ENCOR 350-401 (350-401) — Questions 901–975

2015 questions total · 27 pages · All types, answers revealed

Page 13 of 27
901
Drag & Drop · medium

Drag and drop the steps of BGP route aggregation and suppress-map process into the correct order, from first to last.

Why this order

Aggregation requires creating a prefix-list to match specific subnets, then a route-map to suppress more-specifics, applying it under the aggregate-address command, and finally verifying the summary route.

902
Matching · medium

Drag and drop each container technology on the left to its matching orchestration tool on the right.

Matches

Kubernetes

LXD

Kubernetes

Kubernetes

Proxmox VE

Why these pairings

Docker is orchestrated by Docker Swarm or Kubernetes, but Kubernetes is the primary orchestrator; LXC/LXD is orchestrated by LXD; containerd is often used with Kubernetes; rkt was orchestrated by Kubernetes; and OpenVZ is managed by Proxmox VE.

903
Matching · easy

Drag and drop each ACL action on the left to its matching result on the right.

Matches

Allows the packet to pass through the ACL

Discards the packet and optionally logs it

Adds a descriptive comment to the ACL entry

Generates a log message when the ACL entry is matched

Matches TCP packets with ACK or RST bit set

Why these pairings

Permit allows traffic, deny drops traffic, remark adds a comment, log records matches, and established matches TCP with ACK/RST set.

904
Drag & Drop · medium

Drag and drop the steps of OSPFv3 IPv6 neighbor adjacency formation into the correct order, from first to last.

Why this order

OSPFv3 neighbor formation begins with the router sending Hello packets on the link. The neighbor receives the Hello and replies with its own Hello, including the router ID. Both routers then exchange Database Description packets to summarize their LSDB.

Link State Request packets are sent for missing LSAs, and Link State Update packets provide the requested LSAs. Finally, Link State Acknowledgment packets confirm receipt, completing the adjacency.

905
MCQ · easy

A network engineer is monitoring traffic from a server connected to a Cisco Catalyst 3850 switch. The engineer configures a SPAN session with source interface Gi1/0/1 and destination interface Gi1/0/24. The monitoring station receives traffic, but the engineer notices that the destination port is not forwarding any normal traffic. What is the most likely reason?

A. The destination port is automatically configured as a SPAN destination port, which disables normal switching on that port.
B. The destination port must be configured as a trunk port to forward SPAN traffic.
C. The destination port must be configured as an access port to forward SPAN traffic.
D. The destination port is in an err-disabled state due to a loop.
Answer: A

Correct; a SPAN destination port is dedicated to receiving mirrored traffic and does not forward normal traffic.

Why this answer

When a port is configured as a SPAN destination, it stops forwarding normal traffic by default. The port becomes a SPAN-only port. The correct answer is that the destination port is automatically put into a special state where it only sends SPAN traffic and does not forward normal data.

Option B is incorrect because the destination port does not need to be in trunk mode. Option C is incorrect because the destination port does not need to be in access mode. Option D is incorrect because the destination port is not disabled; it is active for SPAN.

906
Drag & Drop · medium

Drag and drop the steps of YANG push periodic vs on-change subscription into the correct order, from first to last.

Why this order

The correct order starts with configuring the subscription on the device, then specifying the data nodes, setting the update policy, and finally the device starts sending updates based on the policy.

907
MCQ · medium

A network engineer uses NAPALM to retrieve the ARP table from a Cisco IOS-XE device:

```python
from napalm import get_network_driver

driver = get_network_driver('ios')
device = driver('192.168.1.1', 'admin', 'cisco123')
device.open()
arp_table = device.get_arp_table()
print(arp_table)
device.close()
```

What is the expected data type of arp_table?

A. A list of dictionaries, each with keys such as 'interface', 'ip', 'mac', and 'age'.
B. A dictionary with keys 'arp_table' and a list of tuples.
C. A string containing the raw CLI output of 'show arp'.
D. A list of strings, each representing an ARP entry.
Answer: A

NAPALM returns structured data as a list of dictionaries for ARP entries.

Why this answer

NAPALM's get_arp_table() returns a list of dictionaries, each containing keys like 'interface', 'ip', 'mac', and 'age'. This is standard across all NAPALM drivers.

908
Matching · medium

Drag and drop each LACP port mode on the left to its matching negotiation behavior on the right.

Matches

Sends LACP packets to negotiate

Responds only to received LACP packets

Why these pairings

Active initiates negotiation, passive waits for partner.

909
MCQ · medium

Consider the following EIGRP configuration on a Cisco IOS router:

```
router eigrp 100
 network 10.0.0.0
 passive-interface default
 no passive-interface GigabitEthernet0/1
```

What is the effect of this configuration?

A. All interfaces except GigabitEthernet0/1 are passive and will not form EIGRP adjacencies.
B. EIGRP hellos are sent on all interfaces, but GigabitEthernet0/1 is prevented from forming adjacencies.
C. Only the network 10.0.0.0 is advertised, and all interfaces are passive.
D. EIGRP will only form adjacencies on interfaces with an IP address in the 10.0.0.0/8 range.
Answer: A

Correct. The default passive setting applies to all interfaces, and the exception is made only for GigabitEthernet0/1.

Why this answer

The 'passive-interface default' command sets all interfaces to passive by default, preventing them from sending EIGRP hellos and forming adjacencies. The 'no passive-interface GigabitEthernet0/1' command then overrides this default for that specific interface, allowing it to send hellos and form adjacencies. Therefore, only GigabitEthernet0/1 is active for EIGRP neighbor discovery, while all other interfaces remain passive.

Exam trap

Cisco often tests the interaction between 'passive-interface default' and 'no passive-interface' to see if candidates understand that the default command makes all interfaces passive, and the 'no' form selectively activates only the specified interface, rather than the reverse.

How to eliminate wrong answers

Option B is wrong because it reverses the logic: 'passive-interface default' prevents hellos on all interfaces by default, not sends them, and 'no passive-interface' enables hellos on the specified interface, not prevents them. Option C is wrong because the 'network 10.0.0.0' command enables EIGRP on any interface whose IP address falls within the 10.0.0.0/8 range, but the passive-interface configuration still controls whether hellos are sent and adjacencies formed; the configuration does not make all interfaces passive—only the default passive setting does, which is overridden for GigabitEthernet0/1. Option D is wrong because the 'network 10.0.0.0' command does not restrict adjacency formation to only 10.0.0.0/8 interfaces; it enables EIGRP on those interfaces, but the passive-interface default command would still prevent adjacencies on all interfaces except GigabitEthernet0/1, regardless of their IP address range.

910
Drag & Drop · medium

Drag and drop the steps of configuring and applying a QoS policy using MQC into the correct order, from first to last.

Why this order

The MQC process first defines traffic classes with class maps, then associates actions with policy maps, and finally applies the policy to an interface with a service-policy statement. Verification ensures correct operation.

911
MCQ · easy

What is the default CAPWAP control path DTLS encryption mode on Cisco 9800 WLCs?

A. Enabled
B. Disabled
C. Optional (configurable per AP)
D. Only for data path
Answer: A

DTLS is enabled by default for control path.

Why this answer

By default, DTLS encryption is enabled for the CAPWAP control path to secure management traffic between AP and WLC.

912
Multi-Select · easy

Which two statements about STP port roles and states are true? (Choose two.)

Select 2 answers
A. A root port is the port on a non-root bridge that provides the best path to the root bridge.
B. A designated port is the port on a segment that has the lowest path cost to the root bridge, and there can be multiple designated ports on the same segment.
C. In classic STP, a port in the blocking state can still send and receive BPDUs.
D. An alternate port is a port that provides a backup path to the root bridge and is in the forwarding state when the root port is active.
E. A backup port is a port that provides a redundant connection to the same segment and is in the learning state when the designated port is active.
Answers: A, C

Correct. The root port is selected based on the lowest root path cost to the root bridge.

Why this answer

In classic STP (802.1D), a port can be in blocking, listening, learning, forwarding, or disabled state. The root port is the port on a non-root bridge that has the best path to the root bridge. A designated port is the port on a segment that has the best path to the root bridge; there is exactly one designated port per segment.

Alternate and backup ports are roles defined in RSTP, not classic STP. A port in blocking state does not send or receive user data but can still receive BPDUs.

913
Matching · medium

Drag and drop each SNMP version on the left to its matching security feature on the right.

Matches

Uses community strings in plaintext

Uses community strings in plaintext

Provides authentication and encryption

Provides authentication only

Provides authentication and encryption

Why these pairings

SNMPv1 and v2c use community strings (plaintext) for authentication; SNMPv3 provides authentication and encryption.

914
Matching · medium

Drag and drop each syslog severity level on the left to its matching severity number on the right.

Matches

0

1

2

3

4

Why these pairings

Emergency=0, Alert=1, Critical=2, Error=3, Warning=4, Notice=5, Informational=6, Debug=7.

915
MCQ · medium

A network engineer runs the following command on Switch SW1:

```
SW1# show etherchannel summary
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      N - not in use, no aggregation
        f - failed to allocate aggregator
        M - not in use, minimum links not met
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port

Number of channel-groups in use: 1
Number of aggregators: 1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+--------------------------------------------
1      Po1(SU)       LACP        Gi0/1(P) Gi0/2(P) Gi0/3(D)
```

Based on this output, what can be concluded?

A. The EtherChannel is fully operational with three active links
B. The EtherChannel is operational with two active links
C. The EtherChannel is using PAgP protocol
D. The EtherChannel is a Layer 3 port-channel
Answer: B

Gi0/1 and Gi0/2 are bundled (P), and the port-channel is up (SU), so the EtherChannel is working with two links.

Why this answer

The output shows an EtherChannel summary. Port-channel 1 is in use (U) and Layer2 (S). The protocol is LACP.

Two ports (Gi0/1 and Gi0/2) are bundled (P), but Gi0/3 is down (D). The correct answer is that the EtherChannel is operational with two active links.

916
MCQ · medium

Which BGP attribute is preferred when the local preference is equal?

A. AS-path length (shorter is better)
B. MED (lower is better)
C. Origin code (IGP is preferred over EGP)
D. Next-hop IP address (lowest is preferred)
Answer: A

After local preference, BGP compares AS-path length; shorter paths are preferred.

Why this answer

When the local preference is equal, BGP selects the path with the shortest AS-path length. This is because AS-path length is the second tiebreaker in the BGP best path selection algorithm (after highest weight, then highest local preference). A shorter AS-path implies fewer autonomous system hops, which is generally preferred for routing efficiency.

Exam trap

Cisco often tests the order of BGP path selection tiebreakers, and the trap here is that candidates mistakenly think MED is compared before AS-path length, or that next-hop IP address is a valid tiebreaker.

How to eliminate wrong answers

Option B is wrong because MED (Multi-Exit Discriminator) is compared only when the paths come from the same neighboring AS; it is not the next tiebreaker after local preference — AS-path length is evaluated first. Option C is wrong because origin code (IGP < EGP < incomplete) is compared after AS-path length, not before. Option D is wrong because the next-hop IP address is never a tiebreaker in BGP path selection; BGP uses the IGP metric to the next-hop, not the IP address value.

917
MCQ · medium

Consider the following configuration on a Cisco 9800 WLC:

```
ap join-profile default-join-profile
 description "Default Join Profile"
 controller 1 primary 10.1.1.1
 controller 2 secondary 10.1.1.2
```

What is the purpose of this configuration?

A. It configures the AP's management IP address.
B. It specifies the WLCs that the AP should attempt to join in order of priority.
C. It enables CAPWAP DTLS encryption.
D. It defines the AP's radio parameters.
Answer: B

The primary and secondary keywords set the join priority.

Why this answer

Join profiles define how APs discover and connect to WLCs, including primary and secondary controller IP addresses.

918
MCQ · medium

Examine the following RSPAN configuration on a Cisco switch:

```
vlan 200
 name RSPAN_VLAN
 remote-span
monitor session 3 source interface GigabitEthernet1/0/5 both
monitor session 3 destination remote vlan 200
interface GigabitEthernet1/0/10
 switchport mode trunk
 switchport trunk allowed vlan 200
```

What is missing for RSPAN to function correctly across multiple switches?

A. The RSPAN VLAN 200 must be created on all switches that will forward the mirrored traffic.
B. The destination remote vlan 200 command should include 'encapsulation replicate'.
C. The source interface must be in trunk mode to monitor VLANs.
D. The monitor session number must match on all switches.
Answer: A

Without the RSPAN VLAN on all switches, the mirrored traffic cannot traverse the network.

Why this answer

For RSPAN to work across multiple switches, the RSPAN VLAN must be created on all switches and allowed on trunk links. The configuration shown only creates the VLAN on one switch and allows it on one trunk, but the VLAN must exist on all switches in the path.

919
MCQ · easy

A network engineer is using the Cisco DNA Center REST API to retrieve the list of network devices. The engineer sends a GET request to '/dna/intent/api/v1/network-device' and receives a 400 Bad Request response. The API documentation indicates that the request requires a query parameter 'siteId'. What should the engineer do to resolve the issue?

A. Include the 'siteId' query parameter in the request URL.
B. Change the HTTP method to POST because GET is not supported for this endpoint.
C. Add an 'Authorization' header with a valid token because the API requires authentication.
D. Use a different API endpoint, such as '/dna/intent/api/v1/site', to retrieve device information.
Answer: A

Correct because the API requires the 'siteId' parameter to filter devices by site.

Why this answer

A 400 Bad Request typically indicates a malformed request, such as missing required parameters. The API documentation specifies that 'siteId' is required, so the engineer must include it as a query parameter in the request.

920
Matching · medium

Drag and drop each SPAN source type on the left to its correct monitored traffic description on the right.

Matches

Monitors traffic on a single physical interface

Monitors all traffic in a specific VLAN

Monitors traffic on a port-channel interface

The port whose traffic is copied

The VLAN whose traffic is copied

Why these pairings

Port SPAN monitors all traffic on a specific port; VLAN SPAN monitors all traffic in a VLAN; EtherChannel SPAN monitors all traffic on a port-channel interface.

921
MCQ · medium

Consider the following configuration:

```
class-map match-any VOICE
 match ip dscp ef
class-map match-any VIDEO
 match ip dscp af41
 match ip dscp af42
```

What is the effect of the match-any keyword in these class-maps?

A. A packet must match all specified DSCP values to be classified into the class.
B. A packet matching either DSCP EF or AF41 will be classified into both classes.
C. A packet matching any one of the specified DSCP values is classified into that class.
D. The match-any keyword is invalid for DSCP matching; only match-all is supported.
Answer: C

match-any means logical OR of the match conditions.

Why this answer

The `match-any` keyword in a Cisco class-map means that a packet needs to match only one of the listed match criteria to be classified into that class. In the VIDEO class-map, a packet matching either DSCP AF41 or AF42 will be classified as VIDEO. This is the default behavior for class-maps when no keyword is specified, but explicitly using `match-any` reinforces that logical OR operation is applied.

Exam trap

Cisco often tests the confusion between `match-any` (logical OR) and `match-all` (logical AND), expecting candidates to mistakenly think that `match-any` requires all conditions or that it causes a packet to be placed into multiple classes simultaneously.

How to eliminate wrong answers

Option A is wrong because `match-any` uses logical OR, not AND; a packet does not need to match all specified DSCP values. Option B is wrong because a packet matching DSCP EF would be classified only into the VOICE class, not both classes, as class-maps are evaluated independently and a single packet can match multiple class-maps but the keyword does not cause cross-classification. Option D is wrong because `match-any` is perfectly valid for DSCP matching; Cisco IOS supports both `match-any` and `match-all` keywords in class-map definitions.

922
Drag & Drop · medium

Drag and drop the steps of Cisco DNA Center assurance data collection workflow into the correct order, from first to last.

Why this order

Assurance begins with network devices streaming telemetry data (e.g., NetFlow, SNMP, syslog) to DNA Center. DNA Center processes and correlates the data to build a baseline of normal behavior. It then applies machine learning models to detect anomalies.

Alerts and insights are generated for potential issues. Finally, the dashboard displays health scores and recommended actions for the administrator.

923
MCQ · medium

A network engineer is troubleshooting an EIGRP adjacency issue between two routers. The engineer verifies that both routers have the same K-values and autonomous system number. However, the adjacency does not form. Which configuration issue is most likely the cause?

A. Authentication is configured on one router but not on the other.
B. The network statement uses an incorrect subnet mask.
C. One router has a loopback interface that is not advertised.
D. The hello and hold timers do not match.
Answer: A

Mismatched authentication prevents EIGRP adjacency.

Why this answer

In EIGRP, authentication (MD5 or SHA) must be configured identically on both peers. If one router has authentication enabled and the other does not, the routers will reject each other's hello packets, preventing adjacency formation even if K-values and AS numbers match. This is a common misconfiguration that breaks neighbor relationships silently.

Exam trap

Cisco often tests the misconception that EIGRP requires matching hello and hold timers (like OSPF), but EIGRP is more tolerant; the real adjacency blocker is authentication mismatch, which is frequently overlooked when K-values and AS numbers are correct.

How to eliminate wrong answers

Option B is wrong because the network statement in EIGRP uses a wildcard mask, not a subnet mask; an incorrect subnet mask in the network statement would affect which interfaces participate in EIGRP but would not prevent adjacency if both routers have matching interfaces and AS numbers. Option C is wrong because a loopback interface that is not advertised does not affect EIGRP adjacency; adjacency forms on directly connected interfaces, and a non-advertised loopback has no impact on hello packet exchange. Option D is wrong because EIGRP does not require hello and hold timers to match; EIGRP uses a graceful restart mechanism where mismatched timers still allow adjacency (though hold time must be greater than hello interval to avoid flapping).

924
MCQ · easy

A network engineer is configuring multicast on a Cisco router that connects to a multi-access network. The engineer wants to ensure that only one router forwards multicast traffic onto the segment to avoid duplication. The engineer enables PIM on the interface. However, multicast traffic is still being duplicated on the segment. What is the most likely reason?

A. Both routers have the same DR priority and the DR election has not completed.
B. The interface is configured as a passive interface under OSPF.
C. IGMP snooping is disabled on the switch connecting the routers.
D. The multicast group is in the 224.0.0.0/24 range.
Answer: A

Correct because if the DR priority is equal, the router with the higher IP address becomes DR; if not elected, both may forward.

Why this answer

On a multi-access network, PIM elects a Designated Router (DR) to forward multicast traffic. If the DR election fails or if both routers have the same DR priority, both may forward traffic, causing duplication.

925
MCQ · medium

A company is deploying a virtualized network function (VNF) on a KVM-based host. The VNF requires dedicated CPU cores and must avoid performance interference from other VMs. Which hypervisor configuration best meets these requirements?

A. Enable CPU overcommitment and use a single NUMA node.
B. Configure CPU pinning and use dedicated NUMA nodes.
C. Use VMware vSphere with DRS set to Aggressive.
D. Deploy the VNF as a container instead of a VM.
Answer: B

CPU pinning and dedicated NUMA nodes minimize interference and improve performance.

Why this answer

Option B is correct because CPU pinning binds the VNF's vCPUs to specific physical cores, ensuring dedicated CPU resources and preventing interference from other VMs. Using dedicated NUMA nodes further optimizes memory locality, reducing latency and avoiding cross-NUMA memory access, which is critical for performance-sensitive VNFs.

Exam trap

Cisco often tests the distinction between hypervisor-agnostic concepts (like CPU pinning) and vendor-specific features (like VMware DRS), and the trap here is that candidates may choose VMware options even when the question explicitly specifies a KVM-based host.

How to eliminate wrong answers

Option A is wrong because CPU overcommitment allows multiple VMs to share physical cores, which can cause performance interference and is the opposite of dedicated resource requirements. Option C is wrong because VMware vSphere with DRS set to Aggressive is a VMware-specific solution, not a KVM-based hypervisor configuration, and DRS focuses on load balancing rather than dedicated CPU pinning. Option D is wrong because deploying the VNF as a container does not provide dedicated CPU cores in the same way as CPU pinning; containers share the host OS kernel and can still experience resource contention without explicit CPU affinity settings.

926
Drag & Drop · medium

Drag and drop the steps of NFVI resource allocation and VNF instantiation into the correct order, from first to last.

Why this order

The correct order starts with the NFVI administrator creating a tenant and allocating compute, storage, and network resources. Then the VNF descriptor is uploaded to the NFVO, which triggers the VNFM to request resource reservation. After resources are reserved, the VNFM instantiates the VNF using the allocated resources.

Finally, the VNF is configured and activated to provide the intended service.

927
MCQ · medium

A network engineer is troubleshooting a Cisco IOS-XE router that hosts multiple virtual routing and forwarding (VRF) instances. Users in VRF-A report they cannot reach a server in VRF-B. The engineer verifies that both VRFs have the correct routes and that the router has a route leaking configuration using route-target import/export. However, connectivity still fails. What is the most likely cause?

A. The router does not have iBGP configured between the VRFs.
B. The route-target export is not configured in VRF-A.
C. The router is using VRF-lite, which does not support route leaking.
D. The import map is missing in VRF-B.
Answer: D

An import map is required to selectively import routes from VRF-A into VRF-B.

Why this answer

Option D is correct because route leaking between VRFs using route-target import/export requires both an export configuration on the source VRF and an import configuration on the destination VRF. If VRF-B lacks an import map (or the route-target import statement), it will not accept the routes exported from VRF-A, even if VRF-A has the correct export configuration. This is a common misconfiguration in MPLS L3VPN or VRF-lite route leaking scenarios.

Exam trap

Cisco often tests the misconception that route-target export alone is sufficient for route leaking, but the import configuration on the receiving VRF is equally mandatory.

How to eliminate wrong answers

Option A is wrong because iBGP is not required for VRF route leaking; route leaking can be achieved via static routes, route-replicate, or route-target import/export without any BGP session between VRFs. Option B is wrong because the issue is that VRF-B cannot receive the routes; if VRF-A had no export configuration, the routes would not be advertised at all, but the engineer verified correct routes in both VRFs, implying export is present. Option C is wrong because VRF-lite fully supports route leaking using route-target import/export or other methods like route-replicate; the statement that VRF-lite does not support route leaking is false.

928
MCQ · medium

An architect is designing an SD-Access fabric for a large enterprise campus. The design must support segmentation based on user identity and device type, and must integrate with Cisco ISE. Which fabric component and protocol should be used to enforce micro-segmentation?

A. Use VXLAN with BGP EVPN for segmentation.
B. Deploy Cisco TrustSec with SGTs and integrate with ISE.
C. Use LISP to map endpoints to virtual networks.
D. Implement VLAN-based segmentation with 802.1X.
Answer: B

TrustSec uses SGTs for identity-based micro-segmentation, and ISE provides policy management.

Why this answer

Cisco TrustSec with Security Group Tags (SGTs) is the correct choice because it provides identity- and device-type-based micro-segmentation in an SD-Access fabric. SGTs are assigned by Cisco ISE based on user/device attributes, and the fabric enforces policies by tagging packets with SGTs, allowing granular traffic filtering regardless of IP address or VLAN.

Exam trap

Cisco often tests the distinction between macro-segmentation (VXLAN/VRF) and micro-segmentation (SGT/TrustSec), and the trap here is assuming VXLAN with BGP EVPN alone provides identity-based segmentation, when it only creates separate overlay networks.

How to eliminate wrong answers

Option A is wrong because VXLAN with BGP EVPN provides network virtualization and macro-segmentation (overlay networks), not identity-based micro-segmentation; it lacks the per-user/per-device policy enforcement that SGTs offer. Option C is wrong because LISP is used for endpoint mapping and location/identity separation in SD-Access, but it does not enforce micro-segmentation policies; that role belongs to SGTs and Cisco TrustSec. Option D is wrong because VLAN-based segmentation with 802.1X only provides network-level isolation and authentication, not granular, identity-aware micro-segmentation across the fabric; it cannot dynamically enforce policies based on user identity and device type beyond initial access.

929
Multi-Select · easy

Which three statements about named ACLs and their configuration are true? (Choose three.)

Select 3 answers
A. Named ACLs can be either standard or extended.
B. Named ACLs allow individual entries to be added, removed, or reordered using sequence numbers.
C. Named ACLs are entered in global configuration mode using the 'ip access-list' command.
D. Named ACLs automatically renumber entries when a new entry is inserted between existing entries.
E. Named ACLs can be applied to interfaces using the 'ip access-group' command with the keyword 'in' or 'out'.
Answers: A, B, C

Correct because named ACLs support both 'ip access-list standard' and 'ip access-list extended'.

Why this answer

Named ACLs offer flexibility in editing and naming. The correct answers cover their naming, editing capability, and support for both standard and extended types. The incorrect options confuse sequencing or the use of the 'ip access-list' command.

930
MCQ · medium

Consider the following partial syslog configuration on a Cisco IOS-XE switch:

```
logging host 10.10.10.1 transport udp port 514
logging trap 6
logging source-interface Loopback0
logging on
```

Which statement is true about this configuration?

A. Syslog messages with severity level 7 (Debugging) will be sent to 10.10.10.1.
B. Syslog messages will be sourced from the IP address of Loopback0 interface.
C. The syslog server must be configured to receive messages on TCP port 514.
D. Only syslog messages with severity level 6 (Informational) will be sent.
Answer: B

The 'logging source-interface Loopback0' command makes all syslog messages use the IP address of Loopback0 as the source.

Why this answer

The configuration sends syslog messages to 10.10.10.1 via UDP port 514, with severity level 6 (Informational) and above, sourced from Loopback0, with logging enabled.

931
MCQ · medium

A network engineer issues the following command on Router R3:

```
R3# show ip sla statistics 2
Round Trip Time (RTT) for Index 2
Latest RTT: 12 ms
Latest RTT: NoConnection/Busy/Timeout
Latest Operation Start Time: 12:00:00.000 UTC Mon Mar 1 2021
Latest Operation Return Code: Timeout
Number of successes: 45
Number of failures: 5
Over thresholds: 0
```

Based on this output, what is the most likely issue?

A. The IP SLA operation has never succeeded.
B. The target is unreachable due to a persistent failure.
C. The most recent probe timed out, indicating a possible connectivity issue.
D. The round-trip time is 12 ms, which is above the threshold.
Answer: C

The return code 'Timeout' for the latest operation suggests a recent failure.

Why this answer

The 'Latest Operation Return Code: Timeout' indicates that the most recent probe did not receive a response, suggesting a connectivity problem to the target. The presence of both successes and failures shows intermittent issues.

932
MCQ · medium

Consider the following configuration on a Cisco IOS-XE router:

```
ip access-list extended BLOCK_SSH
 deny tcp any any eq 22
 permit ip any any
!
line vty 0 4
 access-class BLOCK_SSH in
```

Which statement is true about this configuration?

A. The ACL blocks all SSH traffic to the router, but permits other IP traffic.
B. The ACL blocks all traffic to the router because the deny statement is first.
C. The ACL only filters traffic going through the router, not destined to it.
D. The ACL permits SSH traffic because the permit statement overrides the deny.
Answer: A

Correct. The ACL is applied inbound on VTY lines, so SSH (TCP/22) is denied.

Why this answer

The access-class applied to the VTY lines filters incoming Telnet/SSH sessions. The ACL denies TCP port 22 (SSH) and permits all other IP traffic. This blocks SSH access to the router.

933
MCQ · medium

Examine the following EIGRP configuration for route summarization:

```
interface GigabitEthernet0/0
 ip summary-address eigrp 100 192.168.0.0 255.255.252.0
```

What is the effect of this command?

A. EIGRP will advertise the 192.168.0.0/22 summary route out of GigabitEthernet0/0 and create a discard route.
B. EIGRP will only accept routes within the 192.168.0.0/22 range on this interface.
C. The summary route will have a metric equal to the best metric among the component routes.
D. This command will cause EIGRP to automatically summarize routes to their classful boundaries.
Answer: A

Correct. The summary-address command creates a summary route and a corresponding discard route.

Why this answer

Option A is correct because the `ip summary-address eigrp` command creates a summary route (192.168.0.0/22) that EIGRP advertises out of the specified interface, and it automatically installs a discard (null0) route to prevent routing loops when the summary is advertised but some component routes may not be present in the routing table.

Exam trap

Cisco often tests the misconception that `ip summary-address eigrp` filters incoming routes or that it sets the summary metric to the highest metric, when in fact it creates a discard route and uses the minimum metric from component routes.

How to eliminate wrong answers

Option B is wrong because the command does not filter incoming routes; it only summarizes routes being advertised outbound. Option C is wrong because the summary route's metric is set to the minimum metric among the component routes, not the best (which could be interpreted as highest or best path). Option D is wrong because this command configures manual summarization, not automatic classful summarization; automatic summarization is controlled by the `auto-summary` command.

934
Multi-Select · easy

Which two statements about RESTCONF are true? (Choose two.)

Select 2 answers
A. RESTCONF uses HTTP methods like GET, PUT, POST, and DELETE to manipulate YANG data.
B. RESTCONF supports only XML encoding for data.
C. RESTCONF uses SSH as the transport protocol.
D. RESTCONF provides a 'data' resource as the entry point for accessing YANG data stores.
E. RESTCONF defines its own data modeling language.
Answers: A, D

Correct because RESTCONF maps HTTP methods to CRUD operations on YANG data.

Why this answer

RESTCONF uses HTTP methods to access YANG-defined data on network devices. It supports both XML and JSON encoding. It does not use SSH or TLS natively for transport; it relies on HTTP over TLS (HTTPS) for security.

The 'data' resource is the top-level resource for accessing YANG data stores. RESTCONF does not define its own data model; it uses YANG models.

935
MCQ · hard

A DevOps team is implementing a CI/CD pipeline that automates network configuration changes. Which design principle is most important to ensure that a failed deployment does not cause prolonged outages?

A. Use a single source of truth for all configurations
B. Ensure the automation framework supports rollback to a known good state
C. Implement idempotent configuration scripts
D. Run the deployment in a lab environment first
Answer: B

Rollback is critical to quickly restore service after a failed deployment.

Why this answer

Option B is correct because in a CI/CD pipeline for network automation, the ability to roll back to a known good state is the most critical design principle for minimizing downtime. If a deployment fails (e.g., a misapplied ACL or BGP configuration), the automation framework must be able to revert the network device to its previous stable configuration—often by reapplying a saved startup config or using a tool like Ansible's `network_backup` role or Cisco NSO's rollback mechanism. Without this, a failed deployment could leave the network in a broken state until manual intervention, causing prolonged outages.

Exam trap

Cisco often tests the distinction between 'preventing errors' (idempotency, single source of truth) and 'recovering from errors' (rollback), and the trap here is that candidates confuse idempotency with rollback, thinking that re-running a script will fix a failure, when in fact idempotency only ensures consistency, not recovery from a broken state.

How to eliminate wrong answers

Option A is wrong because a single source of truth (e.g., a Git repository for configurations) is important for consistency and auditability, but it does not directly address recovery from a failed deployment; it prevents drift but not the need for rollback. Option C is wrong because idempotent scripts ensure that repeated runs produce the same result, which helps avoid unintended changes, but they do not provide a mechanism to revert to a previous state if a deployment introduces a fault. Option D is wrong because running a deployment in a lab environment first is a best practice for testing, but it does not guarantee that a production deployment won't fail; the question specifically asks about ensuring that a failed deployment does not cause prolonged outages, which requires a rollback capability in production.

936
Drag & Drop · medium

Drag and drop the steps of the DHCP DORA process into the correct order, from first to last.

Why this order

The DHCP DORA process begins with the client broadcasting a Discover message to locate a DHCP server. The server responds with an Offer message containing an IP address and configuration parameters. The client then sends a Request message to formally request the offered IP address.

Finally, the server sends an Acknowledge message to confirm the lease and provide the configuration.

937
Matching · medium

Drag and drop each NETCONF operation on the left to its action on the right.

Concepts
Matches

Retrieve running configuration and state data

Retrieve configuration from a specific datastore

Modify the target configuration datastore

Confirm a candidate configuration as the new running config

Prevent other NETCONF sessions from altering a datastore

Why these pairings

Correct pairings: get retrieves running config and state data; get-config retrieves a specific datastore; edit-config modifies configuration; commit confirms a candidate configuration; lock prevents other sessions from modifying a datastore.

938
Drag & Drop · medium

Drag and drop the steps of Q-in-Q (802.1ad) double-tagging configuration into the correct order, from first to last.

Why this order

First enable the dot1q tunnel globally, then configure the access VLAN on the interface, enable the tunnel mode, and set the native VLAN to avoid conflicts.

939
MCQ · medium

An engineer is configuring MPLS L3VPN with OSPF as the PE-CE protocol. The customer wants to ensure that routes from the MPLS backbone are not redistributed back into the customer's OSPF domain. What configuration should the engineer apply on the PE router?

A. Configure the 'domain-id' under the OSPF process in the VRF.
B. Configure a sham-link between the PE routers.
C. Use the 'capability vrf-lite' command under OSPF.
D. Apply a route-map to filter routes redistributed into OSPF.
Answer: A

Correct because the domain-id prevents routes from being redistributed back into the customer's OSPF domain.

Why this answer

In MPLS L3VPN, the 'domain-id' OSPF attribute prevents redistribution of routes from the backbone into the customer's OSPF domain. Option A is correct. Option B is wrong because 'sham-link' is for backdoor links; Option C is wrong because 'capability vrf-lite' is for VRF-lite; Option D is wrong because 'redistribute connected' is not related.

940
Multi-Select · hard

Which three statements about Dynamic Trunking Protocol (DTP) are true? (Choose three.)

Select 3 answers
A. DTP is a Cisco proprietary protocol.
B. DTP frames are sent on the native VLAN.
C. The 'switchport mode dynamic desirable' setting causes the interface to actively attempt to form a trunk.
D. DTP operates at Layer 3 of the OSI model.
E. DTP is used to negotiate trunking on routed ports.
Answers: A, B, C

Correct because DTP is only available on Cisco switches and is not standardized.

Why this answer

Correct: A is true because DTP is Cisco proprietary and not supported on non-Cisco switches. B is true because DTP uses VLAN 1 (the native VLAN) for its frames; if the native VLAN is mismatched, DTP may fail. C is true because the 'switchport mode dynamic desirable' interface configuration command actively sends DTP frames to negotiate trunking.

D is incorrect because DTP operates at Layer 2, not Layer 3. E is incorrect because DTP is not used on routed ports; it only applies to switch ports in access or trunk mode.

941
MCQ · hard

A network engineer issues the following command on Router R9:

```
R9# show ip pim bsr-router
PIMv2 Bootstrap Router (BSR) information
This system is the Bootstrap Router (BSR)
BSR address: 10.0.0.11
Uptime: 1w2d, BSR priority: 0, Hash mask length: 30
Next bootstrap message in 00:00:45
```

Based on this output, what can be concluded?

A. This router is the elected BSR.
B. This router is a candidate BSR but not elected.
C. The BSR priority is 192.
D. The hash mask length is 32.
Answer: A

The output states 'This system is the Bootstrap Router'.

Why this answer

The 'show ip pim bsr-router' output shows that this router is the BSR with address 10.0.0.11, priority 0, and hash mask length 30. The next bootstrap message will be sent in 45 seconds. The hash mask length of 30 means that the group-to-RP mapping uses a 30-bit mask for hashing.

The correct answer is that the BSR is elected and operational.

942
Drag & Drop · medium

Drag and drop the steps for the EIGRP neighbor discovery process in the correct order.

Why this order

EIGRP uses Hello packets to discover neighbors, then exchanges routes and maintains state.

943
MCQ · hard

A global enterprise is transitioning from a traditional three-tier campus architecture to a software-defined access (SD-Access) fabric. Which architectural consideration is most critical for the underlay network?

A. Configure a routed access layer with a link-state routing protocol (IS-IS or OSPF).
B. Implement PIM-SM for multicast routing in the underlay.
C. Preserve existing VLANs across the fabric to minimize changes.
D. Deploy VRF-lite on all edge nodes to isolate tenants.
Answer: A

A routed underlay with IS-IS or OSPF is a key design requirement for SD-Access.

Why this answer

In an SD-Access fabric, the underlay network must provide IP connectivity between all fabric devices (edge, control plane, border nodes) using a routed access layer with a link-state routing protocol like IS-IS or OSPF. This ensures fast convergence, loop-free topology, and support for the overlay's VXLAN tunnels. A routed access layer eliminates spanning-tree dependencies and aligns with the fabric's requirement for a simple, scalable IP-based transport.

Exam trap

Cisco often tests the misconception that the underlay must support multicast (PIM) or preserve legacy VLANs, when in fact the underlay only needs unicast routing and the overlay handles all segmentation and multicast replication via head-end replication or native multicast.

How to eliminate wrong answers

Option B is wrong because PIM-SM is used for multicast routing in the overlay (for traffic such as ARP or multicast applications), not in the underlay; the underlay only needs unicast routing to establish VXLAN tunnels. Option C is wrong because preserving existing VLANs across the fabric contradicts the SD-Access design principle of decoupling the overlay from the underlay; VLANs are mapped to virtual network identifiers (VNIs) in the overlay, and the underlay should be a clean, routed IP network. Option D is wrong because VRF-lite is a Layer 3 segmentation technique used in traditional networks, not in the SD-Access underlay; tenant isolation is achieved via the overlay's VXLAN and LISP/VN segmentation, not by configuring VRFs on underlay interfaces.

944
MCQ · hard

A network engineer runs the following command on Switch SW1:

```
SW1# show interfaces gi0/1 trunk

Port        Mode         Encapsulation  Status        Native vlan
Gi0/1       on           802.1q         trunking      1

Port        Vlans allowed on trunk
Gi0/1       10,20

Port        Vlans allowed and active in management domain
Gi0/1       10,20

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/1       10,20
```

Based on this output, what can be concluded?

A. VLAN 1 is allowed on this trunk.
B. The trunk is using DTP dynamic desirable mode.
C. Only VLANs 10 and 20 are allowed on this trunk.
D. The native VLAN is 10.
Answer: C

The 'Vlans allowed on trunk' line explicitly shows 10,20.

Why this answer

The output shows that the 'Vlans allowed on trunk' list contains only VLANs 10 and 20. This means the trunk has been explicitly configured to permit only those VLANs, and all other VLANs (including VLAN 1) are pruned or blocked from traversing the trunk. Therefore, only VLANs 10 and 20 are allowed, making option C correct.

Exam trap

Cisco often tests the distinction between the native VLAN and the allowed VLAN list; candidates mistakenly assume that the native VLAN is always permitted on the trunk, but the allowed list explicitly controls which VLANs can pass traffic, and the native VLAN must be included in that list to be forwarded.

How to eliminate wrong answers

Option A is wrong because the 'Vlans allowed on trunk' line explicitly lists only VLANs 10 and 20; VLAN 1 is not included, so it is not allowed on this trunk. Option B is wrong because the 'Mode' field shows 'on', which indicates that trunking is statically configured (no DTP negotiation), not using DTP dynamic desirable mode. Option D is wrong because the 'Native vlan' field shows '1', not 10; the native VLAN is the VLAN used for untagged traffic on the trunk, and here it is VLAN 1.

945
Matching · medium

Drag and drop each hypervisor product on the left to its matching vendor on the right.

Concepts
Matches

VMware

Red Hat

Microsoft

Citrix

Oracle

Why these pairings

VMware vSphere is from VMware, KVM is from Red Hat (open source, but Red Hat is the primary commercial backer), Microsoft Hyper-V is from Microsoft, Xen is from Citrix (originally from the Xen Project), and Oracle VM is from Oracle.

946
Multi-Select · easy

Which two statements about Cisco Aironet 2800/3800 series APs are true? (Choose two.)

Select 2 answers
A. These APs support 802.11ac Wave 2 with MU-MIMO technology.
B. These APs are Wi-Fi 6 (802.11ax) capable.
C. These APs have integrated antennas and are designed for indoor deployments.
D. These APs support modular field-replaceable radios for future upgrades.
E. These APs can operate in both local and FlexConnect modes.
Answers: A, C

Correct because the 2800/3800 series are 802.11ac Wave 2 APs that support Multi-User MIMO.

Why this answer

The 2800/3800 series APs are 802.11ac Wave 2 devices that support MU-MIMO and have integrated antennas; they do not support 802.11ax (Wi-Fi 6) and are not modular with field-replaceable radios.

947
Drag & Drop · medium

Drag and drop the steps of VLAN pruning on trunks using VTP into the correct order, from first to last.

Why this order

VTP pruning must be enabled globally before configuring the pruning-eligible list on a specific trunk interface. The global VTP pruning command enables the feature, then per-interface configuration restricts which VLANs can be pruned.

948
Drag & Drop · medium

Drag and drop the steps of YANG data model traversal for interface stats into the correct order, from first to last.

Why this order

The process starts with identifying the YANG module, then navigating the tree to the interface container, retrieving statistics, and optionally filtering or using NETCONF/RESTCONF.

949
Matching · medium

Match each Spanning Tree Protocol (STP) variant to its key characteristic.

Concepts
Matches

Original standard, slow convergence

Fast convergence, backward compatible

Multiple spanning trees per VLAN group

Cisco proprietary, per-VLAN STP

Cisco proprietary, per-VLAN RSTP

Why these pairings

STP variants differ in convergence speed and VLAN support.

950
MCQ · medium

An engineer is troubleshooting an EtherChannel between two switches. The show etherchannel summary output shows that the port-channel is up, but only one physical link is active. The other three links are in a suspended state. The physical ports are all configured identically with the same VLAN allowed. What is the most likely cause?

A. The port-channel has been configured with the 'channel-group 1 mode on' command, but the physical ports are using different speeds.
B. The port-channel has been configured with the 'port-channel min-links 1' command.
C. The port-channel has been configured with the 'port-channel max-links 1' command.
D. The physical ports are in different VLANs.
Answer: C

Correct because max-links limits the number of active ports in the EtherChannel.

Why this answer

The correct answer is that the maximum number of active ports in the port-channel has been configured to 1. The wrong answers involve misconfigurations that would affect all ports or prevent the channel from forming.

951
MCQ · medium

```
router bgp 65000
 bgp router-id 10.0.0.1
 neighbor 10.0.0.2 remote-as 65001
 neighbor 10.0.0.2 route-map FILTER in
!
route-map FILTER deny 10
 match ip address prefix-list BLOCKED
route-map FILTER permit 20
!
ip prefix-list BLOCKED seq 5 permit 10.0.0.0/8
!
```

What is the effect of this configuration?

A. All routes from neighbor 10.0.0.2 are accepted except those matching 10.0.0.0/8.
B. Only routes matching 10.0.0.0/8 are accepted from the neighbor.
C. The configuration is invalid because route-map must have a permit statement first.
D. The prefix-list is misconfigured because it should use 'deny' instead of 'permit'.
Answer: A

Correct. The deny statement blocks the specific prefix, and the permit allows everything else.

Why this answer

The route-map FILTER is applied inbound from neighbor 10.0.0.2. Sequence 10 denies routes that match the prefix-list BLOCKED, which permits 10.0.0.0/8. Sequence 20 is a permit statement with no match, which implicitly permits all other routes.

Therefore, only routes matching 10.0.0.0/8 are denied, and all other routes are accepted.

Exam trap

Cisco often tests the interaction between route-map sequence numbers and the implicit deny at the end of a route-map, leading candidates to forget that a permit statement with no match (like sequence 20) is needed to allow all other routes through.

How to eliminate wrong answers

Option B is wrong because the configuration denies routes matching 10.0.0.0/8, not accepts them. Option C is wrong because route-maps can start with a deny statement; there is no requirement for the first statement to be permit. Option D is wrong because the prefix-list uses 'permit' to define which prefixes are matched by the route-map's deny clause; using 'deny' in the prefix-list would not match the intended prefixes.

952
Multi-Select · hard

Which three statements about SD-WAN segmentation and multi-tenancy are true? (Choose three.)

Select 3 answers
A. Each VPN in SD-WAN corresponds to a separate VRF on the edge device, providing Layer 3 isolation.
B. OMP advertises VPN membership information so that edge devices know which VPNs are reachable via each TLOC.
C. Extranet VPN configuration allows selected routes to be shared between different VPNs on the same edge device.
D. VPN 0 is used for service-side connectivity, such as connecting to a corporate LAN or data center.
E. Multi-tenancy in SD-WAN requires separate physical edge devices for each tenant to ensure isolation.
Answers: A, B, C

Correct because VPN IDs map to VRFs, isolating routing and forwarding domains.

Why this answer

VPN segmentation in SD-WAN uses VRFs (VPN IDs) to isolate traffic. Service-side routing uses VRFs, and transport-side uses TLOCs. OMP carries VPN membership information.

Extranet allows controlled sharing between VPNs. VPN 0 is for transport, not service. Multiple VRFs can be used to support multi-tenancy.

953
Drag & Drop · medium

Drag and drop the steps of NFVI resource allocation and VNF instantiation into the correct order, from first to last.

Why this order

The NFVI resource allocation and VNF instantiation process begins with the NFVO receiving a VNF instantiation request, then the NFVO requests the VIM to allocate compute, storage, and network resources. The VIM allocates the resources and provides the resource IDs. The NFVO then instructs the VNFM to instantiate the VNF.

Finally, the VNFM instantiates the VNF on the allocated resources.

954
MCQ · hard

Refer to the exhibit. A Python script sends the JSON payload shown via a POST request to the RESTCONF URI /restconf/data/ietf-interfaces:interfaces on a Cisco IOS XE device. The API returns 201 Created, but the interface GigabitEthernet1 is not configured. What is the most likely cause?

A. The script is not authenticated
B. The URI should be /restconf/data/ietf-interfaces:interfaces/interface=GigabitEthernet1
C. The payload is missing a required field for the interface
D. The JSON syntax is invalid
Answer: C

The model may require a description.

Why this answer

The 201 Created response indicates the RESTCONF request was accepted and the resource was created, but the interface GigabitEthernet1 is not configured because the JSON payload is missing a required field. In the ietf-interfaces YANG model, the 'type' leaf under an interface is mandatory; without it, the device cannot complete the interface configuration, even though the API returns a success status for the creation of the container.

Exam trap

Cisco often tests the misconception that a 201 Created status guarantees full configuration success, when in reality the YANG model's mandatory fields must be included in the payload for the interface to be operational.

How to eliminate wrong answers

Option A is wrong because a 201 Created response would not be returned if authentication failed; RESTCONF would return a 401 Unauthorized or 403 Forbidden error. Option B is wrong because the POST request to the collection URI /restconf/data/ietf-interfaces:interfaces is the correct method to create a new interface resource; using a specific URI like /restconf/data/ietf-interfaces:interfaces/interface=GigabitEthernet1 would be appropriate for a PUT or PATCH operation on an existing resource. Option D is wrong because if the JSON syntax were invalid, the RESTCONF API would return a 400 Bad Request error, not 201 Created.

955
MCQ · medium

An architect is designing a QoS policy for a campus LAN that must support real-time voice and video traffic alongside mission-critical data. The design must use the DiffServ model with consistent per-hop behavior across all switches. Which approach should the architect choose to ensure that voice traffic receives priority queuing while video traffic is guaranteed bandwidth without starving other classes?

A. Use the MQC framework to classify traffic based on DSCP markings, apply a priority queue for EF traffic, and allocate a minimum bandwidth guarantee for AF41 traffic.
B. Implement a single FIFO queue on all interfaces and rely on the default CoS-to-queue mapping to prioritize voice.
C. Configure strict priority queuing for all traffic marked with DSCP values greater than 0.
D. Use the IntServ model with RSVP to reserve bandwidth for each voice and video flow.
Answer: A

This correctly implements DiffServ with consistent PHB: priority for voice (EF) and bandwidth guarantee for video (AF41) using MQC.

Why this answer

Option A is correct because it uses the Modular QoS CLI (MQC) framework to classify traffic by DSCP markings, which aligns with the DiffServ model's per-hop behavior consistency. By applying a strict priority queue for EF (Expedited Forwarding, DSCP 46) traffic, voice gets low-latency treatment, while a minimum bandwidth guarantee for AF41 (Assured Forwarding, DSCP 34) ensures video traffic receives a guaranteed share without starving other classes, as AF uses weighted fair queuing with bandwidth allocation.

Exam trap

Cisco often tests the misconception that strict priority queuing can be applied broadly to multiple traffic classes without starvation risks, but the trap here is that only EF (voice) should use priority queuing, while AF (video) requires a bandwidth guarantee to avoid starving other classes.

How to eliminate wrong answers

Option B is wrong because a single FIFO queue cannot provide differentiated treatment; it treats all traffic equally, causing voice and video to suffer jitter and delay, and default CoS-to-queue mappings are not sufficient for consistent per-hop behavior across switches. Option C is wrong because strict priority queuing for all traffic with DSCP > 0 would place multiple classes (e.g., AF, CS) into the priority queue, leading to starvation of lower-priority traffic and potential queue overflow for voice. Option D is wrong because the IntServ model with RSVP is not designed for campus LANs with DiffServ; it requires per-flow state and signaling, which does not scale and violates the requirement for consistent per-hop behavior across all switches.

956
MCQ · easy

What is the default hold time multiplier for EIGRP?

A. 3
B. 4
C. 5
D. 10
Answer: A

Correct. The hold time is typically three times the hello interval, so the multiplier is 3.

Why this answer

The default hold time multiplier for EIGRP is 3. This multiplier is applied to the hello interval to calculate the hold time (hold time = hello interval × multiplier). By default, EIGRP uses a hello interval of 5 seconds on most interfaces (or 60 seconds on low-speed NBMA interfaces), so the default hold time is 15 seconds (5 × 3) or 180 seconds (60 × 3).

Exam trap

Cisco often tests the default hold time multiplier (3) versus the default hold time (15 seconds), causing candidates to confuse the multiplier with the actual hold time value or to mistakenly recall the default hello interval (5 seconds) as the multiplier.

How to eliminate wrong answers

Option B (4) is wrong because the default EIGRP hold time multiplier is not 4; a multiplier of 4 would result in a hold time of 20 seconds (5 × 4), which is not the Cisco default. Option C (5) is wrong because a multiplier of 5 would yield a hold time of 25 seconds (5 × 5), which is not the standard default value. Option D (10) is wrong because a multiplier of 10 would produce a hold time of 50 seconds (5 × 10), far exceeding the default 15 seconds; this value is not used as the default multiplier in EIGRP.

957
MCQ · medium

A network engineer is configuring MPLS L3VPN on a Cisco IOS-XE router. The VRF CUSTOMER_C has route-target import 300:1 and export 300:1. The PE receives VPNv4 routes from the route reflector, but the CE router connected to the PE cannot ping any remote site IP addresses. The PE can ping the remote site IP addresses from the VRF. What is the most likely cause?

A. The CE router does not have a default route pointing to the PE's VRF interface.
B. The VRF is missing the route-target export command.
C. The PE router is not running a routing protocol with the CE router.
D. The MPLS LDP is not enabled on the PE-CE link.
Answer: A

Correct because if the CE does not have a route to remote sites, it cannot send traffic. The PE can ping because it has the routes in the VRF.

Why this answer

The PE can ping remote site IP addresses from within the VRF, confirming that the VRF has the correct route-target import/export configuration and that VPNv4 routes are being received and installed in the VRF routing table. However, the CE router cannot ping remote sites, which indicates that the CE does not have a route pointing to the PE’s VRF interface as its next hop. Without a default route or a specific route pointing to the PE’s VRF-facing interface, the CE has no path to forward traffic to remote VPN destinations, even though the PE can reach them.

Exam trap

Cisco often tests the misconception that if the PE can reach remote sites from the VRF, the CE must also be able to reach them, but the trap is that the CE’s routing table is independent and requires explicit route injection or a default route pointing to the PE.

How to eliminate wrong answers

Option B is wrong because the VRF already has route-target export 300:1 configured, and the PE can ping remote sites from the VRF, proving that VPNv4 routes are being exported and imported correctly. Option C is wrong because the PE can ping remote sites from the VRF, which implies that a routing protocol (or static route) is running between the PE and CE to exchange routes; otherwise the PE would not have a route to the CE’s subnet. Option D is wrong because MPLS LDP is not required on the PE-CE link; LDP is used for label distribution in the MPLS core, not on the customer-facing link, which typically uses IP routing or static routes.

958
MCQ · medium

Given the following EIGRP named mode configuration:

```
router eigrp TEST
 address-family ipv4 unicast autonomous-system 100
  network 10.0.0.0 0.255.255.255
  topology base
   distance eigrp 90 170
 exit-address-family
```

Which statement is true?

A. The administrative distance for internal EIGRP routes is set to 90, and for external routes to 170.
B. The network statement will enable EIGRP on all interfaces with an IP address starting with 10.
C. The autonomous-system number must match the process ID in classic mode.
D. The 'topology base' command is optional and can be omitted.
Answer: A

Correct. The distance eigrp command sets internal AD to 90 and external AD to 170.

Why this answer

Option A is correct because the 'distance eigrp 90 170' command explicitly sets the administrative distance for internal EIGRP routes to 90 and for external EIGRP routes to 170. This overrides the default values of 90 for internal and 170 for external routes, but in this configuration, the values are set to the same defaults, so the statement accurately describes the configured distances.

Exam trap

Cisco often tests the mandatory nature of the 'topology base' command in EIGRP named mode, as candidates mistakenly think it is optional or only needed for advanced features, but it is required to complete the address-family configuration.

How to eliminate wrong answers

Option B is wrong because the network statement 'network 10.0.0.0 0.255.255.255' uses a wildcard mask that matches only the first octet (10.x.x.x), but EIGRP named mode enables EIGRP only on interfaces whose primary IP address falls within the specified range; it does not enable EIGRP on all interfaces with an IP starting with 10 if the interface is not in the specified subnet. Option C is wrong because in EIGRP named mode, the autonomous-system number is specified within the address-family and does not need to match a classic mode process ID; classic mode uses 'router eigrp <ASN>' directly, while named mode separates the router name from the ASN. Option D is wrong because the 'topology base' command is mandatory in EIGRP named mode; it defines the base topology for the address-family and cannot be omitted, as it is required to enter the topology configuration mode where routing policies are applied.

959
MCQ · hard

An enterprise network uses TACACS+ for device administration and RADIUS for network access (VPN and wireless). The TACACS+ server is configured to authorize commands. A network engineer notices that after a recent upgrade of the TACACS+ server software, some commands that were previously authorized are now being denied. The engineer checks the router configuration and sees 'aaa authorization commands 15 default group tacacs+'. The TACACS+ server logs show that the authorization requests are being sent and responded to. What is the most likely cause?

A. The router's 'aaa authorization commands 15 default group tacacs+' command is missing the 'local' keyword, so if TACACS+ denies, there is no fallback.
B. The TACACS+ server upgrade changed the default authorization behavior from permissive to restrictive, requiring explicit 'permit' statements for each command, and the existing rules may not cover all commands.
C. The router's privilege level 15 is not correctly assigned to the user.
D. The TACACS+ server is not reachable due to a firewall change, causing the router to deny all commands.
Answer: B

Correct because TACACS+ authorization rules are defined on the server; an upgrade can change default behavior (e.g., from permit-all to deny-all), requiring updated rules to allow previously permitted commands.

Why this answer

The TACACS+ server software upgrade likely changed the authorization model or the way commands are matched. The router sends the full command string to the TACACS+ server, and the server must have a matching rule. If the server's configuration now requires exact matching or has stricter parsing, previously allowed commands may be denied.
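The effect of a flipped server-side default can be checked before an upgrade. The following is an added example, not part of the exam material and not any TACACS+ product's matcher: a simplified first-match rule model in which `Rule`, `authorize`, `newly_denied`, the regex rule syntax and the sample command history are all assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str   # "permit" or "deny"
    pattern: str  # regex matched against the full command string


def authorize(command, rules, default_permit):
    """Return (allowed, reason). The first matching rule wins; if no rule
    matches, the server-wide default decides."""
    for rule in rules:
        if re.fullmatch(rule.pattern, command):
            return rule.action == "permit", f"rule {rule.action} {rule.pattern!r}"
    return default_permit, ("default permit" if default_permit else "default deny")


def newly_denied(commands, rules):
    """Commands that passed only because of the old permissive default and
    are rejected once the default becomes deny. Each needs an explicit permit."""
    flagged = []
    for cmd in commands:
        before, _ = authorize(cmd, rules, default_permit=True)
        after, _ = authorize(cmd, rules, default_permit=False)
        if before and not after:
            flagged.append(cmd)
    return flagged


# Constructed sample policy and command history (not from a real server).
RULES = [
    Rule("deny", r"reload.*"),
    Rule("permit", r"show .*"),
    Rule("permit", r"configure terminal"),
]
HISTORY = [
    "show running-config",
    "configure terminal",
    "interface GigabitEthernet0/1",
    "clear counters",
    "reload in 5",
]

if __name__ == "__main__":
    for cmd in newly_denied(HISTORY, RULES):
        print("needs explicit permit:", cmd)
```

Replaying the accounting log of commands actually issued through such a model shows which rules have to be written before the restrictive default goes live.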

960
MCQ · medium

What is the purpose of the Dynamic Trunking Protocol (DTP) on Cisco switches?

A. To automatically negotiate trunking between two Cisco switches.
B. To dynamically assign VLANs to access ports.
C. To provide security by encrypting trunk traffic.
D. To prevent loops in the network.
Answer: A

Correct. DTP negotiates trunk links.

Why this answer

DTP (Dynamic Trunking Protocol) is a Cisco proprietary protocol used to automatically negotiate the operational mode (access or trunk) of a switch port between two Cisco switches. When both ends are configured with DTP modes like dynamic desirable or dynamic auto, the link can become a trunk without manual configuration, simplifying deployment in environments where trunking is needed.

Exam trap

The trap here is that candidates confuse DTP with VTP (VLAN Trunking Protocol), which manages VLAN database propagation, or assume DTP provides security features like encryption, when in fact it only negotiates trunking and can be a security risk.

How to eliminate wrong answers

Option B is wrong because DTP negotiates trunking, not VLAN assignment; VLANs are assigned to access ports via the 'switchport access vlan' command or VTP, not DTP. Option C is wrong because DTP provides no encryption or security; trunk traffic encryption is handled by protocols like MACsec (802.1AE) or IPsec, not DTP. Option D is wrong because loop prevention is the function of Spanning Tree Protocol (STP), not DTP; DTP can actually create loops if misconfigured with STP disabled.
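Because DTP negotiation can be a security risk, a configuration review usually lists the ports where it is still active. The following is an added example, not part of the exam material: a small auditor over IOS-style interface stanzas. The function names, the finding wording and the sample configuration are constructed assumptions; the policy it encodes (flag dynamic modes, unset modes, and static ports lacking `switchport nonegotiate`) is one reasonable baseline, not a Cisco-defined check.

```python
# Constructed sample configuration (not taken from a real device).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode dynamic desirable
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
interface GigabitEthernet1/0/3
 switchport mode trunk
interface GigabitEthernet1/0/4
 description user port, no mode configured
interface GigabitEthernet1/0/5
 no switchport
 ip address 192.0.2.1 255.255.255.252
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
"""

NON_SWITCHPORT_PREFIXES = ("vlan", "loopback", "tunnel")


def parse_interfaces(config):
    """Split IOS-style text into {interface name: [indented sub-commands]}."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            stanzas[current] = []
        elif line.startswith(" ") and current is not None:
            stanzas[current].append(line.strip())
        else:
            current = None  # any other top-level line ends the stanza
    return stanzas


def audit_dtp(config):
    """Return {interface: finding} for Layer 2 ports where DTP is not shut off."""
    findings = {}
    for name, cmds in parse_interfaces(config).items():
        if name.lower().startswith(NON_SWITCHPORT_PREFIXES) or "no switchport" in cmds:
            continue  # SVIs, loopbacks, tunnels and routed ports are out of scope
        mode = next((c[len("switchport mode "):] for c in cmds
                     if c.startswith("switchport mode ")), None)
        if mode is None:
            findings[name] = "no explicit mode; trunking depends on the platform default"
        elif mode.startswith("dynamic"):
            findings[name] = f"negotiates trunking ({mode})"
        elif "switchport nonegotiate" not in cmds:
            findings[name] = f"static {mode} port without 'switchport nonegotiate'"
    return findings


if __name__ == "__main__":
    for port, finding in audit_dtp(SAMPLE_CONFIG).items():
        print(f"{port}: {finding}")
```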

961
MCQ · easy

A developer sends a RESTCONF request to retrieve interface statistics from a Cisco IOS-XE device:

Request:

```
GET /restconf/data/ietf-interfaces:interfaces/interface=GigabitEthernet1/statistics HTTP/1.1
Host: 192.168.1.1
Accept: application/yang-data+json
```

Response:

```json
{
  "ietf-interfaces:statistics": {
    "discontinuity-time": "2023-01-01T00:00:00Z",
    "in-octets": 1000000,
    "in-errors": 0,
    "out-octets": 500000,
    "out-errors": 0
  }
}
```

What is the correct way to interpret this response?

A. The response indicates the interface has 1,000,000 bytes received and 500,000 bytes transmitted.
B. The response shows the interface has 1,000,000 packets received and 500,000 packets transmitted.
C. The response indicates the interface has errors, so it is malfunctioning.
D. The response is invalid because the namespace should be 'ietf-interfaces:interfaces-state'.
Answer: A

in-octets is received bytes, out-octets is transmitted bytes.

Why this answer

The response shows the statistics for the interface, including in-octets and out-octets. The data is in JSON format with the namespace prefix 'ietf-interfaces:'. The engineer can use this data to monitor interface utilization.

962
Matching · medium

Drag and drop each route-target action on the left to its matching behavior on the right.

Matches

Adds routes with a matching Route Target into the VRF

Tags routes from the VRF with a Route Target for advertisement

Filters which routes are imported into the VRF based on a route map

Filters which routes are exported from the VRF based on a route map

Can be configured per VRF using route-target commands

Why these pairings

Import RT adds routes with matching RT into the VRF; export RT tags routes from the VRF; import map filters routes during import; export map filters routes during export; both import and export can be configured per VRF.

963
MCQ · medium

An engineer is using the Cisco DNA Center REST API to retrieve a list of network devices and their health scores. The engineer writes a Python script using the requests library. The script successfully retrieves data for the first 100 devices, but when trying to get the next 100, the API returns an empty list. The engineer checks the API documentation and finds that the endpoint supports pagination with the 'offset' and 'limit' parameters. The current script does not handle pagination. What should the engineer do to retrieve all devices?

A. Increase the 'limit' parameter to 1000 in a single API call.
B. Use the 'next' URL from the response headers to automatically fetch the next page.
C. Write a loop that increments the 'offset' parameter by the 'limit' value until all pages are retrieved.
D. Switch to using the Cisco DNA Center Python SDK which handles pagination automatically.
Answer: C

Correct because this implements standard pagination by adjusting the offset parameter in each iteration until no more data is returned.

Why this answer

The correct answer implements a loop that increments the offset parameter until all pages are retrieved. Option A is incorrect because increasing the limit may exceed the maximum allowed value. Option B is incorrect because the API does not return a 'next' link in this scenario.

Option D is incorrect because using a different library does not solve the pagination issue.
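The offset/limit loop from option C, as an added example that is not part of the exam material. To run offline, the HTTP call is abstracted behind a `fetch_page(offset, limit)` callable; that callable, the 1-based `start_offset`, the in-memory `DEVICES` inventory and the two fake fetchers are assumptions constructed for illustration. The loop also detects the case behind option A, where a server silently caps the page size below the requested limit.

```python
def fetch_all(fetch_page, limit=100, start_offset=1, max_pages=1000):
    """Collect every record from an offset/limit paginated endpoint.

    fetch_page(offset, limit) returns the list of records for that window.
    The offset advances by `limit` each round and the loop ends on the first
    empty page. A short page followed by more data means the server returned
    fewer records than requested, so records were skipped: fail loudly.
    """
    if limit < 1:
        raise ValueError("limit must be positive")
    records, offset, short_seen = [], start_offset, False
    for _ in range(max_pages):
        page = fetch_page(offset, limit)
        if not page:
            return records
        if short_seen:
            raise RuntimeError("data after a short page: server caps page size below limit")
        if len(page) > limit:
            raise RuntimeError("server returned more records than requested")
        short_seen = len(page) < limit
        records.extend(page)
        offset += limit
    raise RuntimeError(f"no empty page after {max_pages} requests")


# Constructed stand-in for the controller: 250 devices, 1-based offset.
DEVICES = [{"hostname": f"sw-{n:03d}", "health": 10 - n % 4} for n in range(1, 251)]
CALLS = []  # records every (offset, limit) pair requested


def fake_fetch_page(offset, limit):
    """Well-behaved server: honours the requested limit."""
    CALLS.append((offset, limit))
    return DEVICES[offset - 1: offset - 1 + limit]


def capped_fetch_page(offset, limit):
    """Server that silently caps every page at 50 records."""
    return DEVICES[offset - 1: offset - 1 + min(limit, 50)]


if __name__ == "__main__":
    devices = fetch_all(fake_fetch_page, limit=100)
    print(len(devices), "devices in", len(CALLS), "requests")
```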

964
Matching · medium

Drag and drop each YANG module on the left to its matching data category on the right.

Matches

vendor-neutral interface configuration and state

Cisco IOS-XE native device configuration

IETF standard interface management

vendor-neutral BGP configuration and state

Cisco-specific BGP configuration

Why these pairings

OpenConfig defines vendor-neutral models, Cisco-IOS-XE-native defines Cisco-specific native models, and ietf-interfaces defines standard interface models.

965
Matching · medium

Drag and drop each BGP attribute on the left to the value that is preferred (highest or lowest) during path selection on the right.

Matches

Highest

Highest

Lowest

Lowest

Lowest

Why these pairings

Higher weight is preferred; higher LOCAL_PREF is preferred; shorter AS_PATH length is preferred; lower MULTI_EXIT_DISC is preferred; lower IGP metric to next-hop is preferred.

966
MCQ · medium

An organization uses a Cisco ISE as the RADIUS server for both wired and wireless authentication. The network engineer configures a Cisco switch with 'aaa authentication dot1x default group radius' and 'aaa authorization network default group radius'. When a user connects via 802.1X, authentication succeeds, but the user is placed in the wrong VLAN. The RADIUS server sends a 'Tunnel-Private-Group-ID' attribute with the correct VLAN name. The switch has the VLAN defined. What is the most likely cause?

A. The switch interface is configured as a static access port, which overrides the RADIUS-supplied VLAN.
B. The RADIUS server is sending the VLAN ID as a number, but the switch expects a VLAN name.
C. The switch needs the 'radius-server attribute 8 include-in-access-req' command to include the calling station ID.
D. The switch's VLAN database does not have the VLAN created, so it defaults to the native VLAN.
Answer: A

Correct because if the interface has a static 'switchport access vlan' command, it takes precedence over the RADIUS-assigned VLAN. The interface should be configured as 'switchport access vlan dynamic' or have no static VLAN assignment to allow RADIUS to assign the VLAN.

Why this answer

The switch must be configured to accept and apply RADIUS-supplied VLAN attributes. This requires the 'aaa authorization network default group radius' command, which is already configured. However, the switch may also need the 'radius-server attribute 6 on-for-login-auth' or similar to map the attribute to a VLAN.

But the most common issue is that the switch's interface is not configured for 'authentication port-control auto' or the VLAN is not in the allowed list. However, the scenario says authentication succeeds, so the port is authorized. The likely cause is that the switch is not configured to use the RADIUS-supplied VLAN because the interface is not set to 'switchport access vlan dynamic' or the 'authentication' command is missing the 'vlan' assignment.

967
MCQ · medium

Consider the following configuration for a FlexVPN spoke router:

```
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 tunnel source GigabitEthernet0/0/0
 tunnel mode gre ip
 tunnel protection ipsec profile FLEXPROF
 ip nhrp network-id 100
 ip nhrp nhs 10.0.0.1
 ip nhrp map 10.0.0.1 192.168.1.1
```

What is the purpose of the 'ip nhrp map 10.0.0.1 192.168.1.1' command?

A. It maps the spoke's tunnel IP to its own physical interface IP for local routing.
B. It provides a static mapping from the hub's tunnel IP (10.0.0.1) to the hub's physical IP (192.168.1.1) so the spoke can reach the hub.
C. It enables multicast mapping for dynamic spoke discovery.
D. It configures the spoke to register with the hub using the specified physical address.
Answer: B

This static NHRP mapping tells the spoke how to reach the hub's tunnel interface via the hub's physical NBMA address.

Why this answer

In FlexVPN (or DMVPN), the 'ip nhrp map' command statically maps a tunnel IP address (10.0.0.1) to a physical NBMA address (192.168.1.1). This is used by the spoke to know the hub's physical address for NHRP registration and communication.

968
Matching · medium

Drag and drop each MPLS VPN role on the left to its matching description on the right.

Matches

Customer edge router that connects to the provider network

Provider edge router that attaches labels and runs MP-BGP with other PEs

Provider core router that switches MPLS labels and does not hold customer routes

Router that connects two different MPLS VPN domains or autonomous systems

Route Reflector that reduces MP-BGP peering by reflecting VPN routes

Why these pairings

CE routers connect customer sites to the provider; PE routers label customer routes and exchange VPNv4 prefixes via MP-BGP; P routers perform label switching without storing customer routes; ASBR routers connect different MPLS domains; RRs propagate VPN routes within an AS.

969
MCQ · medium

A network engineer is automating the configuration of a new VLAN on a Cisco Catalyst 9000 switch using RESTCONF. The engineer sends a PUT request to the URI 'https://switch/restconf/data/Cisco-NX-OS-device:Native/VlanList' with a JSON payload containing the VLAN details. The switch responds with a 405 Method Not Allowed error. What is the most likely cause of this error?

A. The engineer used the wrong URI; the correct URI should include a specific VLAN ID.
B. The engineer should have used the POST method instead of PUT to create a new list entry.
C. The payload format is incorrect; the engineer must use XML instead of JSON.
D. The switch does not support RESTCONF for VLAN configuration; NETCONF must be used instead.
Answer: B

Correct because RESTCONF uses POST to create a new resource in a list, while PUT is used to replace an existing resource.

Why this answer

The PUT method is typically used to create or replace a resource, but for list entries in RESTCONF, the POST method is used to add a new entry. The 405 error indicates that the method is not allowed for the specified URI. The engineer should use POST to add a new VLAN entry to the list.

970
MCQ · medium

Examine the following configuration snippet on a Cisco IOS-XE router:

```
interface GigabitEthernet0/1
 service-policy output QOS_POLICY
policy-map QOS_POLICY
 class VOICE
  priority percent 10
 class VIDEO
  bandwidth percent 30
 class class-default
  fair-queue
```

What is the effect of this configuration?

A. VOICE traffic is guaranteed 10% of the interface bandwidth with strict priority queuing, VIDEO traffic is guaranteed 30%, and all other traffic shares the remaining bandwidth using fair-queuing.
B. VOICE traffic is limited to 10% of bandwidth, VIDEO to 30%, and all other traffic is dropped if the interface is congested.
C. VOICE traffic is given priority over VIDEO, but VIDEO can use up to 30% of bandwidth only if VOICE is not using its allocation.
D. The policy-map is invalid because 'priority' and 'bandwidth' cannot be used together in the same policy-map.
Answer: A

Correct. The 'priority' command provides strict priority queuing with a bandwidth guarantee, and 'fair-queue' enables fair sharing among the default class.

Why this answer

The policy-map applies a priority queue for VOICE traffic, guarantees bandwidth for VIDEO, and uses fair-queue for all other traffic on the output interface.

971
Drag & Drop · medium

Drag and drop the steps of configuring Dynamic NAT on a Cisco IOS router into the correct order, from first to last.

Why this order

Dynamic NAT configuration starts by defining the pool of global IP addresses using 'ip nat pool'. Next, an access list is created to identify the inside local addresses that will be translated. The NAT source list is then configured to associate the ACL with the pool.

After that, the inside and outside interfaces are designated with 'ip nat inside' and 'ip nat outside'. Finally, translation is verified with 'show ip nat translations'.

972
Drag & Drop · medium

Drag and drop the steps of LLQ configuration for voice traffic into the correct order, from first to last.

Why this order

First, classify voice traffic using a class-map matching DSCP EF. Then create a policy-map and assign the class to priority (LLQ). Optionally configure a bandwidth guarantee for other classes.

Apply the service-policy on the WAN interface. Finally, verify the LLQ operation using show policy-map interface.

973
Multi-Select · medium

Which two statements about virtual machine migration (vMotion and cold migration) are true? (Choose two.)

Select 3 answers
A. vMotion migrates a running virtual machine from one host to another with no downtime.
B. Cold migration requires the virtual machine to be powered off before it can be moved to a different host.
C. Storage vMotion allows the virtual machine's disk files to be moved between datastores while the VM remains running.
D. vMotion requires that both source and destination hosts share the same physical storage.
E. Cold migration can only be performed within the same vCenter Server and cannot move VMs to a different datacenter.
Answers: B, C, D

Correct because cold migration moves a VM that is in a powered-off state.

Why this answer

vMotion allows live migration of a running VM with minimal downtime. Cold migration requires the VM to be powered off. Storage vMotion moves VM files between datastores.

Shared storage is required for vMotion.

974
MCQ · medium

A network engineer runs the following command on Router R1:

```
R1# show ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(100)
H   Address         Interface   Hold  Uptime    SRTT  RTO  Q    Seq
                                (sec)           (ms)       Cnt  Num
0   192.168.1.2     Gi0/0       13    00:12:34  12    100  0    45
1   10.1.1.2        Gi0/1       12    00:10:20  15    120  0    32
```

Based on this output, what can be concluded?

A. Both neighbors are using MD5 authentication.
B. Neighbor 192.168.1.2 has a higher metric than 10.1.1.2.
C. Both neighbors are fully established and exchanging routing information.
D. Router R1 is using EIGRP named mode.
Answer: C

The 'Q Cnt' of 0 and valid uptime indicate stable adjacencies.

Why this answer

The 'show ip eigrp neighbors' output displays two neighbors in a stable state, indicated by the 'Q Cnt' (Queue Count) of 0 for both, meaning no packets are waiting to be sent. The 'Seq Num' (Sequence Number) values (45 and 32) show that R1 has received and processed EIGRP updates from each neighbor, confirming the adjacency is fully established and routing information is being exchanged. This output does not provide any metric or authentication details, so only the conclusion that both neighbors are fully operational is valid.

Exam trap

Cisco often tests the misconception that the 'show ip eigrp neighbors' output reveals authentication status or metric values, but the table only shows transport-layer reliability statistics and adjacency state, not security or routing metric details.

How to eliminate wrong answers

Option A is wrong because the 'show ip eigrp neighbors' output does not include any authentication type or key information; MD5 or SHA authentication status is verified with 'show ip eigrp interfaces detail' or 'show key chain', not from the neighbor table. Option B is wrong because the neighbor table does not display route metrics; metrics are shown per route in the topology table ('show ip eigrp topology') or routing table, and the SRTT/RTO values here are timers for reliable transport, not metrics. Option D is wrong because the output shows 'EIGRP-IPv4 Neighbors for AS(100)', which is the classic EIGRP configuration format; named mode EIGRP would display 'EIGRP-IPv4 VR-FOO Neighbors' or similar with a VRF or named instance, not just the AS number.

975
Matching · medium

Drag and drop each NETCONF operation on the left to its matching action on the right.

Matches

Retrieve operational state and configuration data

Retrieve only configuration data from a datastore

Create, update, or delete configuration data

Confirm and apply candidate configuration changes

Prevent other NETCONF sessions from modifying a datastore

Why these pairings

get retrieves operational state and configuration, get-config retrieves only configuration, edit-config modifies configuration, commit applies candidate changes, and lock prevents other sessions from modifying the datastore.
