router to use BGP multipath with both ISPs.
An engineer is deploying a new SD-WAN solution using Cisco vManage. The WAN edge routers are connected to two different transport networks: MPLS and Internet. The engineer wants to ensure that voice traffic is always sent over the MPLS link when available, and only fails over to the Internet link if the MPLS link goes down. The engineer has configured a policy to set the preferred color for voice traffic to 'mpls'. However, during a test, voice traffic is still using the Internet link even though the MPLS link is up. What is the most likely cause?
The policy is not attached to the correct VPN or site list.
Correct. In vManage, policies must be associated with specific VPNs or sites. If the policy is not attached to the VPN that carries voice traffic, it will not be applied.
The voice traffic is using a different DSCP value than the one defined in the policy.
The MPLS link is not in the 'up' state in the vManage overlay.
The policy is configured as a local policy instead of a centralized policy.
A network engineer is configuring a Cisco router to provide internet access to a small office using a single public IP address assigned by the ISP. The engineer wants to allow internal hosts to initiate connections to the internet, but also needs to make a web server on the internal network reachable from the internet. The engineer configures a standard access list for NAT and an ip nat inside source list command. However, external users cannot reach the internal web server. What is the most likely cause?
The access list used for NAT does not permit the web server's IP address.
The engineer forgot to add the ip nat inside source static command for the web server.
Correct because a static NAT entry is required to map the public IP to the internal web server's private IP, allowing inbound connections.
The ip nat inside and ip nat outside commands are applied on the wrong interfaces.
The global configuration mode is missing the ip nat pool command.
A network engineer is troubleshooting a DHCP issue on a Cisco router configured as a DHCP server for a VLAN. Clients in the VLAN are able to obtain IP addresses from the DHCP server, but they are not receiving the correct DNS server address. The engineer checks the DHCP pool configuration and sees the dns-server command is configured with the correct IP address. What is the most likely cause of the problem?
The DHCP pool is not associated with the correct VLAN interface using the network command.
Correct because if the network command in the DHCP pool does not match the subnet of the VLAN, the DHCP server may assign addresses but not apply the pool-specific options like DNS.
The DNS server is unreachable from the DHCP server.
The ip dhcp excluded-address command is blocking the DNS server IP.
The DHCP client is configured with a static DNS server address.
A network engineer is configuring NAT overload (PAT) on a Cisco router to allow multiple internal hosts to share a single public IP address. The engineer uses the command ip nat inside source list 1 interface GigabitEthernet0/0 overload. After testing, internal hosts can access the internet, but some applications fail intermittently. The engineer suspects a NAT issue. What is the most likely cause?
The access list 1 is too permissive and includes the public IP address of the router.
The NAT translation table is filling up due to a large number of concurrent sessions, causing new translations to be denied.
Correct because PAT has a limited number of available port numbers (approximately 65,000 per public IP), and if many sessions are active, the table can become full, dropping new connections.
The router is not configured with ip nat inside on the internal interface.
The overload keyword is misspelled or not supported on this IOS version.
A network engineer is configuring a Cisco router as a DHCP relay agent to forward DHCP requests from a client VLAN to a centralized DHCP server located in a different subnet. The engineer configures the ip helper-address command on the VLAN interface. However, clients in the VLAN are not receiving IP addresses. The DHCP server is reachable from the router. What is the most likely cause?
The ip helper-address command is applied on the wrong interface (e.g., the interface facing the DHCP server).
The DHCP server is not configured with a scope for the client subnet.
The router does not have a return route to the client subnet, so the DHCP server's reply is dropped.
Correct because the DHCP server sends the reply to the relay agent (router), which then forwards it as a broadcast to the client. If the router cannot reach the client subnet, the reply is lost.
The DHCP client is using DHCPv6 instead of DHCPv4.
A network engineer is troubleshooting a NAT issue where an internal host cannot establish an SSH session to a remote server on the internet. The engineer checks the NAT translations on the border router and sees that the translation for the host's source IP is present. However, the SSH session times out. The engineer also notices that the remote server's IP is not in the NAT translation table. What is the most likely cause?
The router is performing NAT only for the source IP, but the return traffic is taking a different path that does not go through the NAT router.
Correct because if the return traffic does not pass through the same NAT router, the router will not create an inbound translation entry, and the packet will not be translated back to the private IP.
The SSH server is blocking connections from the public IP address.
The NAT overload is causing port conflicts for SSH.
The access list used for NAT is denying the SSH traffic.
A network engineer is configuring a Cisco router to act as a DHCP server for a branch office. The engineer creates a DHCP pool for the 192.168.1.0/24 subnet and configures the default-router, dns-server, and domain-name options. However, clients are able to obtain IP addresses but cannot ping the default gateway. The engineer verifies that the router's interface IP is 192.168.1.1. What is the most likely cause?
The router's interface is not configured with an IP address in the 192.168.1.0/24 subnet.
Correct because if the router interface is not in the same subnet, the clients will have a default gateway that is unreachable.
The DHCP pool is missing the lease command.
The router's interface is administratively down.
The ip dhcp excluded-address command is blocking the default gateway IP.
A network engineer is troubleshooting multicast video distribution across an enterprise campus. The multicast source is connected to a switch that is the PIM Designated Router (DR) on a multi-access segment. Receivers in a different VLAN report that they are not receiving the multicast stream, although the DR shows the correct (S,G) entry. The engineer checks the RPF neighbor for the source and notices that the unicast route to the source points to a different interface than the one where the multicast stream is received. What is the most likely cause of the issue?
The DR is not configured as the RP (Rendezvous Point).
The multicast stream is arriving on an interface that is not the RPF interface for the source.
Correct because multicast forwarding requires the incoming interface to match the unicast RPF interface; a mismatch causes the packet to be dropped.
The switchport connected to the source is not configured as a trunk.
IGMP snooping is disabled on the receiver VLAN.
A network engineer is deploying IP multicast in an OSPF-based enterprise network. The network uses PIM sparse mode with a static RP. The engineer notices that multicast traffic from a source to a group is not reaching receivers in a remote subnet, even though the RP is reachable and the receivers have sent IGMP joins. The engineer checks the multicast routing table on the last-hop router and sees that the (S,G) entry is present, but the outgoing interface list (OIL) is empty. What is the most likely reason for the empty OIL?
The RP is not configured on the last-hop router.
Correct because without the RP configured, the router cannot send a PIM join to the RP, so the OIL remains empty.
The multicast source is not registered with the RP.
PIM dense mode is enabled on the last-hop router.
The TTL of the multicast packets is too low.
An engineer is configuring multicast on a Cisco router running IOS-XE. The network uses PIM sparse mode with a static RP at 10.1.1.1. The engineer enters the command 'ip pim rp-address 10.1.1.1' but multicast traffic is not being forwarded. Upon verification, the engineer sees that the RP is reachable via OSPF, but the 'show ip pim rp mapping' command does not list any RP for the group. What is the most likely cause?
The RP address is not reachable via the unicast routing table.
The command 'ip pim rp-address 10.1.1.1' must include an access-list to define the group range.
Correct because the RP mapping requires an access-list to specify the groups; without it, the RP is not associated with any group.
PIM sparse mode must be enabled on all interfaces first.
The router must be configured as a candidate RP using 'ip pim send-rp-announce'.
A network engineer is troubleshooting multicast connectivity in a large enterprise. The network uses PIM sparse mode with Auto-RP. The engineer notices that some routers are not receiving the RP mapping for a particular group. The engineer checks the Auto-RP mapping agent and sees that it is sending RP announcements, but the routers that are missing the mapping are not in the same PIM domain. What is the most likely reason?
The routers missing the mapping do not have 'ip pim autorp listener' configured.
Correct because Auto-RP uses reserved multicast groups; without this command, routers may not process the RP announcements.
The mapping agent is not configured as a candidate RP.
The TTL of the RP announcements is set too low.
The routers missing the mapping have PIM dense mode enabled.
An engineer is configuring multicast on a Cisco switch running IOS. The switch is acting as the IGMP querier for a VLAN. The engineer notices that multicast traffic is being flooded to all ports in the VLAN, even though only a few receivers have joined the group. The engineer checks the IGMP snooping configuration and sees that IGMP snooping is enabled globally and on the VLAN. What is the most likely cause of the flooding?
The IGMP querier is not elected on the VLAN.
Correct because without a querier, IGMP snooping cannot learn group memberships, causing the switch to flood multicast traffic.
The multicast source is connected to a trunk port.
The switch has PIM enabled on the VLAN interface.
The receivers are using IGMPv3.
A network engineer is configuring PIM sparse mode in a network that uses a Bootstrap Router (BSR) for RP discovery. The engineer has configured a candidate BSR and candidate RPs. However, some routers in the network are not learning the RP set. The engineer checks the BSR and sees that it is receiving candidate RP advertisements, but the BSR messages are not being forwarded to all routers. What is the most likely cause?
PIM is not enabled on all interfaces between the BSR and the other routers.
Correct because BSR messages rely on PIM to flood; without PIM on intermediate interfaces, the messages are dropped.
The candidate BSR priority is set too low.
The candidate RPs are not in the same OSPF area as the BSR.
The BSR is not configured as a candidate RP.
A network engineer is configuring QoS on a Cisco Catalyst 3850 switch to prioritize voice traffic. The switch is connected to an IP phone and a PC using a single access port. The engineer applies a service policy on the access port that marks CoS 5 for voice and CoS 0 for data. However, the IP phone is not receiving any voice packets. What is the most likely cause?
The switchport is configured as an access port without 'mls qos trust cos'
Correct because without trusting CoS, the switch ignores the phone's markings and treats all traffic as best-effort.
The IP phone is not configured with the correct VLAN for voice traffic
The service policy is applied in the output direction instead of input
The switch does not support CoS marking on access ports
An engineer is deploying QoS on a WAN link between two sites using a Cisco ISR 4451 router. The link is a 10 Mbps MPLS circuit. The engineer wants to ensure that voice traffic (EF) is never dropped, even during congestion. The current policy uses a single class map for voice with a policer that drops excess traffic. During peak hours, users report choppy voice calls. What change should the engineer make?
Change the policer to a shaper and apply it to the voice class
Correct because shaping buffers excess traffic instead of dropping it, reducing jitter and packet loss for voice.
Increase the policer rate to 20 Mbps to accommodate voice bursts
Remove the policer and rely on FIFO queuing
Apply the policy in the output direction only
A network engineer is troubleshooting QoS on a Cisco Nexus 9000 switch. The switch is configured with a policy map that uses a class-default with a bandwidth remaining percent of 100. However, during congestion, traffic in a priority queue (class-map for EF) is experiencing drops even though the priority queue is not fully utilized. What is the most likely cause?
The priority queue is implicitly policed to a default rate on Nexus switches
Correct because Nexus switches enforce a default policer on the priority queue to protect other traffic, which can cause drops.
The class-default bandwidth remaining percent should be set to 0
The priority queue is not configured with a queue-limit
The switch is using strict priority queuing without any shaping
An engineer is configuring QoS on a Cisco ASR 1000 router to support three traffic classes: voice (EF), video (AF41), and data (default). The link is a 50 Mbps Ethernet circuit. The engineer wants to guarantee 10 Mbps for voice, 20 Mbps for video, and the remaining for data. The current policy uses bandwidth percent statements. During congestion, voice traffic is not receiving its guaranteed bandwidth. What is the most likely cause?
The interface bandwidth command is not set to 50000 kbps
Correct because bandwidth percent uses the interface bandwidth value; if it is set to a default (e.g., 1000000 for Ethernet), the percentages do not match the actual link speed.
The voice class should use priority instead of bandwidth
The video class should use bandwidth remaining percent
The policy map is applied in the input direction
A network engineer is troubleshooting voice quality issues on a Cisco Catalyst 9300 switch. The switch is configured with auto QoS for voice, which enabled trust on the access ports. However, voice packets are being marked with DSCP EF but are still experiencing jitter. The engineer checks the interface queue statistics and sees that the priority queue is not being used. What is the most likely reason?
Auto QoS does not create a priority queue; a manual policy is required
Correct because auto QoS only sets trust and marks; the queuing policy must be applied separately to prioritize voice.
The switch does not support DSCP-based queuing
The voice VLAN is not configured on the access port
The switch is using default CoS-to-queue mapping which maps EF to a non-priority queue
An engineer is configuring QoS on a Cisco ISR 4331 router for a site-to-site VPN tunnel. The tunnel interface is configured with a service policy that uses a class map matching DSCP EF. The engineer notices that the policy is not shaping traffic as expected; the tunnel bandwidth is 20 Mbps but the shaper is set to 10 Mbps. However, traffic still exceeds 10 Mbps. What is the most likely cause?
The shaper should be applied to the physical interface instead of the tunnel interface
Correct because tunnel interfaces encapsulate traffic; shaping on the tunnel does not control the actual output rate on the physical link.
The shaper rate should be set to 20 Mbps to match the tunnel bandwidth
The class map should match on the outer IP header instead of the inner DSCP
The service policy should be applied in the input direction
A network engineer notices intermittent connectivity issues between two switches connected via a trunk link. The trunk is configured with DTP in dynamic desirable mode on one side and trunk mode on the other. Which action should the engineer take to resolve the issue?
Configure both sides with switchport mode trunk.
Option A is correct because it ensures both ends are unconditionally set to trunk mode, avoiding negotiation issues.
Set both sides to access mode.
Disable DTP on both sides using switchport nonegotiate.
Change one side to dynamic auto.
A network administrator is troubleshooting high CPU utilization on a Catalyst 9300 switch. The output of 'show processes cpu sorted' shows the 'IP Input' process consuming 45% CPU. Which tool should be used to identify the specific packets causing the issue?
Use extended ping from the switch to generate traffic.
Configure a SPAN session to capture all traffic to the CPU.
Check CDP neighbors to see if any devices are flooding.
Enable IP traffic export (NetFlow) on the switch.
Option C is correct because NetFlow can identify the flows that are being processed by the CPU.
A network engineer is implementing QoS on a WAN link to prioritize voice traffic. Which queuing mechanism provides the lowest latency for real-time traffic?
Low Latency Queuing (LLQ)
Option B is correct because LLQ provides a strict priority queue for real-time traffic.
Weighted Random Early Detection (WRED)
Class-Based Weighted Fair Queuing (CBWFQ)
First-In, First-Out (FIFO)
A network administrator is troubleshooting a BGP routing issue where routes from an eBGP neighbor are not being installed in the routing table. The 'show ip bgp' output shows the routes are received but not valid. What is the most likely cause?
The AS-path contains the local AS number.
The next-hop IP address is not reachable.
Option B is correct because if the next-hop is not reachable, the route is not installed.
BGP synchronization is enabled.
The maximum-prefix limit has been exceeded.
A network engineer is designing a multicast network for IPTV. Which protocol is used by routers to discover which multicast groups are of interest to directly connected hosts?
Rendezvous Point (RP)
Internet Group Management Protocol (IGMP)
Option D is correct because IGMP is used by hosts to report group membership to routers.
Protocol Independent Multicast (PIM)
Multicast Source Discovery Protocol (MSDP)
Which TWO statements are true about IP SLA? (Choose two.)
IP SLA is only supported on ASR routers.
IP SLA can be used with tracking objects to trigger route changes.
Option D is correct because IP SLA can be tracked and used for conditional routing.
IP SLA can measure jitter between two devices.
Option B is correct because IP SLA has a jitter operation.
IP SLA uses actual user traffic for measurements.
IP SLA can only measure round-trip time, not one-way delay.
A network engineer configures SNMPv2c on a Cisco router to monitor CPU and memory utilization. The NMS is reachable and configured with the same community string 'public'. However, the NMS receives no traps from the router. The engineer verifies that the router's SNMP configuration includes 'snmp-server enable traps' and 'snmp-server host 192.168.1.100 version 2c public'. What is the most likely cause of the missing traps?
The router's SNMP agent is disabled.
The community string 'public' is not defined on the router.
The router lacks specific trap configuration for CPU and memory utilization.
Correct because 'snmp-server enable traps' alone does not enable all traps; specific traps like 'snmp-server enable traps cpu threshold' and 'snmp-server enable traps memory' are needed.
The NMS is using SNMPv3, which is incompatible with SNMPv2c traps.
An engineer is troubleshooting a syslog issue on a Cisco switch. The switch is configured with 'logging host 10.1.1.1' and 'logging trap informational'. The syslog server at 10.1.1.1 receives messages from other devices but not from this switch. The engineer can ping 10.1.1.1 from the switch. What is the most likely cause?
The syslog server is configured to accept messages only from a specific source IP address.
The switch's logging process is disabled by default and must be enabled with 'logging on'.
Correct because 'logging on' is required to start the syslog logging process; without it, no messages are sent even if hosts are configured.
The 'logging trap informational' command is incorrect; it should be 'logging trap 6'.
The switch uses UDP port 514, but the server listens on TCP port 514.
A network engineer configures SNMPv3 on a Cisco router for secure monitoring. The configuration includes 'snmp-server group ADMIN v3 priv', 'snmp-server user admin ADMIN v3 auth sha cisco123 priv aes 128 cisco456', and 'snmp-server host 10.1.1.2 version 3 priv admin'. The NMS is configured with the same credentials. However, the NMS cannot poll the router. The engineer verifies that the router's SNMP agent is enabled. What is the most likely cause?
The SNMPv3 user is not associated with the group correctly.
The NMS must be configured with the router's SNMP engine ID.
Correct because SNMPv3 uses engine IDs for authentication; if the NMS does not have the correct engine ID, it cannot authenticate.
The 'priv' keyword in the host command should be 'auth' instead.
The AES encryption key must be exactly 16 characters.
An engineer notices that syslog messages from a Cisco router are not timestamped correctly. The router is configured with 'service timestamps log datetime msec' and 'logging host 10.1.1.1'. The syslog server shows messages with the correct time but the local logs on the router show incorrect timestamps. What is the most likely cause?
The 'service timestamps log datetime msec' command is not supported on this platform.
The router's system clock is not synchronized via NTP or manual setting.
Correct because timestamps are based on the router's clock; if it's incorrect, local logs will have wrong timestamps.
The syslog server is overwriting the timestamps.
The 'logging host' command must include the 'transport tcp' option.
A network engineer configures SNMPv2c on a Cisco switch to send traps to an NMS at 192.168.1.100 with community 'monitor'. The engineer also configures 'snmp-server enable traps snmp linkdown linkup'. The NMS receives link traps but not authentication failure traps. The engineer has not configured any access control. What is the most likely reason?
Authentication failure traps are disabled by default and must be explicitly enabled.
Correct because 'snmp-server enable traps snmp authentication' is needed to send authentication failure traps.
The NMS is not configured to receive authentication failure traps.
The community string 'monitor' has read-write access, which suppresses authentication traps.
The switch must be configured with 'snmp-server trap-source' to send authentication traps.
An engineer is configuring syslog on a Cisco router to send messages to two servers: 10.1.1.1 (primary) and 10.1.1.2 (secondary). The configuration includes 'logging host 10.1.1.1' and 'logging host 10.1.1.2'. The engineer wants messages to be sent to both servers simultaneously. However, only the first server receives messages. What is the most likely cause?
The second syslog server is not reachable from the router.
The router's syslog process sends messages to all configured hosts by default; the issue is that the second server is not configured to accept syslog messages.
Correct because the server-side configuration is missing; the router is sending but the server is not listening.
The 'logging host' command for the second server must be entered before the first.
The router requires 'logging on' to send to multiple hosts.
A network engineer is troubleshooting intermittent packet loss on a WAN link connecting two data centers. The engineer suspects that certain traffic types are being dropped but needs to confirm this without impacting production. The engineer has access to Cisco IOS-XE routers at both ends. Which approach should the engineer use to identify the specific flows being dropped?
Configure Flexible NetFlow on the routers with a flow monitor that includes the 'drop' keyword to capture dropped packets per flow.
Correct because Flexible NetFlow with the 'drop' keyword allows per-flow drop monitoring, directly identifying which flows are being dropped.
Enable SNMP polling of interface counters to identify the total number of dropped packets on the WAN interface.
Use Embedded Event Manager (EEM) to trigger on interface drops and capture a packet trace.
Deploy IP SLA probes to measure latency and jitter, and correlate with drop events.
A large enterprise is migrating from traditional SNMP-based monitoring to streaming telemetry for better scalability and real-time visibility. The network team has Cisco Nexus 9000 switches running NX-OS. They want to stream interface counters and BGP neighbor state changes to a collector. Which telemetry technology should they implement?
Configure model-driven telemetry (MDT) using gRPC or gNMI to subscribe to the desired YANG data models for interface counters and BGP state.
Correct because MDT with gRPC/gNMI provides scalable, real-time streaming of structured data from NX-OS devices.
Enable NetFlow v9 on the switches and configure the collector to receive flow records that include interface statistics.
Use SNMP traps to send interface and BGP state changes to the collector.
Deploy IP SLA responders on the switches to measure performance and send results via syslog.
A network engineer is configuring NetFlow on a Cisco ISR 4451 router to analyze traffic patterns. The engineer wants to export flow data to a collector every 60 seconds. After applying the configuration, the engineer notices that the export packets are not reaching the collector. The collector is reachable via ICMP. What is the most likely cause?
The 'ip flow-export destination' command is missing or specifies an incorrect UDP port number.
Correct because the export destination must include the correct IP and UDP port; if missing or wrong, export packets won't reach the collector.
The router is using TCP for NetFlow export, but the collector only supports UDP.
The flow monitor is not applied to any interface, so no flows are being collected.
The 'ip flow-export timeout rate' is set too high, causing export packets to be delayed.
A service provider is using Cisco ASR 9000 routers and needs to collect NetFlow data from multiple customers' traffic. The engineer wants to ensure that flow records from different customers are not mixed and can be identified separately. The router supports Flexible NetFlow. What is the best approach?
Define a custom flow record that includes the 'match ipv4 vlan' or 'match ipv4 vrf' field to identify each customer's traffic, and apply a single flow monitor on the shared interface.
Correct because including the VRF or VLAN match field in the flow record allows the collector to distinguish flows per customer.
Configure a separate flow monitor for each customer interface and export to different collectors.
Use NetFlow v9 export with the 'match ipv4 source address' field only, and rely on the collector to separate by source IP.
Enable SNMP interface polling to track per-customer traffic statistics.
A network operations center (NOC) is deploying streaming telemetry from Cisco IOS-XE devices to a Kafka-based analytics platform. The engineer needs to ensure that the telemetry data is encoded in a compact, efficient format for high-volume streaming. Which encoding format should the engineer configure?
Google Protocol Buffers (GPB) encoding.
Correct because GPB is a binary, compact format that minimizes bandwidth and CPU usage for high-volume streaming.
JSON encoding.
XML encoding.
CSV encoding.
A network engineer is troubleshooting a performance issue on a Cisco Catalyst 9300 switch. The engineer suspects that a specific application is using excessive bandwidth. The switch supports Flexible NetFlow. The engineer wants to monitor only the traffic from that application without affecting the switch's CPU. What is the most efficient way to configure this?
Define a flow record that matches the specific application using NBAR or an ACL, and apply a flow monitor with a sampler rate to reduce CPU impact.
Correct because matching only the application of interest and using a sampler minimizes the number of flows processed, reducing CPU load.
Enable NetFlow on all interfaces and export all flows to the collector, then filter at the collector.
Use SNMP to poll interface counters and calculate the bandwidth used by the application.
Configure port mirroring (SPAN) to send all traffic to an external probe for analysis.
A network engineer is troubleshooting a performance issue between two hosts connected to a Cisco Catalyst 3850 switch. The engineer wants to capture all traffic sent and received by Host A (Gi1/0/1) and send it to a monitoring station connected to Gi1/0/24. The engineer configures 'monitor session 1 source interface Gi1/0/1 both' and 'monitor session 1 destination interface Gi1/0/24'. However, the monitoring station receives only traffic sent by Host A, not traffic received. What is the most likely cause?
The source interface is configured as an access port, and the SPAN session cannot capture both directions on an access port.
The destination port is in the same VLAN as the source interface, causing the switch to drop the copied frames due to loop prevention.
Correct; when the destination port is in the same VLAN as the source, the switch may drop the replicated frames to prevent loops, especially if the destination port is also in the forwarding path.
The 'monitor session 1 destination interface Gi1/0/24' command does not support egress SPAN; only ingress SPAN is allowed.
The engineer must also configure 'monitor session 1 filter ip' to capture both directions.
A network engineer needs to monitor traffic between two VLANs on a Cisco Catalyst 9300 switch. The engineer wants to capture all packets that traverse the switch between VLAN 10 and VLAN 20. The monitoring station is connected to port Gi1/0/24. Which configuration should the engineer use to capture this inter-VLAN traffic?
Configure 'monitor session 1 source interface Gi1/0/1 both' and 'monitor session 1 destination interface Gi1/0/24'.
Configure 'monitor session 1 source vlan 10 - 20 both' and 'monitor session 1 destination interface Gi1/0/24'.
Correct; VLAN-based SPAN captures all traffic entering or leaving the specified VLANs, including routed traffic between them.
Configure an RSPAN VLAN and use 'monitor session 1 source vlan 10 - 20' and 'monitor session 1 destination remote vlan 100'.
Configure an ERSPAN session with source IP and destination IP.
An engineer is configuring RSPAN to monitor traffic from multiple switches in a data center. The monitoring station is connected to a central switch. The engineer has configured an RSPAN VLAN (VLAN 999) on all switches and set up the source sessions on the remote switches. However, the monitoring station receives no traffic. On the central switch, the engineer verifies that the RSPAN VLAN is active and that the destination session is configured. What is a likely missing configuration?
The trunk ports between the switches do not have the RSPAN VLAN (999) in their allowed VLAN list.
Correct; the RSPAN VLAN must be allowed on all trunk links to transport the mirrored traffic to the destination switch.
The destination session on the central switch is configured with 'monitor session 2 destination remote vlan 999' instead of 'monitor session 2 destination interface Gi1/0/1'.
The source sessions on the remote switches are configured with 'monitor session 1 source vlan 100' but the destination is not set to 'remote vlan 999'.
The RSPAN VLAN is not created as a remote SPAN VLAN; it must be configured with 'remote-span' command.
A network engineer is using a Cisco Catalyst 3850 switch to monitor traffic from a server connected to port Gi1/0/1. The monitoring station is on port Gi1/0/24. The engineer configures 'monitor session 1 source interface Gi1/0/1 both' and 'monitor session 1 destination interface Gi1/0/24'. The monitoring station receives traffic, but the engineer notices that the switch CPU utilization is high. What is the most likely cause of the high CPU?
The SPAN session is capturing both directions, which doubles the number of packets and increases CPU usage.
The destination port is not configured with 'switchport nonegotiate' and is still participating in DTP, causing CPU overhead.
The destination port is still a member of a VLAN, and the switch is processing the copied frames as normal traffic, leading to high CPU.
Correct; when a destination port is not dedicated to SPAN, the switch may attempt to switch the copied frames, increasing CPU load.
The source interface is a trunk port, and SPAN is capturing all VLANs, causing high CPU.
A network engineer needs to monitor traffic from a specific VLAN (VLAN 100) on a Cisco Catalyst 9300 switch and send the mirrored traffic to a monitoring station on a different switch across a routed network. The engineer decides to use ERSPAN. Which configuration is required on the source switch?
Configure 'monitor session 1 type erspan-source' and then 'source vlan 100' and 'destination ip 192.168.1.100'.
Correct; ERSPAN source session requires the type erspan-source, source VLAN, and destination IP address.
Configure 'monitor session 1 source vlan 100' and 'monitor session 1 destination interface Gi1/0/24'.
Configure 'monitor session 1 source vlan 100' and 'monitor session 1 destination remote vlan 999'.
Configure 'monitor session 1 source vlan 100' and 'monitor session 1 destination interface Gi1/0/24' and then 'monitor session 1 encapsulation replicate'.
An engineer is configuring SPAN on a Cisco Catalyst 3850 switch to monitor traffic from a trunk port (Gi1/0/1) that carries VLANs 10, 20, and 30. The monitoring station is on port Gi1/0/24. The engineer wants to capture only VLAN 20 traffic from the trunk. Which configuration should the engineer use?
Configure 'monitor session 1 source interface Gi1/0/1 both' and 'monitor session 1 filter vlan 20'.
Correct; the filter vlan option limits the SPAN session to only VLAN 20 traffic on the source interface.
Configure 'monitor session 1 source interface Gi1/0/1 both' and 'monitor session 1 destination interface Gi1/0/24'.
Configure 'monitor session 1 source vlan 20' and 'monitor session 1 destination interface Gi1/0/24'.
Configure 'monitor session 1 source interface Gi1/0/1 both' and 'monitor session 1 filter vlan 10,30'.
A network engineer configures an IP SLA on a Cisco router to monitor reachability to a critical server at 10.1.1.1 using ICMP echo. The IP SLA is used as a track object for a static default route. After deployment, the engineer notices that the static route is never removed from the routing table, even when the server is unreachable. The IP SLA operation shows 'State: Active' and 'Latest RTT: NoConnection/Busy/Timeout'. What is the most likely cause?
The IP SLA operation is not configured with a timeout value, so it never times out.
The IP SLA operation needs a threshold configured to mark the operation as 'down' when the RTT exceeds the threshold or a timeout occurs.
Correct. IP SLA uses thresholds to determine when an operation should be considered failed. Without a threshold, the operation stays active regardless of timeouts.
The track object must be configured with a 'down' delay to allow the route to be removed.
The static route must be configured with a higher administrative distance to allow the IP SLA to remove it.
An engineer configures IP SLA 100 to monitor the jitter and latency of a VoIP call path between two branch routers. The configuration uses UDP jitter with a target of 192.168.2.2 on port 16384. The engineer notices that the IP SLA operation shows 'State: Active' but no jitter or latency statistics are collected. The router is generating the probe packets, but the remote router does not respond. What is the most likely reason?
The IP SLA operation must be configured with a 'request-data-size' value to match the remote router's MTU.
The remote router must have an IP SLA responder configured to process the UDP jitter probes.
Correct. For UDP jitter (and other UDP-based probes), the destination router must run the IP SLA responder to echo the packets back. Without it, the source cannot compute one-way metrics.
The source router needs a 'frequency' setting that matches the remote router's response interval.
The firewall on the remote router is blocking the UDP port 16384, preventing the probe from reaching the target.
A network engineer configures IP SLA 1 to monitor HTTP server availability at 10.1.1.1 using HTTP GET. The operation is used as a track object for a backup static route. The engineer notices that the IP SLA operation shows 'State: Active' and 'Latest RTT: 200 ms', but the track object shows 'Track 1: up' even though the HTTP server returns a 404 error. What is the cause?
The IP SLA HTTP operation must be configured with a 'url' that includes the full path, otherwise it defaults to the root and returns 404.
The IP SLA HTTP operation does not interpret HTTP status codes by default; it only checks if a TCP connection is established.
Correct. IP SLA HTTP probe by default only verifies that the TCP handshake succeeds and a response is received. It does not parse the HTTP status code unless a 'status-code' match is configured.
The track object must be configured with a 'down' threshold to trigger when the HTTP response time exceeds a value.
The HTTP server is responding, so the IP SLA operation correctly shows success; the engineer must use a different type of probe, like TCP connect, to detect the 404.
An engineer configures IP SLA 10 to monitor the reachability of a next-hop router at 10.1.1.1 using ICMP echo. The IP SLA is used as a track object for a static route. The engineer notices that the IP SLA operation shows 'State: Active' and 'Latest RTT: 1 ms', but the track object shows 'Track 10: up' even though the next-hop router is actually unreachable from the source. The source router has a default route pointing to 10.1.1.1. What is the most likely cause?
The IP SLA operation is using the wrong source IP address; it should be sourced from the interface that connects to the next-hop router.
Correct. If the IP SLA probe is sourced from a different interface (e.g., loopback), it may take a different path and succeed even if the next-hop router is unreachable via the intended interface.
The IP SLA operation must be configured with a 'timeout' value lower than the RTT to force a failure.
The track object must be configured with a 'down' delay to prevent flapping.
The static route must be configured with a higher administrative distance to allow the IP SLA to remove it.
A network engineer configures IP SLA 20 to monitor the response time of a DNS server at 10.1.1.1 using DNS query for 'example.com'. The operation is used to influence routing decisions. The engineer notices that the IP SLA operation shows 'State: Active' and 'Latest RTT: 50 ms', but the DNS server is actually down and not responding to any queries. What is the most likely reason?
The IP SLA DNS probe is using a cached DNS response from the router's DNS resolver, so it does not actually query the server.
Correct. If the router has DNS caching enabled, the IP SLA DNS probe may receive a cached response, making it appear as if the server is reachable when it is not.
The IP SLA DNS probe must be configured with a 'timeout' value lower than 50 ms to detect the failure.
The DNS server is responding to the probe but not to other queries because the probe uses a different port.
The IP SLA operation is configured with a 'frequency' that is too low, causing the probe to be sent before the server times out.
An engineer configures IP SLA 30 to monitor the one-way delay to a remote site using UDP jitter. The operation is used to adjust routing metrics via route maps. The engineer notices that the IP SLA operation shows 'State: Active' but the one-way delay values are inconsistent, sometimes showing negative values. What is the most likely cause?
The IP SLA operation is not configured with a 'request-data-size' that matches the remote router's MTU, causing fragmentation and delay variations.
The source and destination routers do not have synchronized clocks via NTP, causing one-way delay calculations to be inaccurate.
Correct. One-way delay is computed by subtracting the send timestamp from the receive timestamp. If clocks are not synchronized, the result can be negative or wildly inaccurate.
The IP SLA operation is using a 'frequency' that is too high, causing the probes to overlap and corrupt the statistics.
The remote router's IP SLA responder is not configured, so the source is using a different method to estimate delay.
A network engineer is configuring port security on a Cisco switch to prevent unauthorized devices from connecting. The requirement is to allow only the first two MAC addresses learned on an interface, and to disable the interface if a violation occurs. Which configuration achieves this?
switchport port-security maximum 2 switchport port-security violation err-disable
switchport port-security maximum 2 switchport port-security violation shutdown
Correct: sets the maximum to 2 secure MAC addresses, and violation mode shutdown err-disables the interface on a violation.
switchport port-security maximum 2 switchport port-security violation protect
switchport port-security maximum 2 switchport port-security violation restrict
An organization wants to implement 802.1X authentication on its wired network using Cisco ISE as the authentication server. The switches are configured with the necessary RADIUS settings. Which additional configuration is required on the switch interfaces to enable 802.1X?
dot1x pae authenticator
authentication port-control auto
Correct: this command enables 802.1X authentication on the interface.
authentication port-control force-authorized
authentication port-control force-unauthorized
A security engineer is configuring CoPP (Control Plane Policing) on a Cisco router to protect the control plane from DoS attacks. The policy must rate-limit SSH traffic to 1 Mbps with a burst of 2000 bytes, and drop all other traffic destined to the control plane that exceeds a default rate. Which class-map and policy-map configuration is correct?
class-map match-all SSH match protocol ssh policy-map COPP class SSH police 1000000 2000 conform-action transmit exceed-action drop
class-map match-all SSH match access-group name SSH_ACL policy-map COPP class SSH police 1000000 2000 conform-action transmit exceed-action drop class class-default police 8000 conform-action transmit exceed-action drop
class-map match-all SSH match protocol ssh policy-map COPP class SSH police 1000000 2000 conform-action transmit exceed-action drop class class-default police 8000 conform-action transmit exceed-action drop
Correct: matches the SSH protocol, polices it to 1 Mbps with a 2000-byte burst, and adds a class-default policer for all other traffic destined to the control plane.
class-map match-all SSH match protocol ssh policy-map COPP class SSH police 2000 1000000 conform-action transmit exceed-action drop
A company has deployed a Cisco ASA firewall in transparent mode. The internal network uses VLAN 10 and the external network uses VLAN 20. The ASA is configured with two bridge groups: BVI 10 for inside and BVI 20 for outside. The security policy must allow HTTPS traffic from inside to outside. Which access-list entry is correct?
access-list INSIDE extended permit tcp 192.168.1.0 255.255.255.0 any eq 443 access-group INSIDE in interface inside
access-list GLOBAL extended permit ip 192.168.1.0 255.255.255.0 any
access-list GLOBAL extended permit tcp any any eq 443
access-list GLOBAL extended permit tcp 192.168.1.0 255.255.255.0 any eq 443
Correct: global access-list permits traffic from inside subnet to any on port 443.
A network administrator is troubleshooting a DHCP snooping issue on a Cisco switch. The switch is configured with DHCP snooping globally and on VLAN 10. The trusted interface is GigabitEthernet0/1 connected to the DHCP server. However, clients on VLAN 10 are not receiving IP addresses from the DHCP server. What is the most likely cause?
The switch has IP Source Guard enabled, blocking valid DHCP traffic.
The interface GigabitEthernet0/1 is not configured as a trusted port for DHCP snooping.
Correct: Untrusted ports drop DHCP server messages; the server port must be trusted.
The DHCP server is on a different subnet and the switch lacks an IP helper address.
The DHCP server is sending offers too quickly, exceeding the rate-limit on the switch.
Which TWO of the following are valid methods to mitigate VLAN hopping attacks?
Configure switchport mode dynamic auto on all ports.
Disable Dynamic Trunking Protocol (DTP) on all access ports.
Prevents trunk negotiation.
Set the native VLAN to VLAN 1 on all trunk ports.
Set the native VLAN to an unused VLAN ID on all trunk ports.
Mitigates double-tagging VLAN hopping.
Use 802.1Q trunking instead of ISL.
A network engineer is configuring AAA on a Cisco ISR router to authenticate administrative users via a RADIUS server. The engineer configures the router with the command 'aaa new-model' and then 'aaa authentication login default group radius local'. When the engineer attempts to SSH to the router using a username that exists only on the RADIUS server, the authentication fails. The RADIUS server is reachable and the shared secret is correct. What is the most likely cause of the failure?
The router's SSH service is not enabled.
The RADIUS server is rejecting the authentication because the user is not defined on the server, and the 'local' fallback only applies if the server is unreachable.
Correct because the 'group radius local' method list tries RADIUS first; if RADIUS responds with a reject (user not found), the router does not fall back to local. The fallback only occurs if the RADIUS server does not respond.
The 'aaa new-model' command must be followed by an 'aaa authentication login default local' command to use local authentication.
The router's VTY lines are not configured to use the default authentication list.
An enterprise network uses TACACS+ for device administration and RADIUS for network access (VPN and wireless). The TACACS+ server is configured to authorize commands. A network engineer notices that after a recent upgrade of the TACACS+ server software, some commands that were previously authorized are now being denied. The engineer checks the router configuration and sees 'aaa authorization commands 15 default group tacacs+'. The TACACS+ server logs show that the authorization requests are being sent and responded to. What is the most likely cause?
The router's 'aaa authorization commands 15 default group tacacs+' command is missing the 'local' keyword, so if TACACS+ denies, there is no fallback.
The TACACS+ server upgrade changed the default authorization behavior from permissive to restrictive, requiring explicit 'permit' statements for each command, and the existing rules may not cover all commands.
Correct because TACACS+ authorization rules are defined on the server; an upgrade can change default behavior (e.g., from permit-all to deny-all), requiring updated rules to allow previously permitted commands.
The router's privilege level 15 is not correctly assigned to the user.
The TACACS+ server is not reachable due to a firewall change, causing the router to deny all commands.
A network engineer is configuring a Cisco switch for 802.1X port-based authentication. The switch is configured with a RADIUS server for authentication. The engineer wants to allow devices that fail 802.1X authentication to still access a limited guest VLAN. The engineer configures 'authentication port-control auto' and 'authentication host-mode multi-host' on the interface. However, when a non-802.1X-capable device is connected, the port remains in the unauthorized state and does not fall into the guest VLAN. What is missing?
The interface needs the 'authentication guest-vlan <vlan-id>' command to specify the VLAN for non-802.1X devices.
Correct because the guest VLAN is a separate configuration that tells the switch to place the port into a specific VLAN when authentication fails or times out.
The switch must have 'aaa authentication dot1x default group radius' configured globally.
The 'authentication host-mode multi-host' command should be replaced with 'authentication host-mode multi-domain' to support guest VLAN.
The port must be configured as a trunk port to allow the guest VLAN.
A company is deploying a new Cisco wireless LAN controller (WLC) and wants to use RADIUS for authenticating wireless users. The WLC is configured with the RADIUS server IP, shared secret, and authentication port 1812. However, users are unable to authenticate. The network engineer checks the RADIUS server logs and sees that the server is receiving authentication requests from the WLC but is responding with an 'Access-Reject' message. The WLC logs show 'RADIUS server not responding' for the same server. What is the most likely cause?
The RADIUS server is configured to use a different source IP address for RADIUS responses than the IP address configured on the WLC, causing the WLC to drop the responses.
Correct because the WLC typically expects RADIUS responses to come from the same IP address as the configured server; if the server uses a different source IP (e.g., a loopback or secondary IP), the WLC may not recognize the response and logs 'server not responding'.
The WLC is configured with the wrong authentication port; RADIUS uses port 1645, not 1812.
The WLC's RADIUS server configuration has the wrong shared secret, causing the server to reject requests.
The WLC is not configured with a valid management interface IP address to reach the RADIUS server.
A network engineer is configuring a Cisco router to use TACACS+ for authentication and authorization of EXEC sessions. The engineer configures 'aaa new-model', 'aaa authentication login default group tacacs+ local', and 'aaa authorization exec default group tacacs+ local'. When a user tries to log in via SSH, the router prompts for username and password, but after entering correct credentials, the user is immediately disconnected. The TACACS+ server logs show that the authentication was successful. What is the most likely cause?
The TACACS+ server is not configured to authorize the user for EXEC access, so it sends a 'deny' response, causing the router to disconnect the user.
Correct because TACACS+ authorization for EXEC determines whether the user is allowed to start a shell; if the server denies, the router disconnects even though authentication succeeded.
The 'aaa authorization exec' command should be 'aaa authorization commands 15' to allow the user to execute commands after login.
The router's SSH configuration is missing the 'ip ssh authentication-retries' command.
The 'local' fallback in the authorization command is overriding the TACACS+ response.
A network engineer is configuring a Cisco switch for 802.1X with RADIUS authentication. The switch is also configured with 'aaa authentication dot1x default group radius'. The engineer wants to use a single RADIUS server for both authentication and accounting. The RADIUS server is configured with the same shared secret for both services. The engineer configures 'radius-server host 10.1.1.1 auth-port 1812 acct-port 1813 key cisco123'. However, accounting records are not being sent to the server. The engineer verifies that the RADIUS server is reachable and that accounting is enabled on the server. What is the most likely cause?
The switch is missing the 'aaa accounting dot1x default start-stop group radius' command to enable accounting for 802.1X sessions.
Correct because accounting is a separate AAA function that must be explicitly configured; the RADIUS server definition alone does not enable accounting.
The RADIUS server is using a different accounting port than 1813; the switch should use port 1646.
The switch must have 'aaa new-model' configured before accounting can work.
The RADIUS server's shared secret for accounting is different from the authentication secret.
A network engineer is troubleshooting an issue where SSH access to a Cisco router from a specific management subnet (10.10.10.0/24) is intermittently failing. The router has a CoPP policy applied to the control plane. The engineer checks the CoPP statistics and sees that packets from the management subnet are being dropped by the control-plane service-policy. Which configuration change should the engineer make to allow SSH from the management subnet while still protecting the control plane?
Modify the CoPP ACL to include a permit statement for TCP port 22 from 10.10.10.0/24 before the deny statement.
Correct because this allows SSH traffic from the management subnet to be classified and permitted by the CoPP policy, preventing drops.
Remove the deny statement from the CoPP ACL to allow all traffic.
Increase the police rate for the CoPP class that matches SSH traffic.
Remove the CoPP policy from the control plane and rely on interface ACLs.
An enterprise network uses a Cisco Catalyst 9300 switch as a distribution layer device. The network team notices that ICMP echo requests from a monitoring server (192.168.1.100) to the switch's management IP are being dropped intermittently. The switch has a CoPP policy that includes a class-map matching ICMP traffic. The engineer checks the CoPP statistics and sees that ICMP packets from the monitoring server are being dropped by the policy. What is the most likely cause of this issue?
The CoPP policy is policing ICMP traffic to a rate that is too low for the monitoring server's traffic.
Correct because CoPP polices traffic to the control plane; if the rate is too low, legitimate ICMP packets may be dropped.
An ACL applied to the management interface is blocking ICMP from the monitoring server.
The monitoring server is sending ICMP packets with a TTL of 1, causing them to be dropped.
The switch's CPU is overloaded, causing CoPP to drop all packets.
A network engineer is configuring CoPP on a Cisco ASR 1000 router to protect the control plane from excessive traffic. The engineer wants to allow BGP traffic from a specific peer (10.0.0.1) while rate-limiting all other BGP traffic. The engineer creates an ACL that permits TCP port 179 from host 10.0.0.1 and denies all other BGP traffic. The CoPP class-map matches this ACL. However, after applying the policy, BGP sessions from other peers are still being established. What is the most likely reason?
The ACL denies all other BGP traffic, so CoPP does not match it, and it falls through to the default class, which permits it.
Correct because CoPP only applies to traffic matched by the class-map; if the ACL denies traffic, it is not matched, and the default class (often permit) allows it.
The ACL is applied in the wrong order; the deny statement should be before the permit statement.
BGP uses UDP port 179, not TCP, so the ACL does not match BGP traffic.
CoPP does not affect BGP sessions because they are established before the policy is applied.
A network engineer is troubleshooting a connectivity issue between two VLANs on a Cisco Catalyst 3850 switch. The switch has an ACL applied to VLAN 10 that permits traffic from VLAN 20 to VLAN 10, but denies all other traffic. Hosts in VLAN 20 can ping hosts in VLAN 10, but not vice versa. The engineer checks the ACL and finds that it is applied inbound on VLAN 10. What is the most likely cause of the issue?
The ACL is applied inbound on VLAN 10, so it only filters traffic entering VLAN 10, not traffic leaving VLAN 10.
Correct because inbound ACLs filter traffic entering the interface; traffic from VLAN 10 to VLAN 20 is leaving VLAN 10 and is not filtered.
The ACL is applied outbound on VLAN 10, so it filters traffic leaving VLAN 10, preventing replies.
The ACL is applied to the SVI for VLAN 10, but the hosts are in VLAN 10, so the ACL does not apply.
The ACL is blocking ICMP echo replies from VLAN 10 to VLAN 20.
A network engineer is configuring CoPP on a Cisco Nexus 9000 switch to protect the control plane from a potential DoS attack. The engineer creates a class-map that matches traffic with a specific DSCP value (AF41) and applies a police rate of 10 Mbps. After applying the policy, the engineer notices that legitimate traffic with DSCP AF41 is being dropped even though the traffic rate is only 5 Mbps. What is the most likely cause?
The CoPP policy has a conform-action of drop, which drops all traffic matching the class.
Correct because if the conform-action is set to drop, all traffic in that class is dropped, even if it is within the police rate.
The police rate is too low, and the traffic is being dropped due to exceeding the rate.
The DSCP value AF41 is not supported on Nexus switches.
The CoPP policy is applied to the wrong queue, causing all traffic to be dropped.
A network engineer is troubleshooting an issue where a Cisco router is not responding to SNMP polls from a network management station (NMS) at 192.168.1.50. The router has a CoPP policy that includes a class-map matching SNMP traffic (UDP port 161). The engineer checks the CoPP statistics and sees that SNMP packets from the NMS are being dropped. The engineer wants to allow SNMP from the NMS while still protecting the control plane. Which configuration change should the engineer make?
Modify the CoPP ACL to include a permit statement for UDP port 161 from host 192.168.1.50 before the deny statement.
Correct because this allows SNMP traffic from the NMS to be classified and permitted by the CoPP policy.
Increase the police rate for the CoPP class that matches SNMP traffic.
Remove the CoPP policy from the control plane and rely on interface ACLs.
Change the SNMP port on the router to a non-standard port to avoid the CoPP policy.
A network engineer is deploying 802.1X on a Cisco switch for a mixed environment of Windows laptops and IP phones. The engineer configures the switchport with 'authentication port-control auto' and 'dot1x pae authenticator'. After connecting a Windows laptop, the switch logs show 'Authentication failed' for the laptop. The engineer verifies that the RADIUS server is reachable and the laptop's supplicant is configured correctly. What is the most likely cause of the authentication failure?
The switch lacks 'aaa new-model' configuration.
The switch is not configured to send EAP-Request/Identity packets; the 'dot1x timeout tx-period' is too long or missing.
Correct because without proper EAP initiation, the supplicant may not respond, leading to authentication failure.
The switchport is configured as 'switchport mode trunk' instead of 'switchport mode access'.
The RADIUS server is not configured with the correct shared secret.
An enterprise is implementing Cisco TrustSec (CTS) to enforce role-based access control. The network engineer configures the switch with 'cts role-based enforcement' and 'cts manual' on an interface connecting to a trusted Cisco switch. The engineer also configures Security Group Tags (SGTs) on the RADIUS server. However, traffic between two hosts in different SGTs is not being filtered as expected. The engineer checks 'show cts role-based counters' and sees no drops. What is the most likely reason for the lack of enforcement?
The switch is not configured for 802.1X on the interface.
The 'cts manual' command is incorrect; 'cts dot1x' should be used instead.
The SGTs are not being propagated to the switch; the switch lacks SGT mappings for the hosts.
Correct because without SGTs, the switch cannot enforce role-based policies.
The 'show cts role-based counters' command shows no drops, indicating the ACLs are not configured.
A network engineer is configuring 802.1X on a Cisco Catalyst 9300 switch for a wired network. The engineer wants to allow devices that do not support 802.1X (e.g., printers) to still access the network using MAB (MAC Authentication Bypass). The engineer configures the interface with 'authentication port-control auto', 'dot1x pae authenticator', and 'mab'. However, after connecting a printer, the switch logs show 'MAB failed' repeatedly. The printer's MAC address is in the RADIUS server database. What is the most likely cause?
The RADIUS server is not configured to accept MAC addresses in the format sent by the switch (e.g., with dots or colons).
Correct because MAB uses the MAC address as credentials; format mismatch causes failure.
The switch is not configured with 'dot1x timeout tx-period' to initiate MAB.
The interface is configured as 'switchport mode trunk', which does not support MAB.
The printer is not responding to EAP-Request/Identity packets.
A network engineer is deploying Cisco TrustSec (CTS) with Security Group Access Control Lists (SGACLs) on a campus network. The engineer configures the switch with 'cts role-based enforcement' and assigns SGTs to users via 802.1X. The engineer tests connectivity between a user in SGT 10 and a server in SGT 20. The SGACL permits traffic from SGT 10 to SGT 20, but the user cannot reach the server. The engineer checks 'show cts role-based sgt map' and sees that the user's SGT is 0. What is the most likely cause?
The RADIUS server is not configured to send the SGT in the Access-Accept message.
Correct because the SGT must be assigned by the RADIUS server during authentication.
The SGACL is applied to the wrong interface.
The switch is not configured with 'cts role-based enforcement'.
The user's SGT is 0, which is a valid SGT that denies all traffic.
An organization is implementing 802.1X for wireless users using Cisco ISE as the RADIUS server. The network engineer configures the wireless LAN controller (WLC) with 802.1X authentication. Users report that they can connect to the SSID but cannot access any network resources. The engineer checks the WLC and sees that users are authenticated and assigned to VLAN 100. The engineer also checks the switchport connecting the WLC and sees it is a trunk. What is the most likely issue?
The RADIUS server is not sending the correct VLAN ID in the Access-Accept.
The switch trunk port does not have VLAN 100 allowed.
Correct because the WLC sends tagged traffic on VLAN 100, and the trunk must permit it.
The WLC is not configured for 802.1X on the uplink to the switch.
The users' devices are not configured for MAB.
A network engineer is configuring 802.1X on a Cisco switch for a voice VLAN deployment. The switchport is connected to an IP phone, which then connects to a PC. The engineer configures the interface with 'authentication port-control auto', 'dot1x pae authenticator', and 'switchport voice vlan 10'. The PC authenticates successfully, but the IP phone does not get an IP address from the voice VLAN. The engineer verifies that the phone is configured for 802.1X and the RADIUS server is correct. What is the most likely cause?
The IP phone does not support 802.1X and is not configured for MAB.
Correct because the phone must authenticate to be placed in the voice VLAN; if it fails, it may not get the voice VLAN.
The switchport is missing 'switchport mode access' command.
The RADIUS server is not sending the voice VLAN ID in the Access-Accept.
The PC is using the voice VLAN instead of the data VLAN.
A network engineer is configuring a site-to-site IPsec VPN between two Cisco routers. The engineer wants to ensure that the VPN tunnel uses the strongest possible encryption and authentication algorithms. The engineer configures the following: crypto isakmp policy 10, authentication pre-share, encryption aes-256, group 14, lifetime 86400. On the remote router, the engineer configures: crypto isakmp policy 10, authentication pre-share, encryption aes-256, group 14, lifetime 86400. The tunnel fails to establish. What is the most likely cause?
The lifetimes are set too high; they should be 3600 seconds.
The hash algorithm is not specified and defaults may differ between routers.
Correct because the default hash algorithm can vary, causing a mismatch.
The Diffie-Hellman group 14 is not supported on these routers.
Pre-shared keys cannot be used with AES-256 encryption.
A network engineer is tasked with deploying a DMVPN Phase 2 network for a company with multiple branch offices. The hub router is a Cisco 4451-X and the spoke routers are Cisco 4331s. After configuration, the spokes can ping the hub's tunnel IP, but cannot reach each other's tunnel IPs. The engineer checks the routing tables and sees that the hub has routes for both spoke subnets, but the spokes do not have routes to each other. What is the most likely cause?
The NHRP network ID is mismatched between the hub and spokes.
The spokes are not configured with a crypto map for IPsec.
The hub is not configured to propagate spoke routes to other spokes.
Correct because without route propagation, spokes cannot learn each other's networks.
The tunnel mode is set to GRE instead of mGRE on the spokes.
An engineer is configuring a FlexVPN hub-and-spoke network. The hub router has a loopback0 with IP 10.0.0.1/32. The spokes are configured to use IKEv2 with certificates. The engineer notices that the spokes can establish the IKEv2 tunnel and can ping the hub's tunnel IP, but cannot reach the loopback0 address. The hub has a static route for the spoke subnets. What is the most likely issue?
The IKEv2 proposal does not match between hub and spoke.
The certificate authority is not trusted by the hub.
The tunnel interface is not in an up/up state.
The loopback0 is not advertised in the routing protocol.
Correct because without a route, the spokes cannot reach the loopback.
A network engineer is configuring a GETVPN solution for a large enterprise with many remote sites. The engineer wants to ensure that all traffic between sites is encrypted using a common group key. The key server (KS) is a Cisco ASR 1000. After configuration, the group members (GMs) can register with the KS, but traffic between GMs is not encrypted. The engineer checks the KS configuration and sees that the crypto gdoi group has been defined with a transform set and a security association. What is the most likely missing configuration?
The KS is missing an access list to define the traffic to encrypt.
Correct because the traffic selector is required for GETVPN policy.
The group name on the GMs does not match the KS.
The KS is not configured with an IPsec profile.
The GMs are in different IP subnets than the KS.
An engineer is troubleshooting a site-to-site VPN between a Cisco ASA and a Cisco IOS router. The VPN is configured using IKEv1 with pre-shared keys. The tunnel establishes and traffic flows, but after a few hours, the tunnel drops and re-establishes. The engineer checks the logs and sees that the Phase 1 SA is being rekeyed. What is the most likely reason for the tunnel dropping?
The Dead Peer Detection (DPD) interval is too short.
The IKE Phase 1 lifetime is set too low.
Correct because a short lifetime causes frequent rekeys, which can lead to drops if not synchronized.
The IPsec transform set is misconfigured.
The Phase 2 lifetime is longer than Phase 1.
A network engineer is configuring a remote access VPN using Cisco AnyConnect on an ASA. The engineer wants to use certificate-based authentication. The ASA is configured with a CA server. After configuration, users can connect, but they are prompted for a username and password instead of using certificates. The engineer checks the ASA configuration and sees that the tunnel group has authentication method set to AAA. What should the engineer do to fix this?
Re-enroll the CA certificate on the ASA.
Change the connection profile to use the correct group.
Configure the group policy to require certificates.
Change the tunnel group authentication method to certificate.
Correct because the authentication method must be set to certificate.
A network engineer is configuring port security on a Cisco switch. The requirement is to allow only the first MAC address that appears on the port to be learned and to automatically disable the port if a violation occurs. The engineer configures 'switchport port-security mac-address sticky' but does not specify a maximum number of secure MAC addresses. After connecting a single host, the port works. However, when the host is replaced with a different device, the port is error-disabled. What is the most likely reason?
The default maximum number of secure MAC addresses is 1, so the second MAC address triggers a violation.
Correct because the default maximum is 1, and sticky learning does not change that.
The sticky keyword requires the engineer to first manually configure a maximum number of MAC addresses.
The violation mode is set to 'restrict' by default, which causes the port to error-disable after one violation.
The port security aging type is set to 'absolute' by default, causing the sticky address to expire immediately.
An enterprise network uses 802.1X for wired access. The authentication server is a Cisco ISE. Recently, some Windows 10 clients fail to authenticate, while others succeed. The engineer checks the switch configuration and finds 'authentication port-control auto' and 'dot1x pae authenticator' are configured. The failing clients show 'EAP failure' in the logs. The engineer suspects a mismatch in EAP method. Which EAP method is most likely causing the issue if the ISE is configured to require EAP-TLS but the Windows clients are configured for PEAP-MSCHAPv2?
EAP-TLS requires a client certificate, which the Windows clients do not have.
Correct because EAP-TLS requires client certificates, and PEAP-MSCHAPv2 does not provide them.
EAP-FAST requires a PAC file that the Windows clients do not have.
LEAP uses a shared secret that is not configured on the clients.
EAP-MD5 does not support mutual authentication, causing the failure.
A network engineer is configuring CoPP on a Cisco router to protect the control plane from excessive traffic. The router experiences high CPU utilization due to SSH and SNMP traffic. The engineer creates a class-map to match SSH (TCP/22) and SNMP (UDP/161) and applies a policy-map that polices this traffic to 1 Mbps. After applying the policy, legitimate SSH sessions from the management station start dropping intermittently. What is the most likely cause?
The police rate of 1 Mbps is too low for the combined SSH and SNMP traffic from the management station.
Correct because the police rate is insufficient, causing drops of legitimate control plane traffic.
The CoPP policy is applied to the wrong interface, affecting transit traffic instead of control plane traffic.
The class-map should match on DSCP values instead of port numbers to be effective.
The policy-map should use the 'drop' action instead of 'police' to protect the control plane.
A network engineer is implementing DHCP snooping on a Cisco switch to prevent rogue DHCP servers. The switch has multiple VLANs, and the DHCP server is connected to interface GigabitEthernet0/1 in VLAN 10. The engineer enables DHCP snooping globally and for VLAN 10, then configures 'ip dhcp snooping trust' on GigabitEthernet0/1. However, clients in VLAN 10 are not receiving IP addresses. The engineer checks the DHCP snooping binding table and sees no entries. What is the most likely cause?
The switch does not have an 'ip helper-address' configured to forward DHCP requests to the server.
Correct because the DHCP server is in VLAN 10, but clients may be in a different VLAN, requiring a helper address.
The interface GigabitEthernet0/1 should be configured as an untrusted port for DHCP snooping.
The switch has DHCP snooping rate limiting enabled, which is dropping all DHCP packets.
The DHCP server is connected to a port in a different VLAN, and DHCP snooping only works within the same VLAN.
A network engineer is configuring dynamic ARP inspection (DAI) on a Cisco switch to prevent ARP spoofing. DHCP snooping is already enabled and the DHCP server port is trusted. The engineer enables DAI on VLAN 10 and configures 'ip arp inspection trust' on the port connected to the DHCP server. After enabling DAI, some legitimate ARP replies from hosts are dropped, and 'show ip arp inspection statistics' shows the DHCP Drops counter incrementing for VLAN 10. What is the most likely reason?
The hosts have static IP addresses, so their MAC-IP bindings are not in the DHCP snooping database.
Correct because on an untrusted port DAI validates the sender MAC and IP of each ARP packet against the DHCP snooping binding table, and a statically addressed host never obtains a binding. Add those hosts to an ARP ACL ('arp access-list', applied with 'ip arp inspection filter <acl> vlan 10') or create static bindings with 'ip source binding'. The DHCP Drops counter is what distinguishes this case from ACL Drops.
The port connected to the DHCP server should be untrusted for DAI to work correctly.
The DHCP server is in a different VLAN, and DAI cannot validate cross-VLAN ARP.
DAI is checking the destination MAC address, which does not match the expected value.
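As an added example (not code from the question bank), the following Python simulates the DAI decision described above for ARP packets on one VLAN, using the two sources a Catalyst switch consults: the DHCP snooping binding table and an optional ARP ACL applied with 'ip arp inspection filter'. The bindings, ACL entries and ARP packets are constructed for the demonstration; the counter names mirror the columns of 'show ip arp inspection statistics'.

```python
"""Added example: DAI decision logic for one VLAN (constructed data)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def _mac(mac: str) -> str:
    """Normalise 'aabb.ccdd.eeff', 'aa:bb:cc:dd:ee:ff' and upper-case forms to one form."""
    return "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")


@dataclass(frozen=True)
class Binding:           # one row of 'show ip dhcp snooping binding'
    mac: str
    ip: str
    vlan: int


@dataclass(frozen=True)
class AclEntry:          # one line of 'arp access-list': permit|deny ip host X mac host Y
    action: str          # "permit" or "deny"
    ip: str              # IPv4 address or "any"
    mac: str             # MAC address or "any"

    def matches(self, ip: str, mac: str) -> bool:
        return (self.ip == "any" or self.ip == ip) and \
               (self.mac == "any" or _mac(self.mac) == _mac(mac))


@dataclass(frozen=True)
class ArpPacket:
    eth_src_mac: str     # Ethernet source address
    sender_mac: str      # ARP sender hardware address (what DAI binds to the IP)
    sender_ip: str       # ARP sender protocol address
    vlan: int
    ingress_port: str


class DaiVlan:
    """DAI state for one VLAN: trusted ports, snooping bindings, optional ARP ACL."""

    COUNTERS = ("forwarded", "dhcp_permits", "acl_permits",
                "dhcp_drops", "acl_drops", "src_mac_failures")

    def __init__(self, vlan: int, trusted_ports: List[str], bindings: List[Binding],
                 arp_acl: Optional[List[AclEntry]] = None, acl_static: bool = False,
                 validate_src_mac: bool = False) -> None:
        self.vlan = vlan
        self.trusted = set(trusted_ports)
        self.bindings = {(_mac(b.mac), b.ip) for b in bindings if b.vlan == vlan}
        self.arp_acl = arp_acl                    # None: no 'ip arp inspection filter' on this VLAN
        self.acl_static = acl_static              # 'static' keyword: no fallback to DHCP bindings
        self.validate_src_mac = validate_src_mac  # 'ip arp inspection validate src-mac'
        self.stats: Dict[str, int] = {c: 0 for c in self.COUNTERS}

    def _count(self, *names: str) -> None:
        for name in names:
            self.stats[name] += 1

    def inspect(self, pkt: ArpPacket) -> Tuple[bool, str]:
        """Return (forwarded?, reason) and update the per-VLAN counters."""
        if pkt.ingress_port in self.trusted:
            self._count("forwarded")
            return True, "trusted port: not inspected"
        if self.validate_src_mac and _mac(pkt.eth_src_mac) != _mac(pkt.sender_mac):
            self._count("src_mac_failures")
            return False, "src-mac validation failed"
        if self.arp_acl is not None:
            for entry in self.arp_acl:            # first matching ACE wins
                if entry.matches(pkt.sender_ip, pkt.sender_mac):
                    if entry.action == "permit":
                        self._count("acl_permits", "forwarded")
                        return True, "permitted by ARP ACL"
                    self._count("acl_drops")
                    return False, "denied by ARP ACL"
            if self.acl_static:
                self._count("acl_drops")
                return False, "no ACE matched and the filter is static (implicit deny)"
        if (_mac(pkt.sender_mac), pkt.sender_ip) in self.bindings:
            self._count("dhcp_permits", "forwarded")
            return True, "matches a DHCP snooping binding"
        self._count("dhcp_drops")
        return False, "no DHCP snooping binding for this MAC/IP (counted as DHCP Drops)"


def demo() -> dict:
    """Replay the question: a DHCP client, a static host, a spoofer and the gateway."""
    bindings = [Binding("0011.2233.4455", "10.10.0.11", 10)]      # constructed lease
    dai = DaiVlan(vlan=10, trusted_ports=["Gi0/1"], bindings=bindings)
    dhcp_host = ArpPacket("0011.2233.4455", "0011.2233.4455", "10.10.0.11", 10, "Gi0/5")
    static_host = ArpPacket("00aa.bbcc.ddee", "00aa.bbcc.ddee", "10.10.0.5", 10, "Gi0/7")
    spoofer = ArpPacket("00de.ad00.beef", "00de.ad00.beef", "10.10.0.1", 10, "Gi0/9")
    gateway = ArpPacket("0000.0c07.ac0a", "0000.0c07.ac0a", "10.10.0.1", 10, "Gi0/1")
    out = {"dhcp_host": dai.inspect(dhcp_host),
           "static_before_acl": dai.inspect(static_host)}   # dropped: no binding
    # The fix for the static host: 'arp access-list STATIC-HOSTS' applied with
    # 'ip arp inspection filter STATIC-HOSTS vlan 10'.
    dai.arp_acl = [AclEntry("permit", "10.10.0.5", "00aa.bbcc.ddee")]
    out["static_after_acl"] = dai.inspect(static_host)
    out["spoofer"] = dai.inspect(spoofer)      # claims the gateway IP: no binding, dropped
    out["gateway"] = dai.inspect(gateway)      # arrives on the trusted uplink
    out["stats"] = dict(dai.stats)
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the demo shows the static host being counted under DHCP Drops until the ARP ACL is applied, the spoofed gateway reply being dropped for the same reason, and the real gateway's reply passing untouched because it arrives on a trusted port.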
A network engineer is configuring IPv6 First Hop Security on a Cisco switch to mitigate rogue RA attacks. The engineer enables RA guard and attaches a policy intended to allow only the default gateway to send RAs. After the change, hosts cannot obtain IPv6 addresses via SLAAC, and the switch shows RA guard dropping every RA. What is the most likely cause?
The RA guard policy does not include the IPv6 address or MAC address of the legitimate default gateway.
Correct because RA guard drops any RA the attached policy does not permit, and the port facing the gateway is treated like a host port unless the policy marks it 'device-role router' or matches the gateway's address or prefix; the legitimate RAs are therefore discarded along with the rogue ones. Inspect the policy with 'show ipv6 nd raguard policy'.
The switch has DHCPv6 snooping enabled, which conflicts with RA guard.
SLAAC requires the host to send a router solicitation first, which is being blocked by RA guard.
RA guard is configured in 'block' mode, which drops all RAs regardless of the policy.
A network engineer needs to automate the backup of running configurations from multiple Cisco IOS XE devices to a central TFTP server. Which tool is best suited for this task in a Python-based automation framework?
RESTCONF
Ansible
Paramiko
Netmiko
Netmiko builds on Paramiko and adds device-type-aware prompt, paging and timeout handling for Cisco IOS XE, so a script can log in, run 'show running-config' (or 'copy running-config tftp:' and answer its prompts) and collect the result without hand-written expect logic. Plain Paramiko works but leaves all of that to the script; Ansible is a separate automation tool rather than a library for the Python framework, and RESTCONF is an API, not a tool.
An organization uses Cisco DNA Center to automate network provisioning. A network engineer deploys a new access switch but finds that the switch does not receive the intended configuration template. The switch appears in DNA Center inventory with status 'Managed'. What is the most likely cause?
The switch has not been discovered by DNA Center
The switch is not in Plug and Play mode
The switch does not have a valid DNA license
The switch is not assigned to a site
Site assignment is required for template application.
A network team uses Ansible to automate VLAN configuration on Cisco IOS devices. The playbook fails with the error 'Failed to connect to the host via ssh: Permission denied (publickey)'. The control node runs Ubuntu, and the network devices are configured with SSH key authentication. Which solution should the engineer implement?
Set ansible_ssh_private_key_file in the inventory but omit the passphrase
Set ansible_user to the correct username in the inventory
Run ssh-add on the control node to add the private key to the SSH agent
The SSH agent must have the key loaded for authentication.
Enable keyboard-interactive authentication on the IOS devices
A company uses Cisco Catalyst Center (formerly DNA Center) for intent-based networking. After upgrading the Catalyst Center appliance, the engineer notices that some devices are unreachable via the network, but the Catalyst Center GUI shows them as 'Managed'. What is the most likely cause?
SNMP community strings are misconfigured
Devices were reassigned to different roles
Certificate trust between devices and Catalyst Center expired
The IP address of the Catalyst Center appliance changed after the upgrade
A changed IP address would break management connectivity.
A network engineer is writing a Python script that uses the Cisco IOS XE RESTCONF API to create a loopback interface. The script sends a POST request to the URI /restconf/data/Cisco-IOS-XE-native:native/interface/Loopback=100 with a JSON body that includes the IP address, and the API returns 404 Not Found. RESTCONF is enabled, the credentials are correct, and Loopback100 does not yet exist. What is the most likely issue?
The JSON body is missing the 'name' key for the loopback
The loopback interface number is incorrect in the URI
The script is not authenticated properly
The request targets the new entry with POST; it should be a PUT to that URI, or a POST to the parent /interface container
Correct because in RESTCONF (RFC 8040) POST creates a child under the target resource, so the target must already exist, whereas PUT targets the resource itself and either creates it (201 Created) or replaces it (204 No Content). A 401 would indicate the authentication problem, and a wrong number in the URI would simply create a different loopback.
A network engineer uses Netmiko to connect to multiple Cisco IOS XE devices and execute commands. The script runs correctly for most devices but fails for one device with the error: 'ValueError: SSH session not active'. The device is reachable and SSH credentials are correct. What is the most likely cause?
The connection timeout is set too low
The device has reached the maximum number of SSH sessions
The device's SSH server is not fully initialized
The device may still be booting or SSH service is not started.
The device requires an enable password but none was provided
A network engineer is writing a Python script to automate the backup of running configurations from a list of 50 Cisco IOS-XE devices. The script uses the netmiko library and a for loop to connect to each device, execute 'show run', and write the output to a file. After running the script, the engineer notices that the script fails on the 15th device with a timeout error, and the remaining devices are not processed. The engineer wants to ensure that if one device fails, the script continues with the next device. What is the best way to modify the script?
Increase the global timeout value in the netmiko connection handler.
Use the concurrent.futures module to run each connection in a separate thread.
Wrap the connection and backup logic inside a try-except block within the for loop.
Correct because a try-except block catches the exception for the failing device and allows the loop to continue to the next device.
Replace the for loop with a while loop that retries the connection three times before moving on.
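As an added example (not code from the question bank), here is the loop with the per-device try/except the correct answer describes. The connection factory is a parameter so the loop can be exercised offline; by default it uses netmiko.ConnectHandler. The device list, the fake connection class and the failing host are constructed for the demonstration.

```python
"""Added example: a Netmiko backup loop that survives a single device failure."""
import os
import tempfile
from typing import Callable, Dict, List


def netmiko_connect(device: dict):
    """Default factory: a real Netmiko session (imported lazily, only when used)."""
    from netmiko import ConnectHandler
    return ConnectHandler(**device)


def backup_devices(devices: List[dict], out_dir: str,
                   connect: Callable = netmiko_connect,
                   command: str = "show running-config") -> Dict[str, dict]:
    """Back up each device's running config to <out_dir>/<host>.cfg.

    A failure on one device is recorded in the result and the loop moves on,
    which is the point of the try/except inside the for loop.
    """
    os.makedirs(out_dir, exist_ok=True)
    results: Dict[str, dict] = {}
    for device in devices:
        host = device["host"]
        conn = None
        try:
            conn = connect(device)
            output = conn.send_command(command)
            if not output.strip():
                raise RuntimeError("empty output")     # an empty file is not a backup
            path = os.path.join(out_dir, f"{host}.cfg")
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(output)
            results[host] = {"ok": True, "path": path, "bytes": len(output)}
        except Exception as exc:  # noqa: BLE001
            # In real runs this is NetmikoTimeoutException, NetmikoAuthenticationException
            # or OSError; catching broadly is deliberate so the loop never aborts.
            results[host] = {"ok": False, "error": f"{type(exc).__name__}: {exc}"}
        finally:
            if conn is not None:
                try:
                    conn.disconnect()
                except Exception:  # noqa: BLE001
                    pass
    return results


class FakeConnection:
    """Stand-in for a Netmiko session, used only to demonstrate the loop offline."""

    def __init__(self, host: str) -> None:
        self.host = host

    def send_command(self, command: str) -> str:
        return f"! {command} from {self.host}\nhostname R-{self.host.replace('.', '-')}\n"

    def disconnect(self) -> None:
        pass


def fake_connect(failing_hosts: List[str]) -> Callable:
    """Return a factory that raises TimeoutError for the listed hosts (constructed)."""
    def _connect(device: dict):
        if device["host"] in failing_hosts:
            raise TimeoutError(f"connection to {device['host']} timed out")
        return FakeConnection(device["host"])
    return _connect


def demo() -> Dict[str, dict]:
    """Three constructed devices; the middle one fails, the others are still backed up."""
    devices = [{"device_type": "cisco_xe", "host": h, "username": "backup",
                "password": "placeholder"}            # real runs: pull this from a vault
               for h in ("10.0.0.1", "10.0.0.2", "10.0.0.3")]
    out_dir = tempfile.mkdtemp(prefix="cfg-backup-")
    return backup_devices(devices, out_dir, connect=fake_connect(["10.0.0.2"]))


if __name__ == "__main__":
    for host, result in demo().items():
        print(host, result)
```

The results dictionary doubles as the run report: anything with ok=False can be retried or alerted on afterwards, which is cleaner than a bare retry loop around the connection.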
An engineer is using the Cisco DNA Center REST API to retrieve a list of network devices and their health scores. The engineer writes a Python script using the requests library. The script successfully retrieves data for the first 100 devices, but when trying to get the next 100, the API returns an empty list. The engineer checks the API documentation and finds that the endpoint supports pagination with the 'offset' and 'limit' parameters. The current script does not handle pagination. What should the engineer do to retrieve all devices?
Increase the 'limit' parameter to 1000 in a single API call.
Use the 'next' URL from the response headers to automatically fetch the next page.
Write a loop that increments the 'offset' parameter by the 'limit' value until all pages are retrieved.
Correct because this implements standard pagination by adjusting the offset parameter in each iteration until no more data is returned.
Switch to using the Cisco DNA Center Python SDK which handles pagination automatically.
A network engineer is automating the configuration of VLANs on a Cisco Nexus 9000 switch using Python and the NX-API. The engineer sends a Python dictionary with the CLI commands to the API and receives a successful response. However, when checking the switch, the VLANs are not created. The engineer verifies that the credentials and IP address are correct, and the API is enabled. The engineer also notices that the API response contains a 'code' field of '200' and a 'result' field that shows the command output. What is the most likely cause of the issue?
The API response code of 200 indicates an error, and the engineer should check for a different status code.
The VLAN commands are incorrect; the engineer should use 'vlan 10' instead of 'vlan 10-20'.
The engineer used the 'cli_show' message type in the API request instead of 'cli_conf'.
Correct because NX-API executes commands in the mode implied by the message type: 'cli_conf' enters configuration mode and applies the commands, while 'cli_show' only runs show commands. Check the 'type' field in the request body and the per-command 'code' values in the response; each command in a batch reports its own result even though the HTTP status is 200.
The switch requires a 'commit' command after configuration changes via NX-API.
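As an added example (not code from the question bank), the helpers below build the NX-API CLI envelope with the right message type and check the per-command results, since the HTTP status is 200 even when one command in a batch failed. The request shape and the 'Content-Type' header are NX-API's; the two sample responses are constructed in the shape NX-API returns for a cli_conf batch, and 'configure_vlans' shows the real call with a requests.Session but is not run offline.

```python
"""Added example: NX-API cli_conf payloads and per-command result checking."""
import json
from typing import Dict, List, Tuple

SHOW_TYPES = ("cli_show", "cli_show_ascii")
CONF_TYPE = "cli_conf"


def build_payload(commands: List[str], msg_type: str) -> dict:
    """Return the ins_api envelope; several commands are joined with ' ;'."""
    if msg_type not in SHOW_TYPES + (CONF_TYPE,):
        raise ValueError(f"unsupported NX-API type {msg_type!r}")
    if msg_type in SHOW_TYPES and any(not c.strip().startswith("show") for c in commands):
        raise ValueError(f"{msg_type} can only carry show commands; use {CONF_TYPE}")
    return {"ins_api": {"version": "1.0", "type": msg_type, "chunk": "0",
                        "sid": "1", "input": " ;".join(commands),
                        "output_format": "json"}}


def check_response(resp: dict) -> Tuple[bool, List[str]]:
    """Return (all_ok, errors).  NX-API returns 'output' as a dict for a single
    command and as a list for several, so normalise before checking."""
    outputs = resp["ins_api"]["outputs"]["output"]
    if isinstance(outputs, dict):
        outputs = [outputs]
    errors = []
    for out in outputs:
        if str(out.get("code")) != "200":
            errors.append(f"{out.get('input', '?')}: {out.get('code')} {out.get('msg')} "
                          f"{out.get('clierror', '')}".strip())
    return (not errors), errors


def configure_vlans(session, host: str, vlan_ids: List[int],
                    names: Dict[int, str]) -> List[str]:
    """Push VLANs through a requests.Session whose .auth is set and whose TLS
    verification is left on (point .verify at the switch's CA bundle)."""
    cmds: List[str] = []
    for vid in vlan_ids:
        cmds += [f"vlan {vid}", f"name {names.get(vid, f'VLAN{vid}')}"]
    payload = build_payload(cmds, CONF_TYPE)
    r = session.post(f"https://{host}/ins", json=payload,
                     headers={"Content-Type": "application/json"}, timeout=30)
    r.raise_for_status()
    ok, errors = check_response(r.json())
    if not ok:
        raise RuntimeError("NX-API rejected commands: " + "; ".join(errors))
    return cmds


# Constructed responses in the shape NX-API returns for a two-command cli_conf batch.
SAMPLE_OK = {"ins_api": {"type": "cli_conf", "version": "1.0", "sid": "eoc",
             "outputs": {"output": [
                 {"input": "vlan 10", "msg": "Success", "code": "200"},
                 {"input": "name USERS", "msg": "Success", "code": "200"}]}}}
SAMPLE_FAIL = {"ins_api": {"type": "cli_conf", "version": "1.0", "sid": "eoc",
               "outputs": {"output": [
                   {"input": "vlan 10", "msg": "Success", "code": "200"},
                   {"input": "nam USERS", "msg": "Input CLI command error",
                    "code": "400", "clierror": "% Invalid command"}]}}}

if __name__ == "__main__":
    print(json.dumps(build_payload(["vlan 10", "name USERS"], CONF_TYPE), indent=2))
    print(check_response(SAMPLE_OK))
    print(check_response(SAMPLE_FAIL))
```

The guard in build_payload catches the exact mistake in the question before anything is sent: a configuration command offered with a show type is refused locally instead of producing a response that looks successful.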
A junior engineer is tasked with writing a Python script that uses the Cisco IOS-XE RESTCONF API to retrieve the hostname of a router. The engineer uses the requests library and sends a GET request to the URL 'https://router/restconf/data/Cisco-IOS-XE-native:hostname'. The request fails with a 4xx error whose body reports that the URI path is not found. The engineer has verified that the RESTCONF service is enabled and the credentials are correct. What is the most likely reason for the error?
The hostname data node does not exist in the YANG model.
The engineer forgot to include the 'Accept: application/yang-data+json' header in the request.
The URL path is missing the top-level container; it should be '/restconf/data/Cisco-IOS-XE-native:native/hostname'.
Correct because 'Cisco-IOS-XE-native' is the YANG module name and 'native' is its top-level container; 'hostname' is a leaf inside that container, so the module prefix qualifies 'native' and the leaf follows it in the path. A missing Accept header changes the encoding of the reply, not whether the path resolves.
The engineer must use a different HTTP method like POST to retrieve the hostname.
A network engineer is using the Cisco Meraki Dashboard API to automate the creation of VLANs across multiple networks. The engineer writes a Python script that uses the 'createNetworkVlan' endpoint. The script runs successfully for the first few networks, but then starts returning HTTP 429 errors. The engineer checks the API documentation and finds that the Meraki API has rate limits. The script currently sends requests as fast as possible. What should the engineer implement to avoid hitting the rate limit?
Reduce the number of networks being processed in a single script run.
Increase the 'per-second' rate limit by setting a higher value in the API request header.
Add a retry mechanism with exponential backoff when a 429 response is received.
Correct because the documented handling of 429 is to wait and retry: honour the 'Retry-After' header the Meraki API returns and otherwise back off exponentially (with jitter) between attempts, so the script stays under the per-organization limit instead of hammering the endpoint.
Switch to using the Meraki API version 1.0 which has no rate limits.
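As an added example (not code from the question bank) serving both the DNA Center pagination question and the Meraki rate-limit question above: 'paginate' walks offset/limit pages until a short page arrives, and 'send_with_backoff' retries on HTTP 429, honouring a Retry-After header when present and otherwise sleeping with exponential backoff and jitter. Both take the HTTP call as a parameter, so the demos run offline against constructed responses; 'dnac_device_pager' shows the real requests call and the 'X-Auth-Token' header but is not run here.

```python
"""Added example: offset/limit pagination and 429 backoff with injectable I/O."""
import random
import time
from typing import Any, Callable, Dict, List, Optional


class RateLimited(Exception):
    """Raised when the server keeps answering 429 beyond max_retries."""


def send_with_backoff(send: Callable[[], Any], max_retries: int = 5,
                      base_delay: float = 1.0, max_delay: float = 30.0,
                      sleep: Callable[[float], None] = time.sleep,
                      rng: Callable[[], float] = random.random) -> Any:
    """Call send() until it returns a non-429 response or retries are exhausted."""
    for attempt in range(max_retries + 1):
        resp = send()
        if resp.status_code != 429:
            return resp
        if attempt == max_retries:
            raise RateLimited(f"still rate limited after {max_retries} retries")
        retry_after = resp.headers.get("Retry-After")
        if retry_after is not None:
            delay = float(retry_after)                    # server told us how long
        else:
            delay = min(max_delay, base_delay * (2 ** attempt))
            delay = delay * (0.5 + rng() / 2)             # jitter: 50%-100% of the slot
        sleep(delay)
    raise RateLimited("unreachable")   # the loop always returns or raises


def paginate(get_page: Callable[[int, int], List[dict]], limit: int = 100,
             first_offset: int = 1, max_pages: int = 10_000) -> List[dict]:
    """Collect every item from an offset/limit API.

    DNA Center's /dna/intent/api/v1/network-device counts offset from 1; pass
    first_offset=0 for 0-based APIs.  A page shorter than 'limit' ends the walk.
    """
    items: List[dict] = []
    offset = first_offset
    for _ in range(max_pages):         # guard against an API that never shrinks the page
        page = get_page(offset, limit)
        items.extend(page)
        if len(page) < limit:
            return items
        offset += limit
    raise RuntimeError("pagination did not terminate")


def dnac_device_pager(session, host: str, token: str) -> Callable[[int, int], List[dict]]:
    """Real get_page for DNA Center using a requests.Session (not run offline)."""
    def get_page(offset: int, limit: int) -> List[dict]:
        resp = send_with_backoff(lambda: session.get(
            f"https://{host}/dna/intent/api/v1/network-device",
            headers={"X-Auth-Token": token},
            params={"offset": offset, "limit": limit}, timeout=30))
        resp.raise_for_status()
        return resp.json()["response"]
    return get_page


# ---- offline demonstration with constructed responses -----------------------
class FakeResponse:
    def __init__(self, status_code: int, headers: Optional[Dict[str, str]] = None,
                 body: Any = None) -> None:
        self.status_code, self.headers, self.body = status_code, headers or {}, body


def demo_backoff() -> Dict[str, Any]:
    """Two 429s (the first with Retry-After) and then a 200; record the sleeps."""
    answers = [FakeResponse(429, {"Retry-After": "5"}), FakeResponse(429),
               FakeResponse(200, body="ok")]
    slept: List[float] = []
    resp = send_with_backoff(lambda: answers.pop(0), sleep=slept.append, rng=lambda: 1.0)
    return {"status": resp.status_code, "sleeps": slept}


def demo_paginate() -> Dict[str, Any]:
    """A constructed inventory of 250 devices served 100 at a time."""
    inventory = [{"id": f"dev-{i}"} for i in range(250)]
    calls: List[int] = []

    def get_page(offset: int, limit: int) -> List[dict]:
        calls.append(offset)
        return inventory[offset - 1: offset - 1 + limit]    # 1-based offset

    devices = paginate(get_page, limit=100)
    return {"count": len(devices), "offsets": calls}


if __name__ == "__main__":
    print(demo_backoff(), demo_paginate())
```

For the Meraki case the same 'send_with_backoff' wraps a request carrying the 'X-Cisco-Meraki-API-Key' header; the Retry-After branch is the one that matters there, and the jittered branch covers APIs that send no hint.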
An engineer is writing a Python script to parse the output of 'show ip interface brief' from multiple Cisco routers. The engineer uses the netmiko library to collect the output and then uses regular expressions to extract the interface name, IP address, and status. The script works correctly for most routers, but on one router, the output format is slightly different (e.g., extra spaces or different column headers). The engineer wants to make the parsing more robust. What is the best approach?
Write a custom parser that handles each router's output format individually.
Use the 'split()' method to tokenize each line and then extract the relevant fields by position.
Use the 'textfsm' library with a pre-defined template for 'show ip interface brief'.
Correct because textfsm templates are designed to handle variations in output format and provide structured data.
Use the 're' module with a more complex regular expression that accounts for optional whitespace.
A network engineer is automating the deployment of VLAN configurations on a set of Cisco IOS-XE switches using Ansible. The playbook uses the ios_vlans module and ran successfully from the engineer's workstation, but on a newly built control node it fails for every switch with an error that the action 'ios_vlans' could not be resolved. All switches run the same IOS-XE version and have the same management access configured. What is the most likely cause of this issue?
The switches do not have the ios_vlans module installed locally.
The cisco.ios collection is not installed on the Ansible control node.
Correct because ios_vlans lives in the cisco.ios collection, which must be present on the control node ('ansible-galaxy collection install cisco.ios' or a requirements.yml); network modules run on the control node, not on the switches, so nothing needs to be installed on a device.
The new control node's SSH key is not accepted by the switches.
The playbook uses a fully qualified collection name (FQCN) incorrectly.
An engineer is writing an Ansible playbook to configure OSPF on a fleet of Cisco Nexus 9000 switches. The playbook uses the nxos_ospf module. When executed, the playbook reports 'changed' for every switch, even on subsequent runs when no configuration changes are made. The engineer wants to achieve idempotent behavior. What is the most likely cause of the non-idempotent results?
The Ansible control node is using an outdated version of the nxos_ospf module that does not support idempotency.
The playbook does not specify all OSPF parameters, such as 'router-id', causing the module to detect a difference with the running configuration.
If the running configuration contains OSPF attributes the module manages but the playbook leaves unspecified, some module versions see a difference on every run. Declare every managed attribute explicitly and confirm idempotency by running the play twice: the second run should report changed=0.
The switches have different NX-OS versions, causing the module to behave inconsistently.
The engineer forgot to use the '--check' flag to verify idempotency.
A network team uses Ansible Tower to manage configuration backups of 500 Cisco IOS routers. They have a playbook that uses the ios_config module with the 'backup: yes' option. Recently, backups started failing for a subset of routers, with errors like 'backup destination path does not exist'. The playbook uses a variable 'backup_dir' set in the Tower job template. What is the most likely cause of these failures?
The routers have insufficient storage space to save the backup locally.
The 'backup_dir' variable is not defined for those specific routers in their host_vars or group_vars, causing the playbook to use an undefined path.
Correct because a variable that is undefined or overridden for a subset of hosts renders a bad 'dir_path' only for those hosts, which matches a partial failure; run the job with increased verbosity and compare the rendered path per host. Router storage is irrelevant because the backup file is written on the control node.
The ios_config module requires the 'backup_options' sub-option to specify the directory, and the playbook is using the deprecated 'backup' parameter.
The routers are not reachable via SSH during the backup window.
An engineer is automating the configuration of SNMPv3 on a large number of Cisco IOS-XE devices using Ansible. The playbook uses the ios_snmp_server module. The engineer wants to ensure that the SNMP configuration is applied only if the device is running a specific IOS version that supports SNMPv3. Which Ansible feature should the engineer use to conditionally execute the task?
Use the 'tags' feature to selectively run the SNMP task only on certain devices.
Use the 'register' directive to capture the output and then use 'failed_when' to skip the task.
Use the 'when' clause with a condition on the 'ansible_net_version' fact.
The 'when' clause evaluates a condition per host at run time; 'ansible_net_version' is populated by the platform facts module (cisco.ios.ios_facts, run automatically when facts are gathered over network_cli), so the SNMP task is skipped on versions that do not qualify.
Use the 'block' and 'rescue' structure to handle version mismatches.
A network engineer is using Ansible to push ACL changes to a group of Cisco IOS routers. The playbook uses the ios_acl_interfaces module to bind ACLs to interfaces and specifies 'direction: outbound'. When the playbook runs, every host fails with an error stating that the value of 'direction' must be one of 'in' or 'out'. What is the most likely cause of this issue?
The routers have a different IOS version that does not support outbound ACLs.
The playbook uses 'direction: outbound' but the module expects 'direction: out'.
Correct because the module's argument spec restricts 'direction' to 'in' or 'out'; Ansible validates the arguments before contacting the device, so an invalid value fails the task rather than silently applying the ACL in the wrong direction.
The engineer forgot to include the 'state: present' parameter, so the module did not apply the ACL.
The ACL itself is defined with the wrong direction in the playbook.
An organization uses Ansible to manage network device configurations. They have a playbook that uses the ios_command module to execute 'show ip route' on multiple routers and then uses the 'debug' module to print the output. Recently the playbook started failing with 'Timeout (12s) waiting for privilege escalation prompt'. The routers are reachable, SSH credentials are correct, and the inventory sets 'ansible_become: yes' with 'ansible_become_method: enable'. What is the most likely cause?
The enable secret on the routers does not match the become password stored in the Ansible vault (or no enable secret is configured).
Correct because with 'ansible_become_method: enable' the network_cli connection sends 'enable', answers the password prompt with the become password and waits up to 12 seconds for the privileged '#' prompt; a wrong password leaves the device at the user-exec prompt, so the wait expires with exactly this message. Compare the vaulted 'ansible_become_password' with the device's enable secret.
The 'ansible_connection' is set to 'network_cli' but the 'ansible_become_method' is not set to 'enable'.
The SSH key exchange is taking longer than the default 12-second timeout.
The ios_command module requires a different privilege level to execute 'show ip route'.
A network engineer is automating the configuration of a new VLAN on a Cisco Catalyst 9000 switch using RESTCONF. The engineer sends a PUT request to the URI 'https://switch/restconf/data/Cisco-IOS-XE-native:native/vlan/Cisco-IOS-XE-vlan:vlan-list' with a JSON payload describing VLAN 20, and the switch rejects the request with a 4xx error. What is the most likely cause of this error?
The URI does not identify the entry being created; a PUT must target the keyed list entry '.../vlan-list=20'.
Correct because PUT creates or replaces the resource named by the target URI, and a list entry is identified by its key; the unkeyed list is not a data resource the switch can create or replace. Alternatively POST the same body to the parent '.../native/vlan', which creates the entry without naming it in the URI (and fails with 409 if it already exists).
The engineer should have used the POST method instead of PUT to create a new list entry.
The payload format is incorrect; the engineer must use XML instead of JSON.
The switch does not support RESTCONF for VLAN configuration; NETCONF must be used instead.
An engineer is using a Python script to retrieve interface statistics from a Cisco IOS-XE device via RESTCONF. The script sends a GET request to 'https://device/restconf/data/ietf-interfaces:interfaces/interface=GigabitEthernet1/statistics' and receives a 404 Not Found response. The interface exists and is operational. What is the most likely issue?
The interface name must be URL-encoded because it contains a slash.
The URI is incorrect; statistics are under 'interfaces-state' not 'interfaces'.
Correct because in the ietf-interfaces model (RFC 7223) the 'interfaces' container holds configuration and 'interfaces-state' holds operational state, including the 'statistics' counters. On releases that implement NMDA (RFC 8343) the operational data is additionally served under 'interfaces', but 'interfaces-state' is the path this request needs.
The device requires authentication; the script must include a valid token.
The REST API is not enabled on the device; the engineer must enable it first.
A network team uses Ansible with the iosxr_config module to push configuration changes to a Cisco IOS-XR router. Wanting to use the router's RESTCONF interface, the engineer sets 'ansible_connection: restconf' in the inventory. The playbook now fails before any task runs. What is the most likely reason for this behavior?
The REST API on the router does not return a proper response, so Ansible cannot determine if a change occurred.
The iosxr_config module is a CLI module that requires 'ansible_connection: ansible.netcommon.network_cli'; to configure over RESTCONF use 'ansible.netcommon.restconf_config' or the 'uri' module.
Correct because 'restconf' is not a connection plugin and iosxr_config only works over network_cli; RESTCONF-based configuration needs the netcommon RESTCONF modules, which run over 'ansible.netcommon.httpapi' with 'ansible_network_os: ansible.netcommon.restconf'.
The playbook is missing the 'gather_facts: no' directive, causing Ansible to skip change detection.
The router requires a commit operation after configuration changes, and Ansible does not perform that.
An engineer is developing a script to automate the backup of running configurations from multiple Cisco IOS-XE devices using RESTCONF. The script sends a GET request to 'https://device/restconf/data/Cisco-IOS-XE-native:native/configuration' and receives a 4xx error whose body reports that the URI path is not found. What is the most likely cause?
The device does not support RESTCONF; the engineer must use NETCONF for configuration backup.
The URI is incorrect; the running configuration is under 'ietf-netconf-monitoring:netconf-state/capabilities'.
The URI is incorrect; the running configuration is accessed via the 'Cisco-IOS-XE-native:native' module without the '/configuration' suffix.
Correct because the native model has no 'configuration' container; the running configuration is the 'native' container itself, so the request is a GET to '/restconf/data/Cisco-IOS-XE-native:native' with 'Accept: application/yang-data+json'. Expect a large response and store it as the backup.
The request must use the POST method instead of GET to retrieve the running configuration.
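As an added example (not code from the question bank) serving the RESTCONF questions above (the hostname path, creating a Loopback or VLAN list entry with PUT versus POST, interface statistics under a key containing slashes, and reading the whole native configuration), these helpers build RFC 8040 data paths with percent-encoded keys, choose the method and body for creating a list entry, and translate status codes. The IOS-XE module and container names are the public ones; 'get_running_config' shows the requests call but is not run offline.

```python
"""Added example: RESTCONF path, method and status helpers for IOS-XE."""
from typing import Any, Dict, List, Tuple, Union
from urllib.parse import quote

Node = Union[str, Tuple[Any, ...]]   # "container" or ("list-name", key1[, key2...])

YANG_JSON = {"Accept": "application/yang-data+json",
             "Content-Type": "application/yang-data+json"}


def restconf_path(*nodes: Node) -> str:
    """Build /restconf/data/<module>:<node>/... with percent-encoded list keys.

    RFC 8040 requires key values to be percent-encoded, so an interface key
    such as 'GigabitEthernet1/0/1' becomes 'GigabitEthernet1%2F0%2F1'.
    """
    parts: List[str] = []
    for node in nodes:
        if isinstance(node, tuple):
            name, *keys = node
            parts.append(f"{name}=" + ",".join(quote(str(k), safe="") for k in keys))
        else:
            parts.append(node)
    return "/restconf/data/" + "/".join(parts)


def create_list_entry(parent: Tuple[Node, ...], qualified_list: str, key: Any,
                      entry: Dict[str, Any], method: str = "PUT") -> Tuple[str, str, dict]:
    """Return (method, path, body) for creating one list entry.

    parent[0] must be the module-qualified top container.  The path segment is
    qualified only when the list comes from a different module than its parent
    (e.g. Cisco-IOS-XE-vlan:vlan-list under native/vlan); the body key is always
    fully qualified.  PUT targets the entry itself and creates it (201) or
    replaces it (204); POST targets the parent, which must exist, and fails with
    409 if the entry already exists.
    """
    module, _, local = qualified_list.partition(":")
    parent_module = str(parent[0]).partition(":")[0]
    segment = local if module == parent_module else qualified_list
    body = {qualified_list: [entry]}
    if method == "PUT":
        return "PUT", restconf_path(*parent, (segment, key)), body
    if method == "POST":
        return "POST", restconf_path(*parent), body
    raise ValueError("use PUT or POST to create a resource")


STATUS_MEANING = {
    200: "ok", 201: "created", 204: "replaced or deleted",
    400: "malformed request or invalid path (IOS-XE names the bad keypath in the body)",
    401: "not authenticated", 403: "authenticated but not authorised",
    404: "target resource not found", 405: "method not allowed on this resource",
    409: "resource already exists (POST) or datastore is locked",
    415: "unsupported media type: check Content-Type",
}


def explain(status: int) -> str:
    return STATUS_MEANING.get(status, f"HTTP {status}")


def get_running_config(session, host: str) -> dict:
    """Fetch the whole native configuration (the backup case) with a requests.Session."""
    resp = session.get(f"https://{host}{restconf_path('Cisco-IOS-XE-native:native')}",
                       headers=YANG_JSON, timeout=60)
    if resp.status_code != 200:
        raise RuntimeError(f"{resp.status_code}: {explain(resp.status_code)}")
    return resp.json()


def examples() -> Dict[str, Any]:
    """The URIs from the questions, built correctly (addresses are constructed)."""
    native = "Cisco-IOS-XE-native:native"
    loopback_entry = {"name": 100, "ip": {"address": {"primary": {
        "address": "10.255.0.1", "mask": "255.255.255.255"}}}}
    return {
        "hostname": restconf_path(native, "hostname"),
        "loopback_put": create_list_entry((native, "interface"), "Cisco-IOS-XE-native:Loopback",
                                          100, loopback_entry),
        "loopback_post": create_list_entry((native, "interface"), "Cisco-IOS-XE-native:Loopback",
                                           100, loopback_entry, method="POST"),
        "vlan_put": create_list_entry((native, "vlan"), "Cisco-IOS-XE-vlan:vlan-list",
                                      20, {"id": 20, "name": "USERS"}),
        "stats": restconf_path("ietf-interfaces:interfaces-state",
                               ("interface", "GigabitEthernet1/0/1"), "statistics"),
    }


if __name__ == "__main__":
    for name, value in examples().items():
        print(name, value)
```

The 'explain' table is the check a script should run on every response: a 201 after a PUT means the entry was created, a 404 after a POST means the parent named in the URI does not exist, and a 400 with 'keypath' in the body almost always means a mistyped container or a missing module prefix.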
A network engineer is using the Cisco DNA Center REST API to retrieve the list of network devices. The engineer sends a GET request to '/dna/intent/api/v1/network-device' and receives a 400 Bad Request response. The API documentation indicates that the request requires a query parameter 'siteId'. What should the engineer do to resolve the issue?
Include the 'siteId' query parameter in the request URL.
Correct because 400 Bad Request means the request itself is malformed, here a missing required query parameter, and the error body normally names it; a missing or invalid 'X-Auth-Token' header would return 401 instead.
Change the HTTP method to POST because GET is not supported for this endpoint.
Add an 'Authorization' header with a valid token because the API requires authentication.
Use a different API endpoint, such as '/dna/intent/api/v1/site', to retrieve device information.
An engineer is using a Python script to configure a new VLAN on a Cisco Nexus 9000 switch through the NX-API REST (DME) interface. The script logs in at '/api/aaaLogin.json', then sends a POST request to 'https://switch/api/mo/sys.json' with a JSON payload containing the VLAN object. The switch responds with a 403 Forbidden error. What is the most likely cause?
The payload format is incorrect; the engineer must use XML instead of JSON.
The user account does not have the required RBAC privileges to configure VLANs.
Correct because 403 is an authorization failure: the login succeeded, but the role assigned to the account does not permit the change. Also confirm that the session cookie returned by the login is sent with the request; a failed login is reported by the aaaLogin request itself, not by a later 403.
The switch does not support NX-API; the engineer must use NETCONF instead.
The URI is incorrect; the correct URI should be 'https://switch/api/node/mo/sys.json'.
A network engineer is deploying Cisco DNA Center in a large campus network with 5000+ devices. After initial setup, the engineer notices that the Assurance module is not receiving telemetry data from many access switches. The switches are running IOS-XE 16.12 and are reachable via SNMP. What is the most likely cause of this issue?
The switches are not configured with NETCONF/YANG or telemetry streaming.
Correct because Assurance requires telemetry streaming (e.g., model-driven telemetry) from devices; SNMP alone is insufficient.
The DNA Center appliance is not licensed for the Assurance module.
The switches are not running the correct IOS-XE version for DNA Center compatibility.
The SNMP community string is incorrect on the switches.
A network engineer is using Cisco DNA Center to automate the deployment of a new VLAN across multiple access switches. The engineer creates a new network profile with the VLAN definition and assigns it to a site. However, after provisioning, the VLAN is not created on any of the switches. The engineer verifies that the devices are in the Inventory and are reachable. What is the most likely cause?
The engineer did not run the Provision workflow to push the configuration to the devices.
Correct because creating a profile and assigning it to a site only defines the intent; the actual configuration is pushed only when the Provision workflow is executed.
The VLAN ID conflicts with an existing VLAN on the switches.
The switches do not support the VLAN ID range.
The DNA Center appliance is not licensed for the Automation module.
A network engineer is troubleshooting a wireless connectivity issue in a campus network managed by Cisco DNA Center. The Assurance module shows that several access points have high client association failures. The engineer checks the wireless controller configuration and finds that the APs are registered and functional. What is the most likely cause of the association failures?
RF interference or poor signal-to-noise ratio on the affected APs.
Correct because high association failures are often due to RF issues, which DNA Center Assurance can detect and report.
The APs are not running the recommended firmware version.
The wireless controller has reached its maximum number of APs.
The DNA Center Assurance module is not properly configured to monitor wireless events.
A network engineer is deploying Cisco DNA Center in a brownfield network. The engineer wants to use DNA Center to automate the configuration of QoS policies across all access switches. After discovering the devices and adding them to Inventory, the engineer creates a QoS policy and assigns it to a site. However, when attempting to provision, DNA Center reports that the devices are in 'Compliance Error' state. What is the most likely reason?
The devices have existing QoS configurations that conflict with the new policy.
Correct because DNA Center's compliance check compares the intended configuration with the actual device configuration. Conflicts cause compliance errors.
The devices are not running a supported IOS-XE version for QoS automation.
The DNA Center appliance does not have enough storage to process the QoS policy.
The QoS policy was created with an invalid DSCP value.
A network engineer is using Cisco DNA Center to manage a network with multiple sites. The engineer wants to ensure that all devices at a remote site have the same NTP server configuration. The engineer creates a network profile with the NTP settings and assigns it to the site. After provisioning, the engineer checks one of the switches and finds that the NTP configuration is missing. What should the engineer check first?
Verify that the device is assigned to the correct site in DNA Center.
Correct because if the device is not in the site where the profile is applied, it will not receive the configuration.
Check if the NTP server is reachable from the device.
Ensure that the device is running a supported IOS version.
Recreate the network profile with the correct NTP settings.
A network engineer is troubleshooting an issue where Cisco DNA Center is not sending configuration changes to a group of switches. The engineer checks the Provisioning dashboard and sees that the devices are in 'Pending' state. The engineer has already created the intent (network profile) and assigned it to the site. What is the most likely cause?
The engineer has not executed the Provision workflow to deploy the configuration.
Correct because 'Pending' means the configuration is ready but not yet deployed; the engineer must run the Provision workflow.
The devices are not reachable from DNA Center.
The DNA Center appliance is out of disk space.
The network profile contains an invalid configuration.
A network engineer is configuring model-driven telemetry on a Cisco IOS-XE router to stream interface statistics to a collector using gRPC. The engineer wants to ensure that the telemetry data is sent only when there is a change in the interface counters, rather than at a fixed interval. Which configuration parameter should the engineer use to achieve this behavior?
Use a periodic subscription with a sample-interval of 0
Configure an on-change subscription
An on-change subscription sends updates only when the monitored data changes, which matches the requirement.
Set the suppress-repetition flag in a periodic subscription
Use a dynamic subscription with a sample-interval of 1 second
A network engineer is deploying model-driven telemetry on a Cisco Nexus 9000 switch to monitor BGP prefix changes. The engineer wants the data described by YANG models and pushed from the switch to the collector rather than polled. Which of the following should the engineer select as the telemetry transport?
gRPC
gRPC is the standard push (dial-out) transport for model-driven telemetry on Nexus switches. NETCONF and RESTCONF are request/response management protocols rather than streaming transports, and SNMP polls MIBs, not YANG models. (NX-OS can also stream over UDP, but that is not among the options here.)
NETCONF
RESTCONF
SNMP
A network engineer is configuring model-driven telemetry on a Cisco IOS-XE router to stream CPU and memory statistics to a collector. The engineer wants to use the YANG model 'Cisco-IOS-XE-process-cpu-oper' and 'Cisco-IOS-XE-memory-oper'. After configuring the telemetry subscription, the engineer notices that no data is being received at the collector. The collector is reachable and the gRPC dial-out is configured correctly. What is the most likely cause of the issue?
The YANG models specified are not supported on IOS-XE
The telemetry subscription is missing the 'source-interface' configuration
Without a source-interface, the router may use an unreachable IP address, causing the collector to drop the connection or not receive data.
The collector is blocking UDP traffic from the router
The engineer must enable 'ip http secure-server' for telemetry to work
A network engineer is designing a model-driven telemetry solution for a large enterprise network with thousands of devices. The engineer wants to minimize the load on the network devices and the collector by sending data only when significant changes occur. The engineer decides to use on-change subscriptions. However, after deployment, the engineer notices that some subscriptions are sending updates too frequently, causing high CPU usage on the devices. What is the most likely reason for this excessive update frequency?
The engineer configured a sample-interval in addition to on-change, causing both periodic and on-change updates
The YANG paths include high-frequency changing leafs like interface counters or CPU load
On-change subscriptions trigger updates for any change in the monitored data, so including frequently changing leafs causes excessive updates.
The collector is overwhelmed and sending back-pressure signals causing retransmissions
The engineer used JSON encoding instead of GPB, causing larger payloads and more CPU usage
A network engineer is configuring model-driven telemetry on a Cisco IOS-XE router to stream BGP route updates to a collector using gRPC dial-out. The engineer wants to ensure that the telemetry data is encrypted in transit. Which additional configuration is required to secure the gRPC telemetry stream?
Configure IPsec between the router and the collector
Enable TLS on the gRPC connection by configuring a trustpoint and specifying 'protocol grpc-tls' with a profile on the telemetry receiver
TLS encrypts and authenticates the gRPC telemetry stream; on IOS-XE the subscription's receiver is configured with 'protocol grpc-tls profile <name>', and the profile references the trustpoint holding the certificates. IPsec and SSH tunnelling would work around the problem outside the telemetry configuration, and DTLS is for UDP transports.
Use SSH tunneling for the gRPC connection
Configure DTLS on the telemetry receiver
A network engineer is implementing model-driven telemetry on a Cisco Nexus 9000 switch to monitor VLAN and STP changes. The engineer wants to use the native telemetry protocol with UDP as the transport. After configuring the telemetry subscription with the 'destination-group' and 'sensor-group', the engineer notices that the collector is not receiving any data. The collector is reachable and the UDP port is open. What is the most likely missing configuration?
The engineer forgot to configure a 'source-interface' under the destination-group
The engineer did not create a 'subscription' that binds the sensor-group to the destination-group
On NX-OS a telemetry subscription ('subscription 1' with 'snsr-grp 1 sample-interval ...' and 'dst-grp 1') links the sensor and destination groups; without it nothing is streamed. Verify with 'show telemetry transport' and 'show telemetry data collector details'.
The YANG models for VLAN and STP are not supported in the native telemetry protocol
The engineer used GPB encoding instead of JSON, and the collector only accepts JSON
The 350-401 exam has 90 questions and must be completed in 120 minutes. Cisco passing scores vary by exam version and are not always publicly listed. Check the official Cisco exam page before booking.
CLI output interpretation, network topology analysis, routing behaviour, switching concepts, troubleshooting, and configuration questions.
These practice questions are organised into 39 domains (Cisco's official blueprint groups the same material into six): Architecture, Enterprise Network Design, SD-Access Architecture, SD-WAN Architecture, QoS Architecture, Virtualization, Network Function Virtualization, Virtual Machines and Hypervisors, VRF and Path Isolation, Infrastructure, OSPF, BGP, EIGRP, VLANs and Trunking, Spanning Tree Protocol, EtherChannel, Wireless Infrastructure, MPLS, WAN Technologies, NAT and DHCP, IP Multicast, QoS, Network Assurance, SNMP and Syslog, NetFlow and Telemetry, SPAN and RSPAN, IP SLA, Security, AAA, RADIUS, and TACACS+, ACLs and CoPP, 802.1X and TrustSec, VPN Technologies, Infrastructure Security, Automation, Python for Network Automation, Ansible Automation, REST APIs and Data Models, Cisco DNA Center, Model-Driven Telemetry. Questions are weighted by domain, so higher-weight domains appear more often on your actual exam.
No. These are original exam-style practice questions written against the official Cisco 350-401 exam objectives. They are not copied from the real exam. Courseiva focuses on genuine understanding, not memorisation of braindumps.
Courseiva tracks your accuracy per domain and routes you toward weak areas automatically. Free, no account required.