ENCOR 350-401 (350-401) — Questions 751-825

2015 questions total · 27 pages · All types, answers revealed

Page 11 of 27

751
Drag & Drop · medium

Drag and drop the steps of deploying a virtual machine from a template in VMware vSphere into the correct order, from first to last.


Why this order

Deploying from a template begins with selecting the template and specifying a name and location. Next, the compute resource (host or cluster) is chosen, followed by storage. Customization specifications (like hostname and IP) are applied, and finally the VM is powered on.

752
Multi-Select · hard

Which three statements about Cisco QoS queuing and scheduling are true? (Choose three.)

Select 3 answers
A. Strict priority queuing ensures that voice traffic is always sent before other traffic.
B. Weighted Round Robin (WRR) is used to service non-priority queues in a round-robin fashion based on configured weights.
C. On Cisco Catalyst switches, the default queue (queue 1) is typically used for best-effort traffic.
D. Tail drop is a scheduling algorithm that determines which queue to service next.
E. Queuing and scheduling are performed on the ingress interface before routing decisions.
Answers: A, B, C

Correct because strict priority queue guarantees low latency for delay-sensitive traffic like voice.

Why this answer

Queuing manages packets when output is congested, and scheduling determines the order of transmission. Cisco uses multiple queues (e.g., 4 queues on Catalyst switches) with strict priority or weighted round-robin (WRR). Option A is correct because strict priority queue (PQ) ensures low-latency for voice.

Option B is correct because WRR (or shaped round robin) is used for non-priority queues. Option C is correct because the default queue is usually queue 1 (or the best-effort queue). Option D is incorrect because tail drop is a congestion avoidance mechanism applied to a queue, not a scheduling method.

Option E is incorrect because scheduling occurs on the egress interface, not ingress.

753
Drag & Drop · medium

Drag and drop the steps of PHP (Penultimate Hop Popping) operation into the correct order, from first to last.


Why this order

PHP operation begins with the egress LSR assigning a label to a FEC and advertising it. The penultimate hop receives this label and recognizes implicit-null. The penultimate hop then pops the label before forwarding the packet.

The egress receives an unlabeled packet and performs a standard IP lookup.

754
MCQ · medium

A medium-sized enterprise is migrating to a Cisco DNA Center-managed network. The security policy requires that all administrative access to network devices be authenticated via TACACS+ and that authorization for commands be enforced per user role. The network team has configured ISE as the AAA server and integrated it with DNA Center. After configuration, engineers report that they can log in to devices via SSH but are not prompted for a password when entering 'enable' mode; instead, they are granted full privileges immediately. Additionally, while in configuration mode, some engineers can issue 'debug' commands that they should not have access to. The configuration on the devices includes 'aaa new-model', 'aaa authentication login default group tacacs+ local', 'aaa authorization exec default group tacacs+ local', and 'aaa authorization commands 15 default group tacacs+ local'. What is the most likely cause of the privilege escalation and missing authorization?

A. The TACACS+ server is not reachable, so the device is using local authentication, but the local database has all users at privilege level 15.
B. The 'aaa authentication enable default' command is missing, so the device is not requiring authentication to enter enable mode, and command authorization is not being enforced because the user is already at privilege 15.
C. Command authorization is only configured for privilege level 15, but users are logging in at level 1; they need 'aaa authorization commands 1 default' as well.
D. The 'privilege level' command is set to 15 on the VTY lines, bypassing AAA authorization.
Answer: B

Correct: without enable authentication, users can enter enable mode without a password; command authorization for level 15 may not be triggered if the user is already at level 15.

Why this answer

The missing 'aaa authentication enable default group tacacs+ local' command means the device does not require TACACS+ authentication to enter enable mode. Since the user is already at privilege level 15 after login (due to the 'aaa authorization exec' command or local user configuration), they are not prompted for a password and are granted full privileges immediately. Additionally, command authorization is only configured for privilege level 15 ('aaa authorization commands 15'), so once the user is at level 15, no further authorization checks are performed for commands like 'debug', bypassing the intended per-role enforcement.

Exam trap

Cisco often tests the distinction between authentication (who you are) and authorization (what you can do), and the trap here is that candidates assume 'aaa authorization commands 15' alone enforces command restrictions, but they overlook that without 'aaa authentication enable', users may already be at privilege 15, making command authorization ineffective.

How to eliminate wrong answers

Option A is wrong because if the TACACS+ server were unreachable, the 'aaa authentication login default group tacacs+ local' command would fall back to local authentication, but the issue is about enable mode and command authorization, not login; also, local users would not automatically be at privilege 15 unless explicitly configured. Option C is wrong because command authorization for privilege level 1 is irrelevant; the problem is that users are already at privilege 15, so commands at level 15 are authorized without further checks, and adding 'aaa authorization commands 1' would not fix the enable mode or the privilege escalation. Option D is wrong because the 'privilege level' command on VTY lines would set the initial privilege level for all users, but the configuration shown does not include this command, and the described behavior (no password prompt for enable, debug commands allowed) is consistent with missing enable authentication and command authorization at the current privilege level, not with a VTY line setting.

755
MCQ · medium

Consider the following IPv6 access-list on a Cisco IOS-XE router:

```
ipv6 access-list PERMIT_ICMP
 permit icmp any any echo-request
 permit icmp any any echo-reply
 deny ipv6 any any
!
interface GigabitEthernet0/0
 ipv6 traffic-filter PERMIT_ICMP in
```

What is the effect of this configuration?

A. Only IPv6 ping (echo-request and echo-reply) is allowed inbound on Gi0/0; all other IPv6 traffic is dropped.
B. All ICMPv6 traffic is permitted inbound on Gi0/0.
C. The ACL is applied outbound, so it filters traffic leaving Gi0/0.
D. The ACL permits all IPv6 traffic because the deny statement is at the end.
Answer: A

Correct. The ACL permits only those two ICMP types and denies everything else.

Why this answer

The IPv6 ACL permits only ICMP echo-request and echo-reply (ping) and denies all other IPv6 traffic. It is applied inbound on Gi0/0.

756
Drag & Drop · medium

Drag and drop the steps for configuring OSPF summarization at an ABR into the correct order, from first to last.


Why this order

First, identify the subnets to summarize into a single prefix. Then, configure the area range command on the ABR under the OSPF process, specifying the area and the summary prefix. Optionally, set the 'not-advertise' keyword to suppress the summary.

Verify the summary route in the OSPF database using 'show ip ospf summary-address'. Finally, check that the summary route appears in the routing table of other routers.

757
MCQ · hard

A network engineer runs the following command on Switch SW4:

```
SW4# show etherchannel 1 detail
Channel-group number: 1
Group state = L2
Ports in the group:
-------------------
Port: Gi0/0
--------

Port state    = Up, In-Bundle
Channel group = 1        Mode = Active/PagNego     Gcchange = -
Port-channel  = Po1      GC   = 0x00010001        Pseudo port-channel = Po1
Port index    = 0        Load = 0x00

Flags:  S - Device is sending Slow LACPDUs   F - Device is sending Fast LACPDUs
        A - Device is in active mode.        P - Device is in passive mode.

Local information:
                        LACP port   Admin   Oper   Port     Port
Port    Flags   State   Priority    Key     Key    Number   State
Gi0/0   SA      bndl    32768       0x1     0x1    0x101    0x3D

Partner information:
                        LACP port   Admin   Oper   Port     Port
Port    Flags   State   Priority    Key     Key    Number   State
Gi0/0   SA      bndl    32768       0x1     0x1    0x102    0x3D

Age of the port = 0d:00h:15m:20s
```

Based on this output, what can be concluded?

A. The port is in passive mode and waiting for the partner to initiate.
B. The port is sending fast LACPDUs because the flag is 'F'.
C. The port is bundled and the LACP state is synchronized.
D. The port is not in use because the load is 0x00.
Answer: C

State 'bndl' and the port state '0x3D' indicate synchronization and bundling.

Why this answer

The output shows detailed LACP information for port Gi0/0. The local and partner states are both 'bndl', meaning the port is bundled. The flags 'SA' indicate the port is in active mode and sending slow LACPDUs.

The port state '0x3D' is a hexadecimal representation of the LACP state, which includes bits for activity, aggregation, synchronization, collecting, distributing, and defaulted. The correct answer is that the port is actively participating in LACP and is bundled.

758
MCQ · medium

Consider the following configuration:

```
flow exporter EXPORTER-1
 destination 10.0.0.1
 source Loopback0
 transport udp 9996
 template data timeout 60
!
```

Which statement about this configuration is true?

A. Template data records are sent every 60 seconds to the collector.
B. The exporter uses UDP port 9996 to send flow data and templates.
C. The source interface Loopback0 is used only for flow data, not for templates.
D. The exporter will send template data only when a new flow is detected.
Answer: A

The 'template data timeout' command defines the refresh interval for template records.

Why this answer

The 'template data timeout' command sets the interval (in seconds) at which the exporter sends NetFlow template data records to the collector. A shorter timeout ensures the collector has up-to-date templates but increases overhead.

759
Matching · medium

Drag and drop each TACACS+ packet type on the left to its matching function on the right.

Initiates an authentication session and contains the username

Sends a challenge (e.g., password prompt) or authentication result

Carries the user's response to a challenge

Indicates successful authentication and may include authorization attributes

Indicates authentication failure

Why these pairings

START begins authentication and contains username; REPLY sends challenge or result; CONTINUE sends response to challenge; ACCEPT indicates successful authentication; REJECT indicates authentication failure.

760
MCQ · medium

Given the following Ansible playbook snippet:

```
---
- name: Configure SNMP
  hosts: routers
  gather_facts: no
  tasks:
    - name: SNMP community
      ios_config:
        lines:
          - snmp-server community public RO
```

What is the result of this playbook?

A. It configures an SNMP community string 'public' with read-only access.
B. It fails because 'RO' is not a valid keyword; it should be 'read-only'.
C. It configures the community string only for SNMPv3.
D. It removes any existing SNMP community strings.
Answer: A

Correct. The command is applied globally and sets the community string.

Why this answer

The playbook uses ios_config to add a line globally. The command 'snmp-server community public RO' configures an SNMP community string 'public' with read-only access. This is a valid global configuration command.

761
MCQ · medium

A network engineer is designing an EIGRP network with multiple routers in a hub-and-spoke topology. The engineer wants to ensure that the spoke routers do not become transit routers for traffic between other spokes. The engineer configures 'eigrp stub' on the spoke routers. However, after configuration, the spoke routers stop learning some routes from the hub. What is the most likely reason?

A. The spoke routers are configured with 'eigrp stub receive-only', which prevents them from advertising any routes, so the hub does not have routes to the spoke's networks.
B. The 'eigrp stub' command prevents the spoke from learning routes from the hub.
C. The hub router is also configured as stub, which prevents route propagation.
D. The spoke routers have a different EIGRP autonomous system number than the hub.
Answer: A

Correct. The 'receive-only' keyword prevents the spoke from advertising any routes, including its connected networks. The hub then cannot reach the spoke's networks, and the spoke may not learn routes that depend on those advertisements.

Why this answer

The 'eigrp stub receive-only' command configures the spoke router to only receive routes and not advertise any of its own networks. This causes the hub router to lack routes to the spoke's directly connected or summarized networks, breaking reachability from the hub to the spoke. The correct answer is A because this specific stub mode prevents the spoke from advertising any routes, which is the most likely reason the spoke stops learning some routes from the hub (since the hub may not have a route back to the spoke's networks).

Exam trap

Cisco often tests the misconception that 'eigrp stub' prevents a router from learning routes, when in fact it only restricts the routes the router advertises, and the 'receive-only' keyword is the specific variant that stops all advertisements, causing the hub to lack routes to the spoke's networks.

How to eliminate wrong answers

Option A is correct as explained. Option B is wrong because the 'eigrp stub' command (without 'receive-only') actually allows the spoke to learn routes from the hub; it only restricts the spoke from acting as a transit router by limiting the routes it advertises (e.g., connected, summary). Option C is wrong because configuring the hub as a stub would prevent the hub from learning routes from spokes, but the question states the spoke routers stop learning routes from the hub, which is not caused by the hub being a stub.

Option D is wrong because if the spoke and hub had different EIGRP autonomous system numbers, they would not form an adjacency at all, and the spoke would not learn any routes from the hub—this is a fundamental configuration mismatch, not a subtle effect of the stub command.

762
Drag & Drop · medium

Drag and drop the steps for configuring a Cisco IOS-XE model-driven telemetry (MDT) subscription via the CLI into the correct order, from first to last.


Why this order

The CLI configuration order follows Cisco IOS-XE syntax: enter telemetry mode, define subscription, set receiver, specify stream, and apply sensor path.

763
Multi-Select · hard

Which three statements about RADIUS and TACACS+ are true? (Choose three.)

Select 3 answers
A. RADIUS combines authentication and authorization in a single packet.
B. TACACS+ uses TCP port 49 by default.
C. RADIUS encrypts the entire packet payload for all attributes.
D. TACACS+ provides separate authentication, authorization, and accounting processes.
E. RADIUS supports per-command authorization for shell sessions.
Answers: A, B, D

Correct because RADIUS merges authentication and authorization in the Access-Accept packet.

Why this answer

RADIUS and TACACS+ are both AAA protocols but differ in transport, encryption, and authorization granularity. RADIUS uses UDP and encrypts only the password; TACACS+ uses TCP and encrypts the entire packet. TACACS+ supports per-command authorization, while RADIUS does not.

Both can be used for device administration, but RADIUS is more common for network access.

764
Drag & Drop · medium

Drag and drop the steps of JSON vs XML encoding selection for RESTCONF into the correct order, from first to last.


Why this order

The selection process starts with the client choosing an encoding, setting the Accept header, the server reading it, encoding the response accordingly, and the client parsing the response.

765
MCQ · medium

A network engineer runs the following command on Router R4:

```
R4# show ip nat translations
Pro Inside global       Inside local        Outside local       Outside global
--- 192.168.1.10:1024   10.0.0.10:1024      203.0.113.5:80      203.0.113.5:80
tcp 192.168.1.10:1024   10.0.0.10:1024      203.0.113.5:80      203.0.113.5:80
--- 192.168.1.11:2048   10.0.0.11:2048      198.51.100.2:443    198.51.100.2:443
```

Based on this output, what can be concluded?

A. Both translations are dynamic NAT entries.
B. The translation for 10.0.0.10 is a static NAT entry.
C. The router is performing PAT for both translations.
D. The outside global address is the same as the outside local address for both entries.
Answer: B

The absence of a protocol (---) and an inside global address that does not change indicate a static NAT entry.

Why this answer

The output shows NAT translations. The first entry has no protocol (---) indicating a static translation, while the second is a dynamic TCP translation (tcp). The inside global addresses are 192.168.1.10 and 192.168.1.11, mapping to inside local addresses 10.0.0.10 and 10.0.0.11.

The outside addresses show the destinations. The key is that the first entry is static (no protocol) and the second is dynamic.

766
MCQ · hard

An enterprise has two BGP routers, R1 and R2, both in AS 65000. R1 peers with ISP1 (AS 100) and R2 peers with ISP2 (AS 200). The enterprise advertises a prefix 192.168.0.0/24 to both ISPs. The engineer wants to ensure that traffic from the Internet to this prefix enters the network primarily via R1, and only uses R2 if the link to ISP1 fails. Which BGP attribute should be manipulated on the updates sent to the ISPs?

A. Prepend AS 65000 multiple times on R2's updates to ISP2.
B. Set a higher MED on R1's updates to ISP1.
C. Set a higher local preference on R1 for routes learned from ISP1.
D. Use the no-export community on R1's updates to ISP1.
Answer: A

Correct because AS_PATH prepending makes the path through R2 longer, so ISP2 will prefer the path through ISP1, directing traffic to R1.

Why this answer

To influence inbound traffic from the Internet, you must manipulate attributes sent to the ISPs. AS path prepending makes a route appear less preferred by artificially lengthening the AS path. By prepending AS 65000 multiple times on R2's updates to ISP2, ISP2 will see a longer AS path for the prefix and prefer the shorter path via ISP1, causing traffic to enter primarily via R1 unless the ISP1 link fails.

Exam trap

Cisco often tests the distinction between attributes that influence inbound vs. outbound traffic; the trap here is confusing local preference (outbound) with AS path prepending (inbound), leading candidates to incorrectly choose local preference manipulation.

How to eliminate wrong answers

Option B is wrong because MED is a metric exchanged between ASes to influence inbound traffic from a neighboring AS, but it is only compared when paths come from the same neighboring AS; here ISP1 and ISP2 are different ASes, so MED would not be compared. Option C is wrong because local preference is an attribute used within an AS to influence outbound traffic, not sent to external peers; setting it on R1 for routes learned from ISP1 affects R1's choice of exit path, not how ISPs send traffic inbound. Option D is wrong because the no-export community prevents a route from being advertised to any eBGP peers beyond the immediate neighbor; using it on R1's updates to ISP1 would block the prefix from being propagated further, which is unrelated to influencing inbound path preference.

767
MCQ · easy

An architect is designing a virtualized environment for network functions that require direct access to physical NICs for performance. The hypervisor must support PCI passthrough. Which hypervisor type is best suited for this requirement?

A. Type 1 hypervisor (e.g., VMware ESXi or KVM).
B. Type 2 hypervisor (e.g., VirtualBox or VMware Workstation).
C. Container runtime (e.g., Docker).
D. Bare-metal server without virtualization.
Answer: A

Type 1 hypervisors have direct hardware control and support PCI passthrough.

Why this answer

A Type 1 hypervisor (bare-metal) runs directly on the hardware and has direct access to physical resources, including PCIe devices. It supports PCI passthrough (e.g., Intel VT-d or AMD IOMMU), which allows a virtual machine to directly access a physical NIC without hypervisor intervention, maximizing performance for network functions. VMware ESXi and KVM are common Type 1 hypervisors that implement this capability.

Exam trap

Cisco often tests the distinction between Type 1 and Type 2 hypervisors, and the trap here is that candidates may assume any hypervisor can support PCI passthrough, overlooking the architectural overhead of Type 2 hypervisors that prevents direct hardware access.

How to eliminate wrong answers

Option B is wrong because a Type 2 hypervisor (e.g., VirtualBox or VMware Workstation) runs on top of a host OS, adding an extra layer that introduces latency and typically does not support direct PCI passthrough to physical NICs for production-grade performance. Option C is wrong because container runtimes (e.g., Docker) share the host kernel and do not provide direct access to physical PCI devices; they rely on the host's network stack, which cannot achieve the same performance as PCI passthrough for network functions. Option D is wrong because a bare-metal server without virtualization cannot host multiple virtualized network functions simultaneously, which defeats the purpose of a virtualized environment; the question explicitly requires virtualization.

768
MCQ · medium

```
ip vrf BLUE
 rd 100:1
 route-target export 100:1
 route-target import 100:1
!
interface GigabitEthernet0/1
 ip vrf forwarding BLUE
 ip address 10.1.1.1 255.255.255.0
!
router bgp 65000
 neighbor 192.168.1.1 remote-as 65000
 neighbor 192.168.1.1 update-source Loopback0
 address-family ipv4 vrf BLUE
  neighbor 192.168.1.1 activate
  network 10.1.1.0 mask 255.255.255.0
!
```

What is missing from this MPLS L3VPN configuration?

A. The BGP neighbor needs 'send-community extended' under the address-family to exchange VPN routes.
B. The VRF definition is missing the 'mdt' command for multicast VPN.
C. The interface needs 'mpls ip' enabled for MPLS forwarding.
D. The BGP neighbor needs 'remote-as 65000' under the VRF address-family.
Answer: A

Correct. Without 'send-community extended', the router will not send extended communities, which are essential for VPN route import/export.

Why this answer

The configuration lacks the 'neighbor 192.168.1.1 send-community extended' command under the BGP address-family, which is required to exchange VPNv4 routes with extended communities.

769
Drag & Drop · medium

Drag and drop the steps of DHCP snooping operation on a Cisco switch into the correct order, from first to last.


Why this order

DHCP snooping begins by enabling the feature globally with 'ip dhcp snooping'. Then, the feature is enabled on specific VLANs. Trusted interfaces (typically uplinks to DHCP servers) are configured with 'ip dhcp snooping trust'.

The switch then intercepts DHCP messages, building the DHCP snooping binding database from valid server responses. Finally, any DHCP server messages received on untrusted interfaces are dropped to prevent rogue server attacks.

770
MCQ · medium

A network engineer is troubleshooting a routing loop in an EIGRP network. Which mechanism is designed to prevent routing loops by causing a router to reject routes that are learned from a neighbor that is not the successor?

A. Split horizon
B. Route poisoning
C. Hold-down timers
D. Feasibility condition
Answer: D

The feasibility condition ensures loop-free paths by verifying that the neighbor's reported distance is lower than the feasible distance.

Why this answer

The feasibility condition is a loop-prevention mechanism unique to EIGRP. It ensures that a router only accepts a route from a neighbor if that neighbor's reported distance (RD) to the destination is less than the router's own feasible distance (FD). This guarantees that the path through that neighbor is loop-free, effectively rejecting routes learned from any neighbor that is not the successor.

Exam trap

Cisco often tests the distinction between EIGRP's feasibility condition and other distance-vector loop-prevention mechanisms like split horizon or hold-down timers, expecting candidates to confuse these concepts because they all prevent loops but operate at different stages of the routing process.

How to eliminate wrong answers

Option A is wrong because split horizon prevents loops by not advertising a route back out the interface from which it was learned, but it does not evaluate whether the neighbor is the successor. Option B is wrong because route poisoning (setting the metric to infinity) is used to signal a failed route, not to reject routes from non-successor neighbors. Option C is wrong because hold-down timers are used in distance-vector protocols like RIP to suppress updates after a metric change, but EIGRP does not use hold-down timers; it relies on the Diffusing Update Algorithm (DUAL) and the feasibility condition for loop prevention.

771
MCQ · medium

Examine the following configuration snippet:

```
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 100
 spanning-tree portfast
 spanning-tree bpduguard enable
```

What is the effect of this configuration?

A. The port will immediately transition to forwarding state and will be error-disabled if a BPDU is received.
B. The port will remain in blocking state until a BPDU is received from the root bridge.
C. The port will only forward BPDUs and will not forward data traffic.
D. The port will participate in RSTP and will not be affected by BPDU reception.
Answer: A

PortFast skips listening/learning; BPDU Guard error-disables the port on BPDU reception.

Why this answer

The configuration enables PortFast and BPDU Guard on an access port. PortFast immediately transitions the port to forwarding state, bypassing the usual STP listening and learning phases. BPDU Guard monitors for incoming BPDUs; if any are received, it error-disables the port to prevent a potential bridging loop from an unauthorized switch connection.

Exam trap

Cisco often tests the distinction between PortFast (which speeds up convergence) and BPDU Guard (which protects against loops) — the trap here is assuming PortFast alone prevents BPDU issues, when in fact BPDU Guard is required to error-disable the port upon BPDU reception.

How to eliminate wrong answers

Option B is wrong because PortFast forces the port into forwarding state immediately, not blocking; BPDU Guard does not alter this behavior. Option C is wrong because the port forwards normal data traffic as an access port in VLAN 100, not just BPDUs. Option D is wrong because BPDU Guard explicitly reacts to BPDU reception by error-disabling the port, so the port is affected by BPDUs; RSTP is not relevant here as PortFast overrides the STP state machine.

772
MCQ · hard

A network team is designing QoS for a multi-tenant data center using leaf-spine architecture. Each tenant requires guaranteed bandwidth for their mission-critical applications, while best-effort traffic must not interfere. The design must use hierarchical queuing to enforce per-tenant fairness. Which queuing mechanism should the architect implement on the leaf switches?

A. Implement hierarchical QoS (HQoS) with a parent policy shaping per-tenant traffic and a child policy applying class-based weighted fair queuing (CBWFQ) for each tenant's applications.
B. Use a single level of CBWFQ on all interfaces, classifying traffic by tenant using VLANs.
C. Apply strict priority queuing for all mission-critical traffic across all tenants.
D. Configure separate physical interfaces for each tenant and apply independent QoS policies.
Answer: A

HQoS provides per-tenant shaping and per-class queuing, meeting the requirements for fairness and isolation.

Why this answer

Hierarchical QoS (HQoS) is the correct choice because it allows the architect to enforce per-tenant bandwidth guarantees using a parent policy (shaping) while applying class-based weighted fair queuing (CBWFQ) in a child policy to prioritize each tenant's mission-critical applications. This two-level structure ensures that best-effort traffic from one tenant cannot starve another tenant's guaranteed traffic, meeting the multi-tenant fairness requirement.

Exam trap

Cisco often tests the misconception that a single level of CBWFQ or strict priority queuing can achieve per-tenant fairness, but without hierarchical shaping, one tenant's bursty traffic can consume all available bandwidth, breaking the isolation required in multi-tenant environments.

How to eliminate wrong answers

Option B is wrong because a single level of CBWFQ on all interfaces, classifying by VLAN, cannot enforce per-tenant fairness; it would treat all traffic from different tenants equally within the same queue, allowing one tenant's best-effort traffic to interfere with another tenant's critical traffic. Option C is wrong because strict priority queuing for all mission-critical traffic across all tenants would allow a single tenant's high-priority traffic to monopolize bandwidth, starving other tenants' critical applications and violating per-tenant fairness. Option D is wrong because configuring separate physical interfaces for each tenant is not scalable in a leaf-spine architecture and does not inherently provide hierarchical queuing or per-tenant fairness; it would require excessive port consumption and does not address intra-tenant application differentiation.

773
MCQ · hard

A network engineer is troubleshooting performance issues on a VMware ESXi host running multiple VMs. The host has two physical CPUs, each with 8 cores (16 logical processors with Hyper-Threading enabled). One VM, configured with 8 vCPUs, experiences high CPU ready time. Other VMs on the host are idle. What is the most likely cause of the high CPU ready time?

A. The VM's vCPUs span multiple NUMA nodes, causing memory access delays.
B. Hyper-Threading is disabled on the ESXi host.
C. The host is overcommitted with too many vCPUs.
D. The VM has more vCPUs than physical cores on a single socket.
Answer: A

Correct because when vCPUs are spread across NUMA nodes, memory access becomes non-local, increasing ready time.

Why this answer

The VM has 8 vCPUs, but each physical CPU has only 8 cores (16 logical processors with Hyper-Threading). Since a single NUMA node typically corresponds to one physical CPU socket, an 8-vCPU VM cannot fit entirely within one NUMA node if the VM's vCPUs exceed the number of physical cores on that socket (8 cores). The hypervisor must span the VM across both NUMA nodes, causing remote memory access and increasing CPU ready time due to NUMA latency.

Exam trap

Cisco often tests the misconception that CPU ready time is always caused by overcommitment, but here the trap is that a VM with vCPUs equal to the number of cores per socket can still suffer NUMA spanning if the hypervisor schedules vCPUs across sockets, especially when Hyper-Threading is enabled and the VM size matches a socket's core count but not its logical processor count.

How to eliminate wrong answers

Option B is wrong because Hyper-Threading is enabled on the host (16 logical processors per socket), and disabling it would reduce logical CPUs, not cause high ready time for an 8-vCPU VM on an otherwise idle host. Option C is wrong because the host is not overcommitted; other VMs are idle, and the total vCPUs (only 8 from this VM) are far below the 32 logical processors available. Option D is wrong because the VM has 8 vCPUs, which equals the number of physical cores on a single socket (8 cores), not more; the issue is that vCPUs are scheduled across sockets, not that they exceed core count.

774
Drag & Drop · medium

Drag and drop the steps of SD-WAN application-aware routing (traffic engineering) into the correct order, from first to last.


Why this order

App-aware routing begins with classifying traffic by application, then measuring path performance (loss, latency, jitter), comparing against SLA requirements, selecting the best path, and finally steering traffic over that path.

775
MCQ · hard

A network engineer runs the following command on Router R1:

```
R1# show policy-map control-plane
Control Plane

Service-policy input: CoPP-POLICY

  Class-map: BGP-CLASS (match-all)
    50 packets, 2500 bytes
    5 minute offered rate 500 bps
    Match: access-group name BGP-ACL
    police:
      cir 64000 bps, bc 8000 bytes, be 8000 bytes
      conformed 50 packets, 2500 bytes; actions: transmit
      exceeded 0 packets, 0 bytes; actions: drop
      violated 0 packets, 0 bytes; actions: drop

  Class-map: SNMP-CLASS (match-all)
    200 packets, 10000 bytes
    5 minute offered rate 2000 bps
    Match: access-group name SNMP-ACL
    police:
      cir 16000 bps, bc 2000 bytes, be 2000 bytes
      conformed 150 packets, 7500 bytes; actions: transmit
      exceeded 40 packets, 2000 bytes; actions: drop
      violated 10 packets, 500 bytes; actions: drop

  Class-map: class-default (match-any)
    100 packets, 5000 bytes
    5 minute offered rate 1000 bps
    Match: any
    police:
      cir 32000 bps, bc 4000 bytes, be 4000 bytes
      conformed 100 packets, 5000 bytes; actions: transmit
      exceeded 0 packets, 0 bytes; actions: drop
      violated 0 packets, 0 bytes; actions: drop
```

Based on this output, what can be concluded?

A. SNMP traffic to the control plane is experiencing drops due to exceeding its policer rate, while BGP traffic is within its rate.
B. BGP traffic is being dropped because it exceeds the CIR.
C. All traffic to the control plane is being dropped.
D. The control-plane policy is applied in the output direction.
Answer: A

The SNMP class shows 150 conformed and 50 dropped (exceeded+violated), while BGP shows all 50 conformed.

Why this answer

The BGP class has a CIR of 64 kbps and all 50 packets conformed. The SNMP class has a CIR of 16 kbps, but 50 out of 200 packets exceeded or violated, meaning 50 packets were dropped. The class-default has a CIR of 32 kbps and all 100 packets conformed.

The correct answer is that SNMP traffic to the control plane is experiencing drops due to exceeding its policer rate, while BGP traffic is within its rate.
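The reasoning above (sum the exceeded and violated buckets of each class to find what the CoPP policer dropped) can be automated so that a monitoring job flags control-plane classes that are being policed. The following is an added example, not part of the question bank or of any Cisco tool; it parses the show output reproduced in the question (embedded here as a constructed sample string) and assumes that each conformed/exceeded/violated counter carries its action on the same line, as it does in that output.

```python
import re

# Constructed sample: the show policy-map control-plane output from the question above.
SAMPLE_COPP = """\
R1# show policy-map control-plane
Control Plane

Service-policy input: CoPP-POLICY

  Class-map: BGP-CLASS (match-all)
    50 packets, 2500 bytes
    5 minute offered rate 500 bps
    Match: access-group name BGP-ACL
    police:
      cir 64000 bps, bc 8000 bytes, be 8000 bytes
      conformed 50 packets, 2500 bytes; actions: transmit
      exceeded 0 packets, 0 bytes; actions: drop
      violated 0 packets, 0 bytes; actions: drop

  Class-map: SNMP-CLASS (match-all)
    200 packets, 10000 bytes
    5 minute offered rate 2000 bps
    Match: access-group name SNMP-ACL
    police:
      cir 16000 bps, bc 2000 bytes, be 2000 bytes
      conformed 150 packets, 7500 bytes; actions: transmit
      exceeded 40 packets, 2000 bytes; actions: drop
      violated 10 packets, 500 bytes; actions: drop

  Class-map: class-default (match-any)
    100 packets, 5000 bytes
    5 minute offered rate 1000 bps
    Match: any
    police:
      cir 32000 bps, bc 4000 bytes, be 4000 bytes
      conformed 100 packets, 5000 bytes; actions: transmit
      exceeded 0 packets, 0 bytes; actions: drop
      violated 0 packets, 0 bytes; actions: drop
"""

CLASS_RE = re.compile(r"Class-map:\s+(\S+)")
CIR_RE = re.compile(r"\bcir\s+(\d+)\s+bps")
# Assumption: the policer action is printed on the same line as the counter.
COUNTER_RE = re.compile(
    r"(conformed|exceeded|violated)\s+(\d+)\s+packets,\s+(\d+)\s+bytes;\s+actions:\s+(\w+)"
)


def parse_copp(output):
    """Map each class-map name to its CIR, per-bucket packet counts and actions."""
    classes = {}
    current = None
    for line in output.splitlines():
        m = CLASS_RE.search(line)
        if m:
            current = m.group(1)
            classes[current] = {"cir_bps": None, "conformed": 0, "exceeded": 0,
                                "violated": 0, "actions": {}}
            continue
        if current is None:
            continue
        m = CIR_RE.search(line)
        if m:
            classes[current]["cir_bps"] = int(m.group(1))
            continue
        m = COUNTER_RE.search(line)
        if m:
            bucket, pkts, _bytes, action = m.groups()
            classes[current][bucket] = int(pkts)
            classes[current]["actions"][bucket] = action
    return classes


def dropped_packets(cls):
    """Packets lost to the policer: every bucket whose configured action is drop."""
    return sum(cls[b] for b in ("conformed", "exceeded", "violated")
               if cls["actions"].get(b) == "drop")


def classes_with_drops(classes):
    """Sorted names of classes where the policer dropped at least one packet."""
    return sorted(name for name, cls in classes.items() if dropped_packets(cls) > 0)


if __name__ == "__main__":
    parsed = parse_copp(SAMPLE_COPP)
    for name in classes_with_drops(parsed):
        print(f"{name}: {dropped_packets(parsed[name])} packets dropped "
              f"(cir {parsed[name]['cir_bps']} bps)")
```

Run against a live device the same function answers the exam question directly: only SNMP-CLASS reports drops (40 exceeded + 10 violated = 50), BGP-CLASS and class-default conform entirely.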

776
MCQ · easy

A service provider is migrating a customer from a global routing table to a VRF on a Cisco ASR 1000. The customer has a BGP session with the provider for internet access. After moving the customer's interface to VRF CUSTOMER_D, the BGP session goes down. The engineer verifies that the VRF is configured with the correct route-target and that the BGP neighbor is configured under address-family ipv4 vrf CUSTOMER_D. What else is missing?

A. The IP address on the interface was removed when the VRF was applied, and it was not reconfigured.
B. The BGP neighbor is not configured with the password command.
C. The route-target import/export values are incorrect for the customer.
D. The engineer forgot to configure the VRF under the BGP router-id.
Answer: A

Correct because the ip vrf forwarding command clears the IP address on the interface, requiring it to be re-entered.

Why this answer

When a VRF is applied to an interface on a Cisco ASR 1000, the interface's IP address is removed because the VRF changes the routing context. The engineer must reconfigure the IP address under the VRF interface. Without the IP address, the BGP session cannot establish a TCP connection, causing it to go down.

Exam trap

Cisco often tests the fact that applying a VRF to an interface removes the IP address, leading candidates to overlook the need to reconfigure it, and instead focus on BGP or VRF configuration errors.

How to eliminate wrong answers

Option B is wrong because BGP password configuration is optional and not required for session establishment; the session fails due to missing IP address, not authentication. Option C is wrong because the engineer verified correct route-target import/export values, so this is not the issue. Option D is wrong because BGP router-id is a global or VRF-level parameter that does not need to be explicitly configured under the VRF; it defaults to the highest loopback or interface IP, and the session failure is unrelated to router-id.

777
Multi-Select · hard

Which three statements about the Differentiated Services (DiffServ) QoS model are true? (Choose three.)

A. DiffServ uses the 6-bit DSCP field in the IP header to mark packets, allowing up to 64 different classes of service.
B. In DiffServ, core routers perform complex classification and marking based on deep packet inspection.
C. The Assured Forwarding (AF) PHB group provides four classes, each with three drop precedence levels.
D. DiffServ requires end-to-end signaling using RSVP to reserve bandwidth along the path.
E. The Expedited Forwarding (EF) PHB is designed for low-loss, low-latency traffic such as voice.
Answers: A, C, E

Correct. DSCP is 6 bits, providing 64 possible codepoints.

Why this answer

DiffServ is a class-based model that uses the DSCP field in the IP header to classify traffic. It provides per-hop behavior (PHB) and is scalable because core routers only need to inspect the DSCP field. The model does not guarantee end-to-end bandwidth reservation like IntServ does; instead, it relies on traffic conditioning at the edge.

778
MCQ · medium

A network administrator issues the following command on a Cisco WLC:

```
WLC# show ap config general AP-1
AP Name: AP-1
MAC Address: aabb.cc00.0100
Country Code: US - United States
Regulatory Domain: 802.11bg: -A 802.11a: -A
AP Submode: Normal
AP Mode: Local
AP Join Priority: 1
Primary Controller: WLC-1
Secondary Controller: WLC-2
Tertiary Controller: WLC-3
```

Based on this output, what can be concluded?

A. The AP is operating in FlexConnect mode.
B. The AP will attempt to join the primary controller WLC-1 first.
C. The AP is in Monitor mode and will not serve clients.
D. The AP has a join priority of 1, meaning it is the highest priority.
Answer: B

The primary controller is configured as WLC-1, and APs try to join their primary controller first.

Why this answer

The output shows the AP is in Local mode (not FlexConnect or Monitor). It has a primary, secondary, and tertiary controller configured, which is typical for high availability. The AP will attempt to join the primary controller first.

779
MCQ · medium

A network engineer is configuring a zone-based firewall (ZBF) on a Cisco router to allow traffic from the inside zone to the outside zone while blocking traffic from outside to inside. The engineer creates zones, assigns interfaces, and configures a policy-map with a class-map that matches all traffic from inside to outside. The engineer applies the policy to the zone-pair inside-to-outside. However, traffic from inside to outside is being dropped. What is the most likely reason?

A. The policy-map does not include an 'inspect' or 'pass' action for the matched traffic.
B. The zone-pair should be configured as outside-to-inside instead.
C. The class-map must also match return traffic for the firewall to allow the session.
D. The policy-map is applied to the wrong zone-pair; it should be applied to the inside zone.
Answer: A

Correct because without an explicit action, ZBF drops all traffic.

Why this answer

In ZBF, the policy-map must include an action for the matched traffic. If the class-map matches traffic but the policy-map does not have an 'inspect' or 'pass' action, the default action is to drop. Option A is correct because the engineer likely omitted the action.

Option B is incorrect because the zone-pair is correctly defined. Option C is incorrect because the class-map does not need to match return traffic; inspection handles that. Option D is incorrect because the policy is applied to the correct zone-pair.

780
MCQ · medium

A network engineer is configuring a Cisco switch for 802.1X with RADIUS authentication. The switch is also configured with 'aaa authentication dot1x default group radius'. The engineer wants to use a single RADIUS server for both authentication and accounting. The RADIUS server is configured with the same shared secret for both services. The engineer configures 'radius-server host 10.1.1.1 auth-port 1812 acct-port 1813 key cisco123'. However, accounting records are not being sent to the server. The engineer verifies that the RADIUS server is reachable and that accounting is enabled on the server. What is the most likely cause?

A. The switch is missing the 'aaa accounting dot1x default start-stop group radius' command to enable accounting for 802.1X sessions.
B. The RADIUS server is using a different accounting port than 1813; the switch should use port 1646.
C. The switch must have 'aaa new-model' configured before accounting can work.
D. The RADIUS server's shared secret for accounting is different from the authentication secret.
Answer: A

Correct because accounting is a separate AAA function that must be explicitly configured; the RADIUS server definition alone does not enable accounting.

Why this answer

The switch must have accounting enabled globally and for the specific service (dot1x). The 'radius-server host' command only defines the server; accounting is not automatically enabled. The engineer needs to configure 'aaa accounting dot1x default start-stop group radius' to send accounting records.

781
MCQ · hard

A network engineer runs the following command on Router R1:

```
R1# show ip bgp summary
BGP router identifier 10.0.0.1, local AS number 65001
BGP table version is 10, main routing table version 10

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
192.168.1.2     4 65002    1024    1020       10    0    0 02:30:15        5
192.168.1.3     4 65003     500     498       10    0    0 00:15:20        3
10.0.0.2        4 65004       0       0        0    0    0 never    Active
```

Based on this output, what can be concluded?

A. All BGP neighbors are fully established.
B. The BGP session to 10.0.0.2 is down due to a TCP connection issue.
C. The BGP session to 192.168.1.3 has been up for 2 hours 30 minutes.
D. The router is receiving prefixes from all neighbors.
Answer: B

The Active state indicates the router is trying to open a TCP connection but has not succeeded.

Why this answer

The output shows BGP neighbors. The first two neighbors are established (up/down time and prefixes received). The third neighbor (10.0.0.2) is in Active state, meaning it is trying to establish a TCP connection but failing.

This could be due to a missing route, ACL blocking, or incorrect configuration.
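The rule the explanation applies, that a numeric State/PfxRcd column means Established while a word (Active, Idle, Connect, OpenSent, OpenConfirm) means the session is not up, is exactly what a health check should encode rather than a human eyeballing the table. The block below is an added example, not part of the question bank; it parses the show ip bgp summary table from the question (embedded as a constructed sample) and reports neighbors that are not established. It assumes the single-line neighbor format shown in the question; IOS prints IPv6 neighbors across two lines, which this parser does not handle.

```python
import re

# Constructed sample: the show ip bgp summary output from the question above.
SAMPLE_BGP_SUMMARY = """\
R1# show ip bgp summary
BGP router identifier 10.0.0.1, local AS number 65001
BGP table version is 10, main routing table version 10

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
192.168.1.2     4 65002    1024    1020       10    0    0 02:30:15        5
192.168.1.3     4 65003     500     498       10    0    0 00:15:20        3
10.0.0.2        4 65004       0       0        0    0    0 never    Active
"""

# One neighbor row: IPv4 peer, BGP version, AS, counters, Up/Down, State/PfxRcd.
NEIGHBOR_RE = re.compile(
    r"^(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<ver>\d+)\s+(?P<asn>\d+)\s+"
    r"(?P<rcvd>\d+)\s+(?P<sent>\d+)\s+(?P<tblver>\d+)\s+(?P<inq>\d+)\s+"
    r"(?P<outq>\d+)\s+(?P<updown>\S+)\s+(?P<state>\S+)\s*$"
)


def parse_bgp_summary(output):
    """Return one dict per neighbor row found in the summary table."""
    neighbors = []
    for line in output.splitlines():
        m = NEIGHBOR_RE.match(line)
        if not m:
            continue  # banner lines, header row, blank lines
        state = m.group("state")
        # A number in State/PfxRcd is the prefix count of an Established session;
        # anything else (Active, Idle, Connect, OpenSent, OpenConfirm) is a FSM state.
        established = state.isdigit()
        neighbors.append({
            "ip": m.group("ip"),
            "asn": int(m.group("asn")),
            "up_down": m.group("updown"),
            "established": established,
            "prefixes": int(state) if established else 0,
            "state": "Established" if established else state,
        })
    return neighbors


def unhealthy_neighbors(neighbors):
    """Peers that are not Established, in table order."""
    return [n["ip"] for n in neighbors if not n["established"]]


if __name__ == "__main__":
    peers = parse_bgp_summary(SAMPLE_BGP_SUMMARY)
    for n in peers:
        print(f"{n['ip']:<16} AS{n['asn']:<6} {n['state']:<12} "
              f"up/down {n['up_down']:<9} prefixes {n['prefixes']}")
    print("not established:", unhealthy_neighbors(peers))
```

On the sample table the check returns only 10.0.0.2 (Active, never up), while the two 192.168.1.x peers are Established with 5 and 3 prefixes respectively.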

782
Multi-Select · medium

Which two statements about YANG data models and their role in model-driven telemetry are true? (Choose two.)

A. YANG is a data modeling language used to define the structure of configuration and operational state data.
B. OpenConfig YANG models are vendor-specific and only supported on Cisco devices.
C. Native YANG models are developed by the device vendor and may expose platform-specific features.
D. IETF YANG models are the only models that can be used for model-driven telemetry subscriptions.
E. YANG is a transport protocol used to stream telemetry data from network devices to collectors.
Answers: A, C

Correct because YANG (RFC 7950) is indeed a data modeling language for defining data structures, which are then used by telemetry to stream operational state.

Why this answer

YANG models define the structure and constraints of data that can be streamed via telemetry. Native models are vendor-specific, while OpenConfig models are vendor-neutral. IETF models are standards-based but not necessarily vendor-neutral.

YANG is a data modeling language, not a transport protocol. Telemetry subscriptions reference YANG paths to specify which data to stream.

783
MCQ · medium

An engineer uses the following Ansible playbook to configure an interface on a Cisco IOS-XE device using the cisco.ios.ios_interfaces module:

```yaml
---
- name: Configure interface
  hosts: cisco-routers
  gather_facts: no
  tasks:
    - name: Set interface description
      cisco.ios.ios_interfaces:
        config:
          - name: GigabitEthernet0/1
            description: "Uplink to Core"
            enabled: true
        state: replaced
```

What is the result of running this playbook?

A. The interface will have the description set and all other parameters remain unchanged.
B. The playbook will fail because 'enabled' is not a valid parameter for ios_interfaces.
C. The interface will be configured with only the description and enabled state, removing any other existing configuration.
D. The playbook will fail because 'state: replaced' requires a 'before' and 'after' state.
Answer: C

The 'replaced' state replaces the whole interface configuration with the provided values.

Why this answer

The 'state: replaced' will replace the entire interface configuration with only the provided parameters. This means that any existing configuration on GigabitEthernet0/1 (like IP address, speed, duplex) will be removed and only the description and enabled state will be applied. This is a common pitfall.

784
MCQ · medium

A network engineer is deploying a new wireless LAN controller (WLC) in a campus network. The WLC must manage 200 access points across three buildings. The engineer configures the WLC with a management IP address and enables CAPWAP. However, the access points fail to join the WLC. The APs are in the same VLAN as the WLC and can ping the WLC's management IP. What is the most likely cause of the APs not joining?

A. The WLC does not have a CAPWAP source interface configured.
B. The APs are not configured with DHCP option 43 to point to the WLC.
C. The APs are running an incompatible IOS version that does not support CAPWAP.
D. The APs must be assigned a static IP address to join the WLC.
Answer: A

Correct because the CAPWAP source interface must be configured on the WLC so that APs can discover and communicate with it. Without it, the WLC may not respond to CAPWAP discovery requests.

Why this answer

The correct answer is that the APs are unable to discover the WLC via CAPWAP because the WLC's CAPWAP source interface is not configured or is misconfigured. Even though the APs can ping the management IP, CAPWAP discovery requires the WLC to respond from a consistent source IP. The other options are less likely: DHCP option 43 is not needed if APs are in the same subnet, APs do not need a specific IOS version to join, and APs do not need a static IP if they can obtain one via DHCP.

785
MCQ · easy

An enterprise is deploying Cisco SD-WAN with vManage, vSmart, vBond, and vEdge routers. The architect must design the control plane to securely onboard new vEdge routers and establish DTLS/TLS tunnels. Which component is responsible for the initial authentication and coordination of control plane connections?

A. vManage
B. vSmart
C. vBond
D. vEdge
Answer: C

vBond authenticates vEdge routers and orchestrates the control plane connections, acting as the initial contact point.

Why this answer

In Cisco SD-WAN, vBond is the orchestrator responsible for the initial authentication and coordination of control plane connections. When a new vEdge router attempts to join the fabric, it first contacts vBond, which authenticates the device using its serial number and certificate, then provides the IP addresses of the vSmart controllers and vManage. This establishes the DTLS/TLS tunnels for the control plane.

Exam trap

Cisco often tests the misconception that vManage handles all initial authentication because it is the central management interface, but vBond is specifically designed for orchestrating the initial control plane connections.

How to eliminate wrong answers

Option A is wrong because vManage is the management and monitoring plane, handling configuration, policy, and analytics, but it does not perform initial authentication or coordinate control plane connections. Option B is wrong because vSmart is the control plane controller that distributes routing and policy information via OMP, but it relies on vBond for initial device onboarding and authentication. Option D is wrong because vEdge is the data plane router that initiates connections to vBond, vSmart, and vManage, but it is not responsible for authenticating or coordinating other components.

786
Drag & Drop · medium

Drag and drop the steps of NBAR2 application recognition and classification into the correct order, from first to last.


Why this order

First, enable NBAR2 on the interface using ip nbar protocol-discovery. Then create a class-map to match the application using match protocol. Next, create a policy-map to mark or apply QoS actions.

Apply the policy-map to the interface. Finally, verify NBAR2 statistics using show ip nbar protocol-discovery.

787
MCQ · medium

An engineer is configuring multicast on a Cisco switch running IOS. The switch is acting as the IGMP querier for a VLAN. The engineer notices that multicast traffic is being flooded to all ports in the VLAN, even though only a few receivers have joined the group. The engineer checks the IGMP snooping configuration and sees that IGMP snooping is enabled globally and on the VLAN. What is the most likely cause of the flooding?

A. The IGMP querier is not elected on the VLAN.
B. The multicast source is connected to a trunk port.
C. The switch has PIM enabled on the VLAN interface.
D. The receivers are using IGMPv3.
Answer: A

Correct because without a querier, IGMP snooping cannot learn group memberships, causing the switch to flood multicast traffic.

Why this answer

IGMP snooping relies on the switch seeing IGMP membership reports. If the switch does not see the reports because the querier is not elected or because the reports are not forwarded to the switch CPU, the switch will flood multicast traffic to all ports.

788
MCQ · easy

What is the maximum hop count for EIGRP?

A. 100
B. 15
C. 255
D. 16
Answer: A

Correct. The default maximum hop count for EIGRP is 100.

Why this answer

EIGRP uses a maximum hop count of 100 by default to prevent routing loops. This is a hard limit; if a route's hop count exceeds 100, EIGRP considers it unreachable. This value is configurable via the 'metric maximum-hops' command under the EIGRP process.

Exam trap

Cisco often tests the EIGRP hop count limit of 100 to trap candidates who confuse it with RIP's 15-hop limit or OSPF's 255-hop limit, especially when the question omits the protocol name in the stem.

How to eliminate wrong answers

Option B (15) is wrong because 15 is the maximum hop count for RIP, not EIGRP; this is a common confusion between distance-vector protocols. Option C (255) is wrong because 255 is the maximum hop count for OSPF (via the 'max-metric' LSA) or the TTL field in IP packets, but EIGRP defaults to 100. Option D (16) is wrong because 16 is the 'infinity' metric in RIP (indicating an unreachable route), not a hop count limit for EIGRP.

789
Drag & Drop · medium

Drag and drop the steps of ISE profiling-based dynamic ACL assignment into the correct order, from first to last.


Why this order

ISE profiles endpoints by collecting attributes, then matches the profile to a policy, downloads a dACL to the switch, and the switch applies it to the port.

790
MCQ · hard

A network engineer is troubleshooting a VMware vSphere cluster where a VM with a large memory footprint (256 GB) is experiencing poor performance. The host has two NUMA nodes, each with 128 GB of memory. The VM is configured with 256 GB of memory and 4 vCPUs. Performance monitoring shows high memory latency and CPU ready time. What is the most likely cause?

A. The VM's memory size forces it to span multiple NUMA nodes, increasing memory access latency.
B. The VM has too few vCPUs for the memory size.
C. The host is using memory ballooning to reclaim memory from other VMs.
D. The host's memory is overcommitted.
Answer: A

Correct because when a VM's memory exceeds a single NUMA node, memory accesses cross nodes, causing higher latency.

Why this answer

The VM is configured with 256 GB of memory, but each NUMA node on the host has only 128 GB. Since a single NUMA node cannot satisfy the VM's memory allocation, the hypervisor must split the VM across both NUMA nodes. This forces memory accesses to cross the NUMA interconnect (e.g., QPI or UPI), which introduces significantly higher latency compared to local memory access, directly causing the observed high memory latency and increased CPU ready time.

Exam trap

Cisco often tests the misconception that memory performance issues are always due to overcommitment or ballooning, but the trap here is that the VM's memory size exactly matches the total host memory, leading candidates to overlook the NUMA boundary constraint.

How to eliminate wrong answers

Option B is wrong because the number of vCPUs (4) is not directly related to memory latency; CPU ready time is affected by vCPU-to-pCPU scheduling contention, not by memory size. Option C is wrong because memory ballooning reclaims memory from VMs to avoid overcommitment, but it does not cause high memory latency or CPU ready time; it would instead cause guest OS swapping or performance degradation due to memory pressure. Option D is wrong because memory overcommitment would lead to ballooning or swapping, not specifically to NUMA-spanning latency; the host has exactly 256 GB total memory, so the VM's allocation is not overcommitted.

791
Matching · medium

Drag and drop each multicast tree type on the left to its matching description on the right.


Descriptions

A source-specific multicast tree rooted at the source

A shared multicast tree rooted at the RP

A shared tree where traffic flows both toward and away from the RP

A shared tree for group G, used in PIM SM before switching to SPT

A source-specific tree for source S and group G

Why these pairings

SPT is a source-specific tree rooted at the source; RPT is a shared tree rooted at the RP; Bidir tree is a shared tree used in Bidir PIM; (*,G) tree is a shared tree for all sources; (S,G) tree is a source-specific tree.

792
Multi-Select · medium

Which two statements about native VLANs on an 802.1Q trunk are true? (Choose two.)

A. Frames belonging to the native VLAN are transmitted untagged on the trunk link.
B. The native VLAN must be the same on both ends of the trunk link.
C. The native VLAN can be any VLAN from 1 to 4094.
D. The native VLAN is always VLAN 1 and cannot be changed.
E. A native VLAN mismatch will cause all traffic on the trunk to be dropped.
Answers: A, B

802.1Q does not tag frames for the native VLAN, so they are sent as standard Ethernet frames.

Why this answer

The native VLAN is a key concept in 802.1Q trunking. Frames on the native VLAN are sent untagged to maintain compatibility with legacy devices that do not understand VLAN tags. Both ends of the trunk must agree on the native VLAN; a mismatch can cause connectivity issues or VLAN hopping.

The default native VLAN is VLAN 1.

793
Multi-Select · medium

Which two statements about MPLS label operations are true? (Choose two.)

A. The ingress LSR performs a label push operation.
B. Transit LSRs perform a label swap operation.
C. The egress LSR performs a label push operation.
D. PHP (Penultimate Hop Popping) causes the egress LSR to pop the label.
E. The egress LSR always performs an IP lookup after label removal.
Answers: A, B

Correct because the ingress LSR adds the initial MPLS label to the packet.

Why this answer

In MPLS, the ingress LSR pushes a label onto the packet, and transit LSRs swap the incoming label with an outgoing label based on the LFIB. PHP removes the label before the egress LSR, so the egress LSR does not perform a label lookup. The egress LSR forwards based on the IP header after label removal.

794
MCQ · hard

A network engineer configures SNMPv3 on a Cisco router for secure monitoring. The configuration includes 'snmp-server group ADMIN v3 priv', 'snmp-server user admin ADMIN v3 auth sha cisco123 priv aes 128 cisco456', and 'snmp-server host 10.1.1.2 version 3 priv admin'. The NMS is configured with the same credentials. However, the NMS cannot poll the router. The engineer verifies that the router's SNMP agent is enabled. What is the most likely cause?

A. The SNMPv3 user is not associated with the group correctly.
B. The NMS must be configured with the router's SNMP engine ID.
C. The 'priv' keyword in the host command should be 'auth' instead.
D. The AES encryption key must be exactly 16 characters.
Answer: B

Correct because SNMPv3 uses engine IDs for authentication; if the NMS does not have the correct engine ID, it cannot authenticate.

Why this answer

SNMPv3 requires matching authentication and encryption settings on both sides. Here the user is created with both authentication and privacy, and the host command's 'priv' keyword is consistent with that, so the credentials themselves are correct. What the NMS may be missing is the router's engine ID.

The most common mistake is not specifying the engine ID on the NMS, or a mismatch between the two. In this scenario the router's engine ID is generated automatically, and the NMS must match it. The correct answer is that the user configuration is missing the engine ID specification.

795
MCQ · medium

A network administrator runs the following command on a switch:

```
Switch# show aaa method-list
Method List Name: default
  Type: authentication
  Group: radius
  Group: local
Method List Name: console
  Type: authentication
  Group: local
Method List Name: default
  Type: authorization
  Group: tacacs+
  Group: local
```

Based on this output, what can be concluded?

A. Authorization for all users uses RADIUS.
B. Console authentication uses RADIUS as fallback.
C. RADIUS is the primary authentication method for default login.
D. TACACS+ is used for authentication.
Answer: C

The default authentication list has 'group radius' listed first.

Why this answer

The output shows the configured method lists. The default authentication list uses RADIUS first, then local. The console authentication list uses only local.

The default authorization list uses TACACS+ first, then local. This matches typical AAA configuration.

796
Drag & Drop · medium

Drag and drop the steps of Cisco DHCP snooping binding table population into the correct order, from first to last.


Why this order

DHCP snooping first validates DHCP server messages on trusted ports, then creates a binding entry from the DHCPACK, stores the entry with MAC/IP/port/VLAN, updates the table on lease renewal, and finally removes the entry on lease expiry or DHCPRELEASE.
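The five steps above describe a small state machine: server messages are accepted only from trusted ports, a DHCPACK creates a binding of MAC, IP, VLAN, client port and lease, a renewal refreshes it, and expiry or DHCPRELEASE removes it. The following model is an added example written for this page; it is not Cisco code and does not claim to mirror the IOS implementation in detail. Port names, MAC addresses, IP addresses and lease times in the demo are constructed. It also applies one check the page's steps imply but do not spell out: a DHCPRELEASE is honoured only when it arrives on the port recorded in the binding, which is what stops a host on another port from releasing someone else's lease.

```python
from dataclasses import dataclass


@dataclass
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str        # client-facing (untrusted) port that sent the request
    expires_at: int  # lease end as an absolute time in seconds


class DhcpSnoopingTable:
    """Hypothetical model of a DHCP snooping binding table (not IOS code)."""

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.pending = {}   # (vlan, mac) -> client port seen in DISCOVER/REQUEST
        self.bindings = {}  # (vlan, mac) -> Binding

    def client_message(self, kind, port, mac, vlan, now):
        """DISCOVER/REQUEST/RELEASE seen on a client port; True if forwarded."""
        key = (vlan, mac)
        if kind in ("DHCPDISCOVER", "DHCPREQUEST"):
            self.pending[key] = port  # remember which port the client is on
            return True
        if kind == "DHCPRELEASE":
            # Step 5 (release): only accepted from the port the binding was learned on.
            b = self.bindings.get(key)
            if b is None or b.port != port:
                return False
            del self.bindings[key]
            return True
        return False

    def server_message(self, kind, port, mac, ip, vlan, lease, now):
        """OFFER/ACK/NAK arriving on a port; True if accepted.

        Step 1: server messages are dropped unless the port is trusted.
        Steps 2-4: a DHCPACK creates a binding or refreshes an existing one.
        """
        if port not in self.trusted:
            return False
        if kind == "DHCPACK":
            key = (vlan, mac)
            client_port = self.pending.pop(key, None)
            existing = self.bindings.get(key)
            if existing is not None:
                # Step 4: renewal refreshes the lease (and IP) of the existing entry.
                existing.ip = ip
                existing.expires_at = now + lease
            elif client_port is not None:
                # Steps 2-3: new binding with MAC, IP, VLAN, client port and lease.
                self.bindings[key] = Binding(mac, ip, vlan, client_port, now + lease)
        return True

    def expire(self, now):
        """Step 5 (expiry): remove entries whose lease has ended; returns the count."""
        stale = [k for k, b in self.bindings.items() if b.expires_at <= now]
        for k in stale:
            del self.bindings[k]
        return len(stale)

    def lookup(self, vlan, mac):
        return self.bindings.get((vlan, mac))


def demo():
    """Constructed event sequence: one trusted uplink, one client, one rogue ACK."""
    t = DhcpSnoopingTable(trusted_ports={"Gi1/0/24"})
    t.client_message("DHCPDISCOVER", "Gi1/0/1", "aabb.cc00.0001", 10, now=0)
    # ACK from an untrusted access port is rejected and never creates a binding.
    rogue_accepted = t.server_message("DHCPACK", "Gi1/0/2", "aabb.cc00.0001",
                                      "10.0.10.99", 10, 3600, now=1)
    # ACK from the trusted uplink creates the binding for the client on Gi1/0/1.
    t.server_message("DHCPACK", "Gi1/0/24", "aabb.cc00.0001",
                     "10.0.10.50", 10, 3600, now=2)
    return t, rogue_accepted


if __name__ == "__main__":
    table, rogue = demo()
    print("rogue ACK accepted:", rogue)
    print("binding:", table.lookup(10, "aabb.cc00.0001"))
```

The demo produces a single binding (MAC aabb.cc00.0001, 10.0.10.50, VLAN 10, port Gi1/0/1) and rejects the ACK that arrived on the untrusted port; a later ACK on the uplink extends the lease, and expire() removes the entry once the lease time has passed.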

797
MCQ · medium

Given the following snippet from a Cisco 9800 WLC:

```
ap ethernet-port default-ethernet-port
 description "Default Ethernet Port"
 mode trunk
 allowed vlan 10,20,30
 native vlan 10
```

What is the effect of this configuration on the AP?

A. The AP's Ethernet port will tag all traffic with VLAN 10.
B. The AP will use VLAN 10 for management traffic and VLANs 20 and 30 for client traffic.
C. The AP will only allow VLAN 10 traffic.
D. The AP's Ethernet port is configured as an access port.
Answer: B

Native VLAN is typically for management; other VLANs are for client data.

Why this answer

The Ethernet port configuration on an AP defines how the AP's wired interface handles VLANs, typically for management and client traffic.

798
MCQ · medium

A network engineer runs the following command on Switch SW2:

```
SW2# show interfaces port-channel 1 etherchannel
Port-channel1   :
Age of the Port-channel   = 0d:00h:10m:32s
Logical slot/port   = 16/1          Number of ports = 2
HotStandby port = null
Port state          = Port-channel Ag-Inuse
Protocol            =   LACP

Ports in the Port-channel:

Index   Load   Port     EC state        No of bits
------+------+------+------------------+-----------
  0     00     Gi0/0    Active             4
  1     00     Gi0/1    Active             4

Time since last port bundled:    0d:00h:05m:23s    Gi0/1
```

Based on this output, what can be concluded?

A. The EtherChannel is not operational because the load is zero.
B. Both member ports are in Active state, meaning they are participating in LACP negotiation.
C. The port-channel is in 'Ag-Inuse' state, which means it is not yet forwarding traffic.
D. Load balancing is set to source-destination IP, causing the zero load values.
Answer: B

Active state in LACP means the port is actively trying to form an aggregation.

Why this answer

The output shows that the port-channel is in 'Ag-Inuse' state, meaning the aggregation is active. Both Gi0/0 and Gi0/1 are in 'Active' state, which is correct for LACP. The load field shows '00' for both, indicating that load balancing is not distributing traffic evenly; this could be because there is no traffic or the load-balancing method is not effective.

The correct answer is that the EtherChannel is operational with two active member ports.

799
MCQ · medium

A network engineer is automating configuration backups using Ansible. The playbook uses the ios_config module to retrieve running configurations from Cisco IOS XE devices. However, the playbook fails with a timeout error on a specific device. Other devices respond correctly. What is the most likely cause of the failure?

A. The device is configured for HTTP/HTTPS access only.
B. The device has incorrect SSH credentials configured in the Ansible vault.
C. The device has NetFlow enabled, consuming CPU cycles.
D. The device has SNMPv3 enabled with authentication traps.
Answer: B

Incorrect SSH credentials cause authentication failure and timeout.

Why this answer

The ios_config module in Ansible uses SSH to connect to Cisco IOS XE devices and execute commands. A timeout error on a specific device while others succeed strongly indicates an authentication or authorization failure, such as incorrect SSH credentials stored in the Ansible vault. This prevents the SSH session from being established, causing the playbook to wait until the timeout threshold is reached.

Exam trap

Cisco often tests the distinction between connectivity issues (like SSH credentials) and unrelated features (like NetFlow or SNMP) that candidates might incorrectly assume cause automation failures, leading them to choose a distractor that sounds plausible but is technically irrelevant.

How to eliminate wrong answers

Option A is wrong because the ios_config module relies on SSH (or Telnet) for network device access, not HTTP/HTTPS; HTTP/HTTPS access is used by RESTCONF or NETCONF, not the ios_config module. Option C is wrong because NetFlow, while consuming CPU cycles, does not prevent SSH connectivity or cause a timeout on the ios_config module; it may degrade performance but not block the session. Option D is wrong because SNMPv3 with authentication traps is unrelated to SSH-based Ansible automation; SNMP is a separate management protocol and does not interfere with SSH connections used by the ios_config module.

800
Drag & Drop · medium

Drag and drop the steps of IKEv2 IPsec tunnel establishment into the correct order, from first to last.


Why this order

IKEv2 uses a two-phase process: Phase 1 (IKE_SA_INIT) establishes a secure channel, then Phase 2 (IKE_AUTH and CREATE_CHILD_SA) authenticates peers and creates IPsec SAs. The order is: 1. IKE_SA_INIT exchange, 2. IKE_AUTH exchange, 3. CREATE_CHILD_SA exchange, 4. IPsec SA installation, 5. Data encryption/decryption.

801
MCQ (hard)

An engineer is deploying a virtual network function (VNF) on a Cisco NFVIS host. The VNF requires four virtual NICs, each connected to a different network segment. The engineer creates four bridges on NFVIS and attaches each vNIC to a separate bridge. After deployment, the VNF can only communicate on the first bridge. What is the most likely cause?

A. The bridges are all mapped to the same physical interface without subinterfaces, causing a conflict.
B. The VNF's operating system does not support multiple NICs.
C. The vNICs have duplicate MAC addresses.
D. The bridges were created in the wrong order.
Answer: A

Correct because each bridge must be associated with a unique physical interface or subinterface; otherwise, only one bridge works.

Why this answer

In Cisco NFVIS, bridges are Layer 2 forwarding constructs that must be mapped to a physical interface (or subinterface) to provide external connectivity. When multiple bridges are all mapped to the same physical interface (e.g., GigabitEthernet0/0) without using subinterfaces, they share the same VLAN and MAC domain, causing traffic from the second, third, and fourth bridges to be dropped or misdirected. The VNF can only communicate on the first bridge because that bridge's vNIC is the only one that successfully establishes a valid forwarding path through the physical interface.

Exam trap

Cisco often tests the misconception that bridges in NFVIS are isolated by default, when in fact they require explicit mapping to unique physical interfaces or subinterfaces to avoid Layer 2 conflicts.

How to eliminate wrong answers

Option B is wrong because modern VNF operating systems (e.g., Linux, Cisco IOS XE) fully support multiple NICs; the issue is not OS-level but NFVIS bridge configuration. Option C is wrong because NFVIS automatically assigns unique MAC addresses to each vNIC from a pool, and duplicate MACs would cause a different symptom (e.g., ARP flapping) rather than total loss of communication on all but one bridge. Option D is wrong because the order in which bridges are created has no effect on their functionality; NFVIS treats all bridges equally regardless of creation sequence.

802
Multi-Select (hard)

Which three statements about configuring AAA on Cisco IOS devices are true? (Choose three.)

A. The aaa new-model command enables AAA services on the device.
B. The aaa new-model command disables local authentication and forces the use of an external server.
C. The radius-server host command is used to specify the IP address and shared secret for a RADIUS server.
D. The tacacs-server host command is used to specify the IP address and shared secret for a RADIUS server.
E. The aaa authentication login command defines a method list for login authentication.
Answers: A, C, E

Correct because aaa new-model is required to activate AAA on Cisco IOS.

Why this answer

The correct answers cover common AAA configuration steps. Option A is correct because the aaa new-model command enables AAA on a Cisco IOS device. Option C is correct because the radius-server host command specifies the RADIUS server IP and shared secret.

Option E is correct because the aaa authentication login command defines a method list for login authentication. Option B is wrong because the aaa new-model command does not disable local authentication; it enables AAA. Option D is wrong because the tacacs-server host command is used for TACACS+, not RADIUS.

803
Drag & Drop (medium)

Drag and drop the steps of Dynamic ARP Inspection (DAI) packet validation into the correct order, from first to last.


Why this order

DAI first intercepts ARP packets on untrusted ports, then checks the sender MAC and IP against the DHCP snooping binding, validates ARP cache consistency, drops packets that mismatch, and finally forwards valid packets to the destination.

804
Drag & Drop (medium)

Drag and drop the steps of configuring a Cisco IOS Zone-Based Firewall (ZBFW) into the correct order, from first to last.


Why this order

ZBFW configuration begins by defining zones to group interfaces. Next, create a class-map to classify traffic of interest. Then, create a policy-map to specify actions (inspect, drop, pass) for each class.

After that, assign the policy-map to a zone-pair between source and destination zones. Finally, assign interfaces to their respective zones to activate the firewall.

805
MCQ (hard)

A network engineer needs to monitor traffic between two VLANs on a Cisco Catalyst 9300 switch. The engineer wants to capture all packets that traverse the switch between VLAN 10 and VLAN 20. The monitoring station is connected to port Gi1/0/24. Which configuration should the engineer use to capture this inter-VLAN traffic?

A. Configure 'monitor session 1 source interface Gi1/0/1 both' and 'monitor session 1 destination interface Gi1/0/24'.
B. Configure 'monitor session 1 source vlan 10 - 20 both' and 'monitor session 1 destination interface Gi1/0/24'.
C. Configure an RSPAN VLAN and use 'monitor session 1 source vlan 10 - 20' and 'monitor session 1 destination remote vlan 100'.
D. Configure an ERSPAN session with source IP and destination IP.
Answer: B

Correct; VLAN-based SPAN captures all traffic entering or leaving the specified VLANs, including routed traffic between them.

Why this answer

Inter-VLAN traffic is routed by the switch's Layer 3 engine. To capture it, the engineer must use a SPAN session that sources from the VLANs themselves (VLAN-based SPAN) or from the SVI. The correct answer is to configure a SPAN session with source VLANs 10 and 20, and destination interface Gi1/0/24.

This captures all traffic entering or leaving those VLANs, including routed traffic. Option A is incorrect because interface SPAN would only capture traffic on that specific port, not all inter-VLAN traffic. Option C is incorrect because RSPAN is for remote monitoring, which is not needed here.

Option D is incorrect because ERSPAN is for encapsulated remote SPAN over IP, which is likewise not needed here.

806
Matching (medium)

Drag and drop each traffic shaping or policing characteristic on the left to its correct description on the right.


Buffers excess traffic to smooth output rate

Drops or marks packets exceeding the rate

Why these pairings

Traffic shaping buffers excess traffic to smooth the output rate. Policing drops or marks excess traffic. Shaping introduces delay; policing does not.

Both shaping and policing use a token bucket. Shaping is applied outbound; policing is typically applied inbound.

807
MCQ (medium)

Given the following configuration on a Cisco IOS-XE switch:

interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30

What is the effect of this configuration?

A. The interface will forward traffic for VLANs 10, 20, and 30, and all untagged frames will be placed into VLAN 999.
B. The interface will forward traffic for all VLANs except 10, 20, and 30, and the native VLAN is 1.
C. The interface will operate as an access port in VLAN 999.
D. The interface will forward traffic for VLANs 10, 20, and 30, and all frames will be tagged including the native VLAN.
Answer: A

Correct. The allowed VLAN list restricts traffic to those three VLANs, and the native VLAN is 999.

Why this answer

Option A is correct because the configuration sets the interface as a trunk port, explicitly allows only VLANs 10, 20, and 30 to traverse it, and designates VLAN 999 as the native VLAN. On a trunk, the native VLAN is used for untagged frames (e.g., DTP, CDP, or any traffic sent without an 802.1Q header), so all untagged frames received or sent on this interface will be associated with VLAN 999.

Exam trap

Cisco often tests the distinction between the native VLAN being untagged by default and the 'switchport trunk native vlan tag' command that forces tagging, leading candidates to incorrectly assume that all VLANs on a trunk are always tagged.

How to eliminate wrong answers

Option B is wrong because the 'switchport trunk allowed vlan 10,20,30' command explicitly permits only those VLANs, not all VLANs except them; the interface will not forward traffic for any other VLANs. Option C is wrong because the 'switchport mode trunk' command forces the interface to operate as a trunk port, not an access port; the native VLAN setting does not change the port mode. Option D is wrong because the native VLAN on an 802.1Q trunk is by default untagged; the configuration does not include 'switchport trunk native vlan tag' (which would force tagging of the native VLAN), so frames in VLAN 999 remain untagged.

808
Drag & Drop (medium)

Drag and drop the steps of the IGMPv3 SSM membership report process into the correct order, from first to last.


Why this order

In IGMPv3 SSM, the host first sends a membership report with (S,G) inclusion; the querier processes it, updates its state, and then triggers a PIM (S,G) join toward the source.

809
Matching (medium)

Drag and drop each EtherChannel protocol on the left to its matching vendor on the right.


IEEE standard, supported by multiple vendors

Cisco proprietary

Standard for LACP

Vendor that developed PAgP

Describes LACP

Why these pairings

LACP is IEEE 802.3ad standard, used by all vendors; PAgP is Cisco proprietary.

810
Multi-Select (easy)

Which three statements about Syslog severity levels are true? (Choose three.)

A. Severity level 0 (Emergency) indicates that the system is unusable.
B. Severity level 5 (Notice) is a normal but significant condition.
C. Severity level 6 (Informational) is used for informational messages that require immediate action.
D. Severity level 7 (Debugging) is the lowest severity level.
E. Severity level 4 (Warning) is more severe than level 3 (Error).
Answers: A, B, D

Correct: Emergency is the highest severity and means the system is unusable.

Why this answer

Syslog severity levels range from 0 (Emergency) to 7 (Debugging). Level 0 is the highest severity (most critical), and level 7 is the lowest. Level 5 (Notice) is a normal but significant condition.

Level 6 (Informational) is for informational messages. Level 4 (Warning) indicates a warning condition. Level 3 (Error) is for error conditions.

Level 2 (Critical) is for critical conditions. Level 1 (Alert) requires immediate action. Level 0 (Emergency) means the system is unusable.

811
Drag & Drop (medium)

Drag and drop the steps of the DMVPN Phase 2 NHRP resolution process into the correct order, from first to last.


Why this order

In DMVPN Phase 2, the spoke sends an NHRP Resolution Request to the hub to learn the public address of the destination spoke. The hub forwards this request to the destination spoke, which replies with an NHRP Resolution Reply containing its public address. The hub forwards the reply back to the requesting spoke, and then the two spokes establish a direct tunnel.

812
Drag & Drop (medium)

Drag and drop the steps of parsing 'show interfaces' output using TextFSM into the correct order, from first to last.


Why this order

First, the raw CLI output is captured from the device. Then, the TextFSM template file is loaded. The TextFSM parser is initialized with the template.

The parsed data is extracted using the ParseText method. Finally, the structured data (list of dictionaries) is accessed for further processing.

813
MCQ (medium)

Examine the following BGP configuration:

router bgp 65001
 bgp log-neighbor-changes
 neighbor 10.1.1.1 remote-as 65002
 neighbor 10.1.1.1 route-map SET_MED out
!
route-map SET_MED permit 10
 set metric 50

What is the purpose of this configuration?

A. It sets the MED value to 50 for all routes sent to the neighbor 10.1.1.1.
B. It sets the local preference to 50 for routes received from the neighbor.
C. It filters routes with a metric of 50 from being advertised to the neighbor.
D. It sets the weight to 50 for routes learned from the neighbor.
Answer: A

The route-map is applied outbound, and the set metric command sets the MED attribute.

Why this answer

The configuration applies a route-map named SET_MED to outbound updates toward neighbor 10.1.1.1. The route-map permits all routes (no match statement) and sets the Multi-Exit Discriminator (MED) to 50. MED is a BGP path attribute that influences inbound traffic from the neighbor AS, making this path less preferred if the neighbor has a lower MED from another entry point.

Thus, all routes sent to 10.1.1.1 will carry a MED of 50.

Exam trap

Cisco often tests the distinction between BGP path attributes (MED vs. local preference vs. weight) and the direction in which they are applied (inbound vs. outbound), causing candidates to confuse 'set metric' with 'set local-preference' or 'set weight'.

How to eliminate wrong answers

Option B is wrong because local preference is set using the 'set local-preference' command in a route-map, and it applies to inbound updates, not outbound; the configuration here uses 'set metric' (MED) on outbound updates. Option C is wrong because the route-map is configured with 'permit' and no match condition, so it does not filter routes; it modifies the MED attribute of all advertised routes, not filtering based on metric. Option D is wrong because weight is a Cisco-proprietary attribute set with 'set weight' in a route-map, and it applies to inbound updates; this configuration sets MED on outbound updates, not weight.

814
MCQ (hard)

An Ansible playbook is written to configure a VLAN on a Cisco IOS-XE device via Cisco DNA Center's intent API:

- name: Configure VLAN via DNA Center
  hosts: localhost
  gather_facts: no
  tasks:
    - name: Create VLAN 100
      cisco.dnac.vlan:
        host: "{{ dnac_host }}"
        username: "{{ dnac_username }}"
        password: "{{ dnac_password }}"
        validate_certs: no
        state: present
        vlan_name: "Engineering"
        vlan_id: 100
        site_id: "{{ site_id }}"
      register: result
    - debug: var=result

What is a potential issue with this playbook?

A. The module name is incorrect; it should be cisco.dnac.network_vlan.
B. The playbook does not include a task to obtain an authentication token, which is required by DNA Center API.
C. The 'site_id' parameter is mandatory for creating a VLAN in DNA Center; if missing, the task will fail.
D. The 'state: present' is invalid; it should be 'state: create'.
Answer: C

Correct. DNA Center requires a site ID to associate the VLAN with a specific site. Without it, the API call will return an error.

Why this answer

The cisco.dnac.vlan module requires the 'site_id' parameter to associate the VLAN with a specific site. If the site_id is not provided or is incorrect, the task will fail or create the VLAN in the wrong location. Additionally, the playbook assumes the DNA Center credentials are correctly set.

815
Matching (medium)

Drag and drop each AAA function on the left to its matching description on the right.


Verifies the identity of a user or device

Determines what resources or services a user is allowed to access

Collects and logs usage data for auditing or billing

Why these pairings

Authentication verifies identity; Authorization determines permitted actions; Accounting tracks usage for auditing or billing.

816
Drag & Drop (medium)

Drag and drop the steps of VRF-Lite inter-VRF route leaking configuration into the correct order, from first to last.


Why this order

First, you create the VRF definitions. Then, you assign interfaces to the VRFs. Next, you configure the route targets for import and export.

After that, you enable route leaking between VRFs using the 'route-replicate' command. Finally, you verify the routing tables to confirm the leaked routes are present.

817
Drag & Drop (medium)

Drag and drop the steps of the SNMP bulk walk operation into the correct order, from first to last.


Why this order

The bulk walk starts with GetBulkRequest, retrieves multiple rows, then iterates until the end of the MIB subtree.

818
Matching (hard)

Drag and drop each IPv6 ACL feature on the left to its matching IPv4 equivalent on the right.


access-list (IPv4 numbered/named ACL)

permit/deny ip any any (IPv4)

sequence numbers (IPv4 ACL line numbering)

log (IPv4 ACL logging)

match protocol tcp (IPv4 extended ACL)

Why these pairings

IPv6 ACLs use ipv6 access-list instead of access-list; they match on IPv6 source/destination addresses; they support the same permit/deny actions; they can use named entries; and they can log matches similarly.

819
Multi-Select (hard)

Which two statements about DMVPN phase 2 are true? (Choose two.)

A. In DMVPN phase 2, spoke routers can establish direct tunnels to each other without traffic passing through the hub.
B. DMVPN phase 2 requires mGRE on the hub only; spokes use point-to-point GRE tunnels.
C. NHRP redirect messages are used in phase 2 to inform spokes of better paths to remote destinations.
D. DMVPN phase 2 supports only IPsec protection and cannot operate without encryption.
E. In DMVPN phase 2, spoke routers must be configured with static crypto maps for IPsec.
Answers: A, C

Correct because phase 2 enables spoke-to-spoke dynamic tunnels after the hub provides the peer's NBMA address via NHRP.

Why this answer

DMVPN phase 2 allows spoke-to-spoke tunnels after initial hub registration, using NHRP to resolve destination addresses and enabling direct traffic flows.

820
MCQ (easy)

What is the default OSPF hello interval on an Ethernet broadcast network?

A. 10 seconds
B. 30 seconds
C. 5 seconds
D. 20 seconds
Answer: A

The default hello interval for OSPF on broadcast and point-to-point networks is 10 seconds.

Why this answer

On Ethernet broadcast networks, OSPF defaults to a hello interval of 10 seconds, as specified in RFC 2328. This interval is used to maintain neighbor relationships and detect failures quickly on high-speed multi-access links.

Exam trap

Cisco often tests the OSPF hello interval default by mixing up broadcast and NBMA values, leading candidates to mistakenly choose 30 seconds for Ethernet networks.

How to eliminate wrong answers

Option B is wrong because 30 seconds is the default hello interval for OSPF on non-broadcast multi-access (NBMA) networks, such as Frame Relay, not on Ethernet broadcast networks. Option C is wrong because 5 seconds is not a standard OSPF hello interval; it is sometimes used in proprietary or tuned configurations but not the default. Option D is wrong because 20 seconds is not a default OSPF hello interval; it might be confused with the default dead interval multiplier (4 times the hello interval) which would be 40 seconds for a 10-second hello, not 20.

821
Matching (medium)

Drag and drop each YANG statement on the left to its matching function on the right.


Groups related nodes in the data tree

Holds a single scalar value of a specific type

Defines a sequence of entries, each with a key

Holds an ordered set of scalar values of the same type

Defines a new type derived from an existing YANG type

Why these pairings

Correct pairings: container groups related nodes; leaf holds a single scalar value; list defines a sequence of entries; leaf-list holds an ordered set of scalar values; typedef defines a new derived type.

822
Drag & Drop (medium)

Drag and drop the steps of the SD-WAN zero-touch provisioning (ZTP) flow into the correct order, from first to last.


Why this order

The ZTP flow begins with the device obtaining an IP address via DHCP, then contacting the cloud portal to authenticate and receive the vManage list, followed by establishing a DTLS connection to vManage, downloading the full configuration, and finally joining the control plane.

823
Drag & Drop (medium)

Drag and drop the steps for the three-way TCP handshake into the correct order.


Why this order

TCP uses a three-way handshake (SYN, SYN-ACK, ACK) to establish a connection before data transfer.

824
Drag & Drop (medium)

Drag and drop the steps of setting up an IP SLA DNS lookup operation into the correct order, from first to last.


Why this order

First, the DNS operation is defined with the target hostname. Then the DNS server is specified if needed. The operation is configured to perform a lookup.

Next, the operation is scheduled. Finally, the DNS resolution result is verified.

825
Multi-Select (medium)

Which two statements about SD-WAN policy architecture are true? (Choose two.)

A. Centralized control policies are configured on the vSmart controller and affect route advertisement and path selection.
B. Localized data policies, such as QoS and ACL, are configured on vEdge or cEdge routers and affect traffic forwarding.
C. Application-aware routing policies are a type of localized control policy that steers traffic based on application performance.
D. Centralized data policies are applied on the edge devices to enforce per-tunnel QoS and ACL rules.
E. vManage is the primary device where all SD-WAN policies are enforced and processed in real time.
Answers: A, B

Correct because control policies on vSmart manipulate OMP routes and TLOCs to influence routing decisions.

Why this answer

Centralized control policies are applied on vSmart to influence routing (e.g., path selection), while localized data policies are applied on edge devices for QoS, ACL, and forwarding. App-route policies are a type of centralized data policy. vManage is for configuration, not policy enforcement. Centralized data policies are applied on vSmart, not edge devices.
