ENCOR 350-401 (350-401) — Questions 1051–1125

2015 questions total · 27 pages · All types, answers revealed

Page 15 of 27
1051
Matching (medium)

Drag and drop each EIGRP router role on the left to its matching definition on the right.

Matches

Next-hop router for the best route to a destination

Backup next-hop router meeting the feasibility condition

Directly connected EIGRP router exchanging Hello packets

Lowest metric to a destination from the local router

Metric advertised by a neighbor for a specific route

Why these pairings

A successor is the next-hop router for the best (lowest-metric) route to a destination. A feasible successor is a backup next hop that satisfies the feasibility condition: its reported distance is lower than the local router's feasible distance, which guarantees its path cannot loop back through the local router. A neighbor is a directly connected EIGRP router with which Hello packets are exchanged. The feasible distance is the lowest metric to the destination from the local router, and the reported (advertised) distance is the metric a neighbor advertises for a specific route.
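As an added worked example (not part of the original question bank), the following Python applies these definitions to constructed advertisements from three neighbors. The metric values are simplified additive numbers rather than the real EIGRP composite metric; the classification logic is what matters. It shows the case the exam likes to test: a neighbor whose total metric is lower than the feasible successor's can still fail the feasibility condition and is therefore not usable as a backup.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Advertisement:
    """What one directly connected EIGRP neighbor tells us about a destination.

    Constructed sample data; metrics are simplified additive values, not the
    real EIGRP composite metric (this does not change the classification logic).
    """
    neighbor: str
    reported_distance: int   # metric the neighbor advertises for the route (RD/AD)
    link_cost: int           # metric from the local router to that neighbor


def classify(advertisements: List[Advertisement]) -> Tuple[int, List[str], List[str], List[str]]:
    """Return (feasible distance, successors, feasible successors, unusable neighbors).

    FD is the lowest total metric to the destination from the local router.
    A successor is a neighbor whose total metric equals the FD.
    A feasible successor is any other neighbor whose reported distance is
    strictly lower than the FD (the feasibility condition).
    Everything else fails the condition and is not installed as a backup.
    """
    if not advertisements:
        raise ValueError("need at least one advertisement")
    total = {a.neighbor: a.reported_distance + a.link_cost for a in advertisements}
    fd = min(total.values())
    successors = sorted(n for n, t in total.items() if t == fd)
    feasible = sorted(a.neighbor for a in advertisements
                      if a.neighbor not in successors and a.reported_distance < fd)
    unusable = sorted(a.neighbor for a in advertisements
                      if a.neighbor not in successors and a.neighbor not in feasible)
    return fd, successors, feasible, unusable


# Constructed example: three neighbors advertising the same destination.
SAMPLE = [
    Advertisement("R2", reported_distance=1000, link_cost=500),   # total 1500 -> successor
    Advertisement("R3", reported_distance=1200, link_cost=800),   # total 2000, RD 1200 < 1500 -> feasible successor
    Advertisement("R4", reported_distance=1600, link_cost=300),   # total 1900, RD 1600 >= 1500 -> fails feasibility
]

if __name__ == "__main__":
    fd, succ, fs, bad = classify(SAMPLE)
    print(f"FD={fd} successor={succ} feasible_successor={fs} not_feasible={bad}")
```

R4 has a better total metric than R3 but its reported distance is not below the FD, so DUAL cannot prove its path is loop-free and will not use it as a feasible successor; a failure of R2 would then trigger a query for the route rather than an instant switch to R4.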

1052
MCQ (easy)

Which BGP attribute is preferred when it has the lowest value?

A.MED (Multi-Exit Discriminator)
B.Local Preference
C.Weight
D.AS Path
Answer: A

Correct. Lower MED is preferred.

Why this answer

The Multi-Exit Discriminator (MED) is a BGP attribute used to influence inbound traffic from a neighboring AS. A lower MED value is preferred because it indicates a more preferred path into the AS, making it the correct answer when the question asks for the attribute preferred with the lowest value.

Exam trap

Cisco often tests the confusion between attributes that prefer the lowest value (MED) versus those that prefer the highest value (Weight, Local Preference), and candidates mistakenly apply the 'lowest is best' rule to all attributes without remembering the specific behavior of each.

How to eliminate wrong answers

Option B is wrong because Local Preference is preferred when it has the highest value, not the lowest, as it influences outbound traffic from the local AS. Option C is wrong because Weight is a Cisco-proprietary attribute that is preferred when it has the highest value, not the lowest, and it is local to the router. Option D is wrong because AS Path is preferred when it is the shortest (lowest number of AS hops), but the question asks for the attribute preferred with the lowest value, and AS Path is not a numerical value in the same sense; it is a sequence of AS numbers, and the preference is based on length, not a single lowest value.
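Added example, not from the original page: a small Python model of the first steps of the Cisco BGP best-path selection that makes the direction of each attribute explicit (weight and local preference highest, AS path shortest, MED lowest). It also includes the default rule the question glosses over: MED is only compared between paths received from the same neighboring AS unless 'bgp always-compare-med' is configured. All path data is constructed.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class BgpPath:
    name: str
    neighbor_as: int                   # AS of the neighbor that advertised the path
    weight: int = 0                    # Cisco-local attribute; highest wins
    local_pref: int = 100              # highest wins
    as_path: Tuple[int, ...] = ()      # shortest wins
    med: int = 0                       # lowest wins


def select_best(paths: List[BgpPath], always_compare_med: bool = False) -> Tuple[BgpPath, List[str]]:
    """Apply the first decisive steps of the Cisco best-path algorithm.

    Returns the winner and the list of steps that actually eliminated a candidate.
    Steps after MED (eBGP over iBGP, IGP metric, router ID, ...) are not modelled:
    if several paths survive MED, the first one in input order is returned.
    """
    if not paths:
        raise ValueError("no paths")
    candidates = list(paths)
    trace: List[str] = []
    # Every step is expressed as "lowest key wins", so the direction of each
    # attribute is visible: weight and local preference are negated, AS path
    # contributes its length.
    steps = [
        ("weight", lambda p: -p.weight),
        ("local_pref", lambda p: -p.local_pref),
        ("as_path_length", lambda p: len(p.as_path)),
    ]
    for name, key in steps:
        best = min(key(p) for p in candidates)
        survivors = [p for p in candidates if key(p) == best]
        if len(survivors) < len(candidates):
            trace.append(name)
        candidates = survivors
        if len(candidates) == 1:
            return candidates[0], trace
    # MED: lowest wins, but by default only paths from the same neighboring AS
    # are comparable; otherwise the step is skipped entirely.
    if always_compare_med or len({p.neighbor_as for p in candidates}) == 1:
        lowest = min(p.med for p in candidates)
        survivors = [p for p in candidates if p.med == lowest]
        if len(survivors) < len(candidates):
            trace.append("med")
        candidates = survivors
    return candidates[0], trace


# Constructed example: three paths to the same prefix, all learned from AS 65001.
SAMPLE = [
    BgpPath("A", neighbor_as=65001, as_path=(65001,), med=50),
    BgpPath("B", neighbor_as=65001, as_path=(65001,), med=10),
    BgpPath("C", neighbor_as=65001, as_path=(65001, 65002), med=0),
]
# Same paths, but local policy gives path C a higher local preference.
SAMPLE_LP = SAMPLE[:2] + [BgpPath("C", neighbor_as=65001, local_pref=200, as_path=(65001, 65002), med=0)]
# Paths from two different neighboring ASes: MED is not compared by default.
SAMPLE_MIXED = [
    BgpPath("A", neighbor_as=65001, as_path=(65001,), med=50),
    BgpPath("B", neighbor_as=65002, as_path=(65002,), med=10),
]

if __name__ == "__main__":
    for label, paths in (("same AS", SAMPLE), ("local-pref", SAMPLE_LP), ("mixed AS", SAMPLE_MIXED)):
        winner, trace = select_best(paths)
        print(f"{label}: winner={winner.name} decided_by={trace}")
```

Path C in SAMPLE has the lowest MED of all, yet it loses: AS path length is evaluated before MED, so MED only decides between A and B. Raising C's local preference (SAMPLE_LP) overrides both its longer AS path and the MED comparison, which is exactly the 'highest wins' behaviour the exam trap describes.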

1053
MCQ (hard)

A network engineer is using Ansible to automate the deployment of a new VLAN on a Cisco Nexus switch. The playbook uses the nxos_vlan module. The engineer wants to ensure that if the VLAN already exists, the playbook does not make any changes (idempotent). However, the playbook always reports 'changed' even when the VLAN exists with the same configuration. What is a likely reason?

A.The playbook uses the 'vlan_id' parameter but not the 'name' parameter, causing the module to ignore the name mismatch.
B.The playbook does not include the 'vlan_state' parameter, and the existing VLAN is in 'suspend' state, while the module defaults to 'active'.
C.The nxos_vlan module is not idempotent by design and always reports changes.
D.The engineer is using the '--diff' flag, which forces the module to report changes.
Answer: B

If the module defaults to 'active' but the VLAN is 'suspend', the module sees a difference and reports 'changed'.

Why this answer

The nxos_vlan module compares the desired state in the playbook with the current state on the switch and reports 'changed' whenever any managed parameter differs. Parameters the playbook leaves out are not ignored: they take the module's defaults. If the playbook omits 'vlan_state', the module assumes 'active'; when the VLAN on the switch is actually 'suspend', every run sees a difference, pushes the change (or at least reports it), and the play is never idempotent. The fix is to state the intended value explicitly or, where the state is not part of the intent, to match what is on the device. Note that nxos_vlan is deprecated in favour of the resource module nxos_vlans, which exposes 'state' handling more explicitly.

1054
MCQ (medium)

Examine the following configuration:

interface GigabitEthernet0/0
 ip address 172.16.1.1 255.255.255.0
 ipv6 address 2001:db8:1::1/64
 ipv6 ospf 100 area 0
!

What is missing from this configuration to enable OSPFv3 on this interface?

A.The configuration is complete; no additional commands are needed.
B.The command 'ipv6 router ospf 100' must be added globally to create the OSPFv3 process.
C.The interface needs the 'ipv6 ospf network point-to-point' command to work.
D.The 'ipv6 unicast-routing' command must be enabled globally.
Answer: D

Correct. On IOS, 'ipv6 unicast-routing' must be enabled globally before OSPFv3 will operate; the interface-level command creates the OSPFv3 process itself.

Why this answer

Option D is correct because IOS does not forward IPv6 traffic or run IPv6 routing protocols until 'ipv6 unicast-routing' is enabled globally; Cisco lists it as a prerequisite for OSPFv3. The interface-level 'ipv6 ospf 100 area 0' command enables OSPFv3 on the interface and, if process 100 does not yet exist, creates it automatically. Here the process can derive a router ID from the IPv4 address 172.16.1.1 on the interface, so nothing else is missing.

Exam trap

Cisco often tests the difference between OSPFv2 and OSPFv3 configuration: in OSPFv3 the interface command is what enables the protocol and creates the process, and candidates either assume the global process must be created by hand (as with OSPFv2 'network' statements) or forget that IPv6 routing is off by default on IOS.

How to eliminate wrong answers

Option A is wrong because without 'ipv6 unicast-routing' the router does not route IPv6, so OSPFv3 is not operational even though the interface command is accepted. Option B is wrong because 'ipv6 router ospf 100' is created automatically when 'ipv6 ospf 100 area 0' is applied to the interface; entering it by hand is only necessary to set process parameters such as a router ID on a router with no IPv4 addresses. Option C is wrong because 'ipv6 ospf network point-to-point' only overrides the default network type (broadcast on Ethernet) and is not required for OSPFv3 to run on this interface.

1055
MCQ (hard)

A network engineer is deploying Cisco TrustSec (CTS) with Security Group Access Control Lists (SGACLs) on a campus network. The engineer configures the switch with 'cts role-based enforcement' and assigns SGTs to users via 802.1X. The engineer tests connectivity between a user in SGT 10 and a server in SGT 20. The SGACL permits traffic from SGT 10 to SGT 20, but the user cannot reach the server. The engineer checks 'show cts role-based sgt-map' and sees that the user's SGT is 0. What is the most likely cause?

A.The RADIUS server is not configured to send the SGT in the Access-Accept message.
B.The SGACL is applied to the wrong interface.
C.The switch is not configured with 'cts role-based enforcement'.
D.The user's SGT is 0, which is a valid SGT that denies all traffic.
Answer: A

Correct because the SGT must be assigned by the RADIUS server during authentication.

Why this answer

SGT 0 is the 'Unknown' tag, the value a switch assigns to traffic for which it learned no SGT. If the user's SGT is 0 after a successful 802.1X login, the switch did not receive an SGT from the RADIUS server during authentication. Option A is correct because the RADIUS server (ISE) must return the SGT as an attribute in the Access-Accept message; without it, the SGACL matrix is evaluated with source SGT 0 and the permit for SGT 10 to SGT 20 never applies.

Option B is incorrect because SGACLs are enforced on the source/destination SGT pair at the egress enforcement point, not applied to a specific interface. Option C is incorrect because the question states that enforcement is configured, and the symptom (SGT 0 in the map) points at classification, not enforcement. Option D is incorrect because SGT 0 is not a user-assignable tag that denies traffic; it simply means the traffic is untagged from the switch's point of view.

1056
MCQ (medium)

A network engineer runs the following command on Router R1:

R1# show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 192.0.2.10         10.0.0.10          ---                ---
--- 192.0.2.11         10.0.0.11          ---                ---

Based on this output, what can be concluded?

A.Dynamic NAT is configured with a pool of addresses.
B.Static NAT is configured for two internal hosts.
C.PAT is translating multiple internal addresses to a single global address.
D.NAT is not operational because no outside local addresses are shown.
Answer: B

The absence of protocol and the presence of inside global/local pairs indicate static NAT.

Why this answer

The output shows two translations with no protocol and no outside addresses, which is how static one-to-one NAT entries appear: they exist whether or not any session is active. Dynamic NAT and PAT entries are created by traffic and, for PAT, carry a protocol and port (for example 'tcp 192.0.2.10:1024 10.0.0.10:1024 ...'). The inside global addresses here are mapped one-to-one to inside local addresses, and no dynamic translations are present.

1057
MCQ (medium)

A network engineer runs the following command on Switch SW6:

SW6# show monitor session 6
Session 6
---------
Type              : Remote Destination Session
Source RSPAN VLAN : 200
Destination Ports : Gi1/0/12
    Encapsulation : Native
          Ingress : Disabled

Based on this output, what can be concluded?

A.This switch receives mirrored traffic from RSPAN VLAN 200 and sends it to Gi1/0/12.
B.This is a local SPAN session with source VLAN 200.
C.The RSPAN VLAN 200 is used to send traffic to a remote switch.
D.Ingress traffic on Gi1/0/12 is forwarded to the RSPAN VLAN.
Answer: A

The type 'Remote Destination Session' and source RSPAN VLAN confirm this.

Why this answer

This is an RSPAN destination session on SW6. The source is RSPAN VLAN 200, and the destination port Gi1/0/12 sends out the mirrored traffic. The destination port has Native encapsulation and ingress disabled, meaning it only forwards traffic from the RSPAN VLAN.

1058
Matching (medium)

Drag and drop each CPU feature on the left to its matching virtualization purpose on the right.

Matches

Intel hardware virtualization support

Reduces memory virtualization overhead

Enables direct VM access to physical NIC

Provides direct I/O device assignment

AMD hardware virtualization support

Why these pairings

VT-x enables hardware-assisted virtualization on Intel CPUs. EPT (Extended Page Tables) reduces memory virtualization overhead by letting the CPU walk guest and host page tables in hardware instead of the hypervisor maintaining shadow page tables. SR-IOV lets a physical NIC present multiple virtual functions that can be handed directly to VMs.

VT-d (Intel's IOMMU) provides direct I/O device assignment to VMs and enforces DMA isolation for the assigned device. AMD-V is AMD's equivalent of VT-x.

1059
Drag & Drop (medium)

Drag and drop the steps of Multiple SPAN source ports with filter VLAN into the correct order, from first to last.


Why this order

First specify the session number, then add the source ports with their direction (rx, tx or both), apply the VLAN filter so that only traffic in the listed VLANs is mirrored from those trunk sources, set the destination port, and finally activate the session (on IOS the session becomes active once both a source and a destination are configured; on NX-OS it is explicitly enabled with 'no shut' under the monitor session).

1060
Matching (medium)

Drag and drop each NAPALM getter on the left to its matching returned data on the right.

Matches

Hostname, vendor, model, uptime

Interface name, status, MAC address, speed

BGP peer IP, ASN, state, prefixes

LLDP neighbor device ID, port ID

NTP server IP, stratum, offset

Why these pairings

get_facts returns device information such as hostname, vendor, model and uptime; get_interfaces returns per-interface details (status, MAC address, speed); get_bgp_neighbors returns BGP peer information (peer IP, ASN, state, prefix counts); get_lldp_neighbors returns the LLDP neighbor device ID and port ID per local interface; get_ntp_stats returns per-server NTP data such as stratum and offset.

1061
MCQ (medium)

A large enterprise is migrating from traditional SNMP-based monitoring to streaming telemetry for better scalability and real-time visibility. The network team has Cisco Nexus 9000 switches running NX-OS. They want to stream interface counters and BGP neighbor state changes to a collector. Which telemetry technology should they implement?

A.Configure model-driven telemetry (MDT) using gRPC or gNMI to subscribe to the desired YANG data models for interface counters and BGP state.
B.Enable NetFlow v9 on the switches and configure the collector to receive flow records that include interface statistics.
C.Use SNMP traps to send interface and BGP state changes to the collector.
D.Deploy IP SLA responders on the switches to measure performance and send results via syslog.
Answer: A

Correct because MDT with gRPC/gNMI provides scalable, real-time streaming of structured data from NX-OS devices.

Why this answer

Model-driven telemetry (MDT) using gRPC or gNMI is the modern approach for streaming structured data from NX-OS devices. Option A is correct because MDT supports both periodic and event-driven subscriptions. Option B is incorrect because NetFlow is for flow data, not interface counters or BGP state.

Option C is incorrect because SNMP traps are event-driven but not scalable for high-frequency streaming. Option D is incorrect because IP SLA is for active measurements, not streaming device state.

1062
Drag & Drop (medium)

Drag and drop the steps of IP SLA with threshold and reaction configuration into the correct order, from first to last.


Why this order

First, the IP SLA operation is defined. Then thresholds for rising and falling are configured. The reaction is set to trigger when thresholds are crossed.

The operation is scheduled. Finally, the reaction is enabled to take action.

1063
Matching (medium)

Drag and drop each wireless roaming method on the left to its matching 802.11 standard on the right.

Matches

802.11r

802.11k

802.11v

802.11k

802.11r

Why these pairings

802.11r provides Fast BSS Transition (FT); 802.11k provides Radio Resource Measurement (RRM) for neighbor reports; 802.11v provides BSS Transition Management (BTM) for network-assisted roaming.

1064
Matching (medium)

Drag and drop each PnP workflow step on the left to its matching action on the right.

Matches

Assigns a discovered device to a specific site and profile

Applies initial bootstrap configuration via CLI template

Installs the required software image on the device

Deploys full configuration including interfaces, VLANs, and routing

Replaces a failed device with a new one using the same configuration

Why these pairings

PnP steps: Claim assigns a discovered device to a site and profile; the Day-0 template applies the initial bootstrap configuration; Image Upgrade installs the required software image; Provision deploys the full configuration (interfaces, VLANs, routing); the RMA (device replacement) workflow swaps a failed device for a new one and reapplies the same configuration.

1065
Multi-Select (hard)

Which three statements about the Cisco Enterprise WAN design principles are true? (Choose three.)

A.SD-WAN architecture separates the control plane and data plane, allowing centralized policy management.
B.Dual-homing a branch office to two different service provider routers increases WAN availability.
C.DMVPN requires a full mesh of static IPsec tunnels between all spoke routers.
D.MPLS Layer 3 VPNs use Virtual Routing and Forwarding (VRF) instances to provide customer isolation.
E.DMVPN requires a full mesh of IPsec tunnels between all spoke routers.
Answers: A, B, D

Correct because SD-WAN uses a controller-based approach where the control plane is centralized, simplifying policy deployment.

Why this answer

Enterprise WAN design focuses on connecting remote sites reliably and efficiently. SD-WAN decouples control and data planes for centralized management. Dual-homing provides redundancy.

MPLS Layer 3 VPNs offer any-to-any connectivity between customer sites through BGP route-target import and export between VRFs, without a mesh of tunnels between CE routers. Option A is correct because SD-WAN's centralized controller manages policies and path selection. Option B is correct because dual-homing to different provider routers improves availability.

Option D is correct because MPLS VPNs use VRFs to isolate customer routing, allowing overlapping addresses. Option C is incorrect because DMVPN uses dynamic tunnels (mGRE/NHRP), not static IPsec tunnels. Option E is incorrect because DMVPN does not require a full mesh; it uses a hub-and-spoke or partial mesh topology.

1066
MCQ (medium)

A network engineer is using Cisco DNA Center to automate the deployment of a new VLAN across multiple access switches. The engineer creates a new network profile with the VLAN definition and assigns it to a site. However, after provisioning, the VLAN is not created on any of the switches. The engineer verifies that the devices are in the Inventory and are reachable. What is the most likely cause?

A.The engineer did not run the Provision workflow to push the configuration to the devices.
B.The VLAN ID conflicts with an existing VLAN on the switches.
C.The switches do not support the VLAN ID range.
D.The DNA Center appliance is not licensed for the Automation module.
Answer: A

Correct because creating a profile and assigning it to a site only defines the intent; the actual configuration is pushed only when the Provision workflow is executed.

Why this answer

In Cisco DNA Center, network profiles are used to define settings, but they must be applied to a site and then the devices must be provisioned with that site's settings. If the engineer only created the profile and assigned it to a site, but did not run the provisioning workflow (which pushes the configuration to devices), the VLAN will not be created.

1067
Drag & Drop (medium)

Drag and drop the steps of vSphere VM snapshot creation and revert steps into the correct order, from first to last.


Why this order

The correct order starts with taking the snapshot and ends with reverting to it. First, the snapshot is taken while the VM is running. Then, changes are made to the VM.

Next, the snapshot is reverted to restore the previous state. After that, the snapshot is deleted to free storage. Finally, the VM continues running without the snapshot.

1068
MCQ (medium)

A network engineer runs the following commands on Router R1:

R1# show ip interface GigabitEthernet0/1 | include access list
  Inbound  access list is not set
  Outbound access list is 140
R1# show access-lists 140
Extended IP access list 140
    10 permit tcp 192.168.1.0 0.0.0.255 any eq 443 (25 matches)
    20 deny tcp any any eq 443 (10 matches)
    30 permit ip any any (50 matches)

Based on this output, what can be concluded?

A.HTTPS traffic from sources outside 192.168.1.0/24 is denied when exiting the interface.
B.All HTTPS traffic is permitted outbound.
C.The ACL is applied inbound on the interface.
D.The ACL permits all traffic from 192.168.1.0/24.
Answer: A

Entry 20 denies HTTPS from any source not matching entry 10, so HTTPS from other subnets is denied outbound.

Why this answer

ACL 140 is applied outbound on GigabitEthernet0/1 and is evaluated top-down, first match wins. It permits TCP to port 443 (HTTPS) from 192.168.1.0/24 to any destination, denies all other TCP/443, and permits all other IP traffic; anything that matches none of the three entries would hit the implicit deny, but entry 30 makes that unreachable here. The match counts show 25 HTTPS packets from the subnet permitted, 10 HTTPS packets from other sources denied, and 50 other packets permitted.

The correct answer is that HTTPS traffic from sources outside 192.168.1.0/24 is denied when exiting the interface. Option D is a trap: 192.168.1.0/24 is only explicitly permitted for TCP/443, and its other traffic is permitted by entry 30 rather than by any subnet-specific rule.
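To make the evaluation concrete, this added Python example (not from the original page) implements first-match ACL evaluation with IOS wildcard-mask semantics for the subset of syntax ACL 140 uses, then runs constructed packets through it. The last packet shows a caveat the question does not raise: entry 20 only covers TCP/443, so UDP/443 (QUIC) falls through to entry 30 and is permitted.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Ace:
    """One entry of an IOS extended ACL (subset: ip/tcp/udp, optional 'eq' on the destination port)."""
    seq: int
    action: str                      # "permit" or "deny"
    proto: str                       # "ip", "tcp" or "udp"
    src: str                         # "network wildcard" or "any"
    dst: str
    dst_port: Optional[int] = None   # the 'eq <port>' qualifier, if present


def _addr_matches(spec: str, addr: str) -> bool:
    """IOS wildcard-mask semantics: a 1 bit in the mask means 'don't care'."""
    if spec == "any":
        return True
    network, wildcard = spec.split()
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(network)) & care) == (int(ipaddress.IPv4Address(addr)) & care)


def evaluate(acl: List[Ace], proto: str, src: str, dst: str,
             dst_port: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """First matching entry wins; anything unmatched hits the implicit deny (seq None)."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not (_addr_matches(ace.src, src) and _addr_matches(ace.dst, dst)):
            continue
        if ace.dst_port is not None and ace.dst_port != dst_port:
            continue
        return ace.action, ace.seq
    return "deny", None


# ACL 140 exactly as shown in the question output.
ACL_140 = [
    Ace(10, "permit", "tcp", "192.168.1.0 0.0.0.255", "any", dst_port=443),
    Ace(20, "deny", "tcp", "any", "any", dst_port=443),
    Ace(30, "permit", "ip", "any", "any"),
]

# Constructed packets leaving Gi0/1, where the ACL is applied outbound.
SAMPLE_PACKETS = [
    ("tcp", "192.168.1.25", "203.0.113.5", 443),   # HTTPS from the permitted subnet -> entry 10
    ("tcp", "10.0.0.7", "203.0.113.5", 443),       # HTTPS from elsewhere -> entry 20
    ("tcp", "10.0.0.7", "203.0.113.5", 80),        # HTTP from elsewhere -> entry 30
    ("udp", "10.0.0.7", "203.0.113.5", 443),       # UDP/443 (QUIC) is not caught by the tcp entries
]

if __name__ == "__main__":
    for proto, src, dst, port in SAMPLE_PACKETS:
        print(f"{proto} {src} -> {dst}:{port}  {evaluate(ACL_140, proto, src, dst, port)}")
```

If the intent of ACL 140 is to restrict HTTPS to one subnet, a 'deny udp any any eq 443' entry before entry 30 (or a policy that blocks QUIC at the client) is needed; otherwise modern browsers may simply negotiate QUIC and bypass the rule.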

1069
Multi-Select (medium)

Which two statements about LISP in Cisco SD-Access are true? (Choose two.)

A.The LISP Map Server stores the mapping between endpoint identifiers (EIDs) and routing locators (RLOCs).
B.LISP encapsulation is used to forward data traffic between fabric edge nodes.
C.The LISP Map Resolver processes Map-Request messages and responds with the RLOC of the destination EID.
D.LISP uses TCP port 4342 for control plane communication.
E.The EID in LISP represents the MAC address of the endpoint device.
Answers: A, C

Correct because the Map Server is the central database that holds EID-to-RLOC mappings for the fabric.

Why this answer

LISP (Locator/ID Separation Protocol) is the control plane in SD-Access. The Map Server (MS) maintains the EID-to-RLOC mapping database, and the Map Resolver (MR) handles Map-Request queries. The EID represents the endpoint identity (IP address), while the RLOC is the routing locator (IP address of the fabric node).

In SD-Access, LISP is used only as the control plane; data-plane traffic between fabric nodes is encapsulated in VXLAN (with the SGT carried in the VXLAN-GPO header), so option B is incorrect. LISP control-plane messages (Map-Register, Map-Request, Map-Reply) use UDP port 4342, and the LISP data-plane encapsulation, where it is used, is UDP port 4341; neither uses TCP, so option D is incorrect. The EID is typically the endpoint's IP address (a host /32 or /128), not its MAC address, so option E is incorrect.

1070
MCQ (medium)

A network engineer issues the following command on Router R2:

R2# show ip mroute 239.1.1.1
IP Multicast Routing Table
Flags: D - Dense, S - Sparse, B - Bidir Group, s - SSM Group, C - Connected,
       L - Local, P - Pruned, R - RP-bit set, F - Register flag,
       T - SPT-bit set, J - Join SPT, M - MSDP created entry, E - Extranet,
       X - Proxy Join Timer Running, A - Candidate for MSDP Advertisement,
       U - URD, I - Received Source Specific Host Report,
       Z - Multicast Tunnel, z - MDT-data group session,
       Y - Joined MDT-data group, y - Sending to MDT-data group
Outgoing interface flags: H - Hardware switched, A - Assert winner
 Timers: Uptime/Expires
 Interface state: Interface, Next-Hop or VCD, State/Mode

(*, 239.1.1.1), 00:03:45/00:02:15, RP 10.0.0.1, flags: S
  Incoming interface: GigabitEthernet0/0, RPF nbr 10.0.0.1
  Outgoing interface list:
    GigabitEthernet0/1, Forward/Sparse, 00:03:45/00:02:15

Based on this output, what can be concluded?

A.The group is using PIM dense mode.
B.The RP for this group is 10.0.0.1.
C.The multicast traffic is being hardware switched.
D.The group is a Bidir group.
Answer: B

The output clearly states 'RP 10.0.0.1' in the (*,G) entry.

Why this answer

The 'show ip mroute' output shows a (*,G) entry for group 239.1.1.1 with flag 'S' (sparse mode) and an RP of 10.0.0.1. The incoming interface is GigabitEthernet0/0 with RPF neighbor 10.0.0.1, and the outgoing interface list contains GigabitEthernet0/1 in Forward/Sparse state. Option A is wrong because the 'D' flag is absent, option C because no outgoing interface carries the 'H' flag, and option D because the 'B' flag is absent.

The correct answer is that PIM sparse mode is in use with the RP at 10.0.0.1.

1071
MCQ (hard)

A network engineer runs the following command on Router R2:

R2# show mpls forwarding-table
Local      Outgoing   Prefix           Bytes Label   Outgoing   Next Hop
Label      Label      or Tunnel Id     Switched      interface
16         Pop Label  10.1.1.1/32      0             Gi0/0      192.168.1.1
17         18         10.2.2.0/24      1500          Gi0/1      192.168.2.3
18         Untagged   10.3.3.0/24      0             Gi0/2      192.168.3.4

Based on this output, what is the correct interpretation?

A.For prefix 10.1.1.1/32, the router will pop the MPLS label before forwarding because the outgoing label is 'Pop Label'.
B.For prefix 10.2.2.0/24, the router will impose label 18 onto the packet.
C.For prefix 10.3.3.0/24, the router will forward the packet with an MPLS label of 18.
D.The router has received 1500 bytes for prefix 10.2.2.0/24, and the outgoing interface is Gi0/1.
Answer: A

Pop Label indicates PHP, so the router removes the label.

Why this answer

The forwarding table shows the label operation for each local label. For prefix 10.1.1.1/32, the outgoing label is 'Pop Label': R2 is the penultimate hop and removes the top label before forwarding (PHP), which is option A. For 10.2.2.0/24, incoming label 17 is swapped for outgoing label 18; this is a swap, not an imposition, because imposition happens at the ingress LSR on an unlabeled packet, so option B is wrong. Option D misreads the 'Bytes Label Switched' column, which counts bytes switched, not received.

For 10.3.3.0/24, 'Untagged' (shown as 'No Label' on newer releases) means the packet is forwarded without any MPLS label, for example toward a non-MPLS interface or a CE, so option C is wrong.
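Added example (not part of the original page): a Python parser for the 'show mpls forwarding-table' output above that classifies each row's label operation, the kind of helper you would drop into an audit script that checks where labels are popped or where traffic leaves the MPLS domain untagged. The regex only covers the columns shown here; aggregate or tunnel rows would need extending. The input is the question's own output reproduced as a constructed string.

```python
import re
from typing import Dict, List, Optional

# The question's output, reproduced here as constructed sample input.
SHOW_MPLS_FORWARDING_TABLE = """\
Local      Outgoing   Prefix           Bytes Label   Outgoing   Next Hop
Label      Label      or Tunnel Id     Switched      interface
16         Pop Label  10.1.1.1/32      0             Gi0/0      192.168.1.1
17         18         10.2.2.0/24      1500          Gi0/1      192.168.2.3
18         Untagged   10.3.3.0/24      0             Gi0/2      192.168.3.4
"""

# One data row: local label, outgoing label/operation, prefix, byte count,
# outgoing interface and (optionally) next hop. Header lines do not match.
_ROW = re.compile(
    r"^(?P<local>\d+)\s+"
    r"(?P<outgoing>Pop Label|Untagged|No Label|\d+)\s+"
    r"(?P<prefix>\S+)\s+"
    r"(?P<bytes>\d+)\s+"
    r"(?P<iface>\S+)"
    r"(?:\s+(?P<nexthop>\S+))?\s*$"
)


def parse_forwarding_table(text: str) -> List[Dict[str, object]]:
    """Return one dict per LFIB row with the label operation made explicit."""
    entries: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue  # header lines and rows outside the supported format are skipped
        out = m.group("outgoing")
        if out == "Pop Label":
            operation = "pop"        # penultimate hop popping: top label removed, payload forwarded
        elif out.isdigit():
            operation = "swap"       # incoming label replaced with the outgoing label
        else:
            operation = "untagged"   # forwarded as plain IP ('Untagged' / 'No Label')
        entries.append({
            "local_label": int(m.group("local")),
            "outgoing_label": int(out) if out.isdigit() else None,
            "operation": operation,
            "prefix": m.group("prefix"),
            "bytes_switched": int(m.group("bytes")),
            "interface": m.group("iface"),
            "next_hop": m.group("nexthop"),
        })
    return entries


def operation_for_prefix(entries: List[Dict[str, object]], prefix: str) -> Optional[str]:
    """Look up the label operation applied to packets for a given prefix."""
    for e in entries:
        if e["prefix"] == prefix:
            return str(e["operation"])
    return None


if __name__ == "__main__":
    for e in parse_forwarding_table(SHOW_MPLS_FORWARDING_TABLE):
        print(f"{e['local_label']:>3} {e['operation']:<8} {e['prefix']:<14} via {e['interface']} {e['next_hop']}")
```

The 'untagged' classification is the one worth alerting on in a label-switched core: traffic leaving a PE toward a CE is expected to be untagged, but an untagged entry for a prefix that should stay inside the MPLS domain usually means LDP or the IGP is broken on that link.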

1072
MCQ (medium)

Examine the following configuration:

aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
interface GigabitEthernet1/0/4
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
 dot1x timeout quiet-period 30

What is the effect of the 'dot1x timeout quiet-period 30' command?

A.The switch will wait 30 seconds before sending a new EAPOL-Start after a failed authentication.
B.The switch will wait 30 seconds for a response from the supplicant before timing out.
C.The switch will wait 30 seconds before placing the port in the unauthorized state after a link up event.
D.The switch will wait 30 seconds for the RADIUS server to respond before failing authentication.
Answer: A

The quiet-period timer controls the delay after a failure before the authenticator retries.

Why this answer

The quiet-period timer defines the number of seconds the switch (the authenticator) stays quiet after a failed authentication attempt before it re-initiates authentication on the port. The default is 60 seconds; here it is set to 30 seconds. Strictly, what the authenticator sends when the quiet period ends is a new EAP-Request/Identity; EAPOL-Start is a frame the supplicant sends, so read option A as 'before restarting authentication'. Option B describes the supplicant timeout ('dot1x timeout supp-timeout'), and option D the RADIUS server timeout ('dot1x timeout server-timeout' or the radius-server timeout), both different timers.

1073
MCQ (medium)

A network engineer is configuring model-driven telemetry on a Cisco IOS-XE router to stream interface statistics to a collector using gRPC. The engineer wants to ensure that the telemetry data is sent only when there is a change in the interface counters, rather than at a fixed interval. Which configuration parameter should the engineer use to achieve this behavior?

A.Use a periodic subscription with a sample-interval of 0
B.Configure an on-change subscription
C.Set the suppress-repetition flag in a periodic subscription
D.Use a dynamic subscription with a sample-interval of 1 second
Answer: B

An on-change subscription sends updates only when the monitored data changes, which matches the requirement.

Why this answer

The correct answer is 'on-change' subscription because it triggers updates only when the monitored data changes, unlike periodic subscriptions that send data at fixed intervals. The other options are incorrect because 'periodic' sends data at a fixed interval, 'suppress-repetition' reduces duplicate updates in periodic subscriptions but does not enable on-change behavior, and 'sample-interval' is used for periodic subscriptions.

1074
MCQ (medium)

A network engineer is configuring a Cisco switch for 802.1X port-based authentication. The switch is configured with a RADIUS server for authentication. The engineer wants to allow devices that fail 802.1X authentication to still access a limited guest VLAN. The engineer configures 'authentication port-control auto' and 'authentication host-mode multi-host' on the interface. However, when a non-802.1X-capable device is connected, the port remains in the unauthorized state and does not fall into the guest VLAN. What is missing?

A.The interface needs the 'authentication guest-vlan <vlan-id>' command to specify the VLAN for non-802.1X devices.
B.The switch must have 'aaa authentication dot1x default group radius' configured globally.
C.The 'authentication host-mode multi-host' command should be replaced with 'authentication host-mode multi-domain' to support guest VLAN.
D.The port must be configured as a trunk port to allow the guest VLAN.
Answer: A

Correct because the guest VLAN is a separate configuration that tells the switch to place the port into a specific VLAN when authentication fails or times out.

Why this answer

For a port to move to a guest VLAN when authentication fails or times out, the switch must be configured with a guest VLAN on that interface. 'authentication port-control auto' enables 802.1X, but without a guest VLAN defined, the port stays unauthorized when no supplicant responds. On Catalyst switches the guest VLAN is configured with 'authentication event no-response action authorize vlan <vlan-id>' (legacy syntax: 'dot1x guest-vlan <vlan-id>'); it is entered when the switch sees no EAPOL frames from the client, which is exactly the non-802.1X-capable device described here. Option C is not required: guest VLAN works with single-host, multi-host and multi-domain modes. Note that multi-host mode authorizes the whole port for every MAC address once one client succeeds, which is a security trade-off in its own right.

1075
Multi-Select (medium)

Which two statements about MPLS label distribution protocol (LDP) are true? (Choose two.)

A.LDP uses TCP port 646 for session establishment.
B.LDP hello messages are sent as UDP packets to multicast address 224.0.0.2.
C.LDP uses UDP for session establishment.
D.LDP uses RSVP to distribute labels.
E.LDP assigns labels only to BGP routes.
Answers: A, B

Correct because LDP sessions use TCP port 646 for reliable communication.

Why this answer

LDP uses TCP port 646 for session establishment and UDP port 646 for discovery: Hello messages are sent to the all-routers multicast address 224.0.0.2. LDP sessions are established between directly connected LSRs by default, but can also be established between non-adjacent LSRs using targeted (unicast) Hellos. By default LDP assigns a label to every IGP prefix in the routing table.

Option C is incorrect because LDP uses TCP, not UDP, for session establishment. Option D is incorrect because LDP does not use RSVP; that is for traffic engineering. Option E is incorrect because LDP assigns labels to all prefixes, not just BGP routes.

1076
MCQ (medium)

A network engineer runs the following command on Switch SW1:

SW1# show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/1, Gi0/2, Gi0/3
10   Sales                            active    Gi0/4, Gi0/5
20   Engineering                      active    Gi0/6
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

Based on this output, what can be concluded?

A.VLAN 20 is not operational because it has only one port assigned.
B.The switch supports FDDI and Token Ring VLANs.
C.Port Gi0/6 is an access port in VLAN 20.
D.VLAN 10 has more broadcast traffic than VLAN 20.
Answer: C

The output shows Gi0/6 assigned to VLAN 20, and since no trunking is indicated, it is likely an access port in VLAN 20.

Why this answer

The output shows the VLANs configured on the switch. VLANs 1, 10 and 20 are active and have ports assigned. VLANs 1002-1005 are the default VLANs reserved for legacy technologies (FDDI, Token Ring) and are shown as 'act/unsup' (active/unsupported) because the switch does not support them, which rules out option B.

The key point is that 'show vlan brief' lists a port under a VLAN only when it is an access port in that VLAN; trunk ports do not appear in this column. Gi0/6 is listed under VLAN 20, so it is an access port in VLAN 20. Having a single port in a VLAN is unusual but says nothing about whether the VLAN is operational (option A), and the output carries no traffic statistics (option D).

1077
MCQ (medium)

A network engineer runs the following command on Switch SW1:

SW1# show monitor session 1
Session 1
---------
Type              : Local Session
Source Ports      :
    Both          : Gi1/0/1
    Both          : Gi1/0/2
Destination Ports : Gi1/0/10
    Encapsulation : Native
          Ingress : Disabled

Based on this output, what can be concluded?

A.Traffic from Gi1/0/1 and Gi1/0/2 is copied to Gi1/0/10 for monitoring.
B.This is an RSPAN session that sends traffic to a remote VLAN.
C.Ingress traffic on Gi1/0/10 is forwarded to the source ports.
D.The destination port is configured to capture only egress traffic.
Answer: A

The session type is Local, source ports are in both directions, and destination is Gi1/0/10.

Why this answer

The output shows a local SPAN session with source ports Gi1/0/1 and Gi1/0/2 (both directions) and destination port Gi1/0/10. The destination port is set to Native encapsulation, meaning it sends traffic in the original VLAN format. Ingress is disabled, so no incoming traffic on the destination port is forwarded.

This is a standard local SPAN configuration.

1078
MCQ (medium)

Examine the following configuration:

interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip ospf network point-to-point
 ip ospf hello-interval 10
!
router ospf 1
 network 192.168.1.0 0.0.0.255 area 0

What is the effect of this configuration?

A.OSPF will use a 10-second hello interval and suppress DR/BDR election.
B.OSPF will use a 30-second hello interval and elect a DR/BDR.
C.OSPF will use a 10-second hello interval but still elect a DR/BDR.
D.OSPF will use a 30-second hello interval and suppress DR/BDR election.
Answer: A

Correct. The point-to-point network type eliminates DR/BDR and uses a 10-second hello interval by default; the explicit command is redundant but confirms the behavior.

Why this answer

The 'ip ospf network point-to-point' command changes the OSPF network type on this Ethernet interface from the default (broadcast) to point-to-point, which suppresses DR/BDR election and keeps the default 10-second hello interval (with a 40-second dead interval). The explicit 'ip ospf hello-interval 10' is therefore redundant but harmless. The 30-second hello in options B and D is the default for non-broadcast and point-to-multipoint network types, not for broadcast or point-to-point, so neither applies here.

1079
MCQ (medium)

An engineer is troubleshooting an MPLS VPN where CE1 (10.1.1.0/24) cannot reach CE2 (10.2.2.0/24). The PE routers are running OSPF with the CE routers. On PE1, the 'show ip route vrf CUSTOMER' output shows 10.2.2.0/24 as an OSPF route, but the prefix is not present in the global BGP table. What is the most likely cause?

A.Redistribution from OSPF into BGP under the VRF is not configured on PE1.
B.The OSPF adjacency between PE1 and CE1 is down.
C.The VRF forwarding table on PE1 is full.
D.MPLS LDP is not enabled on the PE1-CE1 link.
Answer: A

Correct because VRF routes must be redistributed into BGP to be advertised as VPNv4 prefixes.

Why this answer

In MPLS L3VPN, CE routes must be redistributed into BGP (VPNv4) on the PE. If OSPF routes are present in the VRF but not in BGP, redistribution is missing. Option A correctly identifies this.

Option B is wrong because OSPF is running; Option C is irrelevant; Option D would affect label allocation, not route advertisement.

1080
MCQ (medium)

A network architect is designing the QoS architecture for a Cisco SD-WAN deployment that carries voice, video, and data traffic across MPLS and Internet transports. The design must use a consistent DiffServ marking strategy across all transports and ensure that voice traffic is prioritized over video. Which QoS policy type and marking approach should the architect use?

A. Use localized QoS policies on each WAN edge router with CoS markings based on the transport type.
B. Use a centralized QoS policy that marks traffic with DSCP and applies per-queue shaping on the WAN edge.
C. Use MPLS EXP markings for MPLS transport and IP Precedence for Internet transport.
D. Use NBAR2 to automatically classify traffic and apply markings based on application signatures.
Answer: B

Centralized policies ensure consistent DSCP markings across all transports, and per-queue shaping allows prioritization of voice over video.

Why this answer

Option B is correct because Cisco SD-WAN uses centralized QoS policies applied via vSmart to ensure consistent DiffServ marking (DSCP) across all transports (MPLS and Internet). Per-queue shaping on the WAN edge router allows voice traffic to be prioritized over video by assigning voice to a higher-priority queue (e.g., queue 4 with DSCP EF) and video to a lower queue (e.g., queue 3 with DSCP AF41), ensuring voice is always serviced first.

Exam trap

Cisco often tests the misconception that localized QoS policies are sufficient for multi-transport consistency, but the trap here is that only centralized QoS policies in SD-WAN can enforce uniform DiffServ markings across all transports, while options like NBAR2 or per-transport markings (EXP vs. IP Precedence) fail to meet the requirement for a consistent strategy.

How to eliminate wrong answers

Option A is wrong because localized QoS policies on each WAN edge router would not guarantee a consistent marking strategy across all transports, as each router could apply different CoS markings based on local configuration, violating the design requirement for consistency. Option C is wrong because using MPLS EXP markings for MPLS transport and IP Precedence for Internet transport creates an inconsistent marking strategy across transports, and IP Precedence is a legacy field that does not provide the granularity of DSCP, which is required for proper DiffServ behavior. Option D is wrong because NBAR2 is a classification tool that can identify applications, but it does not define the QoS policy type or marking strategy; it would need to be combined with a centralized policy to ensure consistent marking, and the question specifically asks for the policy type and marking approach, not just classification.

1081
MCQ (hard)

A company has a network with multiple VLANs connected via a Layer 3 switch acting as the gateway for all VLANs. The network uses Rapid PVST+ for spanning tree. Recently, the network team added a new access switch to VLAN 100. After the switch was connected, users in VLAN 100 experienced intermittent connectivity, and the Layer 3 switch logs show 'SPANTREE-2-ROOTGUARD_BLOCK' messages for the port connected to the new switch. The new switch is intended to provide additional access ports for VLAN 100. The network team ensured that the new switch's configuration is correct for VLAN 100 access. What is the most likely cause of the issue, and what action should be taken to resolve it?

A. Change the port configuration on the new switch to access mode for VLAN 100.
B. Disable Root Guard on the Layer 3 switch port connected to the new switch.
C. Configure the new switch with a higher bridge priority (e.g., 28672) to prevent it from becoming the root bridge.
D. Remove the new switch from the network because it is causing a BPDU attack.
Answer: C

Setting a higher bridge priority ensures the new switch does not attempt to become root, resolving the root guard blocking.

Why this answer

The issue is that the new switch, intended as an access switch, has a lower bridge priority (or default priority of 32768) than the existing root bridge for VLAN 100. When connected, it becomes the new root bridge, causing topology changes and intermittent connectivity. Root Guard on the Layer 3 switch port detects this superior BPDU and blocks the port to protect the root bridge position.

Configuring the new switch with a higher bridge priority (e.g., 28672) ensures it cannot become the root bridge, resolving the Root Guard blocks.

Exam trap

Cisco often tests the misconception that Root Guard is the problem and should be disabled, when in fact the root cause is the new switch's bridge priority being too low, and the correct fix is to adjust the priority on the new switch.

How to eliminate wrong answers

Option A is wrong because the port is already configured as an access port for VLAN 100 (the team verified correct configuration), and changing it again would not address the root bridge election issue. Option B is wrong because disabling Root Guard would allow the new switch to become the root bridge, causing the same intermittent connectivity and potential instability; Root Guard is a protective feature, not the cause. Option D is wrong because the new switch is not causing a BPDU attack; it is simply sending superior BPDUs due to its default bridge priority, which is a normal behavior that Root Guard is designed to protect against.

1082
Drag & Drop (medium)

Drag and drop the steps of VRF import/export route-target policy flow into the correct order, from first to last.


Why this order

The correct order begins with the PE receiving a VPNv4 route from MP-BGP, checking the route target against the VRF import list, matching the RT to accept the route, installing the route in the VRF routing table, and then redistributing the route to the CE.

1083
MCQ (hard)

An enterprise is deploying a virtualized network function (VNF) for a next-generation firewall on a KVM-based hypervisor. The architect must ensure that the VNF can handle high throughput without CPU bottlenecks. Which hypervisor configuration technique should the architect use to dedicate physical CPU cores to the VNF?

A. Enable CPU overcommitment to allow the VNF to use any available CPU cycles.
B. Configure NUMA pinning and CPU pinning to dedicate physical cores to the VNF's virtual CPUs.
C. Use VMware vSphere instead of KVM for better VNF performance.
D. Increase the number of virtual CPUs assigned to the VNF to improve throughput.
Answer: B

NUMA pinning ensures memory locality and CPU pinning dedicates cores, providing consistent performance for the VNF.

Why this answer

Option B is correct because CPU pinning (also called CPU affinity) binds specific virtual CPUs (vCPUs) of the VNF to dedicated physical CPU cores, eliminating context-switching overhead and ensuring deterministic performance. NUMA pinning further aligns vCPUs and memory with the same Non-Uniform Memory Access node, reducing latency. This configuration is critical for VNFs like next-generation firewalls that require high throughput and low jitter.

Exam trap

Cisco often tests the misconception that simply increasing vCPU count (Option D) or enabling overcommitment (Option A) can solve performance issues, when in reality, dedicated core assignment via pinning is required for deterministic VNF throughput.

How to eliminate wrong answers

Option A is wrong because CPU overcommitment allows multiple VMs to share physical cores, which can lead to CPU contention and performance bottlenecks, exactly the opposite of what is needed for high-throughput VNFs. Option C is wrong because the question explicitly asks about a KVM-based hypervisor, and recommending VMware vSphere does not solve the configuration requirement; it also implies a platform change rather than a configuration technique. Option D is wrong because simply increasing the number of vCPUs without pinning them to dedicated cores can cause excessive scheduling overhead and cache thrashing, degrading throughput rather than improving it.

1084
MCQ (medium)

What is the default multicast group range for Source-Specific Multicast (SSM) as defined by IANA and supported by Cisco IOS?

A. 224.0.0.0/4
B. 232.0.0.0/8
C. 239.0.0.0/8
D. 233.0.0.0/8
Answer: B

Correct. 232.0.0.0/8 is the default SSM range.

Why this answer

The IANA has reserved the 232.0.0.0/8 address range for SSM. Cisco IOS uses this range by default for SSM, and it can be modified with the 'ip pim ssm' command.

1085
Drag & Drop (medium)

Drag and drop the steps of GET VPN key server registration and rekey into the correct order, from first to last.


Why this order

In GET VPN, a group member (GM) first registers with the key server (KS) using ISAKMP. The KS authenticates the GM and then pushes the current policy and encryption keys (TEK and KEK) to the GM. The KS periodically sends a rekey message to all GMs to update the keys before they expire.

1086
MCQ (medium)

A company has a campus network with two distribution switches (DSW1 and DSW2) connected via a Layer 2 trunk. Each distribution switch connects to two access switches. Spanning Tree Protocol (STP) is running with default settings. Recently, a network administrator added a new access switch (ASW3) and connected it to both distribution switches. After the connection, network performance degraded significantly, and users in VLAN 10 reported intermittent connectivity. The administrator checked the logs and saw multiple TCN notifications. What is the most likely cause of the issue?

A. The new switch is causing a Layer 2 loop due to redundant links without proper STP configuration.
B. The new switch is not configured with the same VLANs as the distribution switches.
C. The new switch has a lower bridge priority than the current root bridge.
D. The new switch has become the root bridge and is sending inferior BPDUs.
Answer: A

Redundant links without proper STP can cause loops.

Why this answer

When ASW3 is connected to both DSW1 and DSW2 via Layer 2 trunk links, it creates a physical loop in the network. With default STP settings, the new switch will participate in the spanning tree algorithm, but the sudden addition of redundant links can cause a temporary loop or instability until STP converges. The multiple TCN (Topology Change Notification) messages indicate that the spanning tree topology is flapping, leading to MAC address table flushes and intermittent connectivity for VLAN 10 users.

This is the classic symptom of a Layer 2 loop caused by redundant links without proper STP configuration or before convergence completes.

Exam trap

Cisco often tests the distinction between a Layer 2 loop causing TCN flapping and a root bridge election, where candidates mistakenly think a new root bridge is the primary problem rather than the redundant physical loop itself.

How to eliminate wrong answers

Option B is wrong because mismatched VLANs would cause traffic to be dropped or not forwarded, but would not generate TCN notifications or cause a Layer 2 loop; TCNs are triggered by changes in the spanning tree topology, not by VLAN mismatches. Option C is wrong because a lower bridge priority would make the new switch more likely to become the root bridge, but that alone does not cause a loop or performance degradation; STP would still converge and block redundant ports. Option D is wrong because if the new switch becomes the root bridge, it sends superior BPDUs (not inferior), and while this would cause a topology change, it would not inherently create a loop or cause the severe performance degradation described; the issue is the physical loop, not the root bridge election.

1087
Drag & Drop (medium)

Drag and drop the steps of Ansible playbook execution flow into the correct order, from first to last.


Why this order

Ansible playbook execution begins with inventory parsing to identify target hosts, then loads variables from group_vars/host_vars. Next, it gathers facts from the managed nodes, applies tasks from the playbook in order, and finally runs post-task handlers if notified.

1088
MCQ (hard)

A network engineer is deploying a wireless mesh network using outdoor access points. The mesh APs are configured to use 802.11a/n on the 5 GHz band for backhaul and 802.11b/g/n on the 2.4 GHz band for client access. The engineer notices that the mesh backhaul links are unstable and have high packet loss. What is the most likely cause of the instability?

A. The 5 GHz band is being used for both backhaul and client access, causing co-channel interference.
B. The 802.11a/n standard is obsolete and does not support mesh networking.
C. The mesh APs require a wired Ethernet connection to the root AP.
D. The 2.4 GHz band provides better range for backhaul than the 5 GHz band.
Answer: A

Correct because using the same band for backhaul and client access can cause interference if channels overlap; dedicated backhaul channels should be used.

Why this answer

The correct answer is that the backhaul and client access channels are overlapping, causing interference. Using the same band for both backhaul and client access can lead to co-channel interference, especially if channels are not carefully planned. The other options are less likely: 802.11a/n is not obsolete, mesh backhaul does not require a wired connection, and 5 GHz generally has better range than 2.4 GHz for backhaul.

1089
MCQ (medium)

A network engineer runs the following command on a Cisco WLC:

```
WLC# show ap config general AP-2
AP Name: AP-2
MAC Address: aabb.cc00.0200
Country Code: US - United States
Regulatory Domain: 802.11bg: -A 802.11a: -A
AP Submode: FlexConnect
AP Mode: FlexConnect
AP Join Priority: 2
Primary Controller: WLC-1
Secondary Controller: WLC-2
Tertiary Controller: WLC-3
```

Based on this output, what can be concluded?

A. The AP is operating in Local mode and will tunnel all traffic to the WLC.
B. The AP can locally switch client traffic and maintain connectivity even if the WLC is unreachable.
C. The AP will only work if the WLC is directly connected at Layer 2.
D. The AP is in Monitor mode and will not serve clients.
Answer: B

FlexConnect APs can locally switch traffic and operate independently if the WLC is unreachable.

Why this answer

The output shows the AP is in FlexConnect mode, which means it can locally switch traffic and maintain connectivity to the WLC over a WAN. The AP has a primary, secondary, and tertiary controller configured.

1090
Matching (medium)

Drag and drop each VLAN type on the left to its matching purpose on the right.


Concepts
Matches

Carries user data traffic

Carries VoIP traffic; uses QoS trust boundaries

Carries management traffic (e.g., SSH, SNMP, syslog)

Carries untagged frames on an 802.1Q trunk

Unused VLAN; all ports assigned to it are shut down to prevent loops

Why these pairings

Data VLAN carries user traffic. Voice VLAN carries VoIP traffic (typically VLAN 100–199). Management VLAN carries management traffic (e.g., SSH, SNMP).

Native VLAN carries untagged frames on a trunk (default VLAN 1). Black-hole VLAN is unused and dropped to prevent loops.

1091
MCQ (medium)

An engineer is deploying a wireless network in a hospital that requires strict security and client isolation. The network must support 802.1X authentication for employees and a separate guest SSID with a captive portal. The engineer configures the WLC with RADIUS servers for 802.1X and a local web server for the captive portal. However, guest users can access the internal network after authentication. What configuration change is needed?

A. Enable client isolation (peer-to-peer blocking) on the guest SSID.
B. Configure 802.1X authentication for the guest SSID as well.
C. Apply a VLAN ACL on the guest VLAN to block access to internal subnets.
D. Place the guest SSID on the same VLAN as the employee SSID.
Answer: A

Correct because client isolation prevents guest clients from communicating with each other and with internal network resources, ensuring security.

Why this answer

The correct answer is to enable client isolation (or peer-to-peer blocking) on the guest SSID. This prevents guest clients from communicating with each other and with internal resources. The other options are incorrect: 802.1X is not needed for guests, VLAN ACLs would be more complex, and guest traffic should be on a separate VLAN, but isolation must also be enforced at the wireless level.

1092
MCQ (easy)

A network engineer runs the following command on Switch SW3:

```
SW3# show etherchannel load-balance
EtherChannel Load-Balancing Configuration: src-dst-ip
EtherChannel Load-Balancing Operational State: src-dst-ip
```

Based on this output, what can be concluded?

A. The switch uses source MAC and destination MAC for load balancing.
B. The load-balancing method is based on source and destination IP addresses.
C. The operational state differs from the configured state, indicating a problem.
D. The switch is using round-robin to distribute traffic across ports.
Answer: B

The output confirms 'src-dst-ip' as the method.

Why this answer

The output shows that both the configured and operational load-balancing method is 'src-dst-ip', which means the switch uses source and destination IP addresses to determine which member port to use for each flow. This is a common and valid method. The correct answer is that the load-balancing method uses both source and destination IP addresses.

1093
MCQ (medium)

An engineer configures gRPC dial-out telemetry on a Cisco IOS-XE device:

```
telemetry ietf subscription 100
 receiver ip address 10.1.1.100 port 50051 protocol grpc-tcp
 source-address 10.1.1.1
 encoding encode-kvgpb
 filter xpath /interfaces/interface/state/counters
 update-policy periodic 10000
```

What is the purpose of the 'source-address' command?

A. It specifies the IP address of the telemetry receiver.
B. It specifies the source IP address for the telemetry stream.
C. It enables the device to receive telemetry data from the receiver.
D. It specifies the IP address of the network management station.
Answer: B

The source-address defines the IP address used as the source in the telemetry packets.

Why this answer

The 'source-address' command specifies the IP address that the device uses as the source IP when sending telemetry data to the receiver. This ensures that the receiver can identify the device and that the traffic is sourced from a specific interface.

1094
Drag & Drop (medium)

Drag and drop the steps of STP root guard and loop guard activation into the correct order, from first to last.


Why this order

Root guard is enabled on an interface to prevent it from becoming a root port. Loop guard is enabled to prevent alternate/backup ports from transitioning to forwarding. Both features are configured per interface, then verified.

Root guard places the port in root-inconsistent state if a superior BPDU is received, while loop guard places it in loop-inconsistent state.

1095
Drag & Drop (medium)

Drag and drop the steps of IPFIX template negotiation and export into the correct order, from first to last.


Why this order

IPFIX starts with the exporter defining a template with field definitions, then the exporter sends the template record to the collector, the collector acknowledges (optional), the exporter sends data records referencing the template ID, and finally the collector interprets data using the stored template.

1096
MCQ (hard)

A network engineer is automating the configuration of VLANs on a Cisco Nexus 9000 switch using Python and the NX-API. The engineer sends a Python dictionary with the CLI commands to the API and receives a successful response. However, when checking the switch, the VLANs are not created. The engineer verifies that the credentials and IP address are correct, and the API is enabled. The engineer also notices that the API response contains a 'code' field of '200' and a 'result' field that shows the command output. What is the most likely cause of the issue?

A. The API response code of 200 indicates an error, and the engineer should check for a different status code.
B. The VLAN commands are incorrect; the engineer should use 'vlan 10' instead of 'vlan 10-20'.
C. The engineer used the 'show' message type in the API request instead of 'cli_conf'.
D. The switch requires a 'commit' command after configuration changes via NX-API.
Answer: C

Correct because NX-API requires the 'cli_conf' type to execute configuration commands; 'show' only executes show commands and does not apply changes.

Why this answer

The correct answer is that the engineer used the 'show' command type instead of 'cli_conf' for configuration commands. Option A is incorrect because a 200 response indicates the API call was successful. Option B is incorrect because the commands are valid.

Option D is incorrect because the API does not require a commit command by default.

1097
Matching (medium)

Drag and drop each YANG module on the left to its matching standard body on the right.


Concepts
Matches

OpenConfig

IETF

Cisco-IOS-XE

OpenConfig

IETF

Why these pairings

OpenConfig: vendor-neutral YANG models. IETF: RFC-based YANG models. Cisco-IOS-XE: Cisco proprietary YANG models for IOS-XE.

1098
MCQ (hard)

An engineer is writing a Python script to parse the output of 'show ip interface brief' from multiple Cisco routers. The engineer uses the netmiko library to collect the output and then uses regular expressions to extract the interface name, IP address, and status. The script works correctly for most routers, but on one router, the output format is slightly different (e.g., extra spaces or different column headers). The engineer wants to make the parsing more robust. What is the best approach?

A. Write a custom parser that handles each router's output format individually.
B. Use the 'split()' method to tokenize each line and then extract the relevant fields by position.
C. Use the 'textfsm' library with a pre-defined template for 'show ip interface brief'.
D. Use the 're' module with a more complex regular expression that accounts for optional whitespace.
Answer: C

Correct because textfsm templates are designed to handle variations in output format and provide structured data.

Why this answer

The correct answer is to use the 'textfsm' library with a pre-defined template for 'show ip interface brief'. Option A is incorrect because it is not scalable for many devices. Option B is incorrect because it does not handle format variations.

Option D is incorrect because it does not change the parsing logic.

1099
MCQ (medium)

Analyze this NAT configuration:

```
ip nat pool GLOBAL 203.0.113.10 203.0.113.20 netmask 255.255.255.0
ip nat inside source list 1 pool GLOBAL overload
access-list 1 permit 192.168.1.0 0.0.0.255
```

Which statement is correct?

A. Traffic from 192.168.1.0/24 is translated to addresses in the range 203.0.113.10-20, using PAT.
B. Each host in 192.168.1.0/24 gets a unique IP from the pool without port translation.
C. The pool must include the outside interface IP address.
D. Access-list 1 is used to filter inbound traffic.
Answer: A

Correct. The pool provides the translated addresses, and overload enables PAT.

Why this answer

This is dynamic NAT with overload (PAT) using a pool of addresses.

1100
MCQ (medium)

A network engineer runs the following commands on Router R3:

```
R3# show mls qos interface GigabitEthernet0/1
GigabitEthernet0/1
trust state: trust DSCP
trust mode: trust dscp
COS override: dis
default COS: 0
DSCP Mutation Map: default dscp mutation map
trust device: none
qos mode: port-based

R3# show mls qos
QoS is enabled globally
QoS global counters:
    total packets not matching QoS criteria = 0
    Total packets with known CoS = 0
    Total packets dropped by policing = 0
```

Based on this output, what can be concluded?

A. The interface is configured to trust CoS values.
B. The interface will overwrite incoming DSCP values with default CoS.
C. The interface trusts the DSCP markings of incoming packets.
D. QoS is disabled globally.
Answer: C

The output clearly states 'trust state: trust DSCP' and 'trust mode: trust dscp'.

Why this answer

The interface is configured to trust DSCP values. This means incoming packets will have their DSCP values preserved and used for QoS classification. The global QoS is enabled.

The trust mode is 'trust dscp', indicating that the switch will trust the DSCP markings of received packets.

1101
Matching (easy)

Drag and drop each leased line technology on the left to its matching speed on the right.


Concepts
Matches

1.544 Mbps

2.048 Mbps

44.736 Mbps

155.52 Mbps

622.08 Mbps

Why these pairings

T1 = 1.544 Mbps, E1 = 2.048 Mbps, DS3 = 44.736 Mbps, OC-3 = 155.52 Mbps, OC-12 = 622.08 Mbps.

1102
Matching (medium)

Drag and drop each NFV management layer on the left to its matching function on the right.


Concepts
Matches

Lifecycle management (instantiation, scaling, termination) of a VNF

Orchestration of network services and resource inventory management

Management of NFVI compute, storage, and network resources

Service ordering, billing, and fault management

Element management for a specific VNF type

Why these pairings

VNFM manages individual VNFs, NFVO handles orchestration and resource inventory, VIM controls NFVI resources.

1103
MCQ (easy)

A network engineer is configuring a new Cisco Catalyst 9300 switch to connect to an existing network. The uplink to the core switch is configured as a trunk. The engineer wants to ensure that all VLANs except VLAN 1 are allowed on the trunk, and that the native VLAN is set to VLAN 999. Which configuration should the engineer apply on the uplink interface?

A. switchport mode trunk; switchport trunk native vlan 999; switchport trunk allowed vlan except 1
B. switchport mode trunk; switchport trunk native vlan 999; switchport trunk allowed vlan remove 1
C. switchport mode trunk; switchport trunk native vlan 999; switchport trunk allowed vlan 2-4094
D. switchport mode trunk; switchport trunk native vlan 999; switchport trunk allowed vlan none
Answer: A

Correct because it sets the trunk, changes the native VLAN, and allows all VLANs except VLAN 1.

Why this answer

Option A is correct because the 'switchport trunk allowed vlan except 1' command explicitly permits all VLANs except VLAN 1 on the trunk, while the 'switchport trunk native vlan 999' command sets the native VLAN to 999, ensuring that untagged frames on the trunk belong to VLAN 999 instead of the default VLAN 1. This meets the requirement to exclude VLAN 1 from the allowed list and change the native VLAN.

Exam trap

Cisco often tests the difference between 'switchport trunk allowed vlan remove' and 'switchport trunk allowed vlan except', where candidates mistakenly think 'remove' is equivalent to 'except', but 'remove' only deletes a VLAN from the current list and requires the list to be pre-populated, while 'except' sets the list to all VLANs minus the specified ones in a single command.

How to eliminate wrong answers

Option B is wrong because 'switchport trunk allowed vlan remove 1' only removes VLAN 1 from the current allowed list, but if the default allowed VLAN list (all VLANs) was not explicitly set first, the command may behave inconsistently; more importantly, the syntax 'remove' is used to delete a VLAN from the existing allowed list, not to exclude it from the start, and the question requires a configuration that ensures all VLANs except VLAN 1 are allowed, which is better achieved with the 'except' keyword. Option C is wrong because 'switchport trunk allowed vlan 2-4094' explicitly lists VLANs 2 through 4094, but this excludes VLANs 0 and 1, and more critically, it does not account for reserved VLANs (like VLAN 1002-1005) that are not included in the range 2-4094, potentially blocking those VLANs; the 'except 1' command is more precise and inclusive. Option D is wrong because 'switchport trunk allowed vlan none' removes all VLANs from the trunk, effectively blocking all traffic, which does not meet the requirement to allow all VLANs except VLAN 1.

1104
Matching (medium)

Drag and drop each cisco.ios module on the left to its matching purpose on the right.


Concepts
Matches

Pushes configuration commands to Cisco IOS devices

Executes arbitrary show commands on Cisco IOS devices

Gathers facts about Cisco IOS devices

Manages VLANs on Cisco IOS devices

Configures Layer 3 interface properties

Why these pairings

ios_config pushes configuration commands; ios_command executes show commands; ios_facts gathers device facts; ios_vlans manages VLAN configuration; ios_l3_interfaces configures Layer 3 interfaces.

1105
MCQ (medium)

Consider the following configuration snippet:

```
policy-map QOS_POLICY
 class VOICE
  priority percent 30
 class VIDEO
  bandwidth percent 20
  queue-limit 50 packets
 class class-default
  fair-queue
  queue-limit 100 packets
```

What is the effect of this configuration?

A. The VOICE class traffic is always sent before other classes, but if it exceeds 30% of the interface bandwidth, excess traffic is dropped.
B. The VOICE class traffic is always sent before other classes, and excess traffic beyond 30% is queued in the default class.
C. The VIDEO class traffic is treated with strict priority after the VOICE class.
D. The class-default uses Weighted Fair Queuing with a maximum queue size of 100 packets, and all classes share the remaining bandwidth equally.
Answer: A

Priority queuing sends traffic first; the percent 30 sets a policer that drops excess traffic beyond 30%.

Why this answer

The 'priority percent 30' command under the VOICE class enables strict priority queuing, meaning VOICE traffic is always transmitted before any other class. However, the priority queue is policed at 30% of the interface bandwidth; any traffic exceeding this rate is dropped, not queued. This is a fundamental behavior of the priority command in Cisco IOS — excess priority traffic is dropped to prevent starvation of other queues.

Exam trap

Cisco often tests the misconception that excess priority traffic is re-queued into the default class or another queue, when in fact it is always dropped to enforce the bandwidth limit and protect other traffic classes.

How to eliminate wrong answers

Option B is wrong because excess priority traffic beyond the configured percentage is dropped, not re-queued into the default class; the priority command does not allow excess traffic to fall back to another queue. Option C is wrong because the VIDEO class uses bandwidth percent 20, which is a non-priority queue (class-based weighted fair queuing), not strict priority; only the VOICE class has strict priority. Option D is wrong because the class-default uses fair-queue, but the remaining bandwidth is not shared equally among all classes — the VIDEO class has a guaranteed 20%, and the remaining bandwidth after VOICE and VIDEO is shared among the default class flows via fair-queuing, not equally across all classes.

1106
Drag & Drop (medium)

Drag and drop the steps of DSCP re-marking at enterprise WAN edge into the correct order, from first to last.


Why this order

DSCP re-marking at the WAN edge begins by identifying the trust boundary, then classifying traffic based on existing markings, applying a policy map to re-mark DSCP values, and finally applying the service policy to the interface. This ensures consistent QoS treatment across the WAN.

1107
Drag & Drop (medium)

Drag and drop the steps of NAT64 IPv6-to-IPv4 translation flow into the correct order, from first to last.


Why this order

NAT64 translates IPv6 packets to IPv4. The IPv6 host sends a packet to a synthetic IPv6 address, the router extracts the embedded IPv4 destination, creates a NAT64 binding, translates headers, and forwards the IPv4 packet.

1108
MCQ (hard)

A large enterprise uses a centralized automation platform based on Ansible Tower to manage its network infrastructure. The network consists of 500 Cisco IOS XE routers and switches distributed across multiple sites. The automation team has created a playbook that configures BGP peerings on all devices. The playbook uses the ios_bgp module. Recently, during a maintenance window, the playbook was run against a subset of devices that were supposed to be upgraded to a new IOS XE version. However, after the run, several devices lost their BGP configurations entirely. The team discovers that the new IOS XE version introduced a new BGP configuration model that is not fully compatible with the ios_bgp module's expected CLI commands. The playbook failed silently on those devices, and the existing BGP configuration was removed. The team needs to prevent this from happening in future maintenance windows. Which action should be taken?

A.Add a pre-task that validates the device's OS version and conditionally applies the appropriate module or command set
B.Implement idempotency checks in the playbook using the 'check_mode' option
C.Set 'gather_facts: no' in the playbook to speed up execution and avoid version detection issues
D.Replace the ios_bgp module with the ios_config module and use raw CLI commands for BGP configuration
Answer: A

Pre-validation allows the playbook to use version-appropriate modules or commands, preventing silent failures.

Why this answer

Option A is correct because it directly addresses the root cause: the new IOS XE version uses an incompatible BGP configuration model. By adding a pre-task that validates the OS version, the playbook can conditionally apply the correct module (e.g., ios_bgp for older versions or a different module/CLI for the new model), preventing silent failures and configuration loss. This ensures the automation adapts to version-specific changes, maintaining idempotency and safety.

Exam trap

Cisco often tests the misconception that idempotency (check_mode) or simply using raw CLI commands (ios_config) solves version incompatibility, when the real solution is version-aware conditional logic to handle model changes.

How to eliminate wrong answers

Option B is wrong because 'check_mode' only simulates changes without applying them; it does not prevent the ios_bgp module from removing existing BGP configs due to incompatibility, nor does it handle version-specific behavior. Option C is wrong because setting 'gather_facts: no' would skip version detection entirely, making the playbook blind to the OS version and increasing the risk of applying incompatible commands. Option D is wrong because replacing ios_bgp with ios_config and raw CLI commands bypasses Ansible's structured module logic, losing idempotency and validation, and still requires version-aware logic to avoid the same incompatibility issue.

1109
MCQ (medium)

A network engineer is troubleshooting a wireless connectivity issue in a campus network managed by Cisco DNA Center. The Assurance module shows that several access points have high client association failures. The engineer checks the wireless controller configuration and finds that the APs are registered and functional. What is the most likely cause of the association failures?

A.RF interference or poor signal-to-noise ratio on the affected APs.
B.The APs are not running the recommended firmware version.
C.The wireless controller has reached its maximum number of APs.
D.The DNA Center Assurance module is not properly configured to monitor wireless events.
Answer: A

Correct because high association failures are often due to RF issues, which DNA Center Assurance can detect and report.

Why this answer

Cisco DNA Center Assurance can correlate client association failures with RF interference, authentication issues, or configuration mismatches. Since the APs are registered and functional, the issue is likely related to RF interference or signal quality. DNA Center's Assurance can analyze client association events and highlight RF issues as a common cause.

1110
Drag & Drop (medium)

Drag and drop the steps of NUMA-aware VM placement process into the correct order, from first to last.


Why this order

The order starts with enabling NUMA in the BIOS, then configuring the hypervisor, creating the VM with NUMA settings, and finally verifying placement and performance.

1111
MCQ (medium)

A network engineer is using Cisco DNA Center to manage a network with multiple sites. The engineer wants to ensure that all devices at a remote site have the same NTP server configuration. The engineer creates a network profile with the NTP settings and assigns it to the site. After provisioning, the engineer checks one of the switches and finds that the NTP configuration is missing. What should the engineer check first?

A.Verify that the device is assigned to the correct site in DNA Center.
B.Check if the NTP server is reachable from the device.
C.Ensure that the device is running a supported IOS version.
D.Recreate the network profile with the correct NTP settings.
Answer: A

Correct because if the device is not in the site where the profile is applied, it will not receive the configuration.

Why this answer

In Cisco DNA Center, network profiles are applied to sites, but devices must be assigned to the correct site hierarchy. If a device is not assigned to the site where the profile is applied, it will not receive the configuration. The engineer should verify that the device is in the correct site within DNA Center's hierarchy.

1112
Matching (medium)

Drag and drop each REST HTTP status code on the left to its matching meaning on the right.


Request succeeded and response body contains data

New resource was created successfully

Request is malformed or invalid

Authentication credentials are missing or invalid

Requested resource does not exist

Why these pairings

200 OK indicates success, 201 Created indicates resource creation, 400 Bad Request indicates client error, 401 Unauthorized indicates authentication failure, 404 Not Found indicates missing resource, and 500 Internal Server Error indicates server failure.

1113
MCQ (medium)

A company is deploying a WAN with MPLS VPN and wants to ensure that customer traffic is isolated from other customers. Which technology is used to maintain separation in the MPLS core?

A.VLAN tagging
B.MPLS labels
C.IPsec tunnels
D.Virtual Routing and Forwarding (VRF)
Answer: D

VRF creates separate routing instances per VPN customer, maintaining traffic isolation.

Why this answer

VRF (Virtual Routing and Forwarding) is the technology used in MPLS VPN to maintain customer traffic separation within the MPLS core. Each customer is assigned a unique VRF on the Provider Edge (PE) router, which maintains a separate routing table and forwarding instance, ensuring that traffic from one customer never crosses into another customer's routing domain. This separation is enforced at Layer 3, independent of the MPLS label switching that occurs in the core.

Exam trap

Cisco often tests the misconception that MPLS labels alone provide customer separation, but labels are only a forwarding mechanism; the actual isolation comes from VRF instances on the PE routers.

How to eliminate wrong answers

Option A is wrong because VLAN tagging (802.1Q) operates at Layer 2 and is used for segmenting traffic within a LAN or between switches, not for isolating customer traffic across an MPLS WAN core. Option B is wrong because MPLS labels are used for forwarding packets through the core based on label-switched paths (LSPs), but they do not inherently provide customer separation; labels are assigned per FEC and can be shared across customers without VRF. Option C is wrong because IPsec tunnels provide encryption and authentication for secure communication over untrusted networks, but they do not provide routing isolation or separate forwarding tables; they are a security mechanism, not a Layer 3 isolation technology.

1114
MCQ (medium)

An enterprise network uses OSPF as its IGP. The network engineer notices that a particular route learned via OSPF is not being installed in the routing table, even though the neighbor adjacency is up and the route appears in the OSPF database. The route is an external route redistributed from EIGRP. What is the most likely cause?

A.The OSPF process ID is different on the routers.
B.The external route has a higher administrative distance than the internal route.
C.The forwarding address in the type 5 LSA is not reachable via an OSPF internal route.
D.The OSPF metric for the external route is too high.
Answer: C

Correct because OSPF requires the forwarding address to be reachable via an intra-area or inter-area route; otherwise, the external route is not installed.

Why this answer

Option C is correct because OSPF requires the forwarding address (FA) in a Type 5 LSA to be reachable via an OSPF internal route (intra-area or inter-area) for the external route to be installed in the routing table. If the FA is not reachable, the router will ignore the LSA and not install the route, even though the LSA exists in the OSPF database and the neighbor adjacency is up.

Exam trap

Cisco often tests the forwarding address reachability requirement for Type 5 LSAs, and the trap here is that candidates assume any route in the OSPF database will automatically be installed, ignoring the recursive lookup condition for external routes with a non-zero forwarding address.

How to eliminate wrong answers

Option A is wrong because the OSPF process ID is locally significant and does not affect route installation between routers; different process IDs can still form adjacencies and exchange routes. Option B is wrong because OSPF external routes (type 5) have a default administrative distance of 110, while internal OSPF routes also have 110; the issue is not about AD comparison between internal and external OSPF routes, but about reachability of the forwarding address. Option D is wrong because a high OSPF metric does not prevent route installation; it only influences route selection among multiple paths; the route will still be installed if the metric is valid and the forwarding address is reachable.

1115
Matching (medium)

Drag and drop each WAN encapsulation on the left to its matching use case on the right.


Cisco proprietary point-to-point serial encapsulation

Supports authentication and multilink on serial links

Encapsulation for DSL broadband connections

Legacy packet-switched WAN technology

Bundles multiple PPP links for increased bandwidth

Why these pairings

HDLC is Cisco proprietary and used for point-to-point serial links. PPP supports authentication and multilink. PPPoE is used for DSL broadband connections.

Frame Relay is a legacy packet-switched WAN technology. MLPPP bundles multiple PPP links.

1116
MCQ (easy)

Refer to the exhibit. A network engineer sends a RESTCONF PATCH request with the above JSON payload to the URL https://192.168.1.100/restconf/data/ietf-interfaces:interface=GigabitEthernet0/0/0. What is the expected outcome?

A.A new interface GigabitEthernet0/0/0 is created with the specified IP address.
B.The description and IP address of the existing interface are updated, and the interface remains enabled.
C.The request fails because a GET request must be sent first to retrieve the current configuration.
D.The entire interface configuration is replaced with only the fields in the payload.
Answer: B

PATCH merges the provided fields with the existing configuration.

Why this answer

A RESTCONF PATCH request uses the HTTP PATCH method to apply a partial update to an existing resource. The payload contains only the fields to be modified (description and IP address), and the request URL targets the specific interface resource. Since the interface already exists, the PATCH updates only those fields without affecting other configuration, such as the interface's enabled state.

This is why the interface remains enabled and only the description and IP address are updated.

Exam trap

Cisco often tests the distinction between HTTP methods in RESTCONF, specifically that PATCH is for partial updates and PUT is for full replacement, and that PATCH does not require a prior GET to retrieve the current configuration.

How to eliminate wrong answers

Option A is wrong because a PATCH request does not create a new resource; it updates an existing one, and the URL targets an existing interface. Option C is wrong because RESTCONF does not require a prior GET request; PATCH can be sent directly to update specific fields. Option D is wrong because PATCH performs a partial update, not a full replacement; a PUT request would replace the entire configuration with the payload.

1117
MCQ (easy)

A network engineer is troubleshooting an issue where a Cisco router is not forwarding traffic between two VLANs. The router has an ACL applied to the subinterface for VLAN 100 that permits traffic from VLAN 200 to VLAN 100, but denies all other traffic. Hosts in VLAN 200 can ping hosts in VLAN 100, but hosts in VLAN 100 cannot ping hosts in VLAN 200. The engineer checks the ACL and finds that it is applied inbound on the subinterface for VLAN 100. What is the most likely cause of the issue?

A.The ACL is applied inbound on VLAN 100, so it only filters traffic entering VLAN 100, not traffic leaving VLAN 100.
B.The ACL is applied outbound on VLAN 100, so it filters traffic leaving VLAN 100, preventing replies.
C.The ACL is applied to the wrong subinterface; it should be applied to the subinterface for VLAN 200.
D.The ACL is blocking ICMP echo replies from VLAN 100 to VLAN 200.
Answer: A

Correct because inbound ACLs filter traffic entering the interface; traffic from VLAN 100 to VLAN 200 is leaving VLAN 100 and is not filtered.

Why this answer

The correct answer is that the ACL is applied inbound on VLAN 100, so it filters traffic entering VLAN 100; traffic from VLAN 200 to VLAN 100 is permitted, but traffic from VLAN 100 to VLAN 200 is not affected by this ACL. Option B is incorrect because the ACL is applied inbound, not outbound. Option C is incorrect because the ACL is applied to the subinterface, not the VLAN.

Option D is incorrect because the ACL does not affect routing between VLANs; it only filters traffic.

1118
Drag & Drop (medium)

Drag and drop the steps of Unicast Reverse Path Forwarding (uRPF) check process into the correct order, from first to last.


Why this order

uRPF checks the source IP of incoming packets by first looking up the source in the FIB. If the best reverse path to the source uses the same interface, the packet is forwarded; otherwise, it is dropped. Strict mode requires exact match, while loose mode only requires a route.

1119
Drag & Drop (medium)

Drag and drop the steps of NAPALM get_facts() retrieval from IOS-XE device into the correct order, from first to last.


Why this order

The correct order starts with importing the NAPALM library and driver, then creating a driver object with device credentials, calling the open() method to establish the connection, invoking get_facts() to retrieve device facts, and finally closing the connection.

1120
Matching (medium)

Drag and drop each wireless AP mode on the left to its matching function on the right.


Normal client access with CAPWAP tunnel to controller

Client traffic switched locally at the AP

Listens for rogue devices without serving clients

Captures 802.11 packets for analysis

Detects rogue APs without client association

Why these pairings

Local mode provides normal client access with CAPWAP tunnel; FlexConnect switches client traffic locally at the AP; Monitor mode listens for rogue devices; Sniffer mode captures packets for analysis; Rogue detector mode detects rogues without serving clients.

1121
MCQ (easy)

Refer to the exhibit. An engineer notices that interface resets have occurred. What is the most likely cause of the interface resets?

A.Cable or hardware issue causing link flapping
B.CRC errors due to noise
C.Collisions on the link
D.Interface is administratively down
Answer: A

Option A is correct because interface resets often indicate the link went down and up.

Why this answer

Interface resets typically indicate that the interface has gone down and come back up, which is most commonly caused by a physical layer issue such as a faulty cable, damaged connector, or hardware problem that leads to link flapping. When the link flaps, the interface counters increment the 'resets' field, reflecting the number of times the interface has been reset due to a loss of carrier or a link state change. This is distinct from errors like CRC or collisions, which do not directly cause the interface to reset.

Exam trap

The trap here is that candidates often confuse interface resets with CRC errors or collisions, but Cisco specifically tests that resets are caused by physical layer issues (link flapping) rather than data-link layer errors.

How to eliminate wrong answers

Option B is wrong because CRC errors are caused by noise or signal integrity issues and are counted separately in the 'input errors' field; they do not directly cause the interface to reset. Option C is wrong because collisions are normal on half-duplex links and are tracked in collision counters, but they do not trigger interface resets. Option D is wrong because an administratively down interface is manually disabled via the 'shutdown' command and would show 'administratively down' in the show interface output, not resets.

1122
Multi-Select (medium)

Which two statements about AAA authorization and accounting are true? (Choose two.)

A.Authorization determines what commands a user is allowed to execute after authentication.
B.Authorization ensures that all traffic between the client and server is encrypted.
C.Accounting is used to authenticate users based on their previous login history.
D.Accounting provides a record of user activities for auditing or billing purposes.
E.Authorization can only be based on the source IP address of the user.
Answers: A, D

Correct because authorization enforces policies on what resources or commands a user can access.

Why this answer

The correct answers describe the purpose of authorization and accounting. Option A is correct because authorization controls what commands or services a user can access. Option D is correct because accounting records user activity for auditing and billing.

Option B is wrong because authorization does not encrypt traffic; encryption is a separate function. Option C is wrong because accounting does not authenticate users; it logs actions. Option E is wrong because authorization can be based on user or group attributes, not just the source IP.

1123
Drag & Drop (medium)

Drag and drop the steps of RPF check verification for multicast forwarding into the correct order, from first to last.


Why this order

The RPF check ensures that incoming multicast packets arrive on the correct interface toward the source. First, the router examines the source IP address. Then it consults the unicast routing table to find the best route.

It identifies the outgoing interface for that route. It compares that interface with the arrival interface of the multicast packet. If they match, the packet is forwarded; otherwise, it is dropped.

1124
MCQ (medium)

A company has deployed a Cisco ASA firewall in transparent mode. The internal network uses VLAN 10 and the external network uses VLAN 20. The ASA is configured with two bridge groups: BVI 10 for inside and BVI 20 for outside. The security policy must allow HTTPS traffic from inside to outside. Which access-list entry is correct?

A.access-list INSIDE extended permit tcp 192.168.1.0 255.255.255.0 any eq 443 access-group INSIDE in interface inside
B.access-list GLOBAL extended permit ip 192.168.1.0 255.255.255.0 any
C.access-list GLOBAL extended permit tcp any any eq 443
D.access-list GLOBAL extended permit tcp 192.168.1.0 255.255.255.0 any eq 443
Answer: D

Correct: global access-list permits traffic from inside subnet to any on port 443.

Why this answer

In transparent mode, the ASA acts as a Layer 2 bridge, so traffic must be permitted by a global access list applied to the bridge group virtual interface (BVI). Option D correctly uses the GLOBAL access list to permit TCP traffic from the inside subnet (192.168.1.0/24) to any destination on port 443 (HTTPS), which satisfies the security policy.

Exam trap

Cisco often tests the misconception that transparent mode uses interface-based ACLs like routed mode, when in fact transparent mode requires global ACLs applied to the BVI, and the 'GLOBAL' keyword is mandatory for Layer 2 traffic filtering.

How to eliminate wrong answers

Option A is wrong because in transparent mode, access lists are applied globally to the BVI, not per interface; the 'access-group INSIDE in interface inside' command is invalid in transparent mode. Option B is wrong because it permits all IP traffic (including non-HTTPS) and uses the 'ip' protocol instead of 'tcp', which violates the requirement to allow only HTTPS. Option C is wrong because it permits any source (including untrusted external hosts) to initiate HTTPS traffic, which does not restrict traffic from inside to outside as required.

1125
Multi-Select (medium)

Which two statements about Python data structures used in network automation are true? (Choose two.)

A.Tuples are commonly used to store device credentials because they can be modified easily.
B.Dictionaries are used to store key-value pairs such as device IP, username, and password.
C.Sets are ordered and allow indexing to retrieve specific elements.
D.Lists are ordered and can be used to store multiple device names for iteration.
E.Strings are mutable and ideal for storing multiple device configurations.
Answers: B, D

Correct because dictionaries map keys to values, which is perfect for storing device parameters like IP, username, and password.

Why this answer

Correct answers: B and D. B is correct because dictionaries are ideal for storing key-value pairs such as device parameters (IP, username, password). D is correct because lists are ordered and can hold multiple device names or IPs, and they support iteration.

A is incorrect because tuples are immutable, so they cannot be modified after creation, which limits their use for dynamic data. C is incorrect because sets are unordered and do not support indexing; they are used for unique elements, not ordered collections. E is incorrect because strings are immutable and not suitable for storing multiple separate values.
