ENCOR 350-401 (350-401) — Questions 9761050

2015 questions total · 27 pages · All types, answers revealed

Page 14 of 27
976 · MCQ · medium

An enterprise is migrating its data center to a leaf-spine architecture. The design must provide high availability and support for east-west traffic patterns. Which design choice best meets these requirements?

A. Deploy a collapsed core with a single pair of core switches.
B. Use a three-tier hierarchical design with access, distribution, and core layers.
C. Implement a leaf-spine topology with multiple spine switches and ECMP.
D. Use a ring topology connecting all switches in a loop.

Answer: C

Leaf-spine with ECMP provides high bandwidth, low latency, and redundancy for east-west traffic.

Why this answer

A leaf-spine topology with multiple spine switches and Equal-Cost Multi-Path (ECMP) routing provides high availability by eliminating single points of failure and supports east-west traffic patterns by ensuring that any leaf switch can reach any other leaf switch with a consistent number of hops (typically one hop via a spine). ECMP allows load balancing across all available spine links, maximizing bandwidth and redundancy for data center east-west flows.

Exam trap

Cisco often tests the misconception that a three-tier design is always more reliable or that a collapsed core is sufficient for modern data centers, but the trap here is that candidates overlook the specific requirement for east-west traffic patterns, which demands a flat, non-blocking fabric like leaf-spine with ECMP rather than traditional hierarchical or ring topologies.

How to eliminate wrong answers

Option A is wrong because a collapsed core with a single pair of core switches still creates a bottleneck for east-west traffic, as all inter-subnet traffic must traverse the core pair, and it does not provide the same level of scalability or deterministic latency as a full leaf-spine design. Option B is wrong because a three-tier hierarchical design (access, distribution, core) introduces additional latency and oversubscription for east-west traffic, as traffic between access switches must traverse both distribution and core layers, which is suboptimal for modern data center east-west patterns. Option D is wrong because a ring topology creates a single loop that can cause broadcast storms and relies on Spanning Tree Protocol (STP) to block redundant paths, leading to inefficient use of links and potential convergence delays, which violates high availability and east-west traffic requirements.

977 · Matching · medium

Drag and drop each PIM mode on the left to its matching traffic distribution method on the right.

Descriptions to match

Uses explicit join messages to build a shared tree, then can switch to shortest-path tree

Floods multicast traffic on all interfaces, then prunes branches that do not want it

Uses (S,G) state only; receivers must know the source address via IGMPv3

Uses a shared tree for both sources and receivers; no source-specific tree; uses designated forwarder to prevent loops

Allows interface to operate in sparse or dense mode per group

Why these pairings

PIM Sparse Mode uses explicit join to build shared tree then optionally switch to SPT; PIM Dense Mode floods and prunes; PIM SSM uses exclusively source-specific trees; PIM Bidir uses a shared tree with no source-specific tree and a designated forwarder to prevent loops.

978 · Matching · hard

Drag and drop each CoPP class on the left to its matching traffic type on the right.

Descriptions to match

Protects routing protocol packets like OSPF, BGP, EIGRP

Permits management traffic such as SSH, SNMP, and Telnet

Handles packets requiring CPU intervention (e.g., TTL expired, unreachable)

Matches any traffic not explicitly classified by other classes

Reserved for high-priority control plane traffic (e.g., LDP, RSVP)

Why these pairings

Routing class protects control plane routing protocols; Management class allows SSH/SNMP; Exception class handles packets that need CPU processing (e.g., TTL expiry); Default class matches all other traffic; Critical class is for high-priority control traffic.

979 · Matching · hard

Drag and drop each Ansible variable precedence level on the left to its matching scope on the right.

Descriptions to match

Variables passed via --extra-vars, highest precedence

Default variables inside a role, lowest precedence

Variables defined in host_vars/ directory for a specific host

Variables defined in group_vars/ directory for a group

Variables defined in the vars: section of a play

Why these pairings

extra-vars have highest precedence; role defaults have lowest; host vars apply to a specific host; group vars apply to all hosts in a group; play vars are set at the play level.

980 · MCQ · hard

A network engineer is tasked with deploying a DMVPN Phase 2 network for a company with multiple branch offices. The hub router is a Cisco 4451-X and the spoke routers are Cisco 4331s. After configuration, the spokes can ping the hub's tunnel IP, but cannot reach each other's tunnel IPs. The engineer checks the routing tables and sees that the hub has routes for both spoke subnets, but the spokes do not have routes to each other. What is the most likely cause?

A. The NHRP network ID is mismatched between the hub and spokes.
B. The spokes are not configured with a crypto map for IPsec.
C. The hub is not configured to propagate spoke routes to other spokes.
D. The tunnel mode is set to GRE instead of mGRE on the spokes.

Answer: C

Correct because without route propagation, spokes cannot learn each other's networks.

Why this answer

In DMVPN Phase 2, spokes learn about other spoke networks via the hub using dynamic routing (e.g., EIGRP or OSPF). The hub must be configured to propagate spoke routes to other spokes. If the hub is not configured to redistribute or advertise the spoke subnets, the spokes will not have routes to each other.

Option C is correct because the hub must have a routing configuration that allows spoke-to-spoke route propagation. Option A is incorrect because NHRP is used for mapping, not routing. Option B is incorrect because spoke-to-spoke tunnels are established dynamically via NHRP.

Option D is incorrect because mGRE is the correct interface type for DMVPN.

981 · Drag & Drop · medium

Drag and drop the steps of a gRPC dial-in telemetry session initiated from the collector into the correct order, from first to last.


Why this order

The collector initiates the connection, authenticates, requests data, and the device streams telemetry back until the session ends.

982 · Matching · medium

Drag and drop each Ansible component on the left to its matching function on the right.

Descriptions to match

Defines the managed nodes and their groups

A YAML file containing a list of tasks to execute

A structured collection of tasks, variables, and handlers for reuse

A Python script that performs a specific task on a managed node

A task that runs only when notified by another task

Why these pairings

Inventory defines managed nodes; playbook is a YAML file of tasks; role is a reusable set of tasks; module is a Python script for a specific action; handler is a task triggered by a notify.

983 · Multi-Select · hard

Which three statements about multicast RP (Rendezvous Point) are true? (Choose three.)

Select 2 answers
A. The RP is used only in PIM sparse mode and is the root of the shared distribution tree.
B. A single RP can serve multiple multicast groups, and multiple RPs can be configured for different group ranges.
C. The RP must be the first-hop router for all multicast sources in the network.
D. The RP must be directly connected to all multicast receivers.
E. In PIM dense mode, the RP is used to limit multicast flooding.

Answers: A, B

Correct because the RP is a key component of PIM sparse mode, serving as the root of the shared tree (RP-tree).

Why this answer

The RP is a central router in PIM sparse mode that acts as the meeting point for sources and receivers. Sources register with the RP, and receivers join via the RP. Multiple RPs can be configured for different groups using Auto-RP or BSR.

The RP is not required to be the first-hop router for the source; sources can be anywhere in the network. The RP does not need to be directly connected to receivers; it only needs IP reachability. PIM dense mode does not use an RP.

984 · Drag & Drop · medium

Drag and drop the steps of Ansible role directory processing and task execution into the correct order, from first to last.


Why this order

Ansible roles follow a standard directory layout: tasks/main.yml is executed first, then handlers are notified, defaults provide variables, vars override defaults, and templates are rendered for configuration files.

985 · MCQ · hard

A network engineer is implementing MACsec on a Cisco switch-to-switch link to provide encryption. Both switches support MACsec and are configured with the same pre-shared key (PSK). The engineer configures 'mka' and 'macsec' on the interfaces. After configuration, the link does not come up, and the engineer sees 'MKA not operational' in the output of 'show macsec status'. What is the most likely cause?

A. The pre-shared key (PSK) configured on both switches does not match.
B. MACsec requires a RADIUS server for key distribution, which is not configured.
C. The interfaces are configured with different VLANs, causing MACsec to fail.
D. The interfaces must be configured as trunk ports for MACsec to work.

Answer: A

Correct because MKA requires matching keys to establish a secure channel.

Why this answer

MACsec requires that both ends have matching keys and that the interfaces are in the same security mode (e.g., should-secure or must-secure). If one end is configured as 'must-secure' and the other as 'should-secure', they may not establish a secure channel. Option A is correct because a mismatch in the key chain or key string is a common issue.

Option B is incorrect because MACsec can work with PSK. Option C is incorrect because MACsec does not require dot1q. Option D is incorrect because MACsec does not require a specific duplex setting.

986 · Multi-Select · hard

Which three statements about dynamic ARP inspection (DAI) are true? (Choose three.)

Select 3 answers
A. DAI validates ARP packets by checking the sender MAC and IP addresses against the DHCP snooping binding table.
B. DAI can be configured on a per-VLAN basis using the 'ip arp inspection vlan' command.
C. DAI includes rate limiting to prevent ARP flooding attacks.
D. DAI inspects both IPv4 ARP and IPv6 Neighbor Discovery packets.
E. DAI validates the destination IP address in ARP requests to prevent man-in-the-middle attacks.

Answers: A, B, C

Correct because DAI uses the DHCP snooping database to ensure ARP packets are legitimate.

Why this answer

Dynamic ARP Inspection (DAI) is a security feature that validates ARP packets in a network. It uses the DHCP snooping binding table to verify the MAC-to-IP address mapping. DAI is configured on a per-VLAN basis and can be applied to specific interfaces.

Rate limiting is used to prevent ARP storms. Option D is incorrect because DAI inspects IPv4 ARP only; it does not inspect IPv6 Neighbor Discovery packets. Option E is incorrect because DAI does not validate the destination IP address of ARP requests; it validates the sender MAC and IP in the ARP body.

987 · MCQ · medium

Examine the following VRF configuration:

```
vrf definition BLUE
 rd 1:1
 route-target export 1:1
 route-target import 2:2
!
interface GigabitEthernet0/5
 vrf forwarding BLUE
 ip address 10.0.0.1 255.255.255.0
```

What is the effect of having different export and import route targets?

A. The VRF exports routes tagged with RT 1:1 and imports routes tagged with RT 2:2, enabling selective route exchange.
B. The configuration is invalid because export and import RTs must be identical.
C. The VRF will only import routes from other VRFs that also have RT 1:1.
D. This configuration disables route advertisement for VRF BLUE.

Answer: A

Correct. This is a common design for hub-and-spoke or inter-VRF routing.

Why this answer

Option A is correct because the VRF BLUE configuration uses different route targets for export (1:1) and import (2:2). This enables selective route exchange: routes learned in VRF BLUE are exported with RT 1:1, and only routes tagged with RT 2:2 are imported into VRF BLUE. This is a common design for hub-and-spoke or inter-VRF route leaking scenarios where import and export RTs are intentionally asymmetric.

Exam trap

Cisco often tests the misconception that export and import route targets must match, but in reality they can differ to control route propagation in complex MPLS VPN designs.

How to eliminate wrong answers

Option B is wrong because Cisco IOS allows different export and import route targets; they do not need to be identical. Option C is wrong because the VRF imports routes tagged with RT 2:2, not RT 1:1; routes from other VRFs with RT 1:1 would be exported, not imported. Option D is wrong because the configuration does not disable route advertisement; routes are still exported with RT 1:1 and imported with RT 2:2, enabling normal VRF operation.

988 · Drag & Drop · medium

Drag and drop the steps of a network audit and gap analysis into the correct order, from first to last.


Why this order

The audit starts with inventory collection, then performance baselining. Security and configuration compliance are checked, gaps are identified, and finally a remediation plan is created.

989 · MCQ · medium

An engineer is configuring MPLS L3VPN on a Cisco IOS-XR router. The VRF CUSTOMER_B is configured with route-target import 100:1 and export 100:1. The engineer notices that the VRF routes are not being advertised to the route reflector. The BGP session to the route reflector is established and the VPNv4 address family is activated. What is the missing configuration?

A. The VRF is not configured with a route distinguisher.
B. The engineer did not configure the address-family ipv4 unicast vrf CUSTOMER_B under BGP and redistribute the routes.
C. The route-target import/export values are incorrect.
D. The interface in the VRF is not configured with the ipv4 address.

Answer: B

Correct because without this, the VRF routes are not injected into BGP VPNv4.

Why this answer

Option B is correct because in MPLS L3VPN on Cisco IOS-XR, simply configuring the VRF and establishing the BGP VPNv4 session is insufficient. The engineer must explicitly configure the address-family ipv4 unicast vrf CUSTOMER_B under BGP and use the redistribute command (e.g., redistribute connected or redistribute static) to inject the VRF routes into BGP for advertisement to the route reflector. Without this, the VRF routes remain in the local routing table but are never converted into VPNv4 prefixes.

Exam trap

Cisco often tests the misconception that configuring the VRF and establishing the BGP VPNv4 session is enough, but the trap is that candidates overlook the mandatory redistribution step under the VRF-specific BGP address family, which is required to inject routes into the VPNv4 table.

How to eliminate wrong answers

Option A is wrong because a route distinguisher (RD) is required for VRF configuration to make routes unique across VPNs, but its absence would cause the VRF to fail to install routes or cause route duplication, not specifically prevent advertisement to the route reflector; the question states the VRF is configured with route-target import/export, implying an RD is likely present. Option C is wrong because the route-target import 100:1 and export 100:1 values are correctly matched, which is necessary for route distribution between PE routers; incorrect values would affect import/export filtering but not the initial advertisement from the PE to the route reflector. Option D is wrong because an interface in the VRF with an IPv4 address is required for the VRF to have local routes, but the issue is about route advertisement to the route reflector, not about the existence of routes; the VRF could have routes from other sources (e.g., static) without a directly connected interface.

990 · Drag & Drop · medium

Drag and drop the steps of a NETCONF edit-config flow using the candidate datastore into the correct order, from first to last.


Why this order

The candidate datastore flow begins with locking the candidate, then editing it, validating the changes, committing them to running, and finally unlocking the candidate.

991 · MCQ · medium

Examine this Python script that uses the napalm library to manage a Cisco IOS-XE device:

```python
from napalm import get_network_driver

# Select the IOS driver and open a session to the device
driver = get_network_driver('ios')
device = driver('192.168.1.1', 'admin', 'cisco')
device.open()
print(device.get_facts())
device.close()
```

What is the output of this script?

A. It displays the running configuration of the device.
B. It prints a dictionary containing device facts like hostname, model, uptime, etc.
C. It applies a configuration change to the device.
D. It tests connectivity to the device using ICMP.

Answer: B

get_facts() returns a dictionary with device information.

Why this answer

The script uses NAPALM to retrieve device facts such as hostname, OS version, serial number, etc.

992 · MCQ · medium

Examine the following Python script snippet that uses netmiko to configure a Cisco IOS-XE device:

```python
from netmiko import ConnectHandler

# Connection parameters for the target device
device = {
    'device_type': 'cisco_ios',
    'ip': '192.168.1.1',
    'username': 'admin',
    'password': 'cisco',
}

connection = ConnectHandler(**device)
output = connection.send_command('show ip interface brief')
print(output)
connection.disconnect()
```

What is the primary purpose of this script?

A. It configures an IP address on an interface.
B. It retrieves and prints the output of 'show ip interface brief'.
C. It saves the running configuration to startup configuration.
D. It backs up the configuration to a TFTP server.

Answer: B

The script connects, sends a show command, prints the output, and disconnects.

Why this answer

The script uses netmiko to connect to a Cisco device and retrieve the output of 'show ip interface brief'.

993 · Multi-Select · hard

Which three statements about model-driven telemetry are true? (Choose three.)

Select 3 answers
A. Model-driven telemetry uses YANG data models to define the data to be streamed.
B. Telemetry data can be pushed from the network device to a collector using gRPC or gNMI.
C. Model-driven telemetry supports both periodic and on-change subscriptions.
D. Model-driven telemetry requires SSH for secure data transport.
E. Model-driven telemetry increases the polling overhead compared to SNMP.

Answers: A, B, C

Correct because YANG models describe the structure and semantics of the data, enabling structured telemetry.

Why this answer

Model-driven telemetry uses YANG data models and can push data via gRPC or gNMI. It supports both periodic and on-change subscriptions. It reduces polling overhead compared to SNMP.

It does not require SSH for transport (gRPC uses HTTP/2).

994 · Drag & Drop · medium

Drag and drop the steps of MSDP peering for inter-domain multicast into the correct order, from first to last.


Why this order

MSDP peers first establish a TCP connection, then exchange SA messages to advertise active sources; the remote RP receives the SA, creates (S,G) state, and forwards a join toward the source.

995 · MCQ · medium

A network engineer is designing a campus network with high availability for critical services. Which Cisco technology enables traffic to be forwarded to an alternate next hop in the event of a first-hop router failure, without requiring any configuration changes on the hosts?

A. Static default route with a floating static
B. GLBP
C. VRRP
D. HSRP

Answer: D

HSRP is a Cisco proprietary FHRP that provides transparent failover without host configuration changes.

Why this answer

HSRP (Hot Standby Router Protocol) is a Cisco-proprietary FHRP that allows multiple routers to share a virtual IP and MAC address, providing transparent failover. Hosts are configured with the virtual IP as their default gateway, so when the active router fails, the standby router takes over without any host configuration changes. This directly meets the requirement for high availability without host reconfiguration.

Exam trap

Cisco often tests the distinction between proprietary (HSRP) and open standard (VRRP) protocols, leading candidates to pick VRRP because it is non-proprietary, but the question explicitly asks for 'Cisco technology,' making HSRP the intended correct answer.

How to eliminate wrong answers

Option A is wrong because a static default route with a floating static requires manual configuration on the host or router and does not provide transparent failover; the host must be reconfigured or rely on routing protocol convergence, which is not first-hop redundancy. Option B is wrong because GLBP (Gateway Load Balancing Protocol) also provides first-hop redundancy without host changes, but it is not the only correct answer; however, the question asks for the Cisco technology that enables this, and while GLBP does, HSRP is the most commonly referenced and the designated correct answer in this context. Option C is wrong because VRRP (Virtual Router Redundancy Protocol) is an open standard (RFC 5798) that provides similar functionality, but the question specifies 'Cisco technology,' and VRRP is not Cisco-proprietary; Cisco supports VRRP, but HSRP is the native Cisco solution.

996 · Drag & Drop · medium

Drag and drop the steps of DNA Center template deployment to a device into the correct order, from first to last.


Why this order

The correct order begins with creating the template in the project, then committing the template, then attaching it to a site, then provisioning the device, and finally pushing the configuration. This ensures the template is properly versioned and applied during provisioning.

997 · Multi-Select · medium

Which two statements about 802.1X authentication with MAC Authentication Bypass (MAB) are true? (Choose two.)

Select 2 answers
A. MAB is used as a fallback authentication method for devices that do not support 802.1X.
B. MAB requires the supplicant to present a digital certificate for authentication.
C. In MAB, the switch sends the MAC address of the endpoint as the username and password to the RADIUS server.
D. MAB encrypts the MAC address using TLS before sending it to the RADIUS server.
E. MAB uses EAPoL to transport the MAC address between the switch and the endpoint.

Answers: A, C

Correct; MAB allows non-802.1X-capable devices to authenticate.

Why this answer

MAB is used as a fallback for devices that do not have an 802.1X supplicant, and it uses the MAC address as the credential. Option A is correct because MAB is typically configured as a fallback method. Option C is correct because the MAC address is used as both username and password.

Option B is incorrect because MAB does not use certificates; that is for EAP-TLS. Option D is incorrect because MAB sends the MAC address in the clear, not encrypted. Option E is incorrect because MAB does not use EAPoL; it uses RADIUS with the MAC address.

998 · Multi-Select · medium

Which two statements about AAA authentication methods are true? (Choose two.)

Select 2 answers
A. The local method for authentication uses the enable password for privilege level 15 access.
B. The enable method for authentication checks the local username database.
C. The none method for authentication provides fallback to the local database if the server is unreachable.
D. The login local method authenticates users against the local username database.
E. The line password method for authentication uses the enable secret password.

Answers: A, D

Correct because the local method authenticates using the enable password for privilege level 15 access.

Why this answer

The correct answers highlight key differences between local and server-based authentication. Option A is correct because the local method uses the enable password for privilege level 15 access. Option D is correct because the login local method authenticates against the local username database.

Option B is wrong because the enable method does not check the local database; it uses the enable password. Option C is wrong because the none method provides no authentication, not fallback. Option E is wrong because the line password method uses the password command under the line, not the enable password.

999 · Matching · medium

Drag and drop each MPLS VPN type on the left to its matching layer on the right.

Descriptions to match

Operates at Layer 3 using IP routing and VRF

Operates at Layer 2, emulating Ethernet or Frame Relay

Multipoint L2VPN that emulates a LAN

Point-to-point L2VPN that emulates a leased line

L2VPN control plane using BGP for MAC/VXLAN distribution

Why these pairings

L3VPN uses IP routing (Layer 3) and VRF, L2VPN emulates Layer 2 services like Ethernet, VPLS is a multipoint L2VPN, VPWS is a point-to-point L2VPN, and EVPN is a modern L2VPN control plane.

1000 · Multi-Select · hard

Which three statements about Cisco DNA Center Assurance are true? (Choose three.)

Select 3 answers
A. Cisco DNA Center Assurance uses NetFlow, SNMP, and syslog data to analyze network performance and client experience.
B. Cisco DNA Center Assurance assigns a health score to each client based on factors like signal strength, latency, and packet loss.
C. Cisco DNA Center Assurance uses machine learning to detect anomalies and predict potential network issues.
D. Cisco DNA Center Assurance can capture and analyze full packet captures in real time for every flow.
E. Cisco DNA Center Assurance only monitors wired clients and does not provide visibility into wireless client performance.

Answers: A, B, C

Correct because Assurance collects telemetry from multiple sources to provide a holistic view of network health.

Why this answer

DNA Center Assurance provides proactive monitoring and troubleshooting. The correct answers cover its data sources (NetFlow, SNMP, syslog), client health scoring, and AI-driven insights. The wrong answers incorrectly claim real-time packet capture (not a core Assurance feature) and that Assurance only monitors wired clients.

1001 · MCQ · medium

Consider this configuration for TrustSec on a Cisco switch:

```
cts role-based enforcement
interface GigabitEthernet1/0/5
 cts manual
  sap pmk AABBCCDDEEFF00112233445566778899 mode-list both
  propagate sgt
```

What is the purpose of the 'propagate sgt' command under the interface?

A. It allows the switch to receive SGT information from the connected device.
B. It enables the switch to insert SGT tags into packets forwarded out of this interface.
C. It enables the switch to enforce role-based access control on this interface.
D. It configures the interface to use SXP for SGT propagation.

Answer: B

The 'propagate sgt' command enables SGT insertion in packets leaving this interface.

Why this answer

The 'propagate sgt' command enables the switch to insert SGT information into packets received on this interface, allowing SGT propagation to downstream devices.

1002 · MCQ · medium

A network engineer writes a Python script using Paramiko to execute a command on a Cisco IOS device:

```python
import paramiko

ssh = paramiko.SSHClient()
# AutoAddPolicy accepts unknown host keys without verification
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
ssh.connect('192.168.1.1', username='admin', password='cisco123')
stdin, stdout, stderr = ssh.exec_command('show version')
output = stdout.read().decode()
print(output)
ssh.close()
```

What is a potential issue with this approach?

A. The script will work fine because exec_command() sends the command over SSH.
B. The script will fail because the username and password are passed as plaintext; Paramiko requires key-based authentication.
C. The script will fail because Cisco IOS does not support SSH command execution; it requires an interactive shell session.
D. The script will fail because the output should be read using stdout.readlines() instead of stdout.read().

Answer: C

Paramiko's exec_command() opens a single channel that may not work with IOS; using invoke_shell() is needed.

Why this answer

Paramiko's exec_command() is designed for SSH command execution, but Cisco IOS devices do not support direct command execution via SSH like Unix systems. Instead, the device expects an interactive shell. The command may not execute or may return an error because the SSH channel is not a shell.

Netmiko or similar libraries handle this by opening a shell and sending commands.

1003 · MCQ · hard

A network engineer configured VRF TENANT_A and moved the subinterfaces into the VRF. After the change, the CEF table shows the prefixes but the next-hop addresses are unreachable. What is the most likely cause?

A. LISP is not configured to map the virtual network.
B. The next-hop IP addresses are in the global routing table, not in the VRF.
C. OSPF is not redistributing the routes into the VRF.
D. The physical interface is not configured as a trunk.

Answer: B

Next-hops must be in the same VRF to be reachable.

Why this answer

When subinterfaces are moved into a VRF, the CEF table for that VRF will contain the learned prefixes, but the next-hop addresses must also be reachable within the same VRF. If the next-hop IP addresses reside in the global routing table instead of the VRF, the VRF will have no route to those next hops, causing them to be marked as unreachable. This is a common misconfiguration where the next-hop adjacency is not established within the VRF context.

Exam trap

Cisco often tests the concept that VRF creates a completely isolated routing table, and the trap here is that candidates assume CEF showing the prefix means the route is fully functional, overlooking that the next-hop must also be in the same VRF.

How to eliminate wrong answers

Option A is wrong because LISP (Locator/ID Separation Protocol) is not required for basic VRF operation; it is used for overlay network virtualization and mobility, not for resolving next-hop reachability within a VRF. Option C is wrong because OSPF redistribution is not the root cause; the issue is that the next-hop addresses are not present in the VRF's routing table, not that routes are missing from OSPF. Option D is wrong because trunk configuration on the physical interface is irrelevant to VRF next-hop reachability; subinterfaces can be placed into a VRF regardless of whether the parent interface is a trunk or access port.

1004 · MCQ · hard

An engineer is configuring a new access switch that connects to two distribution switches via trunk links. The distribution switches are configured with Rapid PVST+ and are both running as root bridges for different VLANs. The engineer wants to ensure that the access switch does not become the root bridge for any VLAN, even if the distribution switches fail. The engineer also wants to prevent any unauthorized switch from becoming root. What configuration should the engineer apply on the access switch?

A. Configure 'spanning-tree vlan 1-4094 priority 61440' and enable Root Guard on the uplink ports.
B. Configure 'spanning-tree vlan 1-4094 priority 0' and enable BPDU Guard on the uplink ports.
C. Configure 'spanning-tree vlan 1-4094 priority 4096' and enable Loop Guard on the uplink ports.
D. Configure 'spanning-tree vlan 1-4094 priority 61440' and enable BPDU Guard on the uplink ports.
Answer: A

Correct because setting the priority to 61440 ensures the switch will not become root, and Root Guard on uplinks prevents any superior BPDUs from making the switch root.

Why this answer

Option A is correct because setting the spanning-tree priority to 61440 (the highest possible value) ensures the access switch will never become the root bridge, even if the current root bridges fail. Enabling Root Guard on the uplink ports prevents any unauthorized switch from becoming root by placing the port into a root-inconsistent state if a superior BPDU is received, thus protecting the root bridge election.

Exam trap

Cisco often tests the distinction between Root Guard and BPDU Guard, where candidates mistakenly apply BPDU Guard (which shuts down ports receiving any BPDU) instead of Root Guard (which specifically protects the root bridge election) on trunk links.

How to eliminate wrong answers

Option B is wrong because setting the priority to 0 makes the access switch the most likely candidate to become root, which directly contradicts the requirement to prevent it from becoming root. Option C is wrong because priority 4096 is a low value that could allow the access switch to become root if the distribution switches fail, and Loop Guard prevents alternate/root port loops but does not protect against unauthorized root bridges. Option D is wrong because while the priority 61440 is correct, BPDU Guard is used to shut down ports that receive BPDUs (typically on access ports), not to prevent unauthorized root bridges on trunk links; Root Guard is the appropriate feature for this purpose.
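
The election arithmetic behind this answer, as an added worked example (not code from the question bank): with the extended system ID, the 16-bit priority field in a BPDU is the configured priority plus the VLAN ID, the lowest value wins, and the MAC address breaks ties. The bridge IDs, MAC addresses and VLAN below are constructed values. The model also shows why priority alone is not enough: a switch left at the default 32768 still beats a 61440 access switch once the distribution switches are gone, which is the case Root Guard on the uplinks covers.

```python
"""Rapid PVST+ root election and the Root Guard reaction to a superior BPDU.
Constructed example; not the question bank's own code."""

from dataclasses import dataclass


@dataclass(frozen=True)
class BridgeId:
    """Bridge ID as carried in a BPDU: 16-bit priority field + 48-bit MAC.

    With the extended system ID (PVST+/Rapid PVST+) the 16-bit field is the
    configured priority (a multiple of 4096) plus the VLAN ID in the low 12 bits.
    """
    priority: int   # configured value, e.g. 61440
    vlan: int       # 1..4094, folded into the low 12 bits
    mac: str        # e.g. "00:11:22:33:44:55" (constructed)

    @property
    def priority_field(self) -> int:
        if self.priority % 4096 or not 0 <= self.priority <= 61440:
            raise ValueError("priority must be a multiple of 4096 in 0..61440")
        return self.priority + self.vlan

    def sort_key(self):
        # Lower priority field wins; the lower MAC address breaks ties.
        return (self.priority_field, int(self.mac.replace(":", ""), 16))


def elect_root(bridges):
    """Return the bridge that wins the root election for one VLAN."""
    return min(bridges, key=BridgeId.sort_key)


def root_guard_port_state(local_root: BridgeId, received_root: BridgeId,
                          root_guard: bool) -> str:
    """State a designated port takes when a BPDU arrives claiming `received_root`.

    Root Guard moves the port to root-inconsistent when the BPDU is superior
    (would win the election); without it the switch accepts the new root.
    BPDU Guard, by contrast, would err-disable the port on any BPDU at all.
    """
    superior = received_root.sort_key() < local_root.sort_key()
    if superior and root_guard:
        return "root-inconsistent"
    if superior:
        return "root-port"
    return "designated"


if __name__ == "__main__":
    dist1 = BridgeId(24576, 10, "00:00:00:00:00:01")
    access = BridgeId(61440, 10, "00:00:00:00:00:ff")
    rogue = BridgeId(32768, 10, "00:00:00:00:00:aa")   # unmanaged switch, defaults
    print("root with dist1 present:", elect_root([access, dist1, rogue]).mac)
    print("root with dist1 gone:   ", elect_root([access, rogue]).mac)
    print("uplink on superior BPDU:", root_guard_port_state(dist1, BridgeId(0, 10, "00:00:00:00:00:aa"), True))
```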

1005
Drag & Drop (medium)

Drag and drop the steps of MAB (MAC Authentication Bypass) fallback flow into the correct order, from first to last.

Why this order

MAB is used as a fallback when 802.1X fails; the switch detects the MAC, sends a RADIUS Access-Request, ISE checks the MAC database, returns an Access-Accept with a downloadable ACL, and the switch applies the ACL.

1006
MCQ (medium)

A network engineer is configuring a remote access VPN using Cisco AnyConnect on an ASA. The engineer wants to use certificate-based authentication. The ASA is configured with a CA server. After configuration, users can connect, but they are prompted for a username and password instead of using certificates. The engineer checks the ASA configuration and sees that the tunnel group has authentication method set to AAA. What should the engineer do to fix this?

A. Re-enroll the CA certificate on the ASA.
B. Change the connection profile to use the correct group.
C. Configure the group policy to require certificates.
D. Change the tunnel group authentication method to certificate.
Answer: D

Correct because the authentication method must be set to certificate.

Why this answer

For certificate-based authentication, the tunnel group must be configured to use certificate authentication. If it is set to AAA, the ASA will prompt for credentials. Option D is correct because the authentication method must be changed.

Option A is incorrect because the CA is already configured. Option B is incorrect because the connection profile is not the issue. Option C is incorrect because the group policy does not control authentication method.

1007
Drag & Drop (medium)

Drag and drop the steps of SD-WAN policy creation and push via vManage into the correct order, from first to last.

Why this order

Policy creation begins with defining the policy in vManage, then attaching it to a group of devices, after which vManage pushes the policy to vSmart, vSmart translates it into OMP updates, and finally the edge devices receive and enforce the policy.

1008
MCQ (hard)

A telemetry subscription is configured on a Cisco IOS-XE device using gRPC dial-out:

```
telemetry ietf subscription 101
 encoding encode-kvgpb
 filter xpath /interfaces/interface/statistics
 stream yang-push
 update-policy periodic 500
 receiver ip address 10.10.10.10 50001 protocol grpc-tcp
```

What does this configuration do?

A. It sends interface statistics every 500 milliseconds to the receiver using gRPC.
B. It sends interface statistics every 500 seconds to the receiver at 10.10.10.10 port 50001 using gRPC.
C. It sends configuration changes for interfaces to the receiver using gRPC.
D. It sends interface statistics only when there is a change, using a push model.
Answer: B

The periodic value is in seconds; the receiver is correctly specified.

Why this answer

The subscription pushes interface statistics every 500 seconds to a receiver at 10.10.10.10:50001 using gRPC over TCP, which is exactly what option B describes.

1009
MCQ (medium)

A company uses Cisco NFVIS to host a virtual ASA (vASA) and a virtual router (vRouter). The engineer notices that the vASA cannot communicate with the vRouter even though both are on the same NFVIS host. The vASA is connected to a bridge network, and the vRouter is connected to a different bridge. What should the engineer do to enable communication between the two VNFs?

A. Connect a physical cable between two ports on the NFVIS host.
B. Create a new bridge that connects both VNFs, or use a virtual switch to route between the bridges.
C. Configure VLAN tagging on both VNFs with the same VLAN ID.
D. Add a static route on each VNF pointing to the other VNF's IP address.
Answer: B

Correct because placing both VNFs on the same bridge allows Layer 2 communication; alternatively, a virtual router can route between bridges.

Why this answer

In NFVIS, VNFs attached to different bridge networks are isolated at Layer 2. To enable communication between them, you must either create a new bridge that connects both VNFs or use a virtual switch (e.g., a Linux bridge with routing enabled) to forward traffic between the two bridges. This allows the VNFs to share a common Layer 2 domain or have a routed path through the hypervisor.

Exam trap

Cisco often tests the misconception that VLAN tagging alone can connect VNFs across different bridges, but VLANs only segment traffic within a single bridge and do not create connectivity between separate bridges.

How to eliminate wrong answers

Option A is wrong because physically cabling ports on the NFVIS host would create a loop or require external hardware, and NFVIS does not support direct physical loopback connections for internal VNF-to-VNF traffic. Option C is wrong because VLAN tagging alone does not bridge separate bridge networks; both VNFs would need to be on the same bridge with matching VLANs for Layer 2 connectivity. Option D is wrong because static routes only work if there is already a Layer 3 path between the VNFs; with different bridges, there is no connectivity at Layer 2 or Layer 3 without an intermediate router or bridge.

1010
MCQ (medium)

An Ansible playbook uses the cisco.ios.ios_l3_interfaces module to configure an IPv4 address on GigabitEthernet0/1:

```yaml
---
- name: Configure IPv4 address
  hosts: cisco-routers
  gather_facts: no
  tasks:
    - name: Set IP address
      cisco.ios.ios_l3_interfaces:
        config:
          - name: GigabitEthernet0/1
            ipv4:
              - address: 10.1.1.1/24
        state: merged
```

What is the effect of the 'state: merged' parameter?

A. It replaces the entire L3 configuration on the interface with only the provided address.
B. It adds the IP address to the interface, merging with any existing configuration.
C. It deletes the IP address if it exists.
D. It only checks the configuration without making changes.
Answer: B

'merged' adds the configuration to the existing one without removing other settings.

Why this answer

The 'merged' state adds the provided configuration to the existing configuration without removing any other settings. If the interface already has an IP address, it will be replaced only if the address is different; otherwise, it remains unchanged.

1011
MCQ (easy)

What is the default OSPF reference bandwidth used for cost calculation in Cisco IOS?

A. 100 Mbps
B. 1000 Mbps
C. 10 Mbps
D. 1 Mbps
Answer: A

The default reference bandwidth is 100 Mbps, as defined in the OSPF specification.

Why this answer

In Cisco IOS, the default OSPF reference bandwidth is 100 Mbps. OSPF calculates the cost of an interface as the reference bandwidth divided by the interface bandwidth. With the default reference of 100 Mbps, a FastEthernet (100 Mbps) interface gets a cost of 1, which is the minimum cost.

This default was established when FastEthernet was considered high-speed, but it can be changed using the 'auto-cost reference-bandwidth' command to accommodate faster links like GigabitEthernet.

Exam trap

Cisco often tests the default OSPF reference bandwidth as 100 Mbps, and the trap here is that candidates confuse it with the actual interface bandwidth (e.g., 10 Mbps for Ethernet) or assume it matches the fastest common link speed (e.g., 1000 Mbps for GigabitEthernet).

How to eliminate wrong answers

Option B (1000 Mbps) is wrong because 1000 Mbps is not the default; it is a common value set manually to avoid cost rounding issues on GigabitEthernet and faster interfaces. Option C (10 Mbps) is wrong because 10 Mbps is the bandwidth of an Ethernet interface, not the reference bandwidth; using 10 Mbps would make all faster links have fractional costs. Option D (1 Mbps) is wrong because 1 Mbps is the bandwidth of a legacy serial link and would result in extremely high costs for modern interfaces; the default reference bandwidth is 100 Mbps.

1012
MCQ (medium)

Consider the following TrustSec configuration on a Cisco switch:

```
cts role-based enforcement
interface GigabitEthernet1/0/3
 cts manual
  sap pmk 0123456789ABCDEF mode-list both
```

What is the purpose of this configuration?

A. It enables 802.1X authentication with a pre-shared key.
B. It configures the interface to use SGT (Security Group Tag) propagation via SXP.
C. It enables CTS inline tagging with a pre-shared key for SGT exchange between peers.
D. It enables dynamic VLAN assignment based on user authentication.
Answer: C

The 'cts manual' with 'sap pmk' configures manual TrustSec with inline SGT tagging using a pre-shared key.

Why this answer

This enables CTS role-based enforcement globally and configures the interface for manual CTS with a pre-shared key (PMK) for SGT exchange. The 'mode-list both' allows both source and destination SGT enforcement.

1013
Drag & Drop (medium)

Drag and drop the steps of EIGRP stub configuration for hub-and-spoke into the correct order, from first to last.

Why this order

In hub-and-spoke EIGRP, the spoke router is configured as a stub to limit query propagation. First, enter router configuration mode, then enable EIGRP on the spoke, configure it as a stub, optionally restrict advertised routes, and finally verify the stub status.

1014
MCQ (easy)

A network team must design QoS for a campus network that carries voice, video, and data traffic. The design must use the DiffServ model and ensure that voice traffic is prioritized over all other traffic classes. Which DSCP marking and queuing strategy should be used for voice?

A. Mark voice with AF41 and place in a weighted fair queue.
B. Mark voice with EF and place in a strict priority queue.
C. Mark voice with CS3 and place in a low-latency queue.
D. Mark voice with BE and rely on WRED for drop precedence.
Answer: B

EF (DSCP 46) is the standard marking for voice, and strict priority queue ensures minimal delay.

Why this answer

Option B is correct because voice traffic requires strict priority to ensure minimal jitter and latency. DSCP EF (Expedited Forwarding, per RFC 3246) is the standard marking for real-time traffic like voice, and placing it in a strict priority queue (LLQ) guarantees that voice packets are serviced before any other queue, which is essential for meeting QoS requirements in a DiffServ model.

Exam trap

The trap here is that candidates often confuse AF41 (used for video) with voice marking, or assume that any low-latency queue (LLQ) works regardless of DSCP value, but Cisco specifically tests that voice must use EF and strict priority queue, not just any low-latency queue.

How to eliminate wrong answers

Option A is wrong because AF41 (Assured Forwarding class 4, low drop probability) is designed for traffic that can tolerate some delay and jitter, such as video conferencing, not for voice which needs strict priority; weighted fair queue does not provide the absolute priority required for voice. Option C is wrong because CS3 (Class Selector 3) is a legacy marking that does not guarantee low latency or strict priority; while a low-latency queue (LLQ) is correct, the DSCP marking must be EF for voice, not CS3. Option D is wrong because BE (Best Effort, DSCP 0) is the default marking for non-priority traffic, and WRED (Weighted Random Early Detection) is a congestion avoidance mechanism that drops packets before queue overflow, which is unsuitable for voice as it introduces jitter and packet loss.

1015
Drag & Drop (medium)

Drag and drop the steps of BGP session establishment between eBGP peers into the correct order, from first to last.

Why this order

BGP session establishment begins with the TCP three-way handshake (SYN, SYN-ACK, ACK). Once TCP is established, BGP sends an OPEN message to negotiate capabilities. The peer responds with an OPEN message.

After both OPENs are exchanged, BGP sends KEEPALIVE messages. Finally, the session moves to the Established state and UPDATE messages can be exchanged.
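
The exchange above carried through on the wire, as an added example that is not part of the question bank: the OPEN and KEEPALIVE messages are built and parsed in their RFC 4271 format (16-byte all-ones marker, 2-byte length, 1-byte type; OPEN carries version 4, AS number, hold time and BGP identifier), and one peer is walked through Idle, Connect, OpenSent, OpenConfirm and Established. Both peers are simulated in-process, so no TCP session is opened; the AS numbers and router IDs are constructed values. The parser rejects a bad marker or a length field that does not match the data, the basic sanity checks a monitoring tool would apply before trusting a captured BGP message.

```python
"""BGP OPEN / KEEPALIVE wire format (RFC 4271) and the eBGP session state
sequence. Constructed example; peers are simulated, no socket is used."""

import struct

MARKER = b"\xff" * 16
OPEN, UPDATE, NOTIFICATION, KEEPALIVE = 1, 2, 3, 4


def build_open(my_as: int, hold_time: int, router_id: str) -> bytes:
    """OPEN: version 4, 2-byte AS, hold time, 4-byte BGP identifier, no optional parameters."""
    rid = bytes(int(octet) for octet in router_id.split("."))
    body = struct.pack("!BHH4sB", 4, my_as, hold_time, rid, 0)
    return MARKER + struct.pack("!HB", 19 + len(body), OPEN) + body


def build_keepalive() -> bytes:
    """KEEPALIVE is a bare 19-byte header."""
    return MARKER + struct.pack("!HB", 19, KEEPALIVE)


def parse_message(data: bytes):
    """Return (type, body); reject a bad marker or an inconsistent length field."""
    if len(data) < 19 or data[:16] != MARKER:
        raise ValueError("bad BGP marker")
    length, mtype = struct.unpack("!HB", data[16:19])
    if length != len(data) or length < 19 or length > 4096:
        raise ValueError("bad BGP length")
    return mtype, data[19:]


def parse_open(body: bytes) -> dict:
    version, asn, hold, rid, _optlen = struct.unpack("!BHH4sB", body[:10])
    if version != 4:
        raise ValueError("unsupported BGP version")
    return {"as": asn, "hold_time": hold, "router_id": ".".join(str(b) for b in rid)}


def establish_session(local_as: int, remote_as: int, local_id: str, remote_id: str):
    """Walk one eBGP peer through its FSM after the TCP handshake completes.

    Returns the visited states and the negotiated hold time (the smaller of
    the two values offered in the OPEN messages).
    """
    states = ["Idle", "Connect"]           # TCP three-way handshake completes here
    my_open = build_open(local_as, 180, local_id)
    peer_open = build_open(remote_as, 90, remote_id)
    states.append("OpenSent")              # our OPEN is on the wire
    mtype, body = parse_message(peer_open)
    if mtype != OPEN:
        raise ValueError("expected OPEN from peer")
    peer = parse_open(body)
    if peer["as"] == local_as:             # eBGP requires a different AS
        raise ValueError("eBGP peer must use a different AS")
    hold = min(peer["hold_time"], parse_open(parse_message(my_open)[1])["hold_time"])
    states.append("OpenConfirm")           # both OPENs exchanged
    mtype, _ = parse_message(build_keepalive())
    if mtype == KEEPALIVE:                 # peer's KEEPALIVE confirms the OPEN
        states.append("Established")       # UPDATEs may now flow
    return states, hold


if __name__ == "__main__":
    print(establish_session(65001, 65002, "10.0.0.1", "10.0.0.2"))
```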

1016
Drag & Drop (medium)

Drag and drop the steps of OpenAPI schema validation for DNA Center REST call into the correct order, from first to last.

Why this order

The correct order begins with retrieving the OpenAPI specification from DNA Center, then parsing the endpoint definition, validating the request parameters against the schema, checking the response structure, and finally confirming compliance with the API contract.

1017
Multi-Select (hard)

Which three statements about Cisco DNA Center wireless assurance are true? (Choose three.)

Select 3 answers
A. DNA Center collects telemetry from wireless controllers and access points to provide health scores for clients and APs.
B. DNA Center can be used to troubleshoot client connectivity issues by replaying historical client association events.
C. DNA Center uses synthetic test clients (sensors) to simulate client traffic and measure wireless performance.
D. DNA Center replaces the WLC for real-time client association and roaming decisions.
E. DNA Center requires a dedicated wireless LAN controller to be deployed solely for assurance data collection.
Answers: A, B, C

Correct because DNA Center uses telemetry from the network infrastructure to compute health scores for proactive monitoring.

Why this answer

DNA Center provides proactive health monitoring, client troubleshooting via historical data, and sensor-based proactive testing. It does not replace the WLC for real-time client association, nor does it require a separate controller for assurance data.

1018
MCQ (medium)

A network operations center (NOC) is deploying streaming telemetry from Cisco IOS-XE devices to a Kafka-based analytics platform. The engineer needs to ensure that the telemetry data is encoded in a compact, efficient format for high-volume streaming. Which encoding format should the engineer configure?

A. Google Protocol Buffers (GPB) encoding.
B. JSON encoding.
C. XML encoding.
D. CSV encoding.
Answer: A

Correct because GPB is a binary, compact format that minimizes bandwidth and CPU usage for high-volume streaming.

Why this answer

For high-volume streaming telemetry, efficient encoding is critical. Option A is correct because GPB (Google Protocol Buffers) is a compact binary format that reduces bandwidth and parsing overhead. Option B is incorrect because JSON is text-based and verbose.

Option C is incorrect because XML is even more verbose. Option D is incorrect because CSV is not a standard telemetry encoding and lacks structure.

1019
MCQ (medium)

A network engineer runs the following command on a Cisco WLC:

```
WLC# show client summary
Client MAC Address  AP Name  WLAN  State  Protocol  RSSI  SNR
00:11:22:33:44:55   AP-1     1     Run    802.11ac  -65   25
00:11:22:33:44:66   AP-2     2     Run    802.11n   -70   20
00:11:22:33:44:77   AP-1     1     Run    802.11ac  -60   30
00:11:22:33:44:88   AP-3     3     Probe  802.11ax  -75   15
```

Based on this output, what can be concluded?

A. All clients are fully associated and passing traffic.
B. The client with MAC 00:11:22:33:44:88 is attempting to associate but is not yet connected.
C. The client with MAC 00:11:22:33:44:55 has the best signal strength.
D. All clients are using 802.11ac or higher.
Answer: B

Probe state indicates the client is sending probe requests but not yet associated.

Why this answer

The output shows client states: 'Run' means associated and active, 'Probe' means the client is probing but not yet associated. The client with MAC ending 88 is in Probe state, indicating it is not fully connected.
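
A parser for this table, as an added example that is not part of the question bank, so each answer option can be checked against the output rather than by eye. The sample text is the question's output embedded as a constructed string; rows are recognised by a leading MAC address, so the prompt and header lines are skipped without hard-coding their wording.

```python
"""Parse WLC 'show client summary' output and evaluate the four claims.
Constructed example; the sample output is copied from the question."""

from dataclasses import dataclass

SAMPLE_OUTPUT = """\
WLC# show client summary
Client MAC Address  AP Name  WLAN  State  Protocol  RSSI  SNR
00:11:22:33:44:55   AP-1     1     Run    802.11ac  -65   25
00:11:22:33:44:66   AP-2     2     Run    802.11n   -70   20
00:11:22:33:44:77   AP-1     1     Run    802.11ac  -60   30
00:11:22:33:44:88   AP-3     3     Probe  802.11ax  -75   15
"""


@dataclass
class ClientEntry:
    mac: str
    ap_name: str
    wlan: int
    state: str
    protocol: str
    rssi: int   # dBm, negative; closer to zero is stronger
    snr: int    # dB


def parse_client_summary(text: str):
    """Return one ClientEntry per data row; prompt and header lines are ignored."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        # Data rows have exactly seven columns and start with a six-octet MAC.
        if len(fields) != 7 or fields[0].count(":") != 5:
            continue
        mac, ap, wlan, state, proto, rssi, snr = fields
        entries.append(ClientEntry(mac, ap, int(wlan), state, proto, int(rssi), int(snr)))
    return entries


def clients_not_associated(entries):
    """MACs of clients in any state other than Run (e.g. Probe)."""
    return [e.mac for e in entries if e.state != "Run"]


def strongest_client(entries) -> str:
    """MAC of the client with the best (least negative) RSSI."""
    return max(entries, key=lambda e: e.rssi).mac


def all_at_least_11ac(entries) -> bool:
    return all(e.protocol in ("802.11ac", "802.11ax") for e in entries)


if __name__ == "__main__":
    clients = parse_client_summary(SAMPLE_OUTPUT)
    print("not associated:", clients_not_associated(clients))
    print("strongest:     ", strongest_client(clients))
    print("all >= 11ac:   ", all_at_least_11ac(clients))
```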

1020
Multi-Select (hard)

Which three statements about EtherChannel configuration and verification are true? (Choose three.)

Select 3 answers
A. All member ports in an EtherChannel must have the same speed and duplex settings.
B. The 'channel-group 1 mode on' command enables LACP negotiation on the interface.
C. The command 'show etherchannel summary' displays the port-channel interface status and which member ports are bundled.
D. If a member link is configured as a trunk but the port-channel interface is an access port, the channel will still form.
E. When using LACP, the 'lacp rate fast' command reduces the interval for sending LACPDUs from 30 seconds to 1 second.
Answers: A, C, E

Correct because mismatched speed or duplex will prevent the channel from being established.

Why this answer

EtherChannel configuration requires consistent settings across member ports (speed, duplex, VLAN, trunking). The 'show etherchannel summary' command displays the state (SU for Layer 2 in use, P for bundled). The 'on' mode forces the channel without negotiation.

Misconfigurations can cause the channel to not form or to flap.

1021
Matching (medium)

Drag and drop each STP timer on the left to its matching default value on the right.

Why these pairings

Hello timer defaults to 2 seconds; Forward delay defaults to 15 seconds; Max age defaults to 20 seconds.

1022
Multi-Select (hard)

Which three statements about Cisco SD-Access policy enforcement are true? (Choose three.)

Select 3 answers
A. Policy enforcement in SD-Access is based on Scalable Group Tags (SGTs) assigned to endpoints.
B. Cisco ISE is used to define and manage SGT-to-policy mappings in the SD-Access fabric.
C. The fabric border node enforces all intra-fabric policies between different virtual networks.
D. The SGT information is carried in the VXLAN header using the Group Policy Option (GPO).
E. The underlay network devices must be aware of SGTs to forward traffic correctly.
Answers: A, B, D

Correct because SGTs are the foundation for group-based policy, allowing dynamic segmentation.

Why this answer

SD-Access uses Scalable Group Tags (SGTs) for micro-segmentation, and policies are defined in Cisco ISE (Identity Services Engine). The fabric edge enforces policies by applying SGTs to traffic and using SGT-based ACLs. The control plane (LISP) distributes SGT mappings, but policy enforcement is done at the edge.

The border node does not enforce policies for internal fabric traffic; it only handles external connectivity. The SGT is carried in the VXLAN header using the Group Policy Option. The underlay network is unaware of SGTs.

1023
MCQ (medium)

A network engineer is configuring a Cisco SD-WAN solution for a retail chain with hundreds of stores. The engineer wants to use a centralized data policy to steer all YouTube traffic to a specific WAN link (broadband) to save MPLS bandwidth. The engineer creates a policy that matches YouTube traffic by destination IP and sets the preferred color to 'biz-internet'. After applying the policy, the engineer tests and finds that YouTube traffic is still using the MPLS link. The vEdge routers show that the policy is received and active. What is the most likely reason?

A. The vEdge routers have not rebooted after the policy was applied.
B. The data policy was applied on the vEdge instead of the vSmart.
C. The policy does not include a match condition for the correct VPN or site list.
D. YouTube traffic is encrypted and cannot be matched by destination IP.
Answer: C

Correct because the policy must be associated with the specific VPN and site list to apply to the traffic.

Why this answer

Option C is correct because a centralized data policy in Cisco SD-WAN must include match conditions for both the VPN (service-side VRF) and the site list to which the policy applies. Without specifying the correct VPN or site list, the policy may be received and active on the vEdge but will not match the traffic flows, causing them to fall through to the default routing behavior (e.g., MPLS). The policy matches destination IPs, but if the VPN or site scope is missing or incorrect, the vEdge will not apply the policy to the relevant traffic.

Exam trap

Cisco often tests the misconception that a data policy only needs a destination IP match to steer traffic, but the trap here is that the policy must also specify the correct VPN (or service-side VRF) and site list to scope the policy to the intended traffic flows.

How to eliminate wrong answers

Option A is wrong because vEdge routers do not require a reboot for data policies to take effect; policies are applied dynamically via the OMP (Overlay Management Protocol) and become active immediately upon receipt from vSmart. Option B is wrong because centralized data policies are designed to be configured on the vSmart controller and pushed to vEdge routers; applying the policy directly on the vEdge would be a local policy, not a centralized one, but the question states the policy is received and active, indicating it was correctly pushed from vSmart. Option D is wrong because YouTube traffic uses HTTPS (TLS) for encryption, but the destination IP addresses of YouTube servers are still visible in the packet headers and can be matched by a data policy; encryption does not obscure the destination IP.

1024
Drag & Drop (medium)

Drag and drop the steps of KVM VM provisioning via virsh CLI into the correct order, from first to last.

Why this order

The provisioning process starts with defining the VM XML, then starting it, installing the OS, and finally accessing the console.

1025
MCQ (medium)

A network engineer configures an IP SLA on a Cisco router to monitor reachability to a critical server at 10.1.1.1 using ICMP echo. The IP SLA is used as a track object for a static default route. After deployment, the engineer notices that the static route is never removed from the routing table, even when the server is unreachable. The IP SLA operation shows 'State: Active' and 'Latest RTT: NoConnection/Busy/Timeout'. What is the most likely cause?

A. The IP SLA operation is not configured with a timeout value, so it never times out.
B. The IP SLA operation needs a threshold configured to mark the operation as 'down' when the RTT exceeds the threshold or a timeout occurs.
C. The track object must be configured with a 'down' delay to allow the route to be removed.
D. The static route must be configured with a higher administrative distance to allow the IP SLA to remove it.
Answer: B

Correct. IP SLA uses thresholds to determine when an operation should be considered failed. Without a threshold, the operation stays active regardless of timeouts.

Why this answer

The IP SLA operation is not failing because the threshold has not been configured. Without a threshold, the operation never transitions to a 'down' state, so the track object never triggers the removal of the static route.

1026
MCQ (easy)

Which PIM mode requires a rendezvous point (RP) to function?

A. PIM Dense-Mode
B. PIM Sparse-Mode
C. PIM Sparse-Dense-Mode
D. PIM Bidirectional
Answer: B

Correct. Sparse-mode requires an RP to manage group membership.

Why this answer

PIM sparse-mode (SM) requires an RP to act as a meeting point for receivers and sources. Dense-mode uses flood-and-prune without an RP, and bidirectional PIM also uses an RP but with a different mechanism.

1027
MCQ (medium)

Examine the following configuration snippet:

```
ip pim send-rp-announce Loopback0 scope 10 group-list 10
ip pim send-rp-discovery scope 10
access-list 10 permit 239.0.0.0 0.255.255.255
!
interface Loopback0
 ip address 192.168.0.1 255.255.255.255
 ip pim sparse-mode
!
```

What is the purpose of this configuration?

A. The router will act as both a candidate RP for groups 239.0.0.0/8 and a mapping agent for Auto-RP within a scope of 10 hops.
B. The router will only act as a mapping agent and will not advertise itself as an RP.
C. The router will use the IP address of GigabitEthernet0/0 as the RP address.
D. The router will only accept RP announcements from other routers within 10 hops.
Answer: A

Correct. The router is configured as both a candidate RP and a mapping agent, with a TTL scope of 10.

Why this answer

This configures the router as an Auto-RP mapping agent and candidate RP. The 'send-rp-announce' command advertises this router as a candidate RP for groups matching ACL 10 (239.0.0.0/8) with a TTL scope of 10. The 'send-rp-discovery' command makes the router act as a mapping agent, listening for RP announcements and sending RP-discovery messages.

The loopback interface is used as the RP address.

1028
MCQ (medium)

Examine the following Python script that uses the netmiko library to send configuration commands to a Cisco IOS-XE device:

```python
from netmiko import ConnectHandler

device = {
    'device_type': 'cisco_ios',
    'ip': '192.168.1.1',
    'username': 'admin',
    'password': 'cisco',
}

connection = ConnectHandler(**device)
config_commands = [
    'interface GigabitEthernet1/0/1',
    'description Link to Core',
    'ip address 10.1.1.1 255.255.255.0',
    'no shutdown',
]
output = connection.send_config_set(config_commands)
print(output)
connection.disconnect()
```

What is the purpose of this script?

A. It retrieves the running configuration of the device.
B. It configures interface GigabitEthernet1/0/1 with a description, IP address, and enables it.
C. It saves the configuration to the startup configuration.
D. It tests connectivity to the device using ping.
Answer: B

The commands configure the interface as described.

Why this answer

The script sends configuration commands that give the interface a description and an IP address and then enable it with 'no shutdown'. It does not read the running configuration, save to startup, or ping the device.
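
A sturdier way to run the same push, as an added example (not the question's script and not netmiko's own code): the device credentials are read from environment variables instead of being kept in clear text in the script, every line the device echoes back is checked for IOS rejection markers before anything is saved, and the session is always closed. The host, interface, address and the NET_USER / NET_PASS variable names are assumptions; the rejected-command output below is a constructed sample. netmiko is imported only inside push_config, so the helpers run without the library installed.

```python
"""Hardened netmiko config push: credentials from the environment, output
checked for rejected commands, config saved only on a clean push.
Constructed example; host, interface and variable names are assumptions."""

import os


def build_interface_commands(name: str, description: str, ip: str, mask: str):
    """Command list for send_config_set(); same lines as the question's script."""
    return [
        f"interface {name}",
        f"description {description}",
        f"ip address {ip} {mask}",
        "no shutdown",
    ]


# IOS echoes one of these when it rejects a configuration line.
ERROR_MARKERS = ("% Invalid input", "% Incomplete command",
                 "% Ambiguous command", "% Unknown command")


def find_cli_errors(output: str):
    """Lines of device output that show a command was rejected."""
    return [line.strip() for line in output.splitlines()
            if any(marker in line for marker in ERROR_MARKERS)]


def device_from_env(host: str) -> dict:
    """netmiko connection dict with the password taken from NET_PASS (assumed name)."""
    try:
        return {
            "device_type": "cisco_ios",
            "ip": host,
            "username": os.environ["NET_USER"],
            "password": os.environ["NET_PASS"],
        }
    except KeyError as missing:
        raise SystemExit(f"set {missing} in the environment before running") from None


def push_config(host: str, commands):
    """Connect, push, verify the echo, save; disconnect on every path."""
    from netmiko import ConnectHandler  # real library, same call as the question's script

    conn = ConnectHandler(**device_from_env(host))
    try:
        output = conn.send_config_set(commands)
        errors = find_cli_errors(output)
        if errors:
            raise RuntimeError("device rejected config: " + "; ".join(errors))
        conn.save_config()  # netmiko's 'write memory' wrapper for cisco_ios
        return output
    finally:
        conn.disconnect()


# Constructed sample of what IOS echoes for a mistyped command.
SAMPLE_REJECTED_OUTPUT = """\
configure terminal
SW1(config)#interface GigabitEthernet1/0/1
SW1(config-if)#ip addres 10.1.1.1 255.255.255.0
                  ^
% Invalid input detected at '^' marker.
SW1(config-if)#end
"""


if __name__ == "__main__":
    cmds = build_interface_commands("GigabitEthernet1/0/1", "Link to Core",
                                    "10.1.1.1", "255.255.255.0")
    print(push_config("192.168.1.1", cmds))  # assumed management address
```

Checking the echoed output matters because send_config_set does not raise when IOS rejects a line; without the check the script in the question reports success even if the address never got applied.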

1029
MCQ (hard)

A network engineer is configuring PIM sparse mode in a network that uses a Bootstrap Router (BSR) for RP discovery. The engineer has configured a candidate BSR and candidate RPs. However, some routers in the network are not learning the RP set. The engineer checks the BSR and sees that it is receiving candidate RP advertisements, but the BSR messages are not being forwarded to all routers. What is the most likely cause?

A. PIM is not enabled on all interfaces between the BSR and the other routers.
B. The candidate BSR priority is set too low.
C. The candidate RPs are not in the same OSPF area as the BSR.
D. The BSR is not configured as a candidate RP.
Answer: A

Correct because BSR messages rely on PIM to flood; without PIM on intermediate interfaces, the messages are dropped.

Why this answer

BSR messages are flooded hop-by-hop using PIM. If PIM is not enabled on all interfaces between the BSR and the other routers, the BSR messages will not be forwarded, preventing RP discovery.

1030
Drag & Drop (medium)

Drag and drop the steps of deploying a virtual router as a VNF into the correct order, from first to last.

Why this order

Deploying a virtual router VNF starts with uploading the image, then creating the VM, attaching virtual interfaces, configuring routing protocols, and finally verifying connectivity.

1031
Drag & Drop (medium)

Drag and drop the steps of AAA accounting for command logging setup into the correct order, from first to last.

Why this order

AAA accounting for commands requires first enabling AAA globally, then defining an accounting method list for commands. The method list is applied to a line (e.g., vty or console). The device then sends command logs to the accounting server, which records them.

1032
MCQ (easy)

A network engineer runs the following command on Switch SW1:

```
SW1# show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/1, Gi0/2, Gi0/3
10   Sales                            active    Gi0/4, Gi0/5
20   Engineering                      active    Gi0/6, Gi0/7
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
```

Based on this output, what can be concluded?

A. VLANs 10 and 20 are configured and have ports assigned
B. All VLANs are in the active state and supported
C. VLAN 1 is the only VLAN with ports assigned
D. The switch is running VTP transparent mode
Answer: A

The output shows VLANs 10 and 20 with status 'active' and ports assigned (Gi0/4, Gi0/5 for VLAN 10; Gi0/6, Gi0/7 for VLAN 20).

Why this answer

The output shows VLANs configured on the switch. VLANs 1, 10, and 20 are active and have ports assigned. VLANs 1002-1005 are default VLANs that are not supported on this platform (act/unsup).

The correct answer is that VLANs 10 and 20 are configured and have ports assigned.

1033
MCQ (easy)

An enterprise is deploying Cisco SD-WAN with multiple vSmart controllers for redundancy. The engineer configures the vEdge routers to connect to two vSmart controllers. After deployment, the engineer notices that the vEdge routers are only connected to one vSmart, and the second vSmart is not being used. The vEdge routers show that the second vSmart is reachable. What is the most likely reason for this behavior?

A. The vEdge routers are designed to use only one vSmart at a time; the second is for redundancy.
B. The vEdge routers can only connect to one vSmart at a time.
C. The vEdge routers need to be rebooted to establish a connection to the second vSmart.
D. The second vSmart has a different site ID than the first.
Answer: A

Correct because vEdge routers use a single active vSmart for OMP, and the second is a backup.

Why this answer

In Cisco SD-WAN, vEdge routers are designed to establish a control connection to only one active vSmart controller at a time, even when multiple vSmart controllers are configured for redundancy. The second vSmart serves as a standby; the vEdge will fail over to it only if the primary vSmart becomes unreachable. Since the vEdge shows the second vSmart is reachable but not actively used, this confirms the expected behavior of active/standby redundancy rather than load balancing.

Exam trap

Cisco often tests the misconception that multiple vSmart controllers are used for load balancing or concurrent connections, when in fact they are strictly for active/standby redundancy, and a vEdge will only ever hold one active control connection at a time.

How to eliminate wrong answers

Option B is wrong because vEdge routers can indeed be configured with multiple vSmart controllers, but they do not maintain simultaneous active connections to all of them; the design is active/standby, not concurrent. Option C is wrong because rebooting the vEdge would not force it to connect to the second vSmart; the vEdge will only switch to the standby vSmart if the primary fails, regardless of reboot. Option D is wrong because site ID is used for OMP route propagation and policy, not for determining which vSmart a vEdge connects to; vSmart selection is based on DTLS/TLS control connections and priority, not site ID.

1034
Multi-Selecthard

Which three statements about VRF route targets are true? (Choose three.)

A.Route targets are used to control which routes are imported into a VRF.
B.Route targets are used to control which routes are exported from a VRF.
C.A VRF can have multiple import and export route targets configured.
D.Route targets and route distinguishers are the same BGP attribute.
E.Route targets are only used in MPLS VPN and not in VRF-lite.
AnswersA, B, C

Correct because the 'route-target import' command specifies which RTs cause a route to be installed in the VRF.

Why this answer

Route targets (RTs) are BGP extended communities used in MPLS VPN to control route import and export between VRFs. The correct answers describe the role of RTs in importing routes into a VRF, exporting routes from a VRF, and the fact that multiple RTs can be configured per VRF. The incorrect options confuse RTs with route distinguishers (RDs) or claim that RTs are not used in VRF-lite (they are used in VRF-lite with BGP as well).

1035
MCQmedium

A network engineer is troubleshooting OSPF adjacency issues between two routers connected via a Gigabit Ethernet link. The engineer notices that the routers are stuck in the EXSTART state. Both routers have the same MTU of 1500 bytes. What is the most likely cause of this issue?

A.The OSPF network type is point-to-point on one router and broadcast on the other.
B.The OSPF hello and dead intervals are mismatched.
C.One router has a lower IP MTU configured on the interface, causing the DBD packet to be dropped.
D.The OSPF router IDs are the same.
AnswerC

Correct because OSPF routers exchange DBD packets in the EXSTART state. If the DBD packet size exceeds the IP MTU, the packet is dropped, and the routers remain stuck in EXSTART.

Why this answer

When OSPF routers are stuck in the EXSTART state, it typically indicates a problem with the Database Description (DBD) packet exchange. Even though both routers have the same configured MTU of 1500 bytes, one router may have a lower IP MTU on its interface (for example, because of a different interface MTU or encapsulation overhead), causing the larger DBD packet from its neighbor to be dropped. Because OSPF does not fragment DBD packets, a mismatch in the actual IP MTU prevents the adjacency from progressing beyond EXSTART.

Exam trap

Cisco often tests the nuance that the configured MTU (e.g., 1500 bytes) may not equal the actual IP MTU due to overhead from encapsulation or interface settings, leading to DBD packet drops and a stuck EXSTART state.

How to eliminate wrong answers

Option A is wrong because mismatched OSPF network types (e.g., point-to-point vs. broadcast) would cause the routers to get stuck in the INIT or 2-WAY state, not EXSTART; the DBD exchange process is not even reached. Option B is wrong because mismatched hello and dead intervals prevent the routers from forming a neighbor relationship at all, leaving them stuck in the DOWN or INIT state, not EXSTART. Option D is wrong because duplicate OSPF router IDs would cause a conflict that prevents adjacency formation, typically resulting in a state of DOWN or INIT, not EXSTART.

1036
MCQmedium

A network engineer runs the following command on Router R6:

```
R6# show ip dhcp conflict

IP address  Detection method  Detection time        VRF
10.0.0.10   Ping              Mar 01 2025 10:00 AM  default
10.0.0.15   Gratuitous ARP    Mar 01 2025 10:05 AM  default
```

Based on this output, what can be concluded?

A.The DHCP server has successfully assigned these addresses to clients.
B.The addresses 10.0.0.10 and 10.0.0.15 are unavailable for DHCP assignment.
C.The DHCP server uses only ping to detect conflicts.
D.The conflicts were caused by the DHCP server itself.
AnswerB

Conflicted addresses are excluded from the pool until the conflict is cleared.

Why this answer

The output shows two IP address conflicts detected by the DHCP server. One was detected via ping, the other via gratuitous ARP. These addresses are marked as conflicted and will not be assigned until resolved.

1037
Matchingeasy

Drag and drop each broadband type on the left to its matching technology on the right.

Matches

Uses telephone copper pairs

Uses coaxial cable

Uses optical fiber

Uses cellular radio

Uses geostationary or LEO orbit

Why these pairings

DSL uses telephone lines, Cable uses coaxial, Fiber uses optical, 4G LTE uses cellular, Satellite uses RF to orbit.

1038
Matchingmedium

Drag and drop each EIGRP router role on the left to its matching definition on the right.

Matches

Next-hop router with the lowest metric for a destination

Backup next-hop router meeting the feasibility condition

Directly connected EIGRP router exchanging Hello packets

Router is actively querying for a route

Router has a valid route and is not querying

Why these pairings

Successor is the next-hop router with the lowest metric; Feasible Successor is a backup that meets the feasibility condition; Neighbor is a directly connected EIGRP router.

1039
MCQhard

An engineer configures model-driven telemetry on a Cisco IOS-XE device with the following gRPC dial-out configuration:

```
telemetry ietf subscription 101
 encoding encode-kvgpb
 filter xpath /interfaces/interface/state/counters
 source-address 10.1.1.1
 stream yang-push
 update-policy periodic 500
 receiver ip address 10.2.2.2 50001 protocol grpc-tcp
```

What is the purpose of the 'encoding encode-kvgpb' command?

A.It sets the encoding to JSON format for human readability.
B.It specifies that the data should be encoded using the Key-Value Google Protocol Buffers format.
C.It enables compression of the telemetry data.
D.It sets the encoding to XML format.
AnswerB

KV-GPB is a binary encoding used for telemetry data.

Why this answer

The 'encoding encode-kvgpb' command specifies that the telemetry data should be encoded using the Key-Value Google Protocol Buffers (KV-GPB) format, which is a compact binary encoding used for efficient data transmission.

1040
MCQeasy

A company is deploying Cisco DNA Center and wants to use streaming telemetry from its network devices to provide real-time visibility. The network consists of Cisco Catalyst 9000 switches running IOS-XE. The engineer needs to configure the devices to stream telemetry data to DNA Center. Which protocol should the engineer use for the telemetry transport?

A.gRPC (Google Remote Procedure Call).
B.NetFlow v9.
C.SNMPv3.
D.Syslog.
AnswerA

Correct because gRPC is the standard transport for model-driven telemetry in Cisco DNA Center deployments.

Why this answer

Cisco DNA Center uses model-driven telemetry with gRPC as the preferred transport for streaming data from IOS-XE devices. Option A is correct because gRPC is the standard for MDT. Option B is incorrect because NetFlow is for flow data, not device state.

Option C is incorrect because SNMP is not used for streaming telemetry in DNA Center. Option D is incorrect because syslog is for log messages, not structured telemetry.

1041
MCQmedium

Which IP SLA operation type requires an IP SLA responder to be configured on the target device?

A.ICMP echo
B.UDP jitter
C.TCP connect
D.HTTP get
AnswerB

UDP jitter requires an IP SLA responder to generate timestamps for accurate measurements.

Why this answer

UDP jitter operations require a responder to accurately measure one-way delay, jitter, and packet loss. ICMP echo does not require a responder.

1042
Matchingmedium

Drag and drop each telemetry encoding on the left to its matching format on the right.

Matches

JSON with IETF YANG encoding

Google Protocol Buffers binary format

key-value pairs in GPB format

XML encoding

standard JSON encoding

Why these pairings

JSON_IETF uses JSON with IETF YANG encoding, protobuf uses Google Protocol Buffers, and kvGPB uses key-value pairs in GPB format.

1043
Matchingmedium

Drag and drop each MP-BGP address family on the left to its matching use case on the right.

Matches

Carries MPLS Layer 3 VPN routes with route distinguisher and route target

Carries standard IPv4 unicast routes (non-VPN)

Carries standard IPv6 unicast routes

Carries MPLS Layer 3 VPN routes for IPv6 customer prefixes

Carries Layer 2 VPN information such as VPLS or EVPN

Why these pairings

The VPNv4 unicast address family carries MPLS VPN routes with RD and RT; IPv4 unicast carries standard IPv4 routes; IPv6 unicast carries IPv6 routes; VPNv6 unicast carries IPv6 MPLS VPN routes; L2VPN address family carries Layer 2 VPN information like VPLS.

1044
Matchingmedium

Drag and drop each MQC component on the left to its matching role on the right.

Matches

Defines traffic classification criteria

Defines QoS actions to apply

Applies the policy-map to an interface

Why these pairings

class-map defines the traffic classification criteria (using match statements); policy-map defines the QoS actions to apply (using class statements that reference the class-maps); service-policy applies the policy-map to an interface.

1045
MCQmedium

Examine the following configuration:

```
policy-map SHAPE_POLICY
 class class-default
  shape average 10000000
  service-policy INNER_POLICY
```

What is the purpose of the nested service-policy (service-policy INNER_POLICY) under the shape command?

A.It applies the INNER_POLICY to traffic after shaping, allowing per-class queuing within the shaped rate.
B.It applies the INNER_POLICY to traffic before shaping, which is not supported.
C.It is used to shape traffic twice, first at 10 Mbps and then again based on INNER_POLICY.
D.This configuration is invalid because service-policy cannot be nested under shape.
AnswerA

Hierarchical QoS: the inner policy manages queues within the shaped pipe.

Why this answer

The correct answer is A because the nested service-policy under the shape command applies the INNER_POLICY to traffic after it has been shaped to 10 Mbps. This allows per-class queuing and scheduling within the shaped rate, enabling finer QoS control such as bandwidth allocation or priority queuing for specific traffic classes while ensuring the overall output does not exceed the shaped rate.

Exam trap

Cisco often tests the concept that a nested service-policy under shape applies after shaping, not before, and that it is a valid method for hierarchical QoS, leading candidates to incorrectly assume it is unsupported or that it shapes traffic twice.

How to eliminate wrong answers

Option B is wrong because the nested service-policy under shape is applied after shaping, not before; applying a policy before shaping would require a different configuration (e.g., a parent policy with a service-policy before the shape command). Option C is wrong because the configuration does not shape traffic twice; the shape command defines the shaping rate, and the nested policy manages queuing within that rate, not additional shaping. Option D is wrong because nesting a service-policy under shape is a valid and supported Cisco IOS QoS feature, commonly used for hierarchical QoS (HQoS).

1046
Matchingmedium

Drag and drop each VPN type on the left to its matching tunnel technology on the right.

Matches

mGRE with NHRP

IKEv2 per-peer tunnel

GDOI group encryption

TLS/DTLS client VPN

Static virtual tunnel interface

Why these pairings

DMVPN uses mGRE with NHRP; FlexVPN uses IKEv2 with per-peer tunnels; GET VPN uses GDOI for group encryption; AnyConnect uses TLS/DTLS for client-based remote access.

1047
Matchingmedium

Drag and drop each IP SLA threshold type on the left to its trigger condition on the right.

Matches

Trigger when metric exceeds threshold

Trigger on first violation

Trigger after N consecutive violations

Trigger after N violations within M probes

Do not trigger

Why these pairings

Over-threshold triggers when a metric exceeds the configured value; immediate triggers on the first violation; consecutive triggers after a specified number of consecutive violations.

1048
MCQmedium

A network engineer is troubleshooting a VRF-lite deployment on a Cisco Nexus 9000 switch. Two VRFs, PROD and DEV, are configured. The switch has an SVI for VLAN 10 in VRF PROD and VLAN 20 in VRF DEV. A firewall is connected to a Layer 3 port in VRF PROD for internet access. The engineer needs to allow the DEV VRF to reach the internet through the same firewall, but without using a separate physical interface. What should the engineer configure?

A.Configure a static route in VRF DEV pointing to the firewall's IP address in VRF PROD, and use the route-map to leak the route.
B.Place the firewall interface in both VRFs using the ip vrf forwarding command on the same interface.
C.Create a VLAN trunk between the switch and firewall, and assign the same VLAN to both VRFs.
D.Use policy-based routing (PBR) in VRF DEV to forward traffic to the firewall's MAC address.
AnswerA

Correct because route leaking allows one VRF to use a next-hop in another VRF. A static route with the appropriate VRF and route-map can achieve this.

Why this answer

Option A is correct because VRF-lite does not support direct route leaking between VRFs without an external mechanism. By configuring a static route in VRF DEV pointing to the firewall's IP address (which resides in VRF PROD) and using a route-map to leak the route, the engineer enables inter-VRF routing. This allows DEV traffic to reach the firewall's interface in PROD without requiring a separate physical interface, as the route-map controls which prefixes are shared between VRFs.

Exam trap

Cisco often tests the misconception that a single interface can belong to multiple VRFs simultaneously, or that VLANs can be shared across VRFs, leading candidates to choose options that violate VRF isolation principles.

How to eliminate wrong answers

Option B is wrong because the 'ip vrf forwarding' command cannot be applied to the same interface for multiple VRFs; an interface can belong to only one VRF at a time. Option C is wrong because assigning the same VLAN to two different VRFs is not supported; VLANs are mapped to a single VRF, and trunking does not solve the isolation requirement. Option D is wrong because policy-based routing (PBR) can forward traffic based on policies but cannot directly route between VRFs; PBR operates within a single VRF and does not provide inter-VRF route leaking.

1049
Drag & Dropmedium

Drag and drop the steps of SNMP bulk walk operation process into the correct order, from first to last.


Why this order

The manager initiates a GetBulkRequest, the agent responds with multiple variables, and the process repeats until all OIDs are retrieved.

1050
Multi-Selectmedium

Which three statements about SD-WAN (Cisco Catalyst SD-WAN) are true? (Choose three.)

A.The vSmart controller is responsible for distributing control plane information such as OMP routes and policies to the WAN edge routers.
B.The vBond controller is primarily used for device authentication and orchestration of initial connections.
C.The vManage controller forwards all data traffic between branch sites.
D.WAN edge routers can connect to the SD-WAN fabric using multiple transport interfaces (e.g., MPLS, Internet, LTE).
E.OMP (Overlay Management Protocol) runs between vEdge routers and the vManage controller.
AnswersA, B, D

Correct because vSmart is the centralized control plane component that advertises routes and policies using OMP.

Why this answer

Cisco SD-WAN uses a centralized vSmart controller for policy and routing, vBond for orchestration and authentication, and vManage for management. vEdge routers establish secure DTLS/TLS tunnels to controllers and can use multiple transport interfaces. The control plane is separate from the data plane. vSmart does not forward data traffic.
