ENCOR 350-401 (350-401) — Questions 12011275

2015 questions total · 27pages · All types, answers revealed

Page 16

Page 17 of 27

Page 18
1201
MCQmedium

Examine the following configuration snippet applied to a Cisco IOS-XE device: interface GigabitEthernet0/1 ip address 10.1.1.1 255.255.255.0 ip nat inside ! interface GigabitEthernet0/2 ip address 192.168.1.1 255.255.255.0 ip nat outside ! access-list 100 permit ip 10.1.1.0 0.0.0.255 any ip nat inside source list 100 interface GigabitEthernet0/2 overload What is the effect of this configuration?

A.It translates all IP traffic from 10.1.1.0/24 to the IP address 192.168.1.1 using port address translation.
B.It performs static NAT for the host 10.1.1.1 to 192.168.1.1.
C.It translates all traffic from 192.168.1.0/24 to the IP address 10.1.1.1.
D.It allows all IP traffic from any source to any destination without translation.
AnswerA

Correct. The 'ip nat inside source list 100 interface GigabitEthernet0/2 overload' command performs PAT, translating the inside network to the outside interface IP.

Why this answer

This is a standard NAT overload (PAT) configuration. The inside network 10.1.1.0/24 is translated to the IP address of the outside interface (GigabitEthernet0/2) with port multiplexing.

1202
Drag & Dropmedium

Drag and drop the steps of Ansible role directory structure and task execution into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

Ansible role execution starts with the role's main.yml in tasks directory; then, any pre_tasks defined in the playbook run; next, handlers are loaded from handlers/main.yml; after that, role dependencies are resolved from meta/main.yml; finally, tasks execute in order, triggering handlers as needed.

1203
MCQmedium

A network engineer runs the following command on Router R1: R1# show crypto isakmp sa dst src state conn-id slot 10.1.1.2 10.1.1.1 MM_NO_STATE 1 0 Based on this output, what can be concluded?

A.The IPsec VPN tunnel is fully established and passing traffic.
B.IKE Phase 1 is in progress but not yet complete.
C.The ISAKMP SA has been deleted due to a timeout.
D.The remote peer has rejected the IKE proposal.
AnswerB

MM_NO_STATE is the initial state before Main Mode completes; it indicates negotiation is ongoing or stuck.

Why this answer

The MM_NO_STATE indicates that the IKE Phase 1 negotiation has not progressed past the initial state. This typically means that the remote peer is not responding or the ISAKMP policy does not match.

1204
MCQmedium

Consider the following configuration on a Cisco IOS-XE router: vrf definition RED rd 100:1 route-target export 100:1 route-target import 100:1 ! interface GigabitEthernet0/2 vrf forwarding RED ip address 10.10.10.1 255.255.255.0 Which statement is true about this configuration?

A.The VRF RED is correctly configured for MPLS L3VPN, and the interface is placed in VRF RED.
B.The 'rd' command is optional for VRF operation and can be omitted.
C.The 'route-target export' and 'route-target import' must match the RD value exactly.
D.This configuration will cause the interface to use the global routing table for forwarding.
AnswerA

Correct. RD and RTs are set, and the interface uses VRF RED.

Why this answer

Option A is correct because the configuration defines a VRF named RED with an RD of 100:1 and matching route-target import/export values, which is the standard setup for an MPLS L3VPN. The 'vrf forwarding RED' command under the interface assigns that interface to the VRF, isolating its routing table from the global table. This allows the router to participate in a Layer 3 VPN by importing and exporting routes with the specified route-target.

Exam trap

Cisco often tests the misconception that the route-target must match the RD exactly, but in reality they serve different purposes and can be configured independently.

How to eliminate wrong answers

Option B is wrong because the 'rd' (route distinguisher) command is mandatory for VRF operation in MPLS L3VPN contexts; without it, the VRF cannot distinguish overlapping IP prefixes across different VPNs. Option C is wrong because the route-target import/export values do not have to match the RD value; they are independent identifiers used for VPN route distribution and can differ from the RD. Option D is wrong because the 'vrf forwarding RED' command under the interface causes the interface to use the VRF-specific routing table, not the global routing table.

1205
Drag & Dropmedium

Drag and drop the steps of named ACL modification using sequence numbers into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

Named ACLs can be modified by inserting or deleting entries by sequence number. The correct order is: view current entries, delete the old entry, insert the new entry with a sequence number, verify, then save.

1206
Drag & Dropmedium

Drag and drop the steps of VRF-aware NAT configuration steps into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

The correct order starts with defining the VRF, then configuring the inside and outside interfaces under the VRF, defining the NAT pool (if used), applying the access list for translation, and finally enabling NAT inside source with the VRF keyword.

1207
Drag & Dropmedium

Drag and drop the steps of VNF service chain instantiation into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

Service chain instantiation begins with defining the chain, then selecting VNFs, allocating resources, connecting VNFs via virtual links, and finally testing the chain to verify functionality.

1208
MCQmedium

A company uses Ansible to manage the configuration of 1000 Cisco IOS routers. They have a playbook that uses the ios_config module with the 'src' parameter pointing to a Jinja2 template. The playbook runs successfully for months, but after a recent IOS upgrade on a subset of routers, the playbook fails with 'ERROR! Syntax error while loading YAML script'. The template has not been changed. What is the most likely cause?

A.The IOS upgrade changed the output of a 'show' command that is used to set a fact, and that fact now contains characters that break YAML syntax.
B.The Jinja2 template now contains syntax errors because the IOS upgrade changed the configuration requirements.
C.The ios_config module is incompatible with the new IOS version.
D.The playbook file was corrupted during the IOS upgrade process.
AnswerA

If a fact contains newlines or special characters, it can cause YAML parsing errors when the playbook tries to process it.

Why this answer

The error 'Syntax error while loading YAML script' suggests that the playbook itself has a YAML syntax issue, not the template. However, if the template is included in the playbook via a variable that contains special characters, it could cause a YAML parsing error. But since the template hasn't changed, the most likely cause is that the IOS upgrade changed the output of a command that is used to generate a fact, and that fact is now being passed to the template in a way that breaks YAML.

Alternatively, the playbook might be using a 'vars_prompt' or 'set_fact' that now produces invalid YAML.

1209
Drag & Dropmedium

Drag and drop the steps of STP path cost manipulation for load balancing into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

To load balance with STP, first identify redundant links. Then change the path cost on one switch's port to make it less preferred. This alters the root port selection.

The switch recalculates the spanning tree, and traffic is redirected to the lower-cost path. Finally, verify the new root port and forwarding state.

1210
MCQhard

A service provider uses MPLS L3VPN with OSPF as the PE-CE routing protocol. A customer reports that a new subnet added on CE1 is not reachable from CE2, even though the PE1 router has the route in its VRF and BGP table. The 'show ip bgp vpnv4 vrf CUSTOMER' on PE2 shows the prefix with a valid next-hop. What should the engineer check next?

A.Verify that LDP has allocated a label for the BGP next-hop address on PE2.
B.Check if OSPF is redistributed into BGP on PE1.
C.Ensure the route is present in the global BGP table on PE2.
D.Confirm that the VRF on PE2 has the correct route-target import.
AnswerA

Correct because without a label for the next-hop, the VPN route cannot be forwarded.

Why this answer

In MPLS L3VPN, even if BGP has the route, the packet forwarding requires a valid MPLS label for the next-hop. If LDP is not resolving the BGP next-hop, the route is not usable. Option A is correct.

Option B is wrong because OSPF is fine; Option C is wrong because the route is in BGP; Option D is wrong because redistribution is already working.

1211
MCQmedium

An enterprise network uses BGP to connect to two ISPs. The router has a BGP configuration that includes the command 'bgp bestpath med missing-as-worst'. The engineer notices that routes from ISP-A that do not have the MED attribute are being preferred over routes from ISP-B that have a MED of 50. What is the effect of the 'bgp bestpath med missing-as-worst' command?

A.It causes routes without the MED attribute to be treated as having the highest MED value, making them less preferred.
B.It causes routes without the MED attribute to be treated as having a MED value of 0, making them more preferred.
C.It causes routes with the MED attribute to be ignored during path selection.
D.It causes the router to add a MED value of 0 to all routes that are missing MED.
AnswerA

Correct because the command sets missing MED to the worst possible value, which is the highest MED, making those routes less preferred in path selection.

Why this answer

The 'bgp bestpath med missing-as-worst' command instructs the router to treat routes that lack the MED (Multi-Exit Discriminator) attribute as if they have the highest possible MED value (effectively infinity). Since a higher MED value is less preferred in BGP path selection, routes without MED become the least preferred among paths from the same AS. In this scenario, routes from ISP-A missing MED are treated as having a very high MED, making them less preferred than routes from ISP-B with a MED of 50, which contradicts the observed behavior, but the command's intended effect is to make missing-MED routes less preferred.

Exam trap

Cisco often tests the default behavior versus the modified behavior with 'missing-as-worst', and the trap here is that candidates mistakenly think the command makes missing-MED routes more preferred (like a MED of 0) instead of less preferred (like the highest MED).

How to eliminate wrong answers

Option B is wrong because the command does not treat missing MED as 0; treating missing MED as 0 would make those routes more preferred, which is the default behavior without this command. Option C is wrong because the command does not ignore MED during path selection; it specifically modifies how missing MED is evaluated, but MED is still considered. Option D is wrong because the command does not add a MED value of 0 to routes; it only changes the comparison logic so that missing MED is treated as the highest value, not a literal addition of 0.

1212
Multi-Selectmedium

Which three statements about STP convergence and timers are true? (Choose three.)

Select 3 answers
A.The default Max Age timer in classic STP is 20 seconds.
B.The Forward Delay timer determines how long a port stays in the listening and learning states, with a default of 15 seconds each.
C.RSTP eliminates the need for the Forward Delay timer by using a proposal-agreement handshake mechanism.
D.The Hello timer in STP is used to determine how often a switch sends BPDUs, with a default value of 5 seconds.
E.UplinkFast is a standard IEEE 802.1D feature that reduces convergence time after a root port failure.
AnswersA, B, C

Correct. Max Age defaults to 20 seconds, which is the time a switch waits to hear a BPDU from the root bridge before declaring it dead.

Why this answer

Classic STP convergence relies on timers: Hello (2 sec), Max Age (20 sec), Forward Delay (15 sec). Max Age defines how long a switch waits without receiving a BPDU before re-evaluating the root. Forward Delay is the time spent in listening and learning states (each 15 sec).

The total convergence time can be up to 50 seconds (20 sec Max Age + 15 sec listening + 15 sec learning). RSTP improves convergence by using handshakes instead of timers. UplinkFast is a Cisco proprietary feature that reduces convergence time after a root port failure, not a standard STP timer.

1213
Drag & Dropmedium

Drag and drop the steps of IP SLA HTTP operation for application monitoring into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

Start by creating the IP SLA operation with HTTP type. Then specify the target URL and HTTP method (e.g., GET). Optionally configure HTTP version and other parameters.

Next, schedule the operation to run. Finally, verify the HTTP response times and status.

1214
Matchingmedium

Drag and drop each security protocol on the left to its matching service on the right.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Encryption and authentication

Integrity and authentication only

Authentication without encryption

Both integrity and confidentiality

Encrypts TCP/UDP payload

Why these pairings

ESP provides confidentiality (encryption) and authentication; AH provides integrity and authentication but no encryption; ESP with NULL encryption provides authentication only.

1215
MCQmedium

A network engineer is configuring a Cisco router as a DHCP relay agent to forward DHCP requests from a client VLAN to a centralized DHCP server located in a different subnet. The engineer configures the ip helper-address command on the VLAN interface. However, clients in the VLAN are not receiving IP addresses. The DHCP server is reachable from the router. What is the most likely cause?

A.The ip helper-address command is applied on the wrong interface (e.g., the interface facing the DHCP server).
B.The DHCP server is not configured with a scope for the client subnet.
C.The router does not have a return route to the client subnet, so the DHCP server's reply is dropped.
D.The DHCP client is using DHCPv6 instead of DHCPv4.
AnswerC

Correct because the DHCP server sends the reply to the relay agent (router), which then forwards it as a broadcast to the client. If the router cannot reach the client subnet, the reply is lost.

Why this answer

The ip helper-address command forwards DHCP broadcasts as unicasts to the specified server. If the DHCP server receives the request but the reply cannot be routed back to the client, the client will not get an address. This often happens when the router does not have a route back to the client subnet.

1216
MCQmedium

An engineer retrieves telemetry data from a Cisco IOS-XE device using RESTCONF and receives the following response: ```json { "ietf-interfaces:interfaces": { "interface": [ { "name": "GigabitEthernet1", "type": "iana-if-type:ethernetCsmacd", "enabled": true, "ipv4": { "address": [ { "ip": "192.168.1.1", "netmask": "255.255.255.0" } ] } } ] } } ``` What is the correct way to access the IP address of the interface using Python?

A.data['ietf-interfaces:interfaces']['interface'][0]['ipv4']['address'][0]['ip']
B.data['interface'][0]['ipv4']['address']['ip']
C.data['interfaces']['interface']['ipv4']['address']['ip']
D.data['ietf-interfaces:interfaces']['interface']['ipv4']['address'][0]['ip']
AnswerA

This correctly navigates the nested JSON structure.

Why this answer

The JSON response is nested. To access the IP address, you need to navigate through the dictionary: data['ietf-interfaces:interfaces']['interface'][0]['ipv4']['address'][0]['ip']. This returns '192.168.1.1'.

1217
MCQmedium

A network engineer runs the following command on Router R3: R3# show mpls ldp bindings lib entry: 10.1.1.1/32, rev 2 local binding: label: 16 remote binding: lsr: 10.1.1.2:0, label: 17 lib entry: 10.2.2.0/24, rev 4 local binding: label: 18 remote binding: lsr: 10.1.1.2:0, label: 19 lib entry: 10.3.3.0/24, rev 6 local binding: label: 20 remote binding: lsr: 10.1.1.2:0, label: 21 Based on this output, what is true?

A.For prefix 10.1.1.1/32, the local label is 16 and the remote label from LSR 10.1.1.2 is 17.
B.The router has learned label bindings from two different LDP peers.
C.The label for prefix 10.2.2.0/24 is 18 locally and 19 remotely, indicating that the remote LSR will use label 18.
D.The LIB entry for 10.3.3.0/24 has a revision number of 6, meaning it was the sixth entry added.
AnswerA

The output clearly shows local binding label 16 and remote binding label 17.

Why this answer

The output shows the LIB (Label Information Base). For each prefix, there is a local label assigned by this router and a remote label learned from LSR 10.1.1.2. The rev number indicates the revision of the entry.

1218
MCQeasy

An enterprise network uses OSPF in the core and EIGRP in the campus distribution layer. The engineer needs to redistribute routes between the two protocols. Which design consideration is most important to prevent routing loops?

A.Set appropriate administrative distance values for redistributed routes.
B.Use route maps to filter all redistributed routes.
C.Enable OSPF on all EIGRP interfaces.
D.Use a single routing protocol throughout the network.
AnswerA

Correct because AD controls route preference; if not set correctly, a redistributed route could be preferred over the original, causing loops.

Why this answer

Setting appropriate administrative distance values for redistributed routes is crucial to prevent routing loops when redistributing between OSPF and EIGRP. By default, EIGRP has an administrative distance of 170 for external routes and 90 for internal routes, while OSPF uses 110. If redistributed routes are not assigned a higher administrative distance, a router might prefer a redistributed route over a directly learned route, creating a feedback loop where routes are re-injected into the original protocol.

Adjusting the administrative distance ensures that redistributed routes are less preferred than native routes, breaking the loop.

Exam trap

Cisco often tests the misconception that route filtering (option B) is the primary loop-prevention mechanism, but the real trap is that administrative distance must be adjusted to prevent the redistribution feedback loop, especially when multiple routers perform mutual redistribution.

How to eliminate wrong answers

Option B is wrong because using route maps to filter all redistributed routes is overly restrictive and can prevent necessary route propagation, but it does not directly address the root cause of routing loops, which is the preference for redistributed routes over native ones. Option C is wrong because enabling OSPF on all EIGRP interfaces would merge the two routing domains, defeating the purpose of redistribution and potentially causing instability, but it does not prevent loops in a multi-protocol environment. Option D is wrong because using a single routing protocol throughout the network is a valid design choice but is not a consideration for preventing loops during redistribution; the question specifically asks about redistributing between two protocols, so this option avoids the problem rather than solving it.

1219
MCQmedium

A network engineer is configuring QoS on a Cisco Catalyst 3850 switch to prioritize voice traffic. The switch is connected to an IP phone and a PC using a single access port. The engineer applies a service policy on the access port that marks CoS 5 for voice and CoS 0 for data. However, the IP phone is not receiving any voice packets. What is the most likely cause?

A.The switchport is configured as an access port without 'mls qos trust cos'
B.The IP phone is not configured with the correct VLAN for voice traffic
C.The service policy is applied in the output direction instead of input
D.The switch does not support CoS marking on access ports
AnswerA

Correct because without trusting CoS, the switch ignores the phone's markings and treats all traffic as best-effort.

Why this answer

The correct answer identifies that the switchport must be configured to trust the CoS markings from the IP phone. If the port is set to untrusted, the switch will re-mark all incoming CoS values to 0, overriding the phone's markings.

1220
MCQmedium

A network engineer runs the following command on Switch SW4: SW4# show monitor session 4 Session 4 --------- Type : Local Session Source VLANs : RX Only : 10,20 Destination Ports : Gi1/0/25 Encapsulation : Native Ingress : Disabled Based on this output, what can be concluded?

A.Only incoming traffic on VLANs 10 and 20 is mirrored to Gi1/0/25.
B.Both incoming and outgoing traffic on VLANs 10 and 20 are mirrored.
C.This is an RSPAN session using VLANs 10 and 20 as remote VLANs.
D.The destination port Gi1/0/25 is configured to receive mirrored traffic.
AnswerA

Source VLANs are set to RX Only, so only received traffic is captured.

Why this answer

The session is local SPAN with source VLANs 10 and 20, capturing only received traffic (RX Only). The destination port Gi1/0/25 sends out the mirrored traffic with Native encapsulation and ingress disabled. This monitors incoming traffic on those VLANs.

1221
MCQmedium

A network engineer runs the following command on Router R1: R1# show bgp summary BGP router identifier 192.168.1.1, local AS number 65001 BGP table version is 10, main routing table version 10 Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd 192.168.1.2 4 65002 1024 1020 10 0 0 00:12:34 15 192.168.1.3 4 65003 2048 2040 10 0 0 00:24:56 20 Based on this output, what can be concluded?

A.Both BGP sessions are in the established state
B.The BGP session with 192.168.1.2 is idle
C.Router R1 is using iBGP with both neighbors
D.The BGP table version is 10, meaning 10 prefixes are in the table
AnswerA

The State/PfxRcd column shows prefix counts (15 and 20), indicating the sessions are established and exchanging routes.

Why this answer

The output shows BGP neighbors and their state. Both neighbors are in established state (PfxRcd shows number of prefixes received). The local AS is 65001, and the neighbors are in different AS numbers (65002 and 65003), indicating eBGP sessions.

The correct answer is that both BGP sessions are established and exchanging prefixes.

1222
Multi-Selectmedium

Which two statements about PIM sparse mode (PIM-SM) are true? (Choose two.)

Select 2 answers
A.PIM-SM uses a pull model where receivers explicitly join the multicast group.
B.In PIM-SM, the rendezvous point (RP) is the root of the shared tree.
C.PIM-SM automatically switches to the shortest path tree (SPT) immediately after the first multicast packet is received.
D.PIM-SM requires all routers in the domain to be configured with the same RP address.
E.PIM-SM supports only one RP per multicast group.
AnswersA, B

Correct because PIM-SM requires receivers to send IGMP joins, which trigger PIM joins toward the RP, pulling traffic only where needed.

Why this answer

PIM-SM uses a pull model where receivers join the shared tree via the RP, and the RP is the root of the shared tree. The SPT switchover occurs after the first packet arrives via the shared tree.

1223
MCQeasy

A network engineer is using the Cisco DNA Center API to initiate a network discovery. The API endpoint '/dna/intent/api/v1/discovery' is called with a POST request containing the following JSON payload: ```json { "discoveryType": "Range", "ipAddressList": "10.10.20.1-10.10.20.254", "protocolOrder": "SSH", "timeout": 5, "retryCount": 3 } ``` The API returns a 202 Accepted status code. What does this indicate?

A.The discovery was completed successfully and devices are added.
B.The request is invalid and the payload needs correction.
C.The discovery has been accepted and is being processed asynchronously.
D.The server is busy and the request is queued.
AnswerC

202 Accepted is used for asynchronous operations.

Why this answer

A 202 Accepted status code means the request has been accepted for processing, but the processing has not been completed. The discovery is asynchronous and will continue in the background.

1224
Multi-Selectmedium

Which two statements about using Python for network automation are true? (Choose two.)

Select 2 answers
A.The netmiko library is commonly used to automate SSH connections to Cisco devices.
B.The paramiko library provides a high-level API for network automation tasks.
C.The requests library can be used to send HTTP requests to REST APIs on network devices.
D.The telnetlib library is recommended for secure network automation.
E.The scapy library is used to send configuration commands to network devices.
AnswersA, C

Correct because netmiko is a popular Python library that simplifies SSH connections to network devices and supports sending commands and retrieving output.

Why this answer

Correct answers: A and C. A is correct because the netmiko library simplifies SSH connections to network devices and is widely used for sending commands. C is correct because the requests library can be used to interact with REST APIs on devices like Cisco DNA Center or IOS-XE.

B is incorrect because paramiko is a low-level SSH library, not a high-level one; netmiko is built on paramiko but adds higher-level abstractions. D is incorrect because the telnetlib library is for Telnet, which is insecure and rarely used in modern automation. E is incorrect because the scapy library is for packet manipulation and network scanning, not for sending configuration commands.

1225
MCQmedium

A network engineer runs the following command on Router R1: R1# show ip route 10.1.1.0 Routing entry for 10.1.1.0/24 Known via "bgp 65001", distance 200, metric 0 Tag 65002, type external Last update from 192.168.1.2 00:00:15 ago Routing Descriptor Blocks: * 192.168.1.2, from 192.168.1.2, 00:00:15 ago Route metric is 0, traffic share count is 1 AS Hops 1 Route tag 65002 MPLS label: 18 Based on this output, what can be concluded?

A.The route is learned via OSPF and tagged with an MPLS label.
B.The route is learned via BGP and has an MPLS label assigned, indicating MPLS forwarding.
C.The route is a directly connected interface with an MPLS label.
D.The route is a static route with an MPLS label.
AnswerB

The output clearly shows 'Known via bgp 65001' and 'MPLS label: 18', confirming BGP learned route with MPLS label.

Why this answer

The output shows a BGP route with an MPLS label, indicating that MPLS VPN or MPLS forwarding is in use. The presence of the MPLS label (18) in the routing table is the key clue.

1226
Drag & Dropmedium

Drag and drop the steps of IBNS 2.0 concurrent authentication policy map into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

IBNS 2.0 uses a policy map to define concurrent methods; the switch first tries 802.1X, then MAB as fallback, and if both fail, applies a critical or default ACL; the order is defined in the policy map class.

1227
MCQhard

A network engineer runs the following command on switch SW8: SW8# show cts role-based sgt-map 192.168.1.10 IP Address: 192.168.1.10 SGT: 10 Source: SXP Based on this output, what can be concluded?

A.The SGT mapping was configured manually.
B.The SGT mapping was learned via SXP from a peer.
C.The IP address 192.168.1.10 is not mapped to any SGT.
D.The SGT mapping is from local authentication.
AnswerB

The source field shows SXP.

Why this answer

The output shows the SGT for IP 192.168.1.10 is 10, and the source is SXP, meaning the mapping was learned via the SGT Exchange Protocol from an SXP peer. This is dynamic, not static.

1228
Matchingmedium

Drag and drop each STP protection feature on the left to its matching purpose on the right.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Immediately transitions a port to forwarding state (access ports)

Disables a port if a BPDU is received (protects against rogue switches)

Prevents a port from becoming a root port (enforces root bridge location)

Prevents a port from becoming designated if BPDUs stop (prevents loops)

Detects and disables unidirectional links

Why these pairings

PortFast moves a port to forwarding immediately; BPDU Guard disables a port if a BPDU is received; Root Guard prevents a port from becoming a root port; Loop Guard prevents alternate/backup ports from becoming designated if BPDUs stop.

1229
Multi-Selectmedium

Which two statements about IPsec IKEv2 are true? (Choose two.)

Select 2 answers
A.IKEv2 uses UDP port 500 for initial negotiation and can switch to UDP port 4500 for NAT traversal.
B.IKEv2 requires a separate authentication phase for each security association established.
C.IKEv2 supports EAP authentication for remote access VPNs.
D.IKEv2 uses only pre-shared keys for authentication and does not support digital certificates.
E.IKEv2 is backward compatible with IKEv1 and can interoperate with older peers.
AnswersA, C

Correct because IKEv2 uses UDP 500 for standard exchanges and moves to UDP 4500 when NAT is detected, as per RFC 7296.

Why this answer

IKEv2 improves upon IKEv1 by using fewer messages for SA establishment and providing built-in NAT traversal and mobility support.

1230
Matchingmedium

Drag and drop each NAT type on the left to its matching description on the right.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Maps one private IP to one public IP permanently

Maps private IPs to a pool of public IPs on a first-come basis

Maps multiple private IPs to a single public IP using port numbers

Cisco term for PAT with a single public IP address

Translates IPv6 addresses to IPv4 addresses for interoperation

Why these pairings

Static NAT maps a private IP to a fixed public IP. Dynamic NAT uses a pool of public IPs. PAT (Port Address Translation) maps multiple private IPs to one public IP using unique port numbers.

Overload is another name for PAT. The fifth term 'NAT64' translates IPv6 to IPv4.

1231
MCQmedium

Consider the following BGP configuration on a Cisco IOS-XE router: router bgp 65001 neighbor 10.0.0.2 remote-as 65002 neighbor 10.0.0.2 route-map SET_COMMUNITY out ! route-map SET_COMMUNITY permit 10 set community 65001:100 What is the effect of this configuration?

A.The router will set the community to 65001:100 on all routes received from neighbor 10.0.0.2.
B.The router will set the community to 65001:100 on all routes advertised to neighbor 10.0.0.2.
C.The router will filter routes with community 65001:100 from being advertised.
D.The router will remove the community from routes advertised to the neighbor.
AnswerB

The 'out' direction and route-map cause the community to be set on outbound updates.

Why this answer

The route-map is applied to outbound updates to neighbor 10.0.0.2. It sets the BGP community value to 65001:100 on all routes advertised to that neighbor. The community is a well-known transitive attribute that can be used for routing policy.

1232
Multi-Selectmedium

Which two statements about MPLS Layer 3 VPNs are true? (Choose two.)

Select 2 answers
A.PE routers use MP-BGP to exchange VPNv4 routes that include the route distinguisher and the VPN label.
B.P routers in the MPLS core must maintain a full routing table for each customer VRF.
C.CE routers must run MPLS and participate in the label distribution with the PE router.
D.Each VRF on a PE router maintains a separate routing table and forwarding table per customer.
E.The MPLS label stack in a Layer 3 VPN always contains exactly one label.
AnswersA, D

Correct because MP-BGP carries VPNv4 routes (with route distinguisher) and the VPN label in the NLRI, enabling MPLS Layer 3 VPN operation.

Why this answer

MPLS Layer 3 VPNs use MP-BGP to exchange VPNv4 routes between PE routers, and each VRF maintains a separate routing table per customer. The P routers do not need to know customer routes, and the CE router does not run MPLS. The label stack includes both an IGP label and a VPN label.

1233
MCQhard

A cloud provider uses Cisco ACI to automate provisioning of tenant networks. A new tenant requires a Layer 2 bridge domain that extends to an external Layer 2 network via a VPC. The engineer creates a bridge domain with the settings: Type: Regular, L2 Unknown Unicast: Flood, L3 Unknown Multicast Flood: Flood, and Multi-Destination Flooding: Flood. The VPC is configured as a virtual port channel. The tenant reports that broadcast traffic is not reaching the external network. What is the most likely cause?

A.The VPC configuration does not support L2 extension.
B.The bridge domain is configured as proxy mode for L2 unknown unicast.
C.The L2Out is not configured to flood BUM traffic.
D.The bridge domain type should be set to 'L2 Only'.
AnswerC

L2Out must be configured with flood settings to extend flooding.

Why this answer

The correct answer is C because the bridge domain is configured to flood BUM (Broadcast, Unknown Unicast, and Multicast) traffic internally, but the L2Out (Layer 2 external connection) must also be explicitly configured to flood BUM traffic to the external network. Without this configuration on the L2Out, the ACI fabric will not forward broadcast or multicast frames across the VPC to the external Layer 2 network, even though the bridge domain itself permits flooding.

Exam trap

Cisco often tests the distinction between bridge domain flood settings and L2Out flood settings, trapping candidates who assume that enabling flooding in the bridge domain automatically allows BUM traffic to reach external networks.

How to eliminate wrong answers

Option A is wrong because a VPC (Virtual Port Channel) in ACI is specifically designed to support Layer 2 extension by providing a loop-free, redundant connection to external switches, and it does not inherently block L2 traffic. Option B is wrong because the bridge domain is explicitly configured with 'L2 Unknown Unicast: Flood', not proxy mode; proxy mode would be 'L2 Unknown Unicast: Proxy', which is not the case here. Option D is wrong because the bridge domain type 'Regular' is appropriate for a Layer 2 bridge domain that extends to an external network; setting it to 'L2 Only' would disable Layer 3 forwarding but would not affect the flooding of BUM traffic to the external network via the L2Out.

1234
MCQeasy

A network engineer is troubleshooting a wireless network where clients in a specific area report slow speeds and frequent disconnections. The engineer uses a spectrum analyzer and finds high utilization on channel 11 in the 2.4 GHz band. The engineer also notices that several neighboring access points are using channel 11. What is the most likely cause of the issue?

A.Co-channel interference from neighboring access points using the same channel.
B.Adjacent channel interference from access points using channels 10 and 12.
C.Non-WiFi interference from devices like microwaves or cordless phones.
D.The access point is overloaded with too many clients.
AnswerA

Correct because multiple APs on the same channel cause co-channel interference, leading to collisions and poor performance.

Why this answer

The correct answer is co-channel interference from neighboring APs using the same channel. This causes contention and collisions, degrading performance. Adjacent channel interference would occur if channels overlapped (e.g., channels 10 and 11), but the scenario specifies same channel.

Non-WiFi interference is possible but not indicated. Client load on a single AP would cause high utilization but not necessarily disconnections.

1235
MCQeasy

What is the maximum hop count for EIGRP?

A.100
B.15
C.255
D.16
AnswerA

Correct. The default maximum hop count is 100, configurable up to 255.

Why this answer

EIGRP has a default maximum hop count of 100, which can be changed up to 255.

1236
Matchingmedium

Drag and drop each IP SLA tracking object on the left to its application on the right.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Used with a floating static route

Used to adjust HSRP priority

Used with policy-based routing

Used to debounce state changes

Used to trigger event-based actions

Why these pairings

IP SLA tracking can be used to monitor reachability for static routes (floating static) or to influence HSRP priority.

1237
Drag & Dropmedium

Drag and drop the steps of Private VLAN (PVLAN) configuration steps into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

PVLAN configuration requires first creating the primary VLAN, then the secondary VLANs (community or isolated), associating them, and finally configuring host ports as PVLAN ports. The order ensures proper VLAN hierarchy and port assignment.

1238
MCQhard

A network engineer is troubleshooting voice quality issues on a WAN link. The engineer notices that voice packets are being dropped during congestion. The QoS policy uses LLQ for voice traffic, but the priority queue is not providing the expected bandwidth. What is the most likely cause?

A.The priority queue is not configured with a bandwidth statement.
B.The priority queue has a built-in policer that drops traffic exceeding the configured bandwidth.
C.The class-map is not matching voice traffic correctly.
D.The router is using FIFO queuing instead of LLQ.
AnswerB

Correct because LLQ uses a policer to limit the priority queue; if voice traffic exceeds the configured bandwidth, it is dropped.

Why this answer

The priority queue in LLQ uses a built-in policer that drops traffic exceeding the configured bandwidth. When congestion occurs, the policer enforces the bandwidth limit by dropping excess packets, which explains why voice packets are being dropped despite the priority queue being active. This is a fundamental behavior of LLQ to prevent the priority queue from starving other queues.

Exam trap

Cisco often tests the misconception that the priority queue provides unlimited bandwidth during congestion, when in fact LLQ uses a policer to enforce the configured bandwidth limit, causing drops for excess traffic.

How to eliminate wrong answers

Option A is wrong because the priority queue in LLQ does not require a bandwidth statement; it uses the 'priority' command which implicitly sets the bandwidth and enables the policer. Option C is wrong because if the class-map were not matching voice traffic correctly, the voice packets would not be placed into the priority queue at all, leading to different symptoms such as no prioritization rather than drops during congestion. Option D is wrong because if the router were using FIFO queuing, there would be no priority queue mechanism, and voice packets would experience general congestion drops without any bandwidth guarantee, not the specific behavior of the priority policer.

1239
MCQmedium

Consider the following configuration on a Cisco router: class-map match-any CRITICAL_DATA match ip dscp af21 af22 af23 policy-map QOS class CRITICAL_DATA bandwidth remaining percent 50 class class-default fair-queue interface GigabitEthernet0/0 service-policy output QOS Which statement about this configuration is true?

A.Traffic matching DSCP AF21, AF22, or AF23 is guaranteed 50% of the interface bandwidth, and all other traffic is subject to fair-queuing.
B.Only traffic with DSCP AF21 is matched; AF22 and AF23 are ignored because 'match-any' requires all conditions to be true.
C.The configuration is invalid because 'bandwidth remaining percent' cannot be used with 'fair-queue' in the same policy-map.
D.The policy-map will only be applied to incoming traffic on GigabitEthernet0/0.
AnswerA

Correct. 'bandwidth remaining percent' guarantees a percentage of the bandwidth left after priority queues, and the default class uses fair-queue.

Why this answer

The class-map matches DSCP values AF21, AF22, and AF23 (which are Assured Forwarding classes). The policy-map allocates 50% of remaining bandwidth to this class after any priority queues, and uses fair-queue for the default class.

1240
Multi-Selectmedium

Which two statements about the Cisco FlexConnect architecture are true? (Choose two.)

Select 2 answers
A.FlexConnect APs can locally switch client data traffic when the CAPWAP tunnel to the WLC is down.
B.FlexConnect APs must always tunnel all client traffic back to the WLC for central switching.
C.FlexConnect APs can be assigned to a FlexConnect group to share the same VLAN and ACL configuration.
D.FlexConnect APs require a direct Layer 2 connection to the WLC at all times.
E.FlexConnect APs cannot support native VLAN tagging on the uplink interface.
AnswersA, C

Correct because FlexConnect supports local switching even if the WLC is unreachable, using the local VLAN configuration.

Why this answer

FlexConnect allows local switching and backup connectivity when the WLC is unreachable. Central switching requires the CAPWAP tunnel to the WLC. FlexConnect groups are used to apply common policies, not to assign APs to different VLANs.

Native VLAN tagging is supported on the uplink port.

1241
MCQmedium

A network engineer is configuring a site-to-site IPsec VPN between two Cisco routers. The engineer wants to ensure that the VPN tunnel uses the strongest possible encryption and authentication algorithms. The engineer configures the following: crypto isakmp policy 10, authentication pre-share, encryption aes-256, group 14, lifetime 86400. On the remote router, the engineer configures: crypto isakmp policy 10, authentication pre-share, encryption aes-256, group 14, lifetime 86400. The tunnel fails to establish. What is the most likely cause?

A.The lifetimes are set too high; they should be 3600 seconds.
B.The hash algorithm is not specified and defaults may differ between routers.
C.The Diffie-Hellman group 14 is not supported on these routers.
D.Pre-shared keys cannot be used with AES-256 encryption.
AnswerB

Correct because the default hash algorithm can vary, causing a mismatch.

Why this answer

The IKE policy parameters must match exactly on both peers. In this scenario, the policies appear identical, but a common oversight is that the hash algorithm (e.g., SHA-256) is not specified in the policy; the default is MD5 or SHA-1 depending on IOS version. If one router uses default SHA-1 and the other uses MD5, the mismatch will prevent Phase 1 from completing.

Option B is correct because the hash algorithm mismatch is a frequent cause of failure. Option A is incorrect because the lifetimes match. Option C is incorrect because group 14 is valid.

Option D is incorrect because pre-shared keys can be used with strong encryption.

1242
MCQmedium

Consider the following configuration for a Cisco IOS-XE device: interface GigabitEthernet0/0 ip address 192.168.1.1 255.255.255.0 standby 1 ip 192.168.1.254 standby 1 priority 150 standby 1 preempt ! interface GigabitEthernet0/1 ip address 192.168.2.1 255.255.255.0 standby 2 ip 192.168.2.254 standby 2 priority 100 What is the effect of this HSRP configuration?

A.For group 1, this router will be active if it has the highest priority, and for group 2, it will be standby because priority is 100.
B.For group 1, this router will be active and will preempt if a higher-priority router fails. For group 2, it will be active or standby depending on other routers, but will not preempt.
C.Both groups will have this router as active because it is configured on both interfaces.
D.The configuration is invalid because HSRP group numbers must be unique across all interfaces.
AnswerB

Correct. Group 1 has priority 150 and preempt, so it will become active and preempt. Group 2 has default priority and no preempt.

Why this answer

HSRP uses priority to determine the active router. Preempt allows a higher-priority router to become active after a failure. Without preempt, the current active router remains active even if a higher-priority router comes online.

1243
Matchinghard

Drag and drop each DMVPN phase on the left to its matching spoke-to-spoke capability on the right.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

No direct spoke-to-spoke tunnels

Direct spoke-to-spoke tunnels with static NHRP mapping

Direct spoke-to-spoke tunnels with NHRP redirect and shortcut

Why these pairings

Phase 1 requires all traffic to go through the hub. Phase 2 allows direct spoke-to-spoke tunnels but uses static NHRP mappings. Phase 3 uses dynamic NHRP redirect and shortcut to enable spoke-to-spoke tunnels with traffic flow optimization.

1244
MCQhard

A network engineer runs the following command on Router R7: R7# show mls qos interface GigabitEthernet0/1 statistics GigabitEthernet0/1 Ingress statistics: dscp: incoming no_change classified policed dropped default: 0 0 0 0 0 ef: 100 100 100 0 0 af31: 200 200 200 0 0 other: 300 300 300 0 0 Egress statistics: dscp: queued dropped default: 0 0 ef: 100 0 af31: 200 0 other: 300 0 Based on this output, what can be concluded?

A.Packets with DSCP EF are being dropped at ingress.
B.All packets are being queued without drops at egress.
C.Policing is dropping packets with DSCP AF31.
D.The interface is not using any QoS policy.
AnswerB

The egress statistics show queued packets equal to incoming, with zero drops.

Why this answer

The ingress statistics show that packets with DSCP EF, AF31, and other values are being classified and no policing drops occur. The egress statistics show that all packets are queued without drops. This indicates that the QoS policy is not dropping any traffic, and the interface is likely not congested.

1245
Matchingmedium

Drag and drop each PAgP port mode on the left to its matching negotiation behavior on the right.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Sends PAgP packets to negotiate

Responds only to received PAgP packets

Why these pairings

Desirable initiates negotiation, auto waits for partner.

1246
MCQmedium

Examine the following IP SLA configuration: ip sla 1 icmp-echo 10.1.1.1 frequency 10 ip sla schedule 1 life forever start-time now What is the effect of this configuration?

A.It sends ICMP echo requests to 10.1.1.1 every 10 seconds, starting immediately and running forever.
B.It sends ICMP echo requests to 10.1.1.1 every 10 seconds, but only for 10 minutes.
C.It sends ICMP echo requests to 10.1.1.1 every 60 seconds by default.
D.It sends ICMP echo requests to 10.1.1.1 every 10 seconds, but only if an IP SLA responder is configured on the target.
AnswerA

The 'frequency 10' sets the interval to 10 seconds, 'start-time now' starts it immediately, and 'life forever' keeps it running indefinitely.

Why this answer

This configuration creates an IP SLA operation that sends ICMP echo requests to 10.1.1.1 every 10 seconds and schedules it to run immediately and indefinitely.

1247
MCQhard

A network engineer is configuring an EtherChannel between two Cisco switches. The engineer wants to use LACP and ensure that the local switch is the one that determines which ports are active in the channel. Which configuration should be applied?

A.Configure 'lacp system-priority 100' on the local switch.
B.Configure 'lacp port-priority 100' on the physical ports of the local switch.
C.Configure 'channel-group 1 mode active' on the physical ports.
D.Configure 'lacp fast-switchover' on the port-channel interface.
AnswerA

Correct because a lower system priority value makes the switch more likely to be the controlling switch in LACP.

Why this answer

The correct answer is to set the LACP system priority lower on the local switch. The wrong answers involve other LACP parameters that do not determine which switch controls active port selection.

1248
MCQmedium

A network engineer runs the following command on Router R1: R1# show ip eigrp interfaces EIGRP-IPv4 Interfaces for AS(100) Interface Peers Xmit Queue Mean Pacing Time Multicast Pending Un/Reliable SRTT Un/Reliable Flow Timer Routes Gi0/0 1 0/0 12 0/10 50 0 Gi0/1 1 0/0 15 0/10 55 0 Based on this output, what can be concluded?

A.Interface Gi0/1 has higher latency than Gi0/0.
B.Both interfaces have pending routes to send.
C.The router is using EIGRP named mode.
D.There is a queue backlog on Gi0/0.
AnswerA

The Mean SRTT is higher on Gi0/1 (15 ms) compared to Gi0/0 (12 ms), indicating higher round-trip time.

Why this answer

The 'Mean SRTT' (Smooth Round-Trip Time) column shows the average time in milliseconds for EIGRP packets to reach a neighbor and receive an acknowledgment. Gi0/1 has an SRTT of 15 ms, while Gi0/0 has an SRTT of 12 ms, indicating higher latency on Gi0/1. This directly correlates to the path's delay, which EIGRP uses in its composite metric calculation.

Exam trap

Cisco often tests the ability to interpret the 'show ip eigrp interfaces' output, specifically the 'Mean SRTT' column, and the trap here is that candidates confuse SRTT with interface bandwidth or fail to recognize that a higher SRTT means higher latency, not necessarily a problem with queue or pending routes.

How to eliminate wrong answers

Option B is wrong because the 'Pending Routes' column shows 0 for both interfaces, meaning no routes are waiting to be sent. Option C is wrong because the command output shows 'EIGRP-IPv4 Interfaces for AS(100)', which is the classic mode format; named mode would display 'EIGRP-IPv4 (Address Family)' or similar. Option D is wrong because the 'Xmit Queue Un/Reliable' column shows 0/0 for Gi0/0, indicating no queue backlog.

1249
Multi-Selecthard

Which three statements about IPv4 ACLs on Cisco IOS are true? (Choose three.)

Select 3 answers
A.Standard ACLs can filter traffic based on source IP address only.
B.Extended ACLs can filter based on source and destination IP addresses, protocol, and port numbers.
C.An implicit deny any statement is automatically added at the end of every ACL.
D.ACL entries are processed from bottom to top, with the last match determining the action.
E.An ACL applied to an inbound interface filters traffic leaving that interface.
AnswersA, B, C

Correct because standard ACLs (numbered 1-99, 1300-1999) examine only the source IP address.

Why this answer

Standard ACLs filter only source IP, extended ACLs filter more fields, and the implicit deny is always present. The incorrect options confuse the order of processing or the placement of ACLs.

1250
Drag & Dropmedium

Drag and drop the steps of Layer 3 EtherChannel (routed port-channel) setup into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

Layer 3 EtherChannel setup requires creating port-channel interface, assigning IP, adding member ports with no switchport, configuring channel-group, and finally verifying routing.

1251
Drag & Dropmedium

Drag and drop the steps of troubleshooting a model-driven telemetry subscription using CLI into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

First, verify the telemetry receiver configuration to ensure the destination is correct. Next, check the sensor group to confirm the correct YANG paths are included. Then, examine the subscription status to see if it is active.

After that, review any telemetry error logs for connectivity or data issues. Finally, use debug commands to capture real-time telemetry packets.

1252
Matchingmedium

Match each wireless standard to its frequency band and maximum data rate.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

5 GHz, up to 6.9 Gbps

2.4/5 GHz, up to 9.6 Gbps

2.4/5 GHz, up to 600 Mbps

2.4 GHz, up to 54 Mbps

5 GHz, up to 54 Mbps

Why these pairings

Wireless standards define operating frequencies and theoretical speeds.

1253
Matchingmedium

Drag and drop each VM network mode on the left to its matching behavior description on the right.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

VM appears as a separate device on the physical network

VM uses host IP for outbound connectivity

VM communicates only with host and other VMs on same virtual switch

VM communicates only with other VMs on same virtual switch, not with host

VM connects to a user-defined virtual switch

Why these pairings

Bridged mode connects the VM to the physical network as if it were a separate host. NAT mode allows the VM to share the host’s IP address for outbound access. Host-only mode creates an isolated network between the host and VMs.

Internal mode isolates VMs from the host. Custom mode allows the user to select a specific virtual switch.

1254
Matchingmedium

Drag and drop each WAN transport type on the left to its matching SD-WAN characteristic on the right.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Predictable latency and SLA, private Layer 3 VPN

Low cost, best-effort, public IP addressing

Wireless backup, variable throughput, cellular network

High latency, global coverage, limited bandwidth

High bandwidth, low latency, metro-area Layer 2 connectivity

Why these pairings

MPLS provides predictable SLA and private connectivity; Broadband (Internet) offers low cost but variable quality; LTE/4G/5G provides wireless backup with lower bandwidth; Satellite offers high latency global coverage; Metro Ethernet provides high-speed metro-area connectivity.

1255
Matchingmedium

Drag and drop each wireless AP mode on the left to its matching function on the right.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Serves clients with CAPWAP control and data to WLC

Switches client data locally at the AP

Listens for rogue access points on all channels

Captures packets and forwards to a remote analyzer

Detects rogue devices by monitoring wired traffic

Why these pairings

Local mode serves clients with CAPWAP control and data; FlexConnect mode switches client data locally; Monitor mode listens for rogue APs; Sniffer mode captures packets for analysis; Rogue Detector mode detects rogue devices via wired network.

1256
Matchingmedium

Match each Cisco IOS command to its function.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Displays the routing table

Displays interface status and statistics

Displays VLAN information

Displays the current configuration

Enables OSPF event debugging

Why these pairings

These commands are commonly used for troubleshooting and verification.

1257
MCQmedium

A network engineer runs the following command on Switch SW1: SW1# show interfaces gi0/1 trunk Port Mode Encapsulation Status Native vlan Gi0/1 desirable n-802.1q trunking 1 Port Vlans allowed on trunk Gi0/1 1-1005 Port Vlans allowed and active in management domain Gi0/1 1,10,20 Port Vlans in spanning tree forwarding state and not pruned Gi0/1 1,10,20 Based on this output, what can be concluded?

A.The interface is configured as an access port.
B.The trunk is using ISL encapsulation.
C.VLANs 2-9 are allowed but not active.
D.The native VLAN is 10.
AnswerC

Allowed VLANs are 1-1005, but only 1,10,20 are active; thus VLANs 2-9 are allowed but not active.

Why this answer

The output shows that VLANs 1-1005 are allowed on the trunk, but only VLANs 1, 10, and 20 are active in the management domain. This means VLANs 2-9 and 11-19, 21-1005 are allowed but not active (i.e., not created or not present on the switch). Option C correctly identifies that VLANs 2-9 are among those allowed but not active.

Exam trap

The trap here is that candidates often confuse 'allowed on trunk' with 'active in management domain', leading them to assume all allowed VLANs are actually forwarding traffic, when in fact only those listed in the second line are active.

How to eliminate wrong answers

Option A is wrong because the interface is in 'desirable' mode and shows 'trunking' status, which indicates it is a trunk port, not an access port. Option B is wrong because the encapsulation is 'n-802.1q' (likely a typo for '802.1q'), which is IEEE 802.1Q, not ISL (Cisco's proprietary encapsulation). Option D is wrong because the output explicitly shows 'Native vlan 1', not 10.

1258
Multi-Selecthard

Which THREE conditions are required for OSPF routers to become fully adjacent? (Choose three.)

Select 3 answers
A.Same area ID
B.Matching hello and dead intervals
C.Matching authentication (if configured)
D.Different router IDs
E.Same subnet mask
AnswersA, B, C

Routers must be in the same area.

Why this answer

OSPF routers must share the same area ID to form a full adjacency because the area ID defines the link-state database scope. Routers in different areas cannot exchange Type 1 LSAs directly; they rely on ABRs for inter-area routing. Without matching area IDs, the routers will not even proceed to the 2-Way state.

Exam trap

Cisco often tests the misconception that OSPF requires matching subnet masks for adjacency, but the actual requirement is matching network addresses (subnet number), not the mask itself, except on broadcast networks where the mask affects DR/BDR election.

1259
MCQmedium

Given the following syslog configuration on a Cisco IOS-XE router: logging buffered 4096 warnings logging console warnings logging monitor warnings logging trap warnings Which statement is true?

A.Syslog messages with severity 'debugging' (level 7) will be displayed on the console.
B.The router will store up to 4096 syslog messages in the internal buffer, but only those with severity 'warnings' or higher.
C.Syslog messages will be sent to a remote syslog server using the 'trap' facility.
D.The 'monitor' destination refers to logging to the console line.
AnswerB

The 'logging buffered 4096 warnings' command allocates a buffer of 4096 bytes (not messages) and logs messages with severity 0-4. The buffer size is in bytes, but the statement is essentially correct about severity filtering.

Why this answer

All four logging destinations (buffer, console, monitor, trap) are set to severity level 'warnings' (level 4). This means only messages with severity 0-4 are logged to each destination.

1260
MCQhard

A network engineer is troubleshooting a performance issue with a virtual firewall (vFW) running on a Cisco NFVIS host. The vFW is experiencing high packet loss during peak traffic. The engineer checks the NFVIS monitoring dashboard and sees that the vFW's CPU usage is low, but the host's memory usage is high. What is the most likely cause of the packet loss?

A.The vFW is CPU-bound, but the monitoring is inaccurate.
B.The host's CPU is oversubscribed, causing vCPU starvation.
C.The host is under memory pressure, causing the hypervisor to swap or balloon memory from the vFW.
D.The vFW's packet buffer is exhausted, but the monitoring does not show it.
AnswerC

Correct because high host memory usage can lead to memory reclaiming, which impacts vFW performance and causes packet loss.

Why this answer

When the NFVIS host experiences high memory pressure, the hypervisor may reclaim memory from virtual machines (VMs) using mechanisms such as ballooning or swapping. This reduces the memory available to the vFW, causing it to drop packets because its packet buffers or operating system memory are forcibly reclaimed. The vFW's CPU remains low because the bottleneck is memory, not processing power.

Exam trap

Cisco often tests the distinction between CPU and memory bottlenecks in virtualized environments, where candidates mistakenly assume high packet loss must be CPU-related, ignoring that memory pressure from the hypervisor can cause the vFW to lose packets even when its CPU is idle.

How to eliminate wrong answers

Option A is wrong because the monitoring dashboard shows low CPU usage, and NFVIS monitoring is generally accurate for CPU metrics; the issue is not CPU-bound. Option B is wrong because the problem statement indicates low vFW CPU usage and high host memory usage, not high host CPU usage or vCPU starvation; CPU oversubscription would manifest as high CPU ready times, not memory pressure. Option D is wrong because packet buffer exhaustion would typically be caused by insufficient memory allocation to the vFW or memory pressure from the host, but the monitoring would show buffer drops or memory usage; the question states the host's memory is high, pointing to host-level memory pressure as the root cause.

1261
Matchingmedium

Drag and drop each DHCP message on the left to its matching flow order position on the right.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

First message sent by client to locate a DHCP server

Second message sent by server with an offered IP address

Third message sent by client to accept the offered IP

Fourth message sent by server to confirm the lease

Message sent by server to reject a client's request

Why these pairings

The DHCP DORA process: Discover (client broadcasts), Offer (server unicasts), Request (client broadcasts), Acknowledge (server unicasts). DHCPNAK is sent by server to reject a request, and DHCPDECLINE is sent by client if it detects an address conflict.

1262
MCQmedium

What is the maximum number of WLANs that can be configured on a single AP in a Cisco 9800 WLC deployment?

A.8
B.16
C.32
D.64
AnswerB

Up to 16 WLANs per radio are supported on modern APs.

Why this answer

Cisco APs support up to 16 WLANs (SSIDs) per radio, though the exact number may vary by platform.

1263
Matchingmedium

Drag and drop each EIGRP packet type on the left to its matching function on the right.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Discovers and maintains neighbor relationships

Sends routing information to neighbors

Requests information about a lost route

Responds to a query with routing information

Acknowledges receipt of a reliable packet

Why these pairings

Hello packets discover and maintain neighbors; Update packets carry routing information; Query packets ask for alternate paths; Reply packets respond to queries; ACK packets acknowledge reliable delivery.

1264
MCQhard

A network engineer executes the following command on Router R5: R5# show ip ospf neighbor Neighbor ID Pri State Dead Time Address Interface 10.0.0.6 1 FULL/DR 00:00:35 192.168.1.6 GigabitEthernet0/0 10.0.0.7 1 FULL/BDR 00:00:32 192.168.1.7 GigabitEthernet0/0 10.0.0.8 1 2WAY/DROTHER 00:00:38 192.168.1.8 GigabitEthernet0/0 Based on this output, what can be concluded about the OSPF network?

A.The OSPF network type is point-to-point.
B.Router R5 is the DR on this segment.
C.The OSPF network type is broadcast.
D.All neighbors are in the FULL state.
AnswerC

The presence of DR, BDR, and DROTHER states is characteristic of a broadcast multiaccess network.

Why this answer

The output shows multiple OSPF neighbors on the same interface with different states: DR, BDR, and DROTHER. This indicates a broadcast multiaccess network (e.g., Ethernet) with OSPF DR/BDR election.

1265
Multi-Selecthard

Which three statements about MPLS traffic engineering (MPLS-TE) are true? (Choose three.)

Select 3 answers
A.MPLS-TE uses RSVP-TE to signal LSPs and reserve resources.
B.OSPF or IS-IS can be extended to carry TE link attributes.
C.MPLS-TE allows traffic to follow paths that differ from the IGP shortest path.
D.MPLS-TE relies on LDP to distribute labels for TE tunnels.
E.MPLS-TE uses BGP to compute the best path for TE LSPs.
AnswersA, B, C

Correct because RSVP-TE is the signaling protocol for MPLS-TE, enabling bandwidth reservation and explicit paths.

Why this answer

MPLS-TE uses RSVP-TE to signal explicit paths and reserve bandwidth. It can use OSPF or IS-IS extended LSAs to advertise link attributes like bandwidth and delay. MPLS-TE allows traffic to be routed away from shortest-path IGP routes.

LDP is not involved in TE; RSVP-TE handles label assignment for TE tunnels. MPLS-TE does not use BGP for path computation; it uses CSPF (Constrained Shortest Path First).

1266
Multi-Selectmedium

Which two statements about MPLS Layer 3 VPNs are true? (Choose two.)

Select 2 answers
A.PE routers use MP-BGP to exchange customer VPN routes with other PE routers.
B.The MPLS label stack in an MPLS VPN packet contains only a single label that identifies the egress PE.
C.P routers must maintain a full routing table for all customer VPNs to forward traffic correctly.
D.The VPN label is assigned by the ingress PE and used by the egress PE to determine the outgoing interface.
E.The inner VPN label is used by the egress PE to forward the packet to the correct customer VRF.
AnswersA, E

Correct because MP-BGP is used to carry VPNv4 routes between PE routers, including the VPN label and route distinguisher.

Why this answer

In MPLS Layer 3 VPNs, the provider edge routers participate in customer routing via MP-BGP, and the MPLS label stack includes both an outer transport label and an inner VPN label. The VPN label is used to identify the correct VRF and egress PE, not the ingress PE. The provider core routers do not need to know customer routes; they only switch based on the outer label.

The VPN label is assigned by the egress PE, not the ingress PE.

1267
Drag & Dropmedium

Drag and drop the steps of JSON vs XML encoding selection for RESTCONF into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

The correct order starts with checking the Accept header in the request, then verifying the Content-Type header for the response, selecting JSON for lightweight parsing, selecting XML for schema validation, and finally encoding the payload accordingly.

1268
Multi-Selecteasy

Which TWO statements correctly describe characteristics of virtual device contexts (VDCs) in Cisco Nexus switches?

Select 2 answers
A.VDCs allow overlapping VLAN IDs across different VDCs only if using different VNIs.
B.VDCs provide Layer 3 routing isolation by default across all VDCs.
C.Each VDC can have its own admin account and separate management interface.
D.VDCs are supported on all Cisco IOS-XE switches.
E.VDCs enable partitioning of a single physical switch into multiple logical switches.
AnswersC, E

Correct: VDCs provide administrative and management isolation.

Why this answer

Option C is correct because each VDC in a Cisco Nexus switch can be configured with its own administrative credentials and a dedicated management interface (e.g., mgmt0). This allows separate administrative domains and management access per VDC, which is a key feature for multi-tenant environments.

Exam trap

Cisco often tests the misconception that VDCs automatically provide Layer 3 routing isolation, but in reality, routing isolation requires explicit VRF configuration per VDC.

1269
MCQeasy

A network engineer is deploying QoS on a Cisco Catalyst 4500 switch to support four queues per port. The engineer wants to assign voice traffic to queue 1 (priority), video to queue 2, critical data to queue 3, and best-effort to queue 4. The switch is configured with the default CoS-to-queue mapping. However, video traffic is being placed in queue 1 along with voice. What should the engineer do to separate them?

A.Modify the CoS-to-queue mapping using the 'mls qos srr-queue output cos-map' command
B.Change the video traffic marking to DSCP AF41 and rely on DSCP-to-queue mapping
C.Apply a service policy that uses a priority queue for voice only
D.Increase the number of queues to eight
AnswerA

Correct because this command allows the engineer to map specific CoS values to specific queues, separating voice and video.

Why this answer

The correct answer is to modify the CoS-to-queue mapping using the 'mls qos srr-queue output cos-map' command to assign different CoS values to different queues.

1270
Matchingmedium

Drag and drop each VPN type on the left to its matching tunnel technology on the right.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

mGRE with NHRP

IKEv2-based VPN

GDOI group key management

TLS/DTLS for remote access

IKEv1 or IKEv2 with ESP

Why these pairings

DMVPN uses mGRE and NHRP; FlexVPN uses IKEv2; GET VPN uses GDOI; AnyConnect uses TLS/DTLS; Site-to-Site IPsec VPN uses IKEv1 or IKEv2 with ESP.

1271
Multi-Selectmedium

Which two statements about Control Plane Policing (CoPP) are true? (Choose two.)

Select 2 answers
A.CoPP uses ACLs to match traffic destined for the control plane.
B.CoPP is applied as a service policy on the control plane interface.
C.CoPP can only be used to rate-limit traffic, not to drop it.
D.CoPP is applied to all physical interfaces to protect the data plane.
E.CoPP can only filter IPv4 traffic.
AnswersA, B

Correct because CoPP relies on ACLs to classify traffic that is sent to the control plane.

Why this answer

CoPP uses ACLs to classify traffic destined for the control plane and applies a policy map to rate-limit or drop that traffic. It protects the control plane from excessive or malicious traffic. The service policy is applied to the control plane, not to interfaces.

CoPP does not protect the data plane forwarding path; it only filters traffic that is punted to the control plane. CoPP can be applied to both IPv4 and IPv6 traffic.

1272
Matchingmedium

Drag and drop each network design tier on the left to its matching function on the right.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Provides Layer 2/Layer 3 access for end devices and users

Aggregates access switches and enforces routing policies

Provides high-speed, resilient backbone between distribution blocks

Combines core and distribution functions into a single layer

Provides leaf-to-leaf connectivity in a leaf-spine fabric

Why these pairings

The access layer provides user connectivity; the distribution layer aggregates and applies policies; the core layer provides high-speed transport.

1273
Drag & Dropmedium

Drag and drop the steps of QoS policing with two-rate three-color marker (RFC 2698) into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

First, configure the police command with cir, pir, and conform, exceed, violate actions. Then, apply the policy to the interface. The marker uses CIR and PIR to assign colors.

1274
MCQeasy

What is the default OSPF hello interval on an Ethernet link in Cisco IOS?

A.10 seconds
B.30 seconds
C.40 seconds
D.5 seconds
AnswerA

Correct. The default hello interval for Ethernet (broadcast) is 10 seconds.

Why this answer

OSPF hello interval defaults to 10 seconds on broadcast and point-to-point networks (e.g., Ethernet).

1275
Drag & Dropmedium

Drag and drop the steps of REST API call using Requests library to DNA Center into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

The correct order starts with importing the Requests library, sending a POST request to the authentication endpoint with credentials, extracting the token from the JSON response, using the token in headers for a GET request to a resource endpoint, and finally parsing the JSON response.

Page 16

Page 17 of 27

Page 18